Dailydave mailing list archives

Re: Neal Stephenson, the EFF and Exploit Sales


From: "Dr. Sandro Gaycken" <s.gaycken () fu-berlin de>
Date: Wed, 15 Aug 2012 11:28:03 +0200

Fascinating post and good comments! I did some research on this, and I'm trying to push some international regulation 
on 0days (sorry about that..), so I'd like to add a few thoughts.

(1) 0days are not the only attack vector of course, but they are important for APTs. APTs want to have high confidence 
in their attacks, and they usually go for high value targets. High value targets (should) have fairly good IT-sec and 
awareness, so a highly reliable attack path can best be created by a combination of 0days and secret service tactics. 
They will use some other stuff with sufficient reliability too, but 0days will be important. 

(2) Because of this, 0days could be considered potential weapons and controlled respectively. In Germany, we have the 
"Kriegswaffenkontrollgesetz" (War Weapons Control Act), controlling the creation, sale and export of any kind of 
weapons, and it's likely that we will have to enforce a similar kind of transparency regarding 0days. The US has 
something similar, the EAR (Export Administration Regulations). This doesn't inhibit your research. You can still 
research and sell. But: (1) there will be paperwork, (2) you might have to implement more security in your own offices 
so no bad guys from other militaries steal your exploits (which they will certainly try from now on, by the way), (3) 
very dangerous exploits might be confiscated or disclosure might be limited to those affected only, and (4) you will 
only be able to sell to friends, not to potential adversaries (every country has a list).

(3) Some governments are hoarding 0days already (as far as possible NOT cooperating with any kind of industry on this), 
and they are refining tools, modularization and methodologies to extend the shelf-life and render them into 
multi-purpose tools, so the CBRs get better (whoever brought up this idea of "cyber"weapons being single-use only was 
an idiot). This is a fact from now on. And because governments are hoarding, but frequently don't pay enough to afford 
high-end researchers and developers, a new kind of industry is already developing: the hacker mercenary. This is a 
business model for the nearer future and a great concern for us regulators. Governments are dangerous, but they behave 
along certain rational patterns and will not do with certain things. Many mercenaries will simply sell to whoever has 
the money, no matter what the plan is. If we do not control them, they might sell exploits for allied IC4R-C&C-systems 
to the Taliban, to state a worst case example. That would turn a crucial advantage into a crucial disadvantage, and it 
could turn the tides there.

(4) To confront this whole thing, a friend of mine and I once made a fairly rough thought experiment (rough because 
many of the numbers had to be educated guesses) on this question: how many 0days would have to be discovered per month 
to discourage APTs for good and finish the whole story at this most dangerous end. If a high amount of 0days would be 
discovered each month, APTs couldn't be certain that the one they are developing or using at present isn't among them, 
blowing up their whole attack prematurely, which has a couple of very negative side-effects. Concluding, they will lose 
confidence in this kind of tool and turn back to more old-fashioned vectors. From our admittedly rather hypothetical 
assumptions, it turned out that a sufficient effort on mass discovery of 0days could be undertaken, if only 20 willing 
nations would invest about 20 million Euros per year - a fairly small price to pay in comparison with the risks and the 
costs associated with high-security IT as an alternative. So this could be a goal of international IT-defense 
cooperation. It would completely destroy the 
0day market, of course (although you could presumably assume very good posts in government, academia and consulting), 
and there will be a couple of other problems like getting the sufficient amount of hackers to do the job and getting 
the industry to patch all that stuff in time. But those problems could be preferable to the vast spectrum of 
alternative problems. The paper on this is here: http://www.cyberdialogue.ca/readings/ (it's called "Zero Day 
Governance"), and we'd love to get some critical comments on our assumptions, should you feel inclined to read into it. 
We'll try to get those substantiated by more empirical research, by the way - promised! :)

So sorry if there's a bunch of bad news here, but 0days have turned into an important military asset these days. 
Stuxnet started it as a proof of concept, and it's an irreversible trend. It just makes a lot of sense from an 
offensive point of view. Associated with that, being a security researcher will change quite a bit over the next few 
years.

Best,
Sandro (since most of you won't know me: a university researcher and a government guy (in Germany))