Slashdot Mirror

IANAL, but anything plainly viewable from public property is not considered private.

The problem with that is that you're basically assuming that the law is something final, set for all time, instead of an ongoing, gradual, negotiated codification of rules that should apply to everybody, developed as the rules are needed, in response to new circumstances.

There's a fair amount of argument and research going on right now trying to refine the notion of privacy to new circumstances posed by information technology. Some points here are Privacy as Contextual Integrity and A Taxonomy of Privacy.

I would distill the fundamentals of these arguments down to the following: the privacy laws that we have today are tailored to the privacy issues of 50 years ago, when we didn't have the big, emerging privacy problem we have today: the dramatically increased ability to put together disparate pieces of "public" data to discover "private" facts.

IANAL, but anything plainly viewable from public property is not considered private.

The problem with that is that you're basically assuming that the law is something final, set for all time, instead of an ongoing, gradual, negotiated codification of rules that should apply to everybody, developed as the rules are needed, in response to new circumstances.

There's a fair amount of argument and research going on right now trying to refine the notion of privacy to new circumstances posed by information technology. Some points here are Privacy as Contextual Integrity and A Taxonomy of Privacy.

I would distill the fundamentals of these arguments down to the following: the privacy laws that we have today are tailored to the privacy issues of 50 years ago, when we didn't have the big, emerging privacy problem we have today: the dramatically increased ability to put together disparate pieces of "public" data to discover "private" facts.

I've been in a lengthy argument about this guy on the Ars Technica forums. I ended up emailing Bruce Schneier about this and asked his thoughts.

Here was my email to him:

Hi Bruce,

I've been following the Pwn2Own contest for the last couple of years.
Last year a researcher from ISE ( http://securityevaluators.com/ )
named Charlie Miller used an exploit in a Perl library included in
WebKit, the base code for Apple's Safari browser and won a cash price
for his effort. In the press it was claimed he "hacked Safari in mere
seconds". In truth it took a lot more time than that to devise the
exploit and only seconds to execute it.

This year he did it again with another preplanned exploit which he
says he discovered while researching last years bug. Again he won a
cash prize of $10,000.

In an interview with ZDNet he said: "I never give up free bugs. I have
a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a
market value so it makes no sense to work hard to find a bug, write an
exploit and then give it away," Miller told ZDNet. "Apple pays people
to do the same job so we know there's value to this work."

I have a major problem with his philosophy and feel this is a
dangerous precedent to set and a bastardization of the goals of
security in the fist place. I feel he has an obligation to inform
Apple and not dangle a dollar amount for the how-to.

Sure he should be paid for his time and effort which is why he works
at a security firm. This contest is basically bonus money and about
bragging rights. Sitting on a bug puts the safety of other users at
risk. But he is basically demanding bribe money for bugs. Who is to
say he wouldn't give up his research to the highest bidder? I'm sure
there are blackhat groups like those in Russia and China that would
pay handsomely for some juicy exploits like this.

Yes there is a long history of security firms hiring hackers and there
have been many questions of whether that is a good idea. But security
firms should take notice of this philosophy and not employee those who
engage in this kind of behavior. It's bad form for his employer and
makes the security industry as a whole look bad by proxy. Would you
hire a security company that employees hackers who blackmail for bugs
to work on your systems? If we hired his firm while I was working IT
at a large New York bank I would advised my boss to make sure he's not
on our project (and perhaps hire an entirely different firm altogether).

I've been in a discussion with other users about this. There seems to
be a split in viewpoint, one side saying he should let Apple and the
WebKit developers know about this exploit for the betterment of
everyone (for free). The other side feels this is purely about
capitalism and he has no moral or ethical obligation to tell anyone.

Some have likened it to seeing a crack in a bridge that might fail.
Are you obligated to inform someone of the problem? What if Dan
Kaminsky demanded $1 million to divulge details on the DNS BIND problem?

What are your feelings on this?

Thanks

Here's the discussion I've been following:

http://episteme.arstechnica.com/eve/forums/a/tpc/f/174096756/m/996001677931?r=869003677931#869003677931

http://dvlabs.tippingpoint.com/blog/2009/03/21/pwn2own-wrap-up

Bruce wrote me back today with his response:

There's a fine line between being paid for your efforts and extortion. This seems to cross it.

No, that's not actually true any more.

Check this out.

But what's to stop a person of suitable intelligence and malicious intent from subverting your system?

Check this article on MD5 collisions in speed camera captures from 2005. This was applied to a database of images where the public didn't have access.

You want to apply the same theory to images on the internet? Goodluckwiththat.

No, I mean "without copyright", explicitly.

Read The Digital Art Auction and Street Performer Protocol (co-written by Bruce Schneier, no less). Both detail a way of making money in a world where copyright law does not exist.

And the very first thing the users will do is write down the encryption key, so they don't forget it.

Well, Bruce Schneier recommends writing down your passwords.

Quote:

. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

"Quantum cryptography is back in the news, and the basic idea is still unbelievably cool, in theory, and nearly useless in real life."

Benevolent worms are a perennial suggestion in computer security, and the conclusion is always no no no no.

who advises people to not encrypt their wireless access points. So yes, let's quote him on all security matters.

This is more spot-on than the joker seems to realize. According to Bruce Schneier:

I have long argued that the entertainment industry doesn't want people to have computers. Computers give users too much capability, too much flexibility, too much freedom. The entertainment industry wants users to sit back and consume things. They are trying to turn a computer into an Internet Entertainment Platform, along the lines of a television or VCR.

(full article is here) Computers

How do you nullify and change that cert? If the answer is "you don't", then how do you deal with someone breaking that cert (either through cryptanaylisis or getting access to the machine)?

OTOH, do you really need to secure wireless networks at all?

It didn't really disappear, it's just not defined anymore.

They should have used a Neutronic function.

Neutronic functions make possible for the first time the ability to analyze regions of mathematics commonly thought to be undefined, such as the point where one is divided by zero.

4. Security. GPO produces passports and other secure documents. The current design for passports uses an RFID chip, which means that an American can be picked out of a crowd merely by having a passport in their pocket. If nominated and confirmed, I would ask security expert Bruce Schneier to form a Blue-Ribbon Commission to reexamine the design of passports and other secure documents so we can better protect the privacy and security of all Americans.

And we know what Schneier's stance is on those RFID chips: he has long opposed them. So does this mean that we will see a reversal of the policy on RFID tags in passports? Gods, I hope so.

Dude, try installing the right codecs

This always gets me though: why doesn't [the trusting trust attack] apply to C?

Bruce Schneier pointed out that one can bootstrap a compiler using a different implementation of the language as a (probabilistic) measure against defects introduced by trusting trust. Build it on systems with different compilers, bit-compare the binaries generated on each system, and if they match, you can be reasonably sure that there is no such defect. But unlike C, which has implementations from GNU, Borland, Watcom, M$, Green Hills, and numerous other vendors, a lot of the managed languages lack multiple widely used complete implementations. For example, there really isn't an alternative to Sun Java.

I'll be charitable and assume you are just uninformed. Inform yourself.

djb thought potential exploits would appear without port randomization, but he didnt discover this particular flaw. Kaminsky did. As a car analogy, its like saying putting chips in keys keeps cars from being stolen, but coming up with a non-obvious hack that always starts the car without a key is its own work. Even Schneier says so:

Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.

Attempting to use legal means to change this is akin to passing laws against gravity, and both will enjoy equal success.

I believe the preferred analogy is trying to make water not wet.

Yes, it it. If that happens. But so far it looks like that's not the case:

http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html

Except cameras don't catch people "redhanded". If they catch people at all it's almost always after the crime has been committed and the criminal has fled. Beyond that statistics show that public surveillance cameras do not reduce crime. Many studies of surveillance cameras have shown this to be the case.

