> We are calling for a conversation around how the government uses that technology.
...
> If the Snowden revelations taught us anything, it’s that the government is in little danger of letting law hamstring its opportunistic use of technology. Nor is the executive branch shy about asking Congress for more leeway when hard-pressed. That’s how we got the Patriot Act and the FISA Amendments Act, not to mention the impending changes to Federal Rule of Criminal Procedure 41 and the endless encryption “debate.”
I'd be worried that this would be mean that the conversation would be fruitless. The constituencies just won't hold Congress accountable because they don't understand or they don't care. Even though these events generate major headlines, I think most individuals think that it doesn't impact them, or that the only villains to be found are the ones in foreign states, but not ours. I kinda wish that Ars story about the corrupt DEA agents [1] were more publicized. It clearly illustrates the kind of damage that corrupt law enforcement can do. These are the same individuals who are able to summon the power of the Stingrays and similar technology.
> I'd be worried that this would be mean that the conversation would be fruitless. The constituencies just won't hold Congress accountable because they don't understand or they don't care.
In my opinion, this is the biggest issue. I'm more concerned that our democracy isn't functioning properly. Trust in the media is at an all-time low, conspiracy theories are flying left and right about everything, and now that some of them have been proven... the existing systems we have in place to change things... are not changing things. I don't get where we go from here.
Person in late 20s-early-30s in coastal California city (demo info given in anticipation of "out of touch old people"-type blaming followups): "What do you do?"
Me: "Computer software, internet stuff."
Them: "Oh, is that like that Snowden stuff? How are we going to prevent more people like him from leaking stuff?"
The EFF and such are generally awful at presenting their arguments in ways that are convincing to a general audience.
One of the effects of the generational differences in how we obtain our information about the world also impacts how we view current events in the world. The internet offers a much less filtered version. Unfortunately that means it also requires a higher degree of critical thinking.
Unfortunately, though, I think if your strategy is "hope people adjust their behavior on your own" then your sales pitch isn't going to be effective.
So if we want to change the status quo, how do we make it over that preaching-to-the-choir hump? (This sounds rhetorical, but it's more cynical/frustrated, actually - I don't have the answer.)
Stop saying "You disagree? You must be an idiot." to start. It's not always so explicit, of course, but it's pretty easy for a solid dose of scorn to slip into an argument that the true believers won't notice.
Another exercise is to try presenting (to yourself) the very best argument for the opposing side that you can. Now compare, is this the argument that you are refuting?
Does anyone know what provisions CFAA has to allow government hacking? Generally speaking, what are the laws relating to government investigative entities' compliance with law generally?
(asking with real curiosity and not taking any position)
Found this quote in an article[1] about the FBI's hacking to identify Ross Ulbricht, which made me curious to understand the underlying principles:
> “Even if the FBI had somehow ‘hacked’ into the [Silk Road] Server in order to identify its IP address, such an investigative measure would not have run afoul of the Fourth Amendment,” the prosecutors’ new memo reads. “Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to ‘hack’ into it in order to search it, as any such ‘hack’ would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary.”
Do breaking and entering statutes have specific exceptions for police? That's a real question, because now that I think about it, I don't know the answer.
In any case, you'll have a hard time convincing a prosecutor to file charges.
A warrant grants the holder specific exceptions. In the case of not having a warrant I'm not aware of any police-specific exceptions - there are general exceptions ("lawful excuse"), and qualified immunity would also apply provided they didn't violate clearly established law. IANAL.
A better submission for discussion would be Dave Aitel's piece at Lawfare, which is making the rounds in the industry right now, and is linked from this EFF advocacy piece. Nobody at EFF is as close to this issue as Aitel is.
I don't know enough to say whether that is the case here, but I trust the opinion of a non-profit organization established to defend my rights over an ex-NSA security firm CTO whom I admittedly know nothing about except what I just looked up.
Yes by all means read Aitel's piece before reading TFA's point-by-point critique.
I do think EFF is worried about too much here, which helps to distract from the main issues. I don't really care about vulns that the State finds or purchases from researchers. I do care about vulns that the State creates, abusing its position to weaken standards or infrastructure. More broadly, I definitely care about unlawful actions the State uses its vulns to commit.
Granted, it's difficult to sort one category from the other, from the outside. If we've learned anything, however, it's that we can't simply trust the insiders. EFF wants to know more, and so do I.
Dave's article's certainly worth reading, and he makes some good points. He's certainly closer to the intelligence agency and vulnerability market side of things than EFF is; but that's not the only aspect of the issue.
And as others have pointed out, closeness isn't always an advantage. Dave criticized the EFF post by saying
"This is a fundamental misstatement of how 0days work in the real world—in reality, the vulnerabilities used by the US government are almost never discovered or used by anyone else—and these falsehoods further confuse the conversation about 0day policy solutions."
Except of course that as the Shadow Brokers leak showed, quite a few of these vulnerabilities _have_ been discovered (and for all we know, used). The risk of something like this happens is something that EFF et al. always bring up, and the intelligence agencies and their supporters always dismiss it ... where's the "falsehood"?
The point you're making is orthogonal to the point Aitel is. Aitel is saying that on a day-to-day operational basis, Russia and China are usually using a different set of vulnerabilities than the USG is. So, putting Russian discoveries of USG tradecraft aside, the point he's making is very simple: is the USG is obligated to disclose its bugs, and meanwhile Russia is clearly not and never will be, then Russia has an advantage: it's bugs are safe, but its adversary has to churn through new ones.
