Dailydave mailing list archives
Re: Neal Stephenson, the EFF and Exploit Sales
From: Bas Alberts <bas.alberts () immunityinc com>
Date: Tue, 14 Aug 2012 12:15:55 -0400
First of all, I love it when Ben Nagy writes. All aboard the Nagy-logic mantrain I say, choo choo. Second of all, I think it is hilarious how "cyber" has moved from tentatively ironic use into standard industry lingo. I'm not sure tentatively ironic means what I think it means, but whatever. I think the piece of the puzzle that people like the EFF, and other supposed privacy advocates lack is an actual understanding of the subject matter they're protesting. To me it seems like what the EFF is doing is putting a veil of moral ambiguity on top of the commoditization of software flaws. They are trying to distinguish between good and evil. Whenever people try to quantify right and wrong you end up with preachy zealotism that results in little more than finger pointing and name calling. Case in point: Chris Soghoian. His twitter feed is a painful example of what happens when morality meets misunderstanding and hyperbole. It's very much human nature to declare something "of the devil" when you do not fully understand it. It is the same kind of knee-jerk reactionism that ended up with crusty hippie chicks burning at the stake in Salem. At the end of the day this discussion seemingly boils down to the old antisec freedom versus security debate. And by antisec I mean of the 1992AD variety. Perfect security and absolute freedom are mutually exclusive. A perfectly secure Internet implies an inherently controlled Internet. Think about it. I would go as far as to say that 0day ownership promotes freedom for the individual, regardless of who is selling or buying it. That's coincidental. It is one of the few areas where a sufficiently motivated individual or group of individuals can find, exploit, and develop an offensive capability that rivals that of a nation state. It represents a right to bear arms (RAWR!) on the Electronic Frontier(tm). This quest for a state of perfect security by an organization that supposedly promotes a free and open Internet baffles me. Especially considering the EFF has very much focused on offensive research themselves (DeepCrack anyone?) in the past. Improving security does not promote freedom for the individual. Unpublished vulnerabilities are a constant regardless of which ones you choose to remove from the pool. Invididual security comes from impact containment, not patching bugs. And even after all that, you still do not write your own software and you still install your operating systems and tools based on nothing but blind trust. Government A, B, or C having purchased a vulnerability for software X, Y, Z does not make you any less secure. You installing software X, Y, Z made you less secure. The individual needs to make the informed assumption that anything they operate on and use will and has been compromised. If that makes you uncomfortable, oh well. Deal with it. Accept the facts and compartmentalize accordingly. If that is too much work, so be it, but at least you made a conscious choice and weighed your options. Peace of mind is a game of context. Personally I think vulnerabilities do less damage in their unpublished format whilst at the same time maintaining the option of freedom for the motivated individual who is willing to do the work. Now I hesitate to follow into the postulate that nation state sponsored hacking prevents physical conflict and warfare. Obviously at some point someone is ending up on the opposite side of a barrel somewhere if things escalate sufficiently enough regardless of how much you've reduced the yield on whoever's nuclear centrifuges. I would have to assume that these things are just part of larger operations and are more a question of efficiency than they are of not getting people killed. I do however think people are barking up a tree that was planted long before they knew it existed or cared that it existed. Vulnerabilities and exploits have always been a commodity ... a commodity of ego, humor and yes *gasp* money. Exploit developers on both sides of the fence have been commoditizing exploits for close to 2 decades, if not longer. They've been commoditized as marketing tools, network tools, performance art, weapons, and political statements ... regardless of whether they were private or public and regardless of who was using them. I don't know if that is right or wrong, nor do I particularly care. I suppose that makes me morally bankrupt by some standards. But I'm about as worried about getting hacked by a nation state as I am about getting run over by public transit. If someone wants to reach out and touch you, they will. Your shiny macbook just offers some more convenient and efficient ways to do so. Love, Bas On Tue, Aug 14, 2012 at 03:33:32PM +0545, Ben Nagy wrote:
