cypherpunks-legacy
Making an informed decision as a user or a developer when it comes to
real-world tradeoffs between usability and security of course hinges
upon your threat model. I think this is ultimately an empirical question
-- we should be aiming to create a taxonomy of various actual tools
packaged and sold by companies like FinFisher, beyond just the
brochures. For example, Morgan and Citizen Lab did an excellent analysis
recently of FinSpy (in case you missed it:
http://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exp…)
Expanding this research and getting an inside view into the industry
will help everyone make non-speculative decisions about threat models.
It's a difficult problem -- getting this inside view -- but it seems
worthwhile. Is anyone working towards compiling such a list?
And I'll just add that I agree with Moxie about recommending gchat over
cryptocat for users in jurisdictions where Google is unlikely to hand
over information to LE. However, even in this case it may not be so
black and white. The FinSpy software mentioned above, for example, may
intercept Google's chat traffic because it's a popular service, and may
ignore cryptocat because it is relatively unknown. This isn't an
argument that cryptocat v1 is a tenable long-term alternative, but just
shows that it's very difficult to maximally protect every single user
when it comes to real-world recommendations.
Finally, I'll just support the idea that usability is critical and the
burden of making something usable should always be on the developer,
never on the intelligence or know-how of the user. Although I agree
cryptocat v1 has significantly more security issues than v2, I think the
sacrifice in usability moving to v2 is significant and I'd hypothesize
that installing an extension is much harder for people than visiting a
website. Though, again, it's an empirical question that can be answered
rigorously through user experience research.
On 08/07/2012 08:02 AM, Maxim Kammerer wrote:
> On Tue, Aug 7, 2012 at 4:21 AM, Moxie Marlinspike
> <moxie(a)thoughtcrime.org> wrote:
>> However, my position is that Google Chat is currently more secure than
>> CryptoCat. To be more specific, if I were recommending a chat tool for
>> activists to use, *particularly* outside of the United States, I would
>> absolutely recommend that they use Google Chat instead of CryptoCat.
>> Just as I would recommend that they use GMail instead HushMail.
>>
>> The security of CryptoCat v1 is reducible to the security of SSL, as
>> well as to the security of the server infrastructure serving the page.
>> Any attacker who can intercept SSL traffic can intercept a CryptoCat
>> chat session, just as any attacker who can compromise the server (or the
>> server operator themselves) can intercept a CryptoCat chat session.
> Are you equating passive attacks with active attacks? If I understand
> how CryptoCat works correctly, it is resistant against passive
> interception attacks, whereas Google Chat stores cleartext on Google
> servers, which are easily accessible to law enforcement. Active
> attacks against SSL can be mitigated by pinning CryptoCat
> certificates, so you are left with what, compromise of server
> infrastructure? That requires LE jurisdiction where the servers are
> located, domain expertise, and dealing with the risk that the
> compromise is detected. All that vs. Google servers, which, if I
> remember right, provide a friendly interface to user accounts once
> served with a simple wiretapping order (and as has been already
> mentioned, Google is a multinational corporation, subject to a
> multitude of jurisdictions, and is known to bend over for whoever is
> in charge).
>
_______________________________________________
liberationtech mailing list
liberationtech(a)lists.stanford.edu
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
I asked Robb about the transcript - he says that per Rule 6 we can't give it
to you. You would need to file a motion with the US District Court, and the
Judge would have to order them released to you. Robb thinks that Judge
Pechman was the Judge responsible for your grand jury. You can get more
court info at http://www.wawd.uscourts.gov/
Jeff
-----Original Message-----
From: John Young [mailto:jya@pipeline.com]
Sent: Friday, March 09, 2001 7:15 AM
To: Gordon Jeff TIGTA
Subject: Re: Bell trial schedule
Jeff,
Thanks for the information.
Could you find out if I can buy a transcript of my grand jury
testimony before the trial? Robb London has not answered
my three inquiries. The court reporters office told me it
can be released only with Robb's approval.
John
John
The Judge has decided he will not actually start Bell's trial until Tuesday,
4/3 - everyone's testimony will be delayed 1 day - So you will need to be at
the Federal courthouse in Tacoma by Wed, 4/4 at 9:00am, and you should be
done no later than Thursday afternoon
If you want to be reimbursed for your expenses, you will need to make travel
arrangements through the US Attorney's office, Dru Mercer, (206) 553-7970
Jeff
---
And an older message:
Hello,
If you read Salon or Slashdot, you may have already read
of this. Our research group, comprising crypto-folk
from Princeton U, Rice U and Xerox, has issued a press
release and faq (http://www.cs.princeton.edu/sip/sdmi/)
detailing comprehensive success in the 1st round of the
SDMI challenge.
Basically, we got positive results from the oracles
for all four watermarking technologies. These oracles
would yield a positive result if music submitted to
it was modified enough that a watermark could not be
detected, and if quality was good enough relative to
64Kbps MP3 compression. We don't know how they measured
quality. But we passed all four oracles, and repeated
our results as much as we could before the challenge
deadline was over.
A full technical writeup is coming soon, as we plan
on sharing all our findings with the cryptographic and
steganographic community. This is part of the reason
we are not participating in the second phase: we
are not interested in the prize money, and at this
point the challenge is more like a contest, providing
no real value to us from a scientific perspective.
Further participation may also restrict our ability
to publish our results---to be eligible for the prize,
it appears one must sign a form transferring intellectual
property rights to the analysis.
Finally, if you are also a research team who has
received positive results from SDMI oracles, we'd love
to hear about it. We are making a list of links to
others who have received positive results in the first
round. Keep in mind that if you're going after the
money, you might become ineligible if you publicize
these details.
-Scott
Here's the official statement, as found at the URL:
---------------------------------------------------------------
Statement Regarding the SDMI Challenge
The Secure Digital Music Initiative (SDMI) is developing a
comprehensive system to prevent music piracy. Central to this
system is watermarking, in which an inaudible message is hidden
in music to provide copyright information to devices like MP3
players and recorders. Devices may then refuse to make copies of
pieces of music, depending on the meaning of the watermark
contained therein.
In September 2000, SDMI issued a public challenge to help them
choose among four proposed watermarking technologies. During the
three-week challenge, researchers could download samples of
watermarked music, and were invited to attempt to remove the
secret copyright watermarks.
During the challenge period, our team of researchers, from
Princeton University, Rice University, and Xerox, successfully
defeated all four of the watermarking challenges, by rendering
the watermarks undetectable without significantly degrading the
audio quality of the samples. Our success on these challenges
was confirmed by SDMI's email server.
We are currently preparing a technical report describing our
findings regarding the four watermarking challenges, and the two
other miscellaneous challenges, in more detail. The
technical report will be available some time in November.
This statement, a Frequently Asked Questions document, the full
technical report (when it is ready), and other related information
can be found on the Web at http://www.cs.princeton.edu/sip/sdmi.
For more information, please contact Edward Felten at
(609) 258-5906 or felten0x40cs0x2Eprinceton0x2Eedu.
