[Dailydave] Sympathy for the Devil

I haven't dailydave-blogged for a while, so excuse me if this gets a little ranty...

On March 29, 2012, the EFF published an article by Marcia Hofmann and Trevor Timm:

https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate

I have several problems with the article itself, but mainly with the underlying sense of outrage. This frothing moral outrage apparently blossomed recently in 'the twitters', that internet backwater where enforced brevity reduces debate to the sophistication of 'AM NOT! ... ARE TOO!' and thence was a bandwagon formed...

Fortunately, the article provides an excellent all-in-one stalking horse, although I would like to make it absolutely clear that it is by no means the only, or even the worst, example of this kind of hysterical sophism I have come across (*cough* Soghoian *cough*); it's merely the most recent I have seen which is written coherently enough to even justify a response.

In a nutshell, some people are angry and jealous and afraid because some security researchers are making money from research when they should instead be wearing funny t-shirts, dressing like a zitty Neo and doing what they're damn well told by Large US Corporations (in a really cool, alternative way).

Let me begin with this. The article asserts that 'security researchers should never turn a blind eye to their ethical responsibility to help improve technology'.

Imagine me saying this bit slowly: I do not grant the premise.

In fact, so little granting, by me, of this premise, is done that the depth of my antigranting can only be adequately expressed through torturous grammar and neologism. I think it's a perfectly valid moral choice for researchers to find bugs and sell them for less than market value, or even give them away for free. I don't think it's fine to assert that there's any objective morality here at all. I absolutely don't think it's fine for anyone to start hitting people over the head with an invented one, linked from wiki-fricking-pedia and asserting that it 'should never be ignored'.

I love and hate argument by analogy when it comes to security, but we're not talking about security, really, we're (allegedly) talking about ethics. So, I'd like to offer drug companies as an example - they have secrets which were created through research, ruthlessly protect these secrets, and use that secret knowledge to make lots of money to the direct, and sometimes fatal, detriment of large sections of the global population - for which (defensibly) legal service they are lauded by their millions of shareholders, and protected by their governments. And people think selling exploits is 'evil'?

Luckily, society has provided us with a convenient, if fuzzy, tool to assess the ethical quality of actions when dispute arises. It's called 'the law', and I'd have thought the EFF might think more of it. ;)

The article does, graciously, allow that 'The governments who buy zero-day exploits also bear responsibility here.' So I guess they do recognize that the sector that creates both the key demand as well as the legal framework within which the market operates does bear at least a tiny bit of 'the blame' insofar as anyone has done anything wrong.

This next bit is where the alarmist sophistry comes in [1]:

"the sale and use of exploits that leave ordinary users of popular software vulnerable—a real cybersecurity threat—remains unmentioned in this cybersecurity debate."

"Keeping flaws under wraps makes millions of Internet users less safe. If exploits are used to conduct attacks on network infrastructure, either in other countries or the U.S., those who sell exploits could be complicit in such acts."

First of all, if the exploits are never released, then the Internet Safety Delta is exactly zero. The bugs are already there, they don't spring into existence the moment they're discovered - an alarmingly common logical fallacy.

Secondly, to affect 'ordinary users', the exploit's use has to be discovered, reverse engineered and then somehow make its way into the hands of an entirely hypothetical lunatic who wants to use a $100k bug to start owning up mom and pop computers and stealing their cat photos - instead of the perfectly effective and thousand times easier approach of selling them "discount antivirus". Not to mention that there are already a variety of easily available products ranging from free (like MSF) to 'cheap' (like CANVAS / IMPACT etc) against which an 'ordinary user' stands about as much chance as an ant fighting God.

The 'covert remote access solutions' these guys deal in are like high-end sniper rifles, not pipe bombs, and they're part of an intricate 'cyber' dance that few people understand. The general public needs to worry about them as much as they need to worry about getting blown up by a prototype Predator drone. [2]

I don't have any idea what the buyers are using these things for, but if it were me I wouldn't be using exploits from 'semipublic' and attributable provenance to hit genuine adversaries where there was a chance of being caught. I might use them in internal pentests, though. Or training. Or testing '0day defence' systems. Or even just looking around to see if my OWN 0day had been discovered yet... but none of that sounds sinister enough for the paranoid attention seekers of the blogosphere, I guess.

As for the ridiculous implication that exploit sellers should feel responsible for their eventual use, or, to go back a step, should even really give a crap which direction every mouthbreather on twitter's moral compass is pointing, I don't know whether to find it hilarious or breathtakingly arrogant. Certainly from someone who had ever said 'guns don't kill people, people kill people' or pretended that the first half of the Second Amendment was written in pencil it would be the latter, but from the EFF I like to believe they were just having a bad rhetoric day.

Like this:

"As EFF has stated previously, this is "security for the 1%," and it makes the rest of us less safe."

... because the supply of 'security' is absolutely finite, and so someone having more of it automatically makes everyone else have less. TERK ERR SEKYERRIDDY! US Workers demand more Cybers! The French are arming the Russians and the Arabs! Occupy The Internet! Honestly - all that's missing is a link between exploit sales and higher taxes.

Pleased to meet you. I spend my time milling cyber-gunpowder for people that make cyber-bullets sold by "modern-day cyber-merchants of death". I am the frumpish British mother that filled the shells for the fire-bombing of Dresden. I am the Wal-Mart attendant that sold the gun to the father of the last school shooter [3]. I do it for money, because I like it, and because most of the time I don't need to wear pants. I spend approximately no seconds of any day worrying about the imaginary ethical implications of every little thing I do, and I am not particularly unique.

Now where's our courtesy, some sympathy and some taste?

Cheers,
ben

[1] It's such an easy lie that I've even used it myself, years ago, to finger-wag at CANVAS in a short paper called "Vulnerability Research, Disclosure and Ethics". To some extent I was Just Wrong, and to some extent I was writing in a different time and under a different employer. I like to think of it now as mostly a history paper written by a bright but naive student.

[2] *General Public in Pakistan Not Included. Void where Prohibited by the Ability to Get Away With It.

[3] This is allegory; whichever shooting you think I'm referring to, I'm not. Take a deep breath.