WikiLeaks Not Disclosing CIA-Hoarded Vulnerabilities to Companies

WikiLeaks has started publishing a large collection of classified CIA documents, including information on several—possibly many—unpublished (i.e., zero-day) vulnerabilities in computing equipment used by Americans. Despite assurances that the US government prioritizes defense over offense, it seems that the CIA was hoarding vulnerabilities. (It’s not just the CIA; last year we learned that the NSA is, too.)

Publishing those vulnerabilities into the public means that they’ll get fixed, but it also means that they’ll be used by criminals and other governments in the time period between when they’re published and when they’re patched. WikiLeaks has said that it’s going to do the right thing and privately disclose those vulnerabilities to the companies first.

This process seems to be hitting some snags:

This week, Assange sent an email to Apple, Google, Microsoft and all the companies mentioned in the documents. But instead of reporting the bugs or exploits found in the leaked CIA documents it has in its possession, WikiLeaks made demands, according to multiple sources familiar with the matter who spoke on condition of anonymity.

WikiLeaks included a document in the email, requesting the companies to sign off on a series of conditions before being able to receive the actual technical details to deploy patches, according to sources. It’s unclear what the conditions are, but a source mentioned a 90-day disclosure deadline, which would compel companies to commit to issuing a patch within three months.

I’m okay with a 90-day window; that seems reasonable. But I have no idea what the other conditions are, and how onerous they are.

Honestly, at this point the CIA should do the right thing and disclose all the vulnerabilities to the companies. They’re burned as CIA attack tools. I have every confidence that Russia, China, and several other countries can hack WikiLeaks and get their hands on a copy. By now, their primary value is for defense. The CIA should bypass WikiLeaks and get the vulnerabilities fixed as soon as possible.

Posted on March 21, 2017 at 6:05 AM • 60 Comments

Comments

Alf March 21, 2017 6:25 AM

The companies that waged war on Wikileaks by denying them legitimate donations from third parties are now getting what they deserve. I hope sincerely that they get bitten really hard for trying to destroy Wikileaks.

mostly harmful March 21, 2017 7:03 AM

Every time information expressed in pure ASCII gets published in jpeg format, a unicorn gets cancer.

Why does Twitter want to genocide unicorns?

Update on CIA #Vault7 “zero day” software vulnerabilities
https://mobile.twitter.com/wikileaks/status/842929984054398980

[transcribed to text below]

Update on CIA Vault7 “zero day” software vulnerabilities

Organizations such as Mozilla have exchanged letters with Wikileaks and have already been informed by WikiLeaks of some vulnerabilities. Google and some other companies have yet to respond other than to confirm receipt of our initial approach. They have not agreed, disagreed, or questioned our industry standard responsible disclosure plan.

Most of these lagging companies have conflicts of interest due to their classified work for US government agencies. In practice such associations limit industry staff with US security clearances from fixing security holes based on leaked information from the CIA.

Should such companies choose to not secure their users against CIA or NSA attacks, users may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet, we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves. We will have more to say about this issue next week.

Julian Assange

More information on industry standard vulnerability disclosure plans can be found here:

https://googleprojectzero.blogspot.co.uk/2015/02/feedback-and-data-driven-updates-to.html

Vesselin Bontchev March 21, 2017 8:44 AM

@mostly harmful, Assange is just a bullshit artist who is trying to milk this for the purpose of self-aggrandizement.

There are plenty of people with security clearances at Microsoft – but that didn’t prevent them from fixing the 0days used by Stuxnet or the MD5 collisions used by Flame, did it?

If Assange was really interested in getting these vulnerabilities fixed, he would have disclosed them to the respective vendors immediately, without any conditions whatsoever, and then disclosed them publicly after 90 days, just like Google does.

Elliot March 21, 2017 9:05 AM

It’s possible that Russia and China can hack Wikileaks. It is by no means certain. It’s possible that a state actor can hack anyone. However to say you have every confidence that this shall happen is… well… have you considered writing for the New York Times or Washington Post?

Bruce Schneier March 21, 2017 9:34 AM

@ Elliot

“It’s possible that Russia and China can hack Wikileaks. It is by no means certain. It’s possible that a state actor can hack anyone. However to say you have every confidence that this shall happen is… well… have you considered writing for the New York Times or Washington Post?”

That final clause is probably trolling, so I’ll ignore it.

