Hacker News

Bombs vs. Bugs

2 years ago/58 comments/edwardsnowden.substack.com
3 years ago by hans1729

>That’s the crucial caveat that I think many missed regarding my call for a global moratorium: it is a prohibition on the commercial trade—that is to say, specifically the for-profit exploitation of society at large, which is the raison d’etre of the insecurity industry—rather than the mere development, production, or use of exploit code.

I don't see how prohibition would solve the problem here, people would just sell it in [insert rogue market].

Raison d'être is not trade, it's demand, and demand doesn't care about the DOJ.

Also, exploits aren't just an arbitrary good, but a tool of power themselves, so effective prohibition seems even more absurd.

What am I missing?

3 years ago by whimsicalism

There's a difference between underground criminal gangs discovering exploits and selling them on black markets and being able to raise capital, have legal protection, etc. while you hire experienced developers to find exploits that you sell to despotic regimes like Saudi Arabia.

I suspect that distinction is what you are missing.

3 years ago by anthony_r

Exactly, it wouldn't necessarily change the demand, but would hopefully reduce the supply (by raising costs). Being a legal entity has much lower cost of funding and much lower cost of operations than being an illegal entity. Otherwise most entities/corporations would not bother to be legal, which is clearly not the case.

3 years ago by lstodd

Look how magnificently such a strategy worked for drugs.

3 years ago by praptak

> people would just sell it in [insert]

This is a specific form of a general argument against any law - "people would just break the law by [insert a way to break the law]".

These arguments are obviously generally true (any law can be broken) but you usually don't need an absolute victory, just a legal weapon against the bad guys, which hopefully is hard to use against the good guys.

3 years ago by pvarangot

Snowden is specifically talking about how this prohibition will deter security researchers from working for these "companies". Having been in the field a while back, I agree with him. Most people won't jump the extra hoop you need to jump to work for an illegal industry if they can make bank without breaking bad.

3 years ago by michael1999

You may underestimate how much government funding has widened and deepened the production side of the exploit world. Once TLAs outsourced and started buying exploits on the open market, the whole thing professionalized and became much more liquid. That kind of intellectual capital formation really changes things.

Mind you, the genie is out of the bottle. A half-hearted moratorium is unlikely to undo what Poindexter wrought.

3 years ago by AutumnCurtain

Interesting that his most common feedback is to use simpler language and write shorter pieces; personally I've felt he does very well at using accessible language but is handcuffed by the intrinsic inaccessibility of the topic to people without knowledge in the cybersecurity/privacy domain. This article, I think, is a good illustration of his abilities there.

3 years ago by soared

I wonder if that feedback was about technical knowledge, or just the style he writes in. I would 100% characterize his style as “someone who thinks he’s smart”. I don’t mean that to be totally offensive, only a little bit.

> One of the interesting things for me about this shared space of ours is to be able to see what it is that you most enjoy

This is pretty clearly a backwards way of writing a normal American English sentence.

3 years ago by whimsicalism

This is a very common problem. He could just use an editor/trusted friend who has experience writing for pop audiences.

3 years ago by hyper_reality

Here's an example of purple prose that has nothing to do with the complexity of cybersecurity, from his first post on Substack (https://edwardsnowden.substack.com/p/lifting-the-mask):

> Though my relationship to time fluctuates, the gravamen of my disclosures remains constant. In the past eight years, the depredations of surveillance have merely become more entrenched, with the capabilities that used to be the province of governments now in the hands of private companies, too, which employ them to track and tether us and attenuate our freedoms.

3 years ago by anon_cow1111

I don't know, this is exactly how I would talk if I wanted to poison the data of anyone trying to run word-use analysis against my public posts. On anonymous channels I'd probably type like an 8-year-old.

3 years ago by xdennis

I'm not blaming him, but he could use simpler words.

> ... to witness indicia of that ...

> ... the ultima ratio regum of a state that has exhausted ...

> ... which is the raison d’etre of the insecurity industry ...

3 years ago by AutumnCurtain

That's fair, especially since in my opinion the first two examples are definitely unnecessarily flowery language for the topic.

3 years ago by eplanit

His gratuitous use of "25 cent words" is the single most annoying and off-putting aspect of Snowden. It's extreme with him, which to me indicates a hugely inflated ego -- many more would listen to him if he would not try to sound so damn professorial.

3 years ago by sssilver

Fascinating—part of the reason I thoroughly enjoy reading him is the language he employs.

3 years ago by Joeri

It may just be an attempt to use precise language in an (unsuccessful) attempt to not be misunderstood.

3 years ago by auslegung

I’ve primarily listened to him interviewed and while he uses big words there, it doesn’t seem as much as in his writing. And he seems to me, in these interviews, as surprisingly normal considering everything.

3 years ago by jokoon

A little game theory:

I really believe that it's not in the US government interest to increase computer security.

I think the NSA is at least 5 or 6 steps ahead of the security game, so for now the NSA dominates cyber warfare, which is why they don't want more security in software, so they will constantly make everything possible so that software is insecure.

But at some point, it is going to sting because China, Russia and others are catching up.

