viruses that can hijack the camera and microphone on your phone or laptop; and more — are the modern equivalent of landmines and cluster bombs: antipersonnel weapons that end up in the hands of criminals, thugs and dictators who use them to figure out whom to arrest, torture, and murder.

Holy hyperbole Batman! 

Landmines and cluster munitions kill indiscriminately long after conflicts have ended and the originators have disappeared off the map. 

Malware depends on other actors to cause physical damage. It isn’t a landmine so much as an informant. 

I’m going to set my kids the task of creating a new operating system on their Raspberry Pis this weekend, or no allowance.  And they’re grounded.

A non-lethal arms race sounds like a huge improvement on the last one.

It’s worse than that: Software bugs affect people who depend on software, and dependence on software is something that increases massively as the complexity of your modern infrastructure increases.

By contrast, software attacks, while not free, are cheap enough to be within the capabilities of even fairly feeble nation states and assorted private actors, and it is (comparatively) easy to scale your attack capabilities with nothing more than nationalism and petty cash.

For the US to act in a way that decreases computer security for everyone would be like the US acting in a way that decreases the strength of concrete for everyone. Yeah, sure, that will make busting a few bunkers easier; but it will also cause massive costs and damage across large swaths of our own infrastructure. Not a good trade-off. 

If software bugs affected us all equally, playing for exploits rather than fixes would still be quite likely to be a zero-sum game; but that would be a hell of an improvement over the actual state of things, where it is a negative-sum game that we(along with other high-infrastructure populations) cannot possibly hope to even lose less than the other guy does.

The reason I mention this is even though there are super sekret zero day vulns that none of us mere mortals know about, there are an order of magnitude more that we do know about–in client side Java and Adobe reader.  Want to pwn a mortgage company that resells loans to the largest financial companies in the world?  Apply for said loan, and embed something interesting.

So do I have answers for what to do, general answers that help the broader community and not just one (slightly contrived) example?  Sure.  Lots of us in this space have answers.  The downside is they are modestly complex, not entirely free, and slightly hostile to users who don’t care for technology; but most of all the right answers take work and vigilance, which don’t usually lend themselves to ‘set and forget’.

Anyway, happy 2/14!!  

Second we should not reward “researchers” for finding and then extorting cash for bugs.

Third, your government is making you LESS safe by supporting a trade in malware. This costs more in the end due to all the insurance, fraud and organized crime, but hey who cares about externalities, we just want to bag the bad guy!