Sure. I don't like key escrow, but arguing for more 0day hoarding as a substitute seems like arguing to protect the ideological purity of cryptography rather than less risk.
My point is that 0day hoarding is absolutely inevitable. No matter how many key escrow systems you mandate. There will always be an abundance of criminals that don’t use the key escrow system (which right now is as simple as downloading an app) or who just store data locally.
Replying to @matthew_d_green @rmhrisk and
It's not inevitable at all, the government is big enough to move markets and a shift in policy can drastically change the risks people are exposed to. I'm not in favour of key escrow, but encouraging more government exploit usage is even worse.
Replying to @taviso @matthew_d_green and
Let me clarify something, are you in favour of the *results* of key escrow (e.g. state access to private data), so long as something other than key escrow is used to achieve that?
So let me answer your first question with a question: if Western governments mandate key escrow, will the government of UAE be able to use it under the UAE’s legal regime? If yes, then I *am* objectively uncomfortable with key escrow. If no, hello lucrative 0day market.
Replying to @matthew_d_green @taviso and
In any case, the “reduction in 0days” effect you propose seems like it will mainly affect purchases by *western* law enforcement agencies. Foreign intelligence and wealthy governments with different ‘legal regimes’ will still hoard 0days even if key escrow is 100% effective.
Replying to @matthew_d_green @taviso and
And even the best case reduction effect will be short-lived. As sophisticated criminals migrate away from the affected systems, even the FBI will have to start buying exploits again.
Replying to @matthew_d_green @rmhrisk and
The problem is there is overlapping independent discovery of vulnerabilities. If I have an exploit, nothing is stopping you from finding it. This is why it's important to fix and not hoard exploits, agree?
Replying to @taviso @matthew_d_green and
People would always empathise with the government's "boo hoo, the mean infosec people stopped us from hoarding 0days and now we can't get into this iPhone". Everyone places the blame solely on the Shadow Brokers because the NSA were "just doing their job".
Replying to @saleemrash1d @taviso and
Of course it is a terrible idea for the government to hoard 0days! But the government has no incentive not to, because no one will blame them if another country finds the same vulnerability because they didn't patch it.
Of course they have an incentive not to: they can't prevent the vulnerabilities from being exploited by adversaries against us/allies/civilians/etc. If they don't hoard them, they can fix them, making everyone safer. This is (supposedly) the job of the VEP to balance.
Replying to @taviso @saleemrash1d and
Correct, but the imbalance favors profit over safety b/c the plutocracy discounts the well-being of the people in favor of their wealth. Like the airline industry willfully resisting reinforced cockpit doors till the bail out of 9/11. Tragedy seems to be the catalyst for change.