There is a world of difference between the Internet attack/defense capabilities of the major nation states of the world than of everyone else — including individuals, corporations, and NGOs. We saw details of this in the NSA’s capabilities exposed by both Edward Snowden and the Shadow Brokers, along with the tools discovered in the wild — think Flame. We saw details on this in some of the Mandiant and Crowdstrike reports on the various Chinese APT groups. If the NSA/GCHQ/Chinese/Russians/Israelis/a few others want to be inside WikiLeak’s networks, they’re in those networks.

In case that final clause is not trolling, I could write a Washington Post op ed on this. I don’t know if I’ll have time this week.

Clive Robinson March 21, 2017 9:47 AM

@ Bruce,

along with the tools discovered in the wild — think Frame

Is that a typo, or are you referring to the malware found on a couple of Digital Picture Frames that may have been supply chain poisoning?

Bob March 21, 2017 10:06 AM

That would require the CIA to act in the interests of people who aren’t the deep state. Chances of that happening: zero.

ShavedMyWhiskers March 21, 2017 10:08 AM

There is also a congressional investigation into the DNC email hacks by “Russians” apparently trying to influence the election. This is being framed as a matter of national security. Clearly, to me, there is an opportunity to close the software flaws involved.
The public hearings and ongoing FBI investigations will give congress an opportunity to act and direct agencies in ways that will close these defects.
DT has been ‘incredulous’ that his Towers and associates have been under investigation. He can and likely should take the opportunity to issue an Executive order that mandates remedial actions to close flaws that open citizens and US companies to hacking. Such an EO need not be supported by any evidence. It only needs clarity that known exploits are also a risk to the US and need closing.
i.e. common defense.
“We the people of the United States, in order to form a more perfect union, establish justice, insure domestic tranquility, provide for the common defense, promote the general welfare, and secure the blessings of liberty to ourselves and our posterity…”

Omri March 21, 2017 10:23 AM

How exactly is a 90 day deadline a “condition”?

If that’s what you want, you send them an email saying “90 days after you get my report, the public gets it too.”

There’s nothing for them to agree or refuse on that.

D-503 March 21, 2017 10:56 AM

What’s Apple’s track record for patching known, major vulnerabilities?
As a relatively ignorant Apple user, I can report that it sometimes takes Apple several months or even years, if ever.
I think a former Apple engineer commented on this (sorry I’m too lazy to find the link) – for many years Apple’s business plan was to sell a “new” model every year, not fix the “old” stuff. It isn’t planned obsolescence, not primarily (though planned obsolescence is a factor too). It’s more that they switched away from catering to the kind of customer who needed devices to work. As long as Apple sold themselves as making devices that “just work”, they were limiting themselves to a tiny, niche market of working professionals. So, instead, they switched to focusing on the kind of customer who always buys the shiny disposable new thing every year without actually needing any functionality. A much bigger market.

Without a 90 day deadline, a lot of these vulnerabilities won’t get patched. What’s the incentive, for a big company, if they’re allowed to procrastinate indefinitely? Remember, Apple, Microsoft, Google, etc., are there to make a profit.

John Macdonald March 21, 2017 11:15 AM

@omri – the condition that they are being asked to agree to is likely a promise to not take court action to try to prevent that 90 day disclosure.

The Phisher King March 21, 2017 11:20 AM

The CIA may very well like to release their now useless vulnerabilities to industry. However, to do that legally they would have to go through the highly tedious and time-consuming process of getting the information de-classified, otherwise CIA staff would be breaking the law and potentially face charges relating to espionage and treason.

Bruce Schneier March 21, 2017 11:38 AM

@ Clive

“@ Bruce, ‘along with the tools discovered in the wild — think Frame’ Is that a typo, or are you referring to the malware found on a couple of Digital Picture Frames that may have been supply chain poisoning?”

Sorry. Flame.

I’ll correct it above.

Desmond Brennan March 21, 2017 11:58 AM

The CIA will only want to disclose what was exposed. They’ll only know that, if the breach investigation has identified same.

Now if the breach is obvious, then sure, we should expect responsible disclosure…

bearbearian March 21, 2017 12:04 PM

@ D-503
What’s Apple’s track record for patching known, major vulnerabilities?
As a relatively ignorant Apple user, I can report that it sometimes takes Apple several months or even years, if ever.

I’d counter that Apple has in the past responded quickly and effectively to major vulnerabilities; ref. their 9.3.5 emergency patch after the Trident disclosure. https://threatpost.com/emergency-ios-update-patches-zero-days-used-by-government-spyware/120158/

Ross Snider March 21, 2017 12:34 PM

@Bruce

“Demands” seems to me to be negative PR spun against Wikileaks.

There are normally these kinds of conditions for disclosure (think Google Project Zero).

I doubt there are any conditions that would be deemed ‘onerous’.

I agree with you wholeheartedly that the CIA/Executive should disclose them before Wikileaks. It takes away Wikileak’s ability to be a hero. It’s strategically valuable from a marketing/PR standpoint for the CIA to take that win away from the media outlet.

Clive Robinson March 21, 2017 1:26 PM

The question is “Does it matter what is in the Wikileaks disclosure agreement?”.

Originally some companies announced that they could not accept information they were not cleared for. There are obvious and simple ways around that as I’ve indicated before, but I doubt that the companies will use them. Which brings up the second question which is “Why not?”.

I suspect that Wikileaks worked out one or more of the answers to that question prior to releasing some of the cache of papers.

One question that will have arisen is what the CIA will or will not do over the partial revelations. As Bruce notes for the sake of ordinary users it would be best for the CIA to release the vulnerabilities to manufacturers. Unfortunately as many readers here will probably assume, the CIA will in all probability just sit on their hands and do nothing under the usual “say nothing” doctrine.

Thus we enter a kind of Mexican stand off, as Wikileaks starts pushing out its list of non complying companies, they will start to feel the effects. They will thus start applying pressure through back channels in the US Gov. The question is what will the US Gov do? As long as the executive stay out of it they have three basic options, put pressure on the CIA, try to get at Wikileaks, or likewise sit on their hands.

However if the current executive get involved… there is not much love for various parts of the US IC there, which to put it mildly will prove interesting.

TimH March 21, 2017 1:40 PM

From Assange’s statement, I expect WL suspects that some of these vulnerabilities are knowingly unfixed, to allow use and abuse by essentially 5-Eyes. Compensation (not necessarily money, perhaps cessation of monopoly investigation or similar) may have been agreed to keep certain vulns open.

WL can bring this out by insisting that the companies fix the disclosed vulns. If they won’t, then there are more scandals to unfold.

James Joyce March 21, 2017 1:55 PM

@ Bruce

“If the NSA/GCHQ/Chinese/Russians/Israelis/a few others want to be inside WikiLeak’s networks, they’re in those networks.”

This would seem to imply that WikiLeaks should publish the unredacted documents immediately, because if they don’t, they just lose their grip on them anyway.

Also, if it’s true that there are “knowingly unfixed vulnerabilities”, then that would of course be the way to proceed.

Pollard's Piles March 21, 2017 2:43 PM

“If the NSA/GCHQ/Chinese/Russians/Israelis/a few others want to be inside WikiLeak’s networks, they’re in those networks.”

Famous last words. If we’re defining networks as electronic doohickeys connected by cables and wires and things, with sysadmins to hunt, that may well be true. But the wikileaks website platform is the merest tip of the iceberg of an unusually decentralized NGO. The organization’s means of communication are quite diversified in different ways. The fearsome state adversaries cited are not so hot at contact chaining free associations – if they were, CIA wouldn’t be blasting arms and legs off thousands of blushing brides, flower girls, bereaved moms, reporters, schoolkids, and truck drivers taking a dump. The police states are not sure where Wikileaks begins and ends, and they have limited ability to kill em all. Wikileaks collectively knows them better than they know it. They are in those networks cause those networks are in them.

ab praeceptis March 21, 2017 2:52 PM

“If the NSA/GCHQ/Chinese/Russians/Israelis/a few others want to be inside WikiLeak’s networks, they’re in those networks.”

Good to read that from you, Bruce Schneier. Well spoken.

bc8ee5b0ca442fb9665f5c448c7fc021 March 21, 2017 3:06 PM

I’m sure the “conditions” etc are PR to make wikileaks look bad one more time.

What’s interesting is… does CIA know everything that WikiLeaks has? Saying to CIA to publish things is a thin line: they could publish, but it’s not interesting for CIA to publish anything more than necessary. Even contacting the manufacturers is enough to prove that CIA had those vulnerabilities, and that might hit them back in some judicial action seeking damages.

CIA gains nothing from publishing, if you forget that it’s funded by the government, owned by government, and governments should do what’s best for their people. And I know that “best for the people” has many definitions.

Dirk Praet March 21, 2017 3:57 PM

@ Clive

I suspect that Wikileaks worked out one or more of the answers to that question prior to releasing some of the cache of papers.

I concur. They have probably included the necessary legalese not just to cover their own asses for disclosing classified information, but also to somehow tie acceptance to fixing. Which makes perfect sense.

EvilKiru March 21, 2017 5:06 PM

@mostly harmful: Twitter really needs to remove the legacy 140-character tweet limit instead of forcing people to use idiotic workarounds like text images and tweet storms.

Sancho_P March 21, 2017 5:29 PM

”If the NSA/GCHQ/Chinese/Russians/Israelis/a few others want to be inside WikiLeak’s networks, they’re in those networks.” (@Bruce)

To me this is a funny statement, but I’d suggest to read it the other way:
WikiLeaks use a network which is owned by NSA/GCHQ/Chinese/ …
* and *
the owners of that network can’t stop (Wiki)Leaks.

And I love it, because this is the evidence that they do not own us / our freedom.

There is no crime, no ruse, no trick, no fraud, no vice which does not live by secrecy. Bring this secrets to light, unveil and ridicule them to everybody. Sooner or later the public opinion will sweep them out.
Publication may not be enough – but it is the only means without all other attempts will fail.

(Joseph Pulitzer, 1847-1911)

[Apologize my attempt to translate, didn’t find that in English]

@Vesselin Bontchev

”Assange is just a bullshit artist who is trying to milk …”

I still use a programmable power supply which I built more than 30 years ago.
Sure, you’d comment on the shitty enclosing and not discuss the facts / specs?

r March 21, 2017 5:29 PM

@Mr. Bontchev,

Re: ms v stuxnet fat fs usb exploit rounds 1 & 2

Emphasis on round 2 qualifications

r March 21, 2017 7:19 PM

@Clive,

RE: information sharing (dhs) and vulnerability disclosure to companies

I quote: ‘Which brings up the second question which is “Why not?”.’

With respect to the context, it could be their response teams possess clearance and aren’t legally able to view/respond to such hactivity?

Heartbleed or Heartburn? yum.

Tyrone March 21, 2017 10:38 PM

@omri – the condition that they are being asked to agree to is likely a promise to not take court action to try to prevent that 90 day disclosure.

Perhaps, but I can only imagine such an action ending hilariously. Plus, those companies could start legal action right now, and Wikileaks could start releasing the tools right now.

There’s no reason the agreement needs to be secret. Wikileaks should release it.

Tyrone March 21, 2017 10:50 PM

It would appear that the CIA has a command line vulnerability for over 300 models of CISCO kit… And currently there is no fix…

The linked story says disabling telnet is a fix. Workaround, if you prefer, but really, why should people still be using telnet, and does Cisco even support an otherwise-secure way to use telnet (like gssapi)?

Saying “over 300 models” is just a way to make Cisco look bad without giving any useful information. I have no idea how many models Cisco has, or how their update model looks like. Obviously this is in common code and affects entire product lines. Maybe they’ll only need one or a few patches to fix it.

Clive Robinson March 22, 2017 2:26 AM

@ r,

With respect to the context, it could be their response teams possess clearance and aren’t legally able to view/respond to such hactivity?

I think you will find I covered that in the paragraph you quote from,

    Originally some companies announced that they could not accept information they were not cleared for. There are obvious and simple ways around that as I’ve indicated before, but I doubt that the companies will use them. Which brings up the second question which is “Why not?”.

As I’ve said before there is a fairly simple process to get around such legalistic nonsense.

The first and most obvious of which is for Wikileaks to just publish the vulnerability outside of the US where US law has no reach. Most of these larger US companies have offices outside of US jurisdiction and technical staff without security clearance. By law these companies “have to protect shareholder interest” which means they would be on a legal hook if they did not act to minimise any losses, and anybody with just one share could bring such an action, all they have to show is some –arbitrary minimal– loss. The only way out would be for the company to plead “National Security” which would be quite counter productive, for not just the US company but also the US Government.

A second way is rather than Wikileaks just publish the vulnerabilities is for them to “clean room” reverse engineer the exploits and give them to either the companies out of jurisdiction or to a non US vulnerabilities register.

There are several ways that the actual vulnerability can be “sanitised” such that the US companies are in the position of knowing about a vulnerability but not knowing if it’s from the CIA trove or not. Importantly the only way for them to find out would be to ask the CIA/US Government. At which point the whole thing becomes Kafkaesque with the entire world watching the show.

If people follow the thought process through, they will realise that what Wikileaks is doing intentionally or not is actually mounting an attack against arcane secrecy legislation in the US.

If you want to think about it further then turn the arguments around and remove the “Big Scary Agency” and “National Security” nonsense. Thus it’s like the US Gov being an ordinary defendant at trial trying to claim that encrypted information on their hard drive is somehow protected when the prosecution can demonstrate they have plaintext copies of many if not all of the files… The judge if the prosecution so wished would probably not take long to find against the defendant for either obstruction or failing to service a lawful request of a police officer etc…

Clive Robinson March 22, 2017 2:43 AM

@ ,

Saying “over 300 models” is just a way to make Cisco look bad without giving any useful information.

The URL gives the impression that they know the exact number (unless it’s a typo). And it was the article that claimed there was no fix which might or might not be true irrespective of there being a possible work around.

The point I was making however is that the article is –probably– the first of what may be a large number of such stories over the vulnerabilities from the alleged CIA documents Wikileaks has.

Which raises the question of which will happen first, we run out of vulnerabilities to talk about, or everybody just gets bored stiff of the whole issue. It will be interesting to see if journalists etc will have an easy time or not linking the Ed Snowden revelations in with the story, I’m sure there are certain parts of the US MSM that would love to conflate the two stories for various reasons.

Ph March 22, 2017 3:21 AM

So how can a USA company like Microsoft react to Wikileaks if the vulnerability is suspected to be covered in a gag order or national security letter?

Dirk Praet March 22, 2017 4:54 AM

@ Ph

So how can a USA company like Microsoft react to Wikileaks if the vulnerability is suspected to be covered in a gag order or national security letter?

@Clive just explained that here. If upon disclosure in a foreign jurisdiction, the vulnerability doesn’t get fixed, it would amount to a deliberate or mandatory backdoor, a practice the existence of which both the affected companies and the USG have always vehemently denied. Implicitly admitting to this collusion would not be in any US tech company’s interest as it would further erode international confidence in their products, impact sales and thus shareholder value.

@ Clive, @ Tyrone

It would appear that the CIA has a command line vulnerability for over 300 models of CISCO kit … And currently there is no fix…

They have published a work-around advisory and announced an upcoming patch. I guess it does take some time to produce, test and release a ready-for-production fix for 318 different models. And every SE not previously having disabled telnet when ssh is also available is just as big a vulnerability and a liability as the exploit itself.

@ MrV

A certain hypocrisy given you have Google disclosing the vulnerabilities of others while not giving a damn about its own swiss cheese products.

In the bigger picture, hardly a problem as long as they do it in a responsible way. Every vulnerability disclosed and fixed ultimately benefits the user.

Who? March 22, 2017 5:01 AM

@ Ph, Dirk Praet.

Another way to solve the NSL vs. disclosed vulnerability issue may be fixing the leaked vulnerability while opening a new one for the U.S. Government intelligence agencies.

r March 22, 2017 5:48 AM

@Clive,

Sorry I missed that, thanks for responding.

Maybe they don’t have such responsibilities, I’ve been kicking around the ‘ISP immunity’ as ‘information storage provider’ or ‘information store’.

Language is not their only tint.

r March 22, 2017 5:50 AM

Information service provider,

What does the FCC say about these web facing and infrastructure companies?

r March 22, 2017 5:54 AM

@Who?,

That’s what ms did v stuxnet, look at mr vesselins content and my short response.

ATN March 22, 2017 6:21 AM

I have every confidence that Russia, China, and several other countries can hack WikiLeaks and get their hands on a copy.

WikiLeaks has this list of vulnerability for free. If you are ready to pay, you probably would go to better places, where you pay for services like pre-built tools and up-to-date documentation.

I am not saying WikiLeaks providing that list is a bad thing, it is very good for users (often called “terrorist until proven innocent”); but if you are one of the attackers having a budget, you already know that list and do not want to spend time reading such old information…

Steve Carr March 22, 2017 7:57 AM

Wikileaks may have finally opened up people’s eyes to what is really going on in our world. Everybody thinking our government is out for us and they use terrorism as their excuse to spy on us. It’s all garbage, it’s all about control. The NSA, FBI and the CIA are all the same. Wake up people, save our country now or it’s over. Also a safe search engine that doesn’t track you, a good old fashioned private search engine Lookseek.com. Have an awesome day.

steven March 22, 2017 10:08 AM

Lame attempt at negative spin, coming from anonymous sources quoted in an unreliable publication.

