[Dailydave] I am the reason we cannot have nice things on the Internet.

dan at geer.org dan at geer.org
Sat Oct 25 22:17:17 EDT 2014


Michal,

Precisely as you say, anyone who cares to complain has a duty to
suggest alternatives to what they are complaining about.  Otherwise
they are engaging in mere cant.

Without in any way trying to say I have "the answer," your point
in this sentence, "[I]n the world of international affairs, there
are very few real rules, and very little to be gained by taking
a principled stand" is exactly what I was getting at in my recent
speech at Blackhat -- the entire nature of Realpolitik is precisely
as you say it.  (I include the minimum passage below for your
inspection.)  Ditto for "I think that the specific practice of
stockpiling 0-days is ultimately harmful to the Internet."
(Another passage follows below.)  Perhaps you and I are flying in
some sort of formation on these matters.

As you are from what was once a Soviet satellite, are there issues
of culture that lead a country into that kind of totalitarianism?
More to the point, are those issues reinforced or diminished by
what we now call "digital life?"

--dan


http://geer.tinho.net/geer.blackhat.6viii14.txt

...... As to Realpolitik ..................................

Political realism of the sort I am talking about is based on four
premises:

. The international system is anarchic
. States are the most important actors
. All states within the system are unitary, rational actors
. The primary concern of all states is survival

This is likewise the realism of the cybersecurity situation in a
global Internet.  It is anarchic, and states have become the most
important actors.  States' investment in offensive cyber is entirely
about survival in such a world.  States are driven to this by the
dual, simultaneous expansion of what is possible and what their
citizens choose to depend on.

The late Peter Bernstein, perhaps the world's foremost thinker on
the topic, defined "risk" as "more things can happen than will."[PB]
With technologic advance accelerating, "more things can happen than
will" takes on a particularly ominous quality if your job is to
ensure your citizens' survival in an anarchy where, daily, ever
more things can happen than will.  Realpolitik would say that under
such circumstances, defense becomes irrelevant.  What is relevant
is either (1) offense or (2) getting out of the line of fire
altogether.  States that are investing in offense are being entirely
rational and are likely to survive.  Those of us who are backing
out our remaining dependencies on digital goods and services are
being entirely rational and are likely to survive.  The masses who
quickly depend on every new thing are effectively risk seeking, and

Nevertheless, cybersecurity is all about power and only power.
Realpolitik says that what cybersecurity works is right and what
cybersecurity does not work is wrong and Realpolitik thus resonates
with Howard's "Security will always be exactly as bad as it can
possibly be while allowing everything to still function."  Realpolitik
says that offense routinely beating defense is right, and imagining
otherwise is wrong, that those whose offense wins are right while
those whose defense loses are wrong.  Realpolitik says that offense's
superiority means that it is a utopian fantasy to believe that information
can be protected from leakage, and so the counter-offense of
disinformation is what we must deploy in return.  Realpolitik says
that sentient opponents have always been a fact of life, but never
before have they been location independent and never before have
they been able to recruit mercenaries who will work for free.
Realpolitik says that attribution is impossible unless we deploy a
unitary surveillance state.

...... As to stockpiling 0days ............................

6. Vulnerability finding -- HEGEMONY

Vulnerability finding is a job.  It has been a job for something
like eight years now, give or take.  For a good long while, you
could do vulnerability finding as a hobby and get paid in bragging
rights, but finding vulnerabilities got to be too hard to do as a
hobby in your spare time -- you needed to work it like a job and
get paid like a job.  This was the result of hard work on the part
of the software suppliers including the suppliers of operating
systems, but as the last of the four verities of government says,
every solution has side effects.  In this case, the side effect is
that once vulnerability finding became a job and stopped being a
bragging-rights hobby, those finding the vulnerabilities stopped
sharing.  If you are finding vulns for fun and fame, then the minute
you find a good one you'll let everybody know just to prevent someone
else finding it and beating you to the punch.  If you are doing it
for profit, then you don't share.  That's where the side effect is
-- once coin-operated vuln finders won't share, the percentage of
all attacks that are zero-day attacks must rise, and it has.

In a May article in The Atlantic,[BS] Bruce Schneier asked a cogent
first-principles question: Are vulnerabilities in software dense
or sparse?  If they are sparse, then every one you find and fix
meaningfully lowers the number of avenues of attack that are extant.
If they are dense, then finding and fixing one more is essentially
irrelevant to security and a waste of the resources spent finding
it.  Six-take-away-one is a 15% improvement.  Six-thousand-take-away-one
has no detectable value.

If a couple of Texas brothers could corner the world silver market,[HB]
there is no doubt that the U.S. Government could openly corner the
world vulnerability market, that is we buy them all and we make
them all public.  Simply announce "Show us a competing bid, and
we'll give you 10x."  Sure, there are some who will say "I hate
Americans; I sell only to Ukrainians," but because vulnerability
finding is increasingly automation-assisted, the seller who won't
sell to the Americans knows that his vulns can be rediscovered in
due course by someone who *will* sell to the Americans who will
tell everybody, thus his need to sell his product before it outdates
is irresistible.

This strategy's usefulness comes from two side effects: (1) that
by overpaying we enlarge the talent pool of vulnerability finders
and (2) that by making public every single vuln the USG buys we
devalue them.  Put differently, by overpaying we increase the rate
of vuln finding, while by showing everyone what it is that we bought
we zero out whatever stockpile of cyber weapons our adversaries
have.  We don't need intelligence on what weapons our adversaries
have if we have something close to a complete inventory of the
world's vulns and have shared that with all the affected software
suppliers.  But this begs Schneier's question: Are vulnerabilities
sparse or dense?  If they are sparse or even merely numerous, then
cornering the market wins in due course.  If they are dense, then
all we would end up doing is increasing costs both to software
suppliers now obligated to repair all the vulns a growing army of
vuln researchers can find and to taxpayers.  I believe that vulns
are scarce enough for this to work and therefore I believe that
cornering the market is the cheapest win we will ever get.

Let me note, however, that my colleagues in static analysis report
that they regularly see web applications greater than 2GB in size
and with 20,000 variables.  Such web apps can only have been written
by machine and, therefore, the vulns found in them were also written
by machine.  Machine-powered vuln creation might change my analysis
though I can't yet say in what direction.
