Bloomberg drops bombshell – tech companies give zero-day exploits to U.S. before making them public

// June 14th, 2013 // Politics and legal

Hacking security graphic

We knew for sure that foreign companies collect zero-day vulnerabilities, often paying a pretty-penny for the exploit, and were fairly certain that the NSA did the same.  What we did not know however, was that tech companies freely *give* or sell their zero-day exploit vulnerability details to the United States government.  Bloomberg dropped the bombshell last night.

“Microsoft Corp., the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes. Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.”

They went on to explain how telcos use foreign legal loopholes to get past FISA restrictions, allowing them to eavesdrop on consumers.

“Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S.  In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.”

Bloomberg went on to explain how telcos sought assurances that they would not be held liable for violating wiretap laws.

“Before they agreed to install the system on their networks, some of the five major Internet companies — AT&T Inc. (T), Verizon Communications Inc (VZ)., Sprint Nextel Corp. (S), Level 3 Communications Inc (LVLT). and CenturyLink Inc (CTL). — asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.”

Yeah, now the “blanket immunity” clause in CISPA makes perfect sense…





« « Previous Article: Captured sea serpent? No, it’s a rarely seen Giant Oarfish     » » Next Article: US Special Forces may soon be equipped with stealth motorcycles


Leave a Reply

You must be logged in to post a comment.

%d bloggers like this: