[Dailydave] Sympathy for the Devil

Ben Nagy ben at iagu.net
Thu Apr 5 00:47:35 EDT 2012


I haven't dailydave-blogged for a while, so excuse me if this gets a
little ranty...

On March 29, 2012, the EFF published an article by Marcia Hofmann and
Trevor Timm:
https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate

I have several problems with the article itself, but mainly with the
underlying sense of outrage. This frothing moral outrage apparently
blossomed recently in 'the twitters', that internet backwater where
enforced brevity reduces debate to the sophistication of 'AM NOT! ...
ARE TOO!' and thence was a bandwagon formed...

Fortunately, the article provides an excellent all-in-one stalking
horse, although I would like to make it absolutely clear that it is by
no means the only, or even the worst, example of this kind of
hysterical sophism I have come across (*cough* Soghoian *cough*);
it's merely the most recent I have seen which is written coherently
enough to even justify a response.

In a nutshell, some people are angry and jealous and afraid because
some security researchers are making money from research when they
should instead be wearing funny t-shirts, dressing like a zitty Neo
and doing what they're damn well told by Large US Corporations (in a
really cool, alternative way).

Let me begin with this. The article asserts that 'security researchers
should never turn a blind eye to their ethical responsibility to help
improve technology'. Imagine me saying this bit slowly:

I do not grant the premise.

In fact, so little granting, by me, of this premise, is done that the
depth of my antigranting can only be adequately expressed through
torturous grammar and neologism.

I think it's a perfectly valid moral choice for researchers to find
bugs and sell them for less than market value, or even give them away
for free. I don't think it's fine to assert that there's any objective
morality here at all. I absolutely don't think it's fine for anyone to
start hitting people over the head with an invented one, linked from
wiki-fricking-pedia and asserting that it 'should never be ignored'.

I love and hate argument by analogy when it comes to security, but
we're not talking about security, really, we're (allegedly) talking
about ethics. So, I'd like to offer drug companies as an example -
they have secrets which were created through research, ruthlessly
protect these secrets, and use that secret knowledge to make lots of
money to the direct, and sometimes fatal, detriment of large sections
of the global population - for which (defensibly) legal service they
are lauded by their millions of shareholders, and protected by their
governments.

And people think selling exploits is 'evil'?

Luckily, society has provided us with a convenient, if fuzzy, tool to
assess the ethical quality of actions when dispute arises. It's called
'the law', and I'd have thought the EFF might think more of it. ;)

The article does, graciously, allow that 'The governments who buy
zero-day exploits also bear responsibility here.' So I guess they do
recognize that the sector that creates both the key demand as well as
the legal framework within which the market operates does bear at
least a tiny bit of 'the blame' insofar as anyone has done anything
wrong.

This next bit is where the alarmist sophistry comes in [1]:

"the sale and use of exploits that leave ordinary users of popular
software vulnerable—a real cybersecurity threat—remains unmentioned in
this cybersecurity debate."

"Keeping flaws under wraps makes millions of Internet users less safe.
If exploits are used to conduct attacks on network infrastructure,
either in other countries or the U.S., those who sell exploits could
be complicit in such acts."

First of all, if the exploits are never released, then the Internet
Safety Delta is exactly zero. The bugs are already there, they don't
spring into existence the moment they're discovered - an alarmingly
common logical fallacy.

Secondly, to affect 'ordinary users', the exploit's use has to be
discovered, reverse engineered and then somehow make its way into the
hands of an entirely hypothetical lunatic who wants to use a $100k bug
to start owning up mom and pop computers and stealing their cat photos
- instead of the perfectly effective and a thousand times easier
approach of selling them "discount antivirus". Not to mention that
there are already a variety of easily available products ranging from
free (like MSF) to 'cheap' (like CANVAS / IMPACT etc) against which an
'ordinary user' stands about as much chance as an ant fighting God.

The 'covert remote access solutions' these guys deal in are like
high-end sniper rifles, not pipe bombs, and they're part of an
intricate 'cyber' dance that few people understand. The general public
needs to worry about them as much as they need to worry about getting
blown up by a prototype Predator drone. [2] I don't have any idea what
the buyers are using these things for, but if it were me I wouldn't be
using exploits from 'semipublic' and attributable provenance to hit
genuine adversaries where there was a chance of being caught. I might
use them in internal pentests, though. Or training. Or testing '0day
defence' systems. Or even just looking around to see if my OWN 0day
had been discovered yet...but none of that sounds sinister enough for
the paranoid attention seekers of the blogosphere, I guess.

As for the ridiculous implication that exploit sellers should feel
responsible for their eventual use, or, to go back a step, should even
really give a crap which direction every mouthbreather on twitter's
moral compass is pointing, I don't know whether to find it hilarious
or breathtakingly arrogant. Certainly from someone who had ever said
'guns don't kill people, people kill people' or pretended that the
first half of the Second Amendment was written in pencil it would be
the latter, but from the EFF I like to believe they were just having a
bad rhetoric day. Like this:

"As EFF has stated previously, this is "security for the 1%," and it
makes the rest of us less safe."

... because the supply of 'security' is absolutely finite, and so
someone having more of it automatically makes everyone else have less.
TERK ERR SEKYERRIDDY! US Workers demand more Cybers! The French are
arming the Russians and the Arabs! Occupy The Internet! Honestly - all
that's missing is a link between exploit sales and higher taxes.

Pleased to meet you. I spend my time milling cyber-gunpowder for
people that make cyber-bullets sold by "modern-day cyber-merchants of
death". I am the frumpish British mother that filled the shells for
the fire-bombing of Dresden. I am the Wal-Mart attendant that sold the
gun to the father of the last school shooter [3]. I do it for money,
because I like it, and because most of the time I don't need to wear
pants. I spend approximately no seconds of any day worrying about the
imaginary ethical implications of every little thing I do, and I am
not particularly unique.

Now where's our courtesy, some sympathy and some taste?

Cheers,

ben

[1] It's such an easy lie that I've even used it myself, years ago, to
finger-wag at CANVAS in a short paper called "Vulnerability Research,
Disclosure and Ethics". To some extent I was Just Wrong, and to some
extent I was writing in a different time and under a different
employer. I like to think of it now as mostly a history paper written
by a bright but naive student.

[2] *General Public in Pakistan Not Included. Void where Prohibited by
the Ability to Get Away With It.

[3] This is allegory; whichever shooting you think I'm referring to,
I'm not. Take a deep breath.
