Features Download
From: Bas Alberts <bas.alberts <at> immunityinc.com>
Subject: Re: Neal Stephenson, the EFF and Exploit Sales
Newsgroups: gmane.comp.security.dailydave
Date: Tuesday 14th August 2012 16:15:55 UTC (over 4 years ago)
First of all, I love it when Ben Nagy writes. All aboard the Nagy-logic
I say, choo choo.

Second of all, I think it is hilarious how "cyber" has moved from
ironic use into standard industry lingo. I'm not sure tentatively ironic
what I think it means, but whatever.

I think the piece of the puzzle that people like the EFF, and other
supposed privacy advocates lack is an actual understanding of the subject
they're protesting.

To me it seems like what the EFF is doing is putting a veil of moral
on top of the commoditization of software flaws. They are trying to
between good and evil. Whenever people try to quantify right and wrong you
end up with preachy zealotism that results in little more than finger
and name calling. Case in point: Chris Soghoian. His twitter feed is a
example of what happens when morality meets misunderstanding and hyperbole.

It's very much human nature to declare something "of the devil" when you do
not fully understand it. It is the same kind of knee-jerk reactionism that
ended up with crusty hippie chicks burning at the stake in Salem.

At the end of the day this discussion seemingly boils down to the old
freedom versus security debate. And by antisec I mean of the 1992AD

Perfect security and absolute freedom are mutually exclusive. A perfectly
Internet implies an inherently controlled Internet. Think about it.

I would go as far as to say that 0day ownership promotes freedom for the
regardless of who is selling or buying it. That's coincidental. It is one
of the
few areas where a sufficiently motivated individual or group of individuals
find, exploit, and develop an offensive capability that rivals that of a
state. It represents a right to bear arms (RAWR!) on the Electronic

This quest for a state of perfect security by an organization that
promotes a free and open Internet baffles me. Especially considering the
EFF has
very much focused on offensive research themselves (DeepCrack anyone?) in

Improving security does not promote freedom for the individual. Unpublished
vulnerabilities are a constant regardless of which ones you choose to
remove from
the pool. Invididual security comes from impact containment, not patching

And even after all that, you still do not write your own software and you
install your operating systems and tools based on nothing but blind trust.

Government A, B, or C having purchased a vulnerability for software X, Y, Z
does not make you any less secure. You installing software X, Y, Z made you
less secure. The individual needs to make the informed assumption that
they operate on and use will and has been compromised. If that makes you
uncomfortable, oh well. Deal with it. Accept the facts and compartmentalize
accordingly. If that is too much work, so be it, but at least you made a
conscious choice and weighed your options.

Peace of mind is a game of context.

Personally I think vulnerabilities do less damage in their unpublished
whilst at the same time maintaining the option of freedom for the motivated
individual who is willing to do the work.

Now I hesitate to follow into the postulate that nation state sponsored
hacking prevents physical conflict and warfare.

Obviously at some point someone is ending up on the opposite side of a
somewhere if things escalate sufficiently enough regardless of how much
reduced the yield on whoever's nuclear centrifuges. I would have to assume
that these things are just part of larger operations and are more a
of efficiency than they are of not getting people killed.

I do however think people are barking up a tree that was planted long
they knew it existed or cared that it existed. Vulnerabilities and exploits
have always been a commodity ... a commodity of ego, humor and yes *gasp*
Exploit developers on both sides of the fence have been commoditizing
for close to 2 decades, if not longer. They've been commoditized as
tools, network tools, performance art, weapons, and political statements
regardless of whether they were private or public and regardless of who was
using them.

I don't know if that is right or wrong, nor do I particularly care. I
that makes me morally bankrupt by some standards. But I'm about as worried
getting hacked by a nation state as I am about getting run over by public

If someone wants to reach out and touch you, they will. Your shiny macbook
offers some more convenient and efficient ways to do so.


