When law enforcement relies on vulnerabilities in the system (be it protocols, operating systems, applications, or web sites), they are incentivized to keep it insecure. If it were secure, how would they get in? Would the FBI patch their own systems against the bugs they know about? How would they control that information across all their systems? (This is an old hackers' puzzle: if you had an OpenSSH 0day, would you patch yourself against it?) If I were a communications provider (e.g. Silent Circle), and I found that the FBI was hacking me to learn customer data... what is my recourse? To borrow from the CFAA, the FBI is certainly performing unauthorized access or exceeding authorized access to a computer system. Am I allowed to kick them out? Sue them? What if they accidently crash a system because they're crappy exploit writers? Just like when Matt Blaze wrote it in Wired, this feels like a mistimed April Fools joke. -tom -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE