Exploits of "lawful access" interfaces, such as the Chinese attack reported today by the WSJ, appeared almost immediately after they became standardized in the 90's. The most famous example is the case known as "the Athens Affair" https://spectrum.ieee.org/the-athens-affair .

It was a bad idea then, and still a bad idea now.

Mandated wiretap interfaces and cryptographic backdoors are *expensive*, both in terms of money and, more importantly, exposure to risk. Worse, those burdens are borne inequitably.

Overall, almost no one is the subject of a lawful wiretap, even in places where wiretapping is an important investigative tool. Most people aren't suspects. But these mandates degrade security (and impose other costs) for *everyone*, the vast majority of whom will never be wiretapped.

@mattblaze

So you want law enforcement to not report security-holes in software, because they will need them to stay open for "lawful hacking" purposes ?

That doesn't sound particular workable to me... ?

@SteveBellovin @mattblaze

Yeah, that's what I think too.

But Matt just said that court orders would have to be satisfied by "lawful hacking", so how does that work, if there are no vulnerabilities to exploit ?

To me it sounds like having your cake and eating it too:

You want perfect encryption and perfect software, and then police must rely on "lawful hacking" to satisfy a court-order for wiretapping.

What precisely is "lawful hacking" then ?

@bsdphk @SteveBellovin If only we had written an entire paper about this, and if only Steve had included a link to it.

But I understand if you'd rather just yell at people on the Internet.

@mattblaze @SteveBellovin

I've read your paper, I dont recall you answering the question I asked anywhere in it ?

What have I overlooked ?