CIA hacking dossier leak reignites debate over vulnerability disclosure

WikiLeaks' dump of CIA hacking tool documents on Tuesday has kicked off a debate among security vendors about whether intel agencies are stockpiling vulnerabilities, and the effect this is having on overall security hygiene. The leaked documents purport to show how the intel agency infiltrates smartphones, PCs, routers, IoT …

  1. Anonymous Coward

    I've been saying this since the Snowden revelations came out...

    Check my posting history if you must. The U.S. Cyberwarfare Command needs to be moved out of the NSA and Fort Meade. GCHQ has made a big deal about taking over cyberwarfare/defense for Britain, and that needs to be moved into a separate organization. In both cases, the cyberwarfare and defense organizations need to be moved out of the intelligence community altogether.

    Otherwise, you are going to see that the traditional intelligence community's focus on "What system did you penetrate today to get me some good intel on what Russia/ISIS/China/insert-rival-name-here is up to?" will always outweigh the unsexy and unhelpful "Today we validated that the IT systems in the Department of Transportation have entirely adopted encryption of data-at-rest."

    1. Anonymous Coward

      Re: I've been saying this since the Snowden revelations came out...

      The U.S. Cyberwarfare Command needs to be moved out of the NSA and Fort Meade.

      And that would stop the TLAs using exploits? Without oversight they'll continue to find their own, so moving Cyberwarfare to a separate place achieves nothing, surely?

      1. Anonymous Coward

        Re: I've been saying this since the Snowden revelations came out...

        My contention is that the current reporting structure for these cyberdefense organizations makes them intentionally and systematically handicapped, because the cyber-espionage side of the house will always set the agenda on what the security side can or can't do.

        1. Adam 1

          Re: I've been saying this since the Snowden revelations came out...

          Exactly. The Windows zero day (for example) will get reported to Microsoft when both

          * A better/faster/less detectable exploit is discovered/purchased; AND

          * They catch an adversary doing it.

          If the first point hasn't happened, the second point won't be a consideration.

    2. Frumious Bandersnatch

      Re: I've been saying this since the Snowden revelations came out...

      I've been saying my own stuff. I remembered a post I made back in 2014.

      I would say that the chickens have come home to roost, but the last time that expression made the news, it didn't go too well for the guy who used it.

  2. Vector

    "...so critics are actually arguing that the government should spend millions on vulnerabilities in order to disclose them to vendors."

    Why, that sounds like a marvelous way to spend taxpayer dollars since I always thought my tax dollars were supposed to work for me!

    "Security pundits fear that information exposed in the release will allow cybercriminals and less capable nation states to up the ante."

    A) If the CIA is buying these exploits, wouldn't it be a bit naive to assume that no one else has a checkbook.

    B) Equally simplistic is the idea that the folks the CIA bought the exploit from are the only ones to discover it. This is not a zero sum game and it's also not like guarding nuclear secrets where you need hard materials in addition to knowledge (OK, you need a computer, but...).

    1. John Brown (no body) Silver badge

      "A) If the CIA is buying these exploits, wouldn't it be a bit naive to assume that no one else has a checkbook."

      Exactly. Unlike physical objects, the same vuln can be sold again and again. It's not like stealing a car. It's more like so-called software/IP piracy ;-)

  3. John Smith 19 Gold badge

    Zero day vulns sound great for TLA's

    A secret way into a system that only we know about. That only we can exploit...

    Except.

    IRL what's the chance of either of those statements being true?

    Vulns threaten everyone.

    Keeping cyber defense and offense combined sounds like a good idea, but it's like having developers test their own code, which is now recognized to be a very bad idea.

    1. annodomini2

      Re: Zero day vulns sound great for TLA's

      Like anything regarding security: "If there is a way in, you can get in!"

  4. Paul Crawford Silver badge

    "Weaponizing everyday products such as TVs and smartphones – and failing to disclose vulnerabilities to manufacturers – is dangerous and short-sighted"

    And sadly, even if said vulnerabilities are disclosed, many suppliers will do SFW about it :(

    MS get beaten up over taking 90+ days to patch (and rightly so given their size and budget), but they are one of the better players around!

    1. Anonymous Coward

      My TV has never had a patch or update issued

      Reporting to manufacturers is one thing; getting anything done except publicising vulnerabilities is quite another.

      It's not the CIA's job to fix the internet of tat - its job is to spy on people.

