And yet full and anonymous disclosure[1] is eschewed for "responsible" disclosure. Hopefully we can move beyond the insane money-making scheme known as "whitehat" and "ethical hacking" security research.
The zero-day exploit market[2] deserves fair mention too, especially since a variety of three-letter agencies across the planet are some of the largest purchasers. Zero-day exploit purchases and sales haven't had any news publicity at all, even though it's effectively comparable to trafficking nuclear warheads.
Both nuclear warheads and zero-day exploits are used as leverage between competing security organizations and competing nation states, both are being stockpiled, and both are exceedingly dangerous. We're on the cusp of global network warfare and it's just starting to become clear how terrifying and widespread it is. America's rivalry with China is in overdrive now.
I'm not saying that security researchers don't deserve to be paid for their work, but that we should be plain and honest about their work: it can be for the good of humanity or it can be for the destruction of humanity, there's very little in between.
And yet what is it for? Fighting terrorists and drug dealers, and protecting children and intellectual property?
With mutually assured destruction, generally everyone is discouraged from attacking because they know they will suffer just as much. However, all it takes is a single rogue state to trigger a free-for-all. We almost saw it in the Cold War, we did see it (and are currently seeing it) in the phone patent arena, and we could end up seeing it in security vulnerabilities sooner rather than later.
The distinction is that reconnaissance/espionage can be done quietly without destroying any hardware or disrupting data integrity, and it's far more difficult to pinpoint who is responsible for offensive/exploitative network operations. The number of organizations across the world that have nuclear capabilities is quite small, however the number of those with offensive security operations capabilities is quite high. The anonymity provided by the depth of the internet is a double-edged sword.
Furthermore the splash damage from Stuxnet/Flame is a testament to the distinct lack of surgical precision normally afforded by missiles.
Also, zero-day exploits can retain their usefulness even after they've been deployed, whereas a missile is gone once deployed.
[1] http://www.schneier.com/essay-146.html
[2] https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales...