
Using vulnerabilities instead of new laws

By Jake Edge
September 11, 2013

A paper presented at the Privacy Law Scholars Conference in June asks an interesting question: what are the implications of allowing law enforcement to use existing vulnerabilities to wiretap the internet? In some sense, current events have outrun the paper's focus as we now know that the NSA has been using vulnerabilities in its quest for every last bit of internet traffic, but there are legitimate questions raised by the paper. If, someday, the US returns to the idea of actual oversight of domestic (at least) internet surveillance, it will be worth considering the tradeoffs described in the paper.

The paper starts by pointing out that critics of the Communications Assistance for Law Enforcement Act (CALEA), which mandated wiretap-friendly interfaces for telephony equipment, were fully justified by later events. Those interfaces were illegally used in a number of different ways, including wiretapping a large number of Greek politicians in 2005. Extending CALEA to the internet, which is something the FBI has been advocating, will predictably lead to similar abuses, so it is worthwhile to look at alternatives.

The authors, Steven M. Bellovin, Matt Blaze, Sandy Clark, and Susan Landau, instead propose that the FBI be authorized to use existing vulnerabilities for wiretapping. Rather than requiring vendors to insert vulnerabilities into their code so that the FBI can wiretap voice-over-IP (VoIP) and other communications, just recognize that there are already vulnerabilities available that allow the required access. But, there are a number of consequences—along with ethical questions—that stem from allowing that behavior.

The wide-ranging paper covers a lot of ground. Some of the more interesting technical discussion has to do with vulnerabilities themselves. The authors' argument, essentially, is that there will always be vulnerabilities available that will allow the capabilities needed by law enforcement. It is simply a matter of finding or obtaining them, then using them against the target for whom a warrant has been issued. Even if a CALEA-style law were passed for internet communications, they argue, there would still be a need for vulnerability-based wiretapping. There is existing software that doesn't implement the interfaces and targets may be using end-to-end encryption, for example.

But in order to gain access to the "right" vulnerabilities for the target (which would need to be determined by some kind of "technical reconnaissance"), the FBI would need to access the vulnerability "black market". Since the goal of wiretapping is different from that of typical attackers, any exploit would likely need to be modified to have a "wiretapping payload" rather than the usual spambot, remote-access, or credential-stealing payloads. There is, in short, quite a bit of work that would need to be done before bits of VoIP data start flowing to the cops. From what we know now, it would be far easier to just ask the NSA.

But, assuming the NSA option closes down at some point, the ethical dilemmas surrounding this whole idea still pose some significant hurdles. For example, if the FBI knows about a highly useful vulnerability that is also being exploited by botnet herders or other criminals, will it report the hole? Or if a company is about to release an update that closes a hole being actively used, will pressure be applied to delay (or subvert) the release? How does the FBI ensure that its wiretapping tools aren't disseminated to the underworld? There are, of course, plenty more questions beyond just those.

Overall, it is an interesting quandary. On the one hand, routing around a "CALEA for the internet" is certainly attractive. The harm to both innovation and privacy that could be caused by such legislation is huge. On the other hand, though, turning the FBI and other law enforcement organizations into players on the malware stage has its own set of dangers. The authors conclude that those dangers (or "uncomfortable issues" as they call them) are less of a concern than the legislative solution. Unfortunately for all of us, legislators and law enforcement rarely grasp the idea that there might be solutions outside of new laws. In fact, the NSA revelations may have shown an entirely different way to operate without any new laws.



Using vulnerabilities instead of new laws

Posted Sep 12, 2013 9:26 UTC (Thu) by pabs (subscriber, #43278) [Link]

> assuming the NSA option closes down at some point

Errrr.... that is quite an assumption. Is it at all realistic?

Using vulnerabilities instead of new laws

Posted Sep 12, 2013 18:40 UTC (Thu) by wtanksleyjr (subscriber, #74601) [Link]

Yes, it's safe to assume for the sake of argument that the NSA's supplying of illegal information from classified sources INTO law enforcement can be stopped. Assuming that doesn't require that we can stop the NSA (nor all of the military versions of the NSA's program); it only requires that the boundaries be enforced.

Granted that this is a hard problem, it doesn't mean we can't prepare for it. In fact, the preparations for it will help define and clarify the boundaries.

Using vulnerabilities instead of new laws

Posted Sep 12, 2013 18:48 UTC (Thu) by drag (subscriber, #31333) [Link]

The best way to deal with NSA is to de-fund it.

They only get to do what they do because they have billions of dollars to burn through each financial year. Take that away along with their ability to make things "top secret" and then they'll be forced to actually do their jobs rather than turning the USA into one big surveillance grid.

As long as they have billions of dollars and no accountability then it will always be a disaster no matter what bureaucratic things you put in place to try to manage them.

Using vulnerabilities instead of new laws

Posted Sep 16, 2013 16:10 UTC (Mon) by nix (subscriber, #2304) [Link]

De-funding it is never going to happen. All they have to say is 'but the terrorists!' and the govt will re-fund them again, despite terrorists being less of a danger to the citizens of the western world over the last ten years than trousers (precisely how the trousers killed people is not clear, let's spend £100 billion or so building a massive trouser-deaths surveillance infrastructure to find out!)

However, making it accountable *is* possible. Change the culture such that lying to Congress is considered unacceptable. Drop secret courts, and secret laws. Stop trying to surveil everything on the grounds that you might potentially need to look into anyone's private life, anywhere, anytime. i.e. start acting like actual intelligence and law enforcement agents again, not secret policemen.

Using vulnerabilities instead of new laws

Posted Sep 17, 2013 14:49 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

I'd think that getting Congress itself (and specifically, Congress critters) to not lie would be the first step here. Good luck with that :( .

Using vulnerabilities instead of new laws

Posted Sep 12, 2013 9:39 UTC (Thu) by mina86 (subscriber, #68442) [Link]

Another problem is that the FBI may be inclined to, or by participating in the black market may create an incentive for, secretly adding vulnerabilities to FOSS projects. Something that another article in this issue of LWN was worried about.

Using vulnerabilities instead of new laws

Posted Sep 12, 2013 11:46 UTC (Thu) by Seegras (subscriber, #20463) [Link]

It's quite clear that Black Hats (aka Secret Services) are using existing vulnerabilities to break into systems. But this is a completely different matter. It's the FBI. Which means LAW enforcement.

If law enforcement gets only garbage when intercepting communications via legal means, like subpoenaing the ISP for the traffic, then it gets only garbage. There is NO RIGHT for law enforcement to wiretap, there is only a permission to wiretap upon warrant; no matter what law enforcement agencies would like to have.

And there is certainly no right to compromise (and I mean compromise in every respect, including compromising the evidence) a suspect's computer. Law enforcement capabilities are meant to produce evidence, and as soon as law enforcement itself compromises a suspect's computer, it compromises their evidence as well; everything learned therefrom cannot be admitted in court and is not evidence any more. Thus it is not only useless in a judicial sense, but also completely not justifiable in view of the state of law (which, as said, only allows law enforcement to do certain things in order to produce evidence. No evidence, no permission).

We are extremely cautious when doing forensics as to not change anything, to not compromise evidence, to be able to prove nothing has been, and actually not even could have been, changed. And there is simply no reason why this should not apply to police work everywhere else.

Compromising suspects' computers is not a law enforcement technique, it's GESTAPO methods -- plant your evidence as you need it.

Using vulnerabilities instead of new laws

Posted Sep 14, 2013 14:30 UTC (Sat) by copsewood (subscriber, #199) [Link]

I'm sure a computer which has code added or modified by a law enforcement agency would be compromised from an evidential point of view in the minds of any lawyers and judges with a clue. Not so sure the same applies if a password or WiFi key is brute forced without running or modifying any code on the target system, just by using passively monitored data to spy on what takes place without changing what takes place or the system investigated in any way.

Using vulnerabilities instead of new laws

Posted Sep 14, 2013 7:28 UTC (Sat) by geofft (subscriber, #59789) [Link]

I worry that this will create broken incentives. Governments will put the weight of funding behind applications written in memory-unsafe languages instead of memory-safe ones, for instance, because they're more confident that the memory-unsafe ones will have vulnerabilities, and they're allowed to influence software in that way even if they're not allowed to directly add vulnerabilities. Support for tools to eliminate vulnerabilities in those memory-unsafe languages will be reduced, and so forth.

Using vulnerabilities instead of new laws

Posted Sep 14, 2013 7:44 UTC (Sat) by geofft (subscriber, #59789) [Link]

Okay, after actually RTFAing, page 50 briefly describes some related problems. The authors seem to believe that problems like this are unlikely, but they're addressing slightly different problems -- namely law enforcement not disclosing vulnerabilities they find or buy, and directly pressuring vendors not to patch. While I agree that those are unlikely, I do think that there's still a risk of subtler and longer-term effects.

For instance, while law enforcement would be unlikely to cause the state of libpurple's security response to worsen, if a compelling memory-safe alternative to libpurple were to arise, it would probably be worth it for the DOJ to hire someone to work on libpurple full-time in all earnestness -- not to subvert it, or to sabotage vulnerability reporting, but to make sure that the pile of C remains competitive and doesn't lose users to the new, less-inherently-vulnerability-filled newcomer.

Using vulnerabilities instead of new laws

Posted Sep 14, 2013 14:25 UTC (Sat) by copsewood (subscriber, #199) [Link]

"Or if a company is about to release an update that closes a hole being actively used, will pressure be applied to delay (or subvert) the release?"

It's likely to be a matter of coincidence whether the security agency not wanting the patch and the security company providing the patch are even in the same jurisdiction.

When considering the multiple kinds of fully or semi-legitimate security agencies in each of many nations, states and provinces with this interest, and the number of security companies, the application of such pressure is more likely to work against the objectives of the security agency by increasing the number of people who need to know, or know something about what they are doing. Seems to me that a security company based in Ruritania is likely to respond to a request by a police intelligence agency in Elbonia firstly by being unable to verify the legitimacy and authenticity of the request, and secondly by preferring the interests of their customers to those of claimed legitimate interests of a foreign government.

If the Elbonians have to go through the Ruritanian secret police to make this request, this also increases the size of the population with a need to know. Secrets can only ever be kept secret by limiting the size of the insider group who have to keep them secret, making this kind of coordination seem to me unlikely. More likely that as one exploit closes, others can be investigated and opened.

Using vulnerabilities instead of new laws

Posted Sep 24, 2013 8:17 UTC (Tue) by DavidS (subscriber, #84675) [Link]

Pah! The ONLY way to stop agencies raping their citizens is technically enforced transparency: Notify every surveyed citizen a year after the fact which agent read which communications related to which case. This notification has to be built in and automatic. No notification, no access.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds