Dailydave mailing list archives

Re: Give us your tired, your poor, your exploit writers yearning to breath free!


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 30 Nov 2009 10:22:32 -0800

Team France pointed out that the legal situation for our industry has
gotten even more murky in France.

How so?

Weaponized exploits are at best dual-use - and one could argue that
their primary purpose is a socially undesirable one. The situation is
roughly similar to getting in trouble for selling keyloggers, SIM
cloning kits, etc - they do have some fringe legitimate uses, but
offering them to the highest bidder is bound to strike a chord with
many audiences, and many societies were eager to ban or restrict such
trade in the past. So what's new?

It's also not fundamentally different from existing legal attitudes
toward non-software dual-use tools; in a couple of western countries,
you need a prescription to buy syringes; in others, you are not
allowed to buy lockpicks. Silly, maybe. Profoundly sinister or
malicious? Probably not.

Now, admittedly, *all* attempts to restrict software trade are a bit
murky, as algorithms are at their core just ideas, and might be
considered free speech. I would still hate to be the company that
eagerly sold a weaponized 0-day to a shady, anonymous buyer, only to
find out the 0-day got used by a foreign government to pwn US
consulates around the world, though - as I suspect even this defense
may not be enough.

Cheers,
/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