CCTV Cameras
http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html

You seem to be a bit trolling, but you're an interesting troll, so lets go ahead :-)

It's very clear that different parts of open source have different standards of review. Whilst the Debian SSL situation is bad to terrible (I had just installed my home web server on Debian for an experiment; I was not pleased!), however it was discovered only due to the source being open. It's known that actual deliberate attempts to put back doors into the Linux Kernel have been thwarted. By choosing properly supported stable well audited parts of Linux there can really be a benefit. Personally I would strongly recomment RedHat. I was impressed that ther distribution wasn't actually compromised during the recent attacks on their signing infrastructure. It showed a real commitment to defense in depth to a level which surprised me.

Even the compiler attack you mention has now been countered (see also Schneier's interesting discussion of double compilation). I'm surprised you don't mention it when discussing a 1980's paper (which is why I wonder about the trolling bit). This means that it really is possible to leverage the benefit of "open source" for better security.

I'd take a slightly different moral; you should have layered trust. More for Linux; less for Apache; little for Open Office very little for random Linux games; none for closed source software. Use SELinux to partition your software (if your OS doesn't support SELinux then change it :-). If you care about security then insist on source and actually pay for some parts of source level audits.

A key "talking point" in this discussion would be why the Chinese insisted on having Windows source whilst commercial customers don't get it. Discuss whether your company has any Chinese competitors. Seriously consider switching off a system which gives those competitors a benefit you don't have (sometimes Chinese competitors seem indistinguishable from the government). If they insist on source then so should you.

I fail to see where your functional duplicate matters in the slightest. My security conscious employer is going to know that my eyeball has been removed, and will revoke the authorization immediately after being informed. If I don't show up for work one day, and am unreachable, all of my credentials will again be revoked. My bank is going to be only slightly less responsive - the worst case will be that they are informed by my employer that something is amiss.

Perhaps you could describe the scenario you envision?

Well, first I make a copy of your eyeball, and use it to access your bank account, and make some long distance phone calls, and buy some stuff. Then I publish it online so others can make copies and do the same, pretending to be you.

So, you contact the bank, and ask them to revoke your eyeball, and you call the phone company and your credit company and do the same thing. Fine, now I can't pretend to be you.

Now, how are you going to open another bank account? Are you going to grow a new eyeball? Are they going to email you a new eyeball that has to be activated within the next 24 hours or it will expire?

If you want an example, a group in Germany already did the same thing, except it was a fingerprint and not an eyeball. Wolfgang Schauble, who was Germany's interior minister at the time and for all I know still is, was a big supporter of systematic biometrics. Then his fingerprint became something you could download off the internet and tape to your finger. I wonder how he feels about the idea now...

http://www.schneier.com/blog/archives/2008/04/german_minister.html

Still confused?

I like Schneier and respect him with regards to a lot of positions but on this particular topic I don't think I can. You say that Bruce is on Gutmann's side as if Schneier had some some sort of analysis on Gutmann's claims in order to verify their authenticity. He did not, he simply discussed the article in question and said that he agrees. Nobody has ever posted an actual analysis of the XP and Vista systems to see if indeed the DRM path is the culprit in anything. Maybe instead of attacking the DRM path for playing protected media (Which I might add is only invoked when one decides to playback DRMed content) people should focus their ire on the true culprit - Lazy programming that causes slowdowns in certain situations.

You may want to have a look at the entire section here on Wikipedia about this particular issue, which specifically mentions Guttman's article. The most important bit to note, in my opinion, is one of the responses from Paul Smith (There are many good ones):

# Vista does not degrade or refuse to play any existing media, CDs or DVDs. The protected data paths are only activated if protected content requires it.

Emphasis mine on the second half of that, and right before that bullet point is the pointing out that this stuff isn't even supposed to be turned on until 2010 or 2012.

According to Bruce Schneier:

We've never factored a 1024-bit number -- at least, not outside any secret government agency -- and it's likely to require a lot more than 15 million computer years of work.

So even if the usable computational speed of processors doubles in the next few years, it would still take at least 7.5 million computer years of work. You might have that much time (or maybe you have 7 million computers) but I don't.

No, increased computational speeds won't make factoring extremely large numbers feasible (at least, not anytime soon). The only thing that will do that would be finding some algorithm to do it - and if you figure that out, you'll deserve every award you get and then some.

http://slashdot.org/article.pl?sid=08/07/20/1624253

http://slashdot.org/article.pl?sid=08/02/21/1543234

It was also on Wired: http://blog.wired.com/27bstroke6/2008/02/encryption-stil.html

Engadget: http://www.engadget.com/2008/02/21/cold-boot-disk-encryption-attack-is-shockingly-effective/

Schneier's blog: http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html

Information week: http://www.informationweek.com/news/personal_tech/showArticle.jhtml?articleID=206801184

The Register: http://www.theregister.co.uk/2008/07/21/cold_boot_utilities/

Cnet: http://news.cnet.com/8301-1009_3-10003167-83.html

PC World http://www.pcworld.com/video/id,762-page,1-bid,0/video.html

Boing Boing http://www.boingboing.net/2008/07/19/cold-boot-encryption.html

It was even on reuters: http://www.reuters.com/article/pressRelease/idUS163325+27-Feb-2008+PRN20080227

It's not an obscure thing, you are just ignorant of major technology news. Perhaps the summary should define "CPU" and "linux" for you as well, just in case you don't what they are either.

When I worked in retail sales in the early nineties, Computer printers were making good enough images to encourage some idiots to try passing home-made bills as real.

Seems to be the majority of counterfeiting nowadays:

http://www.schneier.com/blog/archives/2009/01/trends_in_count.html

Interesting fact about Rijndael -- it has a very simple structure: it's "light" but perfectly* strong, as far as extant knowledge goes. (*"Perfectly" in the sense that there is no extant way to break it apart from brute force.) However, its simplicity has led some to consider it "not the most secure choice." Makes you wonder if there *is* a government farm that can crack it now!

Indeed, it seems that more or less anyone in the US who is involved in any way with the transport industry can set up their own private police force. For an example, see here

As SHA-1 is somewhat weak also, use the SHA-2 family, for example SHA-256 or longer instead.

Be sure to test the resulting cert infrastructure before deploying it. I (vaguely) recall a couple of years ago that OpenSSL lets you specify some legal hash names which it verifies just fine, but browsers such as Firefox may obscurely fail to recognize them when verifying the certificate chain.

A better overview: The SHA-3 Zoo. Did you look at Edon-R? It is not be the most flexible, but it's the fastest one. Followed by Skein. I agree to what Bruce Schneier wrote: sort the algorithms based on performance and features, and then focus on the top 12.

1. GP does not sound psychotic at all

2. I see nothing irrational or excessive at all. The US has deliberately sent the Lucetania into a battle zone in order to enter WWI, disregarded intelligence that could have prevented Pearl Harbor, entered a virtual battle in Tonkin to enter Vietnam, and made up stories on WMD to enter Iraq. In that light an NSA backdoor does not seem more preposterous to me. And there have been news items on this, even from Bruce Schneier.

I think you owe GP an apology for your incorrect accusation.

K I was following with a skeptical eye till you mentioned WOMD. Give it up for once, guys. They've used gas on the Kurds before. They used it during the Persian Gulf war. All we asked was that they show they got rid of it. Not only would they not show they got rid of it, they run around claiming they've got it and their citizens screaming that they're the big bad new military power sent to bring down the evil West. And you have a problem with us doing something about that?

