Surprise! WikiLeaks won't just hand over details of zero-day vulnerabilities to tech firms

Sigh… there are strings attached.

Remember those brief days of sunlight when we held out hope WikiLeaks might have stopped acting like arses, and might have decided to act in the interests of everyone who relies upon technology for their security and privacy?

Well, as predicted, there are clouds on the horizon.

As Motherboard reports, WikiLeaks' Julian Assange may be making unreasonable demands about how he will share details of the alleged zero-day vulnerabilities that have been leaked from the CIA:

This week, Assange sent an email to Apple, Google, Microsoft and all the companies mentioned in the documents. But instead of reporting the bugs or exploits found in the leaked CIA documents it has in its possession, WikiLeaks made demands, according to multiple sources familiar with the matter who spoke on condition of anonymity.

WikiLeaks included a document in the email, requesting the companies to sign off on a series of conditions before being able to receive the actual technical details to deploy patches, according to sources. It's unclear what the conditions are, but a source mentioned a 90-day disclosure deadline, which would compel companies to commit to issuing a patch within three months.

Is 90 days a reasonable time to fix a vulnerability?

I think that's very hard for someone outside of a technology vendor's programming and quality assurance team to say with any confidence.

It makes me very uncomfortable when outsiders make determinations of how long a problem should take to fix (and, of course, how long it will take to test that the fix works reliably in all scenarios and setups), when they have no knowledge of what else teams might be working on, including other vulnerabilities they might already be working hard at fixing, some of which may be of even higher importance.

Of course, I don't think we should allow technology firms with unpatched vulnerabilities in their software and hardware to rest on their laurels, or treat it as anything less than serious.

But I also want to feel confident that bugs are patched properly and that fixes do not themselves introduce more problems than the problem they are trying to address.

How is Julian Assange qualified to say that 90 days is enough? There are ways of putting pressure on technology firms to fix bugs, and of highlighting it if you think they are taking too long, without dangling a sword of Damocles over their heads if flaws are not fixed on a schedule you have decided for them.

You can hear some of my personal concerns about whether WikiLeaks will share details of the alleged zero-day vulnerabilities with technology firms in this week's "Smashing Security" podcast, where I was joined by Carole Theriault and special guest Nick FitzGerald.

The discussion about WikiLeaks starts at about 10 minutes in, but you might enjoy the rest of the podcast too!


15 Responses

  1. Endrik

    March 18, 2017 at 2:43 pm

    It's not that hard to fix. If they can't do it in 90 days, then there's something really wrong. Something that urgent has to be done quickly.

    • Graham Cluley in reply to Endrik.

      March 19, 2017 at 8:24 am

      What's not that hard to fix? How do you know it's not hard to fix? How do you know how long it takes to properly test that the fix works in all environments reliably and doesn't introduce its own problems? How do you know what else the vendor's team is currently working on that might be of greater importance to the testing team than what WikiLeaks is planning to disclose in 90 days? Should WikiLeaks' vulnerabilities be considered of greater importance just because they're creating an almighty stink about them?

      The truth is that we don't know the answers to any of these questions. We don't know the detail of what the vulnerabilities are, and WikiLeaks doesn't know how difficult they are to fix.

      They should share the details with the vendors without any strings attached. If they feel that the vendor is taking too long to fix them WikiLeaks could demonstrate the flaws to journalists to apply more pressure. Releasing proof-of-concept code or details that could aid other criminals does no good to any of us.

      • Itisi in reply to Graham Cluley.

        March 20, 2017 at 10:04 am

        If Wikileaks has them, the exploits should already be deemed 'out there'. I think 90 days is reasonable; Google's Project Zero also uses 90 days before it makes its findings public.
        I think the reason Wikileaks uses this hard deadline is that it prevents vendors from keeping said exploits in their code, e.g. in the case such a backdoor has been ordered by a national security agency or government. And face it, even if a vendor refuses to sign off Wikileaks' request, the exploits will be made public anyway (or worse, exploited in the wild).
        PS: has anyone performed a traceroute on wikileaks.org? Now that smells fishy... (Mir Telematiki Ltd, Moscow, Russia)

  2. Kev whelan

    March 18, 2017 at 8:58 pm

    90 days is plenty.

