Friday, July 13, 2018

When is a "Search" minus the Quantum Theory, for Law Professors

One issue with reactions to Carpenter is that they tend to assume that we can get clarity around how technological change affects what a search is by making up various artificial models for how telephony systems  and search processes work. The principal example of this sort of model being Orin Kerr's description in his Lawfare piece.

Example random model Orin made up. :)
If you want a better example of how complicated this sort of thing is, I recommend this Infiltrate talk on the subject of how Regin (allegedly the Brits) searched a particular cellular network, covertly.

If you want to find out when a particular search started or ended, you almost always have to develop a lot of expertise in Quantum Mechanics, starting with Heisenburg, but quickly moving into the theory of computation, etc. This is a good hobby in and of itself, but probably more than a legal professor wants to do.

So I recommend a shortcut. A search is anything that can tell a reasonable person whether or not someone is gay. It's simple and future-proof and applies to most domains.

Thursday, July 12, 2018

The Senate Meltdown/Spectre Hearing

You can browse directly to the debacle here. Everything from beginning to end of this was a nightmarish pile of people grandstanding about the wrong things.

Let's start with the point that if you're going to get upset about a bug, Meltdown and Spectre are SUPER COOL but that does not make them SUPER IMPORTANT. In the time it took Immunity to write up a really good version of and exploit for this, maybe fifty other local privilege escalation bugs have come out for basically any platform they affected. And they are hardly the first new bugclass to come along. I guarantee you every major consulting company out there has a half dozen private bugclasses. People always say "You need to be able to handle an 0day on any resilient system" and the same thing is true for bugclasses.

I'm going to quote the National Journal here.
Chairman John Thune said he “hesitates” to craft legislation that would require U.S. companies to promptly hand over information on new cyber-vulnerabilities to the government, or to deny that same information to Chinese firms.
“You’d like to see that happen sort of organically, which is what we tried to suggest today and which many of the panelists indicated is happening in a better way, a more structured way,” Thune told reporters after the hearing.
Nearly every part of this not-veiled threat is a bad idea. Assuming they could come up with a definition of "cyber-vulnerability", the companies involved do most of this work overseas. They would no doubt make sure to give this information to every government at the same time. Now we are in a race to see who can take advantage of it first?

There's a reason Intel didn't even bother to show up to this hearing. One of them is they can't afford to be seen taking sides with the USG in public. Which is precisely why this conversation happens over beers in bar somewhere instead of us counter-productively trying to browbeat them on live TV for no good reason. And we have to deal with the fact that sometimes we don't get what we want.

Here's a list of things we could have learned:

  • Bugs that private companies discover are not classified information protected and owned by the USG
  • There are consequences to our adversarial relationship with the community and with industry
  • No matter how much we blather on about coordinated disclosure systems and public private partnerships, companies have other competing interests they are not going to sacrifice just because it would be nice for the USG