Dailydave mailing list archives
Re: Neal Stephenson, the EFF and Exploit Sales
From: Ben Nagy <ben () iagu net>
Date: Tue, 14 Aug 2012 15:33:32 +0545
I usually try to troll once on these kinds of topics and then shut up, but I think there are some very interesting things to be explored from looking at this mostly reasonable post.

On Sat, Aug 11, 2012 at 3:54 AM, Michal Zalewski <lcamtuf () coredump cx> wrote:

> That said... the side effect of governments racing to hoard 0-days and withhold them from the general public is that this drastically increases the number of 0-day vulnerabilities that are known and unpatched at any given time. This makes the Internet statistically less safe,
That's an assertion, and it really only holds logical water through the implicit premise that 'governments' are the only significant group that holds 0day without releasing them, and that 0day can't be in two places at once. I'd imagine you've already seen my point. As an aside, I'm fascinated by the constant emphasis on 0day here, it's almost like it's designed to make naive people think that 0day is the only, or at least a serious, threat to individual security.
> and gives the government a monopoly in deciding who is "important enough" to get that information and patch themselves.
I like this dystopian future of yours where governments acquire defensive / offensive capability with absolutely no intent to make "The Internet" "safe" for anyone but "important people". Very noir.

Not that I necessarily agree with this, but, I think there are a lot of people with a mindset like 'If our capability is greater than our enemies then our country is safer' where by country they mean themselves and all the people in it. Those people might go on to argue that 'you can't have a capability differential if you can't keep some secrets'. On this point, I offer a delicious false dichotomy. If you trust the Government, then why would you diminish their capacity to protect you? If you trust in the Individual, why would you tie their hands? [1]

[...]
> So I don't find EFF's argument particularly weird; it's possible to hold that position and believe that the current patterns of vulnerability trade are detrimental to the health of the Internet. It's also possible to hold a different view.
I am completely happy if the EFF manages somehow to convince 'The US Government' to act like ZDI, but using public money. Buy and release all the 0day! Or don't, let someone else buy it, whatever! No more secrets! It's never going to _work_ but an EFF that's railing against sneaky guvmint spies and shady agencies makes sense to me.

I only become invested in the parts where they (or anyone) try to paint researchers who sell software as wrong and evil, and try to impose their own geopolitical worldview on individuals who, in many cases, owe no allegiance to US interests or indeed those of any state in particular. The arguments used along these lines, whether to further the position above, or whether as a stated position in and of itself, are illogical, run contrary to the individual liberty the EFF claims to stand for and I think have cost them a lot of community respect.

I'm going to drop this in here, because my statement above often gets read somehow as 'I endorse killing Syrian children'. I have seen, many times, the express or implied premise that 'bad regimes' use 0day to track and then torture people. This is usually followed by "Look! Batman!", and concludes triumphantly with "so thus any researcher selling any 0day is a bad person". Setting aside the question of who gets to make the 'bad regime' determination... from everything we know, that's just crap. They send their targets stock malware and say 'please install by clicking on this photo, love, er... not the government, srsly'. Or, they leverage the fact that they have physical access to the carrier, the internet cafes and so forth. (Or probably they just use humint cause it's easier). What those guys really need is better opsec, and I hope they continue to get it.[2]

As others have said, let's go after the _real_ tools used by 'bad regimes', wherever in the world they may hide! Let's see, we need Metasploit, Backtrack, FinFisher, Northropp, Raytheon, EnCase, the Root CAs, BlueCoat, Cisco, Nortel (for the LI capacity in their carrier gear)... Oh wait, most of those guys have lobbyists, forget it.

Finally, because "some people just want to watch the world burn", and since we're on the topic of 'cybers' and "what motivates governments", I wonder why we're talking a whole lot about the devastating cyber capability of the Middle East and not a single breath about China. Long live the Chinese Patriots writing The People's 0day! [3]

Cheers,

ben

[1] And if you're smart enough to fully trust neither, why do you keep making such dumb, polarising arguments?

[2] Or Security Awareness Training and AV! ( ... too soon? )

[3] Q: What's worse than a Cold War? A: All of the other kinds.

PS: HELLO KIWICON!! YES I AM WELL!! HOW ARE YOU?? BY THE WAY THIS CHANNEL MAY NOT BE SECURE!