      I am far more concerned that it's lost control of its armoury than about the tools it contained.

  5. a_yank_lurker

    CIA definition

    CIA should stand for criminally incompetent agency.

    1. Oengus

      Re: CIA definition

      CIA should stand for criminally incompetent agency ars3hol3s.

      FTFY

  6. Anonymous Coward

    So the leak tells us a bit about how the CIA decided to use its knowledge...

    So the leak tells us a bit about how the CIA decided to abuse its power...

    TFTFY

  7. Patrick Marino

    Really?

    Apple and Google sitting on billions in cash couldn't pony up another 20 million bug bounty to make all the serious/critical bugs known?

  8. Neil Barnes Silver badge

    Here's the rub

    I have absolutely no problem with state actors spying on me - *provided* that they have acquired enough evidence from other sources to suggest to a judge that I am a likely suspect for a crime sufficiently severe that such surveillance is justified.

    I object most strenuously to the concept of 'even if we're not looking at you right now, we *could*, because you might be a villain in the future'.

    And I object most strenuously of all to the idea that these bozos are exposing me to the much more serious and likely event of some passing miscreant finding one of their exploits which could have been patched had the makers known of it, and emptying my bank account/selling my house/or otherwise financially inconveniencing me.

    For most people, that's where the risk is - and it's a real and present danger. I've had my identity faked three times in the last year or so (debit cards cloned and money removed from my accounts) and I'm one of sixty million - versus one or two 'terrist' plots per year that end up in court - and seem by all accounts to have been detected by the simple expedience of listening to people who have reported suspicious activity. The rummaging through the digital life occurs after the event to gather evidence.

    1. M7S

      Re: Here's the rub

      I likewise have no issue with state actors; however, I would seek to limit this to actors of "my" state. An issue here is that it would appear that my system is insecure against actors of other states, not all of which may be our allies now or, if they currently are, in the future. If I worked for an employer that might be a suitable "target" in the event of less cordial relations at some future date, then that is a worry.

      Alas I cannot see how to limit the vulnerability so that only "my" state can come and rummage through my systems.

      1. FlamingDeath Silver badge

        Re: Here's the rub

        "not all of which may be our allies"

        not all of which may be our a̶l̶l̶i̶e̶s partners

        TFTFY

        There is a huge difference between allies and partners, HUGE!

  9. M7S

    Commercial AV products

    There was a short bit on BBC R4 last night, as part of the six o'clock news, mentioning some AV companies and what these agencies reportedly thought of their products.

    As a person with some responsibility for securing an employer's data and, whilst I do not wish to impede legal investigation or be prosecuted for this, in the belief that any vulnerability will eventually end up in the "wrong" hands thus rendering me liable to prosecution for failing to adequately protect the data of our staff/customers etc., I would like to see a site like El Reg go through this (I accept it may take a while) and being unafeared as it is of losing advertising revenue, provide a comprehensive breakdown, (with responses from and, if appropriate, rebuttals to the vendors) so that I can make a more informed judgement.

  10. Cuddles

    Not really news

    While the details of exactly which exploits they're using at the moment, who they share them with, and so on might be interesting to some, surely no-one is remotely surprised that various TLAs use security flaws to hack computers? That's their job, and we knew about it well before Snowden came along. People can argue all they like about whether it should happen and/or the details of what should be allowed, but yet another confirmation that the same thing we've known has been going on for decades is still going on really isn't news.

  11. John Smith 19 Gold badge

    On the upside.

    Perhaps some of the mfgs mentioned (who might know of these vulns, but hoped no one else did) will finally accept they are "out in the wild" and do something about them.

    So what is the patching system for a Samsung TV?

    Yes this is me in "Mary Poppins" mode.

  12. Tom Paine

    "If the CIA knows of the specific exploit, chances are that the MI6, FSB, MSS, and Mossad are aware of it as well."

    That's trivially falsified by looking at how many disclosed vulnerabilities turn out to have already been discovered and reported by another researcher. It happens, but rarely. The Rand report published today says about 5%.

    So.

  13. FlamingDeath Silver badge

    CIA acronym

    Apparently this stands for Central Intelligence Agency

    An oxymoron if ever there was one

    They just love to put labels on themselves, such as "intelligence service" or "security service"

    The bare reality is, they are neither intelligent, or secure

    I would go as far as to describe them as unintelligent, insecure, thugs, who think they are (and they are) above the law
