We’ve been warning about this for literally three decades, ever since CALEA mandated wiretap-ready telecom infrastructure. And this is merely the latest example of how these dangerous interfaces can be turned against us by our adversaries.
https://mastodon.social/@fj/113253726161428151
Tl;dr: creating one-stop shopping for attackers is a bad idea.

Exploits of "lawful access" interfaces, such as the Chinese attack reported today by the WSJ, appeared almost immediately after they became standardized in the 90's. The most famous example is the case known as "the Athens Affair" https://spectrum.ieee.org/the-athens-affair .

It was a bad idea then, and still a bad idea now.

The Athens Affair is interesting for a number of reasons, but it's particularly notable that the switch that was compromised didn't actually have the CALEA option installed from the factory (since it wasn't then required in Greece). But it was added through a software update (induced by the attacker), and then exploited.
Anyway, my "told you so" muscles are pretty weary at this point.
Also, I'd be remiss if I didn't note that all the reasons that "lawful access" features in telecom infrastructure are risky apply at least equally to the periodically revived proposals for "key escrow" backdoors in cryptographic systems. Fortunately, we've mostly held back the tide on those, but they come up every few years. It would be a security disaster if they're ever mandated.

Mandated wiretap interfaces and cryptographic backdoors are *expensive*, both in terms of money and, more importantly, exposure to risk. Worse, those burdens are borne inequitably.

Overall, almost no one is the subject of a lawful wiretap, even in places where wiretapping is an important investigative tool. Most people aren't suspects. But these mandates degrade security (and impose other costs) for *everyone*, the vast majority of whom will never be wiretapped.

A far more equitable, more secure, and less expensive approach is to devote law enforcement resources to targeting actual suspects, e.g., by the traditional methods such as informants and technical approaches such as "lawful hacking". While these aren't particularly pleasant for those targeted by warrants, they have the great virtue of allowing law enforcement to do its work without degrading security or privacy for the rest of us.

@mattblaze

So you want law enforcement to not report security holes in software, because they will need them to stay open for "lawful hacking" purposes ?

That doesn't sound particularly workable to me... ?

@bsdphk @mattblaze In fact, Matt and I and our co-authors said the exact opposite of your claim; see Section VI of https://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=1209&context=njtip. From ¶162: ‘Any policy short of full and immediate reporting is simply inadequate. “Report immediately” is the policy that any crime-prevention agency should have, even though such an approach will occasionally hamper an investigation.’

@SteveBellovin @mattblaze

Yeah, that's what I think too.

But Matt just said that court orders would have to be satisfied by "lawful hacking", so how does that work, if there are no vulnerabilities to exploit ?

To me it sounds like having your cake and eating it too:

You want perfect encryption and perfect software, and then police must rely on "lawful hacking" to satisfy a court-order for wiretapping.

What precisely is "lawful hacking" then ?

@bsdphk "but what if no bugs" is dealt with in exactly the same way as every other form of "but what if no evidence": do something else to get the necessary evidence, or else learn to live with the fact that, in the real world, unlike TV, sometimes the bad guys get away with it.

@dave_aitel @SteveBellovin @mattblaze

@womble @dave_aitel @SteveBellovin @mattblaze

Then any non-stupid asshole is totally free to send dick-pics to any woman he can find coordinates for ?

Ask your mom if she is OK with that ?

Today most instances of intimidation, harassment and blackmail are never investigated, much less resolved or brought to justice.

I wonder how people like you can miss the connection between "almost all communication is digital" and "almost all crime involves digital communication" ?

@bsdphk I don't miss that connection, because it's not true. I also don't miss that the overwhelming majority of cases of intimidation, blackmail and harassment are over media which is already entirely accessible to law enforcement, which means that the reason they're not investigated has nothing to do with a lack of lawful access to the evidence.

@dave_aitel @SteveBellovin @mattblaze

@womble @dave_aitel @SteveBellovin @mattblaze

And you say this because you live in USA, right ?

Countries like Luxembourg and Denmark do not have police resources on the scale that the FBI does.

A lot of services which are "entirely accessible" to the FBI are not accessible to police in countries which cannot intimidate the owners of said service.

This is why I say: EU are going to legislate something which works for police in all EU countries, so "solutions" must not depend on massive resources.

@bsdphk no, I do not live in the USA.

Your arguments that police need access to everyone's private communications all the time are nonsense, because even the crimes that *can* be prosecuted with existing available evidence aren't, so the problem isn't a lack of evidence.

@dave_aitel @SteveBellovin @mattblaze

@womble @dave_aitel @SteveBellovin @mattblaze

I have said nothing remotely like that.

What societies built on laws need is for court orders to be executed.

IT-liberalists insist that /everything/ must be encrypted so that it can /never/ become evidence in a court of law.

Clausewitz warns to never back your enemy into a corner, from which the only way out is through your own destruction.

IT-liberalists did that.

PS: My next column in queue.acm.org will be about this very problem.

@womble @dave_aitel @SteveBellovin @mattblaze

And yes, it is possible and valid to hold a nuanced opinion which is neither "wiretap it all" nor "encrypt it all", and I do that.

It's called "a compromise". Look it up.