When law enforcement relies on vulnerabilities in the system (be it protocols, operating systems, applications, or web sites), they are incentivized to keep it insecure. If it were secure, how would they get in?
Would the FBI patch their own systems against the bugs they know about? How would they control that information across all their systems? (This is an old hackers' puzzle: if you had an OpenSSH 0day, would you patch yourself against it?) If I were a communications provider (e.g. Silent Circle), and I found that the FBI was hacking me to learn customer data... what is my recourse? To borrow from the CFAA, the FBI is certainly performing unauthorized access or exceeding authorized access to a computer system. Am I allowed to kick them out? Sue them? What if they accidently crash a system because they're crappy exploit writers? Just like when Matt Blaze wrote it in Wired, this feels like a mistimed April Fools joke. -tom -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
