Thursday, February 16, 2012

0-days and cowboys

(I post most of the stuff I see on Twitter now, it's such a seamless way to share information. But I just wrote a long post and thought this article was funny/worth mentioning)

In February 2012, Chris Soghoian called for "reining in" the 0-day researchers and adding regulations or other mechanisms to prevent people from buying/selling "weaponized exploits". He also calls people cowboys and a "ticking bomb", which I think is a bit FUD-oriented. His basic theme, that there's a large, opaque market that could go wrong some day, is generally a legitimate point (I was surprised how fast/loose people could be there), but I'm not sure how on earth legal restrictions would be constructed to do that effectively. The biggest problem out there now is the lack of transparency and trust between buyers and sellers... if it were brought to light, buyers like Google and Facebook could continue to improve their products, commercial vendors could get what they are looking for, and researchers could be paid for their work. Hard to picture some senator effectively putting that into legislation or some regulation...

Some questions that come to mind:
  • Who would define what an exploit is? Does it matter if it's "weaponized" or not? What, exactly, is he proposing to ban/regulate?
  • Who defines what is legitimate or not? If the FBI wanted to buy one to compromise some mafia machine, is that OK with him? Or if it was a government?
  • Is Metasploit/Rapid7 bad? Isn't that what Metasploit is, a "weaponized exploit" framework? What about Canvas and all the other penetration testing tools?
  • If Congress can't even figure out how to regulate copyright violations without breaking the Internet, who on earth would even dream of suggesting they wade into a domain that's significantly more complex?
  • His concern that Anonymous was going to hack some organization that bought an exploit, and use it, is just a little silly. If they are able to hack into the organization that's buying "weaponized exploits" in the first place, it's pretty likely they don't need much help to wreak havoc.
Can't spend too much time on silly suggestions or poorly thought out ideas in our community, as you'd have a new full-time job, but some deserve to be called out! That doesn't mean thoughtful dialog on how to improve the situation isn't useful (one could argue, necessary!), but adding FUD to the mix isn't helpful.

[Sep 2016 Update] Sounds like the US State Department and the Wassenaar Agreement folks agreed with his argument and proposed some disastrous rules making penetration testing and research tools export controlled. (So if you go to Blackhat and present on some new vulnerability with a POC and foreigners are in the audience, you could be fined or go to jail!) Rapid7 has a politically correct writeup about some of the issues. And of course Dave Aitel was writing about it non-stop through the process on his mailing list and cyber security policy blog. Fortunately the Wassenaar rules died, although I'm sure it will return again in some other form, just like Internet regulations have.