A generous offer from Julian Assange to lend tech firms a hand in shoring up the security of their software in the wake of the WikiLeaks CIA data dump might not necessarily come to much.
Earlier this week, Assange’s WikiLeaks published thousands of files that are part of what it claims is the “largest ever publication of confidential documents” from the CIA. Present and former government staff say that the files appear to be genuine. We’ve already argued that the kinds of cyberweapons described in the files, and allegedly in use by the CIA, aren’t particularly revelatory from a technical perspective.
Still, they are a concern for tech companies whose hardware is compromised. That includes Samsung, whose smart TVs can apparently be repurposed as spy posts, as well as Apple and Google, whose smartphone operating systems, iOS and Android, find themselves threatened by targeted exploits that allow the CIA to gain partial remote control. WikiLeaks claims that it has source code for such attacks, though it has not yet published it.
Step forward the gallant knight Assange. “After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers,” he explained during a press conference yesterday, “we have decided to work with them to give them some exclusive access to the additional technical details that we have so that fixes can be developed and pushed out, so that people can be secure.”
The technology world, it seems, is supposed to be grateful to Assange for this kindness and the fact that he’s willing to extend it despite his taste for radical transparency at all costs. But there are some problems with this promise.
First, it’s unclear why WikiLeaks didn’t simply share details of the CIA exploits with technology firms before going ahead and publishing the files. Security researchers, for instance, would typically alert companies to vulnerabilities before going public, allowing them a grace period in which to solve the problem before the news hits. Still, in WikiLeaks’s defense, even opting to hold back the source code at all is an improvement on its previous “publish first, worry later” approach.
Second, a lot of the vulnerabilities listed in the files published so far are already old and fixed. Apple says that most of the flaws have already been spotted and patched in the latest version of iOS. Google says that users with the latest version of Android are protected from most of the hacks.
There’s also the fact that technology firms may not even take him up on the offer. According to the Financial Times (paywall), sources at some tech companies have decided that it might be “legally dangerous” to look at, let alone act on, the files without government permission. So even if it were useful to work with WikiLeaks, Assange’s promise may be of no practical use.
And then, of course, there’s the fact that Assange is notoriously media-savvy and the promise may be more bluster than substance. The Financial Times reports that he may be using the opportunity to sidle right into the center of an already fraught relationship between Silicon Valley and federal agencies to refresh his notoriety. Jake Williams, founder of security firm Rendition Infosec, meanwhile, is even more blunt: he told Wired that it all “sounds like pure hype.”
The situation may yet change. WikiLeaks has so far only published part of the full set of files that it claims to have in its possession, and it’s unclear how explosive the remaining tranches will be. But for now, it looks like technology companies may try to get by without Assange’s help.