[liberationtech] Bellovin, Blaze, Clark, Landau
coderman
coderman at gmail.com
Fri Feb 8 15:37:38 PST 2013
On Fri, Feb 8, 2013 at 1:35 PM, Tom Ritter <tom at ritter.vg> wrote:
> When law enforcement relies on vulnerabilities in the system (be it
> protocols, operating systems, applications, or web sites), they are
> incentivized to keep it insecure. If it were secure, how would they
> get in?

it would be nice if vulns were finite. experience shows us they are
infinite, discovered continuously. only effort required changes over
time.

> If I were a communications provider (e.g. Silent Circle), and I found
> that the FBI was hacking me to learn customer data... what is my
> recourse?

this treatise is focused on end user devices and not service provider
infrastructure. this is a requirement where end-to-end encryption is
applied.

> Just like when Matt Blaze wrote it in Wired, this feels like a
> mistimed April Fools joke.

attacking the client is already reality. there are tools to do it,
weaponized exploit markets, governments pursuing it for intelligence
ops / infowar; it is slowly but surely trickling down into the hands
of LE.

stuxnet, duqu, flame... there are mobile variants. they'll become
better known and more available.

i would prefer LE took this route rather than trying to force CALEA
for IP, but that doesn't make it any nicer a proposition.

best regards,