[Dailydave] Neal Stephenson, the EFF and Exploit Sales

Dave Aitel dave at immunityinc.com
Fri Aug 10 15:57:29 EDT 2012


So your theory here is that because the EFF is calling for regulation of
the government's ability to use 0day it has bought, that they are still
advocating some sort of freedom? Frankly, I can't for the life of me
understand why the EFF would take these positions - they seem counter to
its mission, if not just completely confusing. It's like some selection
of people at the EFF got scared that 0day exists and took a random
position on the matter, completely ignoring that their (former) support
base has the opposite position on the "equities issue".

-dave


On 8/8/12 4:01 PM, Kyle Maxwell wrote:
> (Disclosure: I'm a rank-and-file member of the EFF but with no special
> knowledge or access or anything.)
>
> I don't read their statement the same way you do. That is, you're
> still free as far as I can tell to write whatever code you want to
> write. The EFF's real goal, I think, seems to be in the next sentence
> of the post you cited:
>
> "Unfortunately, if these exploits are being bought by governments for
> offensive purposes, then there is pressure to selectively harden
> sensitive targets while keeping the attack secret from everyone else,
> leaving technology—and its users—vulnerable to attack."
>
> So, taking these two together, what the EFF seems to advocate is that
> vulnerabilities and such purchased with the intent to be used for
> offensive operations should also be used in some way for defensive
> operations. Subject to OPSEC concerns, I think this is more or less
> correct: if we know of a bug, we know it has a limited shelf life
> (especially once it's used). It makes sense to then transition to
> fixing the same problem in our systems.
>
> Even if I misunderstand their position, or somebody disagrees with it,
> everybody has to decide whether the rest of the things they do
> outweigh this corner of their policy proposals. After all, they work
> on a lot more (and bigger) issues than just this, so for now I'm happy
> to continue buying schwag, sending them money, and volunteering for
> projects within my domain of expertise.
>
> --
> Kyle Maxwell [krmaxwell at gmail.com]
> http://www.xwell.org
> Twitter: @kylemaxwell


-- 
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com

