Dailydave mailing list archives

Re: Neal Stephenson, the EFF and Exploit Sales
From: "Adriel T. Desautels" <adriel () netragard com>
Date: Tue, 14 Aug 2012 15:19:31 -0400

We just published an article that counters a lot of the FUD surrounding
zero-day exploits, risks and sales.  Granted it's not 100% on topic but I
think there are some aspects of it that are. Feel free to give it a read
(or not).

http://pentest.netragard.com/2012/08/13/selling-zero-days-doesnt-increase-your-risk-heres-why/


On 8/14/12 1:09 PM, Loose Tweets wrote:
I get it now! If we just patch *all* the bugs, then there will be no
bugs left for anyone else to exploit. Guys, this is brilliant. How did
we get scooped by a few lawyers at the EFF when we've been working on
this for years?
It seems that people continue to misunderstand my earlier point
(https://twitter.com/0xcharlie/status/235402152716152834), so let me
re-iterate it without also attempting to troll.

It is a widely held assumption by people who are not on the front
lines of defense that increased access to vulnerability information
will make everyone more secure.

Setting aside the question of who gets to make the 'bad regime'
determination... from everything we know, that's just crap. They send
their targets stock malware and say 'please install by clicking on
this photo, love, er... not the government, srsly'. Or, they leverage
the fact that they have physical access to the carrier, the internet
cafes and so forth. (Or probably they just use humint cause it's
easier). What those guys really need is better opsec, and I hope they
continue to get it.[2]
...
As others have said, let's go after the _real_ tools used by 'bad
regimes', wherever in the world they may hide! Let's see, we need
Metasploit, Backtrack, FinFisher, Northrop, Raytheon, EnCase, the
Root CAs, BlueCoat, Cisco, Nortel (for the LI capacity in their
carrier gear)... Oh wait, most of those guys have lobbyists, forget
it.
Does it? Does increased access to vulnerability information solve any
problems here or elsewhere? Further, how many vulnerabilities would we
have to fix for it to have an impact on these threats?

That the EFF has so blatantly forsaken their own beliefs is a problem,
but of greater concern to me is that they appear to rely on snap
decisions and emotional judgements rather than competency to do their
jobs.

I already had misgivings about the EFF's ability to represent my
interests, but now I believe their incompetence may end up hindering
the progress of privacy and security on the internet. I'm with Dave
and I won't be giving even passive support to the EFF from this point
forward.

-LT
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