On Tue, Aug 14, 2012 at 03:33:32PM +0545, Ben Nagy wrote:
> I usually try to troll once on these kinds of topics and then shut up,
> but I think there are some very interesting things to be explored from
> looking at this mostly reasonable post.
> On Sat, Aug 11, 2012 at 3:54 AM, Michal Zalewski 
> > That said... the side effect of governments racing to hoard 0-days and
> > withhold them from the general public is that this drastically
> > increases the number of 0-day vulnerabilities that are known and
> > unpatched at any given time. This makes the Internet statistically
> > less safe,
> That's an assertion, and it really only holds logical water through
> the implicit premise that 'governments' are the only significant group
> that holds 0day without releasing them, and that 0day can't be in two
> places at once. I'd imagine you've already seen my point.
> As an aside, I'm fascinated by the constant emphasis on 0day here,
> it's almost like it's designed to make naive people think that 0day is
> the only, or at least a serious, threat to individual security.
> > and gives the government a monopoly in deciding who is
> > "important enough" to get that information and patch themselves.
> I like this dystopian future of yours where governments acquire
> defensive / offensive capability with absolutely no intent to make
> "The Internet" "safe" for anyone but "important people". Very noir.
> Not that I necessarily agree with this, but, I think there are a lot
> of people with a mindset like 'If our capability is greater than our
> enemies then our country is safer' where by country they mean
> themselves and all the people in it. Those people might go on to argue
> that 'you can't have a capability differential if you can't keep some
> secrets'.
> On this point, I offer a delicious false dichotomy. If you trust the
> Government, then why would you diminish their capacity to protect you?
> If you trust in the Individual, why would you tie their hands? [1]
> [...]
> > So I don't find EFF's argument particularly weird; it's possible to
> > hold that position and believe that the current patterns of
> > vulnerability trade are detrimental to the health of the Internet.
> > It's also possible to hold a different view.
> I am completely happy if the EFF manages somehow to convince 'The US
> Government' to act like ZDI, but using public money. Buy and release
> all the 0day! Or don't, let someone else buy it, whatever! No more
> secrets! It's never going to _work_ but an EFF that's railing against
> sneaky guvmint spies and shady agencies makes sense to me.
> I only become invested in the parts where they (or anyone) try to
> paint researchers who sell software as wrong and evil, and try to
> impose their own geopolitical worldview on individuals who, in many
> cases, owe no allegiance to US interests or indeed those of any state
> in particular. The arguments used along these lines, whether to
> further the position above, or whether as a stated position in and of
> itself are illogical, run contrary to the individual liberty the EFF
> claims to stand for and I think have cost them a lot of community
> respect.
> I'm going to drop this in here, because my statement above often gets
> read somehow as 'I endorse killing Syrian children'. I have seen, many
> times, the express or implied premise that 'bad regimes' use 0day to
> track and then torture people. This is usually followed by "Look!
> Batman!", and concludes triumphantly with "so thus any researcher
> selling any 0day is a bad person".
> Setting aside the question of who gets to make the 'bad regime'
> determination... from everything we know, that's just crap. They send
> their targets stock malware and say 'please install by clicking on
> this photo, love, er... not the government, srsly'. Or, they leverage
> the fact that they have physical access to the carrier, the internet
> cafes and so forth. (Or probably they just use humint cause it's
> easier). What those guys really need is better opsec, and I hope they
> continue to get it.[2]
> As others have said, let's go after the _real_ tools used by 'bad
> regimes', wherever in the world they may hide! Let's see, we need
> Metasploit, Backtrack, FinFisher, Northropp, Raytheon, EnCase, the
> Root CAs, BlueCoat, Cisco, Nortel (for the LI capacity in their
> carrier gear)... Oh wait, most of those guys have lobbyists, forget
> it.
> Finally, because "some people just want to watch the world burn", and
> since we're on the topic of 'cybers' and "what motivates governments",
> I wonder why we're talking a whole lot about the devastating cyber
> capability of the Middle East and not a single breath about China.
> Long live the Chinese Patriots writing The People's 0day! [3]
> Cheers,
> ben
> [1] And if you're smart enough to fully trust neither, why do you keep
> making such dumb, polarising arguments?
> [2] Or Security Awareness Training and AV! ( ...  too soon? )
> [3] Q: What's worse than a Cold War?    A: All of the other kinds.
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
CD: 2ms