Dailydave mailing list archives

Re: Neal Stephenson, the EFF and Exploit Sales


From: Jason Syversen <jason.syversen () gmail com>
Date: Mon, 13 Aug 2012 12:10:07 -0400

On the flip side, the security industry has had a field day painting scary
pictures of nefarious government organizations hacking computers around the
world to spy on everyone. Kaspersky in particular is getting tons of press
talking about "nation state" attacks (which very likely ARE nation state
attacks) and drumming up business from everyone from CNN/Fox customers to
CSOs. The 0-days used in those attacks drive awareness that it's not just a
theoretical issue and people need to take the attacks seriously. I would
argue that the research doesn't change the "number of 0-day vulnerabilities
that are known and unpatched at any given time". It might change the number
that are known... but inversely probably drives the numbers that are
patched UP, not down.

Governments are not the only people interested in 0-days, and they
certainly don't have a monopoly, as Pinkie Pie demonstrated.  I still agree
with your conclusion Michal, just not some of the arguments used to get
there. I'm a big supporter of EFF most of the time, but don't agree with
them on every single topic and definitely don't think they should be
arguing for government legislation regarding what code/research is legal or
who can buy what. Governments can't even handle simple "cyber" regulation
well; it's not clear to me who thinks they could handle a complex area like
0-day research effectively. That said, I'm not withdrawing my support from
EFF either; hopefully they'll continue to spend their energies on more
productive areas like IP law and Internet freedom.

Jason

On Fri, Aug 10, 2012 at 6:09 PM, Michal Zalewski <lcamtuf () coredump cx> wrote:

EFF takes a variety of positions on a variety of topics - and while
they are great folks, if this is the first time you disagree with one
of their positions, I'm surprised :-)

That said... the side effect of governments racing to hoard 0-days and
withhold them from the general public is that this drastically
increases the number of 0-day vulnerabilities that are known and
unpatched at any given time. This makes the Internet statistically
less safe, and gives the government a monopoly in deciding who is
"important enough" to get that information and patch themselves. The
disparity in purchasing power is also troubling, given that
governments have tons of "free money" to spend on defense, and are
eager to do so, outcompeting any other buyers.

So I don't find EFF's argument particularly weird; it's possible to
hold that position and believe that the current patterns of
vulnerability trade are detrimental to the health of the Internet.
It's also possible to hold a different view.

/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
