58 comments

[ 3.0 ms ] story [ 141 ms ] thread
Interesting that his most common feedback is to use simpler language and write shorter pieces; personally I've felt he does very well at using accessible language but is handcuffed by the intrinsic inaccessibility of the topic to people without knowledge in the cybersecurity/privacy domain. This article, I think, is a good illustration of his abilities there.
As long as someone is coherent and concise, I don't care how they write / talk. Also if they cut out superfluous language and try not to use esoteric phrases & words, that's a bonus.
It's difficult to find good resources to learn how to do this.

Strunk and White sounds "old" to many modern ears.

Williams': "Style" is hands-down the best modern guide. https://sites.duke.edu/niou/files/2014/07/WilliamsJosephM199...

Here's where the dearth of editors on the internet is felt.

There's nothing wrong with an individual style to writing and speech, but editors can help push authors towards a more uniform standard.

I wonder if that feedback was about technical knowledge, or just the style he writes in. I would 100% characterize his style as “someone who thinks he’s smart”. I don’t mean that to be totally offensive, only a little bit.

> One of the interesting things for me about this shared space of ours is to be able to see what it is that you most enjoy

This is pretty clearly a backwards way of writing a normal American English sentence.

This is a very common problem. He could just use an editor/trusted friend who has experience writing for pop audiences.
I'm not blaming him, but he could use simpler words.

> ... to witness indicia of that ...

> ... the ultima ratio regum of a state that has exhausted ...

> ... which is the raison d’etre of the insecurity industry ...

That's fair, especially since in my opinion the first two examples are definitely unnecessarily flowery language for the topic.
His gratuitous use of "25 cent words" is the most singular annoying and off-putting aspect of Snowden. It's extreme with him, which to me indicates a hugely inflated ego -- many more would listen to him if he would not try to sound so damn professorial.
Fascinating—part of the reason I thoroughly enjoy reading him is the language he employs.
It may just be an attempt to use precise language in an (unsuccessful) attempt to not be misunderstood.
I’ve primarily listened to him interviewed and while he uses big words there, it doesn’t seem as much as in his writing. And he seems to me, in these interviews, as surprisingly normal considering everything.
Here's an example of purple prose that has nothing to do with the complexity of cybersecurity, from his first post on Substack (https://edwardsnowden.substack.com/p/lifting-the-mask):

> Though my relationship to time fluctuates, the gravamen of my disclosures remains constant. In the past eight years, the depredations of surveillance have merely become more entrenched, with the capabilities that used to be the province of governments now in the hands of private companies, too, which employ them to track and tether us and attenuate our freedoms.

I don't know, this is exactly how I would talk if I wanted to poison the data of anyone trying to run word-use analysis against my public posts. On anonymous channels I'd probably type like an 8-year-old.
Whatever you may think about Snowden, the stuff he does and writes is pretty thought provoking.
>That’s the crucial caveat that I think many missed regarding my call for a global moratorium: it is a prohibition on the commercial trade—that is to say, specifically the for-profit exploitation of society at large, which is the raison d’etre of the insecurity industry—rather than the mere development, production, or use of exploit code.

I don't see how prohibition would solve the problem here, people would just sell it in [insert rogue market].

Raison d'être is not trade, it's demand, and demand doesn't care about the DOJ.

Also, exploits aren't just an arbitrary good, but a tool of power themselves, so effective prohibition seems even more absurd.

What am I missing?

There's a difference between underground criminal gangs discovering exploits and selling them on black markets and being able to raise capital, have legal protection, etc. while you hire experienced developers to find exploits that you sell to despotic regimes like Saudi Arabia.

I suspect that distinction is what you are missing.

Exactly, it wouldn't necessarily change the demand, but would hopefully reduce the supply (by raising costs). Being a legal entity has much lower cost of funding and much lower cost of operations than being an illegal entity. Otherwise most entities/corporations would not bother to be legal, which is clearly not the case.
Look how magnificently such a strategy worked for drugs.
It works for nuclear weapons.
It's a crude comparison, but software is a lot more like drugs than it is like nuclear weapons.
Is it? The fundamental reason the war on drugs failed is that drugs have relatively inelastic demand. Someone addicted to meth will find a way to get meth if it costs $10 or $500. Software exploits aren't like that at all. They are a tool used by gangs and governments that are only useful if they cost less than they're worth.
Software takes no less than a crappy laptop and a brain to create.

The Manhattan project consumed 10% of the total US energy output in the mid 1940s. And obviously uranium is hard to come across.

More notable is the fact that (like software transactions) drug transactions happen in private between consenting parties. The war on non-addictive drugs (say, psychedelics) failed too.
That's only because they're weapons of mass destruction. Nuclear capacity is essentially a step function - you either have it or you don't. Those who have it get to push around those who don't. There are some very strong incentives for the haves to prevent the list of nuclear powers from growing.

