fewer exploits being produced != more bugs being fixed.
Replying to @qwertyoruiopz @rmhrisk and
No, but I thought we already agreed it buys more time, and also moves incentives towards fixing bugs rather than exploiting them. But... I am curious if you're in favour of key escrow for governments?
i'm strongly in favour of 0day, strongly against key escrow.
Replying to @qwertyoruiopz @rmhrisk and
What's your rationale? It seems like key escrow aligns with your philosophy that allowing governments access is a good thing?
it's a good thing if they do so with 0day, since it 1. has costs which limit scope of usage to only critical stuff, 2. it has a side effect of growing the security research community, meaning more eyeballs overall might end up killing bugs, 3. 0day is there no matter what.
Replying to @qwertyoruiopz @rmhrisk and
They both have costs, just different costs. For example, presumably key escrow would require judicial approval. I think maybe you're counting costs per-exploit, not per-compromise, because they're pretty cost effective, no?
by cost I don't necessarily mean $, there's also risk of getting caught, which is an implicit cost you must assume *on each compromise*.
Replying to @qwertyoruiopz @rmhrisk and
Sure, so let's say you buy one exploit for $100k, and compromise 100 targets with it, that's probably a lot cheaper than getting a lawyer in front of a judge for 100 warrants. Still seems like a pretty good deal if you get caught a couple of times, don't you think?
my worry is that ultimately, there's an infinite supply of warrants, while at any given point in time the amount of weaponised capabilities is limited, so $ isn't really the point here. if you wanted to use 0day 100x as often, your cost would be much more than 100x.
Replying to @qwertyoruiopz @taviso and
.. i guess "$ isn't really the point" shouldn't really be here, since i kinda made it the point just after
Right, I can see how you could reach "it will cost 3x" more or some similar multiplier, but how do you get to 100x more usage for 100x more cost? As far as I can see, exploits scale really well.