
Lawful Hacking 1

Lawful Hacking:
Using Existing Vulnerabilities for Wiretapping on the Internet [1]

Steven M. Bellovin, Matt Blaze, Sandy Clark, Susan Landau [*]

DRAFT - August 18, 2013

For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. By the 1990s, though, the changing structure of telecommunications (there was no longer just "Ma Bell" to talk to) and new technologies such as ISDN and cellular telephony made executing a wiretap more complicated for law enforcement. Simple technologies would no longer suffice. In response, Congress passed the Communications Assistance for Law Enforcement Act (CALEA), [2] which mandated a standardized lawful intercept interface on all local phone switches. Technology has continued to progress, and in the face of new forms of communication (Skype, voice chat during multiplayer online games, many forms of instant messaging, etc.) law enforcement is again experiencing problems. The FBI has called this "Going Dark": [3] their loss of access to suspects' communication. According to news reports, they want changes to the wiretap laws to require a CALEA-like interface in Internet software. [4]

CALEA, though, has its own issues: it is complex software specifically intended to create a security hole (an eavesdropping capability) in the already-complex environment of a phone switch. It has unfortunately made wiretapping easier for everyone, not just law enforcement. Congress failed to heed experts' warnings of the danger posed by this mandated vulnerability, but time has proven the experts right. The so-called "Athens Affair", where someone used the built-in lawful intercept mechanism to listen to the cell phone calls of high Greek officials, including the Prime Minister, [5] is but one example. In an earlier work, we showed why extending CALEA to the Internet would create very serious problems, including the security problems it has visited on the phone system. [6]

In this paper, we explore the viability and implications of an alternative method for addressing law enforcement's need to access communications: legalized hacking of target devices through existing vulnerabilities in end-user software and platforms. The FBI already uses this approach on a small scale; we expect that its use will increase, especially as centralized wiretapping capabilities become less viable. Relying on vulnerabilities and hacking poses a large set of legal and policy questions, some practical and some normative. Among these are:

- Will it create disincentives to patching?
- Will there be a negative effect on innovation? (Lessons from the so-called "Crypto Wars" of the 1990s, and in particular the debate over export controls on cryptography, are instructive here.)
- Will law enforcement's participation in vulnerabilities purchasing skew the market?
- Do local and even state law enforcement agencies have the technical sophistication to develop and use exploits? If not, how should this be handled? A larger FBI role?
- Should law enforcement even be participating in a market where many of the sellers and other buyers are themselves criminals?
- What happens if these tools are captured and repurposed by miscreants?
- Should we sanction otherwise-illegal network activity to aid law enforcement?
- Is the probability of success from such an approach too low for it to be useful?

As we will show, though these issues are indeed challenging, we regard them as, on balance, preferable to adding more complexity and insecurity to online systems.

[1] This paper was presented at the Privacy Law Scholars Conference in June 2013; the authors have very much benefitted from the discussion and comments made there. We would especially like to thank Deirdre Mulligan, Marty Stansell-Gamm, and Judge Stephen Smith, as well as Daniel Immerman.
[*] Steven M. Bellovin is a professor of computer science at Columbia University. Matt Blaze is an associate professor of computer science at the University of Pennsylvania. Sandy Clark is a Ph.D. student in computer science at the University of Pennsylvania. Susan Landau is a 2012 Guggenheim Fellow.
[2] Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 USC 1001-1010.
[3] Valerie Caproni, General Counsel of the FBI, Statement Before the House Judiciary Committee, Subcommittee on Crime, Terrorism, and Homeland Security, February 17, 2011, available at https://www.fbi.gov/news/testimony/going-dark-lawful-electronic-surveillance-in-the-face-of-new-technologies
[4] Declan McCullagh, "'Dark' motive: FBI seeks signs of carrier roadblocks to surveillance", CNET News, Nov. 5, 2012, available at http://news.cnet.com/8301-13578_3-57545353-38/dark-motive-fbi-seeks-signs-of-carrier-roadblocks-to-surveillance
[5] Vassilis Prevelakis and Diomidis Spinellis, "The Athens Affair", IEEE Spectrum 44:7, July 2007, pp. 26-33, available at http://spectrum.ieee.org/telecom/security/the-athens-affair/0
[6] Steven M. Bellovin, Matt Blaze, Sandy Clark, and Susan Landau, "Going Bright: Wiretapping without Weakening Communications Infrastructure", IEEE Security & Privacy, Jan/Feb 2013.
Contents

I. Introduction
II. CALEA: The Change in Wiretap Architecture
  A. History of CALEA
  B. Wiretap Consequences of Splitting Services and Infrastructure
  C. New Technologies: Going Dark or Going Bright?
  D. The Difficulties of CALEA II
III. The Vulnerability Option
  A. Definition of Terms
  B. How Vulnerabilities Help
  C. Why Vulnerabilities Will Always Exist
  D. Why the Vulnerability Solution Must Exist Anyway
IV. Vulnerability Mechanics
  A. Warrant Issues
  B. Architecture
  C. Technical Aspects of Minimization
  D. Technical Reconnaissance
  E. Finding Vulnerabilities
  F. Exploits and Productizing
  G. The Vulnerabilities Market
V. Preventing Proliferation
  A. Policy Concerns in Deploying Exploits to Wiretap
  B. Ethical Concerns of Exploiting Vulnerabilities to Wiretap
  C. Technical Solutions to Preventing Proliferation
VI. Reporting Vulnerabilities
  A. Security Risks Created by Using Vulnerabilities
  B. Preventing Crime
  C. A Default Obligation to Report
VII. Policy and Legislative Issues
  A. Enforcing Reporting
  B. Exceptions to the Reporting Rule
  C. Providing Oversight
  D. Regulating Vulnerabilities and Exploitation Tools
VIII. Conclusions
I. Introduction

For several years, the FBI has warned that newer communications technologies have hindered the bureau's ability to conduct electronic surveillance. [7] Valerie Caproni, General Counsel of the FBI, put it this way in Congressional testimony: [8]

    Methods of accessing communications networks have similarly grown in variety and complexity. Recent innovations in hand-held devices have changed the ways in which consumers access networks and network-based services. One result of this change is a transformation of communications services from a straight-forward relationship between a customer and a single CALEA-covered provider (e.g. customer to telephone company) to a complex environment in which a customer may use several access methods to maintain simultaneous interactions with multiple providers, some of whom may be based overseas or are otherwise outside the scope of CALEA. As a result, although the government may obtain a court order authorizing the collection of certain communications, it often serves that order on a provider who does not have an obligation under CALEA to be prepared to execute it.

The FBI's solution is "legislation that will assure that when we get the appropriate court order...companies...served...have the capability and the capacity to respond..." [9]

While on the one hand this request is predictable (given past precedent), it is rather remarkable given current national cybersecurity concerns in light of stark evidence of the significant harm caused by CALEA. The request to expand CALEA to IP-based communications places the needs of the Electronic Surveillance Unit above all else: above the security risks that arise when you build wiretapping capabilities into communications infrastructure and applications, above the needs of other government agencies who face increased risk from hackers and nation states who may exploit this new vulnerability, and above the national need for innovation which drives economic prosperity. Rather than examining the issue in terms of social good (an examination that occurs each time a decision is made in prioritizing certain types of investigations, such as terrorism cases or drug cases, or in determining whether to conduct a particular investigation), the FBI has thrown down a gauntlet that ignores long-term national interest.

The FBI's preferred solution, "requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly", [10] will create security risks in our already-fragile Internet infrastructure, leaving the nation more vulnerable to espionage and our critical infrastructure more open to attack, and will hinder innovation. [11] The need for securing communications infrastructure is a national priority. By weakening communications infrastructure and applications, the FBI's proposal would mostly give aid to the enemy. Surely that is neither what the bureau intends nor what sound national priorities dictate.

The problem is technology. Over the course of the last three decades, we have moved from a circuit-switched centralized communications network (the Public Switched Telephone Network, or PSTN) run by a monopoly provider, to a circuit-switched centralized communications network run by multiple providers, to an Internet Protocol (IP) based decentralized network run by thousands of providers. The first change, from the monopoly provider to multiple providers, gave rise to the need for the Communications Assistance for Law Enforcement Act (CALEA), simplifying law enforcement's efforts to manage wiretaps with multiple, though relatively few, providers. But on certain occasions, such as the use of peer-to-peer communications or communications encrypted end-to-end, legally authorized wiretaps may be impeded. Even if law enforcement does not currently have a serious problem in conducting authorized wiretaps, with time it will. Thus there is a serious question of what is to be done. In appearing to request controls on peer-to-peer networks and on the use of encryption, [12] the FBI has floated highly flawed solutions. [13]

We propose another approach. Instead of building wiretapping capabilities into communications infrastructure and applications, government wiretappers can behave like the bad guys. That is, they can exploit the rich supply of security vulnerabilities already existing in virtually every operating system and application to obtain access to communications of the targets of wiretap orders. [14]

We are not advocating the creation of new security holes, [15] but rather observing that exploiting those that already exist represents a viable, and significantly better, alternative to the FBI's proposals for mandating infrastructure insecurity. Put simply, the choice is between formalizing (and constraining) the ability of law enforcement to occasionally use existing security vulnerabilities, something we note the FBI and other law enforcement agencies already do when necessary without much public or legal scrutiny, or living with those vulnerabilities and intentionally and systematically creating a set of predictable new vulnerabilities that despite best efforts will be exploitable by everyone.

Using vulnerabilities to create exploits and wiretap targets, however, raises ethical issues. Once an exploit for a particular security vulnerability leaves the lab, it may be used for other purposes and cause great damage. Any proposal to use vulnerabilities to enable wiretaps must minimize such risks.

In previous work, [16] we discussed the technical feasibility of relying on the vulnerability approach; here we focus on the legal and policy issues posed by this approach. In particular, we examine the tension between the use of naturally occurring software vulnerabilities to legitimately aid law enforcement investigations and the abuse of the same vulnerabilities by criminals. We propose that law enforcement adopt a strict policy of immediately disclosing to the vendor any vulnerabilities that come to their attention, as soon as they are discovered. As we will discuss, such a policy allows law enforcement to fully support crime prevention, and (because of the natural lag of the software lifecycle) can still allow law enforcement to build a sufficiently rich toolkit to conduct investigations in practice.

The discussion in this paper is limited to use of vulnerabilities for communications intercepts, rather than generic "remote search." While the two concepts have much in common, including the use of vulnerabilities to achieve access, there are distinct differences in both the technical and legal aspects.

Section II sets the stage, first by discussing how CALEA fit into the communications environment of the time, and then its disjunction with newly evolving communication systems. We then examine the reasons and risks of extending CALEA to IP-based communications. The continued existence of vulnerabilities, fundamental to our proposal, is discussed in Section III. In Section IV, we discuss their use for wiretapping. Using exploits to enable wiretapping raises a number of troubling questions. As the Stuxnet cyberattack [17] amply demonstrates, even carefully tailored exploits can extend past their intended target. Law enforcement's use of vulnerabilities therefore requires careful consideration of how to limit the proliferation, which we discuss in Section V, and whether law enforcement use of vulnerabilities should influence norms around vulnerability reporting, which we discuss in Section VI. In Section VII we discuss how to implement vulnerability reporting. We conclude our argument in Section VIII.

[7] See, for example, "Going Dark: Lawful Electronic Surveillance in the Face of New Technologies", Hearing Before the Subcommittee on Crime, Terrorism, and Homeland Security of the Committee on the Judiciary, House of Representatives, 112th Congress, February 17, 2011, Serial No. 112-59, available at http://judiciary.house.gov/hearings/printers/112th/112-59_64581.PDF.
[8] Id. at 14.
[9] See Statement for the Record, Robert S. Mueller, III, Director, Federal Bureau of Investigation, Committee on the Judiciary, United States Senate, Oversight of the Federal Bureau of Investigation, May 16, 2012, 112th Congress; see also Declan McCullagh, "FBI 'Looking at' Law Making Web Sites Wiretap-Ready, Director Says", CNET News, May 18, 2012, available at http://news.cnet.com/8301-1009_3-57437391-83/fbi-looking-at-law-making-web-sites-wiretap-ready-director-says.
[10] Declan McCullagh, "FBI: We Need Wiretap-Ready Web Sites, Now", CNET News, May 4, 2012, available at http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now.
[11] Indeed, sometimes the benefits are directly to the military. One NSA program, Commercial Solutions for Classified, uses products from government research "layered" with private-sector products to produce communication tools with high security (Fred Roeper and Neal Ziring, Building Robust Security Solutions Using Layering and Independence, RSA Conference 2012).
[12] Charlie Savage, "U.S. is Working to Ease Wiretaps on the Internet," New York Times (September 27, 2010) at A1.
[13] Six months after the New York Times reported the FBI was seeking additional capabilities for Internet wiretapping (Savage, id.), FBI General Counsel Valerie Caproni testified, "Congressman, the Administration is still working on what the solution would be, and we hope to have something that we can work with Congress on in the near future." See "Going Bright," supra note 6 at 40. As of this writing, no bill has been proposed.
[14] See Bellovin et al., footnote 6, supra.
[15] That is indeed far from the case. Some of the authors have devoted much of our professional careers to preventing or coping with them and the problems they cause.
[16] See Bellovin et al., footnote 6, supra.
[17] See Nicolas Falliere, Liam O Murchu, and Eric Chien, W32.Stuxnet Dossier, version 1.4, February 2011, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf. Stuxnet was apparently developed and launched by intelligence or cyberwarfare agencies; as such, its design is likely quite different from a law enforcement exploit.
II. CALEA: The Change in Wiretap Architecture

The Communications Assistance for Law Enforcement Act (CALEA) was born of a certain time and certain place. It was a law created with the expectation of multiple, but relatively few, communications providers, and of a telephone network that, while not exactly the world of the Public Switched Telephone Network (PSTN) of the 1930s-1980s, was not substantively removed from it. It was anticipated that both the technical and business structure of communications networks would remain centralized. The changing telecommunications industry of multiple providers and digitized transport underlay the law, but the impact of the more fundamental changes that were percolating at the time of CALEA's passage (IP-based communications and enormous numbers of services) was not anticipated at the time. In this section, we discuss the problems that CALEA was intended to address and the problems it was not, briefly mention the security risks created by these solutions, and describe the patchwork of solutions that have emerged to cover IP-based voice communications. We conclude by describing the impact on wiretapping and CALEA of these changes.

A. History of CALEA

CALEA had its roots in the nascent switch to digital transport of voice over the phone network's local loops in the early 1990s. ISDN was touted as the next wave of telephony, since it could provide what was for the time very high speed data over a switched line. [18] For all ISDN's advantages, however, it was not possible to tap ISDN lines with the traditional "two alligator clips and a tape recorder". Furthermore, cellular telephony was growing rapidly; because the communication was wireless and mobile, cellular communications, too, could not be tapped that way. While specialized interception gear could have been developed, the FBI instead proposed what was originally known as the Digital Telephony Bill, a standardized interface for wiretaps. After considerable debate over the scope of coverage, [19] the current form of CALEA was passed, specifically excluding "information services". [20]

CALEA was intended to apply only to telephony. More precisely, CALEA was intended to apply to "local exchange service", i.e., local phone service but not long distance carriers. Then-FBI Director Louis Freeh made clear in his 1994 Congressional testimony that the Internet was not covered: [21]

    Mr. Freeh. We are really talking about phone-to-phone conversations which travel over a telecommunications network in whole or part. That is the arena of criminal opportunity that we are discussing.
    Senator Pressler. What other portions of the information superhighway could people communicate with the new technology that there is not now a means of listening in or following?
    Mr. Freeh. From what I understand, and again, I am probably the worst person in this room to answer the question, communications between private computers, PC-PC communications, not utilizing a telecommunications common net, would be one vast arena, the Internet system, many of the private communications systems which are evolving. Those we are not going to be on by the design of this legislation.
    Senator Pressler. Are you seeking to be able to access those communications also in some other legislation?
    Mr. Freeh. No, we are not. We are satisfied with this bill. I think it delimits the most important area and also makes for the consensus, which I think it pretty much has at this point.

This consensus was reflected in the law, which defined a "telecommunications carrier" to include "a person or entity engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of this subchapter". [22]

More recently, CALEA coverage has been extended to "last mile" service: the link between a residence or business and its ISP. While controversial because of Freeh's testimony and the exclusion of information services in CALEA, the FCC and the courts have held that this class of link is not covered by the information services exclusion. [23] More precisely, the FCC made that ruling; relying on Chevron deference, [24] the Court of Appeals upheld the FCC's ruling.

This change to CALEA, though important, is of less concern to law enforcement than is the fate of the traditional telephone network. It is going away, and far faster than anyone had forecast. Already, more than 35% of American households do not have landline phone service; about 16% more who have landlines never or almost never receive calls on them. [25] Indeed, the working assumption in the Federal Communications Commission (FCC) is that the PSTN will effectively cease to exist by 2018. [26]

[18] ISDN (Integrated Services Digital Network) was defined in M. Decina and E. Scace (May 1986), "CCITT Recommendations on the ISDN: A Review", CCITT Red Book 4 (3): 320-25. In its most common form, it provided so-called 2B+D service: two 64 kilobit/second "bearer" channels, and a 16 Kbps data channel for signaling, e.g., call setup and teardown. The two bearer channels could be combined into a single 128 Kbps link for pure data; this is more than twice as fast as any single-line analog phone modem can ever provide. For a variety of reasons, it never caught on in the United States as a common service.
[19] In 1992, the FBI proposed legislation that would have "allowed the technical design mandates on any provider of any electronic communications, including the Internet." (See Corrected Petition for Rehearing En Banc, Case 13-0304, Am. Council on Educ. v FCC, Court of Appeals for the D.C. Circuit, July 28, 2006 at 12, available at https://www.cdt.org/wiretap/calea/20060731calearehearing.pdf.) The proposal was "rejected out of hand". (Id.)
[20] 47 USC 1001(8)(C)(i)
[21] See Joint Hearings before the Subcommittee on Technology and the Law of the Senate Judiciary Committee and the Subcommittee on Civil and Constitutional Rights of the House Judiciary Committee on H.R. 4922 and S. 2375, "Digital Telephony and Law Enforcement Access to Advanced Telecommunications Technologies and Services," Testimony of Federal Bureau of Investigation Director Freeh, at 203 (August 11, 1994).
[22] See 47 U.S.C. 1001(8)(B)(ii).
[23] Am. Council on Educ. v FCC (2006, App DC) 371 US App DC 307, 451 F3d 226, 23 ALR Fed 2d 717, reh den (2006, App DC) 2006 US App LEXIS 23061.
[24] See Chevron U.S.A., Inc. v. Natural Res. Def. Council, Inc., 467 U.S. 837, 104 S.Ct. 2778, 81 L.Ed.2d 694 (1984).
[25] Stephen J. Blumberg and Julian V. Luke, Wireless Substitution: Early Release of Estimates From the National Health Interview Survey, January-June 2012, available from http://www.cdc.gov/nchs/data/nhis/earlyrelease/wireless201212.pdf.
[26] Technical Advisory Council, Federal Communications Commission, Summary of Meeting, September 27th, 2011, available at http://transition.fcc.gov/oet/tac/tacdocs/tac-meeting-summary-9-27-11-final.docx.

B. Wiretap Consequences of Splitting Services and Infrastructure

It might be tempting to say that the coming end of the PSTN vindicates the FBI's vision when it proposed CALEA. The actual situation, though, is far more complex; the decoupling of services from the physical link has destroyed the chokepoint at which CALEA could be applied. This does not appear to have been anticipated at the time of CALEA's passage.

A paradigmatic case in which the decoupling presents serious wiretapping problems is when communication occurs through use of Voice over Internet Protocol (VoIP). As was shown by Bellovin et al., a VoIP phone provider can be located far from its subscribers; indeed, it could be in another, possibly unfriendly, country. Furthermore, the "signaling path" (the set of links that carry the call setup messages) can differ from the "voice path", the links that carry the actual conversation. [27] (Tapping the last mile connection is likely fruitless, since VoIP connections are often encrypted.)

This is best explained by a diagram. Figure 1 shows a plausible setup for a VoIP call from Alice to Bob. [28] Alice's and Bob's phones are each connected to their own ISPs, Net 1 and Net 4. They each subscribe to their own VoIP provider, which are in turn connected to their own ISPs. The signaling messages (that is, the messages used to set up the call, indicate ringing, etc.) go from Alice's phone, through her ISP to VoIP Provider 1's ISP, to her phone company. It then contacts VoIP Provider 2, via its ISP; VoIP Provider 2 sends a message through Net 4 to Bob's phone. The actual voice path, however, goes directly from Net 1 to Net 4; neither Net 2, Net 3, nor the VoIP providers even carry the actual conversation. As noted, any or all of the messages may be encrypted.

[27] See Steven M. Bellovin, Matt Blaze, Ernest Brickell, Clinton Brooks, Vint Cerf, Whitfield Diffie, Susan Landau, Jon Peterson, and John Treichler, Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP, 2006, available at https://www.cs.columbia.edu/~smb/papers/CALEAVOIPreport.pdf, especially Figure 1 at 4.
[28] This figure is adapted from Bellovin et al., id.

In this setup, where can a tap be placed? On any of the ISPs? Law enforcement has no a priori information where Alice and Bob will be (their current IP addresses) prior to their setting up a call, so law enforcement cannot serve the ISPs with a wiretap order. To make matters worse, the ISPs have nothing to do with the VoIP call, nor can they read the encrypted traffic. At one of the VoIP providers? They do not see the voice traffic. And, of course, they may be in a different jurisdiction (for example, Skype was originally hosted in Luxembourg). This is a scenario that has no points amenable to a CALEA-like solution.
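To make the split between signaling path and voice path concrete, here is an added example in Python (not part of the original paper or of the CALEA/VoIP report it cites). It parses a SIP INVITE for the Figure 1 call: the Via headers record every hop the signaling crossed, while the SDP body names the address and port where the media will actually flow, which is Alice's own phone and not any provider. The message is constructed for this illustration; the IP addresses are RFC 5737 documentation ranges, the domains voip1.example and voip2.example are made up, and the inline SRTP key is a throwaway sample value.

```python
"""Added example: where does a VoIP call's signaling go, and where does its media go?

Parses a SIP INVITE (RFC 3261) with an SDP body (RFC 4566) and separates the
signaling path, recorded hop by hop in the Via headers, from the media endpoint
named in the SDP c=/m= lines. The message is constructed for the Figure 1
topology: Alice's phone (Net 1) -> VoIP Provider 1 (Net 2) -> VoIP Provider 2
(Net 3) -> Bob's phone (Net 4). All addresses are RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed INVITE as it would arrive at Bob's phone. Each proxy prepends its
# own Via, so the topmost Via is the last hop and the bottom one is Alice.
SAMPLE_INVITE = (
    "INVITE sip:bob@voip2.example SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 198.51.100.20;branch=z9hG4bK-p2\r\n"      # VoIP Provider 2 (Net 3)
    "Via: SIP/2.0/TLS 192.0.2.10;branch=z9hG4bK-p1\r\n"         # VoIP Provider 1 (Net 2)
    "Via: SIP/2.0/TLS 203.0.113.5:5061;branch=z9hG4bK-a1\r\n"   # Alice's phone (Net 1)
    "From: <sip:alice@voip1.example>;tag=1928301774\r\n"
    "To: <sip:bob@voip2.example>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 203.0.113.5\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.5\r\n"        # media flows to Alice directly, not to any proxy
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"    # SAVP = SRTP, i.e. encrypted media
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnUnCg==\r\n"
)

VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.IGNORECASE)


@dataclass
class CallPath:
    signaling_hops: list        # IPv4 hosts in the order the INVITE crossed them
    media_addr: str             # where RTP/SRTP will flow (SDP c= line)
    media_port: int             # SDP m= port
    media_profile: str          # "RTP/AVP" (cleartext) or "RTP/SAVP" (SRTP)
    sdes_key: Optional[str]     # SRTP master key if carried inline in the SDP (RFC 4568)


def parse_invite(raw: str) -> CallPath:
    """Split an INVITE into its signaling hops (Via) and media endpoint (SDP)."""
    head, _, body = raw.partition("\r\n\r\n")
    hops = []
    for line in head.split("\r\n"):
        m = VIA_RE.match(line)
        if m:
            hops.append(m.group(1).rsplit(":", 1)[0])  # drop optional :port (IPv4 only)
    hops.reverse()                                     # origin first, last proxy last

    conn = port = profile = key = None
    for line in body.split("\r\n"):
        if line.startswith("c="):
            conn = line.split()[-1]
        elif line.startswith("m=audio"):
            _, port, profile, *_ = line.split()
            port = int(port)
        elif line.startswith("a=crypto:"):
            key = line.split("inline:", 1)[1].split("|")[0]
    if conn is None or port is None:
        raise ValueError("SDP body lacks a c= or m=audio line")
    return CallPath(hops, conn, port, profile, key)


def tap_points(path: CallPath) -> dict:
    """Classify the Figure 1 positions by what a tap placed there would yield."""
    return {
        # the providers see INVITE/BYE (pen-register data) but never a media packet
        "signaling_only": [h for h in path.signaling_hops if h != path.media_addr],
        # the ISP serving this address carries the media, as SRTP ciphertext
        "media_endpoint": path.media_addr,
        "media_encrypted": path.media_profile.endswith("SAVP"),
        # with SDES the key rides in the SDP: whoever reads signaling holds the
        # key to media they never carry, and the network carrying media never sees it
        "key_in_signaling": path.sdes_key is not None,
    }


if __name__ == "__main__":
    print(tap_points(parse_invite(SAMPLE_INVITE)))
```

The result separates the two hop sets the paper describes: 192.0.2.10 and 198.51.100.20 (the VoIP providers) appear only in the signaling path, and the media endpoint 203.0.113.5 is Alice's own address on Net 1. The SDES caveat is what makes the CALEA question hard in practice: when the key is carried in the SDP over TLS-protected signaling, the providers hold the key but see no media, while the ISP carrying the media sees only SRTP ciphertext, so no single party in the diagram can produce the conversation on its own.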
Other services are more complex still. Consider the new phone service being offered by Republic Wireless, which uses a combination of IP and PSTN networks to call. The service is intended to operate primarily over WiFi networks and the Internet; however, it can switch to Sprint's 3G cellular network as needed. [29] Where could a CALEA tap be placed? Certainly, a tap could be placed on the Internet-facing side of Republic's facilities, [30] but that would miss Sprint calls. Conversely, there could be one on Sprint's network, but that would miss calls made via VoIP. It is of course possible to place taps on both networks, but the protocols are very different and special code would be needed to hand off not just the call but also the information necessary to carry out the tap, since the ordinary signaling mechanisms would not be used. [31] Pen register taps would be even more involved.

Apart from reasonably straightforward (though structurally different) PSTN replacements, a large variety of other communications schemes have gained popularity. Email and text messages are the obvious replacements, though even these pose challenges for law enforcement due to issues of jurisdiction and lack of real-time access to content. Skype is perhaps the most extreme case. Its architecture, which the FCC report calls "over the top," [32] has no central switches. Even apart from questions of jurisdiction, there are no locations where a CALEA-style interface could be provided. Everything is done peer-to-peer; ordinary Skype users forward signaling traffic for each other. [33] Because of this, there are no trusted elements that could serve as wiretap nodes, at least for pen register orders; furthermore, calls are always encrypted end-to-end. [34]

It is useful to contrast the Skype architecture with the conventional client-server architecture shown in Figure 1. In that configuration, the VoIP providers run servers to which the individual phones (the clients) connect. These are architecturally different roles; when setting up calls, phones talk only to their associated servers; the servers talk to the clients but also to each other. It is not possible for Alice's phone to contact VoIP Provider 2 directly; they have no business relationship, and therefore cannot set up a direct network link. [35] In a peer-to-peer setup such as is used by Skype, there are no servers, i.e., no architecturally distinguished roles. [36] Rather, every computer or device running a Skype client can participate in the signaling. Alice's phone (somehow) finds another Skype client and asks it to connect to Bob. This node finds another, which finds another, etc., until

[29] Walter Mossberg, "For $19, an Unlimited Phone Plan, Some Flaws", Wall Street Journal, February 19, 2013, available at http://allthingsd.com/20130219/for-19-an-unlimited-phone-plan-some-flaws/.
[30] Tapping the customer's own Internet connection would not suffice, since the customer is likely to use multiple WiFi networks that such a tap would miss. Also note that while Republic Wireless is a U.S. company, there is no reason why a similar service could not be offered by an offshore company over which U.S. courts have no jurisdiction.
[31] As of this writing, the Republic Wireless network cannot do handoffs of an in-progress call from a WiFi network to Sprint or vice-versa. According to Mossberg, supra footnote 29, that feature is planned for the near future.
[32] FCC Critical Legacy Transition Working Group, "Sun-setting the PSTN" at 3, September 27, 2011, available at http://transition.fcc.gov/oet/tac/tacdocs/meeting92711/Sun-Setting_the_PSTN_Paper_V03.docx at 1.
[33] It is unclear how true this still is. Skype has long had the concept of a "supernode", a well-connected computer that carries considerably more traffic. Of late, Microsoft (the current owner of Skype) has been deploying dedicated supernodes in its own data centers; see Dan Goodin, "Skype replaces P2P supernodes with Linux boxes hosted by Microsoft (updated)", Ars Technica, May 1, 2012, available at http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/. There have been some allegations that the replacement was done precisely to permit surveillance (see, e.g., John D. Scudder, "Can Skype 'wiretap' video calls?", CNN,
}uly 24, 2u12, available at http:www.cnn.com2u12u724techwebskype-suiveillance); these
aie uisputeu by Naiy Bianscombe, "Foiget the conspiiacy theoiies: Skype's supeinoues belong in the
clouu", ZBNet, }uly 27, 2u12, available at http:www.zunet.comfoiget-the-conspiiacy-theoiies-
skypes-supeinoues-belong-in-the-clouu-7uuuuu172u. The one-time piincipal aichitect of Skype,
Natthew Kaufman, has explaineu that the change was uone to accommouate the switch fiom always-
on uesktops to batteiy-poweieu mobile uevices; *-- Zack Whittakei, "Skype uitcheu peei-to-peei
supeinoues foi scalability, not suiveillance", ZBnet, }une 24, 2u1S, available at
http:www.zunet.comskype-uitcheu-peei-to-peei-supeinoues-foi-scalability-not-suiveillance-
7uuuu1721S. Niciosoft has applieu foi a patent on mechanisms foi eavesuiopping on voIP
netwoiks; some commentatois have allegeu that this technology will be incoipoiateu into Skype.
=--7 -I;I7 }aikumai vijayan, "Niciosoft seeks patent foi spy tech foi Skype", !"#>$)-/1"/9E, }une 28,
2u11, available at
https:www.computeiwoilu.comsaiticle9218uu2Niciosoft_seeks_patent_foi_spy_tech_foi_Sky
pe.
S4
Foi a goou, albeit uateuanu paiu foi by Skypeieview of the enciyption aichitectuie, *-- Tom
Beison, "Skype Secuiity Evaluation", 0ctobei 18, 2uuS, available at
http:www.anagiam.combeisonabskyeval.html.
SS
This is not a technical limitation pei se; howevei, voIP Pioviuei 2 knows nothing of Alice's phone,
anu hence is not willing to believe any asseitions about its phone numbei, the peison who uses it,
etc. Noie impoitantly, because of the lack of a business ielationship it will not pioviue seivice to
Alice's phone since it will not be paiu foi its effoits.
S6
This is not stiictly tiue. The Skype seiveis, howevei, aie involveu only in iegisteiing new useis
anu pioviuing them with ciyptogiaphic cieuentials. They aie not involveu in call setup, let alone
being in the voice path.
Lawful Hacking 1S
Bob's phone is locateu.
S7
At point, Alice's anu Bob's phones exchange signaling
messages anu set up the voice path. This voice path is in piinciple uiiect, though foi
vaiious ieasons incluuing the existence of fiiewalls othei Skype noues may ielay the
(enciypteu) voice packets. The lack of cential seiveis, othei than foi usei
iegistiation anu enhanceu seivices such as calling out to PSTN numbeis,
uiamatically cut the opeiational costs anu alloweu Skype to offei fiee oi extiemely
cheap phone calls.
S8

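The contrast drawn above, as an added toy model that is not part of the paper: the same call pattern (Alice calling many people) is pushed through a client-server setup, where every phone's signaling passes through its provider's server, and through a peer-to-peer setup, where the caller's node asks an arbitrary peer, which asks another, until the callee is found. The node names, the two-provider split and the random-relay lookup are assumptions of the model, not Skype's actual routing; the question it answers is whether any third party sees enough of the calls to serve as a wiretap node.

```python
"""Added example (not from the paper): where could a wiretap point sit in the
two call-setup architectures?  Node names, the two-provider split and the
random-relay lookup are modelling assumptions, not Skype's real behaviour."""
from collections import Counter
import random


def client_server_observers(caller, callee, provider_of):
    """Third parties that handle this call's signaling: the two providers' servers."""
    return {provider_of[caller], provider_of[callee]}


def p2p_observers(caller, callee, peers, hops, rng):
    """Third parties that handle this call's signaling: a fresh, randomly chosen
    relay chain.  Choosing new relays per call mirrors the text's point that the
    path used for one call is probably not the path used for another."""
    others = [p for p in peers if p not in (caller, callee)]
    return set(rng.sample(others, hops))


def best_third_party_coverage(observer_sets):
    """Return (node, fraction): the single third party that saw the most calls and
    the share of all calls it saw.  A share near 1.0 is a viable intercept point;
    a share near hops/len(peers) means nobody is."""
    seen = Counter()
    for observers in observer_sets:
        seen.update(observers)
    node, count = seen.most_common(1)[0]
    return node, count / len(observer_sets)


def simulate(n_calls=200, n_peers=1000, hops=6, seed=1):
    """Run the same call pattern (Alice calling many people) through both models."""
    rng = random.Random(seed)
    peers = [f"peer{i}" for i in range(n_peers)]                        # constructed network
    provider_of = {p: f"provider{i % 2}" for i, p in enumerate(peers)}  # two VoIP providers
    alice = peers[0]
    cs_sets, p2p_sets = [], []
    for _ in range(n_calls):
        bob = rng.choice(peers[1:])
        cs_sets.append(client_server_observers(alice, bob, provider_of))
        p2p_sets.append(p2p_observers(alice, bob, peers, hops, rng))
    return {
        "client_server": best_third_party_coverage(cs_sets),
        "peer_to_peer": best_third_party_coverage(p2p_sets),
    }


if __name__ == "__main__":
    for model, (node, share) in simulate().items():
        print(f"{model:14s} best vantage point {node:12s} sees {share:.1%} of calls")
```

Alice's own provider sees every one of her calls in the client-server model, while in the peer-to-peer model the busiest relay sees only a few percent of them, and a different few percent on each run.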
All that said, one of the Snowden revelations is that the NSA can indeed intercept Skype calls.[39] No technical details have been disclosed; all we know is that the NSA can intercept audio and video, with complete metadata. It remains unclear if the solution is one that is usable by ordinary law enforcement, or if it relies on techniques (such as advanced cryptanalysis) that are peculiar to the intelligence community.[40]

Text messaging has also changed. Originally, it was a simple protocol for mobile phones. Recently a number of variant implementations have been introduced that either provide a better experience in some fashion (Apple's iMessage, for example, will send copies of inbound messages to all of a user's devices; these can include tablets and Mac computers as well as phones), or provide phone-like text messaging for non-phone devices such as tablets.[41]

Non-traditional text messaging applications have already proven problematic. According to one report, attributed to a Drug Enforcement Administration memo,[42] the encryption used by Apple's iMessage has already stymied wiretap orders.[43] There are even instant messaging applications designed not just to encrypt traffic, but to provide "repudiation", the ability to deny that you sent certain traffic.[44]

Beyond that, many non-obvious communications mechanisms can serve for direct communications as well. In one well-known case, General David Petraeus and Paula Broadwell apparently sent each other messages by creating and saving draft email messages in a shared Gmail account.[45] Many multiplayer games include text or even real-time voice communications between players; while nominally intended to lend realism to the game (soldiers in the same unit in action games can talk to each other; fighters on opposing sides can yell challenges or insults), such applications can also be used for surreptitious communications. Given that the Internet is a communications network, this raises the specter that all programs can be considered communications systems.

New Technologies: Going Dark or Going Bright?

Collectively, the changes in telephony, the rise of new communications technology, and (to some extent) the increasing use of encryption have been called the "Going Dark" problem: law enforcement has been unable to keep up with these changes and is losing access to criminals' communications. Technology works both ways, however; others have claimed rightly that modern developments have actually increased the practical ability of law enforcement,[46] perhaps even without the need for probable cause-based warrants. How serious is the Going Dark problem? How has the balance changed?

A firm, quantitative answer to the former question is probably not possible. We cannot say how many tap attempts have failed, because law enforcement has said that it will not seek wiretap orders for calls it cannot intercept. Furthermore, the situation is not static; both criminals and police adapt their tactics in response to the other side's abilities and tactics. Consider cellular telephony. Under the Omnibus Crime Control and Safe Streets Act, the Administrative Office of the U.S. Courts (AO) reports annually on all Title III wiretaps, including the offense under investigation, who the prosecuting attorney was, who the authorizing judge was, how many intercepts, how many incriminating intercepts, the cost of the surveillance, etc.[47] In 2000, the report began listing how many wiretaps were of portable devices; there were 719 out of a total 1190 Title III wiretaps.[48] By 2009 it was 2276 out of 2376, or 96%.[49] This, of course, mirrors the trends of society as a whole; as noted, a majority of Americans rely on mobile phones for most of their incoming calls.[50]

That last fact provides a partial answer to the question of gaining and losing capabilities as a result of modern communication systems. Because they are far more likely to capture the target's conversations (rather than a spouse's or business associate's), mobile phone taps are more valuable than wireline taps. Furthermore, mobile data can include information on where someone is. This means that 96% of wiretapped communications provide law enforcement with extremely valuable location information. The same is true of many Internet connections, whether fixed or mobile.[51] In other words, the prevalence of immediate communications (texting, cellular calls, and the like) and centralized services (Gmail, Facebook) has vastly simplified law enforcement's ability to both track suspects and access their communications.

Another way to assess the overall risk is to look at the net effect of prior threats: how much has the police ability to monitor communications been affected by prior technological changes, such as encryption? The issue has long been a concern, so much so that in 1993 the government announced the so-called "Clipper Chip", an encryption device designed so that the government could read otherwise-encrypted traffic.[52] The AO wiretap reports now include data on how often encryption has been encountered.[53] The data are interesting. The total between 2001 and 2011 is 87; of these, only one was the subject of a federal wiretap order.[54] The AO noted that law enforcement was able to decrypt all the wiretapped communications.

There is no lack of communications products that provide end-to-end encryption: RIM's Blackberries, Skype, etc. While there are smart criminals who do use (and even build) their own encrypted communications networks,[55] the AO numbers demonstrate that criminals against whom Title III wiretaps are used are typically not in that category. Instead they tend to simple solutions: Commercial Off-The-Shelf (COTS) equipment and communications in the cloud (Gmail, Facebook). Few use the peer-to-peer communication channels that are problematic for law-enforcement wiretaps. The implication for law-enforcement use of vulnerabilities for performing Title III wiretaps is simple: law enforcement will not need to go that route very often.

Put another way, criminals are like other people: few use cutting-edge or experimental devices to communicate. Instead they stick with COTS. If nothing else, COTS products are generally easier to use and work better, a definite advantage. Furthermore, understanding of the fine details of new technologies such as encryption is limited. The distinction between end-to-end encryption and client-to-server encryption is lost on most people, criminals included; similarly, the question of whether the encryption is going to the right party is often not even asked. Good software usually performs the proper checks,[56] but even production code has had serious errors.[57]

[37] How the call eventually reaches Bob's phone is a rather complex technical matter, and not relevant here. Let it suffice to say that Skype nodes regularly exchange enough navigational messages that it can be done.
[38] The lack of central servers was a deliberate architectural choice, designed to evade legal constraints. Architecturally, it was based on the Kazaa file-sharing network; it in turn was designed to operate without vulnerable nodes that could be targeted by copyright infringement lawsuits. That notwithstanding, the operator, Sharman Networks (which profited from ads displayed by the Kazaa software), eventually shut down the service to settle several suits.
[39] See Glenn Greenwald, Ewen MacAskill, Laura Poitras, Spencer Ackerman and Dominic Rushe, "How Microsoft handed the NSA access to encrypted messages", The Guardian, July 11, 2013, available at http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data/print.
[40] Microsoft has claimed that in 2012 it produced "no content" to law enforcement from Skype calls. See Brad Smith, "Microsoft Releases 2012 Law Enforcement Requests Report", March 21, 2013, available at https://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx; also see the linked-to reports at https://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/.
[41] There are many such applications available. http://ipod.about.com/od/iphoneappsreviews/tp/4-Ways-To-Text-With-The-Ipod-Touch.htm gives one list, but new ones are constantly appearing.
[42] See Declan McCullagh, "Apple's iMessage Encryption Trips up Feds' Surveillance", CNET News, April 4, 2013, available at http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/.
[43] Since the design of the protocol has not been published, it has not been possible for outside experts to assess this claim. Some have asserted, based on certain externally-visible characteristics (e.g., the ability to do a password reset and still see old messages), that the messages must be stored unencrypted on Apple's servers; see, for example, Julian Sanchez, "Untappable Apple or DEA Disinformation?", April 4, 2013, available at http://www.cato.org/blog/untappable-apple-or-dea-disinformation. If that is true, a court order under the Stored Communications Act, 18 USC 2071 et seq., would provide law enforcement with the content, albeit perhaps not in real time.
[44] See Nikita Borisov, Ian Goldberg, and Eric Brewer, "Off-the-record communication, or, why not to use PGP," Proceedings of the 2004 ACM workshop on Privacy in the electronic society, ACM, 2004. Note that "repudiation" (derived from its more common cryptographic counterpart, "nonrepudiation") is used here as a computer scientist would use it. It refers to certain cryptographic properties: in terms of the encryption mechanisms used, it is not possible to show mathematically that a given person has sent certain messages. Concepts that a lawyer might rely on, e.g., circumstantial evidence or eyewitness testimony to the contrary, are not part of this mathematical model.
[45] See "Here's the E-Mail Trick Petraeus and Broadwell Used to Communicate", Washington Post, November 12, 2012, available at http://www.washingtonpost.com/blogs/worldviews/wp/2012/11/12/heres-the-e-mail-trick-petraeus-and-broadwell-used-to-communicate/.
[46] The claim is that the existence and availability of other information, such as location data, commercial data dossiers, and readily available contact information, has given law enforcement far more than technology has taken away. See, e.g., Peter Swire and Kenesa Ahmad, Encryption and Globalization (November 16, 2011), Columbia Science and Technology Law Review, Vol. 23, 2012; Ohio State Public Law Working Paper No. 157. Available at SSRN: http://ssrn.com/abstract=1960602 or http://dx.doi.org/10.2139/ssrn.1960602.
[47] Administrative Office of the U.S. Courts, Wiretap Reports, http://www.uscourts.gov/Statistics/WiretapReports/WiretapReports_Archive.aspx [last viewed February 25, 2013].
[48] Administrative Office of the U.S. Courts, Wiretap Report 2000, Table 7.
[49] Administrative Office of the U.S. Courts, Wiretap Report 2009, Table 7.
[50] See Stephen J. Blumberg and Julian V. Luke, Wireless Substitution: Early Release of Estimates From the National Health Interview Survey, January-June 2012, December 2012, available at http://www.cdc.gov/nchs/data/nhis/earlyrelease/wireless201212.pdf.
[51] A technology known as "IP geolocation" can be used to determine where an Internet user is. It is frequently used to enforce geographic restrictions on access to content; see, e.g., http://mlb.mlb.com/mlb/official_info/about_mlb_com/terms_of_use.jsp#4. While many IP geolocation services provide fairly coarse resolution, some companies have done far better by combining IP address information with outside data such as search queries, purchase delivery records, etc.
[52] See John Markoff, "Electronics Plan Aims to Balance Government Access With Privacy", New York Times, April 16, 1993, available at http://www.nytimes.com/1993/04/16/us/electronics-plan-aims-to-balance-government-access-with-privacy.html. See also Matt Blaze, "Notes on key escrow meeting with NSA", Risks Digest 15:48, February 8, 1994, at http://catless.ncl.ac.uk/Risks/15.48.html#subj1: "They indicated that the thinking was not that criminals would use key escrowed crypto, but that they should not field a system that criminals could easily use against them. The existence of key escrow would deter them from using crypto in the first place. The FBI representative said that they expect to catch 'only the stupid criminals' through the escrow system."
[53] As a result of Public Law 106-197, since 2000 the AO has reported the annual total of state and federal wiretap orders encountering encryption.
[54] There were (Administrative Office of the U.S. Courts, Wiretap Report 2001, at 5), an additional 18 for 2001 reported in 2002, as well as 16 for 2002 (Administrative Office of the U.S. Courts, Wiretap Report 2002, at 5), one in 2003 (Administrative Office of the U.S. Courts, Wiretap Report 2003, at 5), two in 2004 (Administrative Office of the U.S. Courts, Wiretap Report 2004, at 5), 13 in 2005 (Administrative Office of the U.S. Courts, Wiretap Report 2005, at 5), none in 2006 (Administrative Office of the U.S. Courts, Wiretap Report 2006, at 5), none in 2007 (Administrative Office of the U.S. Courts, Wiretap Report 2007, at 5), two in 2008 (Administrative Office of the U.S. Courts, Wiretap Report 2008, at 5), one in 2009 (Administrative Office of the U.S. Courts, Wiretap Report 2009, at 9), six in 2010 (Administrative Office of the U.S. Courts, Wiretap Report 2010, at 9), and twelve in 2011 (Administrative Office of the U.S. Courts, Wiretap Report 2011, at 8-9); all but one of these were state wiretaps (the one federal case occurred in 2004).
[55] Spencer Ackerman, "Radio Zeta: How Mexico's Drug Cartels Stay Networked," WIRED, December 27, 2011, http://www.wired.com/dangerroom/2011/12/cartel-radio-mexico/ [last viewed February 18, 2013].
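The proper check that footnote 56 describes, beside the class of error footnote 57 points to, as an added example that is not code from the paper or from any browser: a hostname matcher over the dictionary shape Python's ssl.getpeercert() returns, audited against an accept-everything verifier of the kind the Android SSL study found in production apps. The certificates are constructed sample data and the helper names are assumptions.

```python
"""Added example (not from the paper): does the name the client dialled actually
appear in the server's certificate?  Certificates below are constructed sample
data in the dict shape of ssl.SSLSocket.getpeercert(); no network is used."""
import ipaddress


def _name_matches(pattern, hostname):
    """RFC 6125-style match of one certificate name against one hostname.
    A wildcard is honoured only as the entire left-most label ("*.bank.example"),
    never spans a dot, and never matches a bare domain or an IP literal."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    try:                                   # wildcards never apply to IP addresses
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False                       # only the "*.x.y" form, with a real suffix
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_in_certificate(cert):
    """Names the certificate binds its key to.  As browsers do, subjectAltName is
    authoritative; the subject commonName is consulted only when no SAN exists."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches_certificate(hostname, cert):
    """The proper check: the dialled name must appear among the certificate's names."""
    return any(_name_matches(name, hostname) for name in names_in_certificate(cert))


def accept_all_verifier(hostname, cert):
    """The broken pattern: a verifier that never says no.  It yields a perfectly
    valid encrypted session to whoever answered, which is exactly the "is the
    encryption going to the right party" question the text says is seldom asked."""
    return True


# Constructed sample certificates (dict shape of ssl.getpeercert()).
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
}
EVIL_CERT = {  # a valid certificate, but for an unrelated name
    "subject": ((("commonName", "evilhackerdudez.org"),),),
    "subjectAltName": (("DNS", "evilhackerdudez.org"),),
}


def audit_verifier(verifier):
    """Run a verifier over constructed cases and return the ones it gets wrong;
    usable as a regression test for a client's TLS layer."""
    cases = [
        ("www.bank.example", BANK_CERT, True),
        ("WWW.BANK.EXAMPLE", BANK_CERT, True),       # names are case-insensitive
        ("login.bank.example", BANK_CERT, True),     # wildcard covers one label
        ("a.b.bank.example", BANK_CERT, False),      # but never two labels
        ("bank.example", BANK_CERT, False),          # and not the bare domain
        ("www.bank.example", EVIL_CERT, False),      # footnote 56's EvilHackerDudez case
    ]
    return [(host, expected) for host, cert, expected in cases if verifier(host, cert) != expected]


if __name__ == "__main__":
    print("proper check failures:", audit_verifier(hostname_matches_certificate))
    print("accept-all failures:  ", audit_verifier(accept_all_verifier))
```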
Fiom this peispective, the most seiious thieat to legally authoiizeu wiietapping is
exemplifieu by the Skype aichitectuie. viitually all email seivices featuie (at most)
enciyption fiom the client to the mail seivei; the messages iesiue in plaintext on the
mail pioviueis' uisks.
S8
By contiast Skype pioviues tianspaient enu-to-enu
enciyption fiom the senuei to the ieceivei; theie is no miuule man that sees the
communication "in the cleai." Skype is gaining an incieasing shaie of the
inteinational telephony maiket.
S9
But even with Skype, though, investigatois aie
not shut out completely; as it tuins out, anu even without ieauing the enciypteu
text, Skype leaks the IP auuiesses of its useis.
6u
This pioviues the equivalent of pen
iegistei uata anu often location infoimation as well.
61

Technological changes will also play a iole. Bowevei, it is uifficult at this point to
make confiuent pieuictions about the futuie uiiection of technology. The two
populai tienus, clouu computing anu peei-to-peei netwoiking, have opposite effects
on law enfoicement's ability to monitoi communications.
Clouu computing moves moie anu moie stoiage anu computation to uistant,
netwoik-connecteu seiveis. Touay's email scenaiio is an olu but telling example: all
of a taiget's email passes thiough easily monitoieu iemote seiveis. These seiveis
tenu to have stiingent backup iegimens anu log eveiything, out of opeiational
necessity. Even ueletion opeiations aie less than peimanent;
62
pieseivation of uata

S6
The best example is how web biowseis use enciyption. When a biowsei connects via BTTPS, the
web seivei senus its "ceitificate" to the biowsei. A full explanation of ceitificates is out of scope
heie; what is impoitant is that they contain a ciyptogiaphically piotecteu association between the
web site's name anu a unique ciyptogiaphic key. Biowseis veiify that the name of the web site
contacteu actually appeais in the ceitificate; thus, you won't enu up with an enciypteu connection to
EvilBackeiBuuez.oig when you aie tiying to log in to youi bank.
S7
=--7 -I;I7 Sascha Fahl, Naiian Baibach, Thomas Nuueis, Natthew Smith, Lais Baumgitnei, Beinu
Fieisleben, "Why Eve anu Nalloiy Love Anuioiu: An Analysis of Anuioiu SSL (In)Secuiity," @/"'I ,!U
!!= LSZLI
S8
Although piobably technically feasible (though uifficult, given the neeu to comply with inuustiy
stanuaius), it is highly unlikely that pioviueis such as uoogle's umail anu Niciosoft's Botmail will
switch to enu-to-enu enciyption. Theie is little consumei uemanu, it is uifficult, anu uoogle at least
ielies on being able to scan messages in oiuei to uisplay appiopiiate aus. It cannot uo so if the
messages aie enciypteu.
S9
=-- "The bell tolls foi telcos.", D-9-;-";/(>C6, Febiuaiy 1S, 2u1S, available at
http:www.telegeogiaphy.compiouuctscommsupuateaiticles2u1Su21Sthe-bell-tolls-foi-
telcos.
6u
=-- }oel Schectman, "Skype Knew of Secuiity Flaw Since Novembei 2u1u, Reseaicheis say", J(99
=)/--) F"$/%(9, Nay 1, 2u12, available at http:blogs.wsj.comcio2u12uSu1skype-knew-of-
secuiity-flaw-since-novembei-2u1u-ieseaicheis-say.
61
=-- Footnote S1, *$>/(.
62
=--7 -I;I7 Section 4.S of the Niciosoft Seivices Agieement: "please note that while content you have
ueleteu oi that is associateu with a closeu account may not be accessible to you, it may still iemain on
oui systems foi a peiiou of time." Available at http:winuows.miciosoft.comen-uswinuows-
Lawful Hacking 18
is paiamount, even unuei extieme ciicumstances.
6S
In theoiy, clouu stoiage coulu
be enciypteu; in piactice, because of useis' uesiie to be able to seaich theii email
messages anu the lack of customei uemanu, theie has been little, if any, ieal-woilu
ueployment.
64
In fact, in oiuei to bettei seive aus, the Facebook anu uoogle
business mouels iely on the clouu uata being unenciypteu.
The othei tienu, peei-to-peei, is uecentializeu, with no convenient points foi
wiietaps oi content monitoiing. Rathei than clients anu seiveis, computeis,
phones, anu othei gaugets talk to each othei. Why, foi example, must email fiom
Alice to Bob flow fiom hei phone to hei ISP's outbounu mail seivei to Bob's ISP's
inbounu mail seivei to Bob's computei. Inueeu, in some scenaiios even ISPs
uisappeai; in a technology known as "mesh netwoiking"
6S
computeis ask othei peei
computeis to ielay theii tiaffic. 0ne veiy active aiea of uevelopment foi mesh
netwoiks is cai-to-cai tiaffic foi automotive safety anu congestion contiol;
66
this
coulu enu up uenying law enfoicement access to location uata fiom cellulai
netwoiks.
In a clouu woilu, monitoiing will be easiei, in a peei-to-peei woilu, haiuei. It is
quite possible that both tienus will continue, with uiffeient applications anu
uiffeient maikets opting foi one solution ovei the othei.

%" 123 C*;;*)(>$*39 &; ,-./- !!

CALEA II, the extension of CALEA to covei all communications applications, poses
thiee seiious pioblems: it hinueis innovation by iestiicting communications
application uevelopeis to ceitain topological anu tiust mouels, it imposes a financial
tax on softwaie, anu it cieates secuiity holes (anu hence incieases the iisk of
computei ciime, cybeiepionage, anu cybeiteiioiism,). This last point is peihaps the
least-mentioneu in the uebate. Aiguably, though, it is the most impoitant, since it is

livemiciosoft-seivices-agieement. 0thei pioviueis have similai piovisions, out of technical
necessity.
6S
In 2u1u, a softwaie pioblem causeu thousanus of Niciosoft's Botmail useis to lose theii entiie
mailboxes. Although it took seveial uays, Niciosoft was able to ietiieve anu iestoie the uata fiom
backup meuia. =-- Sebatian Anthony, "Botmail useis lose entiie email inboxes, Niciosoft iestoies
them S uays latei", A$..>"*) D-'C =1&)'C-E, }anuaiy S, 2u11,
http:uownloausquau.switcheu.com2u11u1uShotmail-useis-lose-entiie-email-inboxes-
miciosoft-iestoies-them.
64
Enciypteu stoiage anu enciypteu seaich aie active ieseaich aieas. Bowevei, except unuei special
ciicumstances (e.g., a stiuctuieu uatabase, as opposeu to email), enciypteu iemote seaich iemains
much moie expensive than the plaintext equivalent anu is likely to iemain that way.
6S
=--7 -I;I7 Rafe Neeuleman, "0nbieakable: Nesh netwoiks aie in youi smaitphone's futuie", !H2D,
}uly 1S, 2u1S, available at http:www.cnet.com8Su1-Su976_1-S7471447-1uS48864unbieakable-
mesh-netwoiks-aie-in-youi-smaitphones-futuie.
66
=-- }on Bioukin, "Wiieless mesh netwoiks at 6SNPBlinking cais to pievent ciashes", ,/*
D-'C%&'(, }anuaiy 1u, 2u1S, http:aistechnica.cominfoimation-technology2u1Su1wiieless-
mesh-netwoiks-at-6Smph-linking-cais-to-pievent-ciashes.

Lawful Hacking 19
the one not auuiessable by peifect (oi at least veiy, veiy goou) softwaie
uevelopment piactices anuoi ieuse of stanuaiu CALEA compliance libiaiies.
An implicit assumption behinu CALEA-style laws is that theie is a "goou" place
wheie inteicepts can take place. Such a place woulu be iun by tiustwoithy people
who aie not implicateu in the investigation,
67
anu wheie the tap cannot be uetecteu.
Noie oi less of necessity, this tianslates to ielying on a centializeu facility,
piefeiably one iun by a laige, accountable company. This woikeu well foi the
telephone taps, wheie all lines weie connecteu to a phone switch iun by a
conventional phone company. By contiast, consiuei a Skype-like aichitectuie with
tiansmissions ovei a mesh netwoik. Theie aie %" laige companies involveu in
eithei the call setup oi uata paths; iathei, both use effectively ianuom links.
Fuitheimoie, theie may be little oi no logging piesent; not only is the path useu foi
one call piobably not the path useu foi anothei, theie will be no logs to show what
paths weie useu. This means little oi no accountability foi any paities who leak
infoimation, anu no assuiance whatsoevei that any will be able to complete the tap.
The fact that a peei-to-peei seivice is not facilities-baseuthat is, it uoes not iely on
pioviuei-owneu equipmentalso means theie may be no paities to whom the law
applies. Foi example, CALEA iequiies that "a telecommunications caiiiei shall
ensuie that its equipment, facilities, oi seivices. enable the goveinment. to
inteicept. all wiie anu electionic communications caiiieu by the caiiiei.
concuiiently with theii tiansmission to oi fiom the subsciibei's equipment."
68

Theie aie, within the uefinitions of the statute, no caiiieis in some peei-to-peei
aichitectuies: "The teim "telecommunications caiiiei" means a peison oi entity
engageu in the tiansmission oi switching of wiie oi electionic communications as a
common caiiiei foi hiie"
69
oi "a peison oi entity engageu in pioviuing wiie oi
electionic communication switching oi tiansmission seivice to the extent that the
Commission finus that such seivice is a ieplacement foi a substantial poition of the
local telephone exchange seivice."
7u
In a peei-to-peei netwoik, theie is no such
thing as "local" seivice; a "peei" neeu not be geogiaphically close to any of the
paities. Similaily, theie may be no "manufactuiei of telecommunications
tiansmission oi switching equipment" who can be compelleu to "make available to
the telecommunications caiiieis using its equipment, facilities, oi seivices such
featuies oi mouifications as aie necessaiy to peimit such caiiieis to comply with
the capability iequiiements";
71
they, the peei noues, anu any commeicial entities

67
Pei 18 0.S.C. 2S11, "No pioviuei of wiie oi electionic communication seivice, officei, employee,
oi agent theieof . shall uisclose the existence of any inteiception oi suiveillance oi the uevice useu
to accomplish the inteiception oi suiveillance with iespect to which the peison has been fuinisheu a
couit oiuei oi ceitification unuei this chaptei. Any such uisclosuie, shall ienuei such peison liable
foi the civil uamages pioviueu foi in section 2S2u." Bamages aftei the fact aie one thing, but law
enfoicement woulu much iathei the tap weie not uiscloseu in the fiist place.
68
18 0.S.C. 1uu2(a).
69
18 0.S.C. 1uu1(8)(A).
7u
18 0.S.C. 1uu1(8)(B)(ii)
71
18 0.S.C. 1uuS(b)
Lawful Hacking 2u
involveu in the seivice opeiation (anu theie neeu not be any such) may be locateu
outsiue of 0.S. juiisuiction.
72

To sum up, the laws assume a tiustable, uisinteiesteu inteimeuiaiy within the
couits' juiisuiction. But as the net moves towaius a moie uecentializeu aichitectuie,
such thiiu paities simply uo not exist. Cuiient technological tienus pose a seiious
(anu piobably insuimountable) philosophical challenge to CALEA-style laws.

If CALEA weie to be extenueu to covei IP-baseu communications, the law woulu
have to specify which pait of the seivice is iesponsible foi supplying wiietap
capability. As noteu eailiei, peei-to-peei netwoiking is one plausible path foi the
technical futuie. Imposing iequiiements that effectively block this appioach woulu
have a veiy seiious effect on innovation. Peei-to-peei communications have enableu
some impoitant applications such as BitToiient, useu by NASA foi shaiing satellite
images, by vaiious computei companies foi shaiing laige files (e.g., open souice
opeiating systems), by gaming companies foi shaiing upuates, anu even by content
pioviueis such as CBS anu Wainei Bios. foi ueliveiing piogiamming.
7S

Theie is a seconu buiuen on innovation: the extia cost, both in uevelopment effoit
anu uevelopment time, to incluue wiietap inteifaces in eaily veisions of softwaie is
piohibitive. CALEA compliance, at fiist blush, seems simple: "all" that is wanteu is
uialeu anu uialing phone numbeis, anu voice. At that level, it is simple; neveitheless,
the uocument uefining the stanuaiu inteiface to a CALEA-compatible switch is moie
than 2uu pages long.
74
Imagine, then, the stanuaius necessaiy to covei inteiception
of email, web pages, social networking status updates, instant messaging (for which
there are several incompatible protocols), images, video downloads, video calls,
video conference calls, file transfer layered on top of any of these, very many
different sorts of games that have voice or instant messaging functions included, and
more. It is simply not a feasible approach. Nor are these improbable uses of the
Internet; all of them are used very regularly by millions of people.

Applying CALEA to Internet applications and infrastructure will be a "tax" on
software developers. The much lower barriers to entry provided by the open
architecture of the Internet have bred many startups. These are small and agile;
they're often the proverbial "two guys in a garage". Many will fail; even the
eventual successes often start slowly. That said, they are essential to the
Internet's success. Skype started small; it is, as noted, now one of the largest
international phone carriers.[75] For that matter, one need look no farther than
Facebook (started by an undergraduate in his dorm room) for an example. Indeed,
the Web began as an information distribution system at a European physics lab. It
is hard to say at what point an experiment has become large enough to be a
"service" worthy of being wiretap-friendly; it is clear, though, that requiring
such functionality to be built in from the start is a non-trivial economic burden
and a brake on innovation. By contrast, the PSTN is primarily composed of large,
established companies who buy essentially all of their equipment from other large,
established companies.[76]

72. A service without any operators does not imply that no one profits. The original
KaZaA filesharing service was ad-supported (see https://en.wikipedia.org/wiki/Kazaa).
It is unreasonable and probably infeasible to impose wiretap requirements on
advertisers; the chain of indirection from the software developer to the advertisers
is too long and tenuous; see, e.g., Kate Kaye, "The Purchase-to-Ad Data Trail: From
Your Wallet to the World", Ad Age, March 18, 2013, available at
http://adage.com/article/dataworks/purchase-targeted-ads-data-s/240300.

73. See, e.g., Brad King, "Warner Bros. to Distribute Films Using Bit Torrent", MIT
Technology Review, May 9, 2006, available at
http://www.technologyreview.com/view/405794/warner-bros-to-distribute-films-using-bit-torrent.

74. See Lawfully Authorized Electronic Surveillance, J-STD-025, Rev. A, 2000,
http://cryptome.org/espy/TR45-jstd025a.pdf.

The most serious problem with CALEA, though, is that it has created a new class of
vulnerabilities. A wiretap interface is, by definition, a security hole, in that it
allows an outside party to listen to what is normally a private conversation. It is
supposed to be controlled, in that only authorized parties should have access.
Restricting access to such facilities is far more difficult than it would appear;
the history of such mechanisms is not encouraging.

The risks are not theoretical. In the 2004-2005 "The Athens Affair",[77] new code
that used the lawful intercept mechanisms to eavesdrop on about 100 mobile phones,
up to and including the Prime Minister's, was injected into the phone switch. In a
similar, though less publicized, incident in Italy, between 1996-2006, about 6,000
people were the target of improper wiretaps, apparently due to corrupt insiders who
sought financial gain. Again, the lawful intercept mechanism was abused.[78]

The U.S. is at risk, too. Phone switches are already large, extremely complex
computer systems; as such, they are inherently at risk. An NSA evaluation of
CALEA-compliant phone switches found vulnerabilities in every single one
evaluated.[79] It is not known publicly if any American phone switches have been
penetrated; however, news reports do suggest foreign interest in American use of
surveillance technology to determine who the surveillance targets are.[80]

75. See footnote 39, supra.

76. Even for such companies, the expense of adding CALEA facilities was non-trivial.
The statute (18 U.S.C. 1007-1008) authorized $500 million "to pay telecommunications
carriers for all reasonable costs directly associated with the modifications
performed by carriers in connection with equipment, facilities, and services
installed or deployed on or before January 1, 1995, to establish the capabilities
necessary to comply with section 1002 of this title." The funding was approved in
the Omnibus Consolidated Appropriations Act, and it provided for funding through a
combination of money supplied by various intelligence agencies, as well as $60
million in direct funding. An additional $12 million was provided through unspent
Department of Justice funds. More than 95% of the money was actually spent; about
$40 million was rescinded by Congress in 2007. See "Implementation of the
Communications Assistance for Law Enforcement Act by the Federal Bureau of
Investigation", Audit Report 08-20, U.S. Department of Justice, Audit Division,
Redacted for public release, March 2008, available at
http://www.justice.gov/oig/reports/FBI/a0820/final.pdf.

77. See Vassilis Prevelakis and Diomidis Spinellis, "The Athens Affair", IEEE
Spectrum 44:7, July 2007, pp. 26-33, available at
http://spectrum.ieee.org/telecom/security/the-athens-affair/0.

78. See Piero Colaprico, "Da Telecom dossier sui Ds Mancini parla dei politici," La
Repubblica, January 26, 2007.

79. See Susan Landau, "The Large Immortal Machine and the Ticking Time Bomb," J.
Telecommunications and High Technology Law, vol. 11, no. 1, 2013, pp. 1-43.

There is one more aspect of security that has to be taken into account: who the
enemies are. As has been widely reported in the press, various countries have or are
creating cyberespionage and cyberwarfare units. These are highly skilled and
well-equipped groups, easily capable of finding and exploiting subtle flaws in
systems. To use an easy analogy, comparing the capabilities of such units to those
of garden-variety hackers is like comparing the fighting power of modern infantrymen
to that of a comparable-sized group of drug gang members. When considering the
security of any Internet-connected systems that might attract the hostile gaze of
foreign powers, this must be taken into account.

Communications systems fall into this category and have done so for many, many
years. Even apart from their purely military significance, American economic
interests have long been targeted by other nations. In the early 1970s, for example,
the Soviets reportedly used high-tech electronic eavesdropping devices to listen to
the phone calls of American grain negotiators.[81] These days the attempts at
economic espionage come not just from Russia, but also from China, France, Germany,
Israel, Japan, South Korea, India, Indonesia, and Iran.[82]

In 2000, the Internet Engineering Task Force, the engineering group that develops
Internet communications standards through its "Requests for Comment" (RFCs)
documents, concluded, "adding a requirement for wiretapping will make affected
protocol designs considerably more complex. Experience has shown that complexity
almost inevitably jeopardizes the security of communications; there are also
obvious risks raised by having to protect the access to the wiretap. This is in
conflict with the goal of freedom from security loopholes."[83] The security
vulnerabilities that a wiretap introduces into a communications system are a
serious problem, yet they apparently get little attention from law enforcement in
its efforts to expand CALEA to IP-based communications.

80. See Kenneth Corbin, "'Aurora' Cyber Attackers Were Really Running
Counter-Intelligence", CIO, April 22, 2013, available at
http://www.cio.com/article/732122/Aurora_Cyber_Attackers_Were_Really_Running_Counter_Intelligence?taxonomyId=3089.

83. Internet Engineering Task Force, RFC 2804, IETF Policy on Wiretapping (May 2000).
One of the authors of this paper was on the Internet Architecture Board at the time
and helped write the document.
[Figure 1: A Voice over IP (VoIP) call showing physical links, the signaling path,
and the voice path. Labels in the figure: VoIP Provider 1, VoIP Provider 2,
Signaling, Links, Voice.]

III. The Vulnerability Option

We have argued that extending CALEA to IP-based communications presents intolerable
security risks and how modern communications systems are likely to impede
wiretapping efforts. Given that, how might law enforcement wiretap modern
communications? Here we describe the vulnerability option: how they can resolve the
wiretap problem, why vulnerabilities exist, and why the vulnerability "solution"
must, in fact, always be part of the law-enforcement wiretap toolkit. We begin with
a definition of terms.

A. Definition of Terms

We need to define a few commonly used technical terms in order to present the
mechanics of employing a vulnerability for accessing a target system.

Vulnerability: A vulnerability is a weakness in a system that can potentially be
manipulated by an unauthorized entity to allow exposure of some aspect of the
system. Vulnerabilities can be bugs (defects) in the code, such as a "buffer
overflow"[84] or a "use-after-free" instance,[85] or misconfigurations, such as not
changing a default password or running open, unused services.[86] Another common
type of vulnerability results from not correctly limiting input text (this is also
known as not sanitizing input), e.g., "SQL injection";[87] alternatively, a
vulnerability can be as simple as using a birth-date of a loved one as a password.
A vulnerability can be exploited by an attacker. A special instance of
vulnerability is the:

Zero-day (or 0-day vulnerability): A zero-day is a vulnerability discovered and
exploited prior to public awareness or disclosure to the vendor. Zero-days are
frequently sold in the vulnerabilities market. The vendor and the public often only
become aware of a zero-day after a system compromise.

Exploit: an exploit is the means used to gain unauthorized access to a system. This
can be a software program, or a set of commands or actions. Exploits are usually
classified by the vulnerability of which they take advantage, whether they require
local (hands-on) access to the target system, or can be executed remotely or through
a web page or email message (drive-by).[88] The type of result obtained from running
the exploit (rootkit, spoofing, key-logger) depends on the payload. The payload is
chosen when the exploit is run or launched. An exploit demonstrates the use of the
vulnerability in actual practice.

Payload: The payload of an exploit is the code that is executed on the target system
giving the attacker the desired access. Payloads can be single action, such as
surreptitiously creating a new user account on the system that allows future access,
or multi action, such as opening a remote connection to an attacker's server and
executing a stream of commands. The payload generally must be customized to the
specific system architecture of the target.

Dropper: A dropper is a malware component or malicious program that installs the
payload on the target system. A dropper can be single stage, a program that executes
on the target system as a direct result of a successful exploit and carries a hidden
instance of the payload, or it can be multi-stage, executing on the target system,
but downloading files (including the payload) from a remote server.

Man-in-the-Middle attack: A Man-in-the-Middle attack is a method of gaining access
to target information in which an active attacker interrupts the connection between
the target and another resource and surreptitiously inserts itself as an
intermediary. This is typically done between a target and a trusted resource, such
as a bank or email server. To the target the attacker pretends to be the bank, while
to the bank the attacker pretends to be the target. Any authentication credentials
required (e.g., passwords or certificates) are spoofed by the attacker, so that each
side believes they are communicating with the other. But because all communications
are being transmitted through the attacker, the attacker is able to read and modify
any messages it wishes to.

Spoofing: In the context of network security, a spoofing attack is a situation in
which one person or program successfully masquerades as another by falsifying data
and thereby gaining an illegitimate advantage.[89]

84. A buffer overflow is caused by a program accepting more input than memory has
been allocated for. Conceptually, imagine a clerk writing down someone's name, but
the name as given is so long that it doesn't fit in the box on a form and spills
over into the "Official Use Only" section of the form. A buffer overflow error was a
central part of the Internet Worm of 1988, which resulted in the first case ever
brought under the Computer Fraud and Abuse Act, 18 U.S.C. 1030; see United States v.
Morris, 928 F.2d 504; 1991 U.S. App. LEXIS 3682. In some programming languages,
e.g., Java, such overflows are detected automatically by the system; programmers
using older languages, such as C, can use safe programming techniques that avoid the
problem. A variety of tools can be used to detect potentially unsafe areas of
programs. These have become increasingly common in the last 10 years, to very good
effect.

85. Programs can request storage space, then release ("free") it when they are done;
after that, the space is available for other uses. A use-after-free bug involves
carefully crafted accesses to memory no longer allocated for its original purpose;
if some other section of the program is now reusing that storage, this section of
the program may be confused by the improper reuse.

86. A service is a mechanism by which programs listen for and act on requests from
other programs; often, these services are available to any other computer that can
contact this one via the Internet. The best analogy is to room numbers in a
building. The building itself has a single address (the computer analog is the IP
address), but the mailroom is in room 25, the information counter is in room 80, and
so on. Secure computer systems generally "listen" on very few ports, since each one
represents a potential external vulnerability. Suppose, for example, that a computer
that is not intended to act as a web server is in fact running web server code. A
flaw in that web server can result in system penetration; the simplest fix is to
turn off the web service since it is unneeded on that computer. See CERT Advisory
CA-2001-19, July 19, 2001, for an example of problems caused by open, unneeded
services.

87. In some contexts, parts of the input to a program can be interpreted as
programming commands rather than as data. SQL injection attacks (in variant forms,
they date back to at least the 1970s) occur when programmers do not filter input
properly to delete such commands.

88. A drive-by download is an attack perpetrated simply by visiting a malicious or
infected web site. No further action by the user is necessary for the attack to
succeed. Such attacks always result from underlying flaws in the web browser.
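The clerk-and-form analogy of footnote 84, as an added example that is not from the paper: a form laid out as one contiguous block of bytes, the name box followed by the "Official Use Only" field, with an unchecked copy that spills a too-long name into that field beside a bounds-checked copy that rejects it. The layout, field sizes and sample names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the paper: the clerk's form from footnote 84,
 * modelled as one contiguous block of bytes, the way a C struct or stack
 * frame is laid out. Bytes 0..15 are the name box; byte 16 is the
 * "Official Use Only" decision field. Layout and sizes are constructed. */
#define NAME_BOX_SIZE 16
#define FORM_SIZE     (NAME_BOX_SIZE + 1)
#define OFFICIAL_OFF  NAME_BOX_SIZE
#define DENIED        'D'

/* Blank form: empty name box, decision pre-filled as DENIED. */
static void form_init(unsigned char form[FORM_SIZE]) {
    memset(form, 0, FORM_SIZE);
    form[OFFICIAL_OFF] = DENIED;
}

/* The careless clerk: copies the name without checking that it fits the
 * box. The copy trusts the input length, exactly as strcpy() into a fixed
 * buffer does, so a name longer than the box runs past it and overwrites
 * whatever lies next in memory: here, the decision field. (The copy is
 * capped at the whole form only so the demonstration stays well-defined;
 * the missing check is the one on the box itself.) */
static void fill_name_unchecked(unsigned char form[FORM_SIZE], const char *name) {
    size_t n = strlen(name);
    if (n > FORM_SIZE)
        n = FORM_SIZE;
    memcpy(form, name, n);
}

/* The careful clerk: rejects a name that does not fit the box (leaving
 * room for the terminating NUL). Returns 0 on success, -1 if rejected;
 * on rejection the form is left untouched. */
static int fill_name_checked(unsigned char form[FORM_SIZE], const char *name) {
    size_t n = strlen(name);
    if (n >= NAME_BOX_SIZE)
        return -1;
    memcpy(form, name, n);
    form[n] = '\0';
    return 0;
}

/* What the officer later reads from the decision field. */
static unsigned char form_decision(const unsigned char form[FORM_SIZE]) {
    return form[OFFICIAL_OFF];
}

/* Decision read back after the unchecked copy of `name`. */
unsigned char decision_after_unchecked(const char *name) {
    unsigned char form[FORM_SIZE];
    form_init(form);
    fill_name_unchecked(form, name);
    return form_decision(form);
}

/* Decision read back after the checked copy; *rc receives 0 or -1. */
unsigned char decision_after_checked(const char *name, int *rc) {
    unsigned char form[FORM_SIZE];
    form_init(form);
    *rc = fill_name_checked(form, name);
    return form_decision(form);
}

int main(void) {
    /* Constructed inputs: a 17-character name (one byte longer than the
     * box) whose last letter lands on the decision field, and a short
     * name that fits. */
    const char *too_long = "Bartholomew Smith";
    const char *fits = "Alice";
    unsigned char d;
    int rc;

    d = decision_after_unchecked(too_long);
    printf("unchecked, long name : decision=%c (no longer %c)\n", d, DENIED);
    d = decision_after_checked(too_long, &rc);
    printf("checked,   long name : decision=%c rc=%d\n", d, rc);
    d = decision_after_checked(fits, &rc);
    printf("checked,   short name: decision=%c rc=%d\n", d, rc);
    return 0;
}
```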


B. How Vulnerabilities Help

Our claim is that pre-existing vulnerabilities in software make extending CALEA
unnecessary.[90] To understand the scenarios, it is necessary to give a simplified
description of the structure of modern computer operating systems.[91] Systems are
described in terms of "layers"; each layer provides some services to the layer above
it, and requests services of the layer below it. Often, a combination of hardware and
software enforces the boundary between layers, ensuring that only certain requests
can be made of the lower layer.

The lowest layer we will mention is the hardware: CPU chips such as Intel's Pentium
series, devices such as network interfaces and hard drives, USB ports, etc. For our
purposes, we will assume that this layer is error-free and secure. While not strictly
true, attacks at this level are generally more feasible for national-security
purposes than for law enforcement.[92]

The next layer is generally called the "kernel". The kernel protects itself (with
aid from the hardware); it is also the only component that directly communicates
with external hardware such as the network. When a program needs to read or write
from the network or a disk drive, it cannot do so directly; instead, it asks the
kernel to perform the action for it. A consequence of this is that the kernel has to
enforce "file permissions": which users of the computer own which file, who can read
or write them, etc. That in turn implies that there must be some strong separation
between programs run by different users; again, the kernel enforces this.

The last layer of interest is the "user level" or "application level". Virtually all
programs of interest (web browsers, mailers, document editors and viewers, and so on)
run at user level. Programs running are typically associated with some user. The user
may be a physical individual; however, all modern systems have a large number of
helper processes, sometimes known as "daemons," running as some flavor of system
pseudo-user. These handle such applications as the audio system, indexing files,
insertion of USB devices, and more. A quick check of a modern Apple Mac showed no
fewer than 10 different pseudo-users active on the machine.

89. Shirey, id., defines "spoofing" as equivalent to "masquerade attack" and defines
the latter as "a type of threat action whereby an unauthorized entity gains access
to a system or performs a malicious act by illegitimately posing as an authorized
entity."

90. Some of this material appeared in different form in Bellovin et al., supra note
6, Going Bright paper.

91. These days, smart phones are built the same way; there is no need to discuss
them separately.

92. We will not discuss attacks like eavesdropping on encrypted WiFi signals. In
principle, though, there might be exploitable vulnerabilities in the target's WiFi
access point or router. These devices, though, are just computers and can be hacked
like any other computers.

All modern operating systems have a feature known as a "sandbox". A sandbox is a way
of enforcing security by allowing a program to run with fewer privileges than the
user who has invoked it. Sandboxes are frequently used for programs perceived as
exceptionally vulnerable to security holes; these include PDF viewers, web browsers,
etc.

Vulnerabilities (and hence exploits of use to law enforcement) can occur at any
layer, but the capabilities available to the exploit are different at different
layers. While we defer details until Section IV, we note that for an exploit to
work, more code is needed than just something that targets the vulnerability. In
particular, to perform a wiretap (that is, to acquire the contents of a
communication) the actual data sent or received has to be captured. This can be done
in a particular application (e.g., Skype or a game with a voice communications
feature), or it could be done at kernel level by tampering with a "device
driver,"[93] in which case data from any application could be captured. A kernel
exploit is well-positioned to modify device drivers; however, for complex technical
reasons such an attack would find it more difficult to read and write files, export
captured data via the network, etc.[94]

Most initial penetrations take place at application level.[95] The mechanisms vary
widely, including infected attachments in email, malware on web pages, poor
implementations of network protocols, and users downloading and voluntarily
executing booby-trapped programs under a misapprehension as to the programs'
purpose, provenance, and good intent.[96] The results are the same: some program
the user had not intended is being run with the user's file access rights.

Under certain circumstances, this is sufficient for law-enforcement purposes. It
generally provides adequate means for intercepting email; it may also suffice for
looking at the transcript files kept by some instant messaging programs. User level
exploits are also useful for "remote search", though that poses other issues beyond
the scope of this paper.

93. A device driver is a special part of the kernel that communicates with
input/output devices such as disks, audio ports, network interfaces, etc. See, e.g.,
Andrew S. Tanenbaum and Albert S. Woodhull, Operating Systems Design and
Implementation, 3rd Edition, Prentice-Hall, 2006.

94. Even a sketchy explanation of this is well beyond the scope of this paper. The
primary problems are the nature of I/O APIs (they're generally designed to copy
essential parameters from application level) and the difficulty of waiting for an
I/O operation to complete without a "process context". See any standard operating
systems textbook, e.g., Tanenbaum and Woodhull, footnote 93, supra.

95. It is generally believed that since kernels do almost no processing of network
packet contents (as opposed to their "headers"), they are therefore much less
vulnerable to attacks. Examination of various compendia of vulnerabilities confirms
this.

96. A significant percentage of software downloaded via peer-to-peer networks
contains malware; see, e.g., Michal Kryczka et al. "Torrentguard: stopping scam and
malware distribution in the BitTorrent ecosystem." arXiv preprint arXiv:1105.3671
(2011). Andrew D. Berns and Eunjin EJ Jung, at 4 in "Searching for malware in
BitTorrent." University of Iowa, Tech. Rep. UICS-08-05, April 24 (2008), note that
much of this is "key generation or activation utility[ies]", i.e., tools for
stealing software.

On the other hand, if the program penetrated is not used for the actual
communications of interest, these exploits alone will not suffice. Consider that on
most modern platforms, users (and hence the programs they run) do not have the
ability to tamper with the kernel or system-owned files; this latter category
generally includes applications such as Skype. Accordingly, if a law enforcement
penetration for the purpose of eavesdropping is executed at user level, a second
exploit known as a "local privilege escalation" attack is needed. This second attack
gives the program elevated privileges and hence the ability to change device
drivers, modify other files, etc.[97] While the two exploits are generally
independent, frequently both are necessary; this complicates the attack.

There is one special case worth mentioning. Some daemons run with full system
privileges; if these have faulty implementations of network protocols, only a single
attack is needed. This is a venerable technique, going back to the first Internet
worm.[98] While modern system designs try to avoid daemons with full privileges, in
some situations this is unavoidable.

Historically, some applications have been considerably more vulnerable to user level
attacks than others; these include web browsers and PDF viewers. As noted, modern
operating systems often run these programs in "sandboxes", to prevent theft of or
damage to user files.[99] Sandboxes may also deny the confined program the ability
to run other system commands that may be utilized for privilege escalation.
Accordingly, a third exploit may be necessary, to escape from the sandbox; following
that, privilege escalation is used as before.

To summarize: there are many different points for initial attack; all have their
limitations. System privileges are needed to modify applications or device drivers;
these can be obtained via either a direct kernel attack, an attack on a system-level
daemon, or via privilege escalation following an application level penetration.

97. On Windows, the privileged user is known as "Administrator"; on Unix-like
systems, including MacOS and Linux, it is known as "root".

98. See, e.g., Eugene Spafford, "The Internet Worm Program", Computer Communications
Review 19:1, January 1989, at 17-57, and J.A. Rochlis and M.W. Eichin, "With
Microscope and Tweezers: The Worm from MIT's Perspective", Comm. ACM 32:6, June
1989, at 689-703.

99. A "sandbox" is a mechanism to give application programs fewer privileges than
those of the user who has invoked them.

C. Why Vulnerabilities Will Always Exist

We are suggesting use of pre-existing vulnerabilities for lawful access to
communications. To understand why this is plausible, it is important to know a
fundamental tenet of software engineering: bugs happen. In his classic The Mythical
Man-Month, Frederick Brooks explained why:[100]

    First, one must perform perfectly. The computer resembles the magic of
    legend in this respect, too. If one character, one pause, of the incantation is
    not strictly in proper form, the magic doesn't work. Human beings are not
    accustomed to being perfect, and few areas of human activity demand it.
    Adjusting to the requirement for perfection is, I think, the most difficult part
    of learning to program.

Because computers, of course, are dumb (they do exactly what they're told to do),
programming has to be absolutely precise and correct. If a computer is told to do
something stupid, it does it, while a human being would notice there's a problem. A
person told to walk 30 meters then turn left would realize that there was an
obstacle present, and prefer the path 32 meters down rather than walking into a tree
trunk. A computer wouldn't, unless it had been specifically programmed to check for
an impediment in its path. If it hasn't been programmed that way, if there is
virtually any imperfection in code, a bug will result. This might be a rare one, but
it will nonetheless be a bug.[101] If this bug should happen to be in a
security-critical section of code, the result may be a vulnerability.

A National Research Council study described the situation this way:[102]

    [A]n overwhelming majority of security vulnerabilities are caused by "buggy"
    code. At least a third of the Computer Emergency Response Team (CERT)
    advisories since 1997, for example, concern inadequately checked input
    leading to character string overflows (a problem peculiar to C programming
    language handling of character strings). Moreover, less than 15 percent of all
    CERT advisories described problems that could have been fixed or avoided
    by proper use of cryptography.

It would seem that bugs should be easy to eliminate: test the program, and fix any
problems that show up. Alas, bugs can be fiendishly hard to find. And complex
programs have simply too many possible branches (execution paths) to be able to test
them all.[103]

100. Frederick P. Brooks, The Mythical Man-Month, Addison-Wesley, 20th Anniversary
Edition, 1995, at 5.

101. In one classic incident, a single missing hyphen in a program contributed to
the loss of the Mariner 1 space probe. See
http://nssdc.gsfc.nasa.gov/nmc/spacecraftDisplay.do?id=MARIN1.

102. Fred Schneider, ed., Trust in Cyberspace, National Academy Press, 1999, at 110.

103. The single capability that gives a computer most of its power is the ability to
do things conditionally. That is, it can test a condition (is this number greater
than zero? Does this string of characters contain an apostrophe? Is there room on
the page for another line?) and continue along one program path or another,
depending on the result of the test. Each conditional operation can in principle
double the number of possible execution paths. (The reality is not quite that bad,
because not all tests are independent.) This means that a program with just 20
conditionals has more than 2^20 (over 1,000,000) possible paths through it; one with
40 conditionals (a very tiny number for a realistic program) has more than
1,000,000,000,000. Exhaustive testing is not possible under these circumstances.

Brooks shows a diagram comparing the predicted and actual rate of bugs in some
complex code.[104] The projection assumed a slow start, a rapid increase in the
debugging rate, and a leveling off that suggested that the last bugs had been found.
Instead, the rate never leveled off, and the total number of bugs found was
significantly higher than had been forecast.[105] Brooks himself suggests that
testing takes about half of total development time.[106] Even this isn't enough,
though: "Testing shows the presence, not the absence of bugs."[107]

We will not recount the myriad techniques other than testing that have been tried
in an effort to eliminate bugs; let it suffice to say there have been many. These
include formal mathematical methods, better programming and debugging tools,
different organizational and procedural schemes, improved programming languages, and
more. Many of these ideas have helped, but none have proved a panacea. The ability
to produce error-free code is the Holy Grail of systems development: heavily desired
but unattainable.[108]

When we are dealing with computer security, though, the question is somewhat
different than "does this program have bugs?" Rather, the proper question is "do the
security-sensitive parts of this system have bugs?" When formulated this way, there
would seem to be an obvious solution: divide a complex system up into
security-sensitive and security-insensitive pieces; bugs in the latter, though
annoying, would not result in disaster. Such an approach has the added advantage of
improving the correctness of the security-critical components. The bug rate in code
increases more than linearly in the size of the program; a program that is twice as
large has more than twice as many bugs. Perhaps the security-sensitive section,
which by definition is smaller, will thereby have many fewer bugs than the system as
a whole.

104. See Brooks, supra footnote 100, at 42. The diagram is a previously unpublished
one by John Harr.

105. Neither the graph nor the text make it clear whether the graph ended because
the project was finished or simply because it is a snapshot of a single year's
experience and doesn't look at the entire project. The graph, presented at the 1969
Spring Joint Computer Conference, shows one year of experience building the #1 ESS;
the programming undoubtedly took longer. See Phil Lapsley, Exploding the Phone,
Grove Press, 2013 at 233 and W. Keister, R.W. Ketchledge, and H.E. Vaughn, "No. 1
ESS: System Organization and Objectives", Bell System Technical Journal 43:5, Part 1
(September 1964) at 1832. New versions of the code were unlikely to have fewer bugs;
rather, the bug rate increases after some point (Brooks, supra, at 53-54).

106. See Brooks, supra footnote 100, at 10; see also the later explanation of the
complexity of that model at 117.

107. Edsger Dijkstra, quoted in J.N. Buxton and B. Randell, eds., Software
Engineering Techniques: Report on a conference sponsored by the NATO Science
Committee, Rome, Italy, 27-31 October 1969, April 1970, at 16.

108. Operational errors are common, too. See, e.g., Barton Gellman, "NSA broke
privacy rules thousands of times per year, audit finds", Washington Post, August 16,
2013, available at
http://www.washingtonpost.com/world/national-security/nsa-broke-privacy-rules-thousands-of-times-per-year-audit-finds/2013/08/15/3310e554-05ca-11e3-a07f-49ddc7417125_story.html:
"One in 10 incidents is attributed to a typographical error in which an analyst
enters an incorrect query and retrieves data about U.S. phone calls or e-mails."
Another bug was confusing the country and city codes for Cairo, Egypt (20 2) with
the area code for Washington, DC (202). These sorts of errors led to literally
thousands of incidents of improper collection of surveillance data.
This appioach has been at the heait of most secuie system uesigns foi moie than Su
yeais. It was set out mostly cleaily in the so-calleu "0iange Book", the 198S
Bepaitment of Befense ciiteiia foi secuie opeiating system uesign.
1u9
The 0iange
Book piesciibeu something calleu a "Tiusteu Computing Base", the secuiity-
essential poitions of a system:
11u

The heait of a tiusteu computei system is the Tiusteu Computing Base (TCB)
which contains all of the elements of the system iesponsible foi suppoiting
the secuiity policy anu suppoiting the isolation of objects (coue anu uata) on
which the piotection is baseu. The bounus of the TCB equate to the "secuiity
peiimetei" iefeienceu in some computei secuiity liteiatuie. In the inteiest
of unueistanuable anu maintainable piotection, a TCB shoulu be as simple as
possible consistent with the functions it has to peifoim.
This dream has proved elusive for two very different reasons. First, modern TCBs are themselves extremely large, significantly bigger than the entirety of the 1970s- and 1980s-vintage systems. Although modern software is far more reliable, that does not translate into absolute reliability. Second, the notion of the TCB is less clear than it once was. More and more serious security incidents target components that fit no one's definition of "trusted", but the attacks are effective nevertheless. Indeed, the very first Internet worm, in 1988, exploited holes outside what would likely have been considered part of the TCB.[111] It was, in essence though not by intent, a denial of service attack: it consumed most of the capacity of the infected machines. This all happened at user level; the affected programs were not part of the TCB.[112] Put another way, trying to break up the system into trusted and untrusted parts does not work as well as had been hoped; bugs anywhere can be and have been exploited by malware. It is worth noting that even one of today's complex applications is tens of times larger than entire systems of the 1980s, when the Orange Book was written. Today's operating systems are vastly larger.

We conclude that for the foreseeable future, computer systems will continue to have exploitable, useful holes. The distinction between flaws in the TCB and flaws outside it is important. Non-TCB programs (frequently known as "user mode" or "application mode" programs) have the privileges of the user who runs them; TCB programs are generally all-powerful and have access to more files, including the ability to change them.[113]

[109] DoD Computer Security Center, DoD Trusted Computer System Evaluation Criteria, 1985, 5200.28-STD, available at http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt. The nickname comes from the color of its cover; it is part of a series of publications known collectively as "The Rainbow Series".
[110] Id. at 65.
[111] See Spafford or Eichin and Rochlis, fn 98, supra.
[112] This is not strictly true. For technical reasons, one of the programs that was successfully attacked did run with elevated privileges; however, neither the penetration nor the excess resource consumption by it were related to those privileges. It ran as privileged (and hence by definition as part of the TCB) because the importance of avoiding excess privilege was not as well understood in the general community at the time as it is today.

Lawful Hacking 32

%" 62: $23 G(>#3%4H*>*$: =&>($*&# L(9$ /K*9$ -#:A4:
Consiueiing lawful inteicept puiely as an economic question, it is tempting to ask
which is a cheapei solution, a vulneiability-baseu appioach oi a CALEA-like law.
The question, howevei, is not that simple. Even apait fiom oui oveiiiuing theme
that applying CALEA to Inteinet softwaie caiiies many veiy seiious iisks, to both
secuiity anu innovationanu apait fiom the cost-shifting issue (with CALEA-like
solutions, the bulk of the cost is not caiiieu by law enfoicement), theie is a fuithei,
moie funuamental issue: a vulneiability-baseu inteicept capability must exist in any
event. The question, then, is not which costs less but whethei the inciemental cost
of CALEA is justifiable given that the othei appioach must be puisueu in any case.
No mattei what a CALEA-like law says, theie will always be impoitant cases wheie
CALEA inteifaces will not help law enfoicement to conuuct suiveillance. 0ften,
these instances will be extiemely impoitant, uigent cases: national secuiity oi
counteiteiioiism investigations, oi majoi uiug gangs.
114
These gioups, especially
the fiist two, aie moie likely than aie common ciiminals to use non-Ameiican oi
even custom-wiitten communications softwaie anu pioceuuies.
11S
0thei situations
in which a new law won't help incluue people who use oluei softwaie that hasn't
been upgiaueu to incluue a lawful inteicept featuie, anu moie geneially any
communications application that automatically pioviues enu-to-enu enciyption
capability.
116

In situations like these, wheie the case is impoitant anu built-in lawful inteicept
mechanisms aie not available, using vulneiabilities becomes an attiactive

11S
This staik uichotomy, between all-poweiful anu ielatively poweiless coue, is geneially seen by
the computei secuiity anu opeiating system communities as a bau iuea. Nany schemes have been
pioposeu to cieate inteimeuiate levels of piivilege; few, if any, have caught on (%E been moie than
miminally effective at piotecting the system. Theie has been moie success of late with "sanuboxes.",
114
The Nexican Zeta uiug gang uses a home-built, enciypteu iauio netwoik; *-- Nichael
Weissenstein, "Nexico's caitels builu own national iauio system", Associateu Piess, Becembei 27,
2u11, available at http:news.yahoo.commexicos-caitels-builu-own-national-iauio-system-
2uu2S1816.html.
11S
Witness the case of the Russian sleepei agent iing aiiesteu in 2u1u. They useu special piogiams
foi *)-;(%";/(>C6, a way of concealing the veiy existence of messages. =-- Noah Schactman, "FBI:
Spies Biu Seciet Nessages on Public Websites", J&/-E M(%;-/ G""# N9";, }une 29, 2u1u,
http:www.wiieu.comuangeiioom2u1uu6allegeu-spies-hiu-seciet-messages-on-public-
websites.
116
Even the cuiient CALEA statute states that "A telecommunications caiiiei shall not be iesponsible
foi ueciypting, oi ensuiing the goveinment's ability to ueciypt, any communication enciypteu by a
subsciibei oi customei, unless the enciyption was pioviueu by the caiiiei anu the caiiiei possesses
the infoimation necessaiy to ueciypt the communication." 47 0SC 1uu2(b)(S). The "infoimation
necessaiy to ueciypt the communications" is, typically, a ciyptogiaphic key. If enu-useis uo theii
own key management, the pioviuei is unlikely to have the keys.
Lawful Hacking SS
alteinative. The alteinativea so-calleu "black bag job", a coveit seaichis fai
iiskiei.
117

As with so many other things in high technology, the notion of using vulnerabilities for eavesdropping has a relatively high start-up cost; continued use does not. Apart from the obvious drop in the cost per interception, the operational software is likely to improve over time. That is, as the developers have more time and gain more experience, the overall package will improve. It will provide more functionality, higher efficiency, and stronger resistance to detection. The actual exploits used will, as noted, change over time; even those, however, are likely to be usable in many more cases than in a CALEA-based world; this, too, will drive down the cost of each interception. In other words, and to a much greater degree than in a CALEA-based approach, using vulnerabilities will improve law enforcement's abilities in all cases, especially the most critical ones.
!G" G(>#3%4H*>*$: L3)24#*)9
In this section we examine the potential use of vulneiabilities. We begin by
exploiing waiiant issues foi using exploits to wiietap. We uiscuss how
vulneiabilities may be exploiteu, anu consiuei minimization in this enviionment
anu what tools anu pioceuuies aie available that law enfoicement authoiities might
use oi mouify to gain access. We also uiscuss the vulneiability anu exploit maikets.
Finally, we uiscuss what steps woulu be neeueu foi piouuctizing an exploit
specifically foi lawful access.
-" 64%%4#$ !99(39
0bviously, any use of vulneiabilities foi wiietapping iequiies piopei authoiization.
Bowevei, the technologies involveu suggest that the piocesses may be somewhat
moie involveu than foi conventional wiietaps.
0ne issue is that theie aie two uistinct steps, exploiting the vulneiabilitythat is,
hacking the taiget's machine, albeit with piopei peimissionanu actually caiiying
out the uesiieu inteiception. Aiguably, two uiffeient couit oiueis shoulu be
obtaineu. This is uone on some occasions touay in similai situations. Consiuei, foi
example, the piocess useu in at least one case foi the FBI's Computei anu Inteinet
Piotocol Auuiess veiifiei (CIPAv), which has been installeu on subjects' computeis
to senu auuiessing anu piotocol uata of the taiget machine to the FBI.
118
The
technical uetails of CIPAv aie not public, but infoimation fiom uocuments ieleaseu

117
Such seaiches aie peifoimeu when necessaiy; *--, e.g., Schactman, *$>/( footnote 11S.
118
}. Lynch, "New FBI Bocuments Pioviue Betails on uoveinment's Suiveillance Softwaie," Electionic
Fiontiei Founuation, 29 Api. 2u11; https:www.eff.oigueeplinks2u11u4new-fbi-uocuments-
show-uepth-goveinment#footnote2_u1mhuxa . CIPAv is a cuiient FBI softwaie package analogous
to what we aie pioposing heie. Its capabilities, as uesciibeu in an affiuavit foi a seaich waiiant,
incluue collecting the taiget machine's IP auuiess, NAC auuiess, opeiating system type anu veision,
biowsei type anu veision, "ceitain iegistiy-type infoimation", last 0RL visiteu, etc.
Lawful Hacking S4
unuei the Fieeuom of Infoimation Act shows that the FBI uiu inueeu use a two-step
piocess to obtain the infoimation in that case. The buieau fiist sought a seaich
waiiant to install CIPAv on the taiget's machine. Baving obtaineu the IP auuiess
anu othei ielevant infoimation conuucting suiveillance, the FBI then sought a pen
iegisteitiap-anu-tiace oiuei fiom the couit. This, howevei, is not always uone. In
<% G- J(//(%) )" =-(/'C ( D(/;-) !"#>$)-/ () @/-#&*-* a%O%"1%, Southein Bistiict
of Texas, Bouston Bivision7 2u1S WL 172976S (S.B. Tex. Apiil 22, 2u1S), the FBI
submitteu a single Rule 41 waiiant application, coveiing all activities: finuing the
taiget, installing theii own softwaie, gatheiing auuiesses, taking pictuies, etc.
119


Anothei issue that can cause complications is the neeu foi technical
ieconnaissance'' to iuentify the piopei taiget machine.
12u
This may involve listening
to othei content of othei conveisations; this woulu, piesumably, iequiie its own
authoiization.

Finally, the uesign of this soit of tap piesents some oppoitunities foi minimization
by technical means, piioi to the usual minimization that is iequiieu by law.
Aiguably, this shoulu be specifieu in the waiiant as well.
121


E" -%)2*$3)$(%3
Bow shoulu a law enfoicement exploit softwaie platfoim be uesigneu. The special
legal iequiiements, the technical quiiks involveu in exploitation, the speeu
technology changes, the lifetime of a vulneiability, the neeu foi non-piolifeiation,
anu even buugetaiy constiaints all suggest that any fiamewoik of tools uevelopeu
foi suiveillance be easily configuiable anu ieauily auaptable. This in tuin suggests
that a highly mouulai aichitectuie is neeueu foi a vulneiability-baseu
communications inteicept vehicle.
122


119
Naik Eckenwilei, foimeily a top }ustice Bepaitment authoiity on suiveillance, has inuicateu that
intiusions neeueu to execute pen iegistei oiueis can be peifoimeu solely on that lessei stanuaiu; *--
"FBI Taps Backei Tactics to Spy on Suspects", J(99 =)/--) F"$/%(9, August S, 2u1S, available at
http:online.wsj.comaiticleSB1uuu1424127887S2S997uu4S7864199SS882S9674.html.
12u
=-- Section Iv.B, &%./(.
121
=-- Section Iv.C, &%./(.
122
Besigning systems to use mouules is stanuaiu softwaie engineeiing piactice. By uefinition,
mouules communicate via well-uefineu inteifaces, allowing easy substitution of uiffeient veisions.


(See, e.g., B.L. Painas, "0n the ciiteiia to be useu in uecomposing systems into mouules."
!"##$%&'()&"%* ". )C- ,!U 1S.12 (1972): 1uSS-1uS8.) A goou example of a mouulai fiamewoik is a
pictuie euitoi. Nany uiffeient file foimats}PEu, TIFF, PNu, etc.can be impoiteu. The euiting is
uone the same way, iegaiuless of the input foimat; following that, the new veision can be stoieu in
any of these foimats. In othei woius, a file foimat inputoutput ioutine is a sepaiate mouule. The
same is tiue foi vulneiability-baseu suiveillance. With a well-uesigneu fiamewoik, execution of a
wiietap coulu be as simple as choosing a wiietap mouule, an exploit, anu waiiant infoimation,
enteiing the taiget infoimation, anu piessing "uo". The system will then builu the payloau foi
Lawful Hacking SS
The paiticulai components to be useu against any given taiget will vaiy wiuely.
Consiuei the choice of initial exploit. Foi a taiget with an oluei (anu unpatcheu)
system, an oluei anu publicly-known exploit might be sufficient. Foi wiietapping
someone using a newei opeiating system, oi one that's fully patcheu, an olu
vulneiability will no longei suffice, thus foicing the use of a newei but moie
sensitive one. Anothei taiget, not using the common application taigeteu by eithei
of the pievious two, might iequiie yet a thiiu vulneiability. Any of these exploiteu
weakness coulu potentially be closeu on the taigets' systems at any time, which
coulu iequiie the use of yet anothei one.
12S

Theie aie othei consiueiations as well. If only voice communications aie to be
pickeu up, theie is no neeu to incluue any keystioke-logging capability in the
payloau. Inueeu, the less coue is incluueu, the less the iisk of the tap being
uiscoveieu. Peihaps moie impoitant, coue that isn't incluueu can't be iepuiposeu
by someone else, thus aiuing in non-piolifeiation.
124
Beyonu that, selective
inclusion aius in waiiant compliance, by limiting what is collecteu to what the
couit's oiuei peimits. This is uiscusseu in moie uetail below.
12S

A mouulai fiamewoik can be extiemely cost-effective ielative to othei uesigns. By
uesign mouules aie plug-anu-play. No mattei how uiffeient they may be on the
insiue, the way the mouules communicate with the fiamewoik is stanuaiuizeu. The
uesign makes it easy to have many uiffeient people to uevelop exploits foi the same
fiamewoik, anu stiaightfoiwaiu foi people to use new ones. When an exploit
become obsolete, only the mouule containing that exploit neeus to be iewiitten.
Pie-configuieu waiiant mouules pioviue assuiance to law enfoicement that exploit
will collect the communications they neeu,
126
anu to the juuge that the exploit anu
payloau behave as specifieu in the waiiant. If the investigation changes anu a new
waiiant mouule is neeueu, the exploit executable only neeus to be iecompileu with
the new mouule, anu ieinstalleu.

," 13)2#*)4> -973)$9 &; L*#*J*M4$*&#
The wiietap statue specifies that "Eveiy oiuei anu extension theieof . shall be
conuucteu in such a way as to minimize the inteiception of communications not
otheiwise subject to inteiception unuei this chaptei".
127
While this is noimally a
mattei foi tiial anu appellate juuges to iule on, a piopeily uesigneu inteicept
package can caiiy out some of this task. This pioviues gieatei piivacy foi

automatic installation. New exploits oi new waiiant infoimation aie sepaiate mouules; the iest of
the piogiam isn't affecteu.
12S
=-- Section Iv.E, &%./(7 foi a uiscussion of the lifetime of these components
124
=-- Section v, &%./(I
12S
=-- Section Iv.C, &%./(.
126
=-- Section Iv.C, &%./(.
127
18 0.S.C. 2S18(S).
Lawful Hacking S6
inuiviuuals not taigeteu by the waiiant. Noie subtly, by automatically eliminating a
lot of the extianeous content, it eases the task of humans chaigeu with minimization
anu thus likely ieuuces theii eiioi iate.
128

A warrant must clearly specify what communications may and may not be collected:
Each order authorizing or approving the interception of any wire, oral, or electronic communication under this chapter shall specify ...
(a) the identity of the person, if known, whose communications are to be intercepted;
...
(c) a particular description of the type of communication sought to be intercepted.[129]

Intercepts that collect more than is authorized are legally problematic, to say the least.[130]

A modular architecture greatly simplifies the execution of the warrant. Modules for common warrant specifications would contain pre-configured values (such as types of data to collect or ignore, specified ports to listen on, and time-limits). The framework would compile these values into a properly tailored exploit executable automatically, without the need for any special configuration by the law enforcement technicians.[131]

[128] While we do not suggest or think that a program can perform full minimization, it can certainly carry out mechanical aspects, e.g. excluding services and perhaps users not covered by the warrant.
[129] 18 U.S.C. 2518(4).
[130] According to documents obtained by the Electronic Privacy Information Center under FOIA, when the FBI's UBL unit (Usama bin Laden) was conducting FISA surveillance, "The software was turned on and did not work properly. The FBI software not only picked up the E-mails under the electronic surveillance of the FBI's target [redacted] but also picked up E-mails on non-covered targets. The FBI technical person was apparently so upset that he destroyed all the E-mail take, including the take on [redacted] under the impression that no one from the FBI [redacted] was present to supervise the FBI technical person at the time." (Memo from [redacted] to Spike (Marion) Bowman, Subject: [redacted], April 5, 2000, http://www.epic.org/privacy/carnivore/fisa.html, last viewed August 18, 2006).
[131] "Compilation" is the process of turning human-readable "source code", written in a language like C or C++, into the string of bytes that are actually understood by the underlying hardware. At compilation time, it is possible to select which sections of the program should be included in the eventual module.

Figure 1: A sample warrant configuration screen from Carnivore. This filter is set up to intercept all inbound (POP) and outbound (SMTP) email from user mdoe.
The warrant configuration screen[132] from the (now obsolete) Carnivore wiretapping system[133] provides a useful example. Note how it has options for full content and pen register capture, fields for identifying which protocols should be captured, which IP addresses or users should have their data monitored, and so on. A similar scheme should be used here, with a crucial difference: modules not selected would not be included in the payload installed on the target's machine.


[132] This image is taken from Figure C-16 of Stephen P. Smith, Henry H. Perritt, Jr., Harold Krent, Stephen Mencik, J. Allen Crider, Mengfen Shyong, and Larry L. Reynolds, Independent Review of the Carnivore System: Final Report, December 8, 2000, IITRI CR-030-21, available at http://www.epic.org/privacy/carnivore/carniv_final.pdf.
[133] Carnivore was later renamed as the DCS 1000, and has since been retired in favor of commercial solutions. The apparent abandonment of the package is discussed in the 2002 and 2003 FBI reports to Congress (Carnivore/DCS-1000 Report to Congress, February 24, 2003, and December 18, 2003, available at https://epic.org/privacy/carnivore/2002_report.pdf and https://epic.org/privacy/carnivore/2003_report.pdf).

[Figure 1 image: a page of the IITRI report (IITRI CR-030-216, page C-17, section C.8.3, "Filter Setup") reproducing Figure C-16, "Filter Setup for Power Failure Test". The filter parameters shown: Full mode; TCP protocol on SMTP (port 25) and POP3 (port 110); SMTP user mdoe@iitri.org; POP3 user mdoe.]
Other information can also be used for minimization. Assume, for example, that police know from other means that their suspect uses only one of the user profiles (i.e., logins) on a shared computer.[134] The intercept module, if properly configured, can operate only when that user is logged in. Similar filters can be used for communications applications, e.g., Skype, that have their own logins.
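As an added illustration of the two passages above (the pre-configured warrant module with its ports, data types and time limits, and the logged-in-user filter), and not code from the paper or from any actual intercept system, the following Python sketch applies a warrant specification to a stream of captured records and logs every decision for later review by the humans who do the legal minimization. The WarrantSpec and Record layouts, the order naming user "mdoe", and the five sample records are all constructed for the example.

```python
"""Warrant-scoped minimization filter (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class WarrantSpec:
    """Values a pre-configured warrant module would carry (hypothetical layout)."""
    target_users: frozenset    # logins / application accounts named in the order
    allowed_ports: frozenset   # protocols named in the order, e.g. 25 (SMTP), 110 (POP3)
    not_before: datetime
    not_after: datetime
    full_content: bool         # False: pen-register style, addressing data only


@dataclass(frozen=True)
class Record:
    """One captured item as the intercept module sees it (constructed format)."""
    ts: datetime
    logged_in_user: str        # OS profile active on the (possibly shared) machine
    account: str               # application-level login, "" if the app has none
    port: int
    payload: bytes


@dataclass
class MinimizationFilter:
    spec: WarrantSpec
    log: List[Tuple[str, str]] = field(default_factory=list)

    def reject_reason(self, rec: Record) -> Optional[str]:
        """Why a record falls outside the order, or None if it is in scope."""
        if not (self.spec.not_before <= rec.ts <= self.spec.not_after):
            return "outside authorized time window"
        if rec.port not in self.spec.allowed_ports:
            return "protocol/port not named in the order"
        if rec.logged_in_user not in self.spec.target_users:
            return "logged-in user is not a named target"
        if rec.account and rec.account not in self.spec.target_users:
            return "application account is not a named target"
        return None

    def decide(self, rec: Record) -> Optional[dict]:
        """Keep an in-scope record (content only if authorized); log every decision."""
        stamp = f"{rec.ts.isoformat()} port={rec.port} user={rec.logged_in_user}"
        reason = self.reject_reason(rec)
        if reason is not None:
            self.log.append(("DISCARD", f"{stamp}: {reason}"))
            return None
        item = {"ts": rec.ts, "account": rec.account, "port": rec.port}
        if self.spec.full_content:
            item["payload"] = rec.payload
        self.log.append(("COLLECT", stamp))
        return item


def run_sample() -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Apply a constructed pen-register order naming user 'mdoe' to five sample records."""
    utc = timezone.utc
    spec = WarrantSpec(
        target_users=frozenset({"mdoe"}),
        allowed_ports=frozenset({25, 110}),
        not_before=datetime(2013, 8, 1, tzinfo=utc),
        not_after=datetime(2013, 8, 31, tzinfo=utc),
        full_content=False,
    )
    t = datetime(2013, 8, 10, 9, 0, tzinfo=utc)
    records = [
        Record(t, "mdoe", "mdoe", 25, b"outbound mail"),                        # in scope
        Record(t, "mdoe", "", 443, b"web traffic"),                              # port not in order
        Record(t, "jsmith", "", 110, b"housemate's mail"),                       # other profile
        Record(datetime(2013, 9, 2, tzinfo=utc), "mdoe", "mdoe", 110, b"late"),  # order expired
        Record(t, "mdoe", "other@example.org", 110, b"second account"),          # other account
    ]
    flt = MinimizationFilter(spec)
    collected = [item for item in (flt.decide(r) for r in records) if item is not None]
    return collected, flt.log


if __name__ == "__main__":
    items, log = run_sample()
    for kind, line in log:
        print(kind, line)
    print(len(items), "item(s) retained")
```

Each discard is logged with its reason, since a minimization step that silently drops data is as hard to audit as one that silently keeps it; the decision log, more than the retained items, is what a reviewing judge or minimization officer would want to see. The filter only enforces what the order names; whether a borderline record is pertinent remains a human judgement, as footnote 128 notes.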
C" 13)2#*)4> N3)&##4*994#)3
The ieconnaissance phaseleaining enough about the taiget to install the
necessaiy monitoiing softwaieis essential to a successful compiomise. Because
exploits must be exquisitely tailoieu to paiticulai veisions anu patch levels, using
the wiong exploit fiequently iesults in failuies, anu can even iaise aleits oi cause
suspicious ciashes. Theie aie a numbei of wiuely useu, ieauily available tools.
Nany of the best tools aie even available in a fiee, ieauy-to-use uownloauable
toolbox; see, e.g., the Backtiack-Linux Penetiation Testing Bistiibution.
The most common fiist step is to check publicly available infoimation. BNS
1SS
anu
Whois
1S6
lookups aie useu to finu Inteinet uomain anu IP infoimation. Simple use
of seaich engines anu scouiing the social meuia sites often pioviues some
infoimation about the taiget's opeiating system, cell-phone platfoim, seivice
pioviuei, anu commonly useu applications. With the appiopiiate legal piocess, e.g.,
a subpoena oi couit oiuei unuei 18 0.S.C. 27uS(u), some of this infoimation may
also be available fiom the seivice pioviuei.
If the investigatois have access to some emails fiom the taiget, a gieat ueal of
infoimation may be founu by stuuying the heaueis. An examination of some of oui
test emails showeu such lines as:
Nime-veision: 1.u (Nac 0S X Nail 6.2 (1499))
X-Nailei: Apple Nail (2.1499)
anu
X-Nailei: iPhone Nail (1uB146).
which aie iathei cleai inuicatois of which opeiating system is in use.
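Added example, not from the paper: the header lines quoted above are exactly what a sender's own outgoing mail discloses, so the same observation can be turned into an audit of what one's messages leak. The script below parses the header block of a message and reports every header that names the client or platform. The three messages are constructed (the X-Mailer and Mime-Version lines are those quoted in the text), and the PLATFORM_HINTS table is a small hand-built mapping, not an authoritative one.

```python
"""Mail-client fingerprint audit (added example; constructed messages)."""
import re
from email import message_from_string
from typing import Dict, List

# Headers whose values routinely carry software names and versions.
FINGERPRINT_HEADERS = ("X-Mailer", "User-Agent", "Mime-Version")

# Indicator substring -> platform.  Hand-built for the example, not authoritative.
PLATFORM_HINTS = {
    "iPhone Mail": "iOS",
    "Mac OS X Mail": "OS X",
    "Apple Mail": "OS X",
}

# A parenthesised comment, allowing one level of nesting, e.g. "(Mac OS X Mail 6.2 (1499))".
_COMMENT = re.compile(r"\(([^()]*(?:\([^()]*\)[^()]*)*)\)")


def client_indicators(raw_message: str) -> List[Dict[str, str]]:
    """Return each header that discloses the sender's mail client or platform."""
    msg = message_from_string(raw_message)
    findings = []
    for name in FINGERPRINT_HEADERS:
        for value in msg.get_all(name, []):
            disclosed = value
            if name == "Mime-Version":
                # "Mime-Version: 1.0" alone says nothing; only a comment leaks the client.
                match = _COMMENT.search(value)
                if match is None:
                    continue
                disclosed = match.group(1)
            platform = next((p for needle, p in PLATFORM_HINTS.items() if needle in disclosed), "unknown")
            findings.append({"header": name, "value": value, "platform": platform})
    return findings


# Constructed messages; the X-Mailer / Mime-Version lines are the ones quoted in the text.
SAMPLES = {
    "mac": "\n".join([
        "From: alice@example.org",
        "To: bob@example.org",
        "Subject: constructed test message",
        "Mime-Version: 1.0 (Mac OS X Mail 6.2 (1499))",
        "X-Mailer: Apple Mail (2.1499)",
        "",
        "body",
    ]),
    "iphone": "\n".join([
        "From: alice@example.org",
        "To: bob@example.org",
        "Subject: constructed test message",
        "Mime-Version: 1.0",
        "X-Mailer: iPhone Mail (10B146)",
        "",
        "body",
    ]),
    "clean": "\n".join([
        "From: alice@example.org",
        "To: bob@example.org",
        "Subject: constructed test message",
        "Mime-Version: 1.0",
        "",
        "body",
    ]),
}


def audit_samples() -> Dict[str, List[Dict[str, str]]]:
    """Run the audit over the constructed messages, keyed by sample name."""
    return {name: client_indicators(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or "no client indicators")
```

Run over a mailbox of sent messages, the audit shows which accounts or devices advertise their exact software version; the usual remediation is to strip or blank these headers at the outgoing mail server, since the receiving side needs none of them.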

[134] This is sometimes the case; see, e.g., State of Ohio v. Castagnola, 2013 Ohio 1215, 2013 Ohio App. LEXIS 1115 (2013).
[135] The DNS (the Domain Name System) is used to convert human-friendly names such as www.fbi.gov to the numeric IP address understood by low-level Internet hardware. Information in the DNS is especially useful when trying to break into organizations rather than individual users' computers; see, e.g., Chapter 6 of William Cheswick, Steven M. Bellovin, and Avi Rubin, Firewalls and Internet Security, Second Edition, Addison-Wesley, 2003.
[136] Whois is a service listing the ownership of domain names, address blocks, etc.
To remotely access a machine an attacker generally needs to know the IP and/or MAC addresses of the machine,[137] the operating system (including exact version and patch level), what services are running on the machine, which communications ports are open, what applications are installed and whether the system contains any known vulnerabilities. This process of discovery is referred to as "Mapping" and "Enumeration".[138]

Mapping can be of the system or the network (or both). Network mapping can be WiFi or Ethernet, and can refer to finding hidden networks, or to enumerating all the devices and their addresses connected to a particular network. Mapping the target device or system requires finding the so-called "MAC address", a hardware address transmitted when speaking over Ethernet, WiFi, and Bluetooth networks. If the target of a tap is using a smartphone at a public hotspot, detecting that person's MAC address could, for example, reveal what brand of phone is being used.

Another way to ascertain the system version is to perform "OS fingerprinting". OS fingerprinting involves looking for subtle differences in the network protocol implementations of different operating systems, and in particular the response of the system being examined to various probes. NMAP, a freely available popular network security tool,[139] is most commonly used. In addition to OS fingerprinting, NMAP does open service and open port identification and limited vulnerability scanning.

The final step in the information-gathering phase is to scan the target system to see if it is vulnerable to common vulnerabilities.[140]

[137] IP and MAC addresses are networking concepts. MAC addresses are generally hard-wired in a computer's communications hardware, though sophisticated users can change them. IP addresses are often transient, but tend to remain the same for a given computer in a given location. While IP addresses are typically assigned by the network administrator of the site at which the computer is located, MAC addresses are assigned by the manufacturer and therefore indicate the computer type and model.
[138] On networked computer systems, services offered are assigned to particular (and generally standardized) "port numbers", a more or less arbitrary value between 1-65535. Port enumeration is the process of seeing what ports, and hence what services, are available on a given system. Using open ports for intrasystem communication, rather than more secure alternatives, was one of the items cited in the FTC complaint against HTC; see In the Matter of HTC America, a Corporation, Complaint, FTC File No. 122 3049, 2013.
[139] Gordon "Fyodor" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, Nmap Project, 2009.
[140] There are a number of widely-used vulnerability scanning systems. Nessus (available from http://www.tenable.com/products/nessus) is the most widely used one; it can scan for thousands of vulnerabilities and plug-ins, and even provides detailed mobile device information (serial numbers, model, version, last connection timestamps). Another popular one is Nexpose (https://www.rapid7.com/products/nexpose).
/" O*#'*#5 G(>#3%4H*>*$*39
0nce the taiget has been auequately iuentifieu anu scanneu, a suitable vulneiability
must be iuentifieu. The piimaiy ciiteiion, of couise, is compatibility with the usei's
opeiating system; anothei ciucial one is moue of ueliveiy. Some exploits, foi
example, can be ueliveieu by email messages; otheis iequiie the usei visiting a
paiticulai web page, oi opening a file with a specific, vulneiable application. Email
ueliveiy is easiest because it uoesn't iequiie the usei to take any paiticulai action,
but apait fiom the fact that it might be noticeu theie is always the iisk that a spam
filtei will catch it.
141
Anothei class of exploits iequiies being on the same local
netwoik
142
as the victim, oi on an inteiconnecteu netwoik if theie aie no
inteivening fiiewalls.
14S
Even infecteu 0SB flash uiives have been useu; inueeu, the
Stuxnet attack on the Iianian nucleai centiifuge plant is believeu to have staiteu
that way.
144


Nany exploits aie publicly announceu;
14S
these aie often available in easy-to-launch
pie-packageu sciipts. The Netasploit Pioject hosts the laigest uatabase of these
sciipteu publicly available exploits (calleu 'mouules').
146
These mouules can be
utilizeu by a numbei of uiffeient exploitation applications such as the Netasploit
Fiamewoik anu Coie Impact Pio.
147
The NIST National vulneiability

141
Senuing email messages ciafteu to appeai genuine to a paiticulai taiget is known as "speai-
phishing". In skilleu hanus, speai-phishing is extiemely effective. Piess iepoits suggest that is one of
the piimaiy schemes useu by cybeiespionage units; *--7 -I;I7 }aikumai vijayan, "BBS wains of speai-
phishing campaign against eneigy companies", !"#>$)-/1"/9E, Apiil S, 2u1S, available at
https:www.computeiwoilu.comsaiticle92S819uBBS_wains_of_speai_phishing_campaign_agai
nst_eneigy_companies.
142
A LAN (Local Aiea Netwoik) is geneially a high-speeu netwoik that coveis a ielatively small aiea.
Typical LANs incluue most home netwoiks, WiFi hotspots, oi, in an enteipiise, a single uepaitment.
LANs aie inteiconnecteu to each othei oi to WANs (Wiue Aiea Netwoik) by /"$)-/*.
14S
Nost home iouteis aie technically known as Netwoik Auuiess Tianslatois (NATs). Foi these
puiposes, NATs seive the same puipose as fiiewalls; these attacks cannot be launcheu at a taiget that
is behinu a NAT.
144
=-- =)$:%-)7 *$>/( footnote 17. It is uncleai how the initial Stuxnet infection was launcheu. 0ne
theoiy is auvanceu in Bamfoiu, "NSA Snooping Was 0nly the Beginning. Neet the Spy Chief Leauing
0s Into Cybeiwai", Wiieu Thieat Level Blog, }une 12, 2u1S, available at
http:www.wiieu.comthieatlevel2u1Su6geneial-keith-alexanuei-cybeiwaiall.
14S
The 0S Computei Emeigency Reauiness Team 0S-CERT maintains a fiequently upuateu list of
vulneiabilities. Secuiity ieseaicheis anu piivately owneu ieseaich laboiatoiies such as vulneiability
Lab anu Immunityinc announce vulneiabilities on websites anu Twittei when they aie uiscoveieu.
veiifieu vulneiabilities aie collecteu, categoiizeu, anu enumeiateu in the compiehensible, seaichable
NIST NvB uatabase.
146
The Netasploit Pioject (owneu by Rapiu7). Each of these exploits in the uatabase consists of a
specific vulneiability packageu into a mouule which can be loaueu into an attack application, such as
the Netasploit Fiamewoik, to iun. Because of the populaiity of the Netasploit Fiamewoik, many
exploits solu aie available as Netasploit mouules. See https:exploithub.com foi some examples.
147
The Netasploit Fiamewoik, available fiom http:www.metasploit.com, is the most wiuely useu
exploitation application available touay. It is available in both fiee anu commeicial veisions anu has
a wiue uevelopei base. Coie Impact Pio is a sepaiate commeicially piouuct. Coie Impact Pio may be
puichaseu fiom http:www.coiesecuiity.com
Lawful Hacking 41
Batabase(NvB) lists all the known vulneiabilities, incluuing what veisions of what
systems aie affecteu anu iefeiences to moie infoimation (but no actual exploit
infoimation). Actual infoimation about the exploit, incluuing an executable sciipt
oi some pioof-of-concept souice coue is often publisheu on one of a numbei of well-
iegaiueu websites anu public mailing lists.
The seconu class contains the piivately helu exploits; these incluue the zeio-uays
uesciibeu above,

as well as exploits foi sale by piofessional secuiity vulneiability
ieseaicheis. We uiscuss these in uetail in Section u.
Sometimes, no publicly available vulneiabilities will be usable, anu the option of
puichasing one fiom the vulneiabilities maiket will be unueisiieable oi unavailable.
In that case, law enfoicement agentsmoie likely, a cential "vulneiability Lab"
must finu one.
148
While this issue is out of scope heie, we note theie aie many
commonly available tools iegulaily useu foi this puipose by softwaie venuois
tiying to piotect theii piouucts anu by attackeis.
Finally, in the iaie case wheie uiiectly compiomising a taiget platfoim thiough an
exploit is not possible, a technique known as a "Nan-in-the-Niuule" (NitN) attack
might be useu.
149
Such attacks involve inteiiupting the communications path
between the taiget anu some site the taiget is tiying to access; the attack tool then
inteicepts communications intenueu foi that iesouice. A successful NitN attack
might be anothei way to launch an attack; alteinatively, it coulu peimit acquisition
of passwoius anu account infoimation that woulu pioviue law enfoicement with
access to othei useful iesouices.
1Su


O" /K7>&*$9 4#' P%&'()$*M*#5
While off-the-shelf exploits may be available to law enfoicement on the black
maiket, police uo not iequiie theii functionality, which is installing geneial-puipose
iemote-access malwaie to senu spam, steal bank account numbeis, etc. Rathei, they
wish to gathei specific items of uata authoiizeu by the waiiant, anu to uo so in a
foim suitable foi piesentation in couit. In auuition, access to a taiget system by a

148
The FBI alieauy opeiates the Bomestic Communications Assistance Centei, which appaiently uoes
at least some of this; *--7 -I;I7 Capioni, "uoing Baik: Lawful Electionic Suiveillance in the Face of New
Technologies," Subcommittee on Ciime, Teiioiism, anu Bomelanu Secuiity, Committee on }uuiciaiy,
Febiuaiy 17, 2u11, http:juuiciaiy.house.govheaiingsheai_u2172u11.html, anu B. NcCullagh,
"FBI uietly Foims Secietive Net-Suiveillance," !H2D, Nay 22, 2u12, http:news.cnet.com 8Su1-
1uu9_S-S74S97S4-8Sfbi-quietly-foims-secietive -net-suiveillance-unit.
149
NitN attacks can be useu at any time. Bowevei, they aie almost always haiuei to uo, since they
iequiie inteifeiing with the tiaffic of exactly one usei who may be at an unknown location. They aie
also moie uetectable than othei attacks, albeit only by veiy sophisticateu useis.
1Su
Bepenuing on the piovisions of the oiiginal waiiant, it may be necessaiy to seek a mouification.
In paiticulai, a waiiant peimitting inteiception of communications uoes not giant the iight to seaich
stoieu email aichives; that woulu iequiie an oiuei unuei the Stoieu Communications Act (18 0.S.C.
27u1 -) *-R).
Lawful Hacking 42
law enfoicement agent must take caie to pieseive eviuence anu chain of custouy.
1S1

This implies uue attention to piecise logging of exactly what was uone, when, anu by
whom. Consequently, off-the-shelf exploits (as opposeu to vulneiabilities) aie by
themselves not likely to be paiticulaily useful to law enfoicement, except as a
staiting point oi peihaps unuei exigent ciicumstances.
1S2

The three parts of a law enforcement eavesdropping product (the exploit, which provides access to the system; the eavesdropping code; and the supporting infrastructure) all have different characteristics and lifetimes. Due to their specificity, installation characteristics, vendor patches, etc., exploits have the shortest lifetime. Accordingly, a good methodology for their use is the dropper/payload model, where the product is composed of two parts, a penetrator and a payload encrypted specifically for the particular target. The penetrator is the dropper, the initially injected part that exploits the actual vulnerability and thus gains access to the target system. Once access is acquired, the penetrator decrypts the law enforcement-specific payload. Encrypting the payload is a security measure to ensure that the eavesdropping code can't easily be recovered or reused by criminals who obtain a copy; it also ensures that the payload targets the correct system. The latter is accomplished by using target-specific information, such as serial numbers, the MAC address, IP address, etc., as the key to encrypt and decrypt the payload.[153] The penetrator picks this up at payload installation time; the earlier technical reconnaissance would have acquired the same information. (The identifiers chosen must be stable between reconnaissance and installation: a key derived from a DHCP-assigned IP address, for instance, fails on the intended target as soon as the address changes.) This method protects untargeted machines from compromise: if the code is executed on the wrong machine, decryption will fail.
The payload itself should be designed to provide the access specified in the warrant with minimal changes to the target system. What changes are necessary should be logged and time-stamped in such a way as to provide documentation that vital evidence was neither altered nor destroyed. If the warrant includes provisions for recording communications, the payload should also contain provisions for minimization, including "recording on/off" switches and a record of the length and time of communications recorded. Payloads don't change very much over time. While they may need to adapt to different major versions of operating systems, they generally rely on features not likely to change very often. Similarly, malicious payloads that have already been installed are rarely disabled by vendor patches.

[151] See Timothy M. O'Shea and James Darnell, "Admissibility of Forensic Cell Phone Evidence", in US Attorneys' Bulletin 59:6, November 2011, available at http://www.justice.gov/usao/eousa/foia_reading_room/usab5906.pdf. Also see Department of Justice Electronic Surveillance Manual, June 2005, for a discussion of sealing intercepts to protect their integrity.
[152] See Section VII.B, infra.
[153] Encryption is accomplished through the use of an algorithm, which may be public, and a key, a piece of secret data. If the encryption algorithm is strong, it should be effectively impossible to decrypt the file without knowledge of the key.
The infrastructure has an intermediate lifetime. Some of it, such as the code to set up encrypted channels to the investigators, is straightforward and not particularly tied to unusual law-enforcement needs; this code will be quite long lived. The command-and-control subsystem (the mechanism with which investigators control the tap, turn recording on and off, etc.) is similarly straightforward, although the fine details will be specific to this application. Much of this code will be virtually the same even across many different operating systems. On the other hand, the concealment mechanisms (the code that hides the existence of the payload from the computer's owner, and even from specialists who may have been hired to "sweep" the computer for bugs) are likely to be highly dependent on the operating system, including the particular version, and will change fairly frequently.
It is a good idea for the payload to have a self-destruct option, perhaps tied to the time limit set by the warrant, after which the law enforcement software restores the target system to its pre-exploit state, erases itself, and removes all evidence of its presence.[154] This not only helps prevent proliferation, it may be necessary to comply with the legal requirements for time limits on wiretap orders.[155]
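The logging, minimization and self-destruct requirements described in the two preceding paragraphs, as an added example in Python. This is not code from the paper or from any deployed tool; the class names, the warrant window and the sample messages are constructed for illustration, and the hash-chained log is our choice of tamper-evidence mechanism, not one the paper prescribes.

```python
"""Tamper-evident audit log and warrant-window gate for an intercept payload.

Added illustration, not from the paper. Names (AuditLog, InterceptPayload)
and the sample warrant window and messages are constructed for the example.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


class AuditLog:
    """Append-only, hash-chained record of who did what and when.

    Every entry commits to the hash of the previous entry, so editing or
    deleting any entry invalidates every entry after it: the log documents
    that the record of what was done was neither altered nor destroyed.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, when, detail=""):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": when.isoformat(), "actor": actor, "action": action,
                "detail": detail, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class InterceptPayload:
    """Captures traffic only inside the warrant window and only while an
    operator has switched recording on; every decision is logged."""

    def __init__(self, warrant_start, warrant_end, log):
        self.warrant_start = warrant_start
        self.warrant_end = warrant_end
        self.log = log
        self.recording = False
        self.destroyed = False

    def set_recording(self, actor, on, now):
        """Minimization switch: operators stop recording non-pertinent traffic."""
        self.recording = on and not self.destroyed
        self.log.record(actor, "recording_on" if self.recording else "recording_off", now)

    def capture(self, actor, message, now):
        """Return the message if it may be recorded, else None (and log why not)."""
        if now >= self.warrant_end:
            self.self_destruct(now)
            return None
        if self.destroyed or now < self.warrant_start:
            self.log.record(actor, "refused_outside_warrant", now)
            return None
        if not self.recording:
            self.log.record(actor, "minimized", now, detail=f"{len(message)} bytes not kept")
            return None
        self.log.record(actor, "captured", now, detail=f"{len(message)} bytes")
        return message

    def self_destruct(self, now):
        """Warrant expired: stop recording and log the removal. A real payload
        would also restore the host and delete itself at this point."""
        if not self.destroyed:
            self.destroyed = True
            self.recording = False
            self.log.record("payload", "self_destruct", now)


def demo():
    """Constructed scenario: a 30-day warrant, a few calls, then expiry."""
    start = datetime(2013, 8, 1, tzinfo=timezone.utc)
    log = AuditLog()
    tap = InterceptPayload(start, start + timedelta(days=30), log)
    t = start + timedelta(days=1)
    kept = []
    tap.set_recording("agent17", True, t)
    kept.append(tap.capture("agent17", b"pertinent call #1", t))
    tap.set_recording("agent17", False, t + timedelta(minutes=5))  # privileged call
    kept.append(tap.capture("agent17", b"attorney-client call", t + timedelta(minutes=6)))
    tap.set_recording("agent17", True, t + timedelta(minutes=20))
    kept.append(tap.capture("agent17", b"pertinent call #2", t + timedelta(minutes=21)))
    kept.append(tap.capture("agent17", b"after expiry", start + timedelta(days=31)))
    return tap, log, kept


if __name__ == "__main__":
    tap, log, kept = demo()
    print([m for m in kept if m is not None], log.verify(), tap.destroyed)
```

Verifying the chain detects any edit to an earlier entry, so an operator cannot quietly drop the record of a minimized call. What the chain alone cannot prove is that the newest entries were not truncated, which is why a real deployment would also deposit the latest hash with the court or an independent custodian at regular intervals.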

A good example of how this might work in practice is demonstrated by a piece of malware with ties to Stuxnet[156] called Gauss.[157] Discovered in August 2012, Gauss is apparently an espionage tool. It uses a known vulnerability and shares some code with other known malware in its dropper, but even today, after several months of intense analysis, the behavior of its payload remains unknown. Gauss uses cryptographic methods and tools, and only installs and runs on machines specifically targeted by Gauss's developers; on non-targeted machines it remains encrypted and inert. Gauss also sets up a secure method to send data to its command and control centers. Ars Technica reports that "The setup suggests that the command servers handled massive amounts of traffic."[158]

G. The Vulnerabilities Market

With the availability of openly published vulnerability information and free exploitation tools, one might question why we discuss purchasing vulnerabilities or

[154] Fritz Hohl, "Time limited blackbox security: Protecting mobile agents from malicious hosts." Mobile Agents and Security. Springer Berlin Heidelberg, 1998. 92-113, available at http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.40.8427
[155] 18 U.S.C. 2518(4)(e).
[156] See Stuxnet, supra footnote 17.
[157] Dan Goodin, "Nation-sponsored malware with Stuxnet ties has Mystery Warhead", Ars Technica Security, August 9, 2012. See http://arstechnica.com/security/2012/08/nation-sponsored-malware-has-mystery-warhead. The report mentioned in the article can be found at https://www.securelist.com/en/downloads/vlpdfs/kaspersky-lab-gauss.pdf. Again, this was an intelligence effort, not a law enforcement one; nevertheless, it provides a proof of concept.
[158] Dan Goodin, "Puzzle box: The quest to crack the world's most mysterious malware warhead", Ars Technica Security, March 14, 2013, http://arstechnica.com/security/2013/03/the-worlds-most-mysterious-potentially-destructive-malware-is-not-stuxnet
exploits from researchers at all. The answer is the improved security of target systems. As software developers and vendors have improved the quality of their software and incorporated defenses such as firewalls and anti-virus packages, vulnerabilities have become harder to find and to exploit.

Software companies have also generally accelerated the rate at which they release security patches after critical vulnerabilities have been announced. This may result in a well-patched and well-maintained system being more difficult to compromise. Additionally, as stated above, exploits must be carefully tailored to the individual target machine. This means it requires more skill to develop a working exploit, making new effective exploits a valuable commodity for their creator. Thus a technically savvy target, someone who is conscientious about maintaining their system with up-to-date security patches, is careful about not installing software from unverified sources, uses encryption, doesn't open links from email, and doesn't access questionable websites, may not be vulnerable to the easy public exploits. If law enforcement wishes to use a zero-day or lesser-known vulnerability to exploit a target, it must either have the appropriate vulnerability and exploit already on the shelf or else it must purchase one on the open market, itself a relatively recent phenomenon.

Finally, there may sometimes be a need to tap a particular suspect as quickly as possible. If there are no suitable off-the-shelf exploits available to the investigators and no time to find a new one, purchasing one may be the best option.[159]

The overt vulnerabilities marketplace had its start in 2004 when Mozilla launched the first successful bug-bounty program.[160] This program, still in effect today, pays security researchers for original vulnerabilities they discover.[161] Many other companies have followed suit with their own bug-bounty programs. Product developers are not the only groups that are interested in obtaining information regarding software vulnerabilities. Governments and computer security service providers such as iDefense and ZDI also pay for vulnerability information, particularly if the details on how to use it have not been made public (zero-days).[162]


[159] That an exploit has been purchased instead of being developed in-house does not change the need to report it promptly. However, under urgent conditions some delay may be appropriate. See Section VII.B.
[160] The original Mozilla Foundation press release announcing the Mozilla Security Bug Bounty Program can be found here: https://www.mozilla.org/en-US/press/mozilla-2004-08-02.html. For further examples see Kim Zetter, "With Millions Paid in Hacker Bug Bounties, Is the Internet Any Safer?," Wired Magazine, which lists prices, total paid out and date launched for several bug bounty programs. Available at http://www.wired.com/threatlevel/2012/11/bug-bounties/all
[161] See https://www.mozilla.org/security/bug-bounty.html
[162] In Feb 2006, iDefense, a vulnerability research company owned by Verisign Inc, offered a $10,000 prize for a previously unknown Microsoft security vulnerability. One of the requirements for winning the prize was that the vulnerability be submitted exclusively to iDefense. Similarly, TippingPoint's ZDI FAQ states that once a vulnerability has been assigned to TippingPoint, it cannot be distributed or even
The overt and underground markets in vulnerabilities, exploits and zero-days have expanded in recent years.[163] Many legitimate security research firms have made finding vulnerabilities and developing exploits for sale part of their business model.[164] Companies and individual security researchers sell information about privately discovered vulnerabilities (often with a proof-of-concept) or full-blown exploit code to groups of subscribers and to individuals. The prices and the amount of detail made public vary. Some companies (e.g., Vulnerability-Lab) and researchers publicly announce that a vulnerability has been discovered in a particular product, but reserve actual details for their customers. Other firms, such as Endgame, keep even the knowledge of the existence of the vulnerability for private sale. Prices range from $20.00 to $250,000.00,[165] but exclusive access to a critical zero-day is generally the most expensive. Recent news reports suggest that national governments (in particular intelligence and military agencies) have become major buyers.[166]

Companies such as Vupen and Vulnerability-Lab sell subscription services, which provide private and exclusive detailed information on disclosed or private critical vulnerabilities, to governments, law-enforcement authorities, and corporations. Annual subscriptions can run as high as $100,000 a year.[167] These companies also sell working exploits and offer special targeted exploit development for additional fees; exploit prices range between $5,000 and $250,000.00. The most valuable are those zero-days that can be used for cyber warfare (e.g., the Endgame Systems price list includes a 25-exploit package for $2.5 million[168]). Zero-days and exploits can also be purchased from exploit brokers such as Netragard or private brokers

discussed elsewhere until a patch is available from the vendor. See e.g., http://blog.washingtonpost.com/securityfix/2006/02/wanted_critical_windows_flaw_r.html
[163] Presumably, if criminals were the only ones interested in purchasing vulnerabilities, the market would still exist, but it would be underground. Similar markets do exist for other forms of criminal software, such as bots, credit card number loggers, etc.
[164] Some prominent examples include: Vupen Security, Vulnerability-Laboratory, Immunity Inc, Netragard, NSS Labs, Inc and Raytheon.
[165] Exploits currently offered for public sale from a wide variety of independent researchers may be purchased from http://exploithub.com. Further examples can be found in Andy Greenberg, "Meet the Hackers Who Sell Spies the Tools to Crack Your PC and Get Paid Six Figure Fees", Forbes Magazine. Available at: http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees
[166] See Nicole Perlroth and David E. Sanger, "Nations Buying as Hackers Sell Flaws in Computer Code", New York Times, July 14, 2013, available at https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html.
[167] Id.
[168] Michael Riley and Ashlee Vance, "Cyber Weapons: The New Arms Race", Bloomberg Businessweek Magazine, quoting David Baker, vice-president for services at the security firm IOActive: "Endgame is a well-known broker of zero-days between the community and the government," and by "community," he means hackers. "Some of the big zero-days have ended up in government hands via Endgame," Baker says. Available at: http://www.businessweek.com/magazine/cyber-weapons-the-new-arms-race-07212011.html#p4
who bid on exploits from sellers and negotiate with buyers on behalf of individual exploit developers.[169]


____________________________

The FBI has apparently already used vulnerabilities to deliver software to, and extract information from, various targets' machines. But if law enforcement uses vulnerabilities and exploits to conduct wiretaps when other methods fail (and as an alternative to CALEA-style taps in the IP world), it will face a difference in scale in the use of such techniques, and thus a difference in kind. That raises not just technical questions, but complex ethical and legal concerns as well. In the sections that follow, we turn to those.

[169] A number of reports have been published recently documenting the vulnerabilities market and the brokers who negotiate between buyers and sellers. See: The Economist, "The Digital Arms Trade", author unknown, available at http://www.economist.com/news/business/21574478-market-software-helps-hackers-penetrate-computer-systems-digital-arms-trade; Netragard, "Zero Day Exploit Acquisition Program", available at http://www.netragard.com/zero-day-exploit-acquisition-program; and Andy Greenberg, "Shopping For Zero-Days: A Price-List for Hackers' Secret Software Exploits", Forbes, March 23, 2012. Available at http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits.


V. Preventing Proliferation

As might already be clear, the use of an exploit to download a wiretap is far more complex than the simple placing of two alligator clips upon a wire. But what is far more critical is that the exploits employed in the installation of the wiretap may spread beyond the targeted device. Given that possibility, does the government even have the right to use vulnerabilities in its efforts to combat crime and protect national security? We consider this issue, then move on to examine techniques to prevent proliferation of the exploit beyond the intended target.

A. Policy Concerns in Deploying Exploits to Wiretap

We have started from some assumptions. There is probable cause that the suspect is committing a serious crime and using the targeted communications device to do so; other means of investigation have been tried and not netted the requisite information. A wiretap order has been authorized. But the target is using a communications technology (end-to-end encryption, peer-to-peer technology, or something not yet dreamt of) that prevents the standard methods of interception from working. Is it moral to use an exploit to intercept the communication when there is some risk, however small (but perhaps larger than anticipated), that the exploit may escape the device and be used elsewhere, causing great harm?

The issue of doing good but potentially doing harm in the process is a well-known problem in philosophy: "the doctrine of double effect," in which one pursues a moral action that has a consequence of causing harm. The philosopher Philippa Foot argued that the distinctions should be between what we do (direct intention) and what we allow (oblique action), between negative duties (avoidance of harm) and positive ones (activities to help),[170] and between duties and voluntary actions. In using vulnerabilities to execute wiretaps, law-enforcement investigators are performing their required duty of investigating a criminal activity. Under Title III, being granted a wiretap order means that evidence is essentially unobtainable in other ways.[171] The duty of investigating the criminal activity may require

[170] Philippa Foot, The Problem of Abortion and the Doctrine of the Double Effect, in VIRTUES AND VICES AND OTHER ESSAYS IN MORAL PHILOSOPHY, Oxford (1978) at 19-32.
[171] Recall that Section 2518(3)(c) requires that "normal investigative procedures have been tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous." This does not mean, however, that wiretaps may only be the last resort; see United States v. Smith, 893 F.2d 1573, 1582 (9th Cir. 1990).
wiretapping. If the only way to effect the wiretap is through the use of an exploit, then, following the logic presented by Foot regarding duty, this is the way to proceed. But there must be due diligence to contain the harm. There are several aspects to this, both the requirement to fully vet necessity and balance that against the good that may result, and the requirement that the exploit be designed to prevent proliferation beyond the target.

The law is all about balancing competing social goods. For example, the Fourth Amendment does exactly that, balancing the social good of society protecting itself against the social good of protecting individual privacy and security.[172] Consider law enforcement's use of vulnerabilities in the context of competing social goods. Use of vulnerabilities, at least without reporting them, is not unlike police use of confidential informants (CIs). CIs inform investigations even while aiding criminal activity.

A common law enforcement tactic is to use a lesser criminal to gather evidence about a higher-up. Within limits, crimes (including further crimes) committed by a "flipped" individual are largely forgiven, so long as that person is providing good evidence against the real target of the investigation. As Daniel J. Castleman, chief of the Investigative Division of the Manhattan district attorney's office, explained, "With confidential informants we get the benefit of intimate knowledge of criminal schemes by criminals, and that is a very effective way to investigate crime."[173]

What happens with wiretaps implemented via exploits is ultimately not very different. In both cases law enforcement seeks to catch what it believes to be a genuinely dangerous criminal. But here it seeks to do so by the collection of wiretap evidence. Installing the tap requires exploiting a vulnerability that law enforcement hopes will not be repaired before the tap is in place.

The purchase, and secrecy, of vulnerabilities raises several of the same moral dilemmas as the use of confidential informants. The history of police use of CIs is replete with instances where an informant has gone much too far, committing or failing to stop serious criminal activity; this has even included murder.[174] With wiretaps the "much too far" is of a somewhat different character, but with similar consequences: some crimes that the government could have stopped may not be

[172] While the usual interpretation of the Fourth Amendment is that it centers on protecting the privacy of the individual against searches by the state, Jed Rubenfeld convincingly argues that the amendment really concerns providing security for individuals against searches by the state; see Jed Rubenfeld, The End of Privacy, Stanford L.R. vol. 61, Issue 1 (October 2008), 101-161.
[173] Alan Feuer and Al Baker, "Officers' Arrest Puts Spotlight on Police Use of Informants," NEW YORK TIMES, January 27, 2008.
[174] There are multiple such examples, including the well-known one of the shooting of Viola Liuzzo, a white supporter of the Civil Rights movement who was shot while driving from a march in Selma, Alabama, by Ku Klux Klan members, one of whom was an FBI informant (Diane McWhorter, CARRY ME HOME: BIRMINGHAM, ALABAMA: THE CLIMACTIC BATTLE OF THE CIVIL RIGHTS REVOLUTION, Simon and Schuster, at 572-573).
prevented. By not reporting the vulnerability to the vendor and speeding its repair, law enforcement's inactivity is, by silence, potentially enabling criminal activity against other users of the same hardware or software. It is thus useful to examine how the law views the competing interests of preventing crime versus investigating criminal activity in the use of confidential informants, the closest analogy there is in practice to the use of unreported vulnerabilities.

In United States v. Murphy,[175] the Seventh Circuit considered a case in which FBI agents created fictitious cases in the Cook County Courts in order to uncover corruption within the legal system. The Seventh Circuit ruled that the false cases were a legitimate investigatory tool, observing that "the phantom cases had no decent place in court. But it is no more decent to make up a phantom business deal and offer to bribe a Member of Congress. In the pursuit of crime the Government is not confined to behavior suitable for the drawing room. It may use decoys, and provide the essential tools of the offense. The creation of opportunities for crime is nasty but necessary business." (internal citations omitted).[176]

The choice to use vulnerabilities without also simultaneously reporting them to the vendor is not precisely "the creation of opportunities for crime," but rather the choice not to pro-actively use opportunities to prevent crime. Murphy makes clear that this type of approach can be legally legitimate. Whether it is acceptable is a moral, policy, and political question.

Consider another approach, namely the Department of Justice's guidelines[177] on the use of confidential informants. These state that a Justice Law Enforcement Agent (JLEA) is never permitted to authorize a CI to "participate in an act of violence; participate in an act that constitutes obstruction of justice (e.g., perjury, witness tampering, witness intimidation, entrapment, or the fabrication, alteration, or destruction of evidence); participate in an act designed to obtain information for the JLEA that would be unlawful if conducted by a law enforcement agent (e.g., breaking and entering, illegal wiretapping, illegal opening or tampering with the mail, or trespass amounting to an illegal search); or initiate or instigate a plan or strategy to commit a federal, state, or local offense."[178] The guidelines do not state that a CI must work to prevent a crime from occurring. In the use of vulnerabilities the analogous situation would be that law enforcement is not required to let vendors know about the vulnerabilities they find and exploit.

Immediately reporting versus using for some time before reporting is a clash of competing social goods. That is what we need to weigh here. If our primary concern

[175] 768 F.2d 1518 (7th Cir. 1985).
[176] Id. at 1529.
[177] Illegal activity must be authorized in advance for a period of up to ninety days.
[178] Department of Justice, GUIDELINES REGARDING THE USE OF CONFIDENTIAL INFORMANTS, January 8, 2001, http://www.justice.gov/ag/readingroom/ciguidelines.htm#suitability [last viewed February 25, 2013].
is preventing the proliferation of exploits, that makes a strong argument that society is better protected by reporting the vulnerability early even if that risks the ability of the criminal investigation to conduct its authorized wiretap.

We also note that the danger of proliferation means that each use of an exploit, even one that has been successfully run previously, increases the risk that the exploit will escape the targeted device. As we know from other situations, whether rare diseases or the effect of cold weather on shuttle O-rings,[179] a rare side effect is more likely to appear when working with a larger population sample.

B. Ethical Concerns of Exploiting Vulnerabilities to Wiretap

Even though wiretaps are a long-accepted tool in law-enforcement collection, there is something somewhat distasteful about using an exploit to download interception capability. Undoubtedly, part of that stems from the strong sense that vulnerabilities are to be patched, not exploited. But one thing is clear: even if law enforcement were never to report the vulnerabilities it discovers or purchases, law enforcement's use of vulnerabilities would not make the vulnerability situation worse. Law enforcement is not currently a supplier of vulnerabilities to vendors. Thus, were law enforcement to use vulnerabilities and not report them to the vendors, there would be no change to the status quo ante. That said, there are some concerns raised by law enforcement's use of vulnerabilities.

One danger of law enforcement's participation in the zero-day market is the possibility of skewing the market, either by increasing incentives against disclosure of the vulnerability or by increasing the market for vulnerabilities and thus encouraging greater participation in it. Because of the size of the market and the relatively minimal need by law enforcement, we do not believe that this will be the case. Since the FBI has not discussed under what technical circumstances they have encountered difficulties wiretapping, it is hard to know exactly under which circumstances vulnerabilities will be used, but we do believe usage will be rare.

What is the government's responsibility in cases where the operationalized vulnerability does the wrong thing and escapes the target? It is not unknown for physical searches to go amiss. Sometimes law enforcement executes a warrant on the wrong location, sometimes law enforcement executes a wiretap warrant on the wrong phone line.[180] Such a search would, of course, invalidate collection. But a

[179] Howard Berkes, Reporting a Disaster's Cold, Hard Facts (January 28, 2006, 1:27 pm), NPR, http://www.npr.org/templates/story/story.php?storyId=5175151 [last viewed March 12, 2013].
[180] See, for example, Intelligence Oversight Board Matter, [XXX] Division, Federal Bureau of Investigation, IOB Matter 2005-160, June 30, 2010. It is rare that such activity is publicly reported ("Documents Obtained by EFF Reveal FBI Patriot Act Abuses," March 31, 2011,
wiretap exercised through an operationalized payload changes the situation in a substantive way. Unlike an incorrectly executed wiretap warrant, which might simply collect information on the wrong party, the effect of an operationalized payload gone awry is worse; a badly designed payload could escape its target and potentially affect a much larger group of people.

If the operationalized software were to escape its target, it might be adapted for malicious purposes by others, a second-order effect that increases the need for great care in developing the systems. While the government may have some liability when it knocks down the wrong door in the course of exercising a search warrant,[181] with wiretap software the liability, in dollars or simply in costs to society, is less well understood.

It is critical that the tools employed by law enforcement be trustworthy and reliable. In particular, the technical implementation must capture exactly what is authorized. In addition, all the usual security provisions apply: the system must employ full auditing,[182] each user of the system must log on individually, etc. Such careful controls have not always been exercised in the past, as is evidenced by flaws discovered in the FBI's DCS-3000 system[183] as well as poor documentation of telephone transactional data requests during FBI investigations post-September 11th.[184] This argues for not only judicial oversight, but technical oversight as well.

Finally, one might imagine a scenario in which law enforcement puts pressure on vendors not to fix vulnerabilities so as to facilitate exploits. Aside from being bad public policy, such an approach would represent a dangerous poison pill for both government and industry. If such pressure became publicly known, the vendor would suffer serious reputational harm. It is not inconceivable that the vendor would also be liable for customer damages if the company knew of a serious vulnerability about which it had neither informed its customers nor patched.





https://www.eff.org/deeplinks/2011/03/documents-obtained-eff-reveal-fbi-patriot-act [last viewed March 5, 2013]).
[181] Jim Armstrong, "FBI Uses Chainsaw On Wrong Fitchburg Apartment," CBS Boston, January 31, 2012, http://boston.cbslocal.com/2012/01/31/fbi-uses-chainsaw-in-raid-on-wrong-fitchburg-apartment [last viewed March 5, 2013].
[182] This was missing in the Greek wiretapping case; see Prevelakis and Spinellis, supra note 5.
[183] The system was previously known as Carnivore. See Steven M. Bellovin, Matt Blaze, David Farber, Peter Neumann, and Eugene Spafford, Comments on the Carnivore System Technical Review (December 3, 2000), unpublished manuscript, http://www.crypto.com/papers/carnivore_report_comments.html [last viewed March 11, 2013].
[184] U.S. DEPARTMENT OF JUSTICE, OFFICE OF THE INSPECTOR GENERAL, OVERSIGHT AND REVIEW DIVISION, A REVIEW OF THE FEDERAL BUREAU OF INVESTIGATION'S USE OF EXIGENT LETTERS AND OTHER INFORMAL REQUESTS FOR TELEPHONE RECORDS (January 2010) at 46-47 and 70.
C. Technical Solutions to Preventing Proliferation

The principle of only harming the target must be a governing one for the use of vulnerabilities by law enforcement. One means of ensuring this is to employ technical mechanisms to restrict an exploit to a given target machine. The simplest forms check various elements of their environment when they run, e.g., the machine's serial number or MAC address; if they're on the wrong machine, they silently exit. Stuxnet[185] employed more or less this technique. A more sophisticated technique uses environmental data to construct a cryptographic key; if this isn't present, the data will not decrypt properly, and the code will not be comprehensible to any analyst. The difference matters in practice: a simple environment check is a comparison that an analyst holding a copy of the code can patch out or satisfy with spoofed identifiers, whereas a keyed payload contains no such branch to defeat, only ciphertext that is useless without the right machine. As noted,[186] the Gauss malware uses this technique; it has stymied top cryptanalysts for months.

From one perspective, the part of the exploit that contains the vulnerability is the most important piece, since knowledge of it will let people write their own exploit code. The best defense there is to use a dropper/payload architecture; that way, after the initial penetration, there's no further need for the vulnerability and the code relying on it can be deleted.
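Environment-keyed payload encryption, as described in this section and in the dropper/payload discussion in Section IV, as an added example in Python. It is not code from the paper, from Gauss or from Stuxnet; the identifier fields, the host records and the payload bytes are constructed sample data, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM so that the example runs without third-party packages. It also shows the dropper discarding its exploit stage once the payload is unsealed, as the preceding paragraph recommends.

```python
"""Environment-keyed payload with a disposable dropper.

Added illustration, not code from the paper or from any real tool. The
fingerprint fields, host records and payload bytes are constructed sample
data; the HMAC counter-mode cipher stands in for a real AEAD.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 50_000


def fingerprint(serial, mac, ip):
    """Canonical identity of the intended host; one changed field changes the key."""
    canon = "|".join(s.strip().lower() for s in (serial, mac, ip))
    return hashlib.sha256(canon.encode()).digest()


def derive_keys(fp, salt):
    """Separate encryption and authentication keys stretched from the fingerprint."""
    okm = hashlib.pbkdf2_hmac("sha256", fp, salt, PBKDF2_ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for a real stream/AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload, fp):
    """Encrypt-then-MAC the payload under keys derived from the target's fingerprint."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(fp, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(blob, fp):
    """Return the payload, or None if this is not the machine it was sealed for."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(fp, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong key: nothing is decrypted
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Dropper:
    """First stage: carries the exploit code and the sealed second stage."""

    def __init__(self, exploit_stage, sealed_payload):
        self.exploit_stage = exploit_stage  # the only code that depends on the vulnerability
        self.sealed = sealed_payload

    def run(self, host):
        """Simulated post-exploitation hand-off on a host with the given identifiers."""
        fp = fingerprint(host["serial"], host["mac"], host["ip"])
        payload = unseal(self.sealed, fp)
        if payload is None:
            return None           # untargeted machine: stay inert, payload never in the clear
        self.exploit_stage = b""  # vulnerability no longer needed: drop the code relying on it
        return payload


# Constructed sample data: identifiers gathered during reconnaissance of the target,
# and a bystander that differs from it in a single MAC-address digit.
TARGET = {"serial": "SN-0042-XYZ", "mac": "00:11:22:33:44:55", "ip": "10.0.0.7"}
BYSTANDER = {"serial": "SN-0042-XYZ", "mac": "00:11:22:33:44:56", "ip": "10.0.0.7"}
PAYLOAD = b"<intercept module: placeholder bytes>"


def build_dropper():
    fp = fingerprint(TARGET["serial"], TARGET["mac"], TARGET["ip"])
    return Dropper(b"<exploit stage: placeholder bytes>", seal(PAYLOAD, fp))


if __name__ == "__main__":
    d = build_dropper()
    print(d.run(BYSTANDER), d.exploit_stage)  # None, exploit stage still held
    print(d.run(TARGET), d.exploit_stage)     # payload, exploit stage discarded
```

On the bystander host the dropper returns None and nothing is ever decrypted; on the target it returns the payload and discards the exploit stage. Because the fingerprint is hashed and stretched with PBKDF2 before use, an analyst holding only the sealed blob has to guess the exact identifier tuple, which is also why the identifiers chosen must be both target-specific and stable.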

Promiscuous spread of penetration tools also increases the risk of proliferation. The more machines a piece of code is on, the more likely it is that someone will notice the code and reverse-engineer it. This would expose not just a carefully husbanded security hole, but also the surrounding infrastructure necessary to use it for lawful intercepts. This calculus is similar to that long used in the intelligence community: if one acts on intelligence, it risks giving away the source of information, which will then be unavailable in the future.[187] Here, though, there is the additional constraint of legal requirements against doing harm, harm that becomes more likely if malefactors discover the penetration tools.

VI. Reporting Vulnerabilities

With the CIPAV cases demonstrating[188] that the state employs vulnerabilities for searches and the like (the "can" problem), we turn to the "may" problem, namely whether law enforcement should do so.[189] We have already argued that the risks of extending CALEA to IP-based communications make that particular trade (the security provided by the extra surveillance versus the security risks created by introducing security breaches into network infrastructure and applications) a poor choice. As the vulnerability being used to introduce a wiretap already exists, the issue is somewhat different, and the question instead concerns patching. If a

[185] See Stuxnet, supra footnote 17.
[186] See Section IV.F; also see the footnotes describing Gauss.
[187] See David Kahn, The Codebreakers, Macmillan, 1967. The theme pervades the book, but see especially the discussion of the assassination of Admiral Isoroku Yamamoto at 595.
[188] Lynch, supra note 118.
[189] We are indebted to Marty Stansell-Gamm for the phrasing of the "may" versus "can" problem.
vulneiability in a communications application oi infiastiuctuie is patcheu, the
vulneiability cannot be exploiteu foi a wiietap. But if the vulneiability is left
unpatcheu, the iesult is that many aie left open to attack. Thus the issue is not so
much about intiouucing an exploit, but about when, anu peihaps whethei, to infoim
the venuoi of the secuiity pioblem.

What is law enforcement's responsibility with regard to reporting? We start by
examining the security risks created by using vulnerabilities, then put that risk in
the context of law enforcement's role in crime prevention.


A. Security Risks Created by Using Vulnerabilities

As we have already noted in section V, there is a danger that even the most carefully
crafted exploitation tools may not function as intended. There are at least two
security concerns that must be weighed in choosing to use a vulnerability to conduct
a wiretap: (i) the risk that the vulnerability's use will lead to overcollection, and (ii)
the danger that the vulnerability will accidentally escape its target device and find
use elsewhere.

Unfortunately there is much precedent for overcollection. Recent examples include
the NSA's overcollection[190] as a result of the FISA Amendments Act[191] and the FBI's
use of "exigent" letters to collect communications transactional data.[192] Use of the
vulnerabilities requires close scrutiny by judges to ensure that what is collected is
exactly what is to be collected, no more and no less. Judges will therefore need to
evaluate just how intrusive a particular exploit may be, a technical as well as legal
issue.

Law enforcement use of vulnerabilities poses at least two risks of unintended harm.
First, the penetration tools may have unintended side-effects on the targeted
system.[193] Second, the tools may somehow escape into the wild, harming innocent
parties. Both are problematic and bear further examination.

The wiretap statute requires that taps be done "with a minimum of interference"
with the service being monitored.[194] If an exploit causes other harm to the target
computer, such as damaging files or applications or leading to frequent crashes, use
of the exploit would violate this provision. At least one court has already quashed
an eavesdropping order on these grounds:[195]

    Looking at the language of the statute, the "a minimum of interference"
    requirement certainly allows for *some* level of interference with customers'
    service in the conducting of surveillance. We need not decide precisely how
    much interference is permitted. "A minimum of interference" at least
    precludes total incapacitation of a service while interception is in progress.
    Put another way, eavesdropping is not performed with "a minimum of
    interference" if a service is *completely* shut down as a result of the
    surveillance.

(Emphasis in original.) It is worth noting that in this case, there were no allegations
of instances of the customer trying and failing to use the service; however, use of the
wiretap would make the original service unavailable to the customer if requested.
Apart from legal considerations, it is worth noting that interference can lead to
discovery of the tap. This has happened at least twice in what appear to have been
intelligence operations. In one, a very sophisticated wiretap operation mounted
against a Greek cellphone operator, a bug in the attacking software caused some text
messages not to be delivered. The resulting error messages led to discovery of the
implanted code.[196] In a better-known case, the Stuxnet virus aimed at the Iranian
nuclear centrifuge plant was discovered when some computer user became
suspicious and sent a computer to a Belarussian antivirus firm for analysis.[197]

[190] James Risen and Eric Lichtblau, "E-Mail Surveillance Renews Concern in Congress," NEW YORK
TIMES, June 16, 2009.
[191] P.L. 95-11, 92 Stat. 1782.
[192] U.S. Department of Justice, Office of the Inspector General, Oversight and Review
Division, A REVIEW OF THE FEDERAL BUREAU OF INVESTIGATION'S USE OF EXIGENT LETTERS AND OTHER
INFORMAL REQUESTS FOR TELEPHONE RECORDS, January 2010.
[193] Side effects could include disrupting other functionality, as occurred in the Greek wiretapping
case (see Prevelakis and Spinellis, supra note 5).
[194] See 18 USC 2518(4).



B. Preventing Crime

The question of when to report vulnerabilities that are being exploited is not new
for the U.S. government. In particular, the National Security Agency (NSA) has faced
this issue several times in its history.

NSA performs two missions for the U.S. government: the well-known one of signals
intelligence, or SIGINT, "reading other people's mail,"[198] and the lesser-known one
of communications security, COMSEC, protecting U.S. military and diplomatic
communications.[199] It has been extremely useful to house the U.S. signals
intelligence mission in the same agency as the U.S. communications security
mission. Each is in a position to learn from the other. SIGINT's ability to penetrate
certain communication channels could inform COMSEC's knowledge of potential
weaknesses in our own; COMSEC's awareness of security problems in certain
communications channels might inform SIGINT's knowledge of a target's potential
weakness.

[195] Company v. United States (in re United States) (2003, CA9 Nev) 349 F3d 1132.
[196] See Prevelakis and Spinellis, supra note 5, at 31.
[197] See Stuxnet, supra footnote 17.
[198] Henry Stimson, the Secretary of State who shut down the "Black Chamber," the Army's signals
intelligence section during and after World War I, famously said, "Gentlemen do not read each other's
mail." His views changed during World War II when he was Secretary of War; the U.S. relied heavily
on signals intelligence during that conflict. Though the quote is attributed to Stimson, there is some
evidence that he was acting on President Hoover's orders; see David Kahn, The Reader of Gentlemen's
Mail: Herbert Yardley and the Birth of American Codebreaking, Yale University Press, 2004.
[199] The COMSEC mission is performed by the NSA's Information Assurance Division.

That's an "if only"; reality is in fact very different. COMSEC's awareness of the need
to secure certain communications channels has often been thwarted by SIGINT's
desire that patching be delayed so that it can continue to exploit traffic using the
vulnerability in question. How this contradictory situation is handled depends
primarily on where the vulnerable communications system is operating. If the
insecure communications system is being used largely in the U.S. and in smaller
nations that are unlikely to harm the U.S., then patching would not hurt the SIGINT
mission. In that situation, COMSEC would be allowed to inform the vendor of the
problem. In most other instances, informing the vendor would have been delayed
so that SIGINT could continue harvesting product. Although this was never a
publicly stated NSA policy, this modus operandi was a fairly open secret.

But law enforcement operates in a different domain than the military, and its
considerations and values are different. The FBI concern that it is "going dark" is
precisely on domestic wiretapping; law enforcement will want to exploit the
vulnerabilities *exactly* when there are users in the U.S. Thus the balancing that NSA
does between its SIGINT and COMSEC missions does not particularly illuminate
what the state of affairs should be for the FBI. We must instead examine the issue
from other vantage points.

One differentiator is the likelihood of collateral damage from using vulnerabilities.
By their nature some vulnerabilities are easier to exploit than others. More
critically, some (but not all) vulnerabilities are likely to be easier for law
enforcement to exploit than for the general population of attackers. Any
attack that is aided by the ability to use compulsory legal process against a third
party, such as an ISP, falls into this category. In these cases, failure to report the
vulnerability to the vendor is less likely to have an effect on its exploitation by
others.

There may also be a number of other factors that can complicate launching an
exploit, including knowledge of special information or material about the target. If
such possession is necessary for the vulnerability to be exploited, then law
enforcement can be fairly confident that there is little risk in not reporting the
vulnerability to the vendor.

In considering whether to report, one might consider how dangerous a
particular vulnerability may be. Some aspects of the question are very easy to
answer. If the vulnerability is in a network router or a switch, its impact is likely to
be very large. Indeed, vulnerabilities in network infrastructure are fundamentally a
national security risk because network devices are either ISP-grade gear, whose
compromise could be used to shut down or tap a large portion of the network, or
enterprise gear, in which case compromise could be used for targeted espionage
attacks, or else consumer gear, likely to be of wide usage and thus the compromise
would affect a large population. Without question such vulnerabilities should be
reported to the vendor immediately.

On the other hand, there are subtleties involved even if a vulnerability does not
initially appear to be one that could create a national-security risk (per the issue
just described). If the vulnerability is for an uncommon platform, it
would seem that not informing the vendor of the problem is unlikely to create much
risk. If the vulnerability is for an outdated version of a platform, depending on how
outdated the platform is, the risk may also be relatively minor.[200] The latter is
especially true for devices that are replaced frequently, e.g., smart phones. Yet it is
often the case that outdated systems may be widely deployed in non-critical systems
or deployed in critical systems.[201] So a vulnerability that applies to an outdated
version of a platform may still be widely dangerous; it depends exactly on who is
using the platform and in what situation. This points to the complexity of
determining when the situation is such that the vendor should be told about the
vulnerability.

This raises the concern of whether the FBI will actually be able to make such an
evaluation. The ability to discern the potential risk from any particular vulnerability
ranges from relatively trivial to quite difficult. One limitation is that the Domestic
Communications Assistance Center (DCAC) will not be a cybersecurity vulnerability
research center.[202] Nor should it be; that expertise lies in the NSA's Information
Assurance Directorate, and duplicating the expertise is neither possible nor
appropriate. Making such judgements would require vast knowledge about systems
being employed in the U.S. across a wide array of industries. Even a decade after
September 11th, this information is not being tracked by the U.S. government.
Certainly the FBI is not in a position to know this, or to be able to make the
determination about how dangerous to the U.S. a particular vulnerability may be.

[200] This issue makes for an interesting insight into pirated software. The fact that a high percentage of
software in China is illegally obtained has several implications for electronic surveillance. Probably
the most significant is that the versions are not only out of date (e.g., as of January 2013, 64% of
Chinese Windows users had Windows XP installed, while 32% had Windows 7 (StatCounter Global
Stats, http://gs.statcounter.com/#os-CN-monthly-201202-201301 [last viewed February 17, 2013]))
but also less secure than more modern systems. Thus they are more open to exploitation.
[201] One example of this is Windows XP; the eleven-year-old OS is still the most common operating
system in use at most government agencies (Shawn McCarthy, "8 reasons agency IT will change
course in 2013," GCN, November 16, 2012, http://gcn.com/articles/2012/11/16/8-reasons-agency-it-will-change-course-in-2013.aspx [last viewed February 18, 2013]). Another is the backend
systems supporting voting machines in Ohio (Patrick McDaniel, Kevin Butler, William Enck, Harri
Hursti, Steve McLaughlin, Patrick Traynor, Matt Blaze, Adam Aviv, Pavel Cerny, Sandy Clark, Eric
Cronin, Gaurav Shah, Micah Sherr, and Giovanni Vigna, "EVEREST: Evaluation and Testing of Election-
Related Equipment, Standards, and Testing," Final Report, December 7, 2007,
http://www.sos.state.oh.us/SOS/upload/everest/14-AcademicFinalEVERESTReport.pdf [last viewed
February 18, 2013]).
[202] See Declan McCullagh, "FBI quietly forms secretive Net-surveillance unit", May 22, 2012, available
at http://news.cnet.com/8301-1009_3-57439734-83/fbi-quietly-forms-secretive-net-surveillance-unit/.

The point is that except for some obvious cases,[203] it is usually very difficult to
determine a priori whether a particular vulnerability is likely to create a serious
problem. It may be that some obscure, but critical, part of society relies on the code
with the vulnerability. It may be that it lies in some hidden part of the
infrastructure; for example, for literally decades American Airlines relied on old
software for planning flight operations.[204] Furthermore (and especially in an open-
source world, where it may be impossible to determine all the users of a system),
there is no way that law enforcement would be in a position to do a full mapping
from software to users.

As we have alluded to earlier, this is a clash of competing social goods. There is the
value of security obtained through patching as quickly as possible and the value of
security by downloading the exploit to enable the wiretap to convict the criminal.
Although there are no easy answers, we believe the answer is clear. In a world of
great cybersecurity risk, where each day brings a new headline of the potential for
attacks on critical infrastructure, where the Deputy Secretary of Defense says that
thefts of intellectual property may be "the most significant cyberthreat that
the United States will face over the long term,"[205] public safety and national security
are too critical to take risks and leave vulnerabilities unreported and unpatched. We
believe that law enforcement should always err on the side of caution in deciding to
refrain from informing a vendor of a vulnerability. Any policy short of full and
immediate reporting by default is simply inadequate. "Report immediately" is the
policy that any crime-prevention agency should have, even though such an approach
will occasionally hamper an investigation.[206]


Note that a "report immediately" policy does not foreclose exploitation of the
reported vulnerability by law enforcement; vulnerabilities reported to vendors do
not result in immediate patches. The time to patch varies with each vendor's patch
release schedule (once a month, or once every six weeks is common) but, since
vendors often delay patches,[207] the lifetime of a vulnerability is often much longer.
Research shows that the average lifetime of a zero-day exploit is 312 days.[208]

[203] A striking example of one such occurred with the February 2013 US CERT alert concerning Java;
the organization recommended disabling Java in web browsers until an adequate patch had been
prepared (https://www.us-cert.gov/ncas/alerts/TA13-032A).
[204] Robert Mitchell and Johanna Ambrosio, "From build to buy: American Airlines changes
modernization course midflight" (January 2, 2013), COMPUTERWORLD,
https://www.computerworld.com/s/article/9234936/From_build_to_buy_American_Airlines_changes_modernization_course_midflight_ [last viewed March 11, 2013].
[205] William J. Lynn III, Defending a New Domain, FOREIGN AFFAIRS, 89, no. 5 (September/October 2010)
at 102.
[206] There are persistent rumors that government agencies have sometimes pressured vendors to
leave holes unpatched; see, e.g., "Microsoft gives zero-day vulnerabilities to US security services
- Bloomberg", Computing.co.uk, June 14, 2013, available at
http://www.computing.co.uk/ctg/news/2274993/microsoft-gives-zeroday-vulnerabilities-to-us-security-services-bloomberg. This is a very dangerous path, one that should not be followed by law
enforcement agencies.

Furthermore, users frequently do not patch their systems promptly, even when
critical updates are available.[209]

Immediate reporting to the vendor of vulnerabilities considered critical will result
in a shortened lifetime for particular operationalized exploits, but it will not prevent
the use of operationalized exploits. Instead, it will create a situation in which law
enforcement is both performing criminal investigations using the wiretaps enabled
through the exploits, and crime prevention through reporting the exploits to the
vendor. This is clearly a win-win situation.

It is interesting to ponder whether the policy of "immediately report vulnerabilities"
might have a positive impact on the zero-day industry. Some members of the
industry, such as HP DVLabs, "will responsibly and promptly notify the appropriate
product vendor of a security flaw with their product(s) or service(s)."[210] Others,
such as VUPEN, which "reports all discovered vulnerabilities to the affected vendors
*under contract* with VUPEN"[211] (emphasis added), do not. Although it would be a
great benefit to security if the inability to sell to law enforcement would cause the
sellers to actually change policy, in point of fact, the U.S. law-enforcement market is
unlikely to have a major impact on the zero-day market, which is international and
dominated by national-security organizations.

[207] On the second Tuesday of every month Microsoft issues patches both for software defects and
vulnerabilities. This date is known as 'Patch Tuesday'. Vendors who use a 6-week 'rapid-release
cycle' such as Google (Chrome) and Mozilla (Firefox, Thunderbird) frequently roll their security
patches into their new releases. However, not all vulnerabilities discovered are patched in the next
release; see http://www.pcworld.com/article/2033649/patch-tuesday-leaves-internet-explorer-zero-day-untouched.html and http://threatpost.com/oracle-leaves-fix-java-se-zero-day-until-february-patch-update-101712 for some examples. Some vendors do issue patches considerably
more rapidly; it is unclear, though, that this is always a good idea. Rapid patches often block a
particular path to reach the underlying buggy code rather than repairing it. Accordingly, attackers
often find new variants of the exploit without much trouble. Sometimes patches contain their own
flaws. Thus there is likely an irreducible average minimum time.
[208] Zero-day vulnerabilities average a 10-month lifespan. See Bilge and Dumitras, An Empirical Study
of Zero-day Attack in The Real World, ACM Conference on Computer and Communications Security,
Oct 2012.
[209] There is a paucity of peer-reviewed research results on how soon individual users apply patches.
The best studies (e.g., E. Rescorla, "Security holes... who cares?" Proceedings of the 12th USENIX
Security Symposium, 2003, or S.M. Bellovin, W.R. Cheswick, and A. Rubin, Firewalls and Internet
Security: Repelling the Wily Hacker, second edition, at 275, Addison-Wesley, 2003) are old and apply
to enterprise servers, not individual users. Enterprises have their own needs and dynamics for
patching, such as compatibility with critical local software; furthermore, all system administration is
generally under the control of a centralized support group. Most wiretaps are of individuals,
especially drug dealers (see Wiretap Report, supra footnote 47); their behavior is likely very
different. There have been a number of statements by industry consistent with our assertion (e.g.,
"Survey Finds Nearly Half of Consumers Fail to Upgrade Software Regularly and One Quarter of
Consumers Don't Know Why to Update Software", Skype press release, July 25, 2012,
http://about.skype.com/press/2012/07/survey_finds_nearly_half_fail_to_upgrade.html). A recent
study (Websense Security Labs Blog, "How are Java Attacks Getting Through?", March
25, 2013, available at
http://community.websense.com/blogs/securitylabs/archive/2013/03/25/how-are-java-attacks-getting-through.aspx) is more useful, since it measures actual exposure of
real-world web browsers. Only about 5% of users had up-to-date Java versions, despite warnings of
ongoing attacks. The best evidence, though, is empirical: the prevalence of attacks against holes for
which patches are available suggests that attackers still find them useful.




[210] "The first attempt at contact will be through any appropriate contacts or formal mechanisms
listed on the vendor Web site, or by sending an e-mail to security, support, info, and
secure@company.com with the pertinent information about the vulnerability. Simultaneous with the
vendor being notified, DVLabs may distribute vulnerability protection filters to its customers' IPS
devices through the Digital Vaccine service.

If a vendor fails to acknowledge DVLabs initial notification within five business days, DVLabs will
initiate a second formal contact by a direct telephone call to a representative for that vendor. If a
vendor fails to respond after an additional five business days following the second notification,
DVLabs may rely on an intermediary to try to establish contact with the vendor. If DVLabs exhausts
all reasonable means in order to contact a vendor, then DVLabs may issue a public advisory
disclosing its findings fifteen business days after the initial contact." Zero Day Initiative, Disclosure
Policy, http://www.zerodayinitiative.com/advisories/disclosure_policy/ [last viewed March 1,
2013].
[211] Vupen, Vupen Security Research Team, http://www.vupen.com/english/research.php [last
viewed March 1, 2013].

C. A Default Obligation to Report
The tension between exploitation and reporting can be resolved if the government
follows *both* paths, actively reporting and working to fix even those vulnerabilities
that it uses to support wiretaps. As we noted, the reporting of vulnerabilities (to
vendors and/or to the public) does not preclude exploiting them. Once a
vulnerability is reported, there is always a lead time before a "patch" can be
engineered, and a further lead time before this patch is deployed to and installed by
future wiretap targets. Because there is an effectively infinite supply of
vulnerabilities in software platforms,[212] provided the discovery enterprise finds
new vulnerabilities at a rate that exceeds the rate at which they are repaired,
reporting vulnerabilities need not compromise the government's ability to conduct
exploits. By always reporting, the government investigative mission is not placed in
conflict with its crime prevention mission. In fact, such a policy has the almost
paradoxical property that the more active the law enforcement exploitation activity
becomes, the more zero-day vulnerabilities are reported to, and repaired by,
vendors.
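The claim in the preceding paragraph (report every vulnerability, yet keep a usable inventory because patches lag reports) can be made concrete with a small model. The Python below is an added illustration written for this edit; it is not code from the paper or its authors. It assumes a fixed discovery interval, a fixed vendor release cycle and a fixed user patch lag, all constructed values, and uses the 312-day average zero-day lifetime the paper cites only for the no-report comparison. The function and variable names are this example's own.

```python
"""Toy inventory model for an "always report" policy (constructed example).

A vulnerability discovered on day d and reported the same day is assumed to be
fixed at the vendor's next release boundary and to stop being usable against
typical targets after users have had `user_lag` days to install that release.
An unreported vulnerability is assumed to survive for the 312-day average
lifetime the paper cites for zero-days (Bilge and Dumitras).
"""
from dataclasses import dataclass
from typing import List

ZERO_DAY_LIFETIME = 312  # days; the paper's cited average for unreported zero-days


@dataclass(frozen=True)
class Vuln:
    discovered: int       # day the exploit tool was finished and the report sent
    patch_released: int   # day the vendor ships a fix
    closed: int           # first day the vulnerability is no longer usable

    def usable_on(self, day: int) -> bool:
        return self.discovered <= day < self.closed


def next_release(day: int, cycle: int) -> int:
    """First release boundary strictly after `day` (e.g. a monthly patch day)."""
    return (day // cycle + 1) * cycle


def build_inventory(horizon: int, discover_every: int, cycle: int,
                    user_lag: int, report: bool) -> List[Vuln]:
    """One vulnerability is discovered every `discover_every` days, starting at day 0."""
    vulns = []
    for d in range(0, horizon, discover_every):
        if report:
            released = next_release(d, cycle)
            vulns.append(Vuln(d, released, released + user_lag))
        else:
            # Never reported: assumed usable until independently found and fixed.
            vulns.append(Vuln(d, d + ZERO_DAY_LIFETIME, d + ZERO_DAY_LIFETIME))
    return vulns


def usable_per_day(vulns: List[Vuln], horizon: int) -> List[int]:
    """How many vulnerabilities are usable on each day 0..horizon-1."""
    return [sum(v.usable_on(day) for v in vulns) for day in range(horizon)]


def steady_state_minimum(counts: List[int], warmup: int) -> int:
    """Smallest usable inventory once the pipeline has filled (after `warmup` days)."""
    return min(counts[warmup:])


if __name__ == "__main__":
    H = 730  # two simulated years
    reported = usable_per_day(build_inventory(H, 30, 30, 60, report=True), H)
    hoarded = usable_per_day(build_inventory(H, 30, 30, 60, report=False), H)
    print("report-immediately, min usable after warm-up:", steady_state_minimum(reported, 60))
    print("never-report, usable on day 400:", hoarded[400])
```

Under these constructed assumptions (one discovery a month, a monthly release cycle, two months for users to install) the reporting agency still has three usable vulnerabilities at every point after the pipeline fills, against eleven if nothing is reported. That is the trade the paragraph describes: a smaller working inventory, but never an empty one, as long as discoveries keep pace with repairs. The numbers are not forecasts; the point of the model is only that "report immediately" and "keep exploiting" are not mutually exclusive.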
However, this does not mean that a government exploitation laboratory will be
naturally inclined to report the fruits of its labor to vendors. From the perspective of
an organization charged with developing exploits, reporting might seem anathema
to the mission, since it means that the tools it develops will become obsolete more
quickly. Discovering and developing exploits costs money, and an activity that
requires more output would need a larger budget.[213]

An obligation mandating that law enforcement agencies report any zero-day
vulnerabilities they intend to exploit would thus have to be supported by a strong
legal and policy framework. Such a policy would have to create bright lines for what
constitutes a vulnerability that is required to be reported, when the report must
occur, to whom the report should be made, and which parts of the government are
required to do the reporting. There are many grey areas.
First, what would constitute a reportable vulnerability? Sometimes, this will be
obvious. For example, some software bugs, such as input validation errors, might
allow an attacker to take control over a piece of software. Such behavior is clearly
an error. Once reported, the software vendor can easily repair the software to
eliminate the vulnerability and "push" the correction out.[214] Other vulnerabilities
are less clearly the result of specific bugs, however. In some cases, a vulnerability
results from overly powerful software features that might be behaving perfectly
correctly as far as the software specification is concerned, but that allow an attacker
to exploit them in unanticipated ways. For example, many email systems allow
software to be sent as an "attachment" that is executed on the recipient's computer
when the user clicks on it. If an attacker emails a user malware and the user is
persuaded, however unwisely, to open it, the user's computer becomes
compromised. Although it served as a vector for the malware, the email system
software, strictly speaking, has behaved "correctly" here. The line between a "bug"
and a "feature" is often quite thin.

[212] See Brooks, supra note 100.
[213] It is difficult to estimate precisely the cost of developing a particular vulnerability, but existing
markets can serve as a guide here, as discussed in Section IV.
[214] Many, if not most, companies provide automatic security updates that are simply updated via the
Internet.
Then there is the question of when a potential vulnerability that has been
discovered becomes "reportable". Many vulnerabilities result from subtle
interactions in a particular implementation,[215] and not every software bug results in
an actual exploitable vulnerability. If the government is obligated to report
exploitable vulnerabilities, when must it do so? A viable rule of thumb might be that
once the government has developed an exploit tool, the underlying vulnerability has
been confirmed to be exploitable and should promptly be reported. Note that this
way of implementing "always report" gives law-enforcement investigators some
lead time in using the exploit tool. This approach provides appropriate leeway for
law enforcement to do its job (and not, for example, the job of quality assurance
testers at a software company).
To whom should a vulnerability report be made? In many cases, there is an obvious
point of contact: a software vendor that sells and maintains a product in question,
or, in the case of open-source software, the community team maintaining it. In other
cases, however, the answer is less clear. Not all software is actively maintained;
there may be "orphan" software without an active vendor or owner to report to.
And not all vulnerabilities result from bugs in specific software products. For
example, standard communications protocols are occasionally found to have
vulnerabilities,[216] and a given protocol may be used in many different products and
systems. Here, the vulnerability would need to be reported not to a particular
vendor, but to the standards body responsible for the protocol. Many standards
bodies operate entirely in the open, which can make "quietly" reporting a
vulnerability (or hiding the fact that it has been reported by a law enforcement
agency) problematic.

[215] Quite some time ago, one of the authors of this paper discovered that someone working on an
important project was one of three people who were arrested in a hacking incident. (He eventually
pled no contest. One of the other two was convicted; the third was acquitted.) An audit of the code
base was performed. The team found one clear security hole, but log files showed it was an
inadvertent hole coded, ironically, by one of the other auditors. The other problem found was more
subtle. There were two independent bugs, for one of which the comments didn't agree with the code.
Either bug alone was harmless; both together, combined with a common configuration mistake,
added up to a remote exploit. There was a plausible innocent explanation for why the comments and
the code didn't match. It remains unclear if this was a deliberate back door or a coincidence.
[216] For example, several vulnerabilities have been found that allow attacks against systems using the
Secure Sockets Layer (SSL) protocol, a widely used standard employed by many applications,
including Web browsing, printing, and email, for encrypting Internet connections.
Finally, there is the question of who in the government would be covered by the
reporting policy. In this paper, we are concerned specifically with a law
enforcement vulnerability lab. Would every US government employee be covered by
the policy? Or only those developing law enforcement surveillance tools? The vast
majority of government employees (even those who encounter security
vulnerabilities) aren't directly involved in developing wiretapping tools. For
example, there are presumably system administrators in the Veterans
Administration who occasionally discover security vulnerabilities in the course of
their work. Would they become legally obliged to report? We propose that the
reporting obligation be linked to the use of vulnerabilities for law enforcement
purposes. An ordinary system administrator who discovered a hole perhaps should
report it; the legal requirement, though, would apply to those who employ such
holes to conduct communications intercepts.
VII. Policy and Legislative Issues
When should reporting occur, at the time of discovery or purchase of the
vulnerability, or at the time of working exploit? Might there be exceptions to the
reporting rule in the case of an extremely important target, and how might that
work? In this section, we attempt to answer these questions as well as discuss the
role of oversight.

A. Enforcing Reporting
We advocate that vulnerabilities law enforcement seeks to exploit be reported by
default. There are a number of ways to implement and enforce such a policy.
The simplest would be an executive branch policy that mandates reporting
under certain circumstances. Such a policy would come from the administration,
likely through the Department of Justice. However, a policy-only approach has
inherent weaknesses. First, the policy would be formulated, implemented, and
enforced by the very agency with the most interest in creating exceptions to the
rule, and that most "pays the cost" of neutralizing the tools it develops and uses.
Such conflicts of interest rarely end up with the strongest possible protections for
the public.
Therefore, a legislative approach may be more appropriate. Perhaps as part of the
appropriation that funds the exploit discovery effort, Congress could mandate that
any vulnerabilities it discovers be reported. As noted above, such legislation would
need to be carefully drafted to capture a range of different circumstances.
In many situations, the best solution is for the judge authorizing the use of the
vulnerability to insert a reporting requirement into the warrant or order. This
provision could include a return date by which the requesting agency must certify
that the vendor had received appropriate notification. Apart from providing an
enforcement mechanism, this approach allows for careful consideration of specific
circumstances, including exceptional circumstances that might merit a delay.[217]

Finally, one might imagine that the courts would recognize an obligation for the
government to report vulnerabilities, and create a tort cause of action for those
harmed by a criminal exploitation of a vulnerability known to the government but
not reported. This would be perhaps the most radical approach to ensuring
government reporting, but it seems most unlikely. There is, currently, no obligation
on anyone to report vulnerabilities; for a court to suddenly discover one seems
improbable.[218] Thus for early government reporting of vulnerabilities discovered
under this program, a legislative mandate that the government report any zero-day
vulnerabilities it seeks to exploit seems the best approach.[219]

B. Exceptions to the Reporting Rule
Although we have recommended that law enforcement report vulnerabilities upon
discovery (or purchase), there may be exceptional cases when immediate reporting
is not appropriate. Immediate reporting of the vulnerability might lead to patching
and prevent achieving a wiretap. Might there be circumstances in which not
reporting is appropriate?
Consider the closely related established practice of emergency wiretaps. Title III
includes an exception allowing wiretaps to be used in emergency situations without
a warrant so long as a wiretap order is obtained within forty-eight hours.[220] The
law states that an emergency situation exists when there is immediate danger of
death or serious bodily injury, conspiratorial activities threatening national security,
or conspiratorial activities characteristic of organized crime,[221] but practice is that
warrantless wiretapping by law enforcement[222] is permitted only when there is an
immediate threat to life such as kidnapping and hostage-taking situations.[223]


217
Exceptional ciicumstances aie uiscusseu in the following section.
218
Bue in pait to uisclaimeis in Enu 0sei License Agieements (E0LAs), theie is in geneial no liability
even foi venuois oi uevelopeis of insecuie softwaie; *--7 -I;I7 Nichael B. Scott, "Toit Liability foi
venuois of Insecuie Softwaie: Bas the Time Finally Come.", 67 Nu. L. Rev. 42S. (2uu8 ); howevei, the
issue is a fiequent topic of acauemic uiscussion anu the situation coulu conceivably change. In some
situations, a site opeiatoi can be helu negligent, &I-I7, <% G- A-(/)9(%E @(6#-%) =6*)-#*, 8S1 F.Supp.2u
1u4u (0niteu States Bistiict Couit, S.B. Texas, Bouston Bivision.2u12).
219
We uo not uiscuss oi suggest iemeuies if the goveinment fails to iepoit vulneiabilities, as uigeu in
this papei. A iauical legislative appioach woulu peimit uamages foi those haimeu by the
exploitation of a zeio-uay vulneiability that was known to the goveinment but that the goveinment
hau not iepoiteu. A moie moueiate appioach woulu legislate the goveinment's iepoiting obligation
but uisallow piivate iecoveiy of uamages if it fails to uo so.
22u
18 0.S.C. 2S18(7).
221
18 0.S.C. 2S18(7).
222
Note that we aie uiscussing waiiantless wiietaps foi ciiminal investigations unuei Title III, not
the legalities of the Bush auministiation's "teiioiist suiveillance" waiiantless wiietapping piogiam.
22S
Foi a uetaileu uiscussion, see 0S ATT0RNEYS NAN0AL, 9-7.112 Emeigency Inteiception,
http:www.justice.govusaoeousafoia_ieauing_ioomusaminuex.html.
Emergency wiretapping is not done lightly, and requires approval of no rank lower than an Associate Attorney General. Once the emergency wiretap is approved (approved, not installed), law enforcement has forty-eight hours to obtain a wiretap order.[224]

Consider now the subject of a wiretap warrant, one for whom normal methods of interception are unlikely to succeed. Using a wiretap warrant, law enforcement downloads software to the target's machine that reports back what programs and operating system are being run on the device. The target is running an unusual set of programs, e.g., using the OpenBSD operating system with the Lynx web browser.[225] Law enforcement lacks suitable tools for this particular set up. To exercise the actual wiretap, law enforcement must find a vulnerability, and operationalize it. As we discussed earlier, doing so will take between two and seven days. If the vulnerability is immediately reported as soon as it is acquired, law enforcement runs the risk that the target's device may be patched before the operationalized exploit can be used.

We can infer from the FBI's use of CIPAV that there is currently no legal or policy requirement that law enforcement report vulnerabilities. So we recommend a compromise. For public safety, the law should require that law enforcement report vulnerabilities to the vendor once they have been acquired or otherwise discovered. But there should also be an emergency exception similar to that of Title III. We recommend that in an emergency situation, law enforcement should have a forty-eight hour window in which it could petition for a release from reporting the vulnerability until it had successfully installed a wiretap.

We expect that such a provision would be only very rarely invoked. First, most vulnerabilities will have been discovered and reported by law enforcement, and the tools that exploit them built and put in the arsenal for future use, well before there is any case that might use them. For such tools, there is no emergency (or even any case) to weigh against reporting at the time the vulnerability would be reported. Any cases in which a vulnerability is used would come up long after the vulnerability has already been reported.

But there may be exceptional circumstances in which this pattern (vulnerabilities discovered and tools developed well in advance of the cases where they are used) is not followed. For example, we can imagine a very high-value organized crime case in which a target might be using a particular and well-hardened, non-standard platform for which no exploit tools are available in the "standard" arsenal. Law enforcement might devote targeted resources toward discovering vulnerabilities and developing tools for the specific devices used by the particular target. In such (likely very rare) cases, the case and target would be known at the time some vulnerability is discovered by law enforcement, and they might place a high priority on preserving their ability to exploit it during the case.

[224] 18 U.S.C. 2518(7).

[225] OpenBSD is an open-source operating system based on Unix; Lynx is a web browser. (Because Lynx does not support graphics, it cannot have web bugs, embedded objects that track usage, making it particularly privacy protective.) Both systems, which are relatively old by industry standards, continue to be developed, but neither has large market share.
The criteria for exemption must be as stringent as the Title III exemption. If emergency wiretaps are permitted only when there is imminent danger of death (e.g., a kidnapping or hostage-taking situation), then the situation for emergency use of a vulnerability without reporting must be equally dire. Note that even terrorist investigations do not generally employ emergency wiretap provisions; neither should they employ an emergency exemption to vulnerability reporting.

The other issue in emergency use is that the vulnerability must be such that there is a low risk of serious harm resulting from its exploitation by others against innocent persons. As we have discussed, estimating such risk is quite difficult. Given the importance of preventing crime, the decision not to report must not be made lightly. Indeed, the "default" presumption must be that a vulnerability should be reported, with exceptions made only for unusual and compelling reasons. The petition not to report must include not only an argument for the importance of the interception but also an analysis of the harm likely should the vulnerability be discovered and exploited by others during the period that law enforcement is operationalizing the tool. In weighing whether to delay reporting a vulnerability, the court should consider how likely it is that the vulnerability, having been discovered, can actually be exploited, and the damage that may result from such exploitation.

C. Providing Oversight

There is the danger that an operationalized exploit may proliferate past its intended target. Stuxnet[226] provides an interesting case in point. Although aimed at Iran, the malware spread to computers in other countries, including India and Indonesia.[227] It is unclear from the public record how this happened. It may have been due to a flaw in the code, as Sanger contends;[228] alternatively, it may have been foreseeable but unavoidable collateral damage from the means chosen to launch the attack against Iran. Either option, though, represents a process that may be acceptable for a military or intelligence operation but is unacceptable for law enforcement. Only the legally authorized target should be put at risk from the malware used.

[226] See Stuxnet, supra footnote 17.

[227] David Sanger, CONFRONT AND CONCEAL: OBAMA'S SECRET WARS AND THE SURPRISING USE OF AMERICAN POWER, Crown Publishers, 2012, at 203-205.

[228] Id. Sanger's conclusion is somewhat controversial; see Steven Cherry, "Stuxnet: Leaks or Lies?", IEEE Spectrum podcast, September 4, 2012, available at http://spectrum.ieee.org/podcast/computing/embedded-systems/stuxnet-leaks-or-lies.
Given the policy issues raised by the use of vulnerabilities, it would be appropriate to have public accountability on the deployment of this technique. We have in mind annual reports on vulnerability use similar to the AO's Wiretap Reports, presenting such data as how many vulnerabilities were used by law enforcement in a given year, whether by federal or state and local. Was the vulnerability subsequently patched by the vendor, and how quickly after being reported? Was the vulnerability used by others? Did the operationalized vulnerability spread past its intended target? Was the vulnerability exploited outside law enforcement during the period that law enforcement was aware of the problem but had not yet told the vendor? What damages occurred from its exploitation? Making such information open to public analysis should aid in decisions about the right balances being struck between efficacy and public safety.[229]

D. Regulating Vulnerabilities and Exploitation Tools

As we have mentioned, even without considering its use by law enforcement, information about software vulnerabilities is inherently "dual use": useful for both offense and defense. Related to the issue of reporting and proliferation is the question of how the law should treat information about vulnerabilities and the development of software tools that exploit them by non-law enforcement persons. Should information about vulnerabilities, and tools that exploit them, be restricted by law? How do existing statutes treat such information and tools?

The issue of how to handle such dual-use technologies is not new. The computer security community has grappled for years with the problem of discouraging illicit exploitation of newly discovered vulnerabilities by criminals while at the same time allowing legitimate users and researchers to learn about the latest threats, in part to develop effective defenses.[230] It is all but impossible to prevent information about vulnerabilities or software exploits that use them from getting into the hands of criminals without hampering efforts at defense. On the one hand (perhaps most straightforwardly), information about zero-day vulnerabilities is coveted by criminals who seek unauthorized and illicit access to the computers of others. But the same zero-day information is also used, and sought out by, legitimate security researchers and computer scientists who are engaged in building defenses against attack and in analyzing the security of new and existing systems and software.

[229] The same is true regarding data from the Administrative Office of the US Courts, WIRETAP REPORT. For example, one of the authors of the present paper used the WIRETAP REPORT data to show that FBI claims about the importance of wiretaps in solving kidnappings were incorrect. Between 1969 and 1994 wiretaps were used in only two to three kidnappings a year (out of 450 kidnappings annually) (Whitfield Diffie and Susan Landau, PRIVACY ON THE LINE: THE POLITICS OF WIRETAPPING AND ENCRYPTION, MIT Press, 2007, at 211).

[230] The question of the ethics of publishing vulnerability information far antedates computers. In 1857, Alfred Hobbs, in Rudimentary Treatise on the Construction of Door Locks, wrote "A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery."
Even software tools that exploit vulnerabilities are inherently dual use. They can be used by criminals on the one hand, but are also useful to defenders and researchers. Computer and network system administrators routinely use tools that attempt to exploit vulnerabilities to test the security of their own systems and to verify that their defenses are effective. Researchers who discover new security vulnerabilities or attack methods often develop "proof of concept" attack software to test and demonstrate the methods they are studying. It is not unusual for software that demonstrates a new attack method to be published and otherwise made freely available by academics and other researchers. Such software is quite mainstream in the computer science research community.[231]

The software used by malicious, criminal attackers to exploit vulnerabilities can thus be very difficult to meaningfully distinguish from mainstream, legitimate security research and testing tools. It is a matter of context and intent rather than attack capabilities per se, and current law appears to reflect this.

Current wiretap law does not generally regulate inherently dual-use technology. The provision of Title III concerned with wiretapping equipment, 18 USC 2512, generally prohibits possession and trafficking in devices that are "primarily useful" for "surreptitious interception"[232] of communications, which does not appear to apply to a wide range of current software exploit tools developed and used by researchers. We believe this is as it should be. The security research community depends on the open availability of software tools that can test and analyze software vulnerabilities. Prohibiting such software generally would have a seriously deleterious effect on progress in understanding how to build more secure systems, and on the ability for users to determine whether their systems are vulnerable to known attacks. In addition, we note that given that the majority of vulnerability markets are outside the U.S., and that national-security agencies are heavy purchasers of these vulnerabilities,[233] regulating them is not a plausible option.

[231] Many security software packages that might appear to be criminal attack tools are actually designed for legitimate research and testing. For example, the Metasploit package [http://metasploit.com] is a regularly updated library of software that attempts to exploit known vulnerabilities in various operating systems and applications. Although it may appear at first glance to be aimed at criminals, it is actually intended for (and widely used by) system administrators and professional "penetration testers" to identify weaknesses that should be repaired in their systems.

[232] 18 USC 2512(1) provides criminal penalties for any person not otherwise authorized who:
(a) sends through the mail, or sends or carries in interstate or foreign commerce, any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications;
(b) manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce; or
(c) places in any newspaper, magazine, handbill, or other publication or disseminates by electronic means any advertisement of
(i) any electronic, mechanical, or other device knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or
(ii) any other electronic, mechanical, or other device, where such advertisement promotes the use of such device for the purpose of the surreptitious interception of wire, oral, or electronic communications, knowing the content of the advertisement and knowing or having reason to know that such advertisement will be sent through the mail or transported in interstate or foreign commerce,

The specialized tools developed by law enforcement to collect and exfiltrate evidence from targets' computers, however, might fall more comfortably under the scope of 2512 as it is currently written. These tools would not be developed to aid research or test systems, but rather to accomplish a law-enforcement interception goal. They would have narrowly focused features designed to make their installation surreptitious and their ongoing operation difficult to detect. They would also have features designed to identify and collect specific data, and would have no alternative use outside the surreptitious interception application for which they were developed. Such tools, unlike those used by researchers, could more easily meet 2512's test of being "primarily useful" for "surreptitious interception".

[233] Greenberg, supra note 163.
VIII. Conclusions

Changes in telecommunications technologies led to the 1994 passage of CALEA. However, CALEA created problems because of software complexity and the fact that it introduces a security vulnerability. Due to further (and quite extraordinary) changes in the communications technologies since CALEA's passage, the law-enforcement wiretapping capabilities the law engendered are now in danger of failing; law enforcement now seeks to expand the CALEA regime to IP-based communications. As we have discussed, the changes in communications technologies since 1994 not only undermine the present version of CALEA, they make extending the CALEA model to modern communications systems highly problematic, creating serious security risks.

Nonetheless there needs to be a way for law enforcement to execute authorized wiretaps. The solution is remarkably simple. Instead of introducing new vulnerabilities to communications networks and applications, in the cases where wiretapping is difficult to achieve by other means, law enforcement should use vulnerabilities already present in the target's communications device to wiretap. The use of vulnerabilities to accomplish legally authorized wiretapping creates uncomfortable issues. Yet we believe the technique is preferable for conducting wiretaps against targets when enabling other methods of wiretapping, such as by deliberately building vulnerabilities into the network or device, would result in less security.

We propose specific policies to limit the potential damage. First, we recommend that in order to prevent rediscovery of the vulnerability and hence proliferation of the exploit, technical defenses should be implemented. Second, we recommend that, with rare exceptions, law enforcement should report vulnerabilities on discovery or purchase. This means our proposal may actually have the benefit of increasing security generally. Finally, because the exploit may allow far greater penetrations of the target device than would be permitted by a mere wiretap, we urge guidelines to ensure that law enforcement bar use of any other information found on the computer during the exploit (unless permitted by an additional warrant).

There is a critical difference in the societal dangers entailed in the use of targeted vulnerabilities compared with the installation of global wiretapping capabilities in the infrastructure. If abused, targeted vulnerability exploitation, like wiretapping in general, has the potential to do serious harm to those subjected to it. But it is significantly more difficult - more labor intensive, more expensive, and more logistically complex - to conduct targeted exploitation operations against all members of a large population. In other words, although vulnerability exploitation is very likely to be effective against any given target, it is difficult to abuse at large scale or in an automated fashion against everyone. Thus our solution provides better security than extending the model of CALEA to IP-based communications would.

Vulnerability exploitation has more than a whiff of dirty play about it; who wants law enforcement to be developing and using malware to break into users' machines? We agree that this proposal is disturbing. But as long as wiretaps remain an authorized investigatory tool, law enforcement will press for ways to accomplish electronic surveillance even in the face of communications technologies that make it very difficult. We are at a crossroads where the choices are to reduce everyone's security or to enable law enforcement to do its job through a method that appears questionable but that does not actually make us less secure. In this debate, our proposal provides a clear win for both innovation and security.