Editor's note: replace 0x40 with @ and 0x2E with .
----------------------------------------------------------------
Scott Craver, Patrick McGregor, Min Wu, Bede Liu
Dept. of Electrical Engineering, Princeton University
Adam Stubblefield, Ben Swartzlander, Dan S. Wallach
Dept. of Computer Science, Rice University
Drew Dean
Computer Science Laboratory, Xerox Palo Alto Research Center
Edward W. Felten
Dept. of Computer Science, Princeton University
CRYPTO-GRAM
April 15, 2009
by Bruce Schneier
Chief Security Technology Officer, BT
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0904.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Fourth Annual Movie-Plot Threat Contest
Who Should be in Charge of U.S. Cybersecurity?
News
Privacy and the Fourth Amendment
Schneier News
The Definition of "Weapon of Mass Destruction"
Stealing Commodities
Comments from Readers
** *** ***** ******* *********** *************
Fourth Annual Movie-Plot Threat Contest
Let's face it, the War on Terror is a tired brand. There just isn't
enough action out there to scare people. If this keeps up, people will
forget to be scared. And then both the terrorists and the
terror-industrial complex lose. We can't have that.
We're going to help revive the fear. There's plenty to be scared about,
if only people would just think about it in the right way. In this
Fourth Movie-Plot Threat Contest, the object is to find an existing
event somewhere in the industrialized world -- Third World events are
just too easy -- and provide a conspiracy theory to explain how the
terrorists were really responsible.
The goal here is to be outlandish but plausible, ridiculous but
possible, and -- if it were only true -- terrifying. Entries should
be formatted as a news story, and are limited to 150 words (I'm going to
check this time) because fear needs to be instilled in a population with
short attention spans. Submit your entry, by the end of the month, in
comments to the blog post.
Submit your entry here:
http://www.schneier.com/blog/archives/2009/04/fourth_annual_m.html
An example from The Onion:
http://www.theonion.com/content/cartoon/feb-23-2009
The First Movie-Plot Threat Contest:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html
http://www.schneier.com/blog/archives/2006/06/movieplot_threa_1.html
The Second Movie-Plot Threat Contest:
http://www.schneier.com/blog/archives/2007/04/announcing_seco.html
http://www.schneier.com/blog/archives/2007/06/second_annual_m.html
http://www.schneier.com/blog/archives/2007/06/second_movieplo.html
The Third Movie-Plot Threat Contest:
http://www.schneier.com/blog/archives/2008/04/third_annual_mo.html
http://www.schneier.com/blog/archives/2008/05/third_annual_mo_2.html
http://www.schneier.com/blog/archives/2008/05/third_annual_mo_1.html
** *** ***** ******* *********** *************
Who Should be in Charge of U.S. Cybersecurity?
U.S. government cybersecurity is an insecure mess, and fixing it is
going to take considerable attention and resources. Trying to make sense
of this, President Barack Obama ordered a 60-day review of government
cybersecurity initiatives. Meanwhile, the U.S. House Subcommittee on
Emerging Threats, Cybersecurity, Science and Technology is holding
hearings on the same topic.
One of the areas of contention is who should be in charge. The FBI, DHS
and DoD -- specifically, the NSA -- all have interests here. Earlier
this month, Rod Beckstrom resigned from his position as director of the
DHS's National Cybersecurity Center, warning of a power grab by the NSA.
Putting national cybersecurity in the hands of the NSA is an incredibly
bad idea. An entire parade of people, ranging from former FBI director
Louis Freeh to Microsoft's Trusted Computing Group Vice President and
former Justice Department computer crime chief Scott Charney, have told
Congress the same thing at this month's hearings.
Cybersecurity isn't a military problem, or even a government problem --
it's a universal problem. All networks, military, government, civilian
and commercial, use the same computers, the same networking hardware,
the same Internet protocols and the same software packages. We all are
the targets of the same attack tools and tactics. It's not even that
government targets are somehow more important; these days, most of our
nation's critical IT infrastructure is in commercial hands.
Government-sponsored Chinese hackers go after both military and civilian
targets.
Some have said that the NSA should be in charge because it has
specialized knowledge. Earlier this month, Director of National
Intelligence Admiral Dennis Blair made this point, saying "There are
some wizards out there at Ft. Meade who can do stuff." That's probably
not true, but if it is, we'd better get them out of Ft. Meade as soon as
possible -- they're doing the nation little good where they are now.
Not that government cybersecurity failings require any specialized
wizardry to fix. GAO reports indicate that government problems include
insufficient access controls, a lack of encryption where necessary, poor
network management, failure to install patches, inadequate audit
procedures, and incomplete or ineffective information security programs.
These aren't super-secret NSA-level security issues; these are the same
managerial problems that every corporate CIO wrestles with.
We've all got the same problems, so solutions must be shared. If the
government has any clever ideas to solve its cybersecurity problems,
certainly a lot of us could benefit from those solutions. If it has an
idea for improving network security, it should tell everyone. The best
thing the government can do for cybersecurity world-wide is to use its
buying power to improve the security of the IT products everyone uses.
If it imposes significant security requirements on its IT vendors, those
vendors will modify their products to meet those requirements. And those
same products, now with improved security, will become available to all
of us as the new standard.
Moreover, the NSA's dual mission of providing security and conducting
surveillance means it has an inherent conflict of interest in
cybersecurity. Inside the NSA, this is called the "equities issue."
During the Cold War, it was easy; the NSA used its expertise to protect
American military information and communications, and eavesdropped on
Soviet information and communications. But what happens when both the
good guys the NSA wants to protect, and the bad guys the NSA wants to
eavesdrop on, use the same systems? They all use Microsoft Windows,
Oracle databases, Internet email, and Skype. When the NSA finds a
vulnerability in one of those systems, does it alert the manufacturer
and fix it -- making both the good guys and the bad guys more secure? Or
does it keep quiet about the vulnerability and not tell anyone -- making
it easier to spy on the bad guys but also keeping the good guys
insecure? Programs like the NSA's warrantless wiretapping program have
created additional vulnerabilities in our domestic telephone networks.
Testifying before Congress earlier this month, former DHS National Cyber
Security division head Amit Yoran said "the intelligence community has
always and will always prioritize its own collection efforts over the
defensive and protection mission of our government's and nation's
digital systems."
Maybe the NSA could convince us that it's putting cybersecurity first,
but its culture of secrecy will mean that any decisions it makes will be
suspect. Under current law, extended by the Bush administration's
extravagant invocation of the "state secrets" privilege when charged
with statutory and constitutional violations, the NSA's activities are
not subject to any meaningful public oversight. And the NSA's tradition
of military secrecy makes it harder for it to coordinate with other
government IT departments, most of which don't have clearances, let
alone coordinate with local law enforcement or the commercial sector.
We need transparent and accountable government processes, using
commercial security products. We need government cybersecurity programs
that improve security for everyone. The NSA certainly has an advisory
and a coordination role in national cybersecurity, and perhaps a more
supervisory role in DoD cybersecurity -- both offensive and defensive --
but it should not be in charge.
