Tuesday, April 18, 2017

Exploits are not weapons

An exploit demonstrates a vulnerability, either by simply showing that a given impact is possible, or by adding features, logic and ingenuity that make exploitation more comfortable or more reliable.

Notice that nothing about that description has a single thing to do with weapons, or with anything being weaponized. That's why it's extremely annoying to logic-minded folks when others, some of whom are actual security experts and others who couldn't tell a security bug from an Oreo cookie, conflate the two. When entire industries and even countries are built on the principle that there's a difference between using something for good and using it for evil, it becomes a problem when a fundamental topic gets stigmatized, whether out of a lack of logical reasoning, a profit motive or just pure anarchy.

Just as a fancy car can be used to run someone over or just to drive to work, or a knife is essential for halving your sandwich but can also be used to stab or stick, practically everything in the world is dual-use, for good or for evil. Banning exploits because evil can be done with them is the same logic as banning lighters or rope.

So sure, an exploit could technically be included in a weapon. We could imagine this just as easily as someone writing with a pen and only seconds later deciding to jab it into skin. There's a big difference, and we can see the intent in each. Popping a shell on a box isn't a weapon. Crashing a mail server isn't a weapon. Redirecting your calls via a malformed SMS message isn't a weapon unless you use it as one. And most folks are not using exploits in any relation to a weapon (unless you're a government, as has been well documented by years' worth of leaks).

Honor the expression of free speech in code: exploits are not weapons and are generally never a component of one. Stop saying the ugly and misrepresented word "weaponized" in the context of computer security, because you're probably wrong. Remove it from your vocabulary, if only because it's illogical, but also because it's offensive to those who have spent sweat, blood and tears staying up all night for years and years coding beautiful ways to travel unintended paths. Consider regulating obvious things which are almost always weapons, but not weird machines.
