Dailydave mailing list archives

Re: Neal Stephenson, the EFF and Exploit Sales

From: Don Bailey <don.bailey () gmail com>
Date: Fri, 10 Aug 2012 15:19:56 -0700

What is interesting is that the result of opposing zero day may, in effect, destroy the "other freedoms" that the EFF 
supports.

If zero day sales are driven further underground due to people like EFF lobbying for regulation, other movements are 
likely to manifest as a result. Why not regulate the development of code as a whole? Why aren't software engineers 
licensed, or have government approved certifications for designing "certain types" of software? Why not fine exploit 
developers for breaking their engineering limitations to enforce who can or can't write zero day? That certainly may 
limit zero day development.

Why don't we require identification for the purchase of computing equipment so if zero day is used on a device they can 
be tracked? 

While these are extreme examples, our world is changing fast. We may see a shift in the near future where security 
consultancies are no longer allowed to write or use exploits. Maybe only specific government contractors will have 
infosec jobs. Or, maybe no one will. 

The fact is, it is becoming clear that there are too many kids with guns these days. 

D

On Aug 10, 2012, at 12:57 PM, Dave Aitel <dave () immunityinc com> wrote:

So your theory here is that because the EFF is calling for regulation of
the government's ability to use 0day it has bought, that they are still
advocating some sort of freedom? Frankly, I can't for the life of me
understand why the EFF would take these positions - they seem counter to
its mission, if not just completely confusing. It's like some selection
of people at the EFF got scared that 0day exists and took a random
position on the matter, completely ignoring that their (former) support
base has the opposite position on the "equities issue".

-dave


On 8/8/12 4:01 PM, Kyle Maxwell wrote:

(Disclosure: I'm a rank-and-file member of the EFF but with no special
knowledge or access or anything.)

I don't read their statement the same way you do. That is, you're
still free as far as I can tell to write whatever code you want to
write. The EFF's real goal, I think, seems to be in the next sentence
of the post you cited:

"Unfortunately, if these exploits are being bought by governments for
offensive purposes, then there is pressure to selectively harden
sensitive targets while keeping the attack secret from everyone else,
leaving technology—and its users—vulnerable to attack."

So, taking these two together, what the EFF seems to advocate is that
vulnerabilities and such purchased with the intent to be used for
offensive operations should also be used in some way for defensive
operations. Subject to OPSEC concerns, I think this is more or less
correct: if we know of a bug, we know it has a limited shelf life
(especially once it's used). It makes sense to then transition to
fixing the same problem in our systems.

Even if I misunderstand their position, or somebody disagrees with it,
everybody has to decide whether the rest of the things they do
outweigh this corner of their policy proposals. After all, they work
on a lot more (and bigger) issues than just this, so for now I'm happy
to continue buying schwag, sending them money, and volunteering for
projects within my domain of expertise.

--
Kyle Maxwell [krmaxwell () gmail com]
http://www.xwell.org
Twitter: @kylemaxwell
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave



-- 
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

Neal Stephenson, the EFF and Exploit Sales Dave Aitel (Aug 08)
- Re: Neal Stephenson, the EFF and Exploit Sales Kyle Maxwell (Aug 10)
  - Re: Neal Stephenson, the EFF and Exploit Sales Dave Aitel (Aug 10)
    - Re: Neal Stephenson, the EFF and Exploit Sales Michal Zalewski (Aug 13)
    - Re: Neal Stephenson, the EFF and Exploit Sales Jason Syversen (Aug 14)
    - Re: Neal Stephenson, the EFF and Exploit Sales Ben Nagy (Aug 14)
    - Re: Neal Stephenson, the EFF and Exploit Sales Bas Alberts (Aug 14)
    - Re: Neal Stephenson, the EFF and Exploit Sales Michal Zalewski (Aug 14)
    - Re: Neal Stephenson, the EFF and Exploit Sales Don Bailey (Aug 13)
    - Re: Neal Stephenson, the EFF and Exploit Sales Christian Heinrich (Aug 13)
    - Re: Neal Stephenson, the EFF and Exploit Sales Tracy Reed (Aug 13)
    - Re: Neal Stephenson, the EFF and Exploit Sales Adam Shostack (Aug 14)
    - Re: Neal Stephenson, the EFF and Exploit Sales Haroon Meer (Aug 14)
    - Re: Neal Stephenson, the EFF and Exploit Sales Rich Mogull (Aug 17)
- Re: Neal Stephenson, the EFF and Exploit Sales Mary Landesman (Aug 14)
- Re: Neal Stephenson, the EFF and Exploit Sales David Maynor (Aug 14)
- <Possible follow-ups>
- Re: Neal Stephenson, the EFF and Exploit Sales Loose Tweets (Aug 10)
  - Re: Neal Stephenson, the EFF and Exploit Sales Loose Tweets (Aug 14)
    - Re: Neal Stephenson, the EFF and Exploit Sales Adriel T. Desautels (Aug 14)

(Thread continues...)