You can find the current article at its original source at http://www.nytimes.com/2017/03/09/us/wikileaks-julian-assange-cia-hacking.html

Version 0
WikiLeaks Will Help Tech Companies Fix Security Flaws, Assange Says
WASHINGTON — Julian Assange, founder of WikiLeaks, said on Thursday that the anti-secrecy organization would work with Apple, Google and other technology companies to fix flaws that have allowed the C.I.A. to hack into the phones, computers and other devices they produce.
Speaking from London in an online news conference, Mr. Assange accused the C.I.A. of withholding information about the vulnerabilities the agency was exploiting in American technology even after it realized that documents describing the flaws had been leaked weeks ago.
While some companies have already fixed the weaknesses revealed in a batch of secret C.I.A. documents made public by WikiLeaks on Tuesday, Mr. Assange said, others say they need more technical information on the hacking techniques.
“There’s a limited ability to try and produce security fixes for iPhones, for Samsung TVs, for Android phones produced by Google, for Microsoft, for Linux, because the exact technical details are not known,” Mr. Assange said. “We have decided to work with them to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out so people can be secured.”
For Mr. Assange, it was a remarkable turning of the tables. He spoke from the Ecuadorean Embassy, where he sought refuge in 2012 from a sexual assault investigation in Sweden and has lived ever since. He has frequently been accused by American officials of being an enemy of the United States and an ally of Russia, especially since WikiLeaks released emails from Hillary Clinton’s presidential campaign that were believed to have come from Russian government hackers.
But on Thursday, the Australian-born Mr. Assange presented himself as a defender of some of the most prominent American technology companies against their own government’s overreaching and double-dealing.
“Why has the Central Intelligence Agency not acted with speed to come together with Apple, Microsoft and other manufacturers to defend us all from its own weapons systems?” Mr. Assange asked.
Calmly fielding questions submitted via Twitter, Mr. Assange sought to insert himself into the strained relationship between the government and Silicon Valley, where some executives see their products’ reputations as being endangered by aggressive American espionage efforts.
The C.I.A. responded with an unusually full response, attacking Mr. Assange’s credibility and noting that any spying it does is restricted by law to foreigners and foreign countries, with Americans off limits.
“As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity,” Heather Fritz Horniak, an agency spokeswoman, said in a statement. “Despite the efforts of Assange and his ilk, C.I.A. continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”
The statement declined to acknowledge the authenticity of the more than 8,000 documents from the Center for Cyber Intelligence of the C.I.A. that WikiLeaks posted online, though officials have said privately that the leaked material is genuine. But the statement defended the agency’s use of “innovative, cutting-edge” methods to gather intelligence.
The statement also asserted that the WikiLeaks revelations were damaging national security. “The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries,” the statement said.
WikiLeaks said on Tuesday that the C.I.A. documents it was releasing, which appeared to show that the agency could compromise iPhones, Android phones and even internet-connected televisions, were only the first phase of a much larger set of disclosures to come regarding the agency’s hacking program. It claimed to have received the documents from an unnamed source who hoped the revelations would provoke a public debate over the United States’ use of cyberweapons.
The disclosure has set off a hunt for the leaker, who officials have said was most likely an agency insider or contractor.

Version 1 (about 9 hours later)
WikiLeaks Will Help Tech Companies Fix Security Flaws, Assange Says
WASHINGTON — For years, Julian Assange, the founder of WikiLeaks, has been derided as an anti-American anarchist, indiscriminate in publishing leaks and far too cozy with Russia. For more than four years, he has been hiding out in the Ecuadorean Embassy in London to avoid sexual assault investigators in Sweden.
But on Thursday, fresh from revealing the largest leak of classified documents in C.I.A. history, Mr. Assange tried to turn the tables on his critics, presenting himself as a defender of the United States’ top technology companies from overreaching, double-dealing American spies.
The 8,000 C.I.A. documents that WikiLeaks made public this week, the first installment in a far larger collection, Mr. Assange said, showed that the agency had found flaws in the most popular products of the internet age: iPhones, Android phones, software used in every office and even internet-connected televisions. But instead of alerting the companies so they could plug the security holes, the agency exploited the weaknesses to carry out cyberspying around the world.
So Mr. Assange, speaking by video in an online news conference, offered a lifeline to the companies, saying the antisecrecy organization was prepared to share leaked computer code that it has not yet published with Apple, Google and other technology companies to help them fix the flaws described in the leaked C.I.A. documents.
“We have decided to work with them to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out so people can be secured,” Mr. Assange said.
