A number of organizations that should be standing up for our right to write code are instead taking a pro-regulatory stance. Chief among these is the ACLU, which has hired Chris Soghoian to run around saying that software exploit sellers are "merchants of death". Let's be explicitly clear: code is speech. Even the Supreme Court has acknowledged as much. Speech is an inalienable right endowed by my creator which the government is fundamentally tasked to protect. When Chris Soghoian calls software exploit sellers "arms dealers", he unknowingly touches on another point. If these are digital arms, we have a 2nd Amendment right to bear them. Any reasonable interpretation of the Constitution will allow all to freely author and widely distribute software exploits to pretty much anyone that can pay.
This is sad, because the ACLU and I are both free speech activists and should have interests that are aligned, but now they aren't. It isn't their fault. I generally believe Chris Soghoian wants everyone to be free of government surveillance. We do not want the government using software exploits to illegally spy on us. I get that. I hate on this problem more than anything, which is why I'm starting a new hedge fund to provide software exploit authors with incentives to not sell their 0day to the government. However, Chris Soghoian is not very smart. Firstly, I can tell he has never written a software exploit. He has never spent the long hours in IDA Pro or OllyDbg. Secondly, I am pretty sure he has autism. See, I run around trolling the Internet a lot. I consider myself pretty good at infuriating people on the Internet. I know when I do this I am not going to make friends. That is okay, because I do not want to make friends with some people. Chris Soghoian wanted to make friends, and is now surprised that people are spewing vitriol at him. This is because, like most autistic people, he lacks "theory of mind", the understanding of what kind of response one of your actions will provoke in other people. He really thought he was going to be applauded for wanting people's liberties and livelihoods taken away. Also, his voice is so uppity that hearing five seconds of him talk makes people want to punch him in the face, and I do not think he realizes this.
Because Chris Soghoian has never authored an exploit and probably has autism, there are a couple key points he is missing.
1) Regulating exploit sales will only reduce the government's costs when using software exploits to illegally spy on people.
There is no regulatory environment that will possibly come out of Congress that reduces the ability of the government to use software exploits. That means regulating software exploits will only remove other bidders from the market, thus driving the price of exploits down. In addition, third parties will be less capable of informing themselves about new software exploit methodologies and thus less able to defend themselves from attack. Regulating software exploit sales is equivalent to making sure the government gets a key that unlocks access to every computer in the world at a great discount, and nobody else will possibly have those keys or know how they work. This should be obvious to any fucking tenth grader that knows how market forces work, but of course Chris Soghoian lives in a magical autistic fairyland full of rainbows and unicorns.
Nobody in this community actually wants to sell our exploits to our oppressive and terrible government. Our oppressive and terrible government just happens to frequently pay a lot more for them, and many community members have bills to pay and kids to feed. Drafting legislation that limits the number of parties they can sell to makes it harder for them to pay their bills and feed their kids. They will end up having to write more exploits and sell them to the government to compensate for the reduced market value of exploits in a no-bidding environment. I myself have never sold an exploit to the US government and generally tell people it is bad to do so, but I am not so clueless as to expect skilled tradesmen with mortgages and children to universally abandon their trade because they think it is ethically questionable.
Strong software exploit regulation is the best possible option for domestic surveillance capabilities, period. The ACLU now holds a position that is in support of illegal government surveillance. Great job, guys.
2) Fucking A, there are a lot of bugs. They are only worth so much money because they are artificially scarce.
When a developer sells an exploit for a bug in a given product, that isn't the only bug the developer saw. Usually you see multiple bugs, and know there are even more you didn't see. A lot of people are impressed by a 0day exploit. Chris Soghoian is certainly one of them. People that write these things are less impressed by them, because they have first-hand experience on exactly how bullshit software security actually is.
Frequently the argument gets made by Soghoian's ilk that if 0day authors are disallowed from selling their bugs they will instead report them to vendors and the software will be fixed. In reality, if everyone reported the bugs that they sold exploits for, all the products they targeted would still be incredibly vulnerable. Exploit development is hard work and people want to be compensated for it. This is a skill that takes years to hone. Telling people that they can't profit off of it anymore will remove the incentive to look for bugs. There will still be exploitable holes.
Chris Soghoian operates from a fundamental misunderstanding. He views exploitable bugs as scarce things. Bugs are not scarce. They are everywhere. What is scarce is the people with the talent necessary to write exploits for them. These people are not going to stop exercising their talents lucratively just because the government says they can't. Nobody needs to live in America anymore. They can take their skills elsewhere and tell our government to eat shit. Many of them will go to Russia, too, in the event that our government attempts to regulate their activities. As we know, that's a government with a human rights and surveillance record almost as terrible as ours.
Computational rights are an important battleground in civil liberties. The ACLU is supposed to be on our side, but somehow they've ended up attacking those rights. I think this is because they hired someone who has no experience in writing software exploits. Ethics in computation is an extremely nuanced issue, and requires people who have a lot of familiarity with the realities of the situation to evaluate sanely. Having Chris Soghoian try to ethically police software exploit developers is like having medical ethics overseen by someone who is not a doctor. Generally, people who do not write software exploits should defer to those who do in matters of industry ethics, just as we defer to doctors to judge what is best for the standards in hospitals. It would be best if Chris Soghoian issued a public apology for his terrible positions and promised not to defame exploit developers again.