A copy of this essay, with all embedded links, is here:
http://www.schneier.com/blog/archives/2009/04/who_should_be_i.html
A version of this essay appeared on The Wall Street Journal website.
http://online.wsj.com/article/SB123844579753370907.html
** *** ***** ******* *********** *************
News
Privacy in Google Latitude: good news.
http://blog.wired.com/business/2009/03/googles-latitud.html
Leaving infants in the car. It happens, and sometimes they die.
http://www.schneier.com/blog/archives/2009/03/leaving_infants.html
Interesting piece of cryptographic history: a cipher designed by Robert
Patterson and sent to Thomas Jefferson in 1801.
http://www.schneier.com/blog/archives/2009/03/1801_cipher_sol.html
The Bayer company is refusing to talk about a fatal accident at a West
Virginia plant, citing a 2002 terrorism law.
http://pubs.acs.org/cen/news/87/i11/8711news6.html
The meeting has been rescheduled. No word on how forthcoming Bayer will be.
http://www.csb.gov/index.cfm?folder=news_releases&page=news&NEWS_ID=461
or http://tinyurl.com/cckma9
Research on fingerprinting paper:
http://www.freedom-to-tinker.com/blog/felten/fingerprinting-blank-paper-usi…
or http://tinyurl.com/djvdkz
http://citp.princeton.edu/pub/paper09oak.pdf
Blowfish on the television series 24, again:
http://www.schneier.com/blog/archives/2009/03/blowfish_on_24_1.html
Interesting analysis of why people steal rare books.
http://www.ft.com/cms/s/2/d41a83d6-09dc-11de-add8-0000779fd2ac.html
Last month, I linked to a catalog of NSA video courses from 1991.
Here's an update, with new information (the FOIA redactions were appealed).
http://www.governmentattic.org/2docs/NSA_TV_Center_Catalog_1991-Update.pdf
or http://tinyurl.com/d2ds68
You just can't make this stuff up: a UK bomb squad is called in because
someone saw a plastic replica of the Holy Hand Grenade of Antioch, from
the movie Monty Python and the Holy Grail.
http://www.schneier.com/blog/archives/2009/03/holy_hand_grena.html
Interesting research in explosives detection.
http://www.aip.org/press_release/detecting_explosives.html
A Psychology Today article on fear and the availability heuristic:
http://blogs.psychologytoday.com/blog/the-narcissus-in-all-us/200903/mass-m…
or http://tinyurl.com/c8mkzm
From Kentucky: I think this is the first documented case of election
fraud in the U.S. using electronic voting machines (there have been lots
of documented cases of errors and voting problems, but this one involves
actual maliciousness). Lots of details; well worth reading.
http://www.schneier.com/blog/archives/2009/03/election_fraud.html
Sniffing keyboard keystrokes with a laser:
http://news.zdnet.com/2100-9595_22-280184.html
Where you stand matters in surviving a suicide bombing.
http://www.sciencedaily.com/releases/2009/03/090323161125.htm
Presumably they also discovered where the attacker should stand to be as
lethal as possible, but there's no indication they published those results.
An impressive solar plasma movie-plot threat.
http://www.newscientist.com/article/mg20127001.300-space-storm-alert-90-sec…
or http://tinyurl.com/c3xphd
Security fears drive Iran to Linux:
http://www.theage.com.au/articles/2004/09/21/1095651288238.html
A gorilla detector, from Muppet Labs.
http://www.youtube.com/watch?v=4QrelL9fOjY
Bob Blakley makes an interesting point about what he calls "the zone of
essential risk": "if you conduct medium-sized transactions rarely,
you're in trouble. The transactions are big enough so that you care
about losses, you don't have enough transaction volume to amortize those
losses, and the cost of insurance or escrow is high enough compared to
the value of your transactions that it doesn't make economic sense to
protect yourself."
http://notabob.blogspot.com/2009/03/zone-of-essential-risk.html
Massive Chinese espionage network discovered:
http://www.schneier.com/blog/archives/2009/03/massive_chinese.html
Thefts at the Museum of Bad Art:
http://en.wikipedia.org/wiki/Museum_Of_Bad_Art
Be sure to notice the camera:
http://en.wikipedia.org/wiki/File:MOBAcamera.JPG
Here's a story about a very expensive series of false positives. The
German police spent years and millions of dollars tracking a mysterious
killer whose DNA had been found at the scenes of six murders. Finally
they realized they were tracking a worker at the factory that assembled
the prepackaged swabs used for DNA testing.
http://scienceblogs.com/authority/2009/03/the_phantom_of_heilbronn_and_n.php
or http://tinyurl.com/d5cwww
This story could be used as justification for a massive DNA database.
After all, if that factory worker had his or her DNA in the database,
the police would have quickly realized what the problem was.
Identifying people using anonymous social networking data:
http://www.schneier.com/blog/archives/2009/04/identifying_peo.html
What to fear: a great rundown of the statistics.
http://www.counterpunch.org/goekler03242009.html
Crypto puzzle and NSA problem:
http://www.cryptosmith.com/archives/565
Clever social networking identity theft scams:
http://www.schneier.com/blog/archives/2009/04/social_networki.html
Police powers and the UK government in the 1980s:
http://www.schneier.com/blog/archives/2009/04/police_powers_a.html
Research into preserving P2P privacy:
http://www.physorg.com/news158419063.html
Fact-free article about foreign companies hacking the U.S. power grid
suggests we panic. My guess is that it was deliberately planted by
someone looking for leverage in the upcoming budget battle.
http://www.schneier.com/blog/archives/2009/04/us_power_grid_h.html
Here's a tip: when walking around in public with secret government
documents, put them in an envelope. Don't carry them in the open where
people can read (and photograph) them.
http://www.schneier.com/blog/archives/2009/04/how_not_to_carr.html
Details of the arrests made in haste after the above disclosure:
http://www.timesonline.co.uk/tol/news/uk/article6078397.ece
It is a measure of our restored sanity that no one has called the TSA
about Tweenbots:
http://www.tweenbots.com/
How to write a scary cyberterrorism story. From Foreign Affairs, no less.
http://neteffect.foreignpolicy.com/posts/2009/04/11/writing_the_scariest_ar…
** *** ***** ******* *********** *************
Privacy and the Fourth Amendment
In the United States, the concept of "expectation of privacy" matters
because it's the constitutional test, based on the Fourth Amendment,
that governs when and how the government can invade your privacy.
Based on the 1967 Katz v. United States Supreme Court decision, this
test actually has two parts. First, the government's action can't
contravene an individual's subjective expectation of privacy; and
second, that expectation of privacy must be one that society in general
recognizes as reasonable. That second part isn't based on anything like
polling data; it is more of a normative idea of what level of privacy
people should be allowed to expect, given the competing importance of
personal privacy on one hand and the government's interest in public
safety on the other.
The problem is, in today's information society, that definition test
will rapidly leave us with no privacy at all.