The companies reacted cautiously to the WikiLeaks offer, saying there could be legal complications in accepting classified information stolen from the government. Sean Spicer, the White House press secretary, advised the companies to seek legal advice before accepting the leaked code.
“I do think that I would check with the Department of Justice in particular about if a program or a piece of information is classified,” he said at a press briefing. “It remains classified regardless of whether or not it is released into the public venue or not.”
Microsoft suggested in a statement that it did not want to be seen as collaborating with WikiLeaks, declaring dryly that its “preferred method for anyone with knowledge of security issues, including the C.I.A. or WikiLeaks, is to submit details to us at secure@microsoft.com.” Microsoft, Apple and Google all said that some of the C.I.A. attacks had targeted old versions of their software and would be blocked by recent updates.
WikiLeaks’ reputation was marred in some circles by its previous splash in the news, the release last year of emails from Hillary Clinton’s presidential campaign that were believed to have come from Russian government hackers. Now Mr. Assange, who once worked as a computer security specialist, insists that his goal was to safeguard the privacy of everyone’s communications from the intrusive gaze of the C.I.A.
“Why has the Central Intelligence Agency not acted with speed to come together with Apple, Microsoft and other manufacturers to defend us all from its own weapons systems?” he asked.
The C.I.A. issued an unusually lengthy response, emphasizing that any spying it does is restricted by law to foreigners and foreign countries, with Americans off limits.
“As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity,” the C.I.A. statement said. “Despite the efforts of Assange and his ilk, C.I.A. continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”
By his offer, Assange was inserting WikiLeaks into a strained relationship between the government and Silicon Valley, where some executives believe their products’ reputations are endangered by aggressive American espionage efforts.
The Obama administration addressed this conflict by setting up a formal review process for technical vulnerabilities that the government discovered or purchased from hackers.
When an intelligence agency or the F.B.I. wanted to make use of a major chink in a company’s technological armor, it first had to get approval through a committee organized by the White House. At a sort of court of vulnerabilities, intelligence agencies argued for using the flaw for surveillance, while other officials made the case for revealing it to Apple, Microsoft, Google or some other firm.
“The default position was to disclose the vulnerability,” said Michael Daniel, the cybersecurity coordinator at the National Security Council under President Barack Obama, who ran the process. Last year, the administration said in congressional testimony that over 80 percent of vulnerabilities discovered by the government had been revealed to the industry.
But there were moments, Mr. Daniel said on Thursday, when the committee he assembled judged that it was in the national interest to keep secret a “zero day” flaw — so named because the target would have zero days of notice that there was a vulnerability. That would give the National Security Agency, the C.I.A. or the F.B.I. time to exploit it.
Not all of the flaws revealed in the new WikiLeaks trove of C.I.A. documents would necessarily have gone through this process, and the committee would not have reviewed the “tools,” or software techniques, used to exploit a vulnerability. But Mr. Daniel said that “all the appropriate agencies, including the C.I.A., participated in this process.” That suggests that using at least some of the vulnerabilities exposed by WikiLeaks would have required White House approval.
A new RAND Corporation study concludes that these “zero day” exploits, and the vulnerabilities they are based on, last longer than most thought. It found that the average vulnerability had a “life expectancy” of 6.9 years before it became useless to hackers.
Brian White, the chief operating officer of RedOwl Analytics, a cybersecurity firm, said the companies were caught between conflicting pressures, especially if some of their employees have security clearances to work on government contracts.
“If you are holding a security clearance and you engage in the movement or sharing of this data, you could have your clearance revoked,” he said.
But he said that companies like Apple and Google also had a responsibility to their shareholders and customers to make their products as safe as possible. “The likelihood of prosecution is much less important than understanding any vulnerability in their products,” he said.
In addition to the legal quandary, dealing with Mr. Assange, a mercurial personality who is considered a criminal by some people and a hero by others, is fraught with political complications.
While WikiLeaks has often been criticized for releasing sensitive data without regard for the consequences, Mr. Assange is acting responsibly this time, said Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society. WikiLeaks redacted the actual computer code for C.I.A. exploits from its initial release to avoid spreading such cyberweapons.
“He is trying to do the right thing,” Ms. Granick said.
She said that the legal risk to companies using the leaked information to fix their products is minimal, but that the government could make it easy by sharing more information about the vulnerabilities directly with the companies.
Paul Kocher, a cryptographer who was previously an executive at the chip company Rambus, said that helping companies patch security holes was accepted practice in the industry.
“There are lots of things at WikiLeaks that are ethically questionable,” Mr. Kocher said. “But the normal thing to do if you come across vulnerabilities, regardless of who’s using them, is to help them get fixed.”