[Dailydave] Neal Stephenson, the EFF and Exploit Sales

David Maynor dave at erratasec.com
Tue Aug 14 13:14:53 EDT 2012 

I agree that the EFF has lost its way. I wrote a blogpost about it here: http://erratasec.blogspot.com/2012/08/who-will-fight-for-me.html. Since the idea came from this list I thought I would join the conversation here. I think this example shows the EFF is not what they are promoted to be. It is not for Internet freedoms for all, it is for protecting certain freedoms of certain people. I felt a political shift in the EFF after Wikileaks/Manning to an anti-government viewpoint, which is different than pro-individual viewpoint. In a nutshell, I feel the EFF would sacrifice some of our freedoms in order to deny warfighting assets to the government.
I've heard lots of arguments that the EFF post targets the government and not the researchers. I don't believe this. If you apply regulations to one part of an industry, at some point regulations will seep to every part like the stench of rotten eggs. At first it seems good: "awesome, the government is making us safer by turning over 0day to manufacturers". Then it will start downhill with simple things like any researcher selling 0day to the government must take a drug test and diversity training. It will end up with researchers having to go through the same process that a firearms manufacturer does to make a weapon. The ATF would become the ATFE. There would be mandatory fines for anyone caught with weapons grade exploits. There will be mandatory government certs for pentesting, or you will need a license to run Nessus.
Can you imagine a federal agent asking if you have the right paperwork for the 100 line ruby script? How about a court case where some sysadmin has to prove that he was using VNC for remote access and not as a backdoor. Don't like your neighbor? Call the tip line and tell them you've seen 2600 mags, hot pockets, and lots of strange people entering the dwelling carrying computers. ATFE raid time!
These are all fictitious examples, but they demonstrate where regulation ends. The EFF knows this and so do their apologists. Asking/inviting/demanding the government get involved in the control of anything will end badly for all those involved. Look at the FCC, ATF, and FAA for examples of what slowly happens to an industry over time when government regulation is imposed. Possession of certain equipment is made illegal by some FCC rules without proper licensing. The ATF throws a $200 tax and a six-month wait time to by a “silencer” for a gun, which should be considered a safety device (they don’t work like they do in movies). The FAA makes recreational flying a nightmare.
The worst part is that the politicians who are the butt of jokes about "internet tubes" are the same people you would entrust to make law on this very technical topic. It’s unbelievable.
David Maynor

On Aug 8, 2012, at 3:41 PM, Dave Aitel <dave.aitel at gmail.com<mailto:dave.aitel at gmail.com>> wrote:

<image.jpeg>

So I have to admit I was a little disappointed in the Neal Stephenson "keynote" at BlackHat this year. First of all, it wasn't a keynote. It was one of those "Question and Answer" session things that conferences do because they don't require presentation on the part of the speaker, which means they're more likely to get someone to do it.

And I'm a fanatical fan of Neal Stephenson - to the point where I think his best books is his Quicksilver "Con-fusion" trilogy which most people agree are the hardest to get into (i.e. after the first 500 pages they're a real page turner!). So I thought the questions were banal - a lost opportunity to see what one of our generation's great futurists has to say about our industry. He's explored these themes before, of course, which is why he was there in the first place...

In fact, a lot of his books are about our industry and some even have the same characters, which is part of the fun. For example, there's "Eric" (or as you may remember him from Cryptonomicon: "Enoch Root<http://baroquecycle.wikia.com/wiki/Enoch_Root>"), who is an Immortal (and oddly enough an Alchemist). You'll see him doing things like raising the dead, and it's hinted that he's not particularly human, but merely visiting from "Elsewhere" on some sort of fact finding mission. Then there's the Shaftoe family, which are generally the footsoldiers of all his books, and the Waterhouses, which are the scientists and hackers, and so forth.

In any case, at some point in his writing career, Neal got fascinated with the idea that there was, in fact, a titanic battle going on over the course of human history between the forces of who would use technology for solving useful human problems and the forces of war. Ironically enough Neal represents this in Cryptonomicon as a sort of Athena project, if you will. And a lot of plot points turn on decisions about this in his books - for example, a gay German mathematician choosing not to give the Germans strong cryptography during WWII.

<image.png>

So this then is the question that was asked of DIRNSA at DefCon. A secure internet means that the nation would go deaf in many ways that are important. But an insecure one means we suffer under the economic and political pain of everyone always being hacked (those of you complaining about APT - this means you).

Lately the EFF has been posting things that seem to want to restrict exploit sales ( https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate ) as if this somehow increases security for the Internet as a whole. Aside from regulation being an ineffective tool here, I don't think the EFF should have the particular worldview that giving up freedom for security here is an acceptable trade-off. And when Charlie Miller and I talked to an EFF representative at DefCon, she agreed with us.

However, the current EFF stated opinion is this:
"If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal"

Calling for the government to regulate what kind of code you write sounds counter-productive to the EFF mission, and is definitely counter to the opinions of people on this list and in this community. Until the EFF changes their position, I recommend not donating to them or buying the strangely decorated shirts at DefCon.

Thanks,
Dave Aitel
Immunity, Inc.


_______________________________________________
Dailydave mailing list
Dailydave at lists.immunityinc.com<mailto:Dailydave at lists.immunityinc.com>
https://lists.immunityinc.com/mailman/listinfo/dailydave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20120814/9378705d/attachment-0001.html>

More information about the Dailydave mailing list