I saw the talk. Much of the talk made the assumption that the hacker community has the same goals and values as the NSA. This NEEDS to be justified.
This is a hacker community and, while not a single-minded collective, I believe there are many popular views that are diametrically opposed to some of the goals of the NSA. He mentioned that he wished the internet would be perfectly secure and then went on to mention how this would protect American IP laws. His definition of a secure internet does not include values such as censorship resistance or freedom of expression/information.
He also tried to tell everyone how great it would be if we all had IDSs that reported back to the NSA in real time.
We were not allowed to ask questions. They brought up a paper with questions that must have been determined BEFORE the talk happened which isn't fair to the attendees.
I wish there was a DEFCON panel to discuss this. Everyone just clapped and seemed cool with him from my perspective. I'm not against the director talking at DEFCON, but I don't think we should be accepting his ideas without more public criticism and discourse.
The questions weren't scripted, at least some of them weren't. DT was checking his Twitter and I saw at least Dave Aitel's one about Cyber Command growth/size on there.
Even if they weren't scripted, they were mostly softballs, and the talk was more an introduction than a detailed roadmap.
The most interesting question was about whether the NSA would prefer a perfectly secure internet or a usefully insecure one (roughly paraphrased).
That's not far from what I wanted to ask: given the offensive value of 0-day exploits (as seen with Stuxnet, regardless of who actually did it), can agencies in "Cyber Command" really be trusted to give theirs up via responsible disclosure?
Your definition of "responsible" is not the same as everyone else's. Try asking an actual question, not a question disguised to inject a moral judgment and re-ignite the disclosure debate that everyone was sick of 20 years ago.
Late to the party, but... you really couldn't find a question in there? Let me try again.
My definition of "responsible" doesn't matter. I was suggesting that the government could adopt a policy it considers responsible, rather than just sitting on the exploits and using them for strategic advantage.
Unless there's a definition of "disclosure" that involves failing to disclose things to those in a position to fix the problems.