My point is that 0day hoarding is absolutely inevitable. No matter how many key escrow systems you mandate. There will always be an abundance of criminals that don’t use the key escrow system (which right now is as simple as downloading an app) or who just store data locally.
Replying to @matthew_d_green @rmhrisk and
It's not inevitable at all, the government is big enough to move markets and a shift in policy can drastically change the risks people are exposed to. I'm not in favour of key escrow, but encouraging more government exploit usage is even worse.
2 replies 0 retweets 2 likes -
Replying to @taviso @matthew_d_green and
Let me clarify something, are you in favour of the *results* of key escrow (e.g. state access to private data), so long as something other than key escrow is used to achieve that?
3 replies 2 retweets 1 like -
Replying to @taviso @daveaitel and
i might be in the minority with this controversial opinion, but i would be in favour of eradicating the 0day market if it were an option — however, it is *tolerable* in comparison to key escrow systems because it's a law of nature and doesn't itself increase attack surface
1 reply 0 retweets 5 likes -
Replying to @saleemrash1d @daveaitel and
interesting thanks, but the counter argument is that while it doesn't *increase* attack surface - a policy change (perhaps tweaking VEP, or something) can get vulnerabilities fixed that are being abused by adversaries. That is a positive thing, right?
1 reply 0 retweets 1 like -
Replying to @taviso @daveaitel and
key escrow isn't an alternative to 0days, so no government would give up their exploit capability:
- you can't target smart criminals that move to "illegal encryption"
- you lose other capabilities that aren't at all related to encrypted communications
1 reply 0 retweets 5 likes -
Replying to @saleemrash1d @daveaitel and
I know how 0days work, the question is whether it's acceptable to encourage increasing the adoption of exploitation in exchange for dropping attempts at building key escrow. I have a problem with that.
3 replies 0 retweets 0 likes -
Replying to @taviso @saleemrash1d and
There is a difference between “encouraging zero day adoption” and the false premise that key escrow would eliminate or even reduce zero day hoarding.
1 reply 0 retweets 1 like -
Replying to @rmhrisk @saleemrash1d and
Nobody wants to hoard 0day, because your enemies can use them against you. They do so because they balance that risk against the value of that additional capability, if that capability reduces in value, the calculus changes. Explain to me how that won't reduce hoarding?
1 reply 0 retweets 0 likes -
"Nobody wants to hoard 0day" at the nation state level, no. I know quite a few people that do hoard 0day in products they've boycotted.
2 replies 0 retweets 4 likes
True, should have been more precise, was just talking about nation states.
Replying to @taviso @CiPHPerCoder and
I’m still wondering what the downside to encouraging just that trade is?
1 reply 0 retweets 0 likes -
Replying to @mdhardeman @taviso and
Arrogant and/or ignorant policymakers will insist the geeks "just get access somehow" which leads to more offense and less defense, which in turn makes everyone more vulnerable. It's a valid concern, but not enough to justify key escrow.
1 reply 0 retweets 0 likes - 23 more replies