    Someone needs to put pressure on vendors, and as we have seen it is certainly not going to be any government...

    No pressure, no fix. Same as potholes in the road.

    • Graham Cluley in reply to Kev whelan.

      March 19, 2017 at 8:25 am

      There are ways of applying pressure without handing tools to others which will enable them to exploit these flaws.

      I'm sure the vendors will be keen to fix the security holes as fast as they can. But it's not for WikiLeaks to demand it is done in 90 days with threats of disclosure.

  3. 0day

    March 18, 2017 at 10:17 pm

    90 days is pretty normal for responsible disclosure. The only ass here is the author.

    • Graham Cluley in reply to 0day.

      March 19, 2017 at 8:27 am

      Arse not ass.

      But anyway, I think the "90 days" figure grew to prominence from Google's Project Zero team. They have brought Google into disrepute by releasing proof-of-concept code which exploits security vulnerabilities in other vendors' software before a patch is released – sometimes putting regular internet users at risk while failing to get Android's broken patching infrastructure sorted out.

  4. Annoyed reader

    March 19, 2017 at 8:04 am

    The author's only intention here seems to be a little flame-baiting against WikiLeaks, as he has no clue of the actual contents of the documents nor is the grace period of 90 days something uncommon.

    Wondering why this pointless post appeared on my Flipboard. Reported it.

    • Graham Cluley in reply to Annoyed reader.

      March 19, 2017 at 8:29 am

      WikiLeaks gets plenty of flames as it is – probably doesn't need more from me!

      I don't see how WikiLeaks would be helping the typical internet users by releasing details of vulnerabilities after 90 days. If they want to apply pressure on vendors to patch bugs there are better ways of doing it.

  5. Etaoin Shrdlu

    March 19, 2017 at 8:04 am

    No software company would ever have any qualms about "committing" to a 90 day deadline. They routinely commit and then fail to deliver on time. What is Julian going to do, get Ecuador to sue?

  6. Jay

    March 19, 2017 at 11:49 am

    I would bet Wikileaks will soon be made redundant in this debate anyway. News says they weren't the first to get this material, and I have to think every hacker group on the planet was out there trying to get a copy from the moment the news broke.

  7. Bob

    March 19, 2017 at 6:23 pm

    An update from The Register – it appears that the vendors are afraid of fixing the issues for fear of jeopardising their lucrative contracts with the government:

    "There's also the little hitch that these tools are classified US government property, and the tech giants are uneasy with handling this material, especially since they do lucrative contract work for Uncle Sam and have rules in place on who, internally, can and can't access sensitive reports and blueprints."

    https://www.theregister.co.uk/2017/03/18/friday_security_roundup/

  8. Sean

    March 20, 2017 at 11:16 pm

    This is very poor Graham. As a researcher I regularly reverse patches and fully support the view that 90 days is sufficient. I understand why a lot of American and British "experts" in "cybersecurity" find reason to attack Wikileaks; for many, Assange is undermining deep-rooted and jingoistic tendencies that come from an industry that sucks the government tit at every given opportunity.

    To float the idea that 90 days is not enough time is ridiculous and I suggest you know it is, regardless of what you commit to print. It's worth remembering the limitations placed on Wikileaks, more accurately on Assange himself; regardless of personal traits he has shown more courage and commitment to his beliefs in a way that I doubt most "experts" can ever understand, let alone accept. Disappointed Graham.

    • Graham Cluley in reply to Sean.

      March 21, 2017 at 12:09 am

      Thanks Sean.

      I'm genuinely sorry to have disappointed you. But if you look back on my previous articles you'll realise that my position has nothing to do with WikiLeaks being involved in this.

      I have been equally critical of Google, for instance, who were the main standard bearers for the "90 days is enough time to properly fix a vulnerability" position.

      I believe that releasing exploit code and putting that power in the hands of any Tom, Dick and Harry should always be a last resort, and one not to be taken lightly. As I have described before, there are ways to pressure companies who you believe are being slow to patch bugs without sharing the details of how to exploit them with the world.

  9. Dave Howe

    March 21, 2017 at 12:52 pm

    If all it is, is a 90 day deadline, then that's all Google themselves give other people to fix their issues; MS have made a big thing out of the occasions they have run out that 90 day clock and Google has gone and published anyhow.
