It would be great if multiple options for such escrow were investigated, e.g. add multi-party, add physical access, add delay/proof of work, make options scale badly, etc. Problem is, it's politically sensitive, academically unpopular, no one wants to get burned by naming the options.
-
Replying to @idafanatic @saleemrash1d and
Yeah, I don't want key escrow, but it does bother me that some vocal opponents appear to be encouraging an increase in state 0day usage as an alternative.
-
Replying to @taviso @idafanatic and
Do you think that they'll reduce state 0day usage if they have key escrow? They'll hoard 0days anyways, just because they don't know when the ones they have get known and therefore are "burnt". Also: there is no secure way of implementing escrow...
-
Yes. The high-end criminals will absolutely adapt to using encryption tools that are opaque to key escrow (see the recent arrests around PhantomSecure) and the government will go back to using 0days on them. Key escrow is for the dumb criminals.
-
Replying to @matthew_d_green @N8Fear and
I think we agree that today, you can just use 0day to achieve, more or less, everything you would want to achieve with key escrow. It would bother me if you're arguing that is acceptable, because hoarding 0day puts people at risk.
-
Replying to @taviso @matthew_d_green and
To be fair building in backdoors also puts people at risk.
-
Replying to @rmhrisk @matthew_d_green and
Sure. I don't like key escrow, but arguing for more 0day hoarding as a substitute seems like arguing to protect the ideological purity of cryptography rather than less risk.
-
Do you think that 0day generation rate scales linearly with investment?
-
Replying to @gdbassett @rmhrisk and
Definitely not, but one 0day can be used a very large number of times (if that's what you're asking).
-
Do you know of any quantitative research on the relationship between amount of use and effectivity of an 0day?
-
You're asking if anyone asked an attacker how many times they used an exploit without being detected before we discovered it? I don't think so.