We’ve been warning about this for literally three decades, ever since CALEA mandated wiretap-ready telecom infrastructure. And this is merely the latest example of how these dangerous interfaces can be turned against us by our adversaries.
https://mastodon.social/@fj/113253726161428151
Tl;dr: creating one-stop shopping for attackers is a bad idea.

Exploits of "lawful access" interfaces, such as the Chinese attack reported today by the WSJ, appeared almost immediately after they became standardized in the 90's. The most famous example is the case known as "the Athens Affair" https://spectrum.ieee.org/the-athens-affair .

It was a bad idea then, and still a bad idea now.

The Athens Affair is interesting for a number of reasons, but it's particularly notable that the switch that was compromised didn't actually have the CALEA option installed from the factory (since it wasn't then required in Greece). But it was added through a software update (induced by the attacker), and then exploited.
Anyway, my "told you so" muscles are pretty weary at this point.
Also, I'd be remiss if I didn't note that all the reasons that "lawful access" features in telecom infrastructure are risky apply at least equally to the periodically revived proposals for "key escrow" backdoors in cryptographic systems. Fortunately, we've mostly held back the tide on those, but they come up every few years. It would be a security disaster if they're ever mandated.

Mandated wiretap interfaces and cryptographic backdoors are *expensive*, both in terms of money and, more importantly, exposure to risk. Worse, those burdens are borne inequitably.

Overall, almost no one is the subject of a lawful wiretap, even in places where wiretapping is an important investigative tool. Most people aren't suspects. But these mandates degrade security (and impose other costs) for *everyone*, the vast majority of whom will never be wiretapped.

A far more equitable, more secure, and less expensive approach is to devote law enforcement resources to targeting actual suspects, e.g., by the traditional methods such as informants and technical approaches such as "lawful hacking". While these aren't particularly pleasant for those targeted by warrants, they have the great virtue of allowing law enforcement to do its work without degrading security or privacy for the rest of us.

@mattblaze

So you want law enforcement to not report security-holes in software, because they will need them to stay open for "lawful hacking" purposes ?

That doesn't sound particularly workable to me... ?

@bsdphk @mattblaze In fact, Matt and I and our co-authors said the exact opposite of your claim; see Section VI of https://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=1209&context=njtip. From ¶162: ‘Any policy short of full and immediate reporting is simply inadequate. “Report immediately” is the policy that any crime-prevention agency should have, even though such an approach will occasionally hamper an investigation.’

@SteveBellovin @mattblaze

Yeah, that's what I think too.

But Matt just said that court orders would have to be satisfied by "lawful hacking", so how does that work, if there are no vulnerabilities to exploit ?

To me it sounds like having your cake and eating it too:

You want perfect encryption and perfect software, and then police must rely on "lawful hacking" to satisfy a court-order for wiretapping.

What precisely is "lawful hacking" then ?

@bsdphk @SteveBellovin If only we had written an entire paper about this, and if only Steve had included a link to it.

But I understand if you'd rather just yell at people on the Internet.

@mattblaze @SteveBellovin

I've read your paper, I don't recall you answering the question I asked anywhere in it ?

What have I overlooked ?

@bsdphk @SteveBellovin I don't believe that you actually have, frankly.
@bsdphk @mattblaze You believe in perfect software. I don’t, except as an ideal to aspire to. We're very far from it—look at, e.g., the number of critical holes in almost every Microsoft Patch Tuesday. (Open source? I run about a dozen Linux VMs and have to do apt update/apt upgrade several times a week to deal with security issues. BSD? Most of the 3rd party applications are the same save for OS-specific patches.)

@SteveBellovin @mattblaze

No, I do not believe in perfect software, and that has nothing to do with what I'm asking you guys:

Your suggestion is that law enforcement can only execute wiretaps through "already present [...] software vulnerabilities".

My question is: How do you guarantee that there are already vulnerabilities available when a court order must be executed ?

And if there is a shortage, how will they be meted out ?

As I said: That is no way to run "A country built on laws"

@bsdphk @SteveBellovin The same way you guarantee that evidence sought in a search will be present, that witness will give reliable statements, or that people's faces will be recognizable on security cameras. You don't. There's no 100% reliable investigative technique, and never has been.
@bsdphk @SteveBellovin Anyway, forgive me for thinking you aren't being serious, since every aggressive "question" you've asked and every assertion you've made about our motivations is directly addressed in our papers. Bye now.

@mattblaze @SteveBellovin

You overlooked that I'm not from the USA ?

Your paper does not address the situation in any other country than the USA.

And I will posit that if your "solution" for the USA is adopted, it will kneecap the judicial system in almost all other countries.

Because, surely you realize, there cannot be one solution for the USA and another for Denmark, right ?

@bsdphk @mattblaze @SteveBellovin I didn't realize computers work differently in Denmark than in the US.
@bsdphk @mattblaze As I said, we believe that bugs are dense and that one *will* be available. As we describe in the papers, most of the code that they need is payload and is independent of the bug necessary to install it. And we don't want it to be too easy. Speaking in that case of GPS surveillance in US v Jones, Justice Sotomayor wrote ‘it evades the ordinary checks that constrain abusive law enforcement practices: “limited police resources and community hostility.”’ Too easy is bad.

@SteveBellovin @mattblaze

How do you expect a small country like Denmark will obtain an adequate supply of vulnerabilities ?

@bsdphk @SteveBellovin How does Denmark solve crimes now? And why do you expect US law to solve Denmark's law enforcement problems?
@bsdphk @SteveBellovin Anyway, I'm bored with you now. Bye.