[Dailydave] Neal Stephenson, the EFF and Exploit Sales

Bas Alberts bas.alberts at immunityinc.com
Wed Aug 15 17:52:53 EDT 2012


Two DD posts in as many days!

So, let's simmer down a bit and define what supposedly needs to be
regulated:

"The sale of 0day exploits to governments"

Now let's deconstruct what a 0day exploit is at its core:

"An input into an algorithm that causes unexpected and undocumented
results in the algorithm that are detrimental to the overall security
of the system implementing said algorithm." 

Alright, hopefully that was broad enough for you nitpickers out there.

So, exploits generate inputs for software that make the software do
something it wasn't intended to do. The exploit itself is nothing
more than an input generator as such.

Now some of you may be all "lol yeah and a gun is nothing more than
a high velocity lead output generator" and you would be correct in
that assessment.

That still doesn't make the gun vs. exploit analogy fit any better   
though.

Objectively speaking, exploits are just data that are input into
software. I think we can all agree on that. The fact that this input
facilitates the more worrisome stage of malicious tool deployment is
coincidental. The exploit itself is agnostic in that regard. It
does nothing more than trigger existing paths and states in the
targeted software. 

So playing devil's advocate, the argument is that certain types of
inputs into software should be regulated. That implies that there
is to be a regulatory body for types of input into software which
can establish the offensive intent of the input in question.

Right?

So now we're going to have to evaluate every software input generator
sold to the government to establish whether it is generating input
that may or may not have an undocumented impact on certain software
that may be beneficial in offensive scenarios.

We have to do this because we certainly would not want any exploit
sales to slip under the radar.

Correct?

What I'm getting at is that exploits, 0day or otherwise, are pieces
of software that generate input into other pieces of software. By
attempting to regulate software based on intent of use alone you are  
opening the door to much broader regulation and restriction of software
development and software market freedom. Which is a point other people 
have been trying to make on this list in various ways.

You are then also opening the Pandora's box of going after any offensive
tool, exploit or otherwise. Because if the bar for regulation is
set by intent of use alone, then any and all software development 
can now be targeted under the very same regulations.

And _THAT_ does not strike me as the sort of thing the EFF supposedly 
stands for.

Love,
Bas

On Tue, Aug 14, 2012 at 05:57:04PM -0400, Adriel T. Desautels wrote:
> Oh I think it has the potential to cause harm, especially in the wrong
> hands... which is why I think that the zero-day exploit market should be
> regulated.  We're selling bullets and computers are the guns, there's no
> doubting that.  That is why when we sell we are so selective.
> 
> We do our best to keep these tools in the right hands (being a matter
> of perspective of course). And really, that's the most anyone can do
> right? 
> 
> What sorts of 0-days are you seeing?  I'm very interested.
> 
> On 8/14/12 5:33 PM, Michal Zalewski wrote:
> >> How can anyone expect to protect themselves from zero-days if they can't
> >> protect themselves from known issues for which patches / fixes already
> >> exist?
> > I generally agree, and that's why I think the APT rhetoric is somewhat harmful:
> > http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html
> >
> > But you know, I'm also working for a company that happens to be
> > routinely targeted by 0-days - so I disagree with the argument that
> > 0-day trade has no potential to cause harm.
> >
> > /mz
> 

> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
