So here’s the deal about the 0day market: it’s all a big
conspiracy theory. It’s like when the military was testing the stealth fighter
over Area 51 and people thought it was space aliens. Yes, it’s true that the military was covering up something, but rather than
aliens it was something more normal. The same is true of the 0day market: it’s
not that it doesn’t exist, it’s just that everyone has created a conspiracy
theory about it that is largely unrelated to reality.
I mention this because of a recent Stanford undergraduate paper arguing
for the outlawing of 0day. It’s pure conspiracy theory, citing innuendo as
fact.
For example, when talking about Heartbleed, the paper’s
author says “Experts wondered whether this vulnerability resulted from coding
mistakes or was deliberately inserted, perhaps by a government intelligence
agency”, citing Bruce Schneier as the source. The word “wondered” means
“wondered”. Schneier has no reason to think this, he has no evidence, there’s
no reason to give his idle musings any weight. As a well know expert, I have
wondered on Twitter if Heartbleed was caused by Global Warming – which has
exactly as much validity as Schneier’s wonderings on Heartbleed. Conversely, NBA player LaBron James might've wondered if the NSA had something to do with Heartbleed, and he is every much qualified to wonder that as Bruce Schneier.
It’s not Schneier wondering here, but the paper’s author.
She wants to make this accusation, so cites something as hard evidence that is bare innuendo. She’s using what looks like an “academic” type
of citation but it’s really just a “conspiracy theory” citation. Seriously, the wackos claiming Bush was complicit in 9/11 have better standards than that. (That her advisors let her get away with this sort of nonsense citation shows how left-wing activism dominates good sense in academia).
There is a citation-inflation going on here. This paper
cites Schneier's idle musing as support for her claims, and the next paper will
cite this one as confirming “Experts believe the government knew ahead of time”.
That describes many of the citations in this paper. This paper places more confidence on claims than the original articles it cites. For example, this paper
cites sources to claim that my company, Errata Security, is a “verified seller
of 0day”. In fact, none of her sources make that claim -- that's her exaggerating what the sources did say.
In fact, there is no evidence that any particular 0day has ever been
sold in this vast market everyone is talking about. I mean, with such a big
market that everyone knows what’s going, I’d think you’d be able to name at
least one sold 0day as evidence, such as a bill of sale of VUPEN selling CVE-2012-4167 to the NSA for $100,000. Yes, there is a lot of partial evidence hinting that something is going on, but not nearly enough evidence to paint the complete picture. And that's the problem I mention at the top of this post: people have created an exciting conspiracy theory that differs from the boring reality.
I write this because regulating 0day will have an enormous
impact on civil liberties. Take, for example, “jailbreaking”. Companies like
Apple sell us phones that are locked down, controlled by Apple and the phone
companies, and not controlled by us. Taking control of the phone is called "jailbreaking", and it's illegal in many countries (including this one, technically). That’s Orwellian, as in the book 1984 where TV’s spied on their owners
and it was illegal to turn them off. Every time Apple releases an update, the
jailbreaking community rushes to find an 0day to jailbreak the phone, giving
control back to their owners, allowing owners to turn off the features Apple
and the phone companies use to spy on them. These same 0days are also sold to
the NSA so they can spy on people. This conspiracy-theory lead crackdown on
0day will do nothing to stop the NSA, but will do everything to take them out
of the hands of we the people. Far from believing in these disastrous conspiracy theories, our our community should be standing up for our 0day rights.
(Note: I expect to be updating this post soon by somebody citing an actual bill of sale from somebody, thus disproving my assertion that such things don't exist. It's just that I know a lot about this topic, and I've never come across any public information like this).
(Also note: Before commenting on this post, please pay attention to what I wrote, and not what you think I meant.)
6 comments:
somebody citing an actual bill of sale
I don't know if Charlie Miller can be called "somebody", but it shows an evidence of it in 2007: http://weis2007.econinfosec.org/papers/29.pdf with a scan of a 50000$ check.
"pay attention to what I wrote, and not what you think I meant"
So you think I'm FAT, Rob. That it?
Why would there be any public information about the sale of what amounts to weapons?
Even if you sold 0days to the govt, Rob, you know full well that there would be NDAs or even classification of the deal.
This article seems like deflection
So you are saying that the aliens are hiding their 0day sales to the NSA after taking over Area 51?
I think you misread the paper. She cites Heartbleed and the public musings about govt complicity in it to explain why the Obama Administration felt the need to go public with its 0day disclosure policy, and not because she thinks the govt was involved/knowledgeable. *Sigh*.
I thought Google pays a stipend to coders who find vulnerabilities in their code. I thought they even had an annual conference celebrating it.
Post a Comment