Also, unlike software vulnerabilities, nuclear weapons don't have a half-life counted in weeks.

Nuclear weapons don’t grow on trees. Bug grow by a side effect of programming.
Illegal recreational drugs are usually used by the buyer in a way that will only affect themselves. So they can't complain to the police if things go bad and they certainly won't if things go good. Enforcement is a huge problem.

NSO style products are used by one entity against another entity. As a result enforcement is a fundamentally different sort of problem. There is a complainant.

And there’s still a market for hitmen too.

This is such a shallow comparison, which seems to come up with every discussion around criminalization. Law enforcement isn’t 100% effective but that doesn’t mean every criminalized activity should be legal.

> people would just sell it in [insert]

This is a specific form of a general argument against any law - "people would just break the law by [insert a way to break the law]".

These arguments are obviously generally true (any law can be broken) but you usually don't need an absolute victory, just a legal weapon against the bad guys, which hopefully is hard to use against the good guys.

You may underestimate how much government funding has widened and deepened the production side of the exploit world. Once TLAs outsourced and started buying exploits on the open market, the whole thing professionalized and became much more liquid. That kind of intellectual capital formation really changes things.

Mind you, the genie is out of the bottle. A half-hearted moratorium is unlikely to undo what Pointexter wrought.

When /r/jailbait was the most popular subreddit on reddit, it was generating millions of pageviews in traffic. Sure, you can download Tor and see similar content on the deep web, but you have to know the .onion links and be tech savvy. The added friction goes a long way in removing access - and dissuades people who are on the fence.
That's not a good analogy. I don't agree with OP but the potential "customer" for /r/jailbait comes from a way bigger pool than the potential 0-day buyer. OPs point is that the people looking to buy this things will not mind jumping through hoops.
Why have any law if bad guys will just break them?
There are different kind of things one law can forbid

- things that are in itself bad. (E.g. killing, stealing, ...)

- things that are neutral, but could be used to do other illegal things (encrypted message, selling weapons, ...)

The second category of things doesn't need to be illegal since the perpetrators would only be doing something bad if they violate a law for the first category and therefore can be prosecuted for that. But making it illegal prevent the potentially good use of it.

Snowden is specifically talking about how this prohibition will deter security researchers from working for this "companies". Having been in the field a while back, I agree with him. Most people won't jump the extra hoop you need to jump to work for an illegal industry if they can make bank without breaking bad.
> Another little-understood property that make exploits more dangerous than bombs—and they definitely are—is that, as with the viral strain of a biological weapon, as soon as an adversary catches a sample of an exploit, they can perfectly reproduce it... and then use it themselves against anyone they want.

On the other hand, once an exploit is used against a _good_ actor, they can neutralize the use of that kind of "bomb" against anyone.

I'm searching for a good comparison about mutating codes and innoculations against them...

What's to stop defense departments from buying and selling exploits behind closed doors? I think the point raised about lack of accountability in government compartments is a huge huge problem. The new way to skirt the law seems to be go from government-run to private contractors or vice versa.
Like many aspects of security, it's not about stopping every possible instance of a bad thing from happening, it's about making bad things less likely to occur.

If Saudi Arabia has to develop their own 0-day spying toolkit instead of buying one off the shelf, then at the margin they will be able to do less spying.

There's nothing stopping Saudi Arabia from setting up their own team to build such hacks, but it would cost them more. Further down the road, there's nothing stopping a bunch of smaller countries from teaming up to get the economies of scale that NSO brings by selling to multiple countries -- but these toolkits seem to be the sort of closely guarded secrets that even allies don't share (if the NSA is anything to go by they are more likely to use these techniques to spy on their allies), so I doubt that is very likely; could be wrong on that point though.

A little game theory:

I really believe that it's not in the US government interest to increase computer security.

I think the NSA is at least 5 or 6 steps ahead of the security game, so for now the NSA dominates cyber warfare, which is why they don't want more security in software, so they will constantly make everything possible so that software is insecure.

But at some point, it is going to sting because China, Russia and others are catching up.

I always found it weird that there are a lot of security standards for other industries, OSHA, etc, but for software, there is nothing, no companies are required to comply to software security standards. No software is being inspected at all. Isn't it weird?

If the NSA is ahead on discovering exploits shouldn't they want a ban on selling exploits, so others have a harder time catching up, and it's less likely that any of the exploits that they've discovered in-house get "burned" by being used by someone else?
Not if they're also a big purchaser of exploits.
It's quite possible for the government to outlaw selling things to anyone other than them. Cf. a lot of military hardware.
> I really believe that it's not in the US government interest to increase computer security

Agreed. It's just doublespeak[0]. We all know it's the National Insecurity Agency, and that the NSA hoards & stockpiles 0day. They very rarely release tools and research papers designed to strengthen our IT infra, since they sit on so much 0day. There's no balance.