My tolerance for your type is fast waning.
Of all the dictatorial military powers ever to exist in the history of mankind, the US is the teddybear of them all. Yes I know it's a fallacy to say "look how much worse we could be". But I'm saying it anyways-- we could just be Rome or China and run in, kill all their leaders and men and loot their country for our own profit. As it is we're doing quite the opposite, installing power everywhere, spending billions to set up schools and all that, blah blah. Basically what the Europeans didn't do when they pulled out of the African colonies.

So I say to you-- "Boo hoo" Control your citizens and don't offer save haven to terrorists, and we won't do this to you.

1. GP does not sound psychotic at all
2. I see nothing irrational or excessive at all. The US has deliberately sent the Lucetania into a battle zone in order to enter WWI, disregarded intelligence that could have prevented Pearl Harbor, entered a virtual battle in Tonkin to enter Vietnam, and made up stories on WMD to enter Iraq. In that light an NSA backdoor does not seem more preposterous to me. And there have been news items on this, even from Bruce Schneier.

I think you owe GP an apology for your incorrect accusation.

That's one solution. I began looking into seperate password managers a year or two ago. The two solutions I found looked the best, at the time, were KeePass, and Bruce Schneier's Password Safe.

Ultimately, though, I decided against either one. The problem with using something like that is that, now, I don't actually know the passwords for all of my accounts. If something goes wrong, or I just don't have access to the safe (like maybe I am away from home and forgot to bring my USB key along, or I'm using a computer which I don't want to stick the key into (because the key might get infected with some virus/trojan if I stick it into a public PC, or maybe their is malware on the PC which, once I've unlocked the password safe, grabs all the account/password info), I can't get into my accounts.

The real, true, ultimate problem isn't that people need a password safe. It's that people need fewer accounts/passwords. We need something like OpenId to become more widespread. Now, you probably wouldn't use OpenId (or some analog) for very sensitive accounts like bank/paypal/amazon.com/etc, but how many times have you been to a site where you wanted to post in a forum, or add a comment to a blog, but then you were confronted with being forced to register an account? On the one hand, that might cut down on spam/noise/trolls (or it might not; if you are a troll or spammer, you just register an account without worrying about every using it again, so you don't care what the password is or if you remember it), but it also cuts down, I'm sure, on worthwhile posts because people can't be bothered to try to remember yet another password (or they just end up using a very small number of passwords everywhere).

I wish more sites used OpenId. Seems like only a very small minority of sites I've visited offer that as an option.

Well, for one thing, 1.www.google.com has access to the www.google.com cookie. It's also a really good place to phish from. In some circumstances, document.domain is even set up such that 1.www.google.com has script level access to www.google.com. Not good.

That makes sense. Nonexistent, subdomain host poisoning is also a serious problem.

Taking over existing domains is a superset of that serious problem, and can be done with the same style attack, just by adding glue. Because existing hijackable domains include nameserver domains, you could take over all DNS for google.com, from webservers and mail servers to SPF and DKIM records.

Anyway, it's all bad. Yes, poisoning is bad.

At this point, BIND, Nominum, Unbound, and Microsoft all suppress colliding queries. The only name server I know of that doesn't is DJBDNS, and it drops its security level noticeably.

DJB was the first to point out that Source Port Randomization would help, years ago, and he gets no credit? Why not concede any? And how many of those servers you named have been open to an easily feasible 32,000 max packet poisoning attack for the eight years that djbdns was requiring a TXID + SPR packet attack? And now you're trying to ding djbdns, characterizing it as a less secure outlier, for allowing 200 simultaneous queries, which opens the space by not quite 8 bits? TXID + SPR for djbdns is still 24 bits. TXID + SPR is only 27 for Microsoft (2500 source ports).

Scheier:

The real lesson is that the patch treadmill doesn't work, and it hasn't for years. This cycle of finding security holes and rushing to patch them before the bad guys exploit those vulnerabilities is expensive, inefficient and incomplete. We need to design security into our systems right from the beginning. We need assurance. We need security engineers involved in system design. This process won't prevent every vulnerability, but it's much more secure -- and cheaper -- than the patch treadmill we're all on now.

What a security engineer brings to the problem is a particular mindset. He thinks about systems from a security perspective. It's not that he discovers all possible attacks before the bad guys do; it's more that he anticipates potential types of attacks, and defends against them even if he doesn't know their details. I see this all the time in good cryptographic designs. It's over-engineering based on intuition, but if the security engineer has good intuition, it generally works.

Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.

That's what a good design looks like. ...

I'm not a DJB fanboy. I concede that I think the 200 simultaneous identical queries is a big loss of security. But I also recognize that DJB was doing the right thing nearly a decade ago, and warning people, while everyone else took until now, after disclosure of a specific, very bad vuln, to clean up their acts. I find it distasteful that people are reluctant to publicly acknowledge DJB's right thinking, or even to acknowledge it to themselves. That's the other face of fanboyism, just inverted from fan to detractor.

All viruses require a reasonable level of market share to operate, because one of the principles they rely upon is a network effect, and you just plain cannot get a network effect without a decent market share. So marketshare is, very much, a pre-requisite for a successful virus. It's not the only one, but when people say "Mac OS X hasn't been attacked yet because it doesn't have enough marketshare", they're right. That's one fundamental reason. And unless you can show that any other reasons apply, it's likely to be the only reason.

Fair point. However, Mac OS X has far more market share than something like Aros. We're talking somewhere above 8% of the market right now. That's an appreciable install base and certainly worth targeting. By comparison, the Witty worm targeted (and infected) an install base of only 12,000 systems. So sure - install base might be a factor. But it is hardly the only one.

There's little reason to believe that Mac OS X is protected from viruses by anything other than its low market share at this point. There's not a large enough group of users for network effects to take over. It is not an inherently secure operating system. The default user is generally set up with administration privileges, and it just takes a buffer overflow or other ordinary vulnerability in a client application like a web browser plug-in for a virus or worm to have complete access to the user's files, and enough access to be able to modify many of the applications the user is likely to run.

Fundamentally, Mac OS X has the same problem as Windows, and the same problem the "run-everything-as-root" Unixes did in the eighties and early nineties: too much functionality available to the default user. To fix this, you need to change the model somewhat. The very least Apple could do is set Mac OS X up so that the installer actively discourages setting up the default user as an administrator.

Wait a minute here. Correct me if I'm wrong, but my impression is that the "administrator" setting of an account allowed sudo access. That's a little different than running as root. Is there something else going on in the Mac userland?

It should also be noted that we've heard these warnings before. The doomsday scenario has yet to come to pass. And while I agree that some of the perception of imperviousness is misplaced, I am also inclined to believe there's a bit more at work here than some critics want to believe.

Take a look at Schneier's arguments against this: http://www.schneier.com/blog/archives/2008/02/benevolent_worm_1.html. One additional point is that stack/heap overflows and other memory-corrupting vulnerabilities often can't be made to be 100% reliable, and can be difficult to code for different service packs and such. This can be, and is, coded around as a matter of course, but a bug in the exploitation process can have disastrous and unpredictable results (in this case, interruption of a large swath of critical internal office file sharing networks.) This doesn't matter to the criminals, but it presumably matters to any prospective "grey hat" worm authors.

Since tfa didn't link to Schneier's blog, here it is:
http://www.schneier.com/blog/archives/2008/11/1941_pencil-and.html

This was Bruce's comment on the matter, back in September: BT, Phorm, and Me. Basically, it boils down to ‘I wasn't working for BT when the decision was made; I'm not involved in the decision; however, as an exec, I cannot comment on the decision.’. I'm fairly certain he disapproves, but can't say anything since BT bought Counterpane.

Off the top of my head...

1. Anyone capable of altering the card can give themselves free unlimited travel.
2. If the card is damaged to the point where it no longer works, you lose your remaining balance.