Wikileaks never had to disclose anything, to any one, and they’re under no obligation to be responsible. Nonetheless, “irresponsible” would be to:
a. hoard the vulnerabilities – as the agencies did for years
b. disclose everything immediately while all users are at risk

If Wikileaks stipulated terms for getting early access to this information, and these companies (who can profit from getting said information) don’t like it, they should rightly make a counter-offer to Wikileaks involving a sum of money instead (akin to how bug bounty programs work).

tomb March 22, 2017 2:08 PM

Someone correct me if I’m wrong but it seems to me like we’re all wrapped up in the issue of CIA public non-disclosure of zero day vulnerabilities but this is a non-issue. Isn’t it the job of the NSA and NIST to provide discovery and disclosure services regarding computer security issues? The CIA’s job is, essentially, to formulate and strengthen social networks. One of the ways it can do this is by integrating its operations into the wallets of black markets and hacker communities. It’s a comparatively cheap way to keep track or guide the course of what powerful portions of the hacking community is working on.

Anura March 22, 2017 4:51 PM

@tommy

I think it’s extremely dangerous for a congressman to be accusing the President of working with foreign terrorists.

“In short, unless you’re talking to a foreign-based terrorist, the NSA is not monitoring you.” – David Nunes.

mike March 22, 2017 8:31 PM

@ Dirk Praet,” Implicitly admitting to this collusion would not be in any US tech company’s interest as it would further erode international confidence in their products, impact sales and thus shareholder value.”

This is very much a myth akin to saying companies make better, more durable products in order to stay in business.

It also in entirety ignored fact(s), that tech sector is heavily subsidized by you-know-who(s) from the bottom layer up, and rules of the lands.

Clive Robinson March 22, 2017 9:11 PM

@ Mike,

This is very much a myth akin to saying companies make better, more durable products in order to stay in business.

It’s not a myth, it depends on your frame of reference.

If two companies make similar products at a similar price and similar availability, most consumers will buy what they perceive as the better more durable product. It’s what “Good Will” used to be all about. It’s also what you tend to see in luxury markets irrespective of price.

It’s when manufacturers start to deal dishonestly with consumers that things start to go wrong for them, unless the manufacturer is de facto a monopoly or has formed a cartel with other major players.

tommy March 22, 2017 11:27 PM

Below is a letter by a founding member of Judicial Watch, Larry Klayman, dated to yesterday and written to Nunes. This fellow apparently now runs some kind of JW spin-off group. It claims a whistleblower, Dennis Montgomery, approached his org with a treasure trove of classified info after being rebuffed by government outlets. If–and it’s a big “if” given that I know little about the players here–this checks out and Montgomery’s evidence is what prompted Nunes, this is explosive:

http://www.freedomwatchusa.org/pdf/170321-Final%20Whistleblower%20Letter.pdf

tommy March 22, 2017 11:44 PM

If CIA/NSA contractor Montgomery really was in possession of 600 million pages of intel info and 47 hard drives as Klayman claims, he might be a strong candidate for our Vault 7 leaker but we’d need a clearer timeline to figure that out.

Clive Robinson March 23, 2017 2:39 AM

@ Tommy,

If CIA/NSA contractor Montgomery really was in possession of 600 million pages of intel info and 47 hard drives as Klayman claims

The quantity is not surprising if we think about others we know of that have liberated information out of the US IC.

[Montgomery] might be a strong candidate for our Vault 7 leaker but we’d need a clearer timeline to figure that out.

Honestly, I would not try and make that link until we have more information. We kind of made that mistake before after the Ed Snowden revelations.

I suspect there are a lot of very unhappy people in the US IC as the scales start to fall from some of their eyes and they see how other whistle blowers have been treated, I suspect “crisis of conscience” will happen to others.

The question that arises for me is how much dirt Montgomery has on other Government IC’s like those of Australia, Canada, Germany, Israel, New Zealand, Sweden, UK, etc, the brown stuff may well hit the fan very hard.

tommy March 23, 2017 4:10 PM

Montgomery and now others alleging the existence of a joint CIA/NSA eavesdropping system named (or nicknamed) “The Hammer” that’s set up at a naval base in Maryland. Claims Trump and millions of Americans were subjects of surveillance through this system:

https://twitter.com/kwilli1046/status/844889152638332928/video/1
