Features Download
From: Dave Aitel <dave.aitel <at> gmail.com>
Subject: Neal Stephenson, the EFF and Exploit Sales
Newsgroups: gmane.comp.security.dailydave
Date: Wednesday 8th August 2012 19:41:52 UTC (over 5 years ago)
[image: Inline image 2]

So I have to admit I was a little disappointed in the Neal Stephenson
"keynote" at BlackHat this year. First of all, it wasn't a keynote. It was
one of those "Question and Answer" session things that conferences do
because they don't require presentation on the part of the speaker, which
means they're more likely to get someone to do it.

And I'm a fanatical fan of Neal Stephenson - to the point where I think his
best books is his Quicksilver "Con-fusion" trilogy which most people agree
are the hardest to get into (i.e. after the first 500 pages they're a real
page turner!). So I thought the questions were banal - a lost opportunity
to see what one of our generation's great futurists has to say about our
industry. He's explored these themes before, of course, which is why he was
there in the first place...

In fact, a lot of his books are about our industry and some even have the
same characters, which is part of the fun. For example, there's "Eric" (or
as you may remember him from Cryptonomicon: "Enoch
who is an Immortal (and oddly enough an Alchemist). You'll see him doing
things like raising the dead, and it's hinted that he's
not particularly human, but merely visiting from "Elsewhere" on some sort
of fact finding mission. Then there's the Shaftoe family, which are
generally the footsoldiers of all his books, and the Waterhouses, which are
the scientists and hackers, and so forth.

In any case, at some point in his writing career, Neal got fascinated with
the idea that there was, in fact, a titanic battle going on over the course
of human history between the forces of who would use technology for solving
useful human problems and the forces of war. Ironically enough Neal
represents this in Cryptonomicon as a sort of Athena project, if you will.
And a lot of plot points turn on decisions about this in his books - for
example, a gay German mathematician choosing not to give the Germans strong
cryptography during WWII.

[image: Inline image 1]

So this then is the question that was asked of DIRNSA at DefCon. A secure
internet means that the nation would go deaf in many ways that are
important. But an insecure one means we suffer under the economic and
political pain of everyone always being hacked (those of you complaining
about APT - this means you).

Lately the EFF has been posting things that seem to want to restrict
exploit sales (
as if this somehow increases security for the Internet as a whole.
from regulation being an ineffective tool here, I don't think the EFF
should have the particular worldview that giving up freedom for security
here is an acceptable trade-off. And when Charlie Miller and I talked to an
EFF representative at DefCon, she agreed with us.

However, the current EFF stated opinion is this:
"*If the U.S. government is serious about securing the Internet, any bill,
directive, or policy related to cybersecurity should work toward ensuring
that vulnerabilities are fixed, and explicitly disallow any clandestine
operations within the government that do not further this goal*"

*Calling for the government to regulate what kind of code you write sounds
counter-productive to the EFF mission*, and is definitely counter to the
opinions of people on this list and in this community. Until the EFF
changes their position, I recommend not donating to them or buying the
strangely decorated shirts at DefCon.

Dave Aitel
Immunity, Inc.
CD: 19ms