I understand, but the counterargument would be there's no way for a government to hoard 0day without putting innocent people at risk (because you can't prevent other people discovering bugs and abusing them). This is why I don't like governments using 0day.
if you can't sell your vulnerabilities to governments, aren't there fewer people looking for them now? so the bugs still aren't getting fixed.
Replying to @saleemrash1d @taviso and
there's also an argument to be made that for each time anyone uses an 0day, the risk of 0day being caught ITW increases.
Replying to @qwertyoruiopz @saleemrash1d and
(so governments making use of 0day might even be a net security positive vs 0days staying dormant until criminals make use of them)
Replying to @qwertyoruiopz @saleemrash1d and
I dunno, it's a pretty weak argument, the victim can detect it and then use it to attack other people. That has really happened, e.g. Shadow Brokers.
Replying to @taviso @saleemrash1d and
are entities capable of detecting use of such 0day really unable to procure 0day on their own anyway?
Replying to @qwertyoruiopz @saleemrash1d and
In some cases, sure - hard to imagine some terrorist in a cave has access to a 0day broker. To be clear, I absolutely think the military should be able to get access to comms equipment of dangerous people, but... not by putting innocent people at risk.
Replying to @taviso @saleemrash1d and
Is some terrorist in a cave able to detect use of 0day and re-weaponize it against others? Seems far-fetched. And as long as governments aren't actively planting 0day, I'd assume innocent people were at risk the whole time anyway, but unaware.
Replying to @qwertyoruiopz @saleemrash1d and
Yes, innocent people are at risk the whole time anyway, and I think you're obligated to help them. Otherwise it's like finding someone having a heart attack and saying "If I had taken the long way home, I wouldn't have found you, so no ethical obligation to call an ambulance"?
Replying to @taviso @saleemrash1d and
likelihood of anyone at all finding 0day is lower if there's a weaker economic incentive to do so, and hey, people who sell 0day may even report a good amount of bugs, too.
Hmm, I think your argument is that it's better to have people incentivized to find bugs and exploit them, because there's a small chance they will be caught. If they didn't find them, that would buy people trying to fix them time, so isn't that worse?
Replying to @taviso @saleemrash1d and
not really, you assume that the bad guys wouldn't also be looking?
Replying to @qwertyoruiopz @saleemrash1d and
No, because it makes no difference to those of us trying to fix bugs what the 0day market looks like. So if bad guys are looking less because they have fewer incentives, that gives us an advantage.