Dailydave mailing list archives

Re: Neal Stephenson, the EFF and Exploit Sales


From: Daniel Margolis <dan () af0 net>
Date: Fri, 17 Aug 2012 10:57:19 +0200

I don't think that that really follows.

First, I don't think it's necessarily the case that legislating based on
intent somehow opens the door to legislative overreach. In criminal law it
is nearly always the case (with the exception of a few specific statutory
crimes) for intent to be a component of criminality; this limits the
application of the law, rather than the opposite. You would not, I think,
argue that defining murder based on intent opens the door to unfairly
prosecuting other types of homicide.

Second, it doesn't sound to me like the EFF were really advocating any
restrictions on what we, as private actors, do; as Adam said, they were
only advocating limiting how tax dollars are spent. Complaining that this
limits our freedom as private actors seems tantamount to saying that
cutting the defense budget unfairly infringes upon the rights of military
contractors to sell expensive weapons to the Pentagon.

It might be true that limiting exploit sales to the government is the first
step down a slippery slope of limiting all exploit sales, but the EFF
didn't propose that--they only proposed limiting what the government can
spend money on. That's not itself an individual rights issue, is it?

(I think it's quite reasonable that some people here see the EFF's talk of
the "ethical responsibility" of exploit sales as building the rhetorical
base for regulating all exploit sales, but, well, isn't there some ethical
consideration to be made?)

On Wed, Aug 15, 2012 at 11:52 PM, Bas Alberts <bas.alberts () immunityinc com> wrote:

Two DD posts in as many days!

So, let's simmer down a bit and define what supposedly needs to be
regulated:

"The sale of 0day exploits to governments"

Now let's deconstruct what a 0day exploit is at its core:

"An input into an algorithm that causes unexpected and undocumented
results in the algorithm that are detrimental to the overall security
of the system implementing said algorithm."

Alright, hopefully that was broad enough for you nitpickers out there.

So, exploits generate inputs for software that make the software do
something it wasn't intended to do. The exploit itself is nothing
more than an input generator as such.

Now some of you may be all "lol yeah and a gun is nothing more than
a high velocity lead output generator" and you would be correct in
that assessment.

That still doesn't make the gun vs. exploit analogy fit any better
though.

Objectively speaking exploits are just data that are input into
software. I think we can all agree on that. The fact that this input
facilitates the more worrisome stage of malicious tool deployment is
coincidental. The exploit itself is agnostic in that regard. It
does nothing more than trigger existing paths and states in the
targeted software.

So playing devil's advocate, the argument is that certain types of
inputs into software should be regulated. That implies that there
is to be a regulatory body for types of input into software which
can establish the offensive intent of the input in question.

Right?

So now we're going to have to evaluate every software input generator
sold to the government to establish whether it is generating input
that may or may not have an undocumented impact on certain software
that may be beneficial in offensive scenarios.

We have to do this because we certainly would not want any exploit
sales to slip under the radar.

Correct?

What I'm getting at is that exploits, 0day or otherwise, are pieces
of software that generate input into other pieces of software. By
attempting to regulate software based on intent of use alone you are
opening the door to much broader regulation and restriction of software
development and software market freedom. Which is a point other people
have been trying to make on this list in various ways.

You are then also opening the Pandora's box of going after any offensive
tool, exploit or otherwise. Because if the bar for regulation is
set by intent of use alone, then any and all software development
can now be targeted under the very same regulations.

And _THAT_ does not strike me as the sort of thing the EFF supposedly
stands for.

Love,
Bas

On Tue, Aug 14, 2012 at 05:57:04PM -0400, Adriel T. Desautels wrote:
Oh I think it has the potential to cause harm, especially in the wrong
hands... which is why I think that the zero-day exploit market should be
regulated.  We're selling bullets and computers are the guns, there's no
doubting that.  That is why when we sell we are so selective.

We do our best to keep these tools in the right hands (being a matter
of perspective of course). And really, that's the most anyone can do
right?

What sorts of 0-days are you seeing?  I'm very interested.

On 8/14/12 5:33 PM, Michal Zalewski wrote:
How can anyone expect to protect themselves from zero-days if they can't
protect themselves from known issues for which patches / fixes already
exist?
I generally agree, and that's why I think the APT rhetoric is somewhat
harmful:
http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html

But you know, I'm also working for a company that happens to be
routinely targeted by 0-days - so I disagree with the argument that
0-day trade has no potential to cause harm.

/mz


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
