About 5000 people are dead..but what about civil liberties? 5000 are dead. Perhaps more to come. Don't you want to live long enough to enjoy your liberty?
Actually, no, I do not want to live a long, meaningless life in a world without any risks, and without any freedom.
Wouldn't you feel safer riding an airplane if you knew security at the airports is airtight?
Problem is, we can give up ALL of our civil liberties, and security will still not be 'airtight'.
What do you expect will happen when we've given up all our rights, and yet these incidents will still happen? Do you have any illusion that, once lost, we will ever regain these rights?
Interestingly enough, Congress unanimously supports the President. This is not the time for dissent.
But is everybody going along with the party line because they feel it is the rational solution, or because they are afraid of the consequences if they don't?
How do you think all of the 'good germans' felt about 'the time for dissent' when the brownshirts started checking papers and their neighbors began to dissappear?
In my experience, middle management in 'traditional' companies reject telecommuting primarily out of fear.
Fear of loss of control over their direct reports, fear of loss of productivity, but more than anything else,
fear that telecommuting will make middle management obsolete.
If they pass a key escrow or 'backdoor' law, and the crypto community follows this by proving weaknesses introduced by the government requirements make encrypted communications easier for a fourth party to crack, the legislative response is obvious...
They'll simply amend the DMCA to outlaw cryto algorithm research, cracking software, and possession of non-government-issued decryption keys, software, or hardware.
You are correct. Your suggestion is the most basic way to defeat the proposed 'key escrow' proposals, where you create an additional decryption key for your private key, and hand that key over to an escrow agency.
In theory, the feds can never get your escrow key unless they have a warrant, so they can never detect that you are using 'double encryption' until they have some other reason to suspect you.
The primary reason I like the idea of using double encryption is because I know that under a key escrow system the escrow agency will eventually be compromised, and the Feds will start using the escrowed keys to conduct illegal 'fishing expeditions'.
If you doubt this, just read up on J. Edgar Hoover.
you are sharing a trade secret with someone who has a need to know in your company, the feds aren't going to post it on the
Internet. If you are leaking a trade secret to your competitors for money, then I hope the feds come knocking at your door.
Wanna bet?
One word proves you wrong: France
It is well known that the French government routinely used their 'key escrow' laws (recently liberalized) to collect inside information from foreign firms and pass this information on to French corporations for competitive advantage.
Who is to say that if you are sending confidential contract bid information to a colleage, that the Feds won't pass this date on to a competitor, one that just happened to be a major contributor to the winning party in the last election?
For every highly ethical person in government, there are a hundred G. Gordon Liddys, fifty J Edgar Hoovers, and a dozen Nixons.
In the United State, police are empowered to attempt to eavesdrop on normally private converstations.
There is nothing in US law (yet!) that prevents the parties to the conversation from taking steps to prevent the police from eavesdropping, including encryption.
As far as wiretap laws and police eavesdropping on telephone calls, there have been various levels of voice encryption products on the market for several decades, and there has never been any question as to the legality of their sale and use in the USA.
No, the internet should not be exempt from the rules of the physical world, but our rules only say that they police have to get a court order before they can legally attempt to intercept your conversation- nowhere does it say that the parties have to actively assist in violating their own privacy.
The proposed change would tilt the balance of power, mandating that you cannot take steps to conceal the content of your messages, just in case law enforcement might someday want to go over your communications.
Digital encrypted records can be stored indefinitely. I have no doubt that the backdoor key and a record over every message every 'interesting' person every sends will be stored on permanent media, just in case you or I turn out to be the next Martin Luther King Jr. and they need to pull up some blackmail material....
...If we're going to control encryption usage then I'm sorry but we're just going to have to pass some laws to force people to use
authorized spell and grammar checkers. ... You will also be interogated by an AI on every message you craft to determine your true
intent; non-standard word usage will be flagged and noted on your record.
I knew it!
