by tptacek 3550 days ago
When a government researcher (or government-funded researcher) discovers a new Flash vulnerability, the government hasn't created the vulnerability, nor have they prevented anyone else from discovering that same vulnerability.

Lobbying against SIGINT vulnerability collection doesn't actually make us materially safer --- even if things like the "Shadow Brokers" became routine (rather than the unprecedented shitstorm it actually was), the number and caliber of the vulnerabilities we're talking about are a tiny fraction of the threat we face.


Thankfully those who shut down biological weapons development in the DoD didn't follow the same logic. Purely from a strategic perspective: defense costs much more than offense; it doesn't make sense for a superpower to spend more on offense than defense when their potential adversaries can't afford to defend themselves against low cost attacks.
As regards software security vulnerabilities, defensive spending in the USG utterly and completely dwarfs offensive spending.

The median venture capitalist in the valley could outspend the US --- actually, probably the world --- on vulnerability acquisition. But there probably isn't an investor and there may not be a single tech company that outspends the USG on defensive security acquisitions.

I'd really love to know how you know this. I can think of a handful of very public DARPA, NIST, USN and NSA programs that are dedicated to hardening (most are little more than academic curiosities, measured in millions) - whereas the NSA's black budget (measured in billions) easily dwarfs those. Are you saying that the NSA is secretly spending large sums of money on hardening software outside of their black cube?

I don't disagree on the lack of private hardening spending, which is really beside the point, because obviously there is very little incentive for a company when all they have to do is budget for useless CYA lifelock service.

And? What do you think they're spending those billions on? Giant computing centers in Utah and all the signals intelligence the entire country does --- all the satellites, all the undersea cable taps, all the deployments of hardware implants on Chinese military computers.

Exploit development is a rounding error in that budget.

Satellites and undersea cable taps fall to the NRO and the USN, though I'm sure the NSA pays for some of it. That is beside the point, though; the issue is the exploit-to-hardening ratio, not the exploit-to-everything-else ratio.
Yes, and the USG (and DOD) spend vastly more on hardening than on offensive security. By orders of magnitude; note plural. Both in opex and (particularly) capex.

Is the money being spent wisely? Different question. But: nobody really knows how to effectively spend 100MM on hardening (a nice round number I picked at random).