WikiLeaks to give Apple, Google, others 90-day deadline to fix flaws revealed in ‘Vault 7’

“WikiLeaks’ promise to give tech companies access to exploits in their systems before being made public has hit a snag after the organisation added a demand that they must be fixed within 90 days,” Graeme Burton reports for V3. “‘We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out,’ said Wikileaks founder Julian Assange during a Facebook Live press conference days after the Vault 7 disclosures – what is believed will be the first of many from a trove that runs to more than 750,000 documents.”

“But now, according to reports, when Assange finally contacted Apple, Microsoft and Google about disclosing security flaws in their operating systems before Wikileaks publishes documents in future, he made a series of demands that the companies are now mulling over,” Burton reports. “These include a demand that the companies adhere to a 90-day deadline to deal with the vulnerabilities highlighted in the documents. If their software is not patched within that time, Wikileaks will go ahead and publish the information in its trove of leaked documents, regardless of the aggravation this may cause to the companies.”

Burton reports, “The 90-day deadline is the same that Google’s own Project Zero security group provides to companies when it uncovers flaws in their software. If a company has failed to patch its software accordingly, Project Zero publishes details of the flaw whether the vendor likes it or not.”

Read more in the full article here.

MacDailyNews Take: Apple’s iOS, macOS, and other software products are about to get even more secure! And, unlike with Google, Apple product owners actually have easy access to updates and install them!

10 Comments

  1. 90 days is about 3 months, which is not an unreasonable window to demand for patching major vulnerabilities. After all, if Wikileaks has them, at least one other party already has them, too.

    1. “We have decided to work with them, to give them **SOME** exclusive access to **SOME** of the technical details we have, so that fixes can be pushed out…” (emphasis mine).

      Why not give the vendors 100% access to 100% of the technical details of any exploit? Why play this game withholding critical information? It’s just one more game Assange is playing to make it appear to the uneducated that he is trying to make all those big bad organizations (large companies, governments, etc.) do good without actually committing to doing good himself.

      Assange is not about making the world better. He’s about making a splash for Assange — just like his statement that he’d turn himself in if a certain prisoner’s sentence was commuted, then rescinding that offer once it happened.

      Some bugs can be verified, characterized, fixed, and tested in a few days or at most a few weeks. A bug that is deep within the OS itself (or even in the kernel itself) is much more difficult to fully verify, characterize, fix, and test. Some of those changes can take several months to go through the whole process and still sometimes unintentional consequences pop up.

      Thus giving a 90 day time constraint for any and all situations is just asinine.

  2. Assange likes to believe his Wikileaks exists for the betterment of the “common man”. That has always been arguable. I find it hard, however, to see the value in disclosing these hacks to a broader audience.

    1. You disclose it to a broader audience so that the hack becomes “known”. Now why is this important? It is important in the instance the hack is engineered by someone (Google) to be a back door for use by someone else (say CIA). If you don’t make it known, they will just keep it as is.

    2. That is of course to secure to have them patched. As of now these security holes are exploited (and originally found) by “certain” secret spying agencies. NSA among all.

    3. I GET why the broader populace should know that these security holes exist, and why they need to be patched. But disclosing the source code is not going to help the average person with an iPhone defend themselves. No. Divulging the source code puts the vulnerabilities into the hands of all the bad actors around the world looking for new ways to exploit us. If Apple and Google do not effect a patch for some reason, sharing this code is apt to bring more pain to more people, not less.

  3. I agree with you on basic principle, but I also suppose WikiLeaks views the time limit as “incentive” or perhaps better put, “leverage” to assure the companies to do the job quickly and well

    …. or else….
