Here's the problem with that argument: the government has effectively unlimited resources. They can literally drop people with guns out of helicopters. It is not necessary to put innocent people in harm's way; there are other options to achieve the same goals.
Replying to @taviso @scriptjunkie1 and
Without good intelligence, they don't know where to drop those people out of the helicopters. People also generally prefer to not involve shooting except as a last resort, and I think that's a good thing.
1 reply 0 retweets 2 likes -
Replying to @tylerni7 @scriptjunkie1 and
You're not discussing this in good faith. I cannot enumerate all the things that the military can do in a tweet, dude. There are other options available to the military other than exploits and shooting people.
2 replies 1 retweet 1 like -
I get that you need to rationalize selling exploits to the military. You do that by saying "It's 100% ethical because I only sell to the good guys", and don't think about someone selling the same bug to repressive regimes instead.
1 reply 1 retweet 1 like -
Totalitarian governments can just backdoor your device with their own CA and mitm all your comms. If you refuse, you can just be arrested. It's not like the one secret 0-day is making that much of a difference.
1 reply 0 retweets 0 likes -
If totalitarian governments don't need 0day, then how come they keep getting caught using them, and companies keep getting caught trying to sell to them? I don't buy the "It's just little old me, I can't make a difference" argument, sorry.
1 reply 1 retweet 1 like -
I agree 0day is useful, but I think the argument that usgov can find another way applies to repressive governments too. If I found a bug that was used to hurt innocent people, I would feel guilty. I don't know if disclosing it publicly makes it less likely for that to happen.
1 reply 0 retweets 0 likes -
Right, they can find another way. The reason that's important is because I think it's reasonable to trust the military to competently safeguard equipment from abuse. It is *impossible* to prevent bad actors from finding the same bug, so they cannot prevent it being abused.
2 replies 1 retweet 2 likes -
That is why I would prefer they use intelligence techniques that cannot easily fall into the hands of others, and we find and fix vulnerabilities instead of hoarding them.
1 reply 0 retweets 1 like -
I think hoarding implies stockpiling excess beyond need. The vulnerabilities equities process is supposed to avoid hoarding, although it's obviously not perfect.
1 reply 0 retweets 1 like
It's supposed to balance it, but it doesn't seem to work. The VRP will pay for and fix unlimited bugs, but Tyler says he can sell the same amount for more to exploit brokers - that does sound like stockpiling?