No, but I thought we already agreed it buys more time, and also moves incentives towards fixing bugs rather than exploiting them. But... I am curious if you're in favour of key escrow for governments?
-
-
i'm strong in favour of 0day, strong against key escrow.
1 proslijeđeni tweet 3 korisnika označavaju da im se sviđa -
Odgovor korisnicima @qwertyoruiopz @rmhrisk i sljedećem broju korisnika:
What's your rationale, it seems like key escrow aligns with your philosophy of allowing governments access is a good thing?
0 proslijeđenih tweetova 1 korisnik označava da mu se sviđa -
it's a good thing if they do so with 0day, since it 1. has costs which limit scope of usage to only critical stuff, 2. it has a side effect of growing the security research community, meaning more eyeballs overall might end up killing bugs, 3. 0day is there no matter what.
0 proslijeđenih tweetova 8 korisnika označava da im se sviđa -
Odgovor korisnicima @qwertyoruiopz @rmhrisk i sljedećem broju korisnika:
They both have costs, just different costs. For example, presumably key escrow would require judicial approval. I think maybe you're counting costs per-exploit, not per-compromise, because they're pretty cost effective, no?
1 reply 0 proslijeđenih tweetova 0 korisnika označava da im se sviđa -
by cost I don't necessarily mean $, there's also risk of getting caught, which is an implicit cost you must assume *on each compromise*.
0 proslijeđenih tweetova 1 korisnik označava da mu se sviđa -
Odgovor korisnicima @qwertyoruiopz @rmhrisk i sljedećem broju korisnika:
Sure, so let's say you buy one exploit for $100k, and compromise 100 targets with it, that's probably a lot cheaper than getting a lawyer in front of a judge for 100 warrants. Still seems like a pretty good deal if you get caught a couple of times, don't you think?
3 proslijeđena tweeta 4 korisnika označavaju da im se sviđa -
my worry is that ultimately, there's an infinite supply of warrants, while at any given point in time the amount of weaponised capabilities is limited, so $ isn't really the point here. if you wanted to use 0day 100x as often, your cost would be much more than 100x.
0 proslijeđenih tweetova 3 korisnika označavaju da im se sviđa -
Odgovor korisnicima @qwertyoruiopz @rmhrisk i sljedećem broju korisnika:
Hmm... but aren't you assuming you can only use an exploit once? If I want buy an exploit and use it 100x as often, sure it's useful life will be shorter but it's clearly not going to cost me 100x more? How do you get to that number?
1 reply 0 proslijeđenih tweetova 2 korisnika označavaju da im se sviđa -
i'm not really assuming that. i'm just saying that costs become non-linear once you scale things up and want to be able to keep doing what you're doing over time rather than just briefly. a "big brother" scenario seems a lot more likely to come from key escrow than 0day.
1 reply 0 proslijeđenih tweetova 3 korisnika označavaju da im se sviđa
Dunno, you could just use a 0day once to compromise the build server... that scales really well, and has really happened 
-
-
Odgovor korisnicima @taviso @qwertyoruiopz i sljedećem broju korisnika:
That presumes the code signing system is online and automated; bad design x2.
1 reply 0 proslijeđenih tweetova 0 korisnika označava da im se sviđa -
Most code signing system compromises have been due to online keys. That’s why sensitive keys are kept offline.
1 reply 0 proslijeđenih tweetova 0 korisnika označava da im se sviđa - Još 50 drugih odgovora
Novi razgovor -
-
-
that's a fair point ;)
0 replies 0 proslijeđenih tweetova 3 korisnika označavaju da im se sviđaHvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.