Remember those brief days of sunlight when we held out hope WikiLeaks might have stopped acting like arses, and might have decided to act in the interests of everyone who relies upon technology for their security and privacy?
Well, as predicted, there are clouds on the horizon.
As Motherboard reports, WikiLeaks’ Julian Assange may be making unreasonable demands about how he will share details of the alleged zero-day vulnerabilities that have been leaked from the CIA:
This week, Assange sent an email to Apple, Google, Microsoft and all the companies mentioned in the documents. But instead of reporting the bugs or exploits found in the leaked CIA documents it has in its possession, WikiLeaks made demands, according to multiple sources familiar with the matter who spoke on condition of anonymity.
WikiLeaks included a document in the email, requesting the companies to sign off on a series of conditions before being able to receive the actual technical details to deploy patches, according to sources. It’s unclear what the conditions are, but a source mentioned a 90-day disclosure deadline, which would compel companies to commit to issuing a patch within three months.
Is 90 days a reasonable time to fix a vulnerability?
I think that’s very hard for someone outside of a technology vendor’s programming and quality assurance team to say with any confidence.
It makes me very uncomfortable when outsiders decide how long a problem should take to fix (and, of course, how long it will take to test that the fix works reliably across every scenario and setup) when they have no knowledge of what else those teams might be working on, including other vulnerabilities they may already be working hard to fix, some of which may be of even higher importance.
Of course, I don’t think we should allow technology firms with unpatched vulnerabilities in their software and hardware to rest on their laurels, or treat it as anything less than serious.
But I also want to feel confident that bugs are patched properly and that fixes do not themselves introduce more problems than the problem they are trying to address.
Who is Julian Assange to say that 90 days is enough? There are ways of putting pressure on technology firms to fix bugs, and of highlighting it if you think they are taking too long, without dangling a sword of Damocles over their heads if flaws are not fixed on a schedule you alone have determined.
You can hear some of my personal concerns about whether WikiLeaks will share details of the alleged zero-day vulnerabilities with technology firms in this week’s “Smashing Security” podcast, where I was joined by Carole Theriault and special guest Nick FitzGerald.
The discussion about WikiLeaks starts at about 10 minutes in, but you might enjoy the rest of the podcast too!