[liberationtech] no-disclosure / other-disclosure [was: Foxacid payload]
Michael Rogers
michael at briarproject.org
Sun Jul 20 08:00:12 PDT 2014
On 18/07/14 01:02, coderman wrote:
> as thought experiment: a hidden site is set up by presumed
> trustworthy experts. exploits are funneled there, then they all
> dry up.
>
> - congratulations! NSA is out of 0day! ?
> - congratulations! NSA is not using 0day over Internet! ?
> - technique for catching 0day has been compromised. start over,...
>
> explain to me how any public effort will not fall into the last
> trap, repeatedly.

Assuming the effort doesn't stop when exploits dry up, but instead
looks for new ways to attract exploits, what's the problem?

> if your concern is security for the public, do it by making the
> software we use more difficult to exploit as a whole, rather than
> fixating on free exploits from NSA for a particular vulnerability
> among many.

That sounds like a false dichotomy to me. Publicising a specific
exploit may spur the development of general as well as specific
mitigations.

Cheers,
Michael