[Dailydave] Neal Stephenson, the EFF and Exploit Sales

Ben Nagy ben at iagu.net
Tue Aug 14 05:48:32 EDT 2012

I usually try to troll once on these kinds of topics and then shut up,
but I think there are some very interesting things to be explored from
looking at this mostly reasonable post.

On Sat, Aug 11, 2012 at 3:54 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> That said... the side effect of governments racing to hoard 0-days and
> withhold them from the general public is that this drastically
> increases the number of 0-day vulnerabilities that are known and
> unpatched at any given time. This makes the Internet statistically
> less safe,

That's an assertion, and it really only holds logical water through
the implicit premise that 'governments' are the only significant group
that holds 0day without releasing them, and that 0day can't be in two
places at once. I'd imagine you've already seen my point.

As an aside, I'm fascinated by the constant emphasis on 0day here,
it's almost like it's designed to make naive people think that 0day is
the only, or at least a serious, threat to individual security.

> and gives the government a monopoly in deciding who is
> "important enough" to get that information and patch themselves.

I like this dystopian future of yours where governments acquire
defensive / offensive capability with absolutely no intent to make
"The Internet" "safe" for anyone but "important people". Very noir.

Not that I necessarily agree with this, but, I think there are a lot
of people with a mindset like 'If our capability is greater than our
enemies then our country is safer' where by country they mean
themselves and all the people in it. Those people might go on to argue
that 'you can't have a capability differential if you can't keep some

On this point, I offer a delicious false dichotomy. If you trust the
Government, then why would you diminish their capacity to protect you?
If you trust in the Individual, why would you tie their hands? [1]


> So I don't find EFF's argument particularly weird; it's possible to
> hold that position and believe that the current patterns of
> vulnerability trade are detrimental to the health of the Internet.
> It's also possible to hold a different view.

I am completely happy if the EFF manages somehow to convince 'The US
Government' to act like ZDI, but using public money. Buy and release
all the 0day! Or don't, let someone else buy it, whatever! No more
secrets! It's never going to _work_ but an EFF that's railing against
sneaky guvmint spies and shady agencies makes sense to me.

I only become invested in the parts where they (or anyone) try to
paint researchers who sell software as wrong and evil, and try to
impose their own geopolitical worldview on individuals who, in many
cases, owe no allegiance to US interests or indeed those of any state
in particular. The arguments used along these lines, whether to
further the position above, or whether as a stated position in and of
itself are illogical, run contrary to the individual liberty the EFF
claims to stand for and I think have cost them a lot of community

I'm going to drop this in here, because my statement above often gets
read somehow as 'I endorse killing Syrian children'. I have seen, many
times, the express or implied premise that 'bad regimes' use 0day to
track and then torture people. This is usually followed by "Look!
Batman!", and concludes triumphantly with "so thus any researcher
selling any 0day is a bad person".

Setting aside the question of who gets to make the 'bad regime'
determination... from everything we know, that's just crap. They send
their targets stock malware and say 'please install by clicking on
this photo, love, er... not the government, srsly'. Or, they leverage
the fact that they have physical access to the carrier, the internet
cafes and so forth. (Or probably they just use humint cause it's
easier). What those guys really need is better opsec, and I hope they
continue to get it.[2]

As others have said, let's go after the _real_ tools used by 'bad
regimes', wherever in the world they may hide! Let's see, we need
Metasploit, Backtrack, FinFisher, Northropp, Raytheon, EnCase, the
Root CAs, BlueCoat, Cisco, Nortel (for the LI capacity in their
carrier gear)... Oh wait, most of those guys have lobbyists, forget

Finally, because "some people just want to watch the world burn", and
since we're on the topic of 'cybers' and "what motivates governments",
I wonder why we're talking a whole lot about the devastating cyber
capability of the Middle East and not a single breath about China.

Long live the Chinese Patriots writing The People's 0day! [3]



[1] And if you're smart enough to fully trust neither, why do you keep
making such dumb, polarising arguments?
[2] Or Security Awareness Training and AV! ( ...  too soon? )
[3] Q: What's worse than a Cold War?    A: All of the other kinds.


More information about the Dailydave mailing list