Yes, and that's what I meant about making it hard, not impossible. That said, there are uses of exploits which can be said are for the purpose of protecting property. I might conceivably want to use an Android or iOS exploit to liberate some of my data from my phone if some apps are less forthcoming with that data than I would like.
> I might conceivably want to use an Android or iOS exploit to liberate some of my data from my phone if some apps are less forthcoming with that data than I would like.
A great point that I should have thought of. I wish I could edit my original post and add that consideration.
I can draw a conceptual line: Ban using exploits on other people's equipment. But practically, I don't see how to stop that without criminalizing distribution, in which case I can't get my data from my phone (or install a 3rd party OS) without the vendor's permission.
> I can draw a conceptual line: Ban using exploits on other people's equipment. But practically, I don't see how to stop that without criminalizing distribution, in which case I can't get my data from my phone (or install a 3rd party OS) without the vendor's permission.
I don't understand what the problem is supposed to be. You don't need laws against knives because there are already laws against assault and murder and there is no harm in having a knife you use to cut carrots. Then you prosecute people for the bad things they actually do.
The justifiable laws against specific weapons are for the exceedingly dangerous ones like plutonium and smallpox. That isn't this.
> You don't need laws against knives because there are already laws against assault and murder
A good point. In this case it's so hard to catch perpetrators that to stop the crimes, it could be necessary to ban the weapons or their distribution (if that even is a practical option).
Are the other similar situations, where perpetrators are so hard to catch and you have to ban the means? Counterfeiting is all I can think of, and they don't ban color printers they just put tracking tech in them. Also, color printers are dual-use: They have many legitimate uses, exploits have very few.
> The justifiable laws against specific weapons are for the exceedingly dangerous ones like plutonium and smallpox. That isn't this.
Weapons that help foreign governments oppress large parts of their population might qualify, though clearly not all exploits fit that description.
> Are the other similar situations, where perpetrators are so hard to catch and you have to ban the means?
The nearest thing is clearly DMCA 1201. The problem of course being that DMCA 1201 is an epic failure. DRM circumvention tools are widely available to pirates, meanwhile it regularly subjects honest people to a choice between breaking the law and having it interfere with their legitimate activities.
> Also, color printers are dual-use: They have many legitimate uses, exploits have very few.
Exploits seem to have more legitimate uses than illegitimate ones. The only illegitimate use that comes to mind is wrongfully breaking into systems, which is the mirror image of the legitimate use of rightfully breaking into systems, in case you somehow get locked out (or some malicious third party locks you out).
Then on top of that, sysadmins require exploits to verify that a patch actually prevents the exploit. And proof of concept exploits are sometimes the only way to convince a vendor to fix a vulnerability. And academics need to study the newest actual exploits in order to keep up with what currently exists in the wild.
> Weapons that help foreign governments oppress large parts of their population might qualify, though clearly not all exploits fit that description.
Smallpox is inherently dangerous. Some exploits could be specifically dangerous in the sense that some very sensitive systems could be vulnerable to them, but only in the same sense that a Fire Axe could be used to break down some doors leading to very sensitive areas. The problem then is not that the public has access to axes, it's that there aren't enough independent security layers protecting sensitive systems.
And you can't fix that problem by banning tools because a high value target with bad security will fall to a state-level attacker regardless. The only answer is to improve the security of sensitive targets.
I think the equivalent (or much worse, actually) for exploits is something that is self replicating and disruptive. For example, a bug in the BGP routing protocol (or a certain percentage of the common implementations) that propagates bogus routes and disrupts some or all traffic for affected systems and spreads. Something that disrupted a large enough chunk of global traffic would not only be horrendous in its own right, but would also make dissemination of any fix quite problematic.
Then again, I assume it's probably good practice to somewhat lock down how BGP functions in your routers (if that makes sense. I'm not that familiar with it), but a certain incident from last year[1] leads me to believe that's either not possible, hard to do, or people just don't do it.
If you have the tooling to keep smallpox and not kill yourself you can also keep ebola around too, if you go to the effort to go find it. Really dangerous stuff and is going to be costly.
The problem here is I can make and keep 'digital smallpox' on my home PC, and for many pieces of equipment it is surprisingly easy to find exploits for them. Are you planning on watching every computer? Every person in the world?
Take a lesson from the failed war on drugs, where there is significant profit motivation people will do what is necessary to make massive amounts of money. There are massive amounts of money in blackhat work.
Which is exactly what I mean by "there aren't enough independent security layers protecting sensitive systems." We've known that BGP has terrible security for many years.
Fixing it is hard because it requires a lot of independent parties to agree on what to do and update their routers. In theory this is the sort of thing a government could help with by providing funding, to fund research into solutions and/or provide cash incentives to early adopters.
But the market also solves these things eventually, since successful attacks are bad for business. It just takes for the attacks to actually happen first in that case.
