I appreciate your honesty and taking responsibility. The time I spent in security research had me putting blame pretty far away from middle-people: (a) the users and buyers who almost exclusively go with insecure crap, even if secure ones are highly-usable and/or free; (b) the developers who do nothing to make their software secure. On (b), some vulnerabilities could've been prevented with push-button tools like AFL that they just don't bother to run. Fish in a Barrel LLC makes that point more comically. Those groups driving the vulnerabilities would have to get their shit together before folks selling them become truly bad to me. I do have two points to address, though.

"Literally every single paper on the topic cites newspaper articles rather than academic research."

You mention that everyone is doing it with no citations of academic sources. I'd be interested in reading any recent research you believe is high quality and represents the current market. That other paper was dated 2007. I figure there's been some changes.

"Let’s take it for granted that the IC counter terrorist units and the legal authorities hunting for child abusers are acting in good faith. "

We can't take that for granted. Ok, so the prior precedent I pushed Schneier et al to use in media was J Edgar Hoover. He used blackmail on initially a small number of politicians in control of his budget and power to massively increase his budget and power. The Feds committed all kinds of civil rights abuses. His reign lasted a long time with his power growing. He accomplished it all through surveillance using ancient methods that required actual people listening in on calls and such. Both Feds and I.C. stay doing power grabs even though some or all of that was stopped. We'll never know since FBI continued to have its budget and power.

I predicted that, post-9/11, they'd do a power grab as a USAP. If it's a USAP, then only a few in Congress can oversee the program and therefore only a few need to be controlled. Sure enough, Snowden leaks confirmed they did that for nationwide surveillance, Congress kept doing nothing more than they usually do (didn't even read reports per GAO), gave them retroactive immunity for abuses, the warrants weren't for specific individuals ("targeting criteria"), they shared data with all kinds of non-terrorism-related agencies, at least one (DEA) regularly arrested folks after lying about sources, and they're steadily expanding that. Again, with criminal immunity for whatever secret things they're doing.

So, no we can't consider them acting in good faith. They've constantly lied to Americans and Congress about programs that are used to put people in jail for all sorts of stuff. There's no telling what they'll do if we give them too much power. That's why some of us advocated warrants for information or specific acts of surveillance. One can also hold people in contempt for not giving up keys. It needs to be targeted with evidence behind what they're doing.

And, yes, some horrible people will get away with crimes like they do with our other civil rights. You'd have to be non-stop spying on every person anywhere near a child 24/7 to achieve the goal of preventing that. Yet, we don't do that because we as a society made a trade-off. This is another one. This isn't hypothetical: the FBI is so corrupt they pay people to recruit/bust terrorists with Presidents and Congress usually taking bribes from companies to get elected. We should always treat them as a threat that acts in their own self-interest that might differ greatly from ours.

> I appreciate your honesty and taking responsibility.

It is a fatal character flaw I have. When people want to know about something I try to help them.

> You mention that everyone is doing it with no citations of academic sources. I'd be interested in reading any recent research you believe is high quality

There was one by RAND which is good.

https://www.rand.org/content/dam/rand/pubs/research_reports/...

> represents the current market.

There is nothing that I am aware of that discusses the current market. The RAND paper is closest.

> acting in good faith.

I should not have used a blanket statement. My point is that there are people in IC who are legitimately going after terrorists and child abusers. They have a legitimate need for capabilities that enable them to do that.

I am not saying that the IC is a benign and wonderful government organ. I am saying that within IC there are people who are actually hunting terrorists and pedophiles. I didn't want to explain all of that because it is obvious that it is true. Hence, "let's take it for granted". Rather than discussing the history of the IC, I wanted to explain that there are legitimate uses for 0day and that is the issue being discussed.

The rest is not relevant to explaining how the vulnerability market operates. (Well, how it did in 2011.) When someone asks "how do shares work?" you don't start off by talking about boom and bust markets and macroeconomics. Same thing here. "How does the market work?" is not a question about the IC. It is about how the market works. If you're talking about the vulnerability market you talk about the vulnerability market. You have to assume that there are legitimate players who are acting in good faith.

This entire post is why I abridged it to "let's assume good faith."


Leaving it out because it was mostly irrelevant makes sense. There's definitely folks doing good with these capabilities. I'm a big fan of their work and grateful for their sacrifices. And thanks for the RAND link. I'll check it out later.