On Thu, Mar 09, 2017 at 10:36:07PM +0200, Jari Arkko wrote: > 2. There is no such thing as privileged access to the good guys. It > will leak / break / be shared. > > 3. Secretly held vulnerabilities make us all less safe. Two points: A) Worth noting (h/t to Richard Forno): Rand: The Life and Times of Zero-Day Vulnerabilities and Their Exploits http://www.rand.org/pubs/research_reports/RR1751.html The key findings are highly illuminating -- particularly the observation that the median time -- the *median* time -- to develop an exploit for a zero-day vulnerability is 22 days. B) What one government knows, another will know soon. There are enormous resources available for this task and vulnerability information, unlike some other forms of intelligence, can be immediately used with plausible deniability and without attribution. ---rsk