

Nations Buying as Hackers Sell Computer Flaws - stfu
http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html?_r=0

======
ihsw
Responsible disclosure is one of the worst things to happen to the information
security industry, and the sale of exploits is similarly terrible. Modern-day
white hats have effectively turned into 'green hats' whose goals are no longer
compatible with the previously-held ethical hacking belief system.

Personally I feel that the sale of exploits should be outlawed, or at least
specifically to customers have no intentions of fixing the exploit (buying a
hackers silence), or to governments that are intent on conducting
clandestine/offensive operations.

I also agree with the EFF's stance on exploit sales, and that is that they
should be front-and-center in any and all national cyber-security debates:

[https://www.eff.org/deeplinks/2012/03/zero-day-exploit-
sales...](https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-
be-key-point-cybersecurity-debate)

Also on Schneier.com:
[http://www.schneier.com/blog/archives/2012/06/the_vulnerabil...](http://www.schneier.com/blog/archives/2012/06/the_vulnerabili.html)

No I'm not arguing for zero disclosure or that security researchers shouldn't
be compensated for their hard work, I just think that the people and
organizations that sell these exploits are effectively complicit in the
destruction resulting from these exploits.

The world of information security is slowly but surely moving towards a Cold
War scenario where nation-states are fostering sustained and escalating
tensions, especially where they maintain a stockpile of exploits to be
deployed in war-time scenarios.

~~~
jrockway
I don't think exploit sales could ever be made illegal in the US. Courts have
already ruled that code is speech [1], and the Constitution puts restrictions
on how the government can limit speech. First 0-day exploits are illegal, then
The New York Times.

Exploit sales are basically a byproduct of living in a free society. If you
want them to go away, find the exploits yourself and post them to full-
disclosure. Or pay someone to.

[1]
[http://en.wikipedia.org/wiki/Bernstein_v._United_States](http://en.wikipedia.org/wiki/Bernstein_v._United_States)

~~~
malandrew
Publishing exploits should certainly be protected as free speech, but the sale
of exploits to a party with ill intent (governments included, even ours) is
moving into the realm of arms dealing because that exploit is going to be
weaponized. Intent matters.

If there is a transaction with weaponization as the intent => arms dealing

If it is published to edify => free speech

~~~
mindslight
By that logic, having a perl RSA implementation in your signature is arms
dealing because the intent is for that speech to spread to others to weaponize
it into encryption software. Reality already won that battle, let's not fight
it again.

------
s_q_b
I'm surprised Endgame Systems isn't mentioned. As far as I can discern,
they're one of the largest purveyors of zero-day exploits to the IC.

They sell a target-mapping tool known as Bonesaw, and for a couple million a
year you can upgrade it with zero-day exploit packs for every region on the
globe. It's system compromise made point-and-click.

EDIT: Should have read the second page. I'll leave it up as a testament to my
haphazard reading ability.

~~~
joshfraser
It was interesting to see that some of our own silicon valley folks are on
Endgame's board. Notably, David Cowan from Bessemer and Ted Schlein from
Kleiner Perkins.

~~~
s_q_b
Absolutely. I'm DC based, so it's more "your" than "our."

But you'd be equally surprised to see the flow of money that moves in the
opposite direction. In-Q-Tel, the non-profit venture capital firm of the CIA,
has invested in many Valley companies including Facebook and Palantir.

Now, I've heard that In-Q-Tel funding does not imply any obligation toward
government interests in the future. However, from an organization who's stated
mission is "specifically to help companies add capabilities needed by our
customers in the Intelligence Community," such relationships pose interesting
questions.

------
pm24601
Quite frankly I also blame the criminalization of responsible bug reporting.

For example, Barret Brown (
[http://www.democracynow.org/2013/7/11/jailed_journalist_barr...](http://www.democracynow.org/2013/7/11/jailed_journalist_barrett_brown_faces_105)
) is facing jail time.

Others have tried to report security issues and been threaten or charged with
hacking. ( I will let you google for examples - there are quite a bit)

At DefCon there have been cases where presenters were threatened with charges
for reporting security issues.

Selling the vuln "solves" the problem for the responsible hacker.

I know if I found a bug - I would be unlikely to report it - too dangerous.

~~~
preter
It's sad but accurate. The safest route for the reporter is to sell it to
people who want to attack their enemies, the vendor wont bully them,
administrators wont attack them and you're shielded from criticism.

It's unfortunately common for administrators to believe security is the state
of perpetual ignorance of vulnerabilities that affect them, if Windows Update
says "No updates available" then you're secure. If you tear them from that
blissful ignorance, then they get angry and shoot the messenger.

Security researchers do not introduce insecurity, they expose it. This is
apparently a very hard concept to grasp for a lot of people.

------
lawnchair_larry
Exploits are not weapons, they are research. They are the discovery of the
correct sequence of bytes that someone else's program has been written to
accept as input and perform actions that the author (probably) did not intend.
Exploits are not any _act_ of doing this, they are the knowledge of _how_ to
do it.

There is no physical analogy. A bomb doesn't care what its target is, it's an
indiscriminate destructive force. You cannot do something similar with an
exploit. The exploit only has context within the rules set forth by the
programmer of the target software.

Just because I know which inputs you accept that cause unintended behavior,
that you put there and I had nothing to do with, does not mean I have
"created" something, positive or negative. Fundamentally, exploits are not
created, they are discovered.

This discovery process is expensive, and it's easy for you to say that it is
ethical for me to share what I've found for free. I think that's arrogant and
disrespectful, and I also think that criminalizing my knowledge is far more
dystopian than what you think my knowledge might be used for if shared with
someone else.

I don't like what some governments are doing with them or that my tax money is
feeding the industrial complex, but such a fundamental attack on freedom
cannot be tolerated.

------
tcoppi
Apparently Regulation of exploits has made it into the 2014 NDAA:
[http://blog.erratasec.com/2013/07/thanks-eff-for-
outlawing-c...](http://blog.erratasec.com/2013/07/thanks-eff-for-outlawing-
code.html#.UeQmUcUjsUE)