That damn paperclip was working for the CIA all along!
Anyway, why would someone need to use crypted messages, except for bank accounts and e-commerce? I fail to see any good reason.
What need?
What about pro-choice activists trying to organize a (legal) protest while Republicans control the white house?
What about a small business working in physically diverse locations to write up a competitive bid against major corporations with huge budgets for 'industrial espionage?'
Perhaps you are organizing a political campaign against the incumbent? After Nixon and Florida, do you have any doubt that politicians in office would not use intelligence assets to intercept the communications of their political opponents?
Perhaps most of my personal work isn't that interesting (but you'd be suprised). But the data my employer transfers over various networks can be worth millions.
When I worked for a major radio communication and semiconductor firm, we dealt with file transfers including HR data (salary, SSN, insurance claims), new CPU and other chip designs, bid information for contracts in the hundreds of millions, marketing, pricing, and profit projections, and much more they didn't tell me about.
How about the phone company? (Okay, I was only there two months) Sure, they have your credit information and the unlisted number for various celebrities. But they also have call detail information for every subscriber, and systems that allow real-time interception of all phone calls, including alarm circuits and the 911 system.
What about an online brokerage, mananging hundreds of millions in customer assets, and tens of millions in stock transactions each day?
Perhaps 'the government' can be trusted with backdoors giving them access to all of this information. But remember Nixon, Oliver North, or the many other cases of abuse of power and access to information by the people who make up the government?
Here's a real-life example where my personal data has value to the Feds and others: I find a new security hole in a popular corporate firewall project. I need to report this major security problem to the vendor, but I don't want it to be known to anybody who might exploit it to penetrate corporate networks. How do I communicate this problem to the vendor without strong encryption?
The government of France tried this. They outlawed all forms of encryption without providing the keys to the french government.
For example, I worked for a major semiconductor and radio communications corporation. We encrypted all private circuits to all remote offices, in the US and abroad, except that in France we had to provide the keys to the French government.
End Result?
The French intelligence agencies would hand over to major french businesses the 'competitive intelligence' collected from foreign corporations operations in france, allowing them to underbid competitors, etc.
There are several well-documented cases of government abuse of this information. In France the level of distrust got so bad that they eventually relaxed this policy due to foreign based companies withdrawing their business.
Using this sort of tragedy to advance a political career or a particularly opressive agenda is disgusting, but is also standard procedure for many politicians, American or otherwise.
After every mass murder with the least connection to firearms, some politician proposes extreme restrictions on civilian ownership, without regard for whether it would have prevented the particular incident in question. One of the first bills proposed after the OKC bombing was new gun control laws.
After every crime where the offender ever even saw a computer, let alone had an AOL account, some congressman will propose new 'Internet Crime' laws restricting freedom online.
The only saving grace is these rash proposals seldom become law.
Shipped from Canada or Europe to avoid those pesky American laws.
And while you're at it, you can pick up the 'OpenBSD Globe' T-shirt with the very relevant slogan 'Make Crypto Not Munitions', and a timely quote from Ben Franklin.
OpenBSD will run on pretty much all of the same hardware that will run Mac/Win, and then some.
The mildly paranoid will only use encryption software they have compiled themselves, from source code they can trust, written to follow specifications by respected people in the crypto community.
The mildly paranoid will also only use compilers they have compiled themselves, and only use implementations that have undergone a line-by-line code review by a trusted person in their organization.
The truly paranoid will only run this crypto on isolated systems using chips that they have personally inspected the original die and have an established 'chain of custody' from original pressing to installation in this isolated workstation.
Osama Bin Laden will just have a few dozen of his faithful followers memorize 'one time pads', and a few hundred who can do 8-round Rijndael in their heads, and laugh at the silly Americans giving up essential liberties for a little temporary safety.
The concept is that if you are caught using non-backdoor-enabled crypto software, then they don't need to prove that you are a terrorist, they can just throw you in jail for a few dozen years based solely on the easily proven charge of 'possession of illegal munitions (crypto)".
