<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Koz and Effect</title>
	<atom:link href="http://www.kozandeffect.com/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.kozandeffect.com</link>
	<description>No cause for alarm...</description>
	<lastBuildDate>Mon, 05 Jul 2010 03:32:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>The Price of Freedom</title>
		<link>http://www.kozandeffect.com/?p=59</link>
		<comments>http://www.kozandeffect.com/?p=59#comments</comments>
		<pubDate>Mon, 05 Jul 2010 03:32:08 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=59</guid>
		<description><![CDATA[&#8220;Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.&#8221; -Benjamin Franklin I often wrestled with the above statement, re-quoted so many times by so many people in the face of any security argument. In the urge to &#8220;connect the dots&#8221; after 9/11,  I often wondered what [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>&#8220;Those who would give up essential liberty to purchase a little temporary  safety deserve neither liberty nor safety.&#8221;</p>
<p><em>-Benjamin Franklin</em></p></blockquote>
<p>I often wrestled with the above statement, re-quoted so many times by so many people in the face of any security argument. In the urge to &#8220;connect the dots&#8221; after 9/11,  I often wondered what Ben Franklin would have thought of his now famous statement. Would he still agree? Is it too much to ask to purchase a little safety?</p>
<p>The world we live in today is much different from that 234 years ago to the day. We live in a time of magic and awe. Six billion people inhabit this planet, many of them able to share their thoughts and ideas with millions of others instantly regardless of distance or location. We are able to send anyone or anything anywhere on the globe within 24 hours. A butterfly flapping its wings in Africa may be able to eventually spawn a hurricane in the north Atlantic, but that&#8217;s nothing compared to the speed of an email or Twitter wave.</p>
<p>Never before has the world been so open and interconnected, and every day the lives of thousands everywhere get incrementally better as the walls that held back human progress in the remote locations of the world come crumbling down. Yet the same mechanisms that whisk thoughts and goods and people from place to place also send threats and malcontent over the same channels. Some are terrified at the rapid changes in people&#8217;s lives, and are driven to violence. Others believe that the rest of the world should stay as it is, that we should build the walls again, and leave the rest to its machinations.</p>
<p>To the latter group, it is a fool&#8217;s wish. The world will never close up again. And it is here we find ourselves today.</p>
<p>I wondered what Ben Franklin would have said. If we were not to give up liberty for security, then were we to give up security? Would it be inevitable that people would be bossed and shoved around? Terrorized? Harmed? Killed? Who would advocate this? No, I thought, people were being too thin-skinned. It doesn&#8217;t matter if the FBI or so is reading your email, they&#8217;re not out to get you anyways. An extra security line here or there to check for bombs is fine. The nation got its fill of seeing people jump out of skyscrapers to their deaths to avoid being burned alive, and we would all toughen up to avoid having to go through that ordeal again.</p>
<p>I thought this for a while, until I passed a New Hampshire license plate.</p>
<p>It&#8217;s been said so much from such an early time that the words became meaningless to me, and yet one day, driving down the interstate, it clicked. There was a time when people didn&#8217;t have a say in how their affairs were run. They were forced to pledge loyalty to some guy an ocean away, who didn&#8217;t give a shit about them unless the taxes were not being paid. People were tried and convicted in mock courts, under laws that were suspended at will, and where death by hanging could be the penalty for a trivial offense.</p>
<p>The people who endured this chose not to fall in line, but rather, they declared war.</p>
<p>The statements &#8220;Live Free or Die&#8221;, &#8220;Give Me Liberty, or Give Me Death!&#8221; are quotes that are referred to often. They were spoken by ordinary men who were fully willing to embrace the threat of harm to ensure the right to live as they pleased. A terrible conflict ensued, and thousands perished.</p>
<p>We honor this day and others during the year and speak to those days when those citizens before us decided enough was enough and they would be terrorized no longer. We celebrate, rightfully, what was a monumental occasion.</p>
<p>It has been over two centuries since that conflict. But these days I feel that sentiment, the lessons from that struggle, are more relevant than ever. Our world holds untold promise and prosperity, but also new threats and dangers. We face risks and read about horrors that the founding fathers never would have imagined.</p>
<p>Many in this country think we should do <em>everything</em> we can to protect our citizens from every conceivable threat and attack. This is a laudable, if unrealistic, aim. Nevertheless, we try. But in doing so we often erode those liberties the founding fathers spoke of. We read email, install full body scanners, take off our shoes at airports. You can no longer photograph some buildings or officials, for fear of undertaking reconnaissance. Some declare that the constitution should no longer apply to those accused of terrorism, U.S. citizen or not.</p>
<p>Those in the security business would tell you that these measures work to a marginal extent. A determined attacker will get through eventually. However, many would argue that any measurable increase in security is worth the price.</p>
<p>The founding fathers would disagree.</p>
<p>No one would argue the need for practical measures, for vigilance, for a strong military and law enforcement. But the day will arrive, occasionally, where harm is done or lives are lost. And it is we, the ordinary U.S. citizen, who must remember that it is the price we pay for enjoying such little interference in our affairs, for the right to do as we please while upholding the rights of others, for the right to choose, to speak out, to condone and complain.</p>
<p>We are not defenseless. Bravery, ingenuity, cleverness, and tenacity continue to protect this nation of 300 million every day. We are not on the verge of being annihilated, and we were wise to structure our government in such a way that we rely on no one man or family for continuity. Our military, our intelligence agencies, federal and local police, all of our lines of defense filter and stop so much. But there is a threshold at which point security begins to trump liberty, and it is there where we must accept that residual risk and bear the burden ourselves, as the revolutionaries once promised to do, and did.</p>
<p>Have a happy 4th of July everyone. =)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=59</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On Spying</title>
		<link>http://www.kozandeffect.com/?p=53</link>
		<comments>http://www.kozandeffect.com/?p=53#comments</comments>
		<pubDate>Fri, 02 Jul 2010 19:08:10 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=53</guid>
		<description><![CDATA[There&#8217;s a lot of press on the recent bust of 11 Russians reportedly spying on the U.S. All in all, it&#8217;s reported that none of them managed to work their way into a position where national secrets might be divulged. Or maybe not. According to reports, their &#8220;mission&#8221; consisted mainly of collecting open source information. [...]]]></description>
			<content:encoded><![CDATA[<p>There&#8217;s a lot of press on the recent bust of 11 Russians reportedly spying on the U.S. All in all, it&#8217;s reported that none of them managed to work their way into a position where national secrets might be divulged.</p>
<p>Or maybe not. According to reports, their &#8220;mission&#8221; consisted mainly of collecting open source information. Domestic response and general feeling towards U.S. political parties, information on the upcoming election, the feel of the population towards the current administration, all things an English speaker could find out doing a bit of reading on Google.</p>
<p>But an <a href="http://www.rferl.org/content/Is_This_Espionage_20_Anna_Chapman_spy_Russia/2089061.html" target="_blank">article</a> on RFE/RL caught my eye. The social network gathered was quite extensive. Perhaps the mission of this group was not as much of a failure as the FBI made it out to be (insofar as gathering top secret information), but one that was more focused on providing a communications channel between the Russian government and the American tech industry. It&#8217;s all speculation, but I would think such an approach might have the advantage of bypassing normal public channels and thus avoiding some of the scrutiny (not to mention political backlash) of firms like Cisco setting up shop next to the Kremlin.</p>
<p>I admit, it&#8217;s a lot of theorizing and speculation on my part, and I&#8217;m sure only the FBI (and the spies themselves) know the truth. But given that so much espionage no longer is of the &#8220;top secret&#8221; variety, I&#8217;m inclined to wonder if this operation was focused in an entirely different direction than the one the investigators assumed it would be.</p>
<p>Edit: I haven&#8217;t read all of this yet, but security veteran Gary Warner has a <a href="http://garwarner.blogspot.com/2010/06/russian-spies-tradecraft-and-follow.html" target="_blank">really good series of articles</a> going breaking down the whole operation. I should give these a closer look.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=53</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Command</title>
		<link>http://www.kozandeffect.com/?p=47</link>
		<comments>http://www.kozandeffect.com/?p=47#comments</comments>
		<pubDate>Tue, 20 Apr 2010 00:06:51 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=47</guid>
		<description><![CDATA[I was reading over Schneier&#8217;s blog on the recent hearings for Lt. Gen. Alexander&#8217;s nomination to head the US Cyber Command, which would be a new unified DoD command to address IA issues, both offensive and defensive. Reading through Schneier&#8217;s comments and those who replied to his post, I was a bit taken aback. I [...]]]></description>
			<content:encoded><![CDATA[<p>I was reading over <a href="http://www.schneier.com/blog/archives/2010/04/lt_gen_alexande.html" target="_blank">Schneier&#8217;s blog</a> on the recent hearings for Lt. Gen. Alexander&#8217;s nomination to head the US Cyber Command, which would be a new unified DoD command to address IA issues, both offensive and defensive. Reading through Schneier&#8217;s comments and those who replied to his post, I was a bit taken aback.</p>
<p>I didn&#8217;t find anything in his remarks that is particularly alarming (the comment that DHS and the FBI would be the primary agencies to address domestic IA issues spoke volumes about his views on his command&#8217;s AOR), but lots of snide comments from the peanut gallery that somehow the military is wasting its time and that the threat to DoD information assurance is somehow a myth.</p>
<p>Granted, DoD, just like a private organization, is loath to acknowledge when they&#8217;ve been compromised, but most readers here I&#8217;m sure would recognize that it&#8217;s occurred many times in the past. So I&#8217;m a bit puzzled that when DoD starts discussing a unified command to deal with these issues they&#8217;re met with ridicule.</p>
<p>There are justifiable and wholly appropriate questions being asked about just how DoD intends to defend its networks, and they and outside individuals correctly recognize that the nature of the internet means that threats will originate from inside and out, across a myriad of state lines, sovereignties, various agencies and organizations. People have a right to know how DoD will respond in these cases, but don&#8217;t be surprised or offended if they come knocking.</p>
<p>Government agencies, which control VAST networks handling everything from taxes to health care and military communications, are finally starting to get serious about network security, and they need our help. (They can start by dropping the &#8220;cyber&#8221; part of their name. =P ) But the cries of &#8220;BULLSHIT&#8221;, &#8220;Buy American!&#8221; and &#8220;wahhh! Wiretapping!!!&#8221; echo Tea Party-like cries of bogeymen and conspiracies that are not there.</p>
<p>Be concerned. Question, critique. But please, don&#8217;t expect them to sit back and do nothing while they&#8217;re getting lambasted online and off. The Government moves much slower than we&#8217;d all like them to, but at least we&#8217;re starting somewhere. The Cybersecurity Act and this command are at least a starting point. The former got lots of good input and revision before it was done. We can do the same here.</p>
<p>P.S. Everyone knows what a probe is. (Hint, it&#8217;s not just a ping sweep.) No, he didn&#8217;t spell it out for the congressmen in the room, and he didn&#8217;t need to. Remember, these people interviewing him send &#8220;internets&#8221; to one another. =P</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=47</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pwn2Miss the point.</title>
		<link>http://www.kozandeffect.com/?p=41</link>
		<comments>http://www.kozandeffect.com/?p=41#comments</comments>
		<pubDate>Mon, 05 Apr 2010 22:10:22 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=41</guid>
		<description><![CDATA[There&#8217;s been a lot of coverage on the Pwn2Own event, in which various browsers are hacked in seemingly under 3 seconds. My friend Ken had a really excellent analogy. &#8220;that would be like saying someone ran the new york marathon in 12 hours, implying anyone can do it that quickly. But forgetting the years of [...]]]></description>
			<content:encoded><![CDATA[<p>There&#8217;s been <a href="http://www.gizmag.com/pwn2own-browser-hack-success/14697/" target="_blank">a lot of coverage</a> on the Pwn2Own event, in which various browsers are hacked in seemingly under 3 seconds.</p>
<p>My friend Ken had a really excellent analogy.</p>
<p>&#8220;That would be like saying someone ran the New York marathon in 12 hours, implying anyone can do it that quickly. But forgetting the years of training it would take to build up that endurance.&#8221;</p>
<p>The media never assumes that someone just wanders up to the starting line on a whim and cranks out a record time. So why is it always misreported that these researchers cracked a browser in so many seconds? They didn&#8217;t hack the browser in 3 seconds; the 3 seconds was the time it took to execute the script they spent the previous year creating. =P</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=41</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Trusting SSL</title>
		<link>http://www.kozandeffect.com/?p=38</link>
		<comments>http://www.kozandeffect.com/?p=38#comments</comments>
		<pubDate>Fri, 26 Mar 2010 05:01:58 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=38</guid>
		<description><![CDATA[New School has a recap and a commentary on the disclosure of an internet appliance that can be used to eavesdrop on HTTPS communications. That is, web applications such as banking, e-mail, commerce, and the like. Before anyone panics, it&#8217;s not a hack, exploit, or otherwise. Actually the box itself doesn&#8217;t do much at all. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://newschoolsecurity.com/2010/03/smoke-fire-and-ssl/" target="_self">New School</a> has a recap and a commentary on the disclosure of an <a href="http://www.wired.com/threatlevel/2010/03/packet-forensics/" target="_blank">internet appliance</a> that can be used to eavesdrop on HTTPS communications. That is, web applications such as banking, e-mail, commerce, and the like.</p>
<p>Before anyone panics, it&#8217;s not a hack, exploit, or otherwise. Actually the box itself doesn&#8217;t do much at all. The device relies on a certificate authority to forge a certificate of a legitimate website (The CA having assigned the certificate in the first place) so that the box will appear, for all intents and purposes, to be the actual site. Man in the middle.</p>
<p>What New School does a good job of pointing out is that this is not, as stated above, an exploit or hack, but a breakdown in trust. The company that markets the device does so to law enforcement and intelligence agencies, and I have no reason to suspect that they have not been able to convince a CA to forge a certificate for them on request. The fault lies solely with the CA that created the forged certificate that allowed the appliance to appear as the legitimate site (something digital certificates were designed to protect against). It is, essentially, the ultimate irony. The groups asked to be the most trustworthy could easily destroy that trust, and undermine the system in the process.</p>
<p>There&#8217;s no evidence that any of this is taking place on a wide scale, or by which CAs, if any more than one or two at all. But as the author points out, browsers come preloaded with the certificates of hundreds of CAs, which can then be used to validate most certificates on the net. I can only guess at a future where users would be recommended to be more selective in the CAs they trust, based on a history of those shown to abuse that trust or not.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=38</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Health Care</title>
		<link>http://www.kozandeffect.com/?p=36</link>
		<comments>http://www.kozandeffect.com/?p=36#comments</comments>
		<pubDate>Thu, 25 Mar 2010 21:51:59 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=36</guid>
		<description><![CDATA[I&#8217;ve been staying out of the Health Care debate a bit, but I thought I&#8217;d draw attention to something that caught my eye today. As we all know, the bill passed, and &#8220;Obamacare&#8221; is now law. I am not disappointed by this. While there are some provisions that make me wary (namely the fee individuals [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been staying out of the Health Care debate a bit, but I thought I&#8217;d draw attention to something that caught my eye today.</p>
<p>As we all know, the bill passed, and &#8220;Obamacare&#8221; is now law. I am not disappointed by this. While there are some provisions that make me wary (namely the fee individuals must pay if they opt not to get insurance) I think on the whole it&#8217;s good, even if things such as tort reform and removal of interstate competition restrictions didn&#8217;t make it in.</p>
<p>Part of the reason I think many of those important elements were left out was due to the decision of the Republican Party not to offer any backing or input on the bill at all. They offered their own separate version (which was introduced in a <em>Motion To Recommit</em> just minutes prior to the first house vote in December.) but the law that was passed did not have much Republican input, only opposition.</p>
<p>This was unfortunate. The bill that passed should not have been entirely unappetizing to the other side; many noted the similarities between the Democrat bill and Mitt Romney&#8217;s (a Republican) plan for Mass. Being a moderate in most issues myself, I would have preferred to see both sides work on this together.</p>
<p>Alas, it did not happen, and in an excellent piece, David Frum, a well known Republican speaker, <a href="http://www.frumforum.com/waterloo" target="_blank">commented on</a> what he saw as a failed Republican strategy on something that should have been an opportunity to work together.</p>
<p>Alas, <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/03/25/AR2010032502336.html" target="_blank">he was fired today</a>.</p>
<p>It&#8217;s somewhat ironic, given what his piece said, and I&#8217;m increasingly disappointed that there is little rational thought from the right side of the political spectrum anymore. Don&#8217;t get me wrong, I feel the left is no more innocent than anyone else, but the increasing frequency that rational and moderate voices are being drowned out by cheerleaders, shock jocks, and angry grand-standers is disappointing and worrying.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=36</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>On privacy.</title>
		<link>http://www.kozandeffect.com/?p=31</link>
		<comments>http://www.kozandeffect.com/?p=31#comments</comments>
		<pubDate>Mon, 15 Mar 2010 21:07:18 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=31</guid>
		<description><![CDATA[I&#8217;ll start off with a quote: &#8220;As a social good, I think privacy is greatly overrated because privacy basically means concealment. People conceal things in order to fool other people about them. They want to appear healthier than they are, smarter, more honest and so forth.&#8221; -Judge Richard Posner, 7th Court of Appeals. I saw [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ll start off with a quote:</p>
<p>&#8220;As a social good, I think privacy is greatly overrated because privacy basically means concealment. People conceal things in order to fool other people about them. They want to appear healthier than they are, smarter, more honest and so forth.&#8221;<br />
-Judge Richard Posner, 7th Court of Appeals.</p>
<p>I saw the aforementioned quote on a <a href="http://news.cnet.com/8301-13578_3-20000336-38.html" target="_blank">cnet site</a> and almost immediately went to find the <a href="http://bigthink.com/ideas/1381" target="_blank">full quote</a>, as we see all too often how things are taken out of context. (I&#8217;d highly recommend watching his full comments; his words were not twisted and he went on to defend them, but he clearly had a specific context in mind.)</p>
<p>The quote was repeated around in many places, and in many ways it parallels Eric Schmidt&#8217;s &#8220;<a href="http://www.youtube.com/watch?v=A6e7wfDHzew" target="_blank">you shouldn&#8217;t be doing it in the first place</a>&#8221; statement when questioned on privacy.</p>
<p>In both cases, these people infer scenarios where illegal acts are being committed by people who enjoy privacy. Certainly we could have stopped what bad things they were doing had we been listening to their phones or reading their e-mail.</p>
<p>To those who lose friends or family due to violent acts, this reasoning seems obvious. Surely the sanctity of life matters more than someone reading your e-mail. The policies of the United States following 9/11 followed the reasoning that the threat of retaliation was no longer a sufficient weapon against those who did not fear. No amount of punishment would ever bring dead people back to life, and so removing all threats to life became the modus operandi.</p>
<p>Years go by and the incessant calls to &#8220;connect the dots&#8221; faded away. Companies like AT&amp;T had their eavesdropping operations exposed, and people reacted with shock and anger at comments like the one above. Why is it privacy suddenly matters again? Hadn&#8217;t we settled this issue?</p>
<p>As most people reading probably answered to themselves earlier, privacy is not about hiding one&#8217;s ill deeds (though it can be used for such) but also serves as one&#8217;s protection. Every one of us was conceived in what could be considered a private act, (I wish I could find who originally pointed that out to me, but I forget the blog author) and many of us carry knowledge in our heads that, in the wrong hands, could be used against us. Privacy is enshrined even in the highest levels of government when every two years, citizens pull a curtain around themselves, protecting their secret ballot against the danger of peer pressure and intimidation.</p>
<p>I have no doubt that if I were to bring these examples up to either of these men, they would agree that the need for privacy in these circumstances is necessary. But it is unmanageable to decide for every possible scenario what should be privacy and what should not. Instead we craft laws, which state in broad terms when privacy should be respected, and when it should not.</p>
<p>As Posner points out, people divulge all sorts of information daily with little care or concern as to what happens to it. The commonality with which technology has affected us has leveled our fears somewhat; we do not feel as exposed divulging our addresses if everyone else on our street has as well. And the data collected by computers and other systems is often vacuumed up into vast databases, and acted upon by algorithms and trending software, its focus trained outwards on thousands and millions rather than on the individual. Think of the likelihood that someone would focus on one individual in a sea of names, and one can feel complacent.</p>
<p>Improbable is not impossible however, and the same databases that deliver harmless ads in the hands of one can deliver malware or make charges to credit in the hands of another. Individuals can have their careers and lives <a href="http://en.wikipedia.org/wiki/Valerie_Plame" target="_blank">ruined</a> when privacy is breached. Is it right in these cases to assume that these individuals were doing something they shouldn&#8217;t have been?</p>
<p>To assume that privacy means hiding ill deeds forgets that we depend on our privacy every day against threats of predation, intimidation, and quick judgment. And just as we assume &#8220;innocence until proven guilty&#8221; to protect against the unlawful incarceration of individuals, so must we assume one&#8217;s right to privacy lest we reveal information that can be used to compromise. It should be treated as no less important than justice itself. While there are many cases where an individual can be cleared after a wrongful sentence, &#8220;What has been seen cannot be unseen,&#8221; so the saying goes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=31</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>On chess moves.</title>
		<link>http://www.kozandeffect.com/?p=27</link>
		<comments>http://www.kozandeffect.com/?p=27#comments</comments>
		<pubDate>Tue, 09 Mar 2010 18:42:08 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=27</guid>
		<description><![CDATA[I normally keep politics out of my blogging, but it might be time to drop that rule. I was reading the news out of Israel today for the building of 1,600 new homes. This comes a day after VP Biden starts touring the region spouting the U.S. and Israel&#8217;s &#8220;unshakable&#8221; ties. I can&#8217;t help but [...]]]></description>
			<content:encoded><![CDATA[<p>I normally keep politics out of my blogging, but it might be time to drop that rule.</p>
<p>I was reading the <a href="http://www.nytimes.com/2010/03/10/world/middleeast/10biden.html?hp" target="_blank">news</a> out of Israel today for the building of 1,600 new homes. This comes a day after VP Biden starts touring the region spouting the U.S. and Israel&#8217;s &#8220;unshakable&#8221; ties.</p>
<p>I can&#8217;t help but feel like we just got played. Not more than a day later after Biden said &#8220;There is absolutely no space between the United States and Israel in  terms of Israel’s security&#8221;, a whole swath of homes are approved on Palestinian land, no doubt for &#8220;security&#8221; reasons.</p>
<p>The move is admirable in its cleverness. If we object, then suddenly the &#8220;no space between&#8221; comment rings hollow. If we don&#8217;t, then we&#8217;re even more hated by the Middle East. It&#8217;s masterful in its deviousness.</p>
<p>Deviousness isn&#8217;t usually a trait between allies though. Sooner or later, the U.S. is going to get fed up of maintaining perpetual combat in the mid east because of our &#8220;unshakable&#8221; ties to a country even more obnoxious and heavy-handed than we are.</p>
<p>UPDATED: Biden has decided to sacrifice the pawn, and has <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/03/09/AR2010030900497.html?nav=rss_email/components" target="_blank">rebuked Israel</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=27</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Questions</title>
		<link>http://www.kozandeffect.com/?p=24</link>
		<comments>http://www.kozandeffect.com/?p=24#comments</comments>
		<pubDate>Thu, 04 Mar 2010 15:51:18 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=24</guid>
		<description><![CDATA[You&#8217;ve seen them. The Security Question. Sign up for an account, pick a password, then fill in the answers for a few questions so that the system can identify you in case you lose your password. The problem with these is that the answers to the questions are weaker alternatives to the passwords themselves.  Both [...]]]></description>
			<content:encoded><![CDATA[<p>You&#8217;ve seen them. The Security Question. Sign up for an account, pick a password, then fill in the answers for a few questions so that the system can identify you in case you lose your password.</p>
<p>The problem with these is that the answers to the questions are weaker alternatives to the passwords themselves. Both require the user to identify themselves via a string that only they should know. The questions, however, have two flaws:</p>
<p>1. <strong>The answers to the questions are generally not considered confidential.</strong> &#8220;Your mother&#8217;s maiden name&#8221; is a piece of information that may not be commonly known, but is not exactly often considered secret either. Same for the names of the schools you attended. With the rise of social networks and the vast amounts of personal data individuals fill out in these, it&#8217;s become easier than ever for someone else to answer these questions correctly.</p>
<p>2. <strong>The answers are not random character strings.</strong> Think of all of the times you were told that a good password must contain symbols and numbers or what have you. This is a good practice, and it&#8217;s to help ensure that (to some degree) the password is as random as possible. Security questions, however, often prompt for a word, and this greatly reduces the number of possible correct answers. An eight character password, using just lowercase letters, numbers, and ten different symbols (46 characters in all), gives 46<sup>8</sup>, over 20 trillion, possible combinations, a steep hill for a brute force attack. Yet the English language has, at the <a href="http://hypertextbook.com/facts/2001/JohnnyLing.shtml" target="_blank">high end of estimates</a>, barely a million words. Quite a lot, but far less daunting. (This is a very simplistic example, since real answers are not even spread evenly over those million words, but I believe the point stands.)</p>
<p>There&#8217;s been a lot of talk on the first point, but Light Blue Touchpaper has a <a href="http://www.lightbluetouchpaper.org/2010/03/04/evaluating-statistical-attacks-on-personal-knowledge-questions/" target="_blank">really neat post</a> focusing on the second. They reference a recently published <a href="http://www.cl.cam.ac.uk/~jcb82/doc/fc2010_name_guessing.pdf" target="_blank">paper</a> that works out in detail how successful drive-by brute forcing of accounts via the security questionnaire is, and the success rate is surprisingly high.</p>
<p>So what does one do about it?</p>
<p>1. Refuse to play along. One of the best pieces of advice I received from one of my infosec professors: If you have a security question, answer it with something else entirely. If it asks for, say, your mother&#8217;s maiden name, put in the name of your school. Make it something hilarious, and you&#8217;ll be better able to remember it. Even if an attacker does find out your mother&#8217;s maiden name, they&#8217;ll be puzzled as to why it doesn&#8217;t work.</p>
<p>2. According to the paper though, even that may not be enough. While the paper focuses on single names (and the above, I think, will give you a reasonable level of security), the use of an actual word is still relatively weak for the reasons I outlined above. So use a password. Make it the same as the one you use for the account, or, better, a different one: the answer is a second credential for the same account, and if it matches the password, whichever of the two leaks gives up the other. Either way, both the question and the actual password challenge (and you do use a strong password, right?) will be protected at the same level.</p>
<p>But what if you do actually forget your password? Isn&#8217;t that what this was supposed to fix? The first suggestion would be to use a password manager, such as <a href="http://keepass.info/" target="_blank">KeePass</a>, so that you only have to remember one password, and can then access all of the others. The other suggestion? Write it down. Seriously. Write it on a pad of paper, and protect that paper. If you&#8217;re in a work environment, then this does not apply. Your office is not private. (No, really, it&#8217;s not. You don&#8217;t own or control the building.) But for home, it&#8217;s more than sufficient. Keep it hidden in a desk drawer or the like, and pull it out when you need to. You&#8217;ll lessen the number of passwords you need to remember and make it easier to create more complex ones.</p>
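<p>To put numbers on the two points above, here is an added example (my own code, not from the post or the referenced paper). It compares the keyspace of the post&#8217;s 46-character, eight-character password against a million-word dictionary, then goes one step further than the post: it models the statistical attack the paper describes, where answers are not spread evenly but cluster on a few popular values, so an attacker who gets five online guesses before a lockout simply tries the five most common answers. The surname frequency table is constructed for illustration and is not real data; the 46-character alphabet and the one-million-word figure are the post&#8217;s own. The last function generates a random answer with <code>secrets</code>, which is the &#8220;use a password instead&#8221; advice in code form.</p>

```python
import math
import secrets
import string

# Alphabet from the post: 26 lowercase letters, 10 digits, 10 symbols = 46 characters.
PASSWORD_ALPHABET = string.ascii_lowercase + string.digits + "!@#$%^&*()"
PASSWORD_LENGTH = 8
# High-end estimate of English vocabulary size quoted in the post.
ENGLISH_WORDS = 1_000_000

# CONSTRUCTED frequency table (not real data): the fraction of accounts whose
# "mother's maiden name" answer is each surname, for a population where answers
# cluster on a handful of common names. Only the most common entries are listed;
# the remaining probability mass is spread thinly over rarer names.
CONSTRUCTED_ANSWER_FREQ = {
    "smith": 0.0102,
    "johnson": 0.0081,
    "williams": 0.0070,
    "brown": 0.0062,
    "jones": 0.0062,
    "miller": 0.0054,
    "davis": 0.0048,
    "garcia": 0.0041,
    "rodriguez": 0.0038,
    "wilson": 0.0035,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(n: int) -> float:
    """Bits of entropy of a value chosen uniformly from n possibilities."""
    return math.log2(n)


def top_k_success(freq: dict, k: int) -> float:
    """Chance that k guesses, ordered most-common-first, hit the account's answer.

    This is the statistical attack: the attacker never enumerates the whole
    dictionary, just the few most popular answers before the lockout trips.
    """
    return sum(sorted(freq.values(), reverse=True)[:k])


def lockout_success(k: int) -> dict:
    """Per-account success probability for an attacker allowed k online guesses.

    Uniformly chosen answers give k/N; the skewed (constructed) surname
    population gives the sum of the k most common frequencies.
    """
    return {
        "random_password": k / keyspace(len(PASSWORD_ALPHABET), PASSWORD_LENGTH),
        "uniform_english_word": k / ENGLISH_WORDS,
        "skewed_surname": top_k_success(CONSTRUCTED_ANSWER_FREQ, k),
    }


def random_answer(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Generate a random string to paste into a security-question field.

    secrets (not random) is used because the answer is a credential.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    n = keyspace(len(PASSWORD_ALPHABET), PASSWORD_LENGTH)
    print(f"8-char password keyspace: {n:,} ({entropy_bits(n):.1f} bits)")
    print(f"English dictionary:       {ENGLISH_WORDS:,} ({entropy_bits(ENGLISH_WORDS):.1f} bits)")
    for policy, p in lockout_success(5).items():
        print(f"5-guess lockout, {policy:22s}: {p:.2e}")
    print("Suggested answer:", random_answer())
```

<p>The gap between the first two lines of output is the post&#8217;s point about keyspace (about 44 bits versus about 20). The third policy is the paper&#8217;s point: against a skewed population, five guesses succeed on a few percent of accounts regardless of how large the dictionary is, which is why a random string beats even an obscure real word.</p>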
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=24</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Idiots make poor suggestions, news at 11.</title>
		<link>http://www.kozandeffect.com/?p=18</link>
		<comments>http://www.kozandeffect.com/?p=18#comments</comments>
		<pubDate>Thu, 25 Feb 2010 20:20:15 +0000</pubDate>
		<dc:creator>Koz</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.kozandeffect.com/?p=18</guid>
		<description><![CDATA[There are few days that go by that I don&#8217;t read something along these lines: A person, group, or entity, offers a motion that, for reasons of ignorance or greed, is stupid. This usually results in numerous news articles proclaiming how our liberties/freedoms/lifestyle/cable TV selection are in immediate danger of coming under the jackboot of [...]]]></description>
			<content:encoded><![CDATA[<p>There are few days that go by that I don&#8217;t read something along these lines: A person, group, or entity, offers a motion that, for reasons of ignorance or greed, is stupid.</p>
<p>This usually results in numerous news articles proclaiming how our liberties/freedoms/lifestyle/cable TV selection are in immediate danger of coming under the jackboot of Fascism.</p>
<p>Buried in the fine print of the article though, you&#8217;ll see that often, these things don&#8217;t make it past the suggestion phase. An introduced bill, a letter of support, a submitted brief. Formal methods no doubt, but all carry the weight of some guy standing on a street corner proclaiming that the end is nigh.</p>
<p>Nevertheless, I can&#8217;t help but wonder if we&#8217;d be better served to ignore these things and get on with our lives. Stupid people say stupid things, with surprising regularity. Many media personalities have achieved larger-than-life statuses simply by proposing outrageous ideas that are attractive to all but a token few. Is focusing more attention on these things in our best interest if it stands that they&#8217;ll get ignored in the end anyways? Why lend any more credibility than is deserved?</p>
<p>It could very well be that it&#8217;s the reactions to these proposals that ensure their demise in the first place. I often wonder if this is the case in the areas of public policy, where a lot of bills and recommendations are posted, often without going anywhere. If there were people who might have considered some of these items in the slightest, many would rethink this in the face of so much uproar.</p>
<p>But while these items rarely make it past even one round of scrutiny, the comments and feedback that pour forth often seem to indicate that people think that these policies have been adopted or are on the verge of being so, convincing them of the downward spiral of their country/state/ISP. This fuels the cynicism even more, and mostly because of a poor understanding of systems that are often designed to weed out these bad policies in the first place.</p>
<p>That&#8217;s not to mention the many proposals where a single line or component may be taken out of context. By itself, a phrase can indicate a grave danger to our traditional way of doing things, until it&#8217;s viewed in the larger context of its surrounding mitigating language. Suddenly it has no teeth. Yet it&#8217;s often that singular phrase that&#8217;s reported on.</p>
<p>Advocacy and special interest groups, I feel, are sometimes guilty of this. To an extent, I can see why: It is their mission to be passionate about their chosen issue. Advocate and watchdog groups serve a role in paying close attention to a particular issue in a way the populace cannot. (I can hear the multitude of persons saying that &#8220;people should be educated on the issues&#8221;, but I challenge any one of them to stay abreast of all of the &#8220;important&#8221; issues in the world and still have some semblance of a life.) However, while it&#8217;s important to raise awareness, it does no one any favors to scare people into thinking that something is worse than it is.</p>
<p>There isn&#8217;t a realistic fix for this problem. In the end, critical thinking and common sense are the only cure for panicking needlessly at every little thing. Whether or not this has a high chance of uptake in the face of so much sensationalism, however, I&#8217;m not holding my breath.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kozandeffect.com/?feed=rss2&amp;p=18</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
