[liberationtech] Bellovin, Blaze, Clark, Landau

[Tom Ritter]

When law enforcement relies on vulnerabilities in the system (be it
protocols, operating systems, applications, or web sites), they are
incentivized to keep it insecure.  If it were secure, how would they
get in?

Would the FBI patch their own systems against the bugs they know
about?  How would they control that information across all their
systems?  (This is an old hackers' puzzle: if you had an OpenSSH 0day,
would you patch yourself against it?)

If I were a communications provider (e.g. Silent Circle), and I found
that the FBI was hacking me to learn customer data... what is my
recourse?  To borrow from the CFAA, the FBI is certainly performing
unauthorized access or exceeding authorized access to a computer
system.  Am I allowed to kick them out? Sue them? What if they
accidently crash a system because they're crappy exploit writers?

Just like when Matt Blaze wrote it in Wired, this feels like a
mistimed April Fools joke.

-tom