Re: Neal Stephenson, the EFF and Exploit Sales
[Posted August 15, 2012 by jake]
From: David Maynor <dave-AT-erratasec.com>
To: Dave Aitel <dave.aitel-AT-gmail.com>
Subject: Re: Neal Stephenson, the EFF and Exploit Sales
Date: Tue, 14 Aug 2012 12:14:53 -0500
Message-ID: <9FDDCC77-5F59-4912-8894-7DE2713C50F3@erratasec.com>
Cc: "dailydave-AT-lists.immunityinc.com" <dailydave-AT-lists.immunityinc.com>
I agree that the EFF has lost its way. I wrote a blogpost about it here:
http://erratasec.blogspot.com/2012/08/who-will-fight-for-.... Since the idea came from this
list I thought I would join the conversation here. I think this example shows the EFF is not what
they are promoted to be. It is not for Internet freedoms for all, it is for protecting certain
freedoms of certain people. I felt a political shift in the EFF after Wikileaks/Manning to an
anti-government viewpoint, which is different from a pro-individual viewpoint. In a nutshell, I feel
the EFF would sacrifice some of our freedoms in order to deny warfighting assets to the
government.
I've heard lots of arguments that the EFF post targets the government and not the researchers. I
don't believe this. If you apply regulations to one part of an industry, at some point regulations
will seep to every part like the stench of rotten eggs. At first it seems good: "awesome, the
government is making us safer by turning over 0day to manufacturers". Then it will start downhill
with simple things like any researcher selling 0day to the government must take a drug test and
diversity training. It will end up with researchers having to go through the same process that a
firearms manufacturer does to make a weapon. The ATF would become the ATFE. There would be
mandatory fines for anyone caught with weapons grade exploits. There will be mandatory government
certs for pentesting, or you will need a license to run Nessus.
Can you imagine a federal agent asking if you have the right paperwork for the 100 line ruby
script? How about a court case where some sysadmin has to prove that he was using VNC for remote
access and not as a backdoor. Don't like your neighbor? Call the tip line and tell them you've seen
2600 mags, hot pockets, and lots of strange people entering the dwelling carrying computers. ATFE
raid time!
These are all fictitious examples, but they demonstrate where regulation ends. The EFF knows this
and so do their apologists. Asking/inviting/demanding the government get involved in the control of
anything will end badly for all those involved. Look at the FCC, ATF, and FAA for examples of what
slowly happens to an industry over time when government regulation is imposed. Possession of
certain equipment is made illegal by some FCC rules without proper licensing. The ATF throws a $200
tax and a six-month wait time to buy a "silencer" for a gun, which should be considered a safety
device (they don’t work like they do in movies). The FAA makes recreational flying a nightmare.
The worst part is that the politicians who are the butt of jokes about "internet tubes" are the
same people you would entrust to make law on this very technical topic. It’s unbelievable.
David Maynor
On Aug 8, 2012, at 3:41 PM, Dave Aitel <dave.aitel@gmail.com> wrote:
So I have to admit I was a little disappointed in the Neal Stephenson "keynote" at BlackHat this
year. First of all, it wasn't a keynote. It was one of those "Question and Answer" session things
that conferences do because they don't require presentation on the part of the speaker, which means
they're more likely to get someone to do it.
And I'm a fanatical fan of Neal Stephenson - to the point where I think his best books are his
Quicksilver "Con-fusion" trilogy which most people agree are the hardest to get into (i.e. after
the first 500 pages they're a real page turner!). So I thought the questions were banal - a lost
opportunity to see what one of our generation's great futurists has to say about our industry. He's
explored these themes before, of course, which is why he was there in the first place...
In fact, a lot of his books are about our industry and some even have the same characters, which is
part of the fun. For example, there's "Eric" (or as you may remember him from Cryptonomicon: "Enoch
Root (http://baroquecycle.wikia.com/wiki/Enoch_Root)"), who is an Immortal (and oddly enough an
Alchemist). You'll see him doing things like raising the dead, and it's hinted that he's not
particularly human, but merely visiting from "Elsewhere" on some sort of fact finding mission. Then
there's the Shaftoe family, which are generally the footsoldiers of all his books, and the
Waterhouses, which are the scientists and hackers, and so forth.
In any case, at some point in his writing career, Neal got fascinated with the idea that there was,
in fact, a titanic battle going on over the course of human history between the forces of who would
use technology for solving useful human problems and the forces of war. Ironically enough Neal
represents this in Cryptonomicon as a sort of Athena project, if you will. And a lot of plot points
turn on decisions about this in his books - for example, a gay German mathematician choosing not to
give the Germans strong cryptography during WWII.
So this then is the question that was asked of DIRNSA at DefCon. A secure internet means that the
nation would go deaf in many ways that are important. But an insecure one means we suffer under the
economic and political pain of everyone always being hacked (those of you complaining about APT -
this means you).
Lately the EFF has been posting things that seem to want to restrict exploit sales (
https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sa... ) as if this somehow increases security for the Internet as a whole. Aside from regulation being an ineffective tool here, I don't think the EFF should have the particular worldview that giving up freedom for security here is an acceptable trade-off. And when Charlie Miller and I talked to an EFF representative at DefCon, she agreed with us.
However, the current EFF stated opinion is this:
"If the U.S. government is serious about securing the Internet, any bill, directive, or policy
related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly
disallow any clandestine operations within the government that do not further this goal"
Calling for the government to regulate what kind of code you write sounds counter-productive to the
EFF mission, and is definitely counter to the opinions of people on this list and in this
community. Until the EFF changes their position, I recommend not donating to them or buying the
strangely decorated shirts at DefCon.
Thanks,
Dave Aitel
Immunity, Inc.
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave