On the flip side, the security industry has had a field day painting scary pictures of nefarious government organizations hacking computers around the world to spy on everyone. Kaspersky in particular is getting tons of press talking about "nation state" attacks (which very likely ARE nation state attacks) and drumming up business from everyone from CNN/Fox customers to CSOs. The 0-days used in those attacks drive awareness that it's not just a theoretical issue and people need to take the attacks seriously. I would argue that the research doesn't change the "number of 0-day vulnerabilities that are known and unpatched at any given time". It might change the number that are known... but inversely probably drives the numbers that are patched UP, not down. <div>
<br></div><div>Governments are not the only people interested in 0-days, and they certainly don't have a monopoly, as Pinkie Pie demonstrated. I still agree with your conclusion, Michal, just not some of the arguments used to get there. I'm a big supporter of EFF most of the time, but don't agree with them on every single topic and definitely don't think they should be arguing for government legislation regarding what code/research is legal or who can buy what. Governments can't even handle simple "cyber" regulation well; it's not clear to me who thinks they could handle a complex area like 0-day research effectively. That said, I'm not withdrawing my support from EFF either; hopefully they'll continue to spend their energies on more productive areas like IP law and Internet freedom.</div>
<div><br></div><div>Jason <br><br><div class="gmail_quote">On Fri, Aug 10, 2012 at 6:09 PM, Michal Zalewski <span dir="ltr"><<a href="mailto:lcamtuf@coredump.cx" target="_blank">lcamtuf@coredump.cx</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">EFF takes a variety of positions on a variety of topics - and while<br>
they are great folks, if this is the first time you disagree with one<br>
of their positions, I'm surprised :-)<br>
<br>
That said... the side effect of governments racing to hoard 0-days and<br>
withhold them from the general public is that this drastically<br>
increases the number of 0-day vulnerabilities that are known and<br>
unpatched at any given time. This makes the Internet statistically<br>
less safe, and gives the government a monopoly in deciding who is<br>
"important enough" to get that information and patch themselves. The<br>
disparity in purchasing power is also troubling, given that<br>
governments have tons of "free money" to spend on defense, and are<br>
eager to do so, outcompeting any other buyers.<br>
<br>
So I don't find EFF's argument particularly weird; it's possible to<br>
hold that position and believe that the current patterns of<br>
vulnerability trade are detrimental to the health of the Internet.<br>
It's also possible to hold a different view.<br>
<span><font color="#888888"><br>
/mz<br>
</font></span><div><div>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</div></div></blockquote></div><br></div>