I promised myself I wouldn't write about VEP anymore on this blog. But we have reached stage 2 in the argument and it's important to note that originally everyone was claiming the VEP was necessary as a function of public safety, to coordinate defense against systemic risks that were pertinent to our national structure. Now they say it is an ethical issue, as Ari eventually did on stage at CyCon.
More correctly, the idea of the government, and in particular the NSA, holding exploits makes people feel "icky", and when you talk to congressional staffers, they don't trust the NSA to make decisions in the best interests of the American people with the exploits they do have and use. People who support the VEP rationalize their feelings of ickiness and distrust into an "Ethics problem".
Mozilla and Microsoft and Google and every other large software company would love to make it seem like the ethics of the issue basically require that the government get out of the business of having and using exploits at all. But they don't secure their systems because of ethical issues - they secure them because of market forces.
From a purely ethical standpoint, who knows: it may be that SIGINT is an unethical thing to ever do. Or it may be that it is a proportional and reasonable response to our national security needs. If we want to get out of the SIGINT business, we should just say so.
To put this in concrete terms for Jeff: Going through with the VEP is eventually going to require strict export controls on what you are allowed to say at Defcon. The ethical judgments on that seem to point towards a less free society.