Which legal systems? It’s entirely unrealistic to believe it would just be USG (just as it is any would promise and live up to promises not to use zero days).
It's not just USG, but they sure are a big player. It would meaningfully move the market for sure. They could promise not to build a key escrow system and do it anyway, so that argument works both ways I think.
2 replies 0 retweets 0 likes -
There is no “market” where governments compete for which one keeps the most promises :)
1 reply 0 retweets 2 likes -
Honestly I also think there are legitimate cases where governments need zero days to do their jobs; if they did keep their empty promise not to use them I would not be happy.
1 reply 0 retweets 2 likes -
That's really interesting, it's not governments accessing data that bothers you, it really is literally the implementation details of that access. I guess that answers my question!
1 reply 0 retweets 1 like -
I think that is a fair summation of my position; one is at scale and largely impossible to defend against (legally compelling) especially on a global scale and the other is natural law and impossible to prevent.
1 reply 0 retweets 3 likes -
I understand, but the counter argument would be there's no way for a government to hoard 0day without putting innocent people at risk (because you can't prevent other people discovering bugs and abusing them). This is why I don't like governments using 0day.
2 replies 0 retweets 2 likes -
if you can't sell your vulnerabilities to governments, aren't there fewer people looking for them now? so the bugs still aren't getting fixed.
2 replies 0 retweets 3 likes -
Replying to @saleemrash1d @taviso and
there's also an argument to be made that for each time anyone uses an 0day, the risk of 0day being caught ITW increases.
1 reply 0 retweets 11 likes -
Replying to @qwertyoruiopz @saleemrash1d and
(so governments making use of 0day might even be a net security positive vs 0days staying dormant until criminals make use of them)
1 reply 0 retweets 7 likes
I dunno, it's a pretty weak argument, the victim can detect it and then use it to attack other people. That has really happened, e.g. Shadow Brokers.
Replying to @taviso @saleemrash1d and
are entities capable of detecting use of such 0day really unable to procure 0day on their own anyway?
3 replies 1 retweet 10 likes -
Replying to @qwertyoruiopz @saleemrash1d and
In some cases, sure - hard to imagine some terrorist in a cave has access to a 0day broker. To be clear, I absolutely think the military should be able to get access to comms equipment of dangerous people, but... not by putting innocent people at risk.
2 replies 0 retweets 4 likes - 9 more replies