In Katz, the Court ruled that the police could not eavesdrop on a phone
call without a warrant: Katz expected his phone conversations to be
private and this expectation resulted from a reasonable balance between
personal privacy and societal security. Given NSA's large-scale
warrantless eavesdropping, and the previous administration's continual
insistence that it was necessary to keep America safe from terrorism, is
it still reasonable to expect that our phone conversations are private?
Between the NSA's massive internet eavesdropping program and Gmail's
content-dependent advertising, does anyone actually expect their e-mail
to be private? Between calls for ISPs to retain user data and companies
serving content-dependent web ads, does anyone expect their web browsing
to be private? Between the various computer-infecting malware, and world
governments increasingly demanding to see laptop data at borders, hard
drives are barely private. I certainly don't believe that my SMSs, any
of my telephone data, or anything I say on LiveJournal or Facebook --
regardless of the privacy settings -- is private.
Aerial surveillance, data mining, automatic face recognition, terahertz
radar that can "see" through walls, wholesale surveillance, brain scans,
RFID, "life recorders" that save everything: Even if society still has
some small expectation of digital privacy, that will change as these and
other technologies become ubiquitous. In short, the problem with a
normative expectation of privacy is that it changes with perceived
threats, technology and large-scale abuses.
Clearly, something has to change if we are to be left with any privacy
at all. Three legal scholars have written law review articles that
wrestle with the problems of applying the Fourth Amendment to cyberspace
and to our computer-mediated world in general.
George Washington University's Daniel Solove, who blogs at Concurring
Opinions, has tried to capture the Byzantine complexities of modern
privacy. He points out, for example, that the following privacy
violations -- all real -- are very different: A company markets a list
of 5 million elderly incontinent women; reporters deceitfully gain entry
to a person's home and secretly photograph and record the person; the
government uses a thermal sensor device to detect heat patterns in a
person's home; and a newspaper reports the name of a rape victim. Going
beyond simple definitions such as the divulging of a secret, Solove has
developed a taxonomy of privacy, and the harms that result from their
violation.
His 16 categories are: surveillance, interrogation, aggregation,
identification, insecurity, secondary use, exclusion, breach of
confidentiality, disclosure, exposure, increased accessibility,
blackmail, appropriation, distortion, intrusion and decisional
interference. Solove's goal is to provide a coherent and comprehensive
understanding of what is traditionally an elusive and hard-to-explain
concept: privacy violations. (This taxonomy is also discussed in
Solove's book, Understanding Privacy.)
Orin Kerr, also a law professor at George Washington University, and a
blogger at Volokh Conspiracy, has attempted to lay out general
principles for applying the Fourth Amendment to the internet. First, he
points out that the traditional inside/outside distinction -- the police
can watch you in a public place without a warrant, but not in your home
-- doesn't work very well with regard to cyberspace. Instead, he
proposes a distinction between content and non-content information: the
body of an e-mail versus the header information, for example. The police
should be required to get a warrant for the former, but not for the
latter. Second, he proposes that search warrants should be written for
particular individuals and not for particular internet accounts.
Meanwhile, Jed Rubenfeld of Yale Law School has tried to reinterpret the
Fourth Amendment not in terms of privacy, but in terms of security.
Pointing out that the whole "expectations" test is circular -- what the
government does affects what the government can do -- he redefines
everything in terms of security: the security that our private affairs
are private.
This security is violated when, for example, the government makes
widespread use of informants, or engages in widespread eavesdropping --
even if no one's privacy is actually violated. This neatly bypasses the
whole individual privacy versus societal security question -- a
balancing that the individual usually loses -- by framing both sides in
terms of personal security.
I have issues with all of these articles. Solove's taxonomy is
excellent, but the sense of outrage that accompanies a privacy violation
-- "How could they know/do/say that!?" -- is an important part of the
harm resulting from a privacy violation. The non-content information
that Kerr believes should be collectible without a warrant can be very
private and personal: URLs can be very personal, and it's possible to
figure out browsed content just from the size of encrypted SSL traffic.
Also, the ease with which the government can collect all of it -- the
calling and called party of every phone call in the country -- makes the
balance very different. I believe these need to be protected with a
warrant requirement. Rubenfeld's reframing is interesting, but the devil
is in the details. Reframing privacy in terms of security still results
in a balancing of competing rights. I'd rather take the approach of
stating the -- obvious to me -- individual and societal value of
privacy, and giving privacy its rightful place as a fundamental human
right. (There's additional commentary on Rubenfeld's thesis at ArsTechnica.)
The trick here is to realize that a normative definition of the
expectation of privacy doesn't need to depend on threats or technology,
but rather on what we -- as society -- decide it should be. Sure,
today's technology makes it easier than ever to violate privacy. But it
doesn't necessarily follow that we have to violate privacy. Today's guns
make it easier than ever to shoot virtually anyone for any reason. That
doesn't mean our laws have to change.
No one knows how this will shake out legally. These three articles are
from law professors; they're not judicial opinions. But clearly
something has to change, and ideas like these may someday form the basis
of new Supreme Court decisions that bring legal notions of privacy into
the 21st century.
A copy of this essay, with all embedded links, is here:
http://www.schneier.com/blog/archives/2009/03/privacy_and_the_1.html
This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2009/03/s…
or http://tinyurl.com/dh3xg5
** *** ***** ******* *********** *************
Schneier News
I was interviewed on Federal News Radio about insider threats:
http://www.federalnewsradio.com/index.php?nid=56&sid=1632741
I'm speaking at the Taiwan Information Security Center on April 17 in
Taipei:
http://forum.twisc.ncku.edu.tw/dm.html
I'll be on the Cryptographers' Panel at the RSA Conference on April 21
in San Francisco:
http://www.rsaconference.com/2009/US/Home.aspx
I'll be the keynote speaker at the IPSI Research Symposium on May 6 in
Toronto:
http://www.ipsi.utoronto.ca/events/IPSI_Research_Symposium_2009.htm
I'm speaking at the International Workshop on Coding and Cryptography on
May 12 in Lofthus, Norway:
http://www.selmer.uib.no/WCC2009/callWCC2009.pdf
I'm giving the keynote speech on Day 2 of the European OWASP Application
Security Conference, May 14 in Krakow, Poland:
http://www.owasp.org/index.php/AppSecEU09
And I'm giving the keynote speech at CONfidence on May 15 in Krakow, Poland:
http://2009.confidence.org.pl/
** *** ***** ******* *********** *************
The Definition of "Weapon of Mass Destruction"
At least, according to U.S. law:
18 U.S.C. 2332a
(2) the term "weapon of mass destruction" means --
(A) any destructive device as defined in section 921
of this title;
(B) any weapon that is designed or intended to cause
death or serious bodily injury through the release, dissemination, or impact
of toxic or poisonous chemicals, or their precursors;
(C) any weapon involving a biological agent, toxin,
or vector (as those terms are defined in section 178 of this title); or
(D) any weapon that is designed to release radiation
or radioactivity at a level dangerous to human life;
18 U.S.C. 921
(4) The term "destructive device" means--
(A) any explosive, incendiary, or poison gas--
(i) bomb,
(ii) grenade,
(iii) rocket having a propellant charge of
more than four ounces,
(iv) missile having an explosive or
incendiary charge of more than one-quarter ounce,
(v) mine, or
(vi) device similar to any of the devices
described in the preceding clauses;
(B) any type of weapon (other than a shotgun or a
shotgun shell which the Attorney General finds is generally recognized as
particularly suitable for sporting purposes) by whatever name known which
will, or which may be readily converted to, expel a projectile by the action
of an explosive or other propellant, and which has any barrel with a bore
of more than one-half inch in diameter; and
(C) any combination of parts either designed or
intended for use in converting any device into any destructive device
described in subparagraph (A) or (B) and from which a destructive device may
be readily assembled.