IMHO, this is just one more step towards a police state.
It is highly unlikely that the Internet was used in any way to organize, plan, target, or launch these attacks. Chances are that none of the 20+ terrorists involved even had an email account, and if they did, it was a hotmail account used as a cover, with a subscription to a couple pro-Israel mailing lists, and a web browser history showing a few visits to flight booking sites and a bit of porn browsing on the weekends.
The Internet is monitored, logged, and data-mined like no other communications medium. It is undependable, insecure, and would not be used by terrorists for the same reasons that it is not used by the US government to plan our reprisals.
The Internet isn't good for anything much more important than Quake.
Pilots have full control over their aircraft, because they need the choice to use their judgment in flying the plane -- When you take away options, you leave the situation open to other disasters, failure modes that were not anticipated in the design of the system, but which could be averted by the human pilot.
For example, if a plane diverges from its set flight-path a mechanism should kick-in which sets it on autopilot at x-thousand feet. This can only be overriden by ground control.
Great. Now all I need to do is disable all of the radio receivers on a airplane (with a low-power spark gap transmitter on board) and watch the plane go in a straight line at x-thousand feet until it runs out of fuel.
Im amazed that no one has proposed the obvious technical solutions to this specific problem. I, for one, am amazed that this did not happen earlier. In a distributed system no single agent should have too much power. Pilots of jumbo jets have too much distructive power. We need to fix that.
Drivers of cars have too much power
Captains of cargo ships have too much power
Voters in Florida have too much power
The solution is not to override the decisions of the pilots, but to provide AAA (Authentication, Authorization, Accounting) to ensure that the person at the controls is who we think they are, and provide warnings and suggestions to the pilot.
But people have a strong need to do something in the wake of a tragedy of this magnitude, and if nothing else, giving blood will give them a feeling of accommplishment, and leave them too weak to go out rioting in the streets:-)
It doesn't take high technology to hijack an airplane... I wouldn't be suprised if these hijackings were carried out with quite primitive weapons, perhaps as simple as a knife or icepick.
I do agree that US airport security has become very complacent recently. I've flown many, many times in the past year, often to the east coast, commonly flying with a pocket knife and leatherman multi-tool in my carry-on baggage, only once ever was it even noticed... before boarding a flight to Pittsburg.
Civil rights must be protected, but there is no right to board an aircraft. If you don't like the tight airport security, take a bus, a train, or drive yourself.
I'm actually pleasantly suprised by how well the 'internet infrastructure' is working.
I have big buildouts at Exodus and Genuity, and both sites are seeing problems, but they are isolated to specific high-traffic news sites.
This is a major news event, and as such, there is a huge overload on major news sites, including sites operated by newspapers, TV, and radio.
I have trouble loading MSNBC, a bit of difficulty with slashdot, but normal network access to my servers on Exodus, Genuity, Sprint, and other places around the country has not degraded at all.
I'm responsible for some massive infrastructure in both Genuity and Exodus colocation, and both sites are seeing a huge traffic load on all 'news' web sites.
Other non-news web connections seem to be faring fine, the only DDoS is more along the lines of the Slashdot Effect, specific servers are getting many more users than they planned for, and are individually being overloaded.
I've been flying more often than usual for the past year, about every other month, and each time I've noticed that airport security has gotten more and more complacent -- at O'hare and Midway I routinely board with my spyderco and leatherman in my carry on, and I've only ever once been challenged in 20 some flights, and that was while catching a short prop flight from Virginia to Pittsburg...
Just about year ago I boarded a flight from Detroit to Chicago with not just my usual sharp objects, but also a power screwdriver, set of Motorola trunking radios and their charger, and assorted spare batteries, all in my carry-on. Didn't get a second glance from security.
Privacy can be achieved, if you are willing to spend money, it's trivial to conceal your identity.
