
A better submission for discussion would be Dave Aitel's piece at Lawfare, which is making the rounds in the industry right now, and is linked from this EFF advocacy piece. Nobody at EFF is as close to this issue as Aitel is.



Being close to the issue is often a disadvantage.

I don't know enough to say whether that is the case here, but I trust the opinion of a non-profit organization established to defend my rights over an ex-NSA security firm CTO whom I admittedly know nothing about except what I just looked up.


Yes, as a wise man once said, people in this country have had enough of experts.


This sounds like "I prefer feels to facts."


Or the opposite. People closer to the situation tend to have more "feels".


Is the EFF too close? They're pretty one track minded.

Either way, there's probably more persuasive arguments that either Aitel or the EFF are correct than "too close".


Yes by all means read Aitel's piece before reading TFA's point-by-point critique.

I do think EFF is worried about too much here, which helps to distract from the main issues. I don't really care about vulns that the State finds or purchases from researchers. I do care about vulns that the State creates, abusing its position to weaken standards or infrastructure. More broadly, I definitely care about unlawful actions the State uses its vulns to commit.

Granted, it's difficult to sort one category from the other, from the outside. If we've learned anything, however, it's that we can't simply trust the insiders. EFF wants to know more, and so do I.


Dave's article's certainly worth reading, and he makes some good points. He's certainly closer to the intelligence agency and vulnerability market side of things than EFF is; but that's not the only aspect of the issue.

And as others have pointed out, closeness isn't always an advantage. Dave criticized the EFF post by saying

"This is a fundamental misstatement of how 0days work in the real world—in reality, the vulnerabilities used by the US government are almost never discovered or used by anyone else—and these falsehoods further confuse the conversation about 0day policy solutions."

Except of course that as the Shadow Brokers leak showed, quite a few of these vulnerabilities _have_ been discovered (and for all we know, used). The risk of something like this happening is something that EFF et al. always bring up, and the intelligence agencies and their supporters always dismiss it ... where's the "falsehood"?


The point you're making is orthogonal to the point Aitel is. Aitel is saying that on a day-to-day operational basis, Russia and China are usually using a different set of vulnerabilities than the USG is. So, putting Russian discoveries of USG tradecraft aside, the point he's making is very simple: if the USG is obligated to disclose its bugs, and meanwhile Russia is clearly not and never will be, then Russia has an advantage: its bugs are safe, but its adversary has to churn through new ones.

That's all I think he's saying.


No, this is where he's talking about how "The phenomenon of adding more noise than signal is now practically characteristic of misguided policy proposals in this area".

Specifically, he's using the EFF's statement "The problem is that if a vulnerability has been discovered, it is likely that other actors will also find out about it" as an example -- describing it as a "fundamental misstatement" because "the vulnerabilities used by the US government are almost never discovered or used by anyone else".

And then just ten days after his article, we've just seen a bunch of vulnerabilities not only discovered by somebody else but actually released on the web.


And the EFF's point is, that sounds nice, but how do we know the US is using different vulns than Russia and China? Especially when the US is sourcing those vulns from third parties?


If I had to choose who to believe, some rando at EFF or Dave Aitel, I believe Dave Aitel.


This article is a response to Dave Aitel's piece, which references an earlier post by the EFF.

I'm curious, where do you fall on this point Aitel makes:

> the EFF recently posted a blog stating, “The problem is that if a vulnerability has been discovered, it is likely that other actors will also find out about it, meaning the same vulnerability may be exploited by malicious third parties, ranging from nation-state adversaries to simple thieves.” This is a fundamental misstatement of how 0days work in the real world—in reality, the vulnerabilities used by the US government are almost never discovered or used by anyone else—and these falsehoods further confuse the conversation about 0day policy solutions.


There's a lot I don't agree with Aitel about and we do not generally think alike. However, a pretty useful rule of thumb for me has been, unless I have strong evidence to the contrary, if Aitel says something about zero-days, and particularly about how they're used by governments, what he says is probably the way you should bet.


What is your basis for trusting him on that? Not trolling, I really want to know, because EFF is telling me not to trust him without evidence, which seems pretty rational to me.


He worked for NSA and his firm does a ton of vulnerability research and development, including creating probably the most sophisticated pentesting toolkit this side of a nation state (in fact I believe its explicit design goal is to simulate just that).


OK, so just plain old Appeal to Authority?

The whole point the EFF is trying to make is, apparently our government has a lot of knowledge and power with regards to computer vulnerabilities and exploits, and is using it all secretly with no oversight and no restraints that we normally hope to enjoy due to things like the 4th amendment. I feel weird even needing to explain this.

So, please forgive us when you say, "just trust this guy," and we are leery.


Do you have something more than an appeal to a much weaker authority? All I see as a counterargument is "EFF says otherwise". But EFF does not in fact staff experts in the development of zero-day exploits, and Dave Aitel --- apart from himself being one of those experts --- clearly does.


Update: slightly better summary of Dave Aitel's article.

I'm speaking about the greater issue of unchecked government power that the EFF raised. That does not come from a simple appeal to authority, I hope we don't need to rehash the reasons we have a Bill of Rights and a government based on checks and balances. Dave Aitel's article was very focused on one of the EFF's concerns, management and disclosure of vulnerabilities, and much of what he said boiled down to, "Our enemies operate without oversight and so we need to also. Sorry, you are just going to have to trust us."


I'm sorry, but if we can't even agree about the facts, or even how we might arrive at the same ballpark of facts, what makes you think a debate of meta-facts is going to be productive?


We do seem to be talking past each other. Against better judgement, I'll try once more.

Dave Aitel can be the world's foremost expert on developing zero days with no peer in sight, but that doesn't automatically make him (or any expert) trustworthy. One of the great things about our government (when it functions correctly) is that we don't have to trust any one person in our government too much. We have things like transparency, checks and balances, competing interests and so on that help force everyone to be at least somewhat honest and responsible. The arguments that we should just shut up and trust the FBI and the NSA go counter to that. The EFF may not be expert in exploits, but even school children in the US understand basics about government corruption and the need for checks and balances.

I do think I understand Dave's argument. Oversight and transparency applied to US agencies with regards to exploits will not also be uniformly applied to non-US agencies and their use of exploits. Why does that even matter? Well, nobody seems to be coming out and saying as much but Dave and others strongly imply that we are in the middle of a secret all-out no-holds-barred high-stakes computer security war with other countries right now. Burdening the FBI and NSA with any kind of transparency or oversight requirements will put us at a disadvantage in that war and Bad Things will happen if we lose.

If that's really the case, then it sounds like we need Geneva Conventions for cyber war, something that protects all the world's citizens from the land mines and mustard gases of state sponsored computer hacking. Before that could ever happen we'd need to first admit we are in the middle of a cyber war, and nobody seems to want to do that.


Why does the policy on how the US government uses exploits depend on its current secret behavior? How can you derive ought from is?


Could you rephrase that question? I don't understand it well enough to answer it.
