| I'm inclined to think that any computer used in good faith by law enforcement duly authorized to obtain evidence ought to be considered a "protected computer if it is specifically targeted as opposed to being affected by a ubiquitous harmful code not distributed with any expectations of causing harm to LEO discovery machines (eg the authors of ransom ware might reasonably expect law enforcement agencies to bare metal install known good OSs) What worries me most about this disclosure is the potential for abuse inside law enforcement agencies and departments . What if a evidence gathering machine is deliberately not patched against this e exploit? If I sold software like Cellebrite I would have at least attempted to make enforceable the cessation of licenses for any out of date instalation. What really confuses me is why vendors like Cellebrite don't have a commercial case for at least some level of independent testing of their wares in order to provide a limited warranty for the operation and results. Until now I actually thought it was necessary to obtain suchlike independent testing and make appropriate assurances to LEO to be able to legally sell such software in the first place. Article concludes the uneasy status quo permits all parties to do their best work respectively. Unmentioned is that that at least pays lip service to the American Way of meriticracy and endeavour and the ideal ultimate effect of fairness to all. ThIs is probably my naivety again ; but why can't laws prohibiting the use of 0Days exploitation work to the advantage of the law and society and commerce alike? If zero day exploits had to be disclosed to a central independent organisation (comprised of members from LEO and civilian life and working on a mandatory equal resources footing to enable citizen participants without any need for corporate sponsorship) and there was a definite widow permitting the use of exploits ended with a mandatory tested patch release and public announcement, I don't see how it would be unfair or the unreasonable for anyone on either side of the law. I would even consider it isn't a bad thing to disclose vulns identified by software engineering and not discovered publicly, to be notified to federal agencies when identified. I actually think that we should do this already for the protection of our diplomats and overseas representatives. Since we already have the instrumentation to selectively patch individual devices in widespread use, why cannot agencies request the exception of devices under surveillance to enable the security of the general public? I realise this doesn't work for covert and unlawful intercepts. And there do exist reasons for covert intercepts to be carried out. However every advanced society should be pushing such incidents to the margins with every available force possible. Security experts are worried about this argument because the global security of the USA is increasingly and credibly threatened. Show me how a well designed infrastructure for the protection of the innocent from unwarranted invasion, how I've outlined here, can possibly be a negative for law enforcement and national security and I'll eat my hat : the suggestions I'm making entirely reinforce the accessibility of intercept capabilities for lawful deployment and instrumentation for device specific code patching only enhances the potential for positive acquisition of intelligence on criminals and foreign agents. The USA should be peeling back the layers of the baseband implementations of 5G and immediately order the decommissioning of all 2G installations that are trivial to abuse. The faster the USA creates a viable OSS 5G RAN code base the faster foreign potentially hostile competition is disabled in the race for budget handsets and deployment. The number of people who have any interest in this field is small enough for background checks to not be prohibitive to open source goals. However serious consideration needs to be given to any blanket release to higher education institutions because the number of overseas students is simply too great to rule out hostile intentions. Along the similar lines we need to undo academic publishing holds on legitimate interest interest in research. Because only hostile nations are served by making the distributors of publicly funded research available to the public. I mentioned that last point because I think the most important argument of the article was about the blurring of the lines where actually really sensitive concerns do exist on the national basis that are being trivialized by a leading vendor of personal privacy communication software touting hacks in the way the author explained he found unbecoming and - unspoken but clear to me at least - dangerous to society as a whole. Last year I implemented so called "content protection" software for my company which enables the restriction of eg sending emails with sensitive words included. Or the attachment of files. And in depth classification and full text inspection tools and services. This is a growth market right now and I would strongly encourage anyone wanting interesting and well paid consulting work to study this area and particularly spend time for looking at how many new entrants are appearing constantly. My company doesn't expect to see much benefits from this expensive software installation, but the purpose we have is to use the obtained metadata for eg graph database analysis for assisting with our own research and development of opportunities from customer provided documentation and research. We're planning on linking back to raw incorporation filing feeds on individual parties and even public LinkedIn posts and comments. I'm mentioning that because the value of captured surveillance data in the raw becomes massively more potent information combined with the associated network of correspondents and individual sources and references. At one time when I was young I thought the cost for academic research papers was the cost of government surveillance of interested parties obtaining advanced insights into technology and analysis and systems. The software my company purchased is in theory capable of tracking the lifetime of a document that has been passed through any number of hands. Obviously it's trivial to air gap your reading device. But consider the volume of individual papers and documents you consume in any given year and certainly for the hn crowd that's likely a large number. Make it difficult for criminals to conceal the pathway taken up to their own devices by a very large number of information sources and the resulting black hole is a hypothetical perfect telltale snitch. Conversely, it's perfectly possible to enable free acquisition of research documents by a intermediary for the consumption of a legitimate researcher or team. I have worked for 30 years in specialist publishing in industry association members journals paid for by advertising. The Internet allegedly destroyed the viability of my business. What did happen was advertising agencies suddenly declared print media dead and ceased operations in my field almost in choreographed unanimity. This was 25 years ago. I actually think that it was my field that Google was interested in when they declared reported in Advertising Age and other trade media to have, along with a consortium of the biggest publishing houses, that their multi year and multiple hundreds of millions of dollars project for trading printed advertising online had failed and mentioned that particular obstacles included the very problems my company overcame just to start trading in 96. I don't think Google wanted to help anyone sell consumer targeted advertising. They almost certainly even in 04 knew that would be their market to themselves. But highly vertical advertising within industry niches where what's being advertised often is incomprehensible without accompanying features commissioned by the publication to cover a niche within a niche and attract everyone in that market as advertisers. Take 200 thousand times 4 for quarterly issues and 50 thousand average readers by name times 4 a low "reach" estimate gives 1.6*10^11 pairs of eyeballs per year in this forgotten and buried business. That's who will be only too happy to bear the infrastructure costs of the document management system necessary for a truly global scale tracking of research dissemination. Don't dismiss this immediately only for concerns about privacy : this couldn't fly without a way to give real privacy for the protection of researchers needing to avoid any giveaway of their direction and interests. Legally double blind intermediary agents as proxies are far from trouble to implement and I know that demand exists for such a proxy among some customers of ours for a additional layer of privacy and discretion for their work. We've almost forgotten because of the global economy how much the USA and critical input from other western nations is advanced compared to the row. I personally think that the expansion of university campus facilities has been happening because of foreign students demand and potentially profits from them assuming that zero interest rates continue until the debts are paid and assuming that that happens before the lifetime expectancy of the buildings erected creates a financial noose around higher educations head. The borrowing I've looked at doesn't have principal repayment horizons early enough by a very long way. Such expansion of a surveillance of research rrs |