Celebrities usually already have at least one 'shell corporation', and don't have any issue with the slightly higher price to purchase dedicated 'business' connectivity.
I am baffled that anybody on/. would be unable to remain anonymous online for long. You need only find an ISP that accepts payment by other than credit card, and that does not require ID to register a new account.
Now pre-pay your account fees for 6-12 months in advance, using a money order (or cash). The ISP might suspect you of being a spammer, but that won't stop them from taking your money.
So long as you do not intentionally 'out' yourself (never personalize your PC or web site settings), don't buy things online, and don't do anything to get the Feds interested, your identity should remain private.
What about cookies?
You mean you don't have a PC dedicated to web browsing, upon which you never keep any personal files? You don't regularly blow away the hard drive, upgrade the ethernet card (new MAC, new GUID, etc), and change the visible IP address?
You say 'I'm too poor to afford such extravagance!' ?
Then you're probably also not interesting enoough for anybody to go to great efforts to invade your privacy.
SCA drives (80-pin connector with power, drive ID and data all together) are getting easier to find. The SCA standard is common not just in Sun, but also Dell servers and many other mid-range server-class PC systems use SCSI-2 LVD drives with a SCA connector, and these are usually backwards compatible with SCSI/SCSI-2 interface on most Sparcstations.
At DirtCheapDrives, CompGeeks and several other vendors, I've found that SCA drives are actually five to ten bucks cheaper than the equivalent drive with a 68-pin 'standard' connector.
Coincidentally, for about eight bucks you can get an adapter that will allow using a drive with a SCA connector with a PC controller having a 50 or 68 pin SCSi cable.
Slashdot Mirror
What do you expect will happen when we've given up all our rights, and yet these incidents will still happen? Do you have any illusion that, once lost, we will ever regain these rights?
But is everybody going along with the party line because they feel it is the rational solution, or because they are afraid of the consequences if they don't?How do you think all of the 'good germans' felt about 'the time for dissent' when the brownshirts started checking papers and their neighbors began to dissappear?
Fear of loss of control over their direct reports, fear of loss of productivity, but more than anything else, fear that telecommuting will make middle management obsolete.
They'll simply amend the DMCA to outlaw cryto algorithm research, cracking software, and possession of non-government-issued decryption keys, software, or hardware.
In theory, the feds can never get your escrow key unless they have a warrant, so they can never detect that you are using 'double encryption' until they have some other reason to suspect you.
The primary reason I like the idea of using double encryption is because I know that under a key escrow system the escrow agency will eventually be compromised, and the Feds will start using the escrowed keys to conduct illegal 'fishing expeditions'.
If you doubt this, just read up on J. Edgar Hoover.
Wanna bet?
One word proves you wrong: France
It is well known that the French government routinely used their 'key escrow' laws (recently liberalized) to collect inside information from foreign firms and pass this information on to French corporations for competitive advantage.
Who is to say that if you are sending confidential contract bid information to a colleage, that the Feds won't pass this date on to a competitor, one that just happened to be a major contributor to the winning party in the last election?
For every highly ethical person in government, there are a hundred G. Gordon Liddys, fifty J Edgar Hoovers, and a dozen Nixons.
In the United State, police are empowered to attempt to eavesdrop on normally private converstations.
There is nothing in US law (yet!) that prevents the parties to the conversation from taking steps to prevent the police from eavesdropping, including encryption.
As far as wiretap laws and police eavesdropping on telephone calls, there have been various levels of voice encryption products on the market for several decades, and there has never been any question as to the legality of their sale and use in the USA.
No, the internet should not be exempt from the rules of the physical world, but our rules only say that they police have to get a court order before they can legally attempt to intercept your conversation- nowhere does it say that the parties have to actively assist in violating their own privacy.
The proposed change would tilt the balance of power, mandating that you cannot take steps to conceal the content of your messages, just in case law enforcement might someday want to go over your communications.