It's the RFID equivalent of storing all your Internet banking data (accounts, balances, etc.) on the client side as a browser cookie.

As it stands, they aren't going to store the raw data - just information on the endpoints.

This in itself is disturbing, since as Bruce Schneier points out, data mining of this sort is inherently flawed.

It strikes me that this is politically driven - i.e. that GCHQ has an ample supply of mathematicians who can see that this is useless, but that the idiocracy that is Neues Arbeit still believes the bullshit that their highly paid, poorly educated advisors spew out.

Trouble is, the idiots won't listen to sense, so we'll have to wait until the next election to vote in another lot of idiots who may or may not be as stupid as this lot.

Then he spent some quality time with the Air Marshall and DHS ...

The American War on the Unexpected at your service.

Isn't that choice limited by hardware and driver? With my asus adapter and the rt73 driver, I don't recall having any other option than TKIP. Also, similar attacks were started on AES shortly after it arrived on the scene.

Am I the only one that looks at Bruce and thinks Bearforce1?

http://www.schneier.com/skein.html

ahem.

Let's just agree we don't see eye to eye. Time will tell.

I blatantly stole it from Bruce Schneier.

Low level enlisted personel reported listening in on superiors private conversations through the warrantless wire tapping laws. Who knows how many other fucked up bureaucrats spend their days getting themselves off listening to conversations that citizens of the US should have the expectation to be private. And before we say if you don't have anything to hide, remember that Sarah Palin cried like a little girl when her account was hacked and wasted huge amounts of federal dollars looking for the person who did it. If you don't have anything to hide...

In fact I wonder how much of this economic meltdown is caused by the realization that there are no more corporate secrets. Every communique can be intercepted by some disgruntled government worker and be sold to the highest bidder. How much of the meltdown is caused by the realization that Obama might become president, and therefore all the good old boys who were used to breakin' the law, might now be on the ass end of warrentless wire tap. Such abuse of power was OK when a drunk frat boy had the keys.

And let's look a old Joe. The most that will happen to these government worker bees is that they get fired, on assumes, which is OK because this is not the worst that these government workers did to old Joe. Reportedly, someone typed in his name wrong. If the Republican party had their way, Old Joe would not have been able to vote because he drivers license would not have matched his voter registration card . This disenfranchise is reportedly due to a "clerical error". We are now giving low level bureaucrats the power to at least attempt to disenfranchise voters. Can you imagine what would happen if a bunch of voter registration cards came in from a republican area, and the clerk decided to misspell every few names, knowing that a law such as the republicans want to curb voter fraud might at least disenfranchise a few of them?

We really need get back to the constructionist ideals of this country, where those that will trade freedom for security deserve neither.

Our approach to finding terrorist "operational tools" seems to be almost identical to our approach to finding patentable "methods".
Everybody remember the ghastly rash of patents of the form "*yada, yada, something obvious and already common* On the Internet!"? It appears that we are going through the same thing here. Today it is Terrorism, on Twitter!, a while back it was Terrorism, on Wow!, even Terrorism, hidden in kiddie porn!(the ultimate in integrated police state rationalizations. Proposed in Britain, of course. I wish I were kidding).

Terrorism is a threat, albeit an absurdly and dangerously overhyped one; but all this stuff about "OMG TERRORISTS USING $COMMUNICATION_TOOL!" is just stupid(or aimed at laying the groundwork for controlling $COMMUNICATION_TOOL; but our Heroic and Patriotic leaders would never do that). Obviously terrorists need to communicate, obviously they'll use whatever happens to fit their needs, which probably means almost exactly the same things as any other criminal enterprise.

According to http://www.schneier.com/book-applied.html this version was published in 1996. Clifford Cocks' research wasn't made public until 1997. Since we know that Bruce Schneier feeds SchrÃdinger's cat on his back porch, without opening the box, we assume that he was just being polite by not publishing it before it was made publicly known.