WikiLeaks won’t share CIA exploits unless companies meet terms
WikiLeaks offered to work with tech companies to patch the CIA’s leaked security exploits, but there has been a whole lot of silence ever since. Why? That depends on who you ask. Motherboard sources claim that WikiLeaks “made demands” of the companies before it would hand over necessary details of the vulnerabilities, including a requirement that they promise to issue security patches within 90 days. Potential fixes are reportedly stuck in legal limbo, the tipsters say, as the companies are worried about writing patches based on leaked info, not to mention the origins of the leak. They’re worried that Russia might have been responsible for forwarding the info.
WikiLeaks has confirmed the core of the story, but has a decidedly different take on the situation. While it acknowledges that most of the companies haven’t taken action, it claims that Google and others aren’t reacting to WikiLeaks’ “industry standard responsible disclosure plan” due to “conflicts of interest” from their work with the US government. Supposedly, they’re prevented from fixing these kinds of flaws due to their contracts.
More details on this situation are coming next week, WikiLeaks says. However, it’s already threatening to name and shame companies by comparing their responsiveness with their “government entanglements.” It points out that Mozilla and some European firms have been quicker to respond and have received some exploit data.
While it’s difficult to know who’s right, some caution is definitely necessary. WikiLeaks has a habit of playing up leaks, such as implying that the CIA could crack encrypted chat apps (it can only crack the devices used by those apps). Although leaks have suggested that companies might cooperate with US agencies, the truth in this case could be decidedly less exciting. Even a company fully opposed to backdoor surveillance may not want to patch flaws unless it’s absolutely sure that it’s legal to do so.
Source: Motherboard, WikiLeaks (Twitter)