No, this is where he's talking about how "The phenomenon of adding more noise than signal is now practically characteristic of misguided policy proposals in this area".
Specifically, he's using the EFF's statement "The problem is that if a vulnerability has been discovered, it is likely that other actors will also find out about it" as an example -- describing it as a "fundamental misstatement" because "the vulnerabilities used by the US government are almost never discovered or used by anyone else".
And then just ten days after his article, we've just seen a bunch of vulnerabilities not only discovered by somebody else but actually released on the web.
And the EFF's point is, that sounds nice, but how do we know the US is using different vulns than Russia and China? Especially when the US is sourcing those vulns from third parties?
This article is response to Dave Aitel's piece, which references an earlier post by the EFF.
I'm curious, where do you fall on this point Aitel makes:
> the EFF recently posted a blog stating,“The problem is that if a vulnerability has been discovered, it is likely that other actors will also find out about it, meaning the same vulnerability may be exploited by malicious third parties, ranging from nation-state adversaries to simple thieves.” This is a fundamental misstatement of how 0days work in the real world—in reality, the vulnerabilities used by the US government are almost never discovered or used by anyone else—and these falsehoods further confuse the conversation about 0day policy solutions.
There's a lot I don't agree with Aitel about and we do not generally think alike. However, a pretty useful rule of thumb for me has been, unless I have strong evidence to the contrary, if Aitel says something about zero-days, and particular about how they're used by governments, what he says is probably the way you should bet.
What is your basis for trusting him on that? Not trolling, I really want to know, because EFF is telling me not to trust him without evidence, which seems pretty rational to me.
He worked for NSA and his firm does a ton of vulnerability research and development, including creating probably the most sophisticated pentesting toolkit this side of a nation state(in fact I believe its explicit design goal is to simulate just that).
The whole point the EFF is trying to make is, apparently our government has a lot of knowledge and power with regards to computer vulnerabilities and exploits, and is using it all secretly with no oversight and no restraints that we normally hope to enjoy due to things like the 4th amendment. I feel weird even needing to explain this.
So, please forgive us when you say, "just trust this guy," and we are leery.
Do you have something more than an appeal to a much weaker authority? All I see as a counterargument is "EFF says otherwise". But EFF does not in fact staff experts in the development of zero-day exploits, and Dave Aitel --- apart from himself being one of those experts --- clearly does.
Update: slightly better summary of Dave Aitel's article.
I'm speaking about the greater issue of unchecked government power that the EFF raised. That does not come from a a simple appeal to authority, I hope we don't need to rehash the reasons we have a Bill of Rights and a government based on checks and balances. Dave Aitel's article was very focused on one of the EFF's concerns, management and disclosure of vulnerabilities, and much of what he said boiled down to, "Our enemies operate without oversight and so we need to also. Sorry, you are just going to have to trust us."
I'm sorry, but if we can't even agree about the facts, or even how we might arrive at the same ballpark of facts, what makes you think a debate of meta-facts is going to be productive?
We do seem to be talking past each other. Against better judgement, I'll try once more.
Dave Aitel can be the world's foremost expert on developing zero days with no peer in sight, but that doesn't automatically make him (or any expert) trustworthy. One of the great things about our government (when it functions correctly) is that we don't have to trust any one person in our government too much. We have things like transparency, checks and balances, competing interests and so on that help force everyone to be at least somewhat honest and responsible. The arguments that we should just shut up and trust the FBI and the NSA go counter to that. The EFF may not be expert in exploits, but even school children in the US understand basics about government corruption and the need for checks and balances.
I do think I understand Dave's argument. Oversight and transparency applied to US agencies with regards to exploits will not also be uniformly applied to non-US agencies and their use of exploits. Why does that matter even matter? Well, nobody seems to be coming out and saying as much but Dave and others strongly imply that we are in the middle of a secret all-out no-holds-barred high-stakes computer security war with other countries right now. Burdening the FBI and NSA with any kind of transparency or oversight requirements will put us at a disadvantage in that war and Bad Things will happen if we lose.
If that's really the case, then it sounds like we need Geneva Conventions for cyber war, something that protects all the worlds citizens from the land mines and mustard gasses of state sponsored computer hacking. Before that could ever happen we'd need to first admit we are in the middle of a cyber war, and nobody seems to want to do that.
I'm not sure there is a productive conversation to be had. Even in the very unlikely case of the US changing their policy, there's nothing stopping anyone else. Even in the very unlikely event that hackers can agree to how the Internet in its implementation should protect basic humans rights, it will be hindered by business interests. At this point we more or less have wait until robustness rather than growth becomes a competitive advantage and with the shift to Asia this could be many centuries.
...
> If the Snowden revelations taught us anything, it’s that the government is in little danger of letting law hamstring its opportunistic use of technology. Nor is the executive branch shy about asking Congress for more leeway when hard-pressed. That’s how we got the Patriot Act and the FISA Amendments Act, not to mention the impending changes to Federal Rule of Criminal Procedure 41 and the endless encryption “debate.”
I'd be worried that this would be mean that the conversation would be fruitless. The constituencies just won't hold Congress accountable because they don't understand or they don't care. Even though these events generate major headlines, I think most individuals think that it doesn't impact them, or that the only villains to be found are the ones in foreign states, but not ours. I kinda wish that Ars story about the corrupt DEA agents [1] were more publicized. It clearly illustrates the kind of damage that corrupt law enforcement can do. These are the same individuals who are able to summon the power of the Stingrays and similar technology.
[1] http://arstechnica.com/tech-policy/2016/08/stealing-bitcoins...