In that way, law is less a science than a form of engineering. So, not to pick on any particular lawyer, but I want to quote some brief Twitter exchanges to help illustrate the concept.
I enjoyed her responses a lot more knowing she had no idea what my background was. Someday Susan and I will have a beer and a good laugh about it.
Let's talk about a better mental model for lawyers to use when they are talking about the wild and wonderful world of vulnerabilities. It may help them understand why the concept of "0day" is so slippery in real life, and even why "exploit" and "vulnerability" are (cf. this Phrack paper for some historical details on terminology dating to 2002, which was already in wide use among security engineers).
Here are some key concepts:
- A single code flaw is often used to build multiple primitives. Those primitives are then combined into exploit logic, and you can combine them in lots of exciting ways, much as a handful of ingredients can be combined into many different cookies.
- "0day" is a label that encodes an assumption about what other people don't know. It is a model of the mind, not a scientific property you can hang a regulation on.
- Exploit engineers don't generally use the term "payload" at all, while incident response people use it to mean "trojan stage" or "dropper", which is confusing.
You can imagine how an automotive engineer might scoff at lawyers trying to pen a traffic regulation: "that is not how engineers talk about cars", "this ignores that I can attach an engine to a box and make it move", "we don't use the term 'tires', we say 'rotational discs'", etc. Those laws still kind of seem to work, though, right?
I don't share your optimism about that analogy. The repercussions for failure here are huge, and are clearly demonstrated by the Wassenaar Arrangement, among others.