I usually try to troll once on these kinds of topics and then shut up, but I think there are some very interesting things to be explored from looking at this mostly reasonable post. On Sat, Aug 11, 2012 at 3:54 AM, Michal Zalewski <lcamtuf () coredump cx> wrote:That said... the side effect of governments racing to hoard 0-days and withhold them from the general public is that this drastically increases the number of 0-day vulnerabilities that are known and unpatched at any given time. This makes the Internet statistically less safe,That's an assertion, and it really only holds logical water through the implicit premise that 'governments' are the only significant group that holds 0day without releasing them, and that 0day can't be in two places at once. I'd imagine you've already seen my point. As an aside, I'm fascinated by the constant emphasis on 0day here, it's almost like it's designed to make naive people think that 0day is the only, or at least a serious, threat to individual security.and gives the government a monopoly in deciding who is "important enough" to get that information and patch themselves.I like this dystopian future of yours where governments acquire defensive / offensive capability with absolutely no intent to make "The Internet" "safe" for anyone but "important people". Very noir. Not that I necessarily agree with this, but, I think there are a lot of people with a mindset like 'If our capability is greater than our enemies then our country is safer' where by country they mean themselves and all the people in it. Those people might go on to argue that 'you can't have a capability differential if you can't keep some secrets'. On this point, I offer a delicious false dichotomy. If you trust the Government, then why would you diminish their capacity to protect you? If you trust in the Individual, why would you tie their hands? [1] [...]So I don't find EFF's argument particularly weird; it's possible to hold that position and believe that the current patterns of vulnerability trade are detrimental to the health of the Internet. It's also possible to hold a different view.I am completely happy if the EFF manages somehow to convince 'The US Government' to act like ZDI, but using public money. Buy and release all the 0day! Or don't, let someone else buy it, whatever! No more secrets! It's never going to _work_ but an EFF that's railing against sneaky guvmint spies and shady agencies makes sense to me. I only become invested in the parts where they (or anyone) try to paint researchers who sell software as wrong and evil, and try to impose their own geopolitical worldview on individuals who, in many cases, owe no allegiance to US interests or indeed those of any state in particular. The arguments used along these lines, whether to further the position above, or whether as a stated position in and of itself are illogical, run contrary to the individual liberty the EFF claims to stand for and I think have cost them a lot of community respect. I'm going to drop this in here, because my statement above often gets read somehow as 'I endorse killing Syrian children'. I have seen, many times, the express or implied premise that 'bad regimes' use 0day to track and then torture people. This is usually followed by "Look! Batman!", and concludes triumphantly with "so thus any researcher selling any 0day is a bad person". Setting aside the question of who gets to make the 'bad regime' determination... from everything we know, that's just crap. They send their targets stock malware and say 'please install by clicking on this photo, love, er... not the government, srsly'. Or, they leverage the fact that they have physical access to the carrier, the internet cafes and so forth. (Or probably they just use humint cause it's easier). What those guys really need is better opsec, and I hope they continue to get it.[2] As others have said, let's go after the _real_ tools used by 'bad regimes', wherever in the world they may hide! Let's see, we need Metasploit, Backtrack, FinFisher, Northropp, Raytheon, EnCase, the Root CAs, BlueCoat, Cisco, Nortel (for the LI capacity in their carrier gear)... Oh wait, most of those guys have lobbyists, forget it. Finally, because "some people just want to watch the world burn", and since we're on the topic of 'cybers' and "what motivates governments", I wonder why we're talking a whole lot about the devastating cyber capability of the Middle East and not a single breath about China. Long live the Chinese Patriots writing The People's 0day! [3] Cheers, ben [1] And if you're smart enough to fully trust neither, why do you keep making such dumb, polarising arguments? [2] Or Security Awareness Training and AV! ( ... too soon? ) [3] Q: What's worse than a Cold War? A: All of the other kinds. PS: HELLO KIWICON!! YES I AM WELL!! HOW ARE YOU?? BY THE WAY THIS CHANNEL MAY NOT BE SECURE! _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Neal Stephenson, the EFF and Exploit Sales Dave Aitel (Aug 08)
- Re: Neal Stephenson, the EFF and Exploit Sales Kyle Maxwell (Aug 10)
- Re: Neal Stephenson, the EFF and Exploit Sales Dave Aitel (Aug 10)
- Re: Neal Stephenson, the EFF and Exploit Sales Michal Zalewski (Aug 13)
- Re: Neal Stephenson, the EFF and Exploit Sales Jason Syversen (Aug 14)
- Re: Neal Stephenson, the EFF and Exploit Sales Ben Nagy (Aug 14)
- Re: Neal Stephenson, the EFF and Exploit Sales Bas Alberts (Aug 14)
- Re: Neal Stephenson, the EFF and Exploit Sales Michal Zalewski (Aug 14)
- Re: Neal Stephenson, the EFF and Exploit Sales Dave Aitel (Aug 10)
- Re: Neal Stephenson, the EFF and Exploit Sales Don Bailey (Aug 13)
- Re: Neal Stephenson, the EFF and Exploit Sales Christian Heinrich (Aug 13)
- Re: Neal Stephenson, the EFF and Exploit Sales Tracy Reed (Aug 13)
- Re: Neal Stephenson, the EFF and Exploit Sales Adam Shostack (Aug 14)
- Re: Neal Stephenson, the EFF and Exploit Sales Kyle Maxwell (Aug 10)
- Re: Neal Stephenson, the EFF and Exploit Sales Haroon Meer (Aug 14)
- Re: Neal Stephenson, the EFF and Exploit Sales Rich Mogull (Aug 17)
- <Possible follow-ups>
- Re: Neal Stephenson, the EFF and Exploit Sales Loose Tweets (Aug 10)