
EFF Pries More Information on Zero Days from the Government - tghw
https://www.eff.org/deeplinks/2016/01/eff-pries-more-transparency-zero-days-governments-grasp
======
blakesterz
I love the EFF and what they do but I always feel like their writing style is
so often... I'm not sure how to put it... just kind of over the top? e.g.
first paragraph, "the charade is over" ... third "this too doesn’t exactly
come as a shocker." So much of what they write about is really important but I
can't help but think the writing is often maybe too hyperbolic and turns off
people that should be following these things closer.

~~~
zitterbewegung
Putting the hyperbole in not only makes people click on it but it makes people
be more swayed not only by reason but also by feeling. Sharing the article
probably makes a significant number of people donate to the organization.
Disclaimer: I am an EFF member.

~~~
mikeash
It sways people away because of feelings, too. I admire what the EFF does but
I always have a hard time taking them seriously because of this.

Also, at some point, I think integrity demands reasonable language even if
hyperbole is effective. It ends up being a variation on clickbait.

------
Animats
This changes what "responsible disclosure" of security bugs means. It's no
longer appropriate to report security bugs just to the vendor and CERT. They
_must_ be disclosed publicly to prevent them from being misused by government.
It's now irresponsible to delay disclosure.

~~~
tptacek
No, this has very little at all to do with reporting to vendors. The USG
doesn't have a stockpile of vulnerabilities because vendors give them
vulnerability feeds (in fact, there's no evidence that anything like this has
ever happened, and that's not surprising, because to make that work, vendors
would need to knowingly retain vulnerabilities in software they ship to their
customers). The USG has a stockpile of vulnerabilities because it employs
researchers and buys vulnerabilities from outside researchers.

That is exactly what the newly unredacted VEP the EFF is writing about says:
agencies discover vulnerabilities and report them to an internal
clearinghouse. That _may or may not_ result in alerts to vendors.

Reporting to vendors remains a solid way of killing vulnerabilities, so long
as researchers are aggressive about it (the 60-90 day open publication window
seems to do the trick).

(This is my field).

~~~
viraptor
While it's not stockpiles of vulnerabilities, I don't think it's valid to say
there's no evidence of vulnerability feeds. For example a bigger company can
get early notification of embargoed vulnerabilities for various projects they
use, sometimes with early patches.

I'd be surprised if USG didn't have access to pretty much every important feed
like that. This gives every notified party at least a few days to act (defence
or otherwise).

~~~
ikeboy
[http://www.bloomberg.com/news/articles/2013-06-14/u-s-agenci...](http://www.bloomberg.com/news/articles/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms) confirms it.
