Let me clarify something, are you in favour of the *results* of key escrow (e.g. state access to private data), so long as something other than key escrow is used to achieve that?
So let me answer your first question with a question: if Western governments mandate key escrow, will the government of UAE be able to use it under the UAE’s legal regime? If yes, then I *am* objectively uncomfortable with key escrow. If no, hello lucrative 0day market.
Replying to @matthew_d_green @rmhrisk and
Let's avoid the slippery slope argument (i.e. if one government has key escrow, then they all must) for the purposes of discussion. Do you agree that fixing vulnerabilities is a good thing, or should they be hoarded so that key escrow isn't necessary?
It’s not a slippery slope argument. Your thought experiment is that the existence of key escrow could wipe out the 0day demand. I think that won’t happen, and the UAE not having access is one example of why it will not. (And giving access to the UAE seems a bad compromise.)
Replying to @matthew_d_green @taviso and
As far as whether hoarding vulnerabilities is “good”, clearly it is not! But I don’t see a plausible mechanism for KE to wipe it out. If we’re just playing “what if” then I still don’t know. It’s an honestly complicated question with arguments both ways.
Replying to @matthew_d_green @rmhrisk and
Sure, we're talking magic-wand stuff. There is a plausible mechanism to meaningfully move the market though, such as tweaking VEP or other policies. You're correct that we can't eliminate exploits, but we *can* increase scarcity.
Replying to @taviso @matthew_d_green and
I suppose my question is, to put it bluntly, are you willing to throw people trying to make exploitation harder under a bus to prevent key escrow?
I think some people are, which bothers me. If you're not, then we're probably on the same page (or at least the same chapter!)
Replying to @taviso @matthew_d_green and
i mean, this is kind of like trying to build a plane and then arguing that the physicists who point out that gravity exists are throwing you under the bus
Replying to @saleemrash1d @matthew_d_green and
No it isn't, I've already explained how a policy change can either increase the scarcity of exploits, or decrease it. If you're okay with decreasing the scarcity to avoid key escrow, then that is my problem.
Replying to @taviso @matthew_d_green and
but that policy change never happens because key escrow is never going to be a suitable replacement for exploitation...
Disagree, exploits can be used against gov by other parties, it's in their interest to minimize the amount they have to hoard to reduce the risk they're used against them/allies/civilians/etc. If they need less exploits, it's in their interests to fix them, agreed?