I always found it weird that there are a lot of security standards for other industries, OSHA, etc, but for software, there is nothing, no companies are required to comply to software security standards. No software is being inspected at all. Isn't it weird?

3 years ago by legrande

> I really believe that it's not in the US government interest to increase computer security

Agreed. It's just doublespeak[0]. We all know it's the National Insecurity Agency, and that the NSA hoards & stockpiles 0day. They very rarely release tools and research papers designed to strengthen our IT infra, since they sit on so much 0day. There's no balance.

I don't buy that they're 50% red team, and 50% blue team. More like 99% red team and 1% blue team.

[0] https://en.wikipedia.org/wiki/Doublespeak

3 years ago by HideousKojima

Hell, NIST does more to fulfill the NSA's mission of domestic IT security than the NSA does. Ghidra is the only good thing out of the NSA in a long time.

3 years ago by toomanyducks

It might not be fair to assume that OSHA, etc, and the NSA, etc, operate under the same agenda. Some industries do have standards for tech. HIPAA, for instance, sets some minimum expectations for cyber security with regard to private health information (PHI). And there are HIPAA inspections, right along with OSHA ones. Of course, it's a fairly clunky solution given that government is slow and tech is fast, but it's certainly there, and it's certainly helpful.

3 years ago by TheCapn

>I always found it weird that there are a lot of security standards for other industries, OSHA, etc

Can't speak for all, but look into things like CISA[1]. I don't think they have much legal authority over industries, perhaps in some deemed critical but not others, but to say there's no "standards" is a bit wrong.

[1]: https://www.cisa.gov/

3 years ago by m12k

If the NSA is ahead on discovering exploits shouldn't they want a ban on selling exploits, so others have a harder time catching up, and it's less likely that any of the exploits that they've discovered in-house get "burned" by being used by someone else?

3 years ago by xmprt

Not if they're also a big purchaser of exploits.

3 years ago by m12k

It's quite possible for the government to outlaw selling things to anyone other than them. Cf. a lot of military hardware.

3 years ago by pow_pp_-1_v

Whatever you may think about Snowden, the stuff he does and writes is pretty thought provoking.

3 years ago by irq-1

> a prohibition on the commercial trade — that is to say, specifically the for-profit exploitation of society at large, which is the raison d’etre of the insecurity industry—rather than the mere development, production, or use of exploit code.

If the "use of exploit code" is protected then why bother? The law would have to prove an unauthorized use or "for-profit exploitation" of code, and at that point it doesn't matter if it's exploit code; any code could be used for unauthorized use.

Worse, this would put corporations at the center of what's an exploit. Every time a company makes software there could be someone arguing that it's an exploit or makes unauthorized use (of info or computing). Companies already avoid the GPL when they can because of legal FUD and this would extend those fears to all software they release. The Sony CD rootkit [0] was clearly over the line but what of iTunes encrypting local music files? Apple locked you out of your files by encrypting them and then offered to sell you the key -- sound familiar?

[0] https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

Commercial trade isn't the right definition. Exploit code is: using or bypassing an API in an unintended manner (for the benefit?, or to the detriment?, of the owner.)

3 years ago by brokenmachine

>what of iTunes encrypting local music files? Apple locked you out of your files by encrypting them and then offered to sell you the key -- sound familiar?

Did Apple actually do this? Locking people out of files they already had without DRM?

3 years ago by a1369209993

> what of iTunes encrypting local music files? Apple locked you out of your files by encrypting them and then offered to sell you the key -- sound familiar?

Yes, and? That is malware/cyberattack and should be subject to felony prosecution.

3 years ago by SavantIdiot

> However, we also have to recognize that until your neighbors are lining up to storm the Bastille

Too soon, man, too soon.

3 years ago by flerovium

> Another little-understood property that make exploits more dangerous than bombs—and they definitely are—is that, as with the viral strain of a biological weapon, as soon as an adversary catches a sample of an exploit, they can perfectly reproduce it... and then use it themselves against anyone they want.

On the other hand, once an exploit is used against a _good_ actor, they can neutralize the use of that kind of "bomb" against anyone.

I'm searching for a good comparison about mutating codes and inoculations against them...

3 years ago by alexfromapex

What's to stop defense departments from buying and selling exploits behind closed doors? I think the point raised about lack of accountability in government compartments is a huge huge problem. The new way to skirt the law seems to be go from government-run to private contractors or vice versa.

3 years ago by theptip

Like many aspects of security, it's not about stopping every possible instance of a bad thing from happening, it's about making bad things less likely to occur.

If Saudi Arabia has to develop their own 0-day spying toolkit instead of buying one off the shelf, then at the margin they will be able to do less spying.

There's nothing stopping Saudi Arabia from setting up their own team to build such hacks, but it would cost them more. Further down the road, there's nothing stopping a bunch of smaller countries from teaming up to get the economies of scale that NSO brings by selling to multiple countries -- but these toolkits seem to be the sort of closely guarded secrets that even allies don't share (if the NSA is anything to go by they are more likely to use these techniques to spy on their allies), so I doubt that is very likely; could be wrong on that point though.
