One infosec professional's perspective on OST.

Beware, this thread contains nuance...
1 Having watched the OST debate from the sidelines, I have enjoyed the thinking challenge that the debate represents, which is fundamentally searching not for the "best" thing to do, but for the "most right" thing to do - an ethical search at its core.
2 I have worked on the offensive side of the industry for 6+ years (defensive 10+), and have written tools used by both nation state actors (confirmed) as well as defenders. The knowledge that my tools caused others harm is what fundamentally stopped me from releasing more.
3 This was a personal choice on my part, but it is counterweighted by the fact that I rely heavily on so-called "OSTs" for my job as well, whether commercial or open source. The moral quandary here is not lost on me. Good operators need these tools to
4 do the work of revealing vulnerabilities to their clients. This is good and useful work. But the question: Do the "ends", the potential for unintended damage by the use of the released tool, justify the "means", the release of the tool for the betterment of an entire industry?
5 (yes, some individuals release for notoriety, however this is irrelevant concerning the ethical question itself. The tool was released. The motive is inconsequential.)
6 Narrow answer: I believe they do, because I believe an _entire industry_ has benefit potential. Individual organizations (not the entire industry) can also potentially be injured. Imo, there is a straightforward "greater good" argument to be made there.
7 There is more to unpack here of course. I am also doing my best to leave the financial aspects of the industry (i.e. vendors) out of the debate, because it doesn't have great impact on the ethical question, though it is certainly a factor worth discussing.
8 Broad answer: I believe they do, because my ethics align closer with personal responsibility than they do with forced control. In other words, I believe that freedom is a supreme virtue, and thus my "default" when faced with questions such as this is usually more freedom.
9 It is the same reason I support things like driving cars, pocket knives, and owning firearms. Could these be used to hurt others? Yes. Could they be used to defend/help others? Yes. However, I hold individuals, not tools, responsible for their actions - again more freedom.
10 "But they shouldn't be available in the first place!" I understand the argument, but I believe that view #1 restricts personal freedom, #2 unnecessarily hampers progress, #3 (most importantly) does nothing to alter the criminal mind.
11 This debate is one we are having around the world in various forms: freedom vs safety. The two, at their core, are fundamentally at odds. Freedom has *never* been "safe". It provides the avenue to demonstrate humanity's worst but also its best.
12 I understand that may not be your ethical view. This thread makes room for disagreement, which is all fine and productive when had between mature individuals. Taking hard stances usually just reveals shallow or ill-considered opinions, and are thus safely ignored.
13 I also realize there is much more to the debate than my simple thoughts, especially concerning the business aspects of the industry. My fundamental goal was to attempt to introduce nuance to the debate where it seems there has mainly just been hot takes and moral platitudes.
14 tldr: I get both sides, I really do, however my underlying ethic is rooted in freedom, therefore I believe the decision that promotes freedom, rather than restricts it, is usually (not always) the "most right" course.

EOF
You can follow @curi0usJack.