[Dailydave] Neal Stephenson, the EFF and Exploit Sales

Dr. Sandro Gaycken s.gaycken at fu-berlin.de
Thu Aug 16 03:56:01 EDT 2012

:) Sorry again from the ivory tower. I'm just the messenger, concerning that (and I don't have beard - yet). "Managing exploits" is already a debate in numerous international fora. And the idea is not to ban anything or inhibit your liberty. Governments will simply want to know about the outcome of your research and whom you're selling it to - including a list of customers you shouldn't sell it to. It's the good ole "responsible disclosure" thing again, grown up. If you have a good argument on why that should not take place, I'll be happy to invite you and present it. Shouldn't be the usual "stifling innovation"-voodoo, though. And one important thing: simply declaring APTs to be mythical sea monsters is not going to work either. Almost everything around that is classified - sadly -, but we know for sure that they are here and here to stay - be it secret services, militaries, mercenaries or organized criminals. This is a fact, and even though ignorance is bliss, it's not going to work as an argument.

Apart from that, privacy and liberty are a very strong focus here. It's also one of the core ideas of the zero day governance paper. Less risk of APTs = back to the 90ies = sufficient security = much less pressure to monitor everything. That's the kind of regulation I'm trying pull through (it includes lifting the German ban on the free use of hacker tools, btw). More security research, more patching, more pen testing.

Regarding the single-use issue: high-end attackers usually attack only a few, dedicated targets, and they put a high emphasis on avoiding discovery - including numerous side-attacks on any kind of detection or security in the target, tactical designs, clever ways of deployment, of exfiltration of data, of avoiding too much feedback, and of exfiltrating the whole attack after it has done its job. This way, modules of attacks or even whole attacks can be reused. Many of the APT attacks we know of are clearly multiple-use. Their modules come up in numerous different contexts, and quite frequently, many of them have been around for years as it turns out. High-end attackers are opportunistic just as anyone else. As long as one exploit works - why invent a new one? And as these are very good exploits, they can usually be used multiple times.

Am 16.08.2012 um 07:32 schrieb Ben Nagy:

> On Wed, Aug 15, 2012 at 3:13 PM, Dr. Sandro Gaycken
> <s.gaycken at fu-berlin.de> wrote
> Henceforth, I respond, if at all, exclusively in sarcastic couplets.
> "The 0day and the Ivory Tower"
> Said Doctor One to Doctor Two, these 0days are a bore
> I read about them just last year! They're too scary to ignore!
> Said Doctor Two to Doctor One I know just what to do -
> A brilliant plan from me and you, to save the whole EU!
> With just 20 million Euro from each of 20 trusted friends,
> we'll find the bugs and fix them all, then APT will end!
> Of course the plan will never work without a total ban
> on coding and compilers (unless we say they can)
> But how on earth, said Doctor One, can governments be showed
> that individual liberty is worth less than some code?
> Gentlemen! Said Doctor Three, (he enters from the rear)
> By my scraggy beard and ponytail, well I can help you there!
> We'll simply call them cyberarms, to strike their hearts with fear,
> and speak of Arabs killing folk, and such and such, all clear?
> A cunning plot, good Doctor Three, but surely you recall
> their allies in the USA, and justice there, for all?
> Oh, don't mind us, said EFF, we're not as staid as that
> Just let us sign a bill or two, this whole thing's in the hat!
> So black was white and white was black
> And code was arms, no-one could hack
> The Doctors published articles, they gained respect and friends
> And then got owned by clicking on
> The End
> Baby seals,
> ben
> --
> " Invididual security comes from impact containment, not patching bugs."

More information about the Dailydave mailing list