Introduction
For years, the FBI has expressed concerns that advancements in communication technologies have obstructed its electronic surveillance capabilities. Valerie Caproni, the FBI's General Counsel, articulated this issue during Congressional testimony.
The variety and complexity of accessing communications networks have significantly increased due to recent innovations in handheld devices. This evolution has transformed communication services from a simple customer-provider relationship, typically involving a single CALEA-covered provider like a telephone company, to a more intricate environment. Now, customers can utilize multiple access methods to engage simultaneously with various providers, including those located overseas or outside the jurisdiction of CALEA regulations.
While the government can secure a court order for collecting specific communications, it frequently issues this order to a provider that is not required by CALEA to be equipped to carry it out.
The FBI’s solution is “legislation that will assure that when we get the appropriate court order…companies…served…have the capability and the capacity to respond.”9
The request to expand CALEA to include IP-based communications is concerning, especially given the current national cybersecurity threats and the documented harm caused by CALEA in the past. This expansion prioritizes the needs of the Electronic Surveillance Unit over critical security risks associated with integrating wiretapping capabilities into communications infrastructure. It overlooks the increased vulnerabilities faced by other government agencies from hackers and nation-states, as well as the national imperative for innovation that fuels economic growth. Instead of focusing on the broader social implications, this approach risks compromising both security and progress.
7 See, for example, “Going Dark: Lawful Electronic Surveillance in the Face of New Technologies”,
The FBI, as highlighted by Director Robert S. Mueller III in a Senate Judiciary Committee statement, is exploring the possibility of requiring web platforms to be wiretap-ready, as reported by CNET News. This initiative raises concerns regarding the implications for various investigations, including those related to terrorism and drug trafficking, suggesting that the FBI's approach may overlook critical long-term national interests.
The FBI's proposal to modify social networking sites and VoIP services for wiretap accessibility poses significant security risks to our already fragile Internet infrastructure, increasing vulnerability to espionage and attacks on critical systems while stifling innovation. Strengthening communication infrastructure is a national priority, and the FBI's approach could inadvertently aid adversaries, contradicting the bureau's intentions and sound national priorities.
The evolution of technology over the past thirty years has transitioned from a centralized Public Switched Telephone Network (PSTN) operated by a monopoly to a decentralized Internet-Protocol (IP) network managed by numerous providers. This shift necessitated the Communications Assistance for Law Enforcement Act (CALEA) to aid law enforcement in managing wiretaps across multiple providers. However, challenges arise with peer-to-peer communications and end-to-end encryption, which can hinder authorized wiretaps. While law enforcement may not face immediate issues, future complications are likely, raising significant concerns about how to address these challenges. The FBI's proposals for regulating peer-to-peer networks and encryption have been criticized as inadequate solutions.
We suggest an alternative strategy in which government wiretappers mimic malicious actors by leveraging existing security vulnerabilities, rather than embedding wiretapping features directly into communication infrastructure and applications. This approach allows for a more covert method of surveillance while utilizing the abundant security weaknesses present in current systems.
10 Declan McCullagh, “FBI: We Need Wiretap-Ready Web Sites—Now”, CNET News, May 4, 2012, available at http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/
11 Indeed, sometimes the benefits are directly to the military. One NSA program, Commercial Solutions for Classified, combines government research with private-sector products to create highly secure communication tools. This approach utilizes a layering technique, enhancing security by integrating independent solutions, as discussed by Fred Roeper and Neal Ziring at the RSA Conference 2012.
12 Charlie Savage, “U.S. is Working to Ease Wiretaps on the Internet,” New York Times (September 27,
Six months after the New York Times reported on the FBI's pursuit of enhanced Internet wiretapping capabilities, FBI General Counsel Valerie Caproni indicated that the Administration is still exploring potential solutions and aims to collaborate with Congress soon. However, as of now, no legislative proposals have emerged to address the vulnerabilities present in nearly all operating systems and applications, which could be exploited to access the communications of individuals subject to wiretap orders.
We are not promoting the creation of new security vulnerabilities; instead, we highlight that exploiting existing ones is a more effective alternative to the FBI's proposals for enforcing infrastructure insecurity. Essentially, the dilemma lies in either formalizing the limited use of current vulnerabilities by law enforcement, a practice already employed by agencies like the FBI without significant oversight, or accepting the risks of these vulnerabilities while deliberately introducing new, predictable weaknesses that could be exploited by anyone despite efforts to prevent it.
Leveraging vulnerabilities to develop exploits and wiretap targets presents significant ethical concerns. When an exploit for a specific security flaw is deployed outside a controlled environment, it can be repurposed for malicious activities, potentially leading to severe consequences. Therefore, any initiative aimed at utilizing vulnerabilities for wiretapping must prioritize minimizing these associated risks.
This article examines the legal and policy challenges associated with using naturally occurring software vulnerabilities in law enforcement. It highlights the conflict between leveraging these vulnerabilities for legitimate investigations and their potential misuse by criminals. We advocate for a strict policy under which law enforcement promptly discloses any discovered vulnerabilities to the software vendor. This approach not only aids in crime prevention but also enables law enforcement to maintain a robust toolkit for conducting investigations, despite the inherent delays in the software lifecycle.
This paper focuses specifically on the use of vulnerabilities for communication intercepts, distinguishing it from the broader concept of "remote search." Although both approaches share similarities in utilizing vulnerabilities for access, they differ significantly in their technical and legal implications.
CALEA: The Change in Wiretap Architecture
The Communications Assistance for Law Enforcement Act (CALEA) was established during a time when the telecommunications landscape was predominantly centralized, with expectations of limited communication providers and a structure reminiscent of the Public Switched Telephone Network (PSTN) from the mid-20th century. However, CALEA did not foresee the rapid evolution towards IP-based communications and the surge of diverse services that would arise. This article explores the issues CALEA aimed to resolve, the unforeseen challenges it created, the security risks associated with its solutions, and the subsequent patchwork of adaptations that have developed to address the needs of IP-based voice communications.
We conclude by describing the impact on wiretapping and CALEA of these changes.
History of CALEA
CALEA originated in the early 1990s with the transition to digital voice transport in local phone networks, where ISDN emerged as a promising technology due to its high-speed data capabilities. Despite its advantages, traditional wiretapping methods were ineffective for ISDN lines, and the rapid growth of cellular telephony, characterized by its wireless nature, posed similar challenges for interception. In response, the FBI proposed the Digital Telephony Bill, advocating for a standardized interface for wiretaps. After extensive discussions regarding its coverage, CALEA was enacted, notably excluding “information services.”
CALEA was intended to apply only to telephony. More precisely, CALEA was intended to apply to “local exchange service”, i.e., local phone service but not long distance carriers. Then-FBI Director Louis Freeh made clear in his 1994 Congressional testimony that the Internet was not covered:21
18 ISDN—Integrated Services Digital Network—was defined in M. Decina; E. Scace (May 1986), The CCITT Recommendations on ISDN, CCITT Red Book 4. The 2B+D service consists of two 64 Kbps bearer channels and a 16 Kbps data channel for signaling purposes, such as call setup and teardown. The two bearer channels can be combined into a single 128 Kbps link, significantly faster than traditional single-line analog phone modems. Despite its advantages, ISDN never gained widespread adoption in the United States.
In 1992, the FBI introduced legislation aimed at imposing technical design requirements on all electronic communication providers, including those on the Internet. However, this proposal was swiftly dismissed without consideration.
20 47 USC 1001(8)(C)(i)
Mr. Freeh highlights that our focus is on phone-to-phone conversations transmitted over telecommunications networks, emphasizing the potential for criminal activity in this context.
Senator Pressler: What other portions of the information superhighway could people communicate with the new technology that there is not now a means of listening in or following?
Mr. Freeh noted that private computer communications, specifically PC-to-PC interactions that do not rely on a common telecommunications network, encompass a broad landscape, including the evolving Internet and various private communication systems. He emphasized that these systems are intentionally excluded from the scope of the legislation being discussed.
Senator Pressler: Are you seeking to be able to access those communications also in some other legislation?
Mr. Freeh expressed satisfaction with the bill, highlighting that it effectively defines the most crucial areas and fosters a consensus that appears to be largely achieved at this stage.
The law defines a "telecommunications carrier" as any individual or entity that provides wire or electronic communication switching or transmission services, as long as the Commission determines that these services significantly replace local telephone exchange services and serve the public interest.
Recently, CALEA coverage has been expanded to include the "last mile" service, which connects residences and businesses to their Internet Service Providers (ISPs). This extension has sparked controversy, particularly in light of Freeh's testimony and the exclusion of information services from CALEA. However, both the FCC and the courts have determined that this type of connection is not classified under information services.
21 See Joint Hearings before the Subcommittee on Technology and the Law of the Senate Judiciary Committee and the Subcommittee on Civil and Constitutional Rights of the House Judiciary Committee on H.R. 4922 and S. 2375, "Digital Telephony and Law Enforcement Access to Advanced Telecommunications Technologies and Services," Testimony of Federal Bureau of Investigation Director Freeh, at 203 (August 11, 1994)
22 See 47 U.S.C. §1001(8)(B)(ii) exclusion.
23 More precisely, the FCC made that ruling; relying on Chevron deference,24 the Court of Appeals upheld the FCC’s ruling.
The recent changes to CALEA are significant, but law enforcement is more concerned about the rapid decline of the traditional telephone network. Currently, over 35% of American households have abandoned landline phone service, and an additional 16% rarely receive calls on their landlines. This shift poses challenges for law enforcement as they adapt to the evolving communication landscape.
Communications Commission (FCC) is that the PSTN will effectively cease to exist by
Wiretap Consequences of Splitting Services and Infrastructure
The impending end of the Public Switched Telephone Network (PSTN) raises questions about the FBI's original vision behind the Communications Assistance for Law Enforcement Act (CALEA). However, the reality is more complicated, as the separation of services from physical connections has eliminated the critical chokepoint where CALEA could be effectively enforced. This significant shift does not seem to have been foreseen during the enactment of CALEA.
A paradigmatic case in which the decoupling presents serious wiretapping problems is when communication occurs through use of Voice over Internet Protocol (VoIP).
As was shown by Bellovin et al., a VoIP phone provider can be located far from its subscribers; indeed, it could be in another, possibly unfriendly, country.
The signaling path, which consists of links that transmit call setup messages, may differ from the voice path, responsible for carrying the actual conversation. Additionally, attempting to tap the last mile connection is likely ineffective, as VoIP connections are frequently encrypted.
A VoIP call setup between Alice and Bob is illustrated in Figure 1, where both individuals' phones are linked to their respective ISPs, Net 1 and Net 4. Each user subscribes to their own VoIP provider, which is also connected to distinct ISPs. The signaling messages, essential for establishing the call and indicating ringing, travel from Alice's phone through her ISP to the VoIP provider.
23 Am. Council on Educ. v. FCC (2006, App. DC) 371 US App. DC 307, 451 F.3d 226, 25 ALR Fed. 2d 717, reh. den. (2006, App. DC) 2006 US App. LEXIS 23061
24 See Chevron U.S.A., Inc. v. Natural Res. Def. Council, Inc., 467 U.S. 837, 104 S.Ct. 2778, 81 L.Ed.2d
In their study, "Wireless Substitution: Early Release of Estimates From the National Health Interview Survey," Stephen J. Blumberg and Julian V. Luke provide early insights into the prevalence of wireless phone usage in the United States. The report, based on data collected between January and June 2010, highlights significant trends in wireless substitution among households. The full report can be accessed at the CDC's National Center for Health Statistics website.
26 Technical Advisory Council, Federal Communications Commission, Summary of Meeting, September 27th, 2011, available at http://transition.fcc.gov/oet/tac/tacdocs/tac-meeting-summary-9-27-11-final.docx
27 See Steven M. Bellovin, Matt Blaze, Ernest Brickell, Clinton Brooks, Vint Cerf, Whitfield Diffie, Susan Landau, Jon Peterson, and John Treichler, Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP, 2006, available at https://www.cs.columbia.edu/~smb/papers/CALEAVOIPreport.pdf, especially Figure 1 at 4
28 This figure is adapted from Bellovin et al., id.
From Alice's VoIP provider, Provider 1, the signaling passes through Provider 1's ISP to VoIP Provider 2's ISP and on to VoIP Provider 2, which transmits a message via Net 4 to Bob's phone. Notably, the voice path travels directly from Net 1 to Net 4, bypassing Net 2, Net 3, and the VoIP providers, which do not carry the actual conversation. Additionally, all messages exchanged in this process may be encrypted.
In the current communication setup, law enforcement faces significant challenges in implementing wiretaps, as they lack prior knowledge of Alice and Bob's IP addresses before a call is established. Consequently, they cannot issue wiretap orders to Internet Service Providers (ISPs), which are uninvolved in the VoIP call and unable to decrypt the encrypted traffic. Additionally, VoIP providers do not access voice traffic and may operate under different jurisdictions, complicating enforcement efforts further. This scenario presents a complex landscape that is not conducive to traditional CALEA-like solutions for surveillance.
Republic Wireless offers a complex new phone service that combines IP and PSTN networks for calling. The service is designed to function mainly over WiFi networks, using Sprint's cellular network otherwise.
A CALEA tap could be strategically placed on the Internet-facing side of Republic's facilities; however, this would miss Sprint calls. Alternatively, placing a tap on Sprint's network would overlook VoIP calls. Although it is feasible to install taps on both networks, the differing protocols require special coding to manage not only the call handoff but also the necessary information for the tap, as standard signaling mechanisms are not utilized. Additionally, implementing pen register taps would involve even more complexity.
In addition to traditional PSTN replacements, various communication methods have emerged, such as email and text messaging, which present challenges for law enforcement regarding jurisdiction and real-time content access. Skype exemplifies this issue with its "over the top" architecture, lacking central switches, complicating compliance with CALEA regulations.
29 Walter Mossberg, “For $19, an Unlimited Phone Plan, Some Flaws”, Wall Street Journal, February 19, 2013, available at http://allthingsd.com/20130219/for-19-an-unlimited-phone-plan-some-flaws/
Tapping into a customer's Internet connection alone is inadequate, as customers often use various WiFi networks that such a tap would miss. Additionally, while Republic Wireless operates in the U.S., an offshore company could provide a similar service, which would be beyond the reach of U.S. courts.
As of now, the Republic Wireless network does not support transferring ongoing calls between WiFi and Sprint networks. However, this feature is expected to be implemented soon, according to industry sources.
32 FCC Critical Legacy Transition Working Group, “Sun-setting the PSTN” at 3, September 27, 2011, available at http://transition.fcc.gov/oet/tac/tacdocs/meeting92711/Sun-
Skype's peer-to-peer interface forwards signaling traffic among users, eliminating trusted elements that could function as wiretap nodes for pen register orders. Additionally, all calls are encrypted end-to-end.
Skype's architecture differs significantly from traditional client-server models, in which VoIP providers operate servers that individual phones connect to. In the conventional setup, phones communicate exclusively with their designated servers, which in turn interact with both clients and other servers, preventing direct connections between different VoIP providers. In contrast, Skype employs a peer-to-peer architecture, eliminating the need for dedicated servers. In this model, any device running a Skype client can engage in signaling, allowing Alice's phone to locate another Skype client to establish a connection with Bob, facilitating a direct network link without intermediary servers.
Skype has evolved its architecture by replacing traditional peer-to-peer (P2P) supernodes with dedicated servers hosted in Microsoft data centers. This shift, initiated by Microsoft, aims to enhance traffic management and improve overall performance.
In 2012, Skype transitioned from peer-to-peer supernodes to Linux boxes hosted by Microsoft, sparking allegations of potential surveillance capabilities (Scudder, CNN, 2012). However, these claims were contested by experts like Mary Branscombe, who argued that the shift was necessary for cloud integration (ZDNet, 2012). Matthew Kaufman, Skype's former principal architect, clarified that the change aimed to enhance scalability for mobile devices rather than enable monitoring (Whittaker, ZDNet, 2013). Additionally, Microsoft has sought a patent for eavesdropping mechanisms on VoIP networks, raising further concerns about their potential application in Skype.
See, e.g., Jaikumar Vijayan, “Microsoft seeks patent for spy tech for Skype”, Computerworld, June 28, 2011, available at https://www.computerworld.com/s/article/9218002/Microsoft_seeks_patent_for_spy_tech_for_Skype
New Technologies: Going Dark or Going Bright?
The "Going Dark" problem refers to the challenges law enforcement faces due to advancements in telephony, new communication technologies, and the growing use of encryption, which hinder their access to criminal communications. While some argue that these technological changes have left law enforcement at a disadvantage, others contend that modern developments have enhanced their capabilities, potentially even without the necessity for probable cause-based warrants. This raises important questions about the severity of the Going Dark problem and how the balance of power has shifted in the realm of communications.
Determining the exact number of failed wiretap attempts is challenging, as law enforcement has indicated it will not pursue wiretap orders for calls that are beyond interception. Additionally, the data stored unencrypted on Apple's servers raises further questions regarding accessibility and privacy.
The article discusses the implications of disinformation and the potential legal frameworks that could be utilized to address it. Specifically, it references a court order under the Stored Communications Act, which may allow law enforcement access to content, although this access might not be immediate. The source of this information is attributed to a blog post from April 4, 2013, on the Cato Institute's website.
In their 2004 paper, "Off-the-record communication, or, why not to use PGP," Nikita Borisov, Ian Goldberg, and Eric Brewer discuss the concept of "repudiation" from a computer science perspective, highlighting its distinction from legal interpretations. They emphasize that in cryptographic systems, it is mathematically impossible to definitively prove that a specific individual sent certain messages, as the model does not incorporate elements like circumstantial evidence or eyewitness testimony typically used in legal contexts.
A Washington Post article dated November 12, 2012, examines the communication method used by David Petraeus and Paula Broadwell, detailing the specific email trick that facilitated their correspondence. The full article is available at http://www.washingtonpost.com/blogs/worldviews/wp/2012/11/12/heres-the-e-mail-trick-petraeus-and-broadwell-used-to-communicate/
The availability of various information sources, including location data and commercial dossiers, has provided law enforcement with advantages that outweigh the challenges posed by technology. This dynamic landscape sees both criminals and police continuously adjusting their strategies in reaction to each other's capabilities. For instance, the evolution of cellular telephony highlights how these adaptations occur in real time.
The Crime Control and Safe Streets Act mandates the Administrative Office of the U.S. Courts (AO) to provide annual reports on Title III wiretaps. These reports include critical details such as the nature of the offense being investigated, the prosecuting attorney, the authorizing judge, the total number of intercepts, the number of incriminating intercepts, and the overall cost of the surveillance.
Since 2000, the number of wiretaps on portable devices has significantly increased, with 719 out of 1,190 Title III wiretaps recorded that year. By 2009, this figure rose to 2,276 out of 2,376, representing 96% of all wiretaps. This trend reflects the broader societal shift, as most Americans now depend on mobile phones for their primary communication.
Modern communication systems significantly enhance law enforcement's capabilities to track suspects and access their communications. Mobile phone taps are particularly valuable because they are more likely to capture conversations with targets rather than acquaintances, and they also provide critical location information. In fact, 96% of wiretapped communications yield valuable data on a person's whereabouts. The rise of instant communication methods, such as texting and cellular calls, along with centralized services like Gmail and Facebook, has streamlined the process for authorities, making it easier to monitor and gather evidence on individuals.
To evaluate overall risk, it is essential to consider the impact of previous threats on law enforcement's ability to monitor communications, particularly in light of technological advancements like encryption. This concern dates back to 1993, when the government introduced the "Clipper Chip," an encryption device intended to allow government access to encrypted communications. Current AO wiretap reports now provide insights into the frequency of encryption usage, highlighting its ongoing relevance in discussions about surveillance and privacy.
47 Administrative Office of the U.S. Courts, Wiretap Reports, http://www.uscourts.gov/Statistics/WiretapReports/WiretapReports_Archive.aspx [last viewed February 25, 2013]
48 Administrative Office of the U.S. Courts, Wiretap Report 2000, Table 7
49 Administrative Office of the U.S. Courts, Wiretap Report 2009, Table 7
According to the early release estimates from the National Health Interview Survey by Stephen J. Blumberg and Julian V. Luke, wireless substitution among households in the United States continued its notable growth during the first half of 2012. The findings, published in December 2012, highlight the increasing reliance on wireless communication and a significant shift in how individuals access and use telecommunication services. The full report is available at the CDC website.
IP geolocation technology enables the identification of an Internet user's location, often utilized to impose geographic restrictions on content access. Although many IP geolocation services offer limited accuracy, some companies enhance their precision by integrating IP address data with external information like search queries and delivery records.
Research indicates that the concern was not primarily about criminals utilizing key escrowed cryptography. Between 2001 and 2011, there were a total of 87 cases, with only one involving a federal wiretap order. Notably, law enforcement successfully decrypted all communications obtained through these wiretaps.
Many communication products, such as RIM's Blackberries and Skype, offer end-to-end encryption. Although some savvy criminals create their own encrypted networks, statistics show that most individuals targeted by Title III wiretaps typically use simpler solutions. These criminals often rely on commercially available equipment and cloud-based communication services, like Gmail.
The Difficulties of CALEA II
The Vulnerability Option
Extending the Communications Assistance for Law Enforcement Act (CALEA) to IP-based communications poses significant security risks, complicating wiretapping efforts in modern communication systems. To address the challenges of wiretapping in today’s digital landscape, we explore the vulnerability option, examining how law enforcement can effectively navigate the wiretap dilemma, the reasons behind the existence of these vulnerabilities, and the implications they carry for security and privacy.
“solution” must, in fact, always be part of the law-enforcement wiretap toolkit. We begin with a definition of terms.
Definition of Terms
We need to define a few commonly used technical terms in order to present the mechanics of employing a vulnerability for accessing a target system
A vulnerability refers to a weakness within a system that unauthorized entities can exploit, potentially compromising its integrity These vulnerabilities may arise from coding defects, such as "buffer overflow" or "use-after-free" instances, as well as misconfigurations like failing to change default passwords or leaving unnecessary services open Additionally, improper input text limitations can also create vulnerabilities, highlighting the importance of robust security measures in system design.
A buffer overflow occurs when a program receives more input than the allocated memory can handle, leading to data overflow For example, envision a clerk attempting to write a name that is too lengthy for the designated box on a form, causing the excess characters to spill into the "Official Use Only" section.
The 1988 Internet Worm incident highlighted the dangers of buffer overflow errors, leading to the first prosecution under the Computer Fraud and Abuse Act (18 U.S.C §1030) in the case of United States v Morris While modern programming languages like Java automatically detect such overflows, older languages such as C require programmers to implement safe coding practices to prevent these vulnerabilities In the past decade, a variety of tools have emerged to identify potentially unsafe code areas, significantly improving software security.
Programs can request and release storage space, making it available for other uses once they are finished A use-after-free bug occurs when a program accesses memory that is no longer allocated for its original purpose This can lead to confusion if another part of the program is reusing that storage, potentially causing errors or unexpected behavior.
A service is a mechanism that allows programs to listen for and respond to requests from other programs, often accessible via the Internet This can be compared to a building with a single address (the IP address) but multiple rooms designated for specific functions, such as a mailroom or information counter Secure systems typically limit the number of open ports to reduce external vulnerabilities For instance, if a computer not meant to serve as a web server inadvertently runs web server code, it could be exploited through flaws, emphasizing the importance of disabling unnecessary services Vulnerabilities can arise from various issues, such as unvalidated input leading to SQL injection attacks or weak passwords based on personal information.
A zero-day vulnerability refers to a security flaw that is identified and exploited before the vendor or the public is aware of it These vulnerabilities are often traded in the vulnerabilities market, and typically, both the vendor and the public learn about a zero-day only after a system has been compromised.
An exploit refers to the method used to gain unauthorized access to a system, which can take the form of a software program or a series of commands Exploits are categorized based on the vulnerabilities they target, and whether they require local access to the system or can be executed remotely via web pages or emails (known as Drive-by exploits) The outcome of executing an exploit, such as a rootkit, spoofing, or keylogger, is determined by the chosen payload at the time of execution Essentially, an exploit serves as a practical demonstration of leveraging a vulnerability.
In the context of cybersecurity, the payload of an exploit refers to the code executed on a target system to grant the attacker desired access Payloads can be categorized as single-action, like secretly creating a new user account for future access, or multi-action, which involves establishing a remote connection to the attacker's server and executing a series of commands It is essential for the payload to be tailored to the specific system architecture of the target for effective exploitation.
A dropper is a type of malware that installs a malicious payload on a target system. It can operate in one of two ways: as a single-stage program that directly executes and reveals the hidden payload following a successful exploit, or as a multi-stage component that runs on the target system while downloading files, including the payload, from a remote server.
A Man-in-the-Middle (MitM) attack is one in which an attacker intercepts the communication between a target and a trusted resource, positioning themselves as an intermediary. In a banking transaction, for example, the attacker masquerades as the bank to the target while simultaneously impersonating the target to the bank. By spoofing authentication credentials such as passwords or certificates, the attacker ensures that both parties believe they are engaged in a secure communication, so sensitive information is compromised without either party's knowledge.
SQL injection attacks exploit improperly filtered input, allowing parts of the input to be interpreted as commands instead of data. Attacks of this general form have existed in various guises since the 1970s, which highlights the importance of input validation in preventing unauthorized command execution.
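As an added illustration (not code from the paper), here is the pattern the definition describes, in Python against an in-memory SQLite table of constructed sample users: one login check splices the input into the query text, the other binds it as a parameter, and only the first lets part of the input be read as a command rather than as data.

```python
import sqlite3

# Constructed sample data (not from the original paper): a tiny user table.
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The unfiltered-input pattern: user input is spliced into the query text,
    so characters such as quotes become SQL syntax rather than data."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The corrected pattern: the query text is fixed and the input travels
    separately as bound parameters, so it can only ever be compared as data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both checks with a correct password and with the textbook
    quote-and-OR input, so the two patterns can be compared side by side."""
    conn = make_db()
    hostile = "' OR '1'='1"   # turns the password clause into an always-true test
    return {
        "vulnerable_good": login_vulnerable(conn, "alice", "s3cret-alice"),
        "vulnerable_hostile": login_vulnerable(conn, "alice", hostile),
        "fixed_good": login_parameterized(conn, "alice", "s3cret-alice"),
        "fixed_hostile": login_parameterized(conn, "alice", hostile),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {'login accepted' if outcome else 'login rejected'}")
```

With the vulnerable query the hostile string is accepted as a valid login; with bound parameters it is simply a password that does not match.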
A drive-by download attack occurs when a user visits a malicious website and harmful software is downloaded automatically, without any further action by the user. These attacks exploit vulnerabilities in web browsers, allowing attackers to intercept and manipulate communications and thereby gain access to sensitive information.
Spoofing in network security refers to an attack where an individual or program impersonates another by falsifying data, allowing them to gain unauthorized advantages.
How Vulnerabilities Help
Pre-existing vulnerabilities in software render the extension of CALEA unnecessary. To grasp this assertion, it is essential to understand the layered structure of modern computer operating systems. Each layer delivers specific services to the layer above while requesting services from the layer below. The interaction between hardware and software often enforces the boundaries between these layers, ensuring that only designated requests can be made to the lower layers.
The foundational layer of a computer system consists of hardware components, including CPU chips such as Intel's Pentium series, network interfaces, hard drives, and USB ports. For the sake of this discussion, we will consider this layer to be free of errors and secure. Although this assumption may not reflect reality, attacks targeting the hardware layer are typically more relevant to national security concerns than to law enforcement activities.
The kernel is a crucial layer of an operating system: it safeguards itself with hardware support and serves as the sole interface for communication with external hardware, including networks. When applications require access to network resources or disk drives, they must ask the kernel to perform these operations on their behalf, which makes the kernel responsible for enforcing system security and resource management.
File permissions determine which users own specific files and dictate who can read or write them. This necessitates a robust separation between programs executed by different users, a separation that is enforced by the kernel.
The final layer of interest is the user or application level, where most programs of interest, such as web browsers, email clients, and document editors, operate. These applications are generally associated with a specific user, who may be a physical person. Additionally, contemporary systems run numerous background processes, commonly referred to as "daemons," which support the main user-level programs.
Spoofing, often referred to as a masquerade attack, is a type of threat where an unauthorized entity illegitimately poses as an authorized user to gain access to a system or carry out malicious activities.
90 Some of this material appeared in different form in Bellovin et al., supra note 6 (the Going Bright paper).
91 These days, smart phones are built the same way; there is no need to discuss them separately.
While we will not delve into specific attacks such as eavesdropping on encrypted WiFi signals, vulnerabilities may also exist in the target's WiFi access point or router, which are themselves computers that can be hacked. Additionally, modern operating systems use various pseudo-users to run subsystems such as audio, file indexing, and USB device integration. For instance, a recent examination of a contemporary Apple Mac revealed at least ten active pseudo-users on the device.
Modern operating systems incorporate a security feature called a "sandbox," which lets a program run with fewer privileges than the user who launched it. Sandboxes are commonly used for applications considered highly susceptible to security vulnerabilities, such as PDF viewers and web browsers.
Vulnerabilities can exist at any layer of a system, but the usefulness of an exploit varies across these layers. For an exploit to serve its purpose, it must do more than target a vulnerability; it must also capture the actual data being communicated. This can occur within specific applications, such as Skype or gaming platforms with voice features, or at the kernel level by manipulating device drivers, which allows data capture from any application. While kernel exploits can effectively modify device drivers, they face difficulties in reading and writing files and in exporting captured data over the network, owing to technical limitations of the kernel environment.
Most initial breaches occur at the application level, using methods such as infected email attachments, malware on websites, and poorly implemented network protocols. Users may also unknowingly download and execute malicious programs, mistaking them for legitimate software. Regardless of the method, the outcome is the same: unauthorized programs are executed with the user's file access rights.
Under certain circumstances, this is sufficient for law-enforcement purposes. It generally provides adequate means for intercepting email; it may also suffice for
93 A device driver is a special part of the kernel that communicates with input/output devices such as disks, audio ports, network interfaces, etc. See, e.g., Andrew S. Tanenbaum and Albert S. Woodhull, Operating Systems Design and Implementation, 3rd Edition, Prentice-Hall, 2006.
The challenges associated with I/O APIs primarily stem from their design, which typically focuses on transferring essential parameters from the application level, and the inherent difficulties in managing I/O operations without a defined "process context." For a deeper understanding of these issues, refer to standard operating systems textbooks such as Tanenbaum and Woodhull.
It is widely accepted that kernels are less susceptible to attack because they primarily handle network packet headers rather than their contents. This belief is supported by an analysis of various vulnerability databases.
A considerable portion of software obtained through peer-to-peer networks is infected with malware, as shown by Michal Kryczka et al., "TorrentGuard: stopping scam and malware distribution in the BitTorrent ecosystem." This underscores the risk of downloading files from such platforms and the need for caution among users.
The University of Iowa's technical report UICS-08-05, dated April 24, 2008, focuses on identifying malware within BitTorrent, particularly the prevalence of key generation and activation utilities that are often employed for software theft. The report also examines transcript files from various instant messaging applications, highlighting their relevance to user-level exploits that facilitate remote searches, although such methods introduce additional complexities not addressed in the study.
For effective eavesdropping, penetrating a program is insufficient if that program is not the one used for the communications of interest. Most modern platforms prevent user programs from altering the kernel or system-owned files, such as those used by Skype. Therefore, to facilitate law enforcement eavesdropping from the user level, a second exploit, a "local privilege escalation" attack, is needed. This attack grants the program elevated privileges, allowing it to modify device drivers and other critical files. Although the two exploits are often independent of each other, the need for both complicates the overall attack.
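An added defender-side check, not from the paper, for the boundary described above: it walks a directory tree (a constructed sample standing in for a system directory) and reports files whose POSIX mode bits would let a user-level program that is not the file's owner modify them, then clears those bits. It assumes a POSIX filesystem; the paths and file names are constructed for the example.

```python
import os
import stat
import tempfile

# Mode bits that grant write access to someone other than the owner.
NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_non_owner(path: str) -> bool:
    """True if the permission bits let the group or everyone write the file,
    i.e. a user-level program that is not the owner could alter it."""
    return bool(os.lstat(path).st_mode & NON_OWNER_WRITE)


def audit_tree(root: str) -> list:
    """Return the paths under root (relative, sorted) whose permission bits
    allow modification by a non-owner. Symlinks are skipped because their own
    mode bits are not meaningful on most platforms."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            if writable_by_non_owner(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def remove_non_owner_write(path: str) -> None:
    """Mitigation: clear the group/other write bits so that only the owner can
    modify the file (the equivalent of chmod go-w)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~NON_OWNER_WRITE)


def fix_tree(root: str) -> int:
    """Audit root and harden every finding; return the number of files fixed."""
    findings = audit_tree(root)
    for rel in findings:
        remove_non_owner_write(os.path.join(root, rel))
    return len(findings)


def build_sample_tree() -> str:
    """Constructed sample layout (not a real system directory): one correctly
    protected executable and one that was left world-writable."""
    root = tempfile.mkdtemp(prefix="audit-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    os.chmod(bindir, 0o755)  # set explicitly so the result does not depend on umask
    good = os.path.join(bindir, "protected")
    bad = os.path.join(bindir, "exposed")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(good, 0o755)  # owner may write; group and others may only read/execute
    os.chmod(bad, 0o777)   # anyone may rewrite this file
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("writable by non-owner:", audit_tree(sample))
    print("hardened", fix_tree(sample), "file(s); remaining:", audit_tree(sample))
```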
Why Vulnerabilities Will Always Exist
We are suggesting use of pre-existing vulnerabilities for lawful access to communications. To understand why this is plausible, it is important to know a
97 On Windows, the privileged user is known as "Administrator"; on Unix-like systems, including MacOS and Linux, it is known as "root".
98 See, e.g., Eugene Spafford, "The Internet Worm Program", Computer Communications Review 19:1, January 1989, at 17-57, and J.A. Rochlis and M.W. Eichin, "With Microscope and Tweezers: The Worm from MIT's Perspective", Comm. ACM 32:6, June 1989, at 689-703.
A "sandbox" is a security mechanism that restricts an application program's privileges relative to those of the user who runs it. This brings us to a fundamental fact of software engineering: bugs are inevitable. In The Mythical Man-Month, Frederick Brooks explained why: 100
Achieving perfection is crucial in programming, akin to the precision required in magical incantations: even a single error or pause can render the process ineffective. Unlike many human endeavors that allow for imperfection, programming demands strict adherence to accuracy. Consequently, adapting to this high standard of perfection is often the most challenging part of learning to program.
Computers operate strictly according to their programming, executing commands without any ability to recognize errors or obstacles. Unlike humans, who adapt to unexpected situations, a computer will follow its instructions exactly, even if they lead to undesirable outcomes. If a program lacks specific checks for such impediments, any imperfection in the code can create a bug, which may manifest only rarely but is still a problem. In security-critical areas, such bugs become vulnerabilities, which is why meticulous coding practice matters.
A National Research Council study described the situation this way: 102
A significant portion of security vulnerabilities stems from poorly written code: more than one-third of Computer Emergency Response Team (CERT) advisories since 1997 address insufficiently validated input that leads to character string overflows, particularly in C programs. By contrast, fewer than 15 percent of CERT advisories concern issues that could have been mitigated through the correct application of cryptography.
Eliminating bugs in software may seem straightforward: simply test the program and fix whatever issues arise. However, finding bugs can be extremely challenging because of the complexity of programs, which often have so many potential execution paths that they cannot all be tested.
100 Frederick P. Brooks, The Mythical Man-Month, Addison-Wesley, 20th Anniversary Edition, 1995, at
101 In one classic incident, a single missing hyphen in a program contributed to the loss of the Mariner 1 space probe. See http://nssdc.gsfc.nasa.gov/nmc/spacecraftDisplay.do?id=MARIN1
102 Fred Schneider, ed., Trust in Cyberspace, National Academy Press, 1999, at 110.
The primary power of a computer lies in its ability to execute tasks conditionally, testing, for example, whether a number exceeds zero or whether a string contains specific characters. Such conditional tests let the program follow different execution paths depending on their outcomes. Each conditional has the potential to double the number of execution paths; not all tests are independent, which somewhat mitigates this effect, but a program with just 20 conditionals can still have an exponentially large number of possible execution paths.
Brooks presents a diagram illustrating the disparity between predicted and actual bug rates in complex code: projections anticipated a gradual start, then a rapid increase, then a leveling off of the rate at which bugs were found, but in reality the number of bugs found kept rising, exceeding the forecasts. He emphasizes that testing typically consumes about half of total development time, yet even this may be insufficient.
“Testing shows the presence, not the absence of bugs.” 107
Numerous techniques have been tried to eliminate bugs, including formal mathematical methods, better programming and debugging tools, improved organizational procedures, and better programming languages. Many of these have reduced the error rate, but none has solved the problem. Error-free code remains the ultimate goal of systems development, highly sought after yet never achieved.
When addressing computer security, the crucial question is whether the security-sensitive components of a system contain bugs, not merely whether the program as a whole has flaws. A practical strategy is to separate the system into security-sensitive and security-insensitive parts: bugs in the latter, while annoying, will not lead to catastrophic failures. This strategy both mitigates risk and improves the reliability of the security-critical elements, since the bug rate tends to increase disproportionately with program size.
2^20—1,000,000—possible paths through it; one with 40 conditionals (a very tiny number for a realistic program) has more than 1,000,000,000,000. Exhaustive testing is not possible under these circumstances.
104 See Brooks, supra footnote 100, at 42. The diagram is a previously unpublished one by John Harr, presented at the 1969 Spring Joint Computer Conference. It illustrates a single year's experience in the development of the #1 ESS, but it is unclear whether it ends because the project was complete or merely because that year ended; the programming effort probably extended beyond this period, as indicated by Phil Lapsley, Exploding the Phone, Grove Press, 2013, at 235, and W. Keister, R.W. Ketchledge, and H.E. Vaughn, "No. 1 ESS: System Organization and Objectives", Bell System Technical Journal 43:5, Part 1 (September 1964) at 1832. New versions of the code were unlikely to have fewer bugs; rather, the bug rate increases after some point (Brooks, supra, at 53-54).
106 See Brooks, supra footnote 100, at 10; see also the later explanation of the complexity of that model at 117.
107 Edsger Dijkstra, quoted in J.N. Buxton and B. Randell, eds., Software Engineering Techniques: Report on a conference sponsored by the NATO Science Committee, Rome, Italy, 27–31 October 1969,
Operational errors are also prevalent: the NSA reportedly violated privacy rules thousands of times per year, according to an audit reported by Barton Gellman in the Washington Post on August 16, 2013. See http://www.washingtonpost.com/world/national-security/nsa-broke-privacy-rules-thousands-of-times-per-year-audit-finds/2013/08/15/3310e554-05ca-11e3-a07f-49ddc7417125_story.html
One in ten incidents of improper surveillance data collection was due to typographical errors made by analysts when entering queries, resulting in the retrieval of U.S. phone call or email data. Confusion between country and city codes, such as mistaking Cairo's code (20 2) for Washington, DC's area code (202), also contributed to thousands of data collection errors. Because the security-sensitive section of the system is smaller, it should have significantly fewer bugs than the system as a whole: a program twice as large has been found to have more than twice as many errors.
This approach has been at the heart of most secure system designs for more than 50 years. It was set out most clearly in the so-called "Orange Book", the 1985 Department of Defense criteria for secure operating system design. 109 The Orange Book prescribed something called a "Trusted Computing Base", the security-essential portions of a system: 110
The Trusted Computing Base (TCB) is the core of a secure computer system: it encompasses all elements that uphold the security policy and ensure the isolation of critical objects such as code and data. Often referred to as the "security perimeter" in computer security discussions, the TCB should be as simple as possible while still performing its necessary functions, so that its protection is both understandable and maintainable.
The dream of a fully reliable Trusted Computing Base remains elusive for two main reasons. First, modern TCBs are far larger than those of the 1970s and 1980s, despite advances in software reliability. Second, the notion of what constitutes the TCB has become less clear, as more and more security incidents target components outside the traditional definition of "trusted." Notably, the first Internet worm, in 1988, exploited vulnerabilities outside the recognized TCB, showing that attacks at the user level can compromise systems effectively. The separation of trusted and untrusted components is therefore less effective than anticipated, because a vulnerability in any part of the system can be exploited by malware. Furthermore, contemporary applications are vastly more complex, often exceeding in size entire systems of the 1980s, which highlights the difficulty of achieving a secure operating environment today.
We conclude that for the foreseeable future, computer systems will continue to have exploitable, useful holes The distinction between flaws in the TCB and flaws
The 1985 DoD Trusted Computer System Evaluation Criteria, document 5200.28-STD, was published by the DoD Computer Security Center and is available at http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt. Its nickname comes from the color of its cover; it is part of the collection known as "The Rainbow Series."
111 See Spafford or Eichin and Rochlis, fn. 98, supra.