For the last little while, Christopher Soghoian has attempted to highlight the dangers of the zero-day exploit market. The basics are that some vulnerability researchers are selling exploits to make money, without vetting who the end user will be, and in some cases knowingly selling them to militaries (he phrases it as governments, but the implication is that they aren't using them for defence). Soghoian, as I read it, is trying to highlight this trade and get some sort of legislation passed to regulate it. (A darker reading would make it seem that he has a more aggressive agenda, but let's leave that aside for a moment.)
The worrying thing here is neatly summed up by Haroon:
The scariest thing about you is how certain you are that you are right. Regulation is a scary instrument.
Personally, I worry that selling exploits to the highest bidder isn't the best way to maximise the good in the world, and I do wonder if there isn't a way to improve the situation. I've worried about this before, back in 2008 when WabiSabiLabi was still around, and I think some of the points from that post still stand.
However, I then had this exchange with him on Twitter (edited into IRC style, with long tweets joined into one, and one correction I made applied: s/project/product/):
csoghoian: The slides for my VB2012 keynote yesterday on the sale of security exploits, featuring @0xcharlie & @thegrugq (4MB pdf) http://files.dubfire.net/csoghoian-vb-2012-exploit-sales-keynote.pdf
singe: You say “the response from DC & Brussels” will not be pretty, is there not a way people who have their ear can steer them to a “pretty” solution? It seems like agitating hard for unthinking legislation does more danger than good?
singe: Slides from @csoghoian’s “0day exploit sales are bad” talk http://files.dubfire.net/csoghoian-vb-2012-exploit-sales-keynote.pdf Threat of bad legislation, no good solutions, focus on loud.
csoghoian: Since you clearly have strong opinions about this, want to discuss role Sensepost plays in the industry & its various gov contracts?
singe: We don’t sell exploits, but this feels a bit like an ad hominem & missing my worry; bad legislation shouldn’t be the end goal. I think and feel like this is an important issue. But it feels like you’re rushing & pushing & connected enough to make a change.
singe: If you are interested, here’s a suggestion I made in 2008 about vulnerability prize research fund http://singe.za.net/blog/archives/908-Why-I-think-Exploit-Markets-are-bad-a-response-to-Roberto-Preatoni-of-WabiSabiLabi.html
csoghoian: Does sensepost discover and then turn over vulns in commercial software under contract with govs? (different than selling exploits)
singe: No, we disclose vulns to the vendor of the product with permission of the client. But it still feels like you’re trying to threaten a company, rather than engage on the issues?
csoghoian: I'm not entirely clear how asking questions about your employer's government contracts is a threat. These are legit questions.
singe: I answered them, but you’re attempting to engage in ad hominem. The questions I raised stand no matter who I am or work for. It feels like it’s a threat, because it feels like you’re hoping we write exploits for govs, & you can then avoid issues I raise?
There's a real worry here that knee-jerk legislation is put in place, and we end up with laws that create a chilling effect with much wider ramifications than the area of worry. We've seen it before in Germany and the UK, and the US has had some problems in recent history due to legislation that wasn't careful.
Now, I don't have the answers, and I'm not sure I'd be much use in drafting legislation, but it's clear that there are dangers that need to be thought through. We need some critical debate about this stuff. But it feels like the person pushing hardest for it, and closest to the people who can effect legislative change in the US, doesn't want to debate. We need to remove the personalities from the debate, we need to not focus on the "loudest" people on both sides of the debate, and we need solid research and intelligent, carefully thought through legislative proposals (be they industry self-regulation or government led).
(This is my personal opinion, not that of my employer or even endorsed by them.)