Re: Clarifying the record from EFF

[David Maynor <dave () erratasec com>]

It really seems like to me the EFF stance is being driven by people that are worried they may be victims of 0day usage 
and should therefore stop the government from having them. It seems you need a healthy mistrust of the government to be 
an EFF member these days. Someone on Twitter called me pure evil over the sale of exploits. You have to stop and think 
if these people would be so up in arms if I was giving 0day to anonymous or Syrian refugees.

Sadly I think the answer is no. This is one of the times that peoples own political views are spilling over into a 
technology area. I want to see an organization that fights for every bodies electronic freedoms equally instead of how 
often you add a #freemanning to your tweets.

While the department of Commerce may of not had an overwhelming victory in the crypto arena at the time hackers were 
those weird guys from Wargames, a  virus was something you tool medication for, and the internet was not used by most 
people. Now there are cyber battle spaces, military units fighting for funding in cyber warfare, and everyone know what 
a hacker is. I don't think the industry would survive if an assault was made to the degree it was done to crypto.

Just my thoughts.

On Aug 27, 2012, at 10:01 PM, Dave Aitel <dave.aitel () gmail com<mailto:dave.aitel () gmail com>> wrote:

Five or so years ago, when Mikko Hypponnen was still in a blissful imaginary world where bugs could be fixed and AV 
worked, George W Bush walked into a room full of defense and intelligence officials, and he pointed out to them in a 
dry Southern way how if they didn't think of something better that the Isrealis were 100% going to attack the Iranian 
nuclear program, and they were going to pull the United States into it, and there was going to be a large serving of  
_extremely unpleasant_ sandwich with a small side of possible nuclear winter for everyone involved...

And looking around the room, the people who had never shot a gun, who that very night would go home to play an RPG so 
hideously complex it has its own government, who spent the time before the meetings with high powered government 
officials arguing about Firefly versus Buffy the Vampire Slayer's various scripts, people who if given have a chance 
would expound upon deeply held personal opinons regarding various subtleties in the licensing of Unix 
distributions,...these people simply shrugged and said "Yeah, we got this one."

And hey look, here we are.

So let me just say here in this forum that I appreciate the EFF taking the time to  post, but I have to imagine that 
these issues can be thought out a bit more thoroughly...I can only posit that someone, or some group of people within 
the EFF, listened to Chris Soghoian who appears to be going on a profoundly uneducated crusade against exploit sellers 
(to which our personal liberty will be simple collateral damage).

I don't know if the EFF can change its position on this without losing face, but I also think a careful reading of the 
Commerce Department's EAR would demonstrate that we didn't exactly win the war against cryptographic restrictions 
either.

-dave

On Tue, Aug 21, 2012 at 11:45 AM, trevor <trevor () eff org<mailto:trevor () eff org>> wrote:
Hey folks,

Below is EFF's response to the Daily Dave thread entitled "Neal Stephenson, the EFF, and Exploit Sales."

In March, in the midst of a heated public about cybersecurity, EFF published an article entitled "Zero-Day Exploit 
Sales Should be a Key Point in the Cybersecurity Debate." Unfortunately, it has been mischaracterized and distorted on 
this list and other public forums, so we want to take the opportunity to clarify what we said, and importantly, what we 
didn't say.

The confusion seems to stem from this paragraph:
If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity 
should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within 
the government that do not further this goal. Unfortunately, if these exploits are being bought by governments for 
offensive purposes, then there is pressure to selectively harden sensitive targets while keeping the attack secret from 
everyone else, leaving technology—and its users—vulnerable to attack.

Based on this, we’ve been accused of calling for regulation of coders’ free speech rights.  But that is not what this 
paragraph (or the rest of the blog post) says.  This paragraph is about what the U.S. government should do, and not 
about coders at all.

Indeed, EFF established that code is speech in the 1990s in a case called Bernstein v. Department of Justice, winning 
the right to export cryptography (https://www.eff.org/press/archives/2008/04/21-29). We continue to defend these rights 
to this day. Any legislation or other government action that would restrict coders from writing code (and offering it 
to the government) should be presumptively unconstitutional, and rightly so.

The blog post was written while the House of Representatives was debating CISPA, a dangerous bill that would carve a 
huge hole in existing privacy law while not actually making the Internet any safer:

https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq-disturbing-privacy-dangers-cispa-and-how-you-stop-it

The basic point we were trying to make is that Congress should look at the government's own actions and consider what 
it could do to improve security before passing sweeping new legislation to scale back everyone else's rights. That 
includes the government’s own decisions to keep information from companies and the public that could help secure 
networks, systems, and critical data -- as part of a hidden offensive strategy or otherwise.

The main cybersecurity bills are no longer moving forward, but the debate about policies to address information 
security will doubtless continue.  In these discussions, EFF will continue to fight for the users, for the researchers, 
for robust privacy and security technology, and against governmental restrictions on the freedom to code.  While you 
may not agree with everything we do, we thank you for the opportunity to participate in the discussions on this forum.


--
Trevor Timm
Activist
Electronic Frontier Foundation
trevor () eff org<mailto:trevor () eff org>
415.436.9333 ext. 104<tel:415.436.9333%20ext.%20104>
www.eff.org<http://www.eff.org/>
454 Shotwell Street
San Francisco, CA 94110

Defending your civil liberties in the digital world.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com<mailto:Dailydave () lists immunityinc com>
https://lists.immunityinc.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com<mailto:Dailydave () lists immunityinc com>
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave