I mention this because of a recent Stanford undergraduate paper arguing for the outlawing of 0day. It’s pure conspiracy theory, citing innuendo as fact.
For example, when talking about Heartbleed, the paper’s author says “Experts wondered whether this vulnerability resulted from coding mistakes or was deliberately inserted, perhaps by a government intelligence agency”, citing Bruce Schneier as the source. The word “wondered” means “wondered”. Schneier has no reason to think this, he has no evidence, there’s no reason to give his idle musings any weight. As a well know expert, I have wondered on Twitter if Heartbleed was caused by Global Warming – which has exactly as much validity as Schneier’s wonderings on Heartbleed. Conversely, NBA player LaBron James might've wondered if the NSA had something to do with Heartbleed, and he is every much qualified to wonder that as Bruce Schneier.
It’s not Schneier wondering here, but the paper’s author. She wants to make this accusation, so cites something as hard evidence that is bare innuendo. She’s using what looks like an “academic” type of citation but it’s really just a “conspiracy theory” citation. Seriously, the wackos claiming Bush was complicit in 9/11 have better standards than that. (That her advisors let her get away with this sort of nonsense citation shows how left-wing activism dominates good sense in academia).
There is a citation-inflation going on here. This paper cites Schneier's idle musing as support for her claims, and the next paper will cite this one as confirming “Experts believe the government knew ahead of time”.
That describes many of the citations in this paper. This paper places more confidence on claims than the original articles it cites. For example, this paper cites sources to claim that my company, Errata Security, is a “verified seller of 0day”. In fact, none of her sources make that claim -- that's her exaggerating what the sources did say.
In fact, there is no evidence that any particular 0day has ever been sold in this vast market everyone is talking about. I mean, with such a big market that everyone knows what’s going, I’d think you’d be able to name at least one sold 0day as evidence, such as a bill of sale of VUPEN selling CVE-2012-4167 to the NSA for $100,000. Yes, there is a lot of partial evidence hinting that something is going on, but not nearly enough evidence to paint the complete picture. And that's the problem I mention at the top of this post: people have created an exciting conspiracy theory that differs from the boring reality.
I write this because regulating 0day will have an enormous impact on civil liberties. Take, for example, “jailbreaking”. Companies like Apple sell us phones that are locked down, controlled by Apple and the phone companies, and not controlled by us. Taking control of the phone is called "jailbreaking", and it's illegal in many countries (including this one, technically). That’s Orwellian, as in the book 1984 where TV’s spied on their owners and it was illegal to turn them off. Every time Apple releases an update, the jailbreaking community rushes to find an 0day to jailbreak the phone, giving control back to their owners, allowing owners to turn off the features Apple and the phone companies use to spy on them. These same 0days are also sold to the NSA so they can spy on people. This conspiracy-theory lead crackdown on 0day will do nothing to stop the NSA, but will do everything to take them out of the hands of we the people. Far from believing in these disastrous conspiracy theories, our our community should be standing up for our 0day rights.
(Note: I expect to be updating this post soon by somebody citing an actual bill of sale from somebody, thus disproving my assertion that such things don't exist. It's just that I know a lot about this topic, and I've never come across any public information like this).
(Also note: Before commenting on this post, please pay attention to what I wrote, and not what you think I meant.)