Long post 

@icedquinn@niu.moe fair points, and thanks for taking the time to lay them out in detail. There's a lot to unpack here. I'm on Mastodon so I'll have to do a series of posts addressing different aspects of your post.

@icedquinn@niu.moe the ethics of keeping exploits secret is another kettle of fish. I'm guessing you're offering this as an example of when secrecy of approach might be justified. The thing is, the method here is not secret, just the current inventory of the armoury. I mean, you just described the approach to me in a public medium.

@icedquinn@niu.moe you may also be offering this as a justification for security by obscurity. I hope not, because that would miss the point of how I'm applying the phrase here. I'm talking about the design of the agencies' own security, such that they can publish their operational "source code" (*not* the equivalent of their system passwords, private keys etc of course), without that information being of any use to opponents trying to break their security (evade detection etc).

@icedquinn@niu.moe one way to approach the question of whether secret police ought to be allowed to keep armouries of zero day exploits is a utilitarian one. What causes the greater harm to the greater number? Not responsibly disclosing security bugs to software developers, platform sysadmins etc, or people whose violent actions can reliably be prevented by the use of undisclosed exploits? But as mentioned in the other branch of my replies, the public have no way to quantify the latter.

@icedquinn@niu.moe whereas we have mountains of publicly available data on the harms caused when undisclosed exploits are used by Bad Actors, in some cases professionals working for competing governments or corporations. I think it's reasonable to say that the very "national security" or "public safety" the secret police purportedly exist to protect is regularly harmed by this. So to me, the burden of proof is on the secret police to justify the utility of their exploit armouries.

@icedquinn@niu.moe arguably both national security and public safety would be greatly increased by redirecting most of the funds spent on secret police in "democratic" countries, to the developers of the essential components that everyone's security depends on, in a myriad of different ways, and to teams working on robust encryption, pen testing of all the above with responsible disclosure etc. Less security theatre (vampires! werewolves! zombies!), more actual security work done.

Mastodon - NZOSS