Dailydave mailing list archives
Re: Neal Stephenson, the EFF and Exploit Sales
From: Jason Syversen <jason.syversen () gmail com>
Date: Mon, 13 Aug 2012 12:10:07 -0400
On the flip side, the security industry has had a field day painting scary pictures of nefarious government organizations hacking computers around the world to spy on everyone. Kaspersky in particular is getting tons of press talking about "nation state" attacks (which very likely ARE nation state attacks) and drumming up business from everyone from CNN/Fox customers to CSOs. The 0-days used in those attacks drive awareness that it's not just a theoretical issue and people need to take the attacks seriously.

I would argue that the research doesn't change the "number of 0-day vulnerabilities that are known and unpatched at any given time". It might change the number that are known... but inversely probably drives the numbers that are patched UP, not down. Governments are not the only people interested in 0-days, and they certainly don't have a monopoly, as Pinkie Pie demonstrated.

I still agree with your conclusion Michal, just not some of the arguments used to get there. I'm a big supporter of EFF most of the time, but don't agree with them on every single topic and definitely don't think they should be arguing for government legislation regarding what code/research is legal or who can buy what. Governments can't even handle simple "cyber" regulation well, it's not clear to me who thinks they could handle a complex area like 0-day research effectively. That said, I'm not withdrawing my support from EFF either, hopefully they'll continue to spend their energies on more productive areas like IP law and Internet freedom.

Jason

On Fri, Aug 10, 2012 at 6:09 PM, Michal Zalewski <lcamtuf () coredump cx> wrote:
EFF takes a variety of positions on a variety of topics - and while they are great folks, if this is the first time you disagree with one of their positions, I'm surprised :-)

That said... the side effect of governments racing to hoard 0-days and withhold them from the general public is that this drastically increases the number of 0-day vulnerabilities that are known and unpatched at any given time. This makes the Internet statistically less safe, and gives the government a monopoly in deciding who is "important enough" to get that information and patch themselves.

The disparity in purchasing power is also troubling, given that governments have tons of "free money" to spend on defense, and are eager to do so, outcompeting any other buyers.

So I don't find EFF's argument particularly weird; it's possible to hold that position and believe that the current patterns of vulnerability trade are detrimental to the health of the Internet. It's also possible to hold a different view.

/mz

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave