Monday, May 25, 2015

This is how we get ants

Today's Wassenaar proposal to limit 0days -- and thereby virtually all cybersecurity products -- is partly the result of lobbying by the ACLU and EFF. The principal technologist of the ACLU called 0day sellers "merchants of death". The EFF called for 0day sales to governments to be the center of any policy debate on cybersecurity.

Yet they deny responsibility for Wassenaar -- because the regulations go too far, and appear to restrict virtually all cybersecurity software and any free speech on the topic. These groups now back off and claim they never called for 0day restrictions in the first place.

For example, when the EFF said "exploit sales should be key point in cybersecurity debate", nowhere in the article does it explicitly call for a ban on exploit sales. Their focus was on limiting the actions of the NSA in buying exploits, not so much those who would sell the exploits.

This is true, but only technically. There's no conceivable situation where the US Government would unilaterally disarm itself of cyberweapons while allowing everyone else to purchase them. It's also not conceivable that, when you've put that much work into calling 0days evil and unethical, a reasonable person wouldn't interpret this as a call to ban them. If you say the issue of governments (plural, not just the US) buying 0days should be at the center of policy debates, that means Wassenaar -- the primary international arrangement for arms control.

But more importantly, the EFF never clarified its remarks. After the EFF published the document, the cybersecurity community quickly responded. Critics pointed out that the EFF was implicitly calling for a ban on 0day. The EFF responded by pointing out the technicality that their call for regulation wasn't explicit. They did not respond by publishing a document explicitly supporting 0day.

That's likely to continue to be the case. The EFF is going to publish a response to the US Wassenaar proposals. While the EFF may point out that Wassenaar goes too far, the EFF is unlikely to defend the rights of 0day coders. The EFF may tacitly agree that proper 0day restrictions are a good thing -- just deny that the currently proposed restrictions are proper.

The debate between researchers and the EFF/ACLU has raged for three years now. The EFF/ACLU can end this debate at any time by publishing an official document in support of 0day research. Until that happens, the only reasonable way to interpret their position (as demonstrated in the above link) is that they want 0day bans.

I point this out because this is how you get totalitarianism. Strident populism leads to regulation. Each one looks good when viewed in isolation, but there are always unexpected consequences. Populists deny they are responsible for those unintended consequences -- but they are. 0days are just speech and standard cybersecurity practice. There's no way to split the baby, to separate out the bad stuff you want to prevent without also limiting good speech and good cybersecurity products. The current attempt by the EFF to split the baby just won't work. If the EFF were serious about principle instead of populism, the only tenable position is an absolute support for free speech, coders' rights, and cybersecurity research -- and thus absolute support for 0day.


Braden said...

Preach brother

John Thacker said...

Wassenaar and other export controls agreements are fairly reasonable for people who think that the only problems are terrorists and a handful of rogue states. It's completely insane for anyone who thinks that the NSA or other western intelligence agencies are part of the problem. The idea that actual defense contractors would have any problem getting licenses (and ITAR approval) to send things anywhere that the government intelligence agencies wanted is crazy, as is the idea that the NSA would actually restrain itself.

Any organization, like the ACLU or EFF, claiming to have a problem with government spying by the USA and other Western countries pushing for export controls shows at best naivete.

John Thacker said...

These misguided activists start with this idea of "exploits shouldn't be sold to bad guys!" The intelligence agencies and governments readily agree, so long as they get to define who the bad guys are. Was anything ever a more obvious result (to any libertarian?)