Subject: Neal Stephenson, the EFF and Exploit Sales
Date: Wednesday 8th August 2012 19:41:52 UTC
So I have to admit I was a little disappointed in the Neal Stephenson "keynote" at BlackHat this year. First of all, it wasn't a keynote. It was one of those "Question and Answer" session things that conferences do because they don't require presentation on the part of the speaker, which means they're more likely to get someone to do it.

And I'm a fanatical fan of Neal Stephenson - to the point where I think his best books are his Quicksilver "Con-fusion" trilogy which most people agree are the hardest to get into (i.e. after the first 500 pages they're a real page turner!). So I thought the questions were banal - a lost opportunity to see what one of our generation's great futurists has to say about our industry.

He's explored these themes before, of course, which is why he was there in the first place... In fact, a lot of his books are about our industry and some even have the same characters, which is part of the fun. For example, there's "Eric" (or as you may remember him from Cryptonomicon: "Enoch Root" <http://baroquecycle.wikia.com/wiki/Enoch_Root>), who is an Immortal (and oddly enough an Alchemist). You'll see him doing things like raising the dead, and it's hinted that he's not particularly human, but merely visiting from "Elsewhere" on some sort of fact-finding mission. Then there's the Shaftoe family, which are generally the footsoldiers of all his books, and the Waterhouses, which are the scientists and hackers, and so forth.

In any case, at some point in his writing career, Neal got fascinated with the idea that there was, in fact, a titanic battle going on over the course of human history between the forces who would use technology for solving useful human problems and the forces of war. Ironically enough Neal represents this in Cryptonomicon as a sort of Athena project, if you will. And a lot of plot points turn on decisions about this in his books - for example, a gay German mathematician choosing not to give the Germans strong cryptography during WWII.

So this then is the question that was asked of DIRNSA at DefCon. A secure internet means that the nation would go deaf in many ways that are important. But an insecure one means we suffer under the economic and political pain of everyone always being hacked (those of you complaining about APT - this means you).

Lately the EFF has been posting things that seem to want to restrict exploit sales (https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate) as if this somehow increases security for the Internet as a whole. Aside from regulation being an ineffective tool here, I don't think the EFF should have the particular worldview that giving up freedom for security here is an acceptable trade-off. And when Charlie Miller and I talked to an EFF representative at DefCon, she agreed with us.

However, the current EFF stated opinion is this:

"*If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal*"

*Calling for the government to regulate what kind of code you write sounds counter-productive to the EFF mission*, and is definitely counter to the opinions of people on this list and in this community. Until the EFF changes their position, I recommend not donating to them or buying the strangely decorated shirts at DefCon.

Thanks,
Dave Aitel
Immunity, Inc.