Tuesday, August 14, 2012

Who will fight for me?

Recently on Dave Aitel's popular mailing list this question was posed:
does the EFF have our best interests at heart? The answer is clearly
no: I think the EFF has lost its way, and I doubt it can be set
right again.

The catalyst that set off the discussions and this blog post is a
March EFF blog post entitled
"Zero-day exploit sales should be key point in cyber-security debate".
For those of you who do not follow US
federal politics, there are a lot of bills in play aimed at cyber
security reform and bringing organizations under the government
umbrella of protection. As someone who distrusts authority, I don't
like this. It increases government meddling in our lives while doing
nearly nothing to actually protect us.

The EFF has made a 180 degree turn on this issue. Originally, the EFF
was founded on libertarian principles of individualism opposing
government regulation, claiming that cyberspace should be sovereign.
Now the EFF wants to collectivize the Internet and impose its "ethics"
on coders, claiming we have a moral obligation to hand over 0day
vulnerabilities for the common good.

That statement is beyond naive and shows a lack of understanding of
the process used to find vulns. Vulns are discovered because people
are looking for them. People look for them because they expect to be
rewarded. Remove the reward, and we'll no longer look for vulns. If
the military stops buying weaponized vulns from researchers like me,
then I stop finding them -- I uninstall WinDbg and ignore program
crashes instead of spending two days trying to reproduce the problem
and weaponize an exploit.

These exploits are the munition of choice for the upcoming cyberwar.
The EFF naively believes in unilateral disarmament, that the US stops
buying these weapons even though Russia, China, Israel, North Korea,
and Iran continue. It's irrational to believe this makes the Internet
"safer".

In a related argument, the EFF describes exploit sales as "security
for the 1%" using the ugly class warfare rhetoric of the #Occupy
movement. It's a paranoid conspiracy theory that bankers are out to
get you, and it's a paranoid conspiracy theory that exploit
sellers/buyers are out to get you. Yes, I know it sucks that some
people have more money than you and more security than you, but
attacking them and curtailing their freedoms won't make you any
better off. The actual selling of weaponized exploits is only a small
part of what vuln discoverers do -- the vast majority of our efforts
filter out quickly to everyone else: to vendors, to help them fix
bugs, and to everyone else, to educate them on which products are
more reliable. Sure, people like me do things that you may not like,
but trying to curtail our freedoms will do more to stop the things you
do like.

The big thing the EFF has done with these posts is to reduce its own
funding. We used to unquestioningly support the EFF because they
promised to support freedom for all of us. Now it has become obvious
that they really don't, that they are more of a standard partisan
group, promoting the interests of some at the expense of others. The
obvious basis of the EFF's posts has nothing to do with electronic
liberties, but everything to do with a partisan attack against the
American military specifically.

This was just a long way of saying the EFF is dead to me.

9 comments:

Anonymous said...

This is the most bullshit gibberish I've ever read. At no point do you come close to making a cogent argument. And I say that without even taking into account the ethics of exploit sales.

George said...

David, sounds like you're the coding bourgeoisie holding down the Internet's proletariat.

Anonymous said...

I hear the Iranians and North Koreans pay better than the Americans, maybe you can extend your 'love of freedom and greed' to fighting for the right for anyone to sell these 'weapons' to those countries ... or does your love of 'freedom' only extend to certain people?

jcran said...

"The actual selling of weaponized exploits is only a smart (sic) part of what vuln discovers do -- the vast majority of our efforts filters out quickly to everyone else, both to vendors to help them fix bugs, but also to everyone else to educate them on which products are
more reliable."

Can you clarify this? The incentives (and legal implications) are probably wrong for you to discuss the discovered bugs, and certainly to release them to the vendor. I'd like to believe this helpful effect is the case, but is it really?

Anonymous said...

Quote:"Sure, people like me do things that you may not like,
but trying to curtail our freedoms will do more to stop the things you
do like."

So I read the article you linked to along with several other postings, and I haven't seen anything about the EFF trying to curtail the freedoms of people trying to find exploits or even weaponize them. What they seem to be arguing is for governments to stop buying exploits (or more accurately, stop buying them and keeping them secret). Now you can argue whether this is a good policy decision or not, but I don't see it as a freedom issue. To use a made-up example (so I don't drag this thread into Godwin's Law territory), suppose a government passed a transparency law where it couldn't keep cookie recipes secret (Mmm, cookies). This wouldn't stop you from making your own cookie recipe. It wouldn't stop you from keeping your cookie recipe secret. Heck, it wouldn't even keep you from being able to sell your cookie recipe to the government. It's just that then the government would have to publish your cookie recipe if it bought it.

Anonymous said...

Justifying your rapacious practice in the name of freedom is the height of lunacy and is utterly despicable.

There is blood on your hands.

Anonymous said...

"This is the most bullshit gibberish I've ever read. At no point do you come close to making a cogent argument. And I say that without even taking into account the ethics of exploit sales."
- EFF says the vulnerabilities market is not legitimized by the trade of 0day exploits. This is a call for regulation and law. Period, there's no point to make: the EFF's call for regulation is against everything it was fighting for. To forbid software based on its content (a supposed "weapon", as long as there's no patch) is very close to what patent trolls are doing every day.

"I hear the Iranians and North Koreans pay better than the Americans, maybe you can extend your 'love of freedom and greed' to fighting for the right for anyone to sell these 'weapons' to those countries."
- FUD, it's not even close to what the original Forbes article ( http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/2/ ) says. Plus, Iranians are known to be the first target of 0day vulnerabilities in this market (Stuxnet), recently joined by the Lebanese (Gauss).

"So I read the article you linked to along with several other postings, and I haven't seen anything about the EFF trying to curtail the freedoms of people trying to find exploits or even weaponize them."
- From the EFF blog: "The existence of a marketplace for such transactions does not legitimize the practice". See the definition of legitimize -> laws & regulations. But sure, imagine they stop buying exploits (haha, good joke, they'd been getting exploits from industry for years before this got public). Now it clearly comes down to a no-more-gray-and-pure-black market, because of the nature of the people who will still buy exploits, and this is a call for regulation (again). All possible consequences of the EFF position are an end of freedom for vulnerability researchers, and guess what, it will be the end of your security.

"Justifying your rapacious practice in the name of freedom is the height of lunacy and is utterly despicable.

There is blood on your hands."

- Sure, Google buying vulns for $2k when they're making billions is not a rapacious practice, as long as you can get your software for free (as in free beer) and it doesn't make you feel like a vulture, right? Plus, on the "blood on your hands", nothing could be further from the truth: the Stuxnet example clearly shows that, as long as the malware was kept secret, no one was hurt, and the day the disclosure went too far, a quantum physicist was killed. Who's got blood on his hands?

EFF will still get some funding, as long as this buzz continues, because this kind of troll makes EFF look like they're useful on these subjects. C. Soghoian found his "bad guys" and we've got an amazing story telling for his personal branding here. I can't wait to see helicopters flying over a 0day dealer's house, as the Kim Dotcom of security... This is pathetic.

Anonymous said...

Quote:"From the EFF blog: "The existence of a marketplace for such transactions does not legitimize the practice". See definition of legitimize -> laws & regulations."
/endquote

An alternative explanation is offered two paragraphs down in that EFF blog post: "The U.S. government has the ability to make us more secure right now with no new legislation."
Once again, I'm not arguing whether requiring the government to be transparent about the 0-days it purchases is a good idea or not. What I am saying, though, is I haven't seen anything the EFF has said that would limit the freedom of exploit developers.

Jack said...

David, I think I could fight for you. Do you?