I love the EFF and what they do but I always feel like their writing style is so often... I'm not sure how to put it... just kind of over the top? e.g. first paragraph, "the charade is over" ... third "this too doesn’t exactly come as a shocker." So much of what they write about is really important but I can't help but think the writing is often maybe too hyperbolic and turns off people that should be following these things closer.
Putting the hyperbole in not only makes people click on it but it makes people be more swayed not only by reason but also by feeling . Sharing the article probably makes a significant people
Donate to the organization. Disclaimer : I am an EFF member.
I respect their opinions, but similarly can't make it past a few paragraphs of their PR pieces. A valuable membership benefit, for me, would be a level-headed newsletter re-writing their PR wires.
How much of the organization's funding is based on donations? That may be part of why most articles have this Chicken Little "the end is near" type of theme to them.
Agreed. While I find the EFF's general tone to be a bit too hyperbolic (something about their mission and site design makes me think their writing would be better served by a level-headed style akin to a BBC article), at the end of the day I am grateful for the work that they do and if they have to be a little melodramatic to spur donations, then so be it.
If serious people stop taking them seriously because of a propensity for melodrama and chicken-little-ism, that's going to make their work harder, not easier.
This is a real problem, but on balance serious people seem to take EFF pretty seriously.
It's a much bigger problem for Fight For The Future, which seems to be fueled entirely by melodrama.
Part of the reason, I think, is that EFF has much better on-staff technical (in the conventional sense and the legal sense) expertise than FFTF does.
EFF does get really dodgy in their pure advocacy pieces (these are the "Your Rights Online" stories where EFF doesn't have much to do with the story). They're better in stories where they have a direct role.
I think this problem was illustrated for us all neatly by Wikileaks. When they released documents with no drama and no fanfare... nobody cared and they struggled to keep the material up. Once they played up the drama, everything changed.
It is certainly a very fine line to have little enough showmanship that the people already interested just ignore it, but enough that new people become interested/concerned.
I've always felt the exact same way. I can rarely get through anything they send me because my natural reaction is to trust what I'm reading LESS when the writing is in that tone.
This changes what "responsible disclosure" of security bugs means. It's no longer appropriate to report security bugs just to the vendor and CERT. They must be disclosed publicly to prevent them from being misused by government. It's now irresponsible to delay disclosure.
No, this has very little at all to do with reporting to vendors. The USG doesn't have a stockpile of vulnerabilities because vendors give them vulnerability feeds (in fact, there's no evidence that anything like this has ever happened, and that's not surprising, because to make that work, vendors would need to knowingly retain vulnerabilities in software they ship to their customers). The USG has a stockpile of vulnerabilities because it employs researchers and buys vulnerabilities from outside researchers.
That is exactly what the newly unredacted VEP the EFF is writing about says: agencies discover vulnerabilities and report them to an internal clearinghouse. That may or may not result in alerts to vendors.
Reporting to vendors remains a solid way of killing vulnerabilities, so long as researchers are aggressive about it (the 60-90 day open publication window seems to do the trick).
While it's not stockpiles of vulnerabilities, I don't think it's valid to say there's no evidence of vulnerability feeds. For example a bigger company can get early notification of embargoed vulnerabilities for various projects they use, sometimes with early patches.
I'd be surprised if USG didn't have access to pretty much every important feed like that. This gives every notified party at least a few days to act. (defence or otherwise)
Do you think that it is likely that NSA, et al., are NOT monitoring messages sent to the security/vulnerability reporting e-mail addresses that many vendors publish?
Knowing what we do just from the Snowden disclosures, monitoring those aliases is exactly the type of thing I would expect them to do. Even if they only get 60-90 days before a vulnerability is "killed", that still leaves them a fair amount of time to utilize them against their targets.
If you think NSA is going to read the emails you send to a vendor, you either PGP the documents you're sending, or you use a different channel to contact the vendor. The big vendors make that easy, and this is exactly the reason most of them post PGP keys.
I super-duper don't care if you alert vendors before telling the public about a vulnerability. I think "responsible disclosure" is doublespeak, and I've generally supported direct- to- the- public disclosures for my whole career; I've written some articles justifying it (for instance: even if there's no patch, people can simply stop using the vulnerable software).
But giving vendors a heads-up is at least neighborly (to the vendor) and, increasingly, a sign of professionalism, and "the NSA will get my bugs" is not a good reason not to do it.
> No, this has very little at all to do with reporting to vendors.
Right, and what little it has to do with reporting to vendors is this: If you want to throw a wrench in the surveillance apparatus, instead of selling privately, disclose to the vendor to spite the government.
But that's not to say that reporting a vulnerability to MITRE/CERT is going to land a 0day in the hands of the NSA. (But on the other hand, if you're lucky, you might kill a vector they were already using.)
The "reasonableness" behind the length of time before public disclosure of vulnerabilities is not based on how long the vendor will take to fix it. It is based on the likelihood that someone else will discover the vulnerability (if not already!) and exploit it.
We must operate under the assumption that if "a good guy" has discovered a vulnerability in a product then "a bad guy" will also find it before long. That "before long" part is really just an assumption based on the best-case scenario: No one else has discovered the vulnerability yet.
Even if the vendor has no fix available disclosure is still of the utmost importance because it gives the public at large a fighting chance at remediating the problem; whether the vendor is ready or not!
Example: If a critical vulnerability is discovered in Nginx and the developers can't put out a release any time soon I can always switch to Apache or some other web server. How "entrenched" or "locked in" you are with a product is neither here nor there. That's your own damned fault if you can't swap it out with something else. Especially if you knew you were locked in ahead of time and have yet to do anything about it.
"We must operate under the assumption that if "a good guy" has discovered a vulnerability in a product then "a bad guy" will also find it before long."
Today, we have to operate under the assumption that if a good guy has discovered a vulnerability, a bad guy is probably already exploiting it.
The problem with full, immediate disclosure is its pretty easy to build an exploit for a known CVE.
Switching Nginx out in your infrastructure (for instance) isn't a simple trick at scale when you have a heavily customized install. (e.g. OpenResty with routing code)