Digital encrypted records can be stored indefinitely. I have no doubt that the backdoor key and a record over every message every 'interesting' person every sends will be stored on permanent media, just in case you or I turn out to be the next Martin Luther King Jr. and they need to pull up some blackmail material....
I knew it!
That damn paperclip was working for the CIA all along!
What about pro-choice activists trying to organize a (legal) protest while Republicans control the white house?
What about a small business working in physically diverse locations to write up a competitive bid against major corporations with huge budgets for 'industrial espionage?'
Perhaps you are organizing a political campaign against the incumbent? After Nixon and Florida, do you have any doubt that politicians in office would not use intelligence assets to intercept the communications of their political opponents?
When I worked for a major radio communication and semiconductor firm, we dealt with file transfers including HR data (salary, SSN, insurance claims), new CPU and other chip designs, bid information for contracts in the hundreds of millions, marketing, pricing, and profit projections, and much more they didn't tell me about.
How about the phone company? (Okay, I was only there two months) Sure, they have your credit information and the unlisted number for various celebrities. But they also have call detail information for every subscriber, and systems that allow real-time interception of all phone calls, including alarm circuits and the 911 system.
What about an online brokerage, mananging hundreds of millions in customer assets, and tens of millions in stock transactions each day?
Perhaps 'the government' can be trusted with backdoors giving them access to all of this information. But remember Nixon, Oliver North, or the many other cases of abuse of power and access to information by the people who make up the government?
Here's a real-life example where my personal data has value to the Feds and others: I find a new security hole in a popular corporate firewall project. I need to report this major security problem to the vendor, but I don't want it to be known to anybody who might exploit it to penetrate corporate networks. How do I communicate this problem to the vendor without strong encryption?
For example, I worked for a major semiconductor and radio communications corporation. We encrypted all private circuits to all remote offices, in the US and abroad, except that in France we had to provide the keys to the French government.
End Result?
The French intelligence agencies would hand over to major french businesses the 'competitive intelligence' collected from foreign corporations operations in france, allowing them to underbid competitors, etc.
There are several well-documented cases of government abuse of this information. In France the level of distrust got so bad that they eventually relaxed this policy due to foreign based companies withdrawing their business.
After every mass murder with the least connection to firearms, some politician proposes extreme restrictions on civilian ownership, without regard for whether it would have prevented the particular incident in question. One of the first bills proposed after the OKC bombing was new gun control laws.
After every crime where the offender ever even saw a computer, let alone had an AOL account, some congressman will propose new 'Internet Crime' laws restricting freedom online.
The only saving grace is these rash proposals seldom become law.
Shipped from Canada or Europe to avoid those pesky American laws.
And while you're at it, you can pick up the 'OpenBSD Globe' T-shirt with the very relevant slogan 'Make Crypto Not Munitions', and a timely quote from Ben Franklin.
OpenBSD will run on pretty much all of the same hardware that will run Mac/Win, and then some.
The mildly paranoid will also only use compilers they have compiled themselves, and only use implementations that have undergone a line-by-line code review by a trusted person in their organization.
The truly paranoid will only run this crypto on isolated systems using chips that they have personally inspected the original die and have an established 'chain of custody' from original pressing to installation in this isolated workstation.
Osama Bin Laden will just have a few dozen of his faithful followers memorize 'one time pads', and a few hundred who can do 8-round Rijndael in their heads, and laugh at the silly Americans giving up essential liberties for a little temporary safety.
IMHO, this is just one more step towards a police state.
It is highly unlikely that the Internet was used in any way to organize, plan, target, or launch these attacks. Chances are that none of the 20+ terrorists involved even had an email account, and if they did, it was a hotmail account used as a cover, with a subscription to a couple pro-Israel mailing lists, and a web browser history showing a few visits to flight booking sites and a bit of porn browsing on the weekends.
