likelihood of anyone at all finding 0day is lower if there's a weaker economic incentive to do so, and hey, people who sell 0day may even report a good amount of bugs, too.
Replying to @qwertyoruiopz @saleemrash1d and
Hmm, I think your argument is that it's better to have people incentivized to find bugs and exploit them, because there's a small chance they will be caught. If they didn't find them, that would buy people trying to fix them time, so isn't that worse?
Replying to @taviso @saleemrash1d and
not really, you assume that the bad guys wouldn't also be looking?
Replying to @qwertyoruiopz @saleemrash1d and
No, because it makes no difference to those of us trying to fix bugs what the 0day market looks like. So if bad guys are looking less because they have less incentives, that gives us an advantage.
Replying to @taviso @saleemrash1d and
as in sure, there's less incentives market, bugs aren't used as much overall, but you're only really changing the rate at which "the good guys" use 0day, making 0day overall cheaper for "the bad guys"
Replying to @qwertyoruiopz @taviso and
you argue that this is still good anyway because it buys "people who kill bugs" time, but is that really good for the hypothetical innocent person who now is half as expensive to pwn?
Replying to @qwertyoruiopz @saleemrash1d and
That's not what happens though, you know how difficult an exploit is to create, you literally cannot do it for minimum wage, even if that's the market rate. If the market evaporates, then less exploits are produced.
Replying to @taviso @saleemrash1d and
like, sure, true: *overall* less exploits will be produced, but the amount of exploits that the bad guys will have available will be just the same or more.
Replying to @qwertyoruiopz @saleemrash1d and
I don't follow sorry, if less exploits will be produced then how will they have more available?
Replying to @taviso @qwertyoruiopz and
I don’t get this line of thinking it’s as if the argument being made is the only market for 0 days is the government? That seems specious?
1 reply 0 retweets 0 likes
No, an exploit costs a lot of money to produce, and government spending means that money is available. If that money dries up, then less exploits will be produced.
-
-
the real Q then is: to whom is it good that less exploits are produced? certainly not to the individual bystander. maybe it's good for the "0day slayer" group since it gives them time, but i don't think that's an outcome that is better for anyone else.
Replying to @qwertyoruiopz @rmhrisk and
Is fixing bugs generally good for society? If you disagree, then it seems you must be in favour of key escrow for governments?