Yes. The high-end criminals will absolutely adapt to using encryption tools that are opaque to key escrow (see the recent arrests around PhantomSecure) and the government will go back to using 0days on them. Key escrow is for the dumb criminals.
Replying to @matthew_d_green @N8Fear
I think we agree that today, you can just use 0day to achieve, more or less, everything you would want to achieve with key escrow. It would bother me if you're arguing that is acceptable, because hoarding 0day puts people at risk.
Replying to @taviso @matthew_d_green
To be fair building in backdoors also puts people at risk.
Replying to @rmhrisk @matthew_d_green
Sure. I don't like key escrow, but arguing for more 0day hoarding as a substitute seems like arguing to protect the ideological purity of cryptography rather than less risk.
My point is that 0day hoarding is absolutely inevitable. No matter how many key escrow systems you mandate. There will always be an abundance of criminals that don’t use the key escrow system (which right now is as simple as downloading an app) or who just store data locally.
Replying to @matthew_d_green @rmhrisk
It's not inevitable at all, the government is big enough to move markets and a shift in policy can drastically change the risks people are exposed to. I'm not in favour of key escrow, but encouraging more government exploit usage is even worse.
Replying to @taviso @matthew_d_green
Let me clarify something, are you in favour of the *results* of key escrow (e.g. state access to private data), so long as something other than key escrow is used to achieve that?
So let me answer your first question with a question: if Western governments mandate key escrow, will the government of UAE be able to use it under the UAE’s legal regime? If yes, then I *am* objectively uncomfortable with key escrow. If no, hello lucrative 0day market.
Replying to @matthew_d_green @taviso
In any case, the “reduction in 0days” effect you propose seems like it will mainly affect purchases by *western* law enforcement agencies. Foreign intelligence and wealthy governments with different ‘legal regimes’ will still hoard 0days even if key escrow is 100% effective.
Replying to @matthew_d_green @taviso
And even the best case reduction effect will be short-lived. As sophisticated criminals migrate away from the affected systems, even the FBI will have to start buying exploits again.
The problem is there is overlapping independent discovery of vulnerabilities. If I have an exploit, nothing is stopping you from finding it. This is why it's important to fix and not hoard exploits, agree?
Replying to @taviso @matthew_d_green
People would always empathise with the government's "boo hoo, the mean infosec people stopped us from hoarding 0days and now we can't get into this iPhone." Everyone places the blame solely on the Shadow Brokers because the NSA were "just doing their job".
Replying to @saleemrash1d @taviso
Of course it is a terrible idea for the government to hoard 0days! But the government has no incentive not to, because no one will blame them if another country finds the same vulnerability because they didn't patch it.