Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] RFC Metasploit for the Masses

J.M. Porup jm at porup.com
Fri Jan 30 08:16:34 PST 2015


coderman:
> as one who is always fond of the question,
>  "what's your threat model?"

If I may suggest, the threat model is not to the individual, but rather
to the macro-organism. To society as a whole. To the Internet.

What is that threat?

That a small number of power-hungry thugs pwn the world.

> this is currently considered a "Hard Problem" (TM)(R) even with
> decades dedicated to the challenge.

I would argue that end point security is not a Hard Problem (TM). It is
an Impossible Problem (TM). Flawed human beings write flawed code. Some
of those flaws are security vulnerabilities. Those zero-days scale. Etc.

Let me propose an analogy. What other common technology are we familiar
with that exhibits the same characteristics as Internet security? That
is: Attack is cheap and defense is difficult, bordering on impossible?

What about the personal firearm?

Now, the solution to a threat to the macro-organism is to create tools
that scale. Democratic tools. Security journalism is hugely important,
but it doesn't scale. How many journalists would you have to murder to
silence that work? 200? 500? Less than a thousand, anyway.

Consider the origins of American democracy. At the time of the American
Revolution, the colonists and the British Army carried basically the
same weapons. The only difference at the start was a question of
organization and discipline.

The Second Amendment was created not to give you the right to defend
your TV from burglars but as a poison pill against tyranny for the
republic. If a small group of people tried to seize power, a general
uprising by a well-armed populace would be sufficient to prevent such
seizure.

But in the online world, the personal firearm is now obsolete, replaced
by offensive hacking tools. Tools that all of us should fear.

Pop quiz: If liberty is when the government fears the people, and
tyranny when the people fear the government, how would you describe the
existing power balance?

And if you answered "tyranny", then the question becomes, how do you
reverse that power balance?

Not by developing defensive tools. However important they are, they
cannot, by themselves, remove the threat to the macro-organism.

The best defense is sometimes a good offense. What if someone were to do
something like this:

1. Take what Anonymous is doing
2. Automate it
3. Scale it

I'm thinking a Metaploit for the Masses with a UX your grandma could
use. A kind of LOIC to the tenth power.

Thought experiment: If someone built such a tool, and distributed to
hundreds of millions of people--and if this tool was powerful
enough--would it not right the power balance, and remove the threat to
the macro-organism?

Furthermore, I believe that a strong legal argument could be made that
the creation and distribution of such a tool was Constitutionally
protected under the Second Amendment. [0]

Naturally, I am not promoting the creation of such a tool. Nor am I
competent to design and build it--I was never more than a mediocre
programmer. On the other hand, the invention of such a tool would be
newsworthy, and I would be happy to report on it.

Regards,

Jens

[0] Be sure to use Sotomayor's dissent as kindling at your witch-burning.





More information about the liberationtech mailing list