Five or so years ago, when Mikko Hypponen was still in a blissful imaginary world where bugs could be fixed and AV worked, George W Bush walked into a room full of defense and intelligence officials, and he pointed out to them in a dry Southern way how if they didn&#39;t think of something better that the Israelis were 100% going to attack the Iranian nuclear program, and they were going to pull the United States into it, and there was going to be a large serving of _extremely unpleasant_ sandwich with a small side of possible nuclear winter for everyone involved...<div>
<br></div><div>And looking around the room, the people who had never shot a gun, who that very night would go home to play an RPG so hideously complex it has its own government, who spent the time before the meetings with high-powered government officials arguing about Firefly versus Buffy the Vampire Slayer&#39;s various scripts, people who if given half a chance would expound upon deeply held personal opinions regarding various subtleties in the licensing of Unix distributions,...these people simply shrugged and said &quot;Yeah, we got this one.&quot;</div>
<div><br></div><div>And hey look, here we are. </div><div><br></div><div>So let me just say here in this forum that I appreciate the EFF taking the time to post, but I have to imagine that these issues can be thought out a bit more thoroughly...I can only posit that someone, or some group of people within the EFF, listened to Chris Soghoian who appears to be going on a profoundly uneducated crusade against exploit sellers (to which our personal liberty will be simple collateral damage). <br>
<br>I don&#39;t know if the EFF can change its position on this without losing face, but I also think a careful reading of the Commerce Department&#39;s EAR would demonstrate that we didn&#39;t exactly win the war against cryptographic restrictions either. </div>
<div><br></div><div>-dave</div><div><br><div class="gmail_quote">On Tue, Aug 21, 2012 at 11:45 AM, trevor <span dir="ltr">&lt;<a href="mailto:trevor@eff.org" target="_blank">trevor@eff.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  

    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">Hey
      folks,<br>
      <br>
      Below is EFF&#39;s response to the Daily Dave thread entitled &quot;Neal
      Stephenson, the EFF, and Exploit Sales.&quot; <br>
      <br>
    </span><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">In
      March, in the midst of a heated public debate about cybersecurity, EFF
      published an article entitled &quot;</span><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:bold">Zero-Day

      Exploit Sales Should be a Key Point in the Cybersecurity Debate</span><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">.&quot;

      Unfortunately, it has been mischaracterized and distorted on this
      list and other public forums, so we want to take the opportunity
      to clarify what we said, and importantly, what we didn&#39;t say.</span><br>
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal"></span><br>
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">The

      confusion seems to stem from this paragraph:<i><br>
      </i></span>
    <blockquote><i><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">If


          the U.S. government is serious about securing

          the Internet, any bill, directive, or policy related to
          cybersecurity should work toward ensuring that vulnerabilities
          are fixed, and explicitly disallow any clandestine operations
          within the government that do not further this goal.
          Unfortunately, if these exploits are being bought by
          governments for offensive purposes, then there is pressure to
          selectively harden sensitive targets while keeping the attack
          secret from everyone else, leaving technology—and its
          users—vulnerable to attack.</span></i></blockquote>
    <br>
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">Based


      on this, we’ve been accused of calling for regulation of coders’
      free speech rights.  But that is not what this paragraph (or the
      rest of the blog post) says.  This paragraph is about what <i>the
      </i></span><i><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:bold"></span></i><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal"><i>U.S.

        government</i> should do, and not about coders at all. </span><br>
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal"></span><br>
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;text-decoration:none;font-family:Arial;font-weight:normal">Indeed,


      EFF established that code is speech in the 1990s in a case called
      Bernstein v. Department of Justice, winning the right to export
      cryptography (</span><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;text-decoration:none;font-family:Arial;font-weight:normal"><a href="https://www.eff.org/press/archives/2008/04/21-29" target="_blank">https://www.eff.org/press/archives/2008/04/21-29</a></span>).<span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;text-decoration:none;font-family:Arial;font-weight:normal">
      We continue to defend these rights to this day. Any legislation or
      other government action that would restrict coders from writing
      code (and offering it to the government) should be presumptively
      unconstitutional, and rightly so.</span><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal"></span><br>

    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal"></span><br>
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">The


      blog post was written while the House of Representatives was
      debating CISPA, a dangerous bill that would carve a huge hole in
      existing privacy law while not actually making the Internet any
      safer:<br>
      <br>
    </span> <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal"><a href="https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq-disturbing-privacy-dangers-cispa-and-how-you-stop-it" target="_blank">https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq-disturbing-privacy-dangers-cispa-and-how-you-stop-it</a></span><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">
    </span><br>
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal"></span><br>
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal"></span><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">The


      basic point we were trying to make is that Congress should look at
      the government&#39;s own actions and consider what it could do to
      improve security before passing sweeping new legislation to scale
      back everyone else&#39;s rights. That includes the government’s own
      decisions to keep information from companies and the public that
      could help secure networks, systems, and critical data -- as part
      of a hidden offensive strategy or otherwise. </span><br>
    <br>
    <span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">The


      main cybersecurity bills are no longer moving forward, but the
      debate about policies to address information security will
      doubtless continue.  In these discussions, EFF will continue to
      fight for the users, for the researchers, for robust privacy and
      security technology, and against governmental restrictions on the
      freedom to code.  While you may not agree with everything we do,
      we thank you for the opportunity to participate in the discussions
      on this forum.</span><span class="HOEnZb"><font color="#888888"><br>
    <br>
    <pre cols="72">-- 
Trevor Timm
Activist
Electronic Frontier Foundation
<a href="mailto:trevor@eff.org" target="_blank">trevor@eff.org</a>
<a href="tel:415.436.9333%20ext.%20104" value="+14154369333" target="_blank">415.436.9333 ext. 104</a>
<a href="http://www.eff.org" target="_blank">www.eff.org</a>
454 Shotwell Street
San Francisco, CA 94110

Defending your civil liberties in the digital world.</pre>
  </font></span></div>

<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>