This demonstrates the Orwellian nature of EFF's populism. They don't stand for principle but for popularity. They abandoned their principle that the Internet is sovereign when they promoted Net Neutrality. They abandon their principle that code is free speech by suggesting that some code needs to be regulated.
The text of the NDAA, below, calls for the president to implement export controls on code:
SEC. 946. CONTROL OF THE PROLIFERATION OF CYBER WEAPONS.
(a) Interagency Process for Establishment of Policy- The President shall establish an interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons through unilateral and cooperative export controls, law enforcement activities, financial means, diplomatic engagement, and such other means as the President considers appropriate.
(b) Objectives- The objectives of the interagency process established under subsection (a) shall be as follows:
(1) To identify the types of dangerous software that can and should be controlled through export controls, whether unilaterally or cooperatively with other countries.
(2) To identify the intelligence, law enforcement, and financial sanctions tools that can and should be used to suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense.
(3) To establish a statement of principles to control the proliferation of cyber weapons, including principles for controlling the proliferation of cyber weapons that can lead to expanded cooperation and engagement with international partners.
(c) Recommendations- The interagency process established under subsection (a) shall develop, by not later than 270 days after the date of the enactment of this Act, recommendations on means for the control of the proliferation of cyber weapons, including a draft statement of principles and a review of applicable legal authorities.
The EFF article I link to above is at https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate. It doesn't explicitly say "0day must be regulated", but it's hard to read that post to mean anything but that.
The EFF article calls the 0day market "a dangerous but largely underreported problem". In the middle is this paragraph:
The existence of a marketplace for such transactions does not legitimize the practice, and security researchers should never turn a blind eye to their ethical responsibility to help improve technology. We should help ensure the Internet promotes freedom and safety, and is not a system to control and oppress.
The last line strongly sounds like a call to regulate code.
Another paragraph from that same EFF post is:
A good cybersecurity discussion would address this issue head-on. If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal.
Again, a reasonable person would infer that this mention of bills, directives, and policy is a call to regulate.
Oh look, a fact-free EFF strawman post from @ErrataRob. Enjoy: http://t.co/duoGHx4lBJ
— Eva (@evacide) July 15, 2013
@ErrataRob Notice that article never, at any point, recommends a law that makes selling 0-days illegal. & 1 blog post !="at the forefront"
— Eva (@evacide) July 15, 2013
@ErrataRob lol, wow that was the most powerful blog post I've ever written then! (Even though we specifically said *don't* regulate code)
— Trevor Timm (@trevortimm) July 15, 2013
@ErrataRob I don't like the EFF's statements about exploit sales either, but blaming them for NDAA is a major leap.
— Michael Ossmann (@michaelossmann) July 15, 2013