are entities capable of detecting use of such 0day really unable to procure 0day on their own anyway?
Replying to @qwertyoruiopz @taviso and
There was an office 0day a few years ago. It was first detected in Pakistan, and then about a month later it was detected in India. The Pakistanis had caught it, and then repackaged with their own payload and sent back. It was only discovered after a third party got popped
1 reply 3 retweets 10 likes -
what's the rate at which this happens, and what's the rate at which exploits are found ITW by security companies that then kill them? I'd speculate that latter is a lot more likely.
1 reply 0 retweets 2 likes -
Replying to @qwertyoruiopz @taviso and
I have no idea of the real numbers for either. I was offering it up as an amusing anecdote. I don’t think it is really relevant anyway. How does key escrow enable stuxnet? If it can’t, then how does key escrow replace 0day as tools for nation states?
2 replies 1 retweet 6 likes -
Replying to @thegrugq @qwertyoruiopz and
You order Microsoft to put a signed update on WSUS?
4 replies 0 retweets 3 likes -
In this scenario there is an increased risk of being caught vs a built-in backdoor; it also requires being able to compel not only signing but construction of the hacked binary, which at least in the US has been determined to be illegal. Beyond that it doesn’t scale to needed volumes.
1 reply 0 retweets 1 like -
A similar attack worked when the feds used it for hushmail, no? Not sure I agree it's illegal, because it's really happened in the past.
2 replies 0 retweets 1 like -
Hushmail case is interesting; first, it was Canada not US; second, the company had limited resources and wouldn’t have been able (even if they wanted) to defend from a government with infinite resources.
2 replies 0 retweets 0 likes -
Right, although it was part of a mutual assistance treaty. Hmm, but who can defend against a government with infinite resources? Not clear Apple would have won if the FBI didn't give up and bought a 0day instead, right?
1 reply 0 retweets 0 likes -
Apple's 1 trillion value (public market) vs Hushmail's 10-20m (private market) value at the time makes for a slightly fairer fight.
1 reply 0 retweets 0 likes
Maybe, not sure if I'm convinced it's relevant. I think we both agree that the current system is dependent on Apple wanting to do the right thing though, right?
True, and while it’s convenient to use Apple as the actor here because of their public stance on this topic, and I ACK that not all companies would, we have to accept that there is at least an incentive system at work here, enough that Apple now markets this behavior indirectly.
0 replies 0 retweets 0 likes