Wikileaks is offering tech firms CIA files first

93 points| marksomnian | 9 years ago |bbc.co.uk | reply

111 comments

[+] ttctciyf|9 years ago|reply
From the BBC:

> He claimed that an anti-virus expert, who was not named, had come forward to say that he believed sophisticated malware that he had previously attributed to Iran, Russia and China, now looked like something that the CIA had developed.

That sounds very like something I read on Robert Graham's Mar 7 comments[1] on the leak:

> Already, one AV researcher has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak.

1: http://blog.erratasec.com/2017/03/some-comments-on-wikileaks...

[+] mikeyouse|9 years ago|reply
The post you link directly contradicts this:

> There's no false flags. In several places, the CIA talks about making sure that what they do isn't so unique, so it can't be attributed to them. However, Wikileaks's press release hints that the "UMBRAGE" program is deliberately stealing techniques from Russia to use as a false-flag operation. This is nonsense. For example, the DNC hack attribution was live command-and-control servers simultaneously used against different Russian targets -- not a few snippets of code.

[+] problems|9 years ago|reply
It wouldn't surprise me - a lot of the stuff they use to identify a malware source just isn't that accurate. Anyone can buy a server from the other side of the world, anyone can put strings in another language into malware and anyone can target a source country starting from a specific provider or VPN.
[+] Aqueous|9 years ago|reply
Once you admit that keeping secret and controlling the release of sensitive information has some 'harm minimization effect' - and therefore that releasing information in the wrong way or to the wrong people is potentially harmful - exactly where does that take the philosophy of 'radical transparency?'
[+] problems|9 years ago|reply
They're advocating for radical transparency of governments and corporations, not individuals - there's a significant difference. Releasing these exploits as is would result in harm to individuals who are unrelated entirely to the CIA or government.
[+] knieveltech|9 years ago|reply
Harmful to whom may be the important question here. I thought the underlying premise of radical transparency was to make it sufficiently difficult to maintain state and corporate secrets that they either give up trying to keep secrets entirely or at least learn to avoid conducting truly shady activities because secrecy is no longer a guaranteed. If that's true then I'd say that admission is a strong endorsement that the practice is at least on sound theoretical ground.
[+] 0xfeba|9 years ago|reply
> He added that while Wikileaks maintained a neutral position on most of its leaks, in this case it did take a strong stance.

Uh huh. After the US Election debacle, I'm not so sure of that.

[+] M_Grey|9 years ago|reply
It tells you that the person advocating that philosophy has given themselves license to wield all of that enormous power you're describing, without check or balance.
[+] iaw|9 years ago|reply
Wikileaks stopped being about 'radical transparency' when Julian Assange felt personally threatened by Hillary Clinton and Google. Since then the Wikileaks agenda appears to be more about attacking and undermining US policy and standing wherever it can.
[+] tssva|9 years ago|reply
WikiLeaks' belief in radical transparency has never applied to WikiLeaks itself.
[+] Iv|9 years ago|reply
Wikileaks has always defended responsible disclosure and censored crucial names. They simply have a different notion of who or what is crucial.
[+] moo|9 years ago|reply

[deleted]

[+] sand500|9 years ago|reply
Pretty standard practice when an exploit is found, right? Alert companies and publicize after they patch it.
[+] cracell|9 years ago|reply
In general but I believe this is the first time wikileaks has had specific exploit information so it's the first time they are doing it.
[+] problems|9 years ago|reply
Yeah, it'll be interesting here though - they potentially have some pretty major remote exploits and tech firms might be resistant to even patch as those who are unpatched will be left vulnerable to attack. The standard route then is to threaten to publish anyways... This will involve very careful treading on the parts of both wikileaks and the firms involved.
[+] therealmarv|9 years ago|reply
The standard practice for Wikileaks was once to publish everything no matter what. I'm happy they have changed.
[+] devy|9 years ago|reply
> "a whole section of the CIA is working on Umbrage, a system that attempts to trick people into thinking that they had been hacked by other groups or countries by collecting malware from other nation states, such as Russia."

What do you think of Umbrage?

[+] mikeyouse|9 years ago|reply
Wikileaks is dramatically misrepresenting what Umbrage is. There are descriptive documents that explain exactly what it is and how it's meant to be used that were also leaked. Even the Intercept, who aren't exactly friendly to intelligence sources, took umbrage (ha) with WL's characterization:

> It would be possible to leave such fingerprints if the CIA were re-using unique source code written by other actors to intentionally implicate them in CIA hacks, but the published CIA documents don’t say this. Instead they indicate the UMBRAGE group is doing something much less nefarious.

