From: David Maynor <dave <at> erratasec.com>
Subject: Re: Neal Stephenson, the EFF and Exploit Sales
Newsgroups: gmane.comp.security.dailydave
Date: Tuesday 14th August 2012 17:14:53 UTC
I agree that the EFF has lost its way. I wrote a blog post about it here: http://erratasec.blogspot.com/2012/08/who-will-fight-for-me.html.
Since the idea came from this list I thought I would join the conversation
here. I think this example shows the EFF is not what they are promoted to
be. It is not for Internet freedoms for all, it is for protecting certain
freedoms of certain people. I felt a political shift in the EFF after
Wikileaks/Manning to an anti-government viewpoint, which is different than
pro-individual viewpoint. In a nutshell, I feel the EFF would sacrifice
some of our freedoms in order to deny warfighting assets to the government.
I've heard lots of arguments that the EFF post targets the government and
not the researchers. I don't believe this. If you apply regulations to one
part of an industry, at some point regulations will seep to every part like
the stench of rotten eggs. At first it seems good: "awesome, the government
is making us safer by turning over 0day to manufacturers". Then it will
start downhill with simple things like any researcher selling 0day to the
government must take a drug test and diversity training. It will end up
with researchers having to go through the same process that a firearms
manufacturer does to make a weapon. The ATF would become the ATFE. There
would be mandatory fines for anyone caught with weapons grade exploits.
There will be mandatory government certs for pentesting, or you will need a
license to run Nessus.
Can you imagine a federal agent asking if you have the right paperwork for
the 100 line ruby script? How about a court case where some sysadmin has to
prove that he was using VNC for remote access and not as a backdoor. Don't
like your neighbor? Call the tip line and tell them you've seen 2600 mags,
hot pockets, and lots of strange people entering the dwelling carrying
computers. ATFE raid time!
These are all fictitious examples, but they demonstrate where regulation
ends. The EFF knows this and so do their apologists.
Asking/inviting/demanding the government get involved in the control of
anything will end badly for all those involved. Look at the FCC, ATF, and
FAA for examples of what slowly happens to an industry over time when
government regulation is imposed. Possession of certain equipment is made
illegal by some FCC rules without proper licensing. The ATF throws a $200
tax and a six-month wait time to buy a “silencer” for a gun, which
should be considered a safety device (they don’t work like they do in
movies). The FAA makes recreational flying a nightmare.
The worst part is that the politicians who are the butt of jokes about
"internet tubes" are the same people you would entrust to make law on this
very technical topic. It’s unbelievable.
David Maynor

On Aug 8, 2012, at 3:41 PM, Dave Aitel wrote:

So I have to admit I was a little disappointed in the Neal Stephenson
"keynote" at BlackHat this year. First of all, it wasn't a keynote. It was
one of those "Question and Answer" session things that conferences do
because they don't require presentation on the part of the speaker, which
means they're more likely to get someone to do it.

And I'm a fanatical fan of Neal Stephenson - to the point where I think his
best books are his Quicksilver "Con-fusion" trilogy which most people agree
are the hardest to get into (i.e. after the first 500 pages they're a real
page turner!). So I thought the questions were banal - a lost opportunity
to see what one of our generation's great futurists has to say about our
industry. He's explored these themes before, of course, which is why he was
there in the first place...

In fact, a lot of his books are about our industry and some even have the
same characters, which is part of the fun. For example, there's "Eric" (or
as you may remember him from Cryptonomicon: "Enoch Root" (http://baroquecycle.wikia.com/wiki/Enoch_Root)),
who is an Immortal (and oddly enough an Alchemist). You'll see him doing
things like raising the dead, and it's hinted that he's not particularly
human, but merely visiting from "Elsewhere" on some sort of fact finding
mission. Then there's the Shaftoe family, which are generally the
footsoldiers of all his books, and the Waterhouses, which are the
scientists and hackers, and so forth.

In any case, at some point in his writing career, Neal got fascinated with
the idea that there was, in fact, a titanic battle going on over the course
of human history between the forces of who would use technology for solving
useful human problems and the forces of war. Ironically enough Neal
represents this in Cryptonomicon as a sort of Athena project, if you will.
And a lot of plot points turn on decisions about this in his books - for
example, a gay German mathematician choosing not to give the Germans strong
cryptography during WWII.

So this then is the question that was asked of DIRNSA at DefCon. A secure
internet means that the nation would go deaf in many ways that are
important. But an insecure one means we suffer under the economic and
political pain of everyone always being hacked (those of you complaining
about APT - this means you).

Lately the EFF has been posting things that seem to want to restrict
exploit sales ( https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate
) as if this somehow increases security for the Internet as a whole. Aside
from regulation being an ineffective tool here, I don't think the EFF
should have the particular worldview that giving up freedom for security
here is an acceptable trade-off. And when Charlie Miller and I talked to an
EFF representative at DefCon, she agreed with us.

However, the current EFF stated opinion is this:
"If the U.S. government is serious about securing the Internet, any bill,
directive, or policy related to cybersecurity should work toward ensuring
that vulnerabilities are fixed, and explicitly disallow any clandestine
operations within the government that do not further this goal"

Calling for the government to regulate what kind of code you write sounds
counter-productive to the EFF mission, and is definitely counter to the
opinions of people on this list and in this community. Until the EFF
changes their position, I recommend not donating to them or buying the
strangely decorated shirts at DefCon.

Dave Aitel
Immunity, Inc.
