If you were careful, you MIGHT be able to get away from everything using cyanogenmod and opting to NOT install ANY google services but then you'd have a mostly useless overpowered dumb phone...

Maybe you could get one of these Firefox phones.

I don't think it matters whether we take Exodus or the US Government. I'm not really sure why being a mercenary is so bad? What is the difference if the US Government pays Exodus or hires the people working for Exodus to write exploits directly?

The difference is motivation. If you're partisan -- if you're motivated because you think the cause is just -- then maybe it's ethical to fight. If you're motivated by money and otherwise don't care, it's clearly unethical.

(I say "maybe" because it's not ethical to fight if you're mistaken in your belief that the cause is just -- it has to genuinely be so. But if you don't care, fighting is unethical even before considering the justness of the cause because it's not your fight.)

And yes, people are using Tor to fight against the US; certainly hackers and terrorists use Tor. (I don't believe more than a small fraction of Tor users are malicious, but malicious users undoubtedly exist.

If the American Revolution were happening today, the Founding Fathers would be labeled "hackers and terrorists" from the perspective of the British Crown. In other words, unless you're purposefully targeting innocents, those sorts of labels are a matter of perspective. I'm not at all convinced that using TOR to fight against the US government is actually a bad thing.

If you have responsibly disclosed every exploit you know about, you are not going to be able to hack into the computer which triggers the bomb. I'm not sure why this isn't obvious. Unless somehow your "responsible disclosure" allows for holding on to exploits until you need them for dire situations, you have no way to stop such a computerized device.

Let's be more concrete here: someone has hooked up a Raspberry Pi to detonate a bomb, which is triggered, say, over Tor. Whoever made this wasn't stupid: it has a heartbeat which will detonate the bomb if it fails, so you can't just jam it or cut off internet access. It has normal motion sensors, etc. You have 1 hour to disable it. I propose that given the possibility of such a scenario (or scenarios like this; obviously this is an extreme and contrived example to try to prove a point), it is ethical to withhold disclosure of vulnerabilities. In your proposed scenario, the government has "emptied its cyber arsenal". It has nothing it can do to prevent such an attack. I believe it is superior to have the capability to prevent such an attack.

First of all, I understood your previous scenario to be that you're discovering a new exploit in the process of defusing the bomb, and deciding whether to responsibly disclose it afterwards or to keep it in your pocket for later use. That's different from what you wrote this time, which is that you're using a previously-discovered but undisclosed exploit to defuse a bomb at the present time.

The problem with your scenario is that you're presupposing it "will" happen, and judging your actions after the fact. That's not a valid mode of reasoning, since there's no way to know that the scenario will actually occur (or even that it's more than infinitesimally likely to occur) at the time you're making the decision to disclose or not.

In other words, you're saying that it's perfectly ethical to do actual harm now because you guess that it might lessen the possibility of doing potential harm later. If you don't understand the problem with this, there's nothing more I can do to explain it to you more clearly.

It's like saying we shouldn't have fought in Wold War II against Hitler, because war is bad. The Allied forces were the "lesser of two evils"--evil, of course, because war is unethical just like hacking is. Why choose to actively help the lesser of two evils? We should have remained neutral.

That's exactly what we did do until the Japanese attacked us directly at Pearl Harbor. I think we acted pretty appropriately in that case!

Incorrect. You jump to some really broad interpretation of the article really fast. Maybe this hits a little to close to your behavior?

On the contrary, you've just proven my point!

Feminist hypocrites? First time for everything I suppose.

We all know prison rapes don't count. After all, only evil people are in prison to begin with.

Not all sexual assaults are rape. Way to move the goalposts. You work for the FBI?

/golfclap

Nobody expects the....

Wait. Wrong meme.

The same exact reasoning to justify TSA

They're incomparable. TSA is mandated by governments, you have no choice in the matter. Using a particular brand of smartphone is not. You are free to use a smartphone that doesn't use Google services and indeed are free to buy a Nexus 5 and then say "no" to the billion and one "trade data for feature?" prompts that appear when switched on the first time. No government goon is going to step in and insist that you send all your data to Google.

In fact, if you would prefer a smartphone that has a different data/features tradeoff then - conveniently! - Google provides a rather good open source operating system for free that you can use to build one. If others feel the same way you do you can even sell them without paying Google a dime.

Depends how you define "very popular" I guess. The most popular way to bypass state-level censorship in the Arab world and elsewhere is a product called HotSpot Shield. When Turkey blocked Twitter some time ago, HSS experienced 1000% growth and reached 1.1 million installs in the iOS App Store alone within only four days, with 800,000 regular users.

In contrast Tor went from 30,000 to 40,000 "direct connects" from Turkey.

HSS doesn't get much press in the geek world as it's just a plain old VPN run by a company in California that inserts ads into people's web pages to pay for the bandwidth costs. But usage wise it utterly dominates Tor.

Looking for tools? Slashdot is the right place.