Dailydave mailing list archives
Re: Neal Stephenson, the EFF and Exploit Sales
From: Kyle Maxwell <krmaxwell () gmail com>
Date: Wed, 8 Aug 2012 15:01:57 -0500
On Wed, Aug 8, 2012 at 2:41 PM, Dave Aitel <dave.aitel () gmail com> wrote:
> Lately the EFF has been posting things that seem to want to restrict exploit sales ( https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate ) as if this somehow increases security for the Internet as a whole. Aside from regulation being an ineffective tool here, I don't think the EFF should have the particular worldview that giving up freedom for security here is an acceptable trade-off. And when Charlie Miller and I talked to an EFF representative at DefCon, she agreed with us.
>
> However, the current EFF stated opinion is this: "If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal"
>
> Calling for the government to regulate what kind of code you write sounds counter-productive to the EFF mission, and is definitely counter to the opinions of people on this list and in this community. Until the EFF changes their position, I recommend not donating to them or buying the strangely decorated shirts at DefCon.
(Disclosure: I'm a rank-and-file member of the EFF but with no special knowledge or access or anything.)

I don't read their statement the same way you do. That is, you're still free as far as I can tell to write whatever code you want to write. The EFF's real goal, I think, seems to be in the next sentence of the post you cited: "Unfortunately, if these exploits are being bought by governments for offensive purposes, then there is pressure to selectively harden sensitive targets while keeping the attack secret from everyone else, leaving technology—and its users—vulnerable to attack."

So, taking these two together, what the EFF seems to advocate is that vulnerabilities and such purchased with the intent to be used for offensive operations should also be used in some way for defensive operations. Subject to OPSEC concerns, I think this is more or less correct: if we know of a bug, we know it has a limited shelf life (especially once it's used). It makes sense to then transition to fixing the same problem in our systems.

Even if I misunderstand their position, or somebody disagrees with it, everybody has to decide whether the rest of the things they do outweigh this corner of their policy proposals. After all, they work on a lot more (and bigger) issues than just this, so for now I'm happy to continue buying schwag, sending them money, and volunteering for projects within my domain of expertise.

--
Kyle Maxwell [krmaxwell () gmail com]
http://www.xwell.org
Twitter: @kylemaxwell

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave