I think that is a fair summation of my position; one is at scale and largely impossible to defend against (legally compelling) especially on a global scale and the other is natural law and impossible to prevent.
I understand, but the counter argument would be there's no way for a government to hoard 0day without putting innocent people at risk (because you can't prevent other people discovering bugs and abusing them). This is why I don't like governments using 0day.
if you can't sell your vulnerabilities to governments, aren't there fewer people looking for them now? so the bugs still aren't getting fixed.
Replying to @saleemrash1d @taviso and
there's also an argument to be made that for each time anyone uses an 0day, the risk of 0day being caught ITW increases.
Replying to @qwertyoruiopz @saleemrash1d and
(so governments making use of 0day might even be a net security positive vs 0days staying dormant until criminals make use of them)
Replying to @qwertyoruiopz @saleemrash1d and
I dunno, it's a pretty weak argument, the victim can detect it and then use it to attack other people. That has really happened, e.g. Shadow Brokers.
Replying to @taviso @saleemrash1d and
are entities capable of detecting use of such 0day really unable to procure 0day on their own anyway?
Replying to @qwertyoruiopz @saleemrash1d and
In some cases, sure - hard to imagine some terrorist in a cave has access to a 0day broker. To be clear, I absolutely think the military should be able to get access to comms equipment of dangerous people, but... not by putting innocent people at risk.
Replying to @taviso @saleemrash1d and
is some terrorist in a cave able to detect use of 0day and re-weaponize it against others? seems far-fetched. and as long as governments aren't actively planting 0day, i'd assume innocent people were at risk the whole time anyway, but unaware.
Replying to @qwertyoruiopz @taviso and
i think that 0day use eventually resulting in bugs being patched and making people overall safer as a side-effect is a more likely outcome than our hypothetical terrorist-in-a-cave catching 0day and turning them against innocent people outcome.
It's a nice rationalization, but you can't prevent other people finding the same bug you did, and using it to support a cause that you would find objectionable. I thought your argument was that "maybe someone will see me exploiting it and fix it, so it's better than nothing"?
Replying to @taviso @saleemrash1d and
my argument is a bit more than just that, but i do think the likelihood of this happening is higher than the likelihood of overall negative outcomes.
Replying to @qwertyoruiopz @saleemrash1d and
Tavis Ormandy Retweeted Samuel Groß
We know for sure that independent rediscoveries happen, and even collide with in-the-wild exploits. Doesn't that prove it's more likely than your scenario of harmless while dormant exploits? Here's a recent example, https://twitter.com/5aelo/status/1143548622530895873 …
Tavis Ormandy added,