The Internet is monitored, logged, and data-mined like no other communications medium. It is undependable, insecure, and would not be used by terrorists for the same reasons that it is not used by the US government to plan our reprisals.
The Internet isn't good for anything much more important than Quake.
Pilots have full control over their aircraft, because they need the choice to use their judgment in flying the plane -- When you take away options, you leave the situation open to other disasters, failure modes that were not anticipated in the design of the system, but which could be averted by the human pilot.
Great. Now all I need to do is disable all of the radio receivers on a airplane (with a low-power spark gap transmitter on board) and watch the plane go in a straight line at x-thousand feet until it runs out of fuel.
Drivers of cars have too much power
Captains of cargo ships have too much power
Voters in Florida have too much power
The solution is not to override the decisions of the pilots, but to provide AAA (Authentication, Authorization, Accounting) to ensure that the person at the controls is who we think they are, and provide warnings and suggestions to the pilot.
But people have a strong need to do something in the wake of a tragedy of this magnitude, and if nothing else, giving blood will give them a feeling of accommplishment, and leave them too weak to go out rioting in the streets
I do agree that US airport security has become very complacent recently. I've flown many, many times in the past year, often to the east coast, commonly flying with a pocket knife and leatherman multi-tool in my carry-on baggage, only once ever was it even noticed... before boarding a flight to Pittsburg.
Civil rights must be protected, but there is no right to board an aircraft. If you don't like the tight airport security, take a bus, a train, or drive yourself.
There have been no incidents in Chicago, just the usual shutdown of government buildings and landmarks.
Also major shopping malls are closing today.
I have big buildouts at Exodus and Genuity, and both sites are seeing problems, but they are isolated to specific high-traffic news sites.
This is a major news event, and as such, there is a huge overload on major news sites, including sites operated by newspapers, TV, and radio.
I have trouble loading MSNBC, a bit of difficulty with slashdot, but normal network access to my servers on Exodus, Genuity, Sprint, and other places around the country has not degraded at all.
Both Republicans and Democrats talk shit, but at least we now have a president who is willing to walk the walk.
I'm responsible for some massive infrastructure in both Genuity and Exodus colocation, and both sites are seeing a huge traffic load on all 'news' web sites.
Other non-news web connections seem to be faring fine, the only DDoS is more along the lines of the Slashdot Effect, specific servers are getting many more users than they planned for, and are individually being overloaded.
Just about year ago I boarded a flight from Detroit to Chicago with not just my usual sharp objects, but also a power screwdriver, set of Motorola trunking radios and their charger, and assorted spare batteries, all in my carry-on. Didn't get a second glance from security.
Those days are over.
Celebrities usually already have at least one 'shell corporation', and don't have any issue with the slightly higher price to purchase dedicated 'business' connectivity.
I am baffled that anybody on /. would be unable to remain anonymous online for long. You need only find an ISP that accepts payment by other than credit card, and that does not require ID to register a new account.
Now pre-pay your account fees for 6-12 months in advance, using a money order (or cash). The ISP might suspect you of being a spammer, but that won't stop them from taking your money.
So long as you do not intentionally 'out' yourself (never personalize your PC or web site settings), don't buy things online, and don't do anything to get the Feds interested, your identity should remain private.
What about cookies?
You mean you don't have a PC dedicated to web browsing, upon which you never keep any personal files? You don't regularly blow away the hard drive, upgrade the ethernet card (new MAC, new GUID, etc), and change the visible IP address?
You say 'I'm too poor to afford such extravagance!' ?
Then you're probably also not interesting enoough for anybody to go to great efforts to invade your privacy.
At DirtCheapDrives, CompGeeks and several other vendors, I've found that SCA drives are actually five to ten bucks cheaper than the equivalent drive with a 68-pin 'standard' connector.
Coincidentally, for about eight bucks you can get an adapter that will allow using a drive with a SCA connector with a PC controller having a 50 or 68 pin SCSi cable.