That's really interesting, it's not governments accessing data that bothers you, it really is literally the implementation details of that access. I guess that answers my question!
I think that is a fair summation of my position; one is at scale and largely impossible to defend against (legally compelling) especially on a global scale and the other is natural law and impossible to prevent.
I understand, but the counter argument would be there's no way for a government to hoard 0day without putting innocent people at risk (because you can't prevent other people discovering bugs and abusing them). This is why I don't like governments using 0day.
if you can't sell your vulnerabilities to governments, aren't there fewer people looking for them now? so the bugs still aren't getting fixed.
Replying to @saleemrash1d @taviso and
there's also an argument to be made that for each time anyone uses an 0day, the risk of 0day being caught ITW increases.
Replying to @qwertyoruiopz @saleemrash1d and
(so governments making use of 0day might even be a net security positive vs 0days staying dormant until criminals make use of them)
Replying to @qwertyoruiopz @saleemrash1d and
I dunno, it's a pretty weak argument, the victim can detect it and then use it to attack other people. That has really happened, e.g. Shadow Brokers.
Replying to @taviso @saleemrash1d and
are entities capable of detecting use of such 0day really unable to procure 0day on their own anyway?
Replying to @qwertyoruiopz @saleemrash1d and
In some cases, sure - hard to imagine some terrorist in a cave has access to a 0day broker. To be clear, I absolutely think the military should be able to get access to comms equipment of dangerous people, but... not by putting innocent people at risk.
Replying to @taviso @saleemrash1d and
is some terrorist in a cave able to detect use of 0day and re-weaponize it against others? seems far-fetched. and as long as governments aren't actively planting 0day, i'd assume innocent people were at risk the whole time anyway, but unaware.
Yes, innocent people are at risk the whole time anyway, and I think you're obligated to help them. Otherwise it's like finding someone having a heart attack and saying "If I had taken the long way home, I wouldn't have found you, so no ethical obligation to call an ambulance"?
Replying to @taviso @saleemrash1d and
likelihood of anyone at all finding 0day is lower if there's a weaker economic incentive to do so, and hey, people who sell 0day may even report a good amount of bugs, too.
Replying to @qwertyoruiopz @saleemrash1d and
Hmm, I think your argument is that it's better to have people incentivized to find bugs and exploit them, because there's a small chance they will be caught. If they didn't find them, that would buy people trying to fix them time, so isn't that worse?