Subject: Re: Neal Stephenson, the EFF and Exploit Sales
Newsgroups: gmane.comp.security.dailydave
Date: Tuesday 14th August 2012 16:15:55 UTC

First of all, I love it when Ben Nagy writes. All aboard the Nagy-logic mantrain I say, choo choo.

Second of all, I think it is hilarious how "cyber" has moved from tentatively ironic use into standard industry lingo. I'm not sure tentatively ironic means what I think it means, but whatever.

I think the piece of the puzzle that people like the EFF, and other supposed privacy advocates, lack is an actual understanding of the subject matter they're protesting. To me it seems like what the EFF is doing is putting a veil of moral ambiguity on top of the commoditization of software flaws. They are trying to distinguish between good and evil. Whenever people try to quantify right and wrong you end up with preachy zealotism that results in little more than finger pointing and name calling.

Case in point: Chris Soghoian. His twitter feed is a painful example of what happens when morality meets misunderstanding and hyperbole. It's very much human nature to declare something "of the devil" when you do not fully understand it. It is the same kind of knee-jerk reactionism that ended up with crusty hippie chicks burning at the stake in Salem.

At the end of the day this discussion seemingly boils down to the old antisec freedom versus security debate. And by antisec I mean of the 1992AD variety. Perfect security and absolute freedom are mutually exclusive. A perfectly secure Internet implies an inherently controlled Internet. Think about it.

I would go as far as to say that 0day ownership promotes freedom for the individual, regardless of who is selling or buying it. That's coincidental. It is one of the few areas where a sufficiently motivated individual or group of individuals can find, exploit, and develop an offensive capability that rivals that of a nation state. It represents a right to bear arms (RAWR!) on the Electronic Frontier(tm).

This quest for a state of perfect security by an organization that supposedly promotes a free and open Internet baffles me. Especially considering the EFF has very much focused on offensive research themselves (DeepCrack anyone?) in the past.

Improving security does not promote freedom for the individual. Unpublished vulnerabilities are a constant regardless of which ones you choose to remove from the pool. Individual security comes from impact containment, not patching bugs. And even after all that, you still do not write your own software and you still install your operating systems and tools based on nothing but blind trust. Government A, B, or C having purchased a vulnerability for software X, Y, Z does not make you any less secure. You installing software X, Y, Z made you less secure.

The individual needs to make the informed assumption that anything they operate on and use will be and has been compromised. If that makes you uncomfortable, oh well. Deal with it. Accept the facts and compartmentalize accordingly. If that is too much work, so be it, but at least you made a conscious choice and weighed your options. Peace of mind is a game of context.

Personally I think vulnerabilities do less damage in their unpublished format whilst at the same time maintaining the option of freedom for the motivated individual who is willing to do the work.

Now I hesitate to follow into the postulate that nation state sponsored hacking prevents physical conflict and warfare. Obviously at some point someone is ending up on the opposite side of a barrel somewhere if things escalate sufficiently enough, regardless of how much you've reduced the yield on whoever's nuclear centrifuges. I would have to assume that these things are just part of larger operations and are more a question of efficiency than they are of not getting people killed.

I do however think people are barking up a tree that was planted long before they knew it existed or cared that it existed. Vulnerabilities and exploits have always been a commodity ... a commodity of ego, humor and yes *gasp* money. Exploit developers on both sides of the fence have been commoditizing exploits for close to 2 decades, if not longer. They've been commoditized as marketing tools, network tools, performance art, weapons, and political statements ... regardless of whether they were private or public and regardless of who was using them.

I don't know if that is right or wrong, nor do I particularly care. I suppose that makes me morally bankrupt by some standards. But I'm about as worried about getting hacked by a nation state as I am about getting run over by public transit. If someone wants to reach out and touch you, they will. Your shiny macbook just offers some more convenient and efficient ways to do so.

Love,
Bas

On Tue, Aug 14, 2012 at 03:33:32PM +0545, Ben Nagy wrote:
> I usually try to troll once on these kinds of topics and then shut up,
> but I think there are some very interesting things to be explored from
> looking at this mostly reasonable post.
>
> On Sat, Aug 11, 2012 at 3:54 AM, Michal Zalewski