likelihood of anyone at all finding 0day is lower if there's a weaker economic incentive to do so, and hey, people who sell 0day may even report a good amount of bugs, too.
Replying to @qwertyoruiopz @saleemrash1d and
Hmm, I think your argument is that it's better to have people incentivized to find bugs and exploit them, because there's a small chance they will be caught. If they didn't find them, that would buy people trying to fix them time, so isn't that worse?
1 reply 0 retweets 1 like -
Replying to @taviso @saleemrash1d and
not really, you assume that the bad guys wouldn't also be looking?
1 reply 1 retweet 1 like -
Replying to @qwertyoruiopz @saleemrash1d and
No, because it makes no difference to those of us trying to fix bugs what the 0day market looks like. So if bad guys are looking less because they have less incentives, that gives us an advantage.
2 replies 0 retweets 0 likes -
Replying to @taviso @saleemrash1d and
as in sure, there's less incentives market, bugs aren't used as much overall, but you're only really changing the rate at which "the good guys" use 0day, making 0day overall cheaper for "the bad guys"
1 reply 1 retweet 1 like -
Replying to @qwertyoruiopz @taviso and
you argue that this is still good anyway because it buys "people who kill bugs" time, but is that really good for the hypothetical innocent person who now is half as expensive to pwn?
1 reply 0 retweets 0 likes -
Replying to @qwertyoruiopz @saleemrash1d and
That's not what happens though, you know how difficult an exploit is to create, you literally cannot do it for minimum wage, even if that's the market rate. If the market evaporates, then less exploits are produced.
2 replies 0 retweets 1 like -
Replying to @taviso @saleemrash1d and
like, sure, true: *overall* less exploits will be produced, but the amount of exploits that the bad guys will have available will be just the same or more.
1 reply 1 retweet 0 likes -
Replying to @qwertyoruiopz @saleemrash1d and
I don't follow sorry, if less exploits will be produced then how will they have more available?
2 replies 0 retweets 0 likes -
Replying to @taviso @saleemrash1d and
assume 100 exploits/yr are being produced, of which 70 go to govt and 30 go to terrorist-in-a-cave. govt stops buying 0day, how does that affect the 30/yr that terrorist-in-a-cave makes? probably turns it into 60/yr.
3 replies 0 retweets 3 likes
There are two problems with that, firstly we're not talking about minerals here - selling it to one party doesn't prevent another party from independently exploiting it. Secondly, as the price falls less are produced, you can't write an exploit for pennies, so people just don't.