Hacker News
by neilv 659 days ago
> But they did so quietly and without notifying the developers of Tails afterwards of the major security flaw,

I don't immediately see an ethical problem with developing a zero-day exploit to catch a suspected/presumed very bad person like that, so long as: (1) it's used only for that one target; (2) you promptly start the responsible disclosure to upstream, and later to the public.

Unfortunately, the nice, clean ethics gets more complicated when that zero-day is temporarily in the hands of an organization that would presumably also use it for other targets.

Historically, some good and important government organizations have had complications, such as some personnel not believing in the rules and checks and balances under which they're supposed to operate, or personnel acting under direction of leadership or outside politicians who are misaligned with national laws and values.

If someone with the ability to develop a zero-day wanted to catch the very bad people, while not compromising all the lawful civil rights leaders and journalists who bother some questionable politician, how would they do that?

2 comments

The vulnerable code was scrapped in later releases, so I don't think they could use this exploit against other people anyway.

I should've clarified that I meant to ask a more general question.

Going back to a particular exploit, certainly it could be used against multiple targets, in a small time window.

There are multiple potential targets (for various reasons) at any time.

And there's also the option of mass-compromising endpoints or servers of a platform, and adding new hidden backdoors/weaknesses that persist long after the initial vulnerability is removed (e.g., in various kinds of firmware).

Or even just mass-cataloging of one-time compromised identities.

I disagree with number 2 but otherwise agree with you. I'd prefer they do this but it's not a moral imperative IMO.