Let's avoid the slippery slope argument (i.e. if one government has key escrow, then they all must) for the purposes of discussion. Do you agree that fixing vulnerabilities is a good thing, or should they be hoarded so that key escrow isn't necessary?
-
It’s not a slippery slope argument. Your thought experiment is that the existence of key escrow could wipe out the 0day demand. I think that won’t happen, and the UAE not having access is one example of why it will not. (And giving access to the UAE seems a bad compromise.)
3 replies 0 retweets 15 likes -
Replying to @matthew_d_green @taviso and
As far as whether hoarding vulnerabilities is “good”, clearly it is not! But I don’t see a plausible mechanism for KE to wipe it out. If we’re just playing “what if” then I still don’t know. It’s an honestly complicated question with arguments both ways.
1 reply 0 retweets 9 likes -
Replying to @matthew_d_green @rmhrisk and
Sure, we're talking magic-wand stuff. There is a plausible mechanism to meaningfully move the market though, such as tweaking VEP or other policies. You're correct that we can't eliminate exploits, but we *can* increase scarcity.
1 reply 0 retweets 0 likes -
Replying to @taviso @matthew_d_green and
I suppose my question is, to put it bluntly, are you willing to throw people trying to make exploitation harder under a bus to prevent key escrow?
I think some people are, which bothers me. If you're not, then we're probably on the same page (or at least the same chapter!)
3 replies 0 retweets 1 like -
Replying to @taviso @matthew_d_green and
How about a third option: Being OK with the idea that some data might never be accessible to police agencies, even if it means a guilty person might get away with a crime.
2 replies 1 retweet 6 likes -
Replying to @0xMatt @matthew_d_green and
I mean, that is implicitly one of the options, right? The option I'm not willing to accept is "we don't need key escrow, because you can just hoard more vulnerabilities", because I worry that is putting more people at risk.
1 reply 0 retweets 2 likes -
Replying to @Joshua_Brindle @0xMatt and
Not at all, it is absolutely a risk and I don't think key escrow is a good idea. The problem I have is anyone encouraging 0day as an alternative to key escrow. That seems like protecting the ideological purity of cryptography rather than reducing risk, and gov still has access.
0 replies 0 retweets 0 likes
You're missing the point. You can take away exploits from other people by fixing vulnerabilities, so big players committing to hoarding fewer exploits forcibly reduces the number of exploits held by adversaries. That is why fixing bugs is good.