An open response to Dave Aitel on the EFF

Dave Aitel recently posted regarding the Electronic Frontier Foundation and exploit sales to the eponymous Daily Dave mailing list. I’ve snipped out stuff that doesn’t have anything to do with this particular issue:

Lately the EFF has been posting things that seem to want to restrict exploit sales ( https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate ) as if this somehow increases security for the Internet as a whole. Aside from regulation being an ineffective tool here, I don’t think the EFF should have the particular worldview that giving up freedom for security here is an acceptable trade-off. And when Charlie Miller and I talked to an EFF representative at DefCon, she agreed with us.

However, the current EFF stated opinion is this:
“If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal.”

Calling for the government to regulate what kind of code you write sounds counter-productive to the EFF mission, and is definitely counter to the opinions of people on this list and in this community. Until the EFF changes their position, I recommend not donating to them or buying the strangely decorated shirts at DefCon.

Marcia Hoffman then responded via Twitter:

She (and I) are not the only ones to disagree with the premise of his post:

I responded to part of his post, but for whatever reason it has not been posted back to the list. So I’m posting it here, partly because I think he’s wrong and partly because Marcia Hoffman requested a link. I’ve also fleshed it out a little.

I don’t read the EFF’s statement the same way Dave does. That is, you’re still free as far as I can tell to write whatever code you want to write. The next sentence of the post he cited states the EFF’s real goal:

“Unfortunately, if these exploits are being bought by governments for offensive purposes, then there is pressure to selectively harden sensitive targets while keeping the attack secret from everyone else, leaving technology — and its users — vulnerable to attack.”

So, taking the statement as a whole, the EFF advocates taking the vulnerabilities and exploits purchased for offensive operations and using them also for defensive operations. Subject to OPSEC concerns, I think this is more or less reasonable and correct: if we know of a bug, we know it has a limited shelf life (especially once it’s used against a sophisticated adversary). It makes sense to then transition to fixing the same problem in our systems. And along the way, perhaps some critical systems can have mitigation applied, whether that’s a patch or something else. After all, if smart hackers on one side can find it, smart hackers on another side can too.

Regarding the last bit of his post: even if I misunderstand the EFF’s position, or a supporter disagrees with it anyway, we must then decide whether the rest of the things they do outweigh this portion of their policy proposals. After all, they work on a lot more (and bigger) issues than just this. So for now I’m happy to continue buying schwag, sending them money, and volunteering for projects within my domain of expertise.

(Disclosure: I’m a rank-and-file member of the EFF but with no special knowledge or access or anything similar to their policy statements.)


2 Responses to An open response to Dave Aitel on the EFF

  1. I have a problem with EFF’s view for a few reasons. First, why should EFF care if an enemy is targeted with a certain cyber weapon? (I don’t see EFF barking up the kinetic weapon sales tree.) The goal of warfare is not the domain of EFF, and so long as the govs in question are abiding by their own laws (not firing on their own, for example) then it really has nothing to do with them. Second, there is an awful lot of presumption in this article regarding shelf-life and what-not which is, frankly, quite wrong. If you think there are not 4 year old 0-days out there you are fooling yourself. If you think that everyone knows about them just because people are smart you are also fooling yourself. Bug finding is hard. Bug finding is extremely hard.

    The crux of this argument seems to me to be a moral one: Does a security researcher have the moral obligation to report a security flaw (for the betterment of the nebulous ‘community’) or can the researcher decide what to do with their own hard work. EFF enforcing a moral obligation on researchers is, quite frankly, a total contradiction and an absolute joke.

  2. At least in this statement, *EFF did not make any statement about the obligation of researchers.* That’s the point I’m trying to make. The proposal relates to government policies regarding purchasing exploit and vulnerability data, not about whether bug hunters can decide what to do with it.

    I know there are other debates happening right now about whether researchers should sell their exploits to governments, and which ones, but that’s out of scope for this post. :)