> They say UMBRAGE is borrowing hacking “techniques” developed or used by other actors to use in CIA hacking projects. This is intended to save the CIA time and energy by copying methods already proven successful. If the CIA were actually re-using source code unique to a specific hacking group this could lead forensic investigators to mis-attribute CIA attacks to the original creators of the code. But the documents appear to say the UMBRAGE group is writing snippets of code that mimic the functionality of other hacking tools and placing it in a library for CIA developers to draw on when designing custom CIA tools.

https://theintercept.com/2017/03/08/wikileaks-files-show-the...

[+] problems|9 years ago|reply
I think it's going to be severely abused politically.

I've already seen a few people on the right saying it means the DNC hack was 100% fake.

And I've already seen a security researcher on the left saying it has nothing to do with the results because "they found running C&C servers in that case", like you can't buy C&C servers anywhere in the world that you want.

Neither claim makes any verifiable sense. Hacking attribution is somewhere between hard and impossible if your opponent doesn't want to be found or wants you to find someone else instead.

It's a legitimately interesting program and something to consider when these claims get made. But don't listen to the politics of it. It'll be a nightmare.

[+] 086421357909764|9 years ago|reply
That it's a logical program for a Covert / Clandestine intelligence agency.
[+] swalsh|9 years ago|reply
I wonder if firms are going to start using these fixes to search for people who have touched the files in order to find... patriots...
[+] celticninja|9 years ago|reply
The CIA pretending to be China, or China pretending to be the CIA, or someone else entirely pretending to be China pretending to be the CIA, or vice versa.
[+] ikeyany|9 years ago|reply
If I had money/power, I would assume every device and account I have is compromised in some way.

Back to pen and paper we go, until that can be compromised too.

[+] plandis|9 years ago|reply
I must be the only person to think it's weird that intelligence leaks are never from China or Russia.

It's probably just a coincidence.

[+] mickronome|9 years ago|reply
So what are you implying with that ambiguous and opaque statement?

Some possible reasons:

* They compartmentalise information better?
* They don't use private contractors?
* It's more dangerous to leak material in those countries?
* ...
* ...
* ...

[+] problems|9 years ago|reply
Likely has a lot to do with the countries themselves. Russia and China have much stricter governments and the values on freedom and privacy aren't as widely respected - so not as many leakers pop up.
[+] Florin_Andrei|9 years ago|reply
It's almost like it's painting a pattern now. Almost.
[+] SomeStupidPoint|9 years ago|reply
Definitely a coincidence that it was within a week of Sessions being taken to task over his involvement with Russia and a Trump adviser being told by the SSCI to retain information about contact with Russia.

We all know there's no chance this is smearing US intel agencies during an investigation.

[+] dguido|9 years ago|reply
Don't believe anything from Assange until it's confirmed by the tech companies themselves. Ask the security teams at each of these companies if they received any information from Wikileaks. From the people I know at the affected companies, no one has heard anything yet. Assange should not get the benefit of our trust.
[+] Ninn|9 years ago|reply
Please make a list of firms which have provided these comments denying that Wikileaks has provided them with information while claiming to have done so. This way others are able to confirm your comment. Otherwise it's really hard to take your comment seriously.
[+] tptacek|9 years ago|reply
I know it's not normally a good idea to comment about voting and comment position, but there are a lot of people talking about this issue on HN and this comment is one of the few written by someone directly engaged with these issues. If Dan says he hasn't heard anything from any security team he's familiar with, that's not dispositive, but given how connected Dan is, it's certainly a real data point.

I say this because it would make sense to vote a comment like this down if it was just a random opinion. I agree: "don't trust Assange" is kind of a banal sentiment (I share it, but I wouldn't claim it was interesting enough to showcase). But that's not all Dan is saying.

(I haven't heard anything either but, I mean, I've only known about this for about 3 minutes now).

[+] saranagati|9 years ago|reply
Very few people at these companies would have any idea about the vulnerabilities, and even fewer would know where the reports came from. Big tech companies realize that they employ a lot of people and heavily restrict who can know about the reported vulnerabilities, especially before they're patched. To think that those "privileged" people would tell you about it is asinine, especially regarding this very high profile event.
[+] filoleg|9 years ago|reply
"Companies to get" implies future tense, not past. Thus it makes sense that the companies have not received them yet. But I agree that confirmation from the companies once they receive them would be very nice.
[+] Karunamon|9 years ago|reply
"Assange" the person may not be trustworthy, but Wikileaks the organization he created is, so far, beyond reproach. They have never released false data.
[+] pinaceae|9 years ago|reply
Still waiting for a leak from China or Russia. A bit weird that Wikileaks only targets the US.