I don't buy that they're 50% red team, and 50% blue team. More like 99% red team and 1% blue team.

[0] https://en.wikipedia.org/wiki/Doublespeak

Hell the NIST does more to fulfill the NSA's mission of domestic IT security than the NSA does. Ghidra is the only good thing out of the NSA is a long time.
> I think the NSA is at least 5 or 6 steps ahead of the security game

NSA isn't.

There is no lead, and the barrier for entry is at a historical low.

Many people just don't bother because it's boring, not because it's hard.

Breaking into stuff became so simple that it just doesn't attract talent any more.

It might not be fair to assume that OSHA, etc, and the NSA, etc, operate under the same agenda. Some industries do have standards for tech. HIPAA, for instance, sets some minimum expectations for cyber security with regard to private health information (PHI). And there are HIPAA inspections, right along with OSHA ones. Of course, it's a fairly clunky solution given that government is slow and tech is fast, but it's certainly there, and it's certainly helpful.
>I always found it weird that there are a lot of security standards for other industries, OSHA, etc

Can't speak for all, but look into things like the CISA[1]. I don't think they have much of legal authority over industries, perhaps in some deemed critical but not others, but to say there's no "standards" is a bit wrong.

[1]: https://www.cisa.gov/

Count me as a Snowden skeptic. The guy is completely full of himself, and rarely if ever has anything truly insightful to say. I have a friend in the Navy who worked with him at the NSA facility on Oahu when he made the leaks, and we've talked about this extensively. It's not like he was some lone wolf who happened to get ahold of some unique information. They were all dealing with it, and they all took an oath to protect the United States and defend its' secrets.

He's a traitor, plain and simple. But he parlayed that treachery into a highly lucrative position, where he occasionally comments and gets paid to speak on some obvious points about whatever is in the news, and is now seen as some kind of guru when he never really did anything of note. He's not a computer scientist. He's not a security expert. He's a cause célèbre for certain factions of people who would like to see the US knocked down a peg.

Regardless of Snowden's personal character, the simple facts of the matter are:

1) The NSA was illegally and unconstitutionally spying on US citizens without warrants.

2) The NSA and other intelligence agencies explicitly lied about this to congress and other elected/appointed bodies responsible for overseeing the activities of these agencies. See, in particular, James Clapper perjuring himself before congress.

3) Without Snowden or someone similar leaking this information to the public, we never would have found out about these blatant illegal and unconstitional acts, since everyone with the power to do anything about it was either complicit or ignorant (see point 2).

I wasn't going to downvote you because I strongly disagree with your dismissive smearing of someone who had the guts to call out his government for doing illegal things, but then you said this:

> He's not a security expert.

Which is such an incredibly vacuous statement that you deserve a downvote for saying provably incorrect things.

>Which is such an incredibly vacuous statement that you deserve a downvote for saying provably incorrect things.

Where's the research? Where's the white papers? Where's the detailed technical blogs of some security related issues he's handling?

The guy is an impostor. He's been an impostor his entire life. He's just highly intelligent and really good at it.

He's not a security researcher. Not every doctor of medicine has actively done research either.
(comment deleted)
I would characterize your friend as the traitor, rather than Snowden.

Correct me if I'm wrong, but isn't the oath they took to defend the US Constitution, against all threats, foreign and domestic?

Snowden literally fulfilled that oath at great personal cost.

Your friend, on the other hand, is an accessory to enormous (and ongoing) crimes against every man, woman and child in America.

> However, we also have to recognize that until your neighbors are lining up to storm the Bastille

Too soon, man, too soon.

> a prohibition on the commercial trade — that is to say, specifically the for-profit exploitation of society at large, which is the raison d’etre of the insecurity industry—rather than the mere development, production, or use of exploit code.

If the "use of exploit code" is protected then why bother? The law would have to prove an unauthorized use or "for-profit exploitation" of code, and at that point it doesn't matter if it's exploit code; any code could be used for unauthorized use.

Worse this would put corporations at the center of what's an exploit. Every time a company makes software there could be someone arguing that its an exploit or makes unauthorized use (of info or computing). Companies already avoid the GPL when they can because of legal FUD and this would extend those fears to all software they release. The Sony CD rootkit [0] was clearly over the line but what of iTunes encrypting local music files? Apple locked you out of your files by encrypting them and then offered to sell you the key -- sound familiar?

[0] https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

Commercial trade isn't the right definition. Exploit code is: using or bypassing an API in an unintended manner (for the benefit?, or to the detriment?, of the owner.)

> what of iTunes encrypting local music files? Apple locked you out of your files by encrypting them and then offered to sell you the key -- sound familiar?

Yes, and? That is malware/cyberattack and should be subject to felony prosecution.

>what of iTunes encrypting local music files? Apple locked you out of your files by encrypting them and then offered to sell you the key -- sound familiar?

Did Apple actually do this? Locking people out of files they already had without DRM?