The FBI has no trouble spying on encrypted communications

Every time the Bureau wants to spy on someone whose communications are encrypted, they just hack them.

The FBI has made a huge deal out of wanting back doors in encryption — back doors that could be exploited by dirty cops, by crooks, by foreign spies — to make their jobs easier. But in every single case where the FBI has wanted to eavesdrop on a suspect, they've just deployed one of their many dirty tricks to compromise their target's computer.

Sometimes, they hack a website to serve malware to everyone who visits it. In one case, the Bureau publicly asked a judge for permission to sneak a rootkit onto a target's computer so that they could covertly operate its camera and mic. The judge turned them down, but they may have done it anyway through one of the many secret warrant processes available to them.

They really like the idea of forcing tech companies to serve poisoned updates that contain malware, a measure that would reduce the rate at which people installed vital security updates. If this were to become common, responsible tech companies might adopt binary transparency to make the tactic useless.

And as the Washington Post recently reported, an Obama administration working group exploring possible approaches tech companies might use to let law enforcement unlock encrypted communications came up with one that involves the targeted installation of malware — through automatic updates.

"Virtually all consumer devices include the capability to remotely download and install updates to their operating system and applications," the task force wrote. Law enforcement would use a "lawful process" to force tech companies to "use their remote update capability to insert law enforcement software into a targeted device." That malware would then "enable far-reaching access to and control of the targeted device."

The Post did not report who came up with that idea, or whether it was already in use.

And little is known about how much access the agency has to the extensive hacking capabilities developed by other government agencies, especially the National Security Agency.


(via /.)