The term "destructive device" shall not include any device which is
neither designed nor redesigned for use as a weapon; any device,
although originally designed for use as a weapon, which is redesigned
for use as a signaling, pyrotechnic, line throwing, safety, or similar
device; surplus ordnance sold, loaned, or given by the Secretary of the
Army pursuant to the provisions of section 4684 (2), 4685, or 4686 of
title 10; or any other device which the Attorney General finds is not
likely to be used as a weapon, is an antique, or is a rifle which the
owner intends to use solely for sporting, recreational or cultural purposes.
This is a very broad definition, and one that involves the intention of
the weapon's creator as well as the details of the weapon itself.
In an e-mail, Ohio State University Professor John Mueller commented to
me:
"As I understand it, not only is a grenade a weapon of mass destruction,
but so is a maliciously-designed child's rocket even if it doesn't have
a warhead. On the other hand, although a missile-propelled firecracker
would be considered a weapon of mass destruction if its designers had
wanted to think of it as a weapon, it would not be so considered if it
had previously been designed for use as a weapon and then redesigned for
pyrotechnic use or if it was surplus and had been sold, loaned, or given
to you (under certain circumstances) by the Secretary of the Army.
"It also means that we are coming up on the 25th anniversary of the
Reagan administration's long-misnamed WMD-for-Hostages deal with Iran.
"Bad news for you, though. You'll have to amend that line you like
using in your presentations about how all WMD in all of history have
killed fewer people than OIF (or whatever), since all artillery, and
virtually every muzzle-loading military long arm for that matter,
legally qualifies as a WMD. It does make the bombardment of Ft. Sumter
all the more sinister. To say nothing of the revelation that The Star
Spangled Banner is in fact an account of a WMD attack on American shores."
Amusing, to be sure, but there's something important going on. The U.S.
government has passed specific laws about "weapons of mass destruction,"
because they're particularly scary and damaging. But by generalizing
the definition of WMDs, those who write the laws greatly broaden their
applicability. And I have to wonder how many of those who vote in favor
of the laws realize how general they really are, or -- if they do know
-- vote for them anyway because they can't be seen to be "soft" on WMDs.
It reminds me of those provisions of the USA PATRIOT Act -- and other
laws -- that created police powers to be used for "terrorism and other
crimes."
Prosecutions based on this unreasonable definition:
http://www.ph2dot1.com/2008/04/wmd-arent-what-they-used-to-be.html
** *** ***** ******* *********** *************
Stealing Commodities
Before his arrest, Tom Berge stole lead roof tiles from several
buildings in south-east England, including the Honeywood Museum in
Carshalton, the Croydon parish church, and the Sutton high school for
girls. He then sold those tiles to scrap metal dealers.
As a security expert, I find this story interesting for two reasons.
First, amongst increasingly ridiculous attempts to ban, or at least
censor, Google Earth, lest it help the terrorists, here is an actual
crime that relied on the service: Berge needed Google Earth for
reconnaissance.
But more interesting is the discrepancy between the value of the lead
tiles to the original owner and to the thief. The Sutton school had to
spend £10,000 to buy new lead tiles; the Croydon Church had to repair
extensive water damage after the theft. But Berge only received £700 a
ton from London scrap metal dealers.
This isn't an isolated story; the same dynamic is in play with other
commodities as well.
There is an epidemic of copper wiring thefts worldwide; copper is being
stolen out of telephone and power stations--and off poles in the
streets--and thieves have killed themselves because they didn't
understand the dangers of high voltage. Homeowners are returning from
holiday to find the copper pipes stolen from their houses. In 2001,
scrap copper was worth 70 cents per pound. In April 2008, it was worth $4.
Gasoline siphoning became more common as pump prices rose. And used
restaurant grease, formerly either given away or sold for pennies to
farmers, is being stolen from restaurant parking lots and turned into
biofuels. Newspapers and other recyclables are stolen from curbs, and
trees are stolen and resold as Christmas trees.
Iron fences have been stolen from buildings and houses, manhole covers
have been stolen from the middle of streets, and aluminum guard rails
have been stolen from roadways. Steel is being stolen for scrap, too. In
2004 in Ukraine, thieves stole an entire steel bridge.
These crimes are particularly expensive to society because the
replacement cost is much higher than the thief's profit. A manhole cover
is worth $5-$10 as scrap, but it costs $500 to replace, including labor.
A thief may take $20 worth of copper from a construction site, but do
$10,000 in damage in the process. And even if the thieves don't get to
the copper or steel, the increased threat means more money being spent
on security to protect those commodities in the first place.
Security can be viewed as a tax on the honest, and these thefts
demonstrate that our taxes are going up. And unlike many taxes, we don't
benefit from their collection. The cost to society of retrofitting
manhole covers with locks, or replacing them with less resalable
alternatives, is high; but there is no benefit other than reducing theft.
These crimes are a harbinger of the future: evolutionary pressure on our
society, if you will. Criminals are often referred to as social
parasites; they leech off society but provide no useful benefit. But
they are an early warning system of societal changes. Unfettered by laws
or moral restrictions, they can be the first to respond to changes that
the rest of society will be slower to pick up on. In fact, currently
there's a reprieve. Scrap metal prices are all down from last
year's--copper is currently $1.62 per pound, and lead is half what Berge
got--and thefts are down along with them.
We've designed much of our infrastructure around the assumptions that
commodities are cheap and theft is rare. We don't protect transmission
lines, manhole covers, iron fences, or lead flashing on roofs. But if
commodity prices really are headed for new higher stable points, society
will eventually react and find alternatives for these items--or find
ways to protect them. Criminals were the first to point this out, and
will continue to exploit the system until it restabilizes.
A copy of this essay, with all embedded links, is here:
http://www.schneier.com/blog/archives/2009/04/stealing_commod.html
A version of this essay originally appeared in The Guardian.
http://www.guardian.co.uk/technology/2009/apr/02/google-earth-censorship-cr…
or http://tinyurl.com/coo59n
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Phelix, and Skein algorithms. He is the Chief Security Technology
Officer of BT BCSG, and is on the Board of Directors of the Electronic
Privacy Information Center (EPIC). He is a frequent writer and lecturer
on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2009 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://www.mises.org/fullstory.asp?control=1489
What Brought on the French Revolution?
By H.A. Scott Trask
[Posted April 9, 2004]
No matter how much the American economy grows during the next decade, the
government will have serious trouble funding expanding entitlements,
increased education spending, and ongoing wars in the Middle East, while
maintaining a global military constabulary and presence everywhere.
Something has to give. No matter how one crunches the numbers, a crisis is
looming, and Americans are bound to see their standard of living fall and
their global empire collapse.
It has happened before. Consider that seminal and catastrophic event that
inaugurated the era of mass politics, bureaucratic centralism, and the
ideological state: the French Revolution. It is a large and complex event
worthy of a Gibbon, but it may not have happened at all if the French
monarchy had balanced its budget.
While the causes of the Revolution are many, the cause of the crisis that
brought on the Revolution is not. It was a fiscal and credit crisis that
weakened the authority and confidence of the monarchy so much that it
thought it had to convene a defunct political assembly before it had safely
carried out a successful program of liberal constitutional and free market
reform. It would be as if the American federal government called a
constitutional convention with an open agenda and hoped that all would go
smoothly. The Estates General lasted only a little over a month before the
leaders of the Third Estate (the bourgeoisie, artisans, and peasantry)
transformed it into a National Assembly and took political power from the
monarchy. The Revolution was on.
Revisionist historians have challenged the standard interpretation of
pre-revolutionary France as a country with a stagnant economy, an oppressed
peasantry, a shackled bourgeoisie, and an archaic political structure. In
Citizens (1989), Simon Schama describes France under Louis XVI as a rapidly
modernizing nation with entrepreneurial nobles, a reform-minded monarchy,
nascent industrialization, growing commerce, scientific progress, and
energetic intendants (royal administrators in the provinces).
Moreover, Montesquieu was in vogue; the English mixed constitution was the
cynosure of political reform, and the economic philosophy of physiocracy,
with its belief in economic law and advocacy of laissez faire, had
discredited the dogmas of state mercantilism.
In 1774, Louis XVI appointed Jacques Turgot, a Physiocrat, to be
Controller-General of Finances. Turgot believed that subsidies,
regulations, and tariffs were crippling productivity and enterprise in
France. End them, he advised the king, and business would thrive and state
revenues increase. He proposed an ambitious reform program that included
taking down internal custom barriers, lifting price controls on grain,
abolishing the guilds and the corvee (forced labor service), and devolving
political power to newly created provincial assemblies (two of which he
established). Turgot envisioned a federated France, with a chain of elected
bodies extending from the village through the provinces to some form of
national assembly.
Not surprisingly, there was both aristocratic and popular opposition to
these reforms, but what really doomed them was Turgot's inveterate
opposition to French intervention in the American War of Independence. Many
were still stewing over the humiliating and catastrophic defeat suffered by
France in the Seven Years' War (1756-1763). The country had lost her North
American possessions (Quebec, Louisiana) and all of French India, except
two trading stations. The foreign minister (Vergennes) calculated that by
helping the Americans gain their independence they could weaken the British
Empire, gain revenge, and restore France's previous position as one of the
world's two superpowers.
Turgot argued perceptively that another war with England would derail his
reform program, bankrupt the state, and, even if successful, do little to
weaken British power. "The first gunshot will drive the state to
bankruptcy," he warned the king. It was to no avail. International power
politics and considerations of national prestige took precedence over
domestic reform, and the king dismissed him in May 1776. He would be proved
right on all three points.
The French began covertly supplying war material to the rebellious
colonists in 1777, and in 1778 they signed a treaty of alliance with the
Americans. Throughout the war, they supplied hard money loans, and
underwrote others for the purchase of war supplies in Europe. In 1780, they
landed a 5,000-man army in Rhode Island. In 1781, the French navy blockaded
Lord Cornwallis's army at Yorktown.
Turgot's successor Jacques Necker, a Swiss banker, financed these
expenditures almost entirely through loans. Although successful, France's
intervention cost 1.3 billion livres and almost doubled her national debt.
Schama writes, "No state with imperial pretensions has, in fact, ever
subordinated what it takes to be irreducible military interests to the
considerations of a balanced budget. And like apologists for military force
in twentieth-century America," imperialists "in eighteenth century France
pointed to the country's vast demographic and economic reserves and a
flourishing economy to sustain the burden." Even more, they claimed that
prosperity was "contingent on such military expenditures, both directly in
naval bases like Brest and Toulon, and indirectly in the protection it gave
to the most rapidly expanding sector of the economy." Plus ça change, plus
c'est la même chose: the more things change, the more they stay the same.
Necker was neither a financial profligate nor an ultra royalist. He was
simply financing a war that the government deemed to be in the national
interest. During the conflict, he held down royal expenditures at home,
eliminated many sinecures, published a national budget in 1781, and
proposed the formation of a third provincial assembly. However, when his
request to join the royal council (as a Protestant, he was barred) was
rejected, he resigned. His immediate successor, Joly de Fleury, restored
many of the offices he had eliminated.
Upon the return of peace with the signing of the Treaty of Paris (1783),
the monarchy had another opportunity to institute economic, financial, and
political reforms, but it squandered it. Just as with the first Bush
administration after the Cold War, there would be no peace dividend. The
government was determined to exploit the vacuum created by British defeat
to restore French imperial power. Their global strategy was to maintain a
standing army of 150,000 men to defend the borders and preserve the balance
of power on the Continent while building up a transoceanic navy capable of
challenging the British in all the world's oceans. What is more, the new
Controller General, Calonne, made no effort to restrain domestic or court
spending. The result was a peacetime spending spree, chronic budget
deficits, and the addition of 700 million livres to the national debt. By
1788, debt service alone would absorb fifty percent of annual revenue. It
was guns and butter, French style. Today we are savoring it, Texas style.
In a few years, Calonne was faced with an imminent fiscal catastrophe. The
annual deficit in 1786 was projected to be 112 million livres, and the
American war loans would begin falling due the next year. Action was
imperative. Such was the power of liberal and federalist ideas in France
that Calonne summoned the Physiocrat Dupont de Nemours, a former Turgot
associate, to advise him. Meanwhile, with their blessing, the foreign
minister, Vergennes, signed a free trade agreement with Great Britain
(1786). With the help of Nemours, Calonne proposed the following measures
to open up the French economy: the deregulation of the domestic grain
trade, the dismantling of internal custom barriers, and commuting the
corvee into a public works tax. To raise a regular and equitable revenue,
he suggested a "territorial subvention" (i.e., a direct tax levied on all
landowners, without exception, to be assessed and levied by representative
provincial assemblies).
Calonne remembered the mistake Turgot had made ten years before. He had
relied exclusively on royal authority to enact his program and in so doing
had antagonized the nobility who did not like being presented with a fait
accompli. To avoid a similar fate, Calonne suggested the summoning of an
Assembly of Notables for early 1787 to consider, modify, and sanction the
reforms before they were sent to the Parlement of Paris for registration
(making them law). The king approved Calonne's whole program in December
1786. Here was the last chance for the monarchy to institute a program of
decentralist constitutional and liberal economic reform that would free the
economy, solve the fiscal crisis, transmute absolutism into
constitutionalism, and avert an impending political cataclysm.
Alas, as excellent and necessary as were Calonne's reforms, he was not the
right man to see them through. He was deeply unpopular for his lavish court
spending and for using his office to cultivate various corrupt stock
schemes. The nobility did not trust him, and the people despised him.
Recognizing he was a liability, the king dismissed him and appointed
Lomenie de Brienne in his stead. Brienne was a high noble, a Notable, and a
reformer. The Assembly was supportive of all the reforms, except the taxes.
Here they balked. Before they would give their sanction to new taxes, they
wanted the king to publish an annual budget and to agree to a permanent
commission of auditors.
Their concern was obvious. Why should they agree to changes that would
increase royal revenue if they had no way of monitoring royal expenses to
see if those funds were being prudently spent? Now the king balked. He
thought the proposals an infringement on his prerogatives over the finances
and the budget. He vetoed them. It was a grievous error, but typical of the
vacillating mind of the king and the intellectual fetters of an absolutist
political tradition.
The Parlement of Paris duly registered the decrees freeing the grain trade,
commuting the corvee, and setting up the provincial assemblies, but they
would not register the stamp duty or the land tax. They claimed that only
the Estates General, the medieval representative assembly of the three
estates of the kingdom (clergy, nobility, and commons) that had last met in
1614, could approve the taxes. The nobles were gambling that Louis would
never dare call for an assembly of the Estates. It was a clever stratagem
for defeating the tax proposals without incurring the popular odium for
doing so. The nobility and clergy would not give up their tax exemptions
nor grant the monarchy a potentially inexhaustible new source of revenue
without a share of political power. An unforeseen consequence was to create
a popular expectation for the reconvening of the Estates. This time the
nobility erred.
If the monarchy had not been so pressed for funds to stave off bankruptcy,
they could have declared the registered edicts a victory for reform and
waited for another day to deal with taxes. Not having that luxury, Brienne
and the king panicked. They decided to resort to the weapons of royal
absolutism to force through the tax reforms. They issued lits de justice
declaring the new taxes to be law by royal will. Second, they exiled the
recalcitrant Parlement to Troyes. The public outcry and institutional
resistance to these tyrannical measures was such that the monarchy had to
back down. The king recalled the Parlement and withdrew the lits de justice.
Brienne now requested that the Parlement register new royal loans to stave
off bankruptcy. It did so, but it again called for the re-convening of the
Estates General. It also attempted to establish its new position as a de
facto parliament. It declared that royal decrees were not law unless duly
registered by the parlements and denied the constitutionality of both lits
de justice and lettres de cachet (royal arrest warrants). The king and
Brienne believed that the future of royal absolutism was at stake, so they
responded with force. They surrounded the Parlement with troops. The king
stripped it of its powers of remonstrance and registry, and he invested
those powers in a new Plenary Court to be appointed by him.
The May coup turned both the nobility and the clergy against the Crown,
excited civil protest and unrest, and created a political crisis to match
the seriousness of the fiscal crisis. Once again, a foolish attempt to
preserve inviolate the senescent institutions of absolutism had failed. By
August 1788, the monarchy was bankrupt and without credit. It could borrow
new funds neither in Paris nor Amsterdam. Brienne had no choice but to
resign. The king recalled Necker, who was the one man who had the
confidence of investors, was trusted by the nobility, and popular among the
masses. The king also summoned the Estates General to meet in May 1789.
The people would assemble by order in local assemblies and elect delegates.
The electorate would comprise over six million Frenchmen. Schama calls it
"the most numerous experiment in political representation attempted
anywhere in the world." By tradition, the assemblies could draw up a list
of grievances and requests which their representatives would take with them
to Versailles. They would carry 25,000 of them. Students are taught that
the nobility and clergy were determined to preserve the old order, the
ancien regime, with most of their privileges intact, and admit only a
modicum of change, while the Third Estate demanded a transformed France in
which the watchwords would be liberty, progress, and modernity.
The truth is almost precisely the opposite. The majority of the nobility
envisioned a France that was rational, liberal, and constitutional. They
were willing to surrender their tax exemptions and seigniorial dues. They
called for the abolition of lettres de cachet and all forms of censorship;
they wanted an Anglo-Saxon style bill of rights with constitutional
protection for civil liberties. They recommended financial reforms: a
published national budget, the abolition of the sale of government offices,
and an end to tax farming. They also urged the abolition of the trade
guilds and the suppression of internal custom barriers.
While many of these recommendations are found in the cahiers of the Third
Estate, they are eclipsed by material concerns: understandable complaints
about the high price of bread, the game laws, the gabelle (the salt tax),
and the depredations of the tax collectors. There are also numerous
criticisms of recent reforms, such as the free trade agreement with
England, the lifting of price controls on grain, agricultural enclosures,
and the granting of civil rights to Protestants.
In short, the voice of the Third Estate was largely one of reaction, and
while they wanted fewer taxes they wanted more government. According to
Schama, "much of the anger firing revolutionary violence arose from
hostility towards that modernization, rather than from impatience with the
speed of its progress."
If only the French elites had reformed. There would have been no Terror, no
Napoleon, no centralizing, statist revolution.
The Third Estate had some liberal merchants and innovative industrialists,
but it had many more urban artisans and peasants. The latter believed they
were getting the shaft and that the nobility and clergy, as well as the
wealthy members of their own estate, were to blame. They wanted price
controls reimposed on grain, restrictions put on its exportation, the
prohibition of foreign manufactures, and the punishment of "speculators"
and "hoarders." They found leaders among lawyer intellectuals of their own
estate, and some visionary members of the others, who spoke in a charged
language of grievance, polarity, and combat. Knowing little and caring less
about economic liberty or federal constitutionalism, they spoke of patriots
versus traitors, citizens versus aristocrats, virtue versus vice, the
nation assailed by its enemies. They offered the masses panaceas for their
plight, villains to blame, and promises that the possession of political
power would heave in the dikes of privilege and unleash the fountains of
wealth.
Schama correctly deduces that it was the politicization of the masses that
"turned a political crisis into a full-blooded revolution." Once the vast
Third Estate was told that they were the nation and that a "true national
assembly would, by virtue of its higher moral quality, its common
patriotism, provide satisfaction, they were given a direct stake in sweeping
institutional change." The abbe Sieyes' pamphlet What is the Third Estate?
appeared in January 1789 and would be to the French Revolution what Thomas
Paine's Common Sense (1776) had been to the American. By the time the
Estates General convened in May, the masses and leading intellectuals
regarded the continued existence of separate social orders with their own
institutional representation not only as an obstacle to reform, but as
unpatriotic, even treasonous. When the Estates General metastasized into
the National Assembly in June 1789, it was the onset of a radical
revolution. Liberty would not fare well on the guillotine.
Through 1788 and into 1789 the gods seemed to be conspiring to bring on a
popular revolution. A spring drought was followed by a devastating hail
storm in July. Crops were ruined. There followed one of the coldest winters
in French history. Grain prices skyrocketed. Even in the best of times, an
artisan or factor might spend 40 percent of his income on bread. By the end
of the year, 80 percent was not unusual. "It was the connection of anger
with hunger that made the Revolution possible," observed Schama. It was
also envy that drove the Revolution to its violent excesses and destructive
reform.
Take the Reveillon riots of April 1789. Reveillon was a successful Parisian
wall-paper manufacturer. He was not a noble but a self-made man who had
begun as an apprentice paper worker but now owned a factory that employed
400 well-paid operatives. He exported his finished products to England (no
mean feat). The key to his success was technical innovation, machinery, the
concentration of labor, and the integration of industrial processes, but
for all these the artisans of his district saw him as a threat to their
jobs. When he spoke out in favor of the deregulation of bread distribution
at an electoral meeting, an angry crowd marched on his factory, wrecked
it, and ransacked his home.
From thenceforth, the Paris mob would be the power behind the Revolution.
Economic science would not fare well. According to Jean Baptiste Say, "The
moment there was any question in the National Assembly of commerce or
finances, violent invectives could be heard against the economists." That
is what happens when political power is handed over to
pseudo-intellectuals, lawyers, and the mob.
The exponents of the rationalistic Enlightenment had stood for a
constitutional monarchy, a liberal economic and legal order, scientific
progress, and a competent administration. According to Schama, "They were
heirs to the reforming ethos of Louis XVI's reign, and authentic predictors
of the 'new notability' to emerge after the Revolution had run its course.
Their language was reasonable and their tempers cool. What they had in mind
was a nation vested, through its representatives, with the power to strip
away the obstructions to modernity. Such a state . . . would not wage war
on the France of the 1780s but consummate its promise."
If only the French elites could have agreed on a course of reform along
these lines, there would have been no Terror, no Napoleon, no centralizing,
statist revolution. And it was the pressing financial crisis, brought on by
deficit spending to fund a global empire that in the end frustrated the
kind of evolutionary political and economic liberalization that is the true
road of civilized progress.
__________________________
Historian Scott Trask is an adjunct scholar of the Mises Institute
(hstrask(a)highstream.net). See his article archive at
http://www.mises.org/articles.asp?mode=a&author=Trask. Discuss this article
on the blog at http://www.mises.org/blog.
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
-------- Original Message --------
Subject: New NSA Spying Map and White Paper
Date: Tue, 31 Jan 2006 17:06:48 -0500
From: Barry Steinhardt <bsteinhardt(a)aclu.org>
To: dave(a)farber.net
Dave,
The IP list may be interested in a new ACLU white paper and
interactive map detailing what is known and suspected about how the
NSA's illegal spying on Americans occurs and where the interceptions
are likely taking place. The white paper is entitled "Eavesdropping 101:
What Can the NSA Do?" It looks at the probable connections that
the NSA has made to the U.S. civilian communications
infrastructure.
The map shows how the NSA's "surveillance octopus" likely entangles the
country. We believe it is the
first effort to visually illustrate what is happening.
You can find both the white paper and the map at
http://www.aclu.org/safefree/nsaspying/23989res20060131.html
A complete range of materials can be found at http://www.nsawatch.org.
Barry Steinhardt
Director
Technology and Liberty Project
American Civil Liberties Union (ACLU)
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
CRYPTO-GRAM
April 15, 2009
by Bruce Schneier
Chief Security Technology Officer, BT
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0904.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Fourth Annual Movie-Plot Threat Contest
Who Should be in Charge of U.S. Cybersecurity?
News
Privacy and the Fourth Amendment
Schneier News
The Definition of "Weapon of Mass Destruction"
Stealing Commodities
Comments from Readers
** *** ***** ******* *********** *************
Fourth Annual Movie-Plot Threat Contest
Let's face it, the War on Terror is a tired brand. There just isn't
enough action out there to scare people. If this keeps up, people will
forget to be scared. And then both the terrorists and the
terror-industrial complex lose. We can't have that.
We're going to help revive the fear. There's plenty to be scared about,
if only people would just think about it in the right way. In this
Fourth Movie-Plot Threat Contest, the object is to find an existing
event somewhere in the industrialized world -- Third World events are
just too easy -- and provide a conspiracy theory to explain how the
terrorists were really responsible.
The goal here is to be outlandish but plausible, ridiculous but
possible, and -- if it were only true -- terrifying. Entries should
be formatted as a news story, and are limited to 150 words (I'm going to
check this time) because fear needs to be instilled in a population with
short attention spans. Submit your entry, by the end of the month, in
comments to the blog post.
Submit your entry here:
http://www.schneier.com/blog/archives/2009/04/fourth_annual_m.html
An example from The Onion:
http://www.theonion.com/content/cartoon/feb-23-2009
The First Movie-Plot Threat Contest:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html
http://www.schneier.com/blog/archives/2006/06/movieplot_threa_1.html
The Second Movie-Plot Threat Contest:
http://www.schneier.com/blog/archives/2007/04/announcing_seco.html
http://www.schneier.com/blog/archives/2007/06/second_annual_m.html
http://www.schneier.com/blog/archives/2007/06/second_movieplo.html
The Third Movie-Plot Threat Contest:
http://www.schneier.com/blog/archives/2008/04/third_annual_mo.html
http://www.schneier.com/blog/archives/2008/05/third_annual_mo_2.html
http://www.schneier.com/blog/archives/2008/05/third_annual_mo_1.html
** *** ***** ******* *********** *************
Who Should be in Charge of U.S. Cybersecurity?
U.S. government cybersecurity is an insecure mess, and fixing it is
going to take considerable attention and resources. Trying to make sense
of this, President Barack Obama ordered a 60-day review of government
cybersecurity initiatives. Meanwhile, the U.S. House Subcommittee on
Emerging Threats, Cybersecurity, Science and Technology is holding
hearings on the same topic.
One of the areas of contention is who should be in charge. The FBI, DHS
and DoD -- specifically, the NSA -- all have interests here. Earlier
this month, Rod Beckstrom resigned from his position as director of the
DHS's National Cybersecurity Center, warning of a power grab by the NSA.
Putting national cybersecurity in the hands of the NSA is an incredibly
bad idea. An entire parade of people, ranging from former FBI director
Louis Freeh to Microsoft's Trusted Computing Group Vice President and
former Justice Department computer crime chief Scott Charney, have told
Congress the same thing at this month's hearings.
Cybersecurity isn't a military problem, or even a government problem --
it's a universal problem. All networks, military, government, civilian
and commercial, use the same computers, the same networking hardware,
the same Internet protocols and the same software packages. We all are
the targets of the same attack tools and tactics. It's not even that
government targets are somehow more important; these days, most of our
nation's critical IT infrastructure is in commercial hands.
Government-sponsored Chinese hackers go after both military and civilian
targets.
Some have said that the NSA should be in charge because it has
specialized knowledge. Earlier this month, Director of National
Intelligence Admiral Dennis Blair made this point, saying "There are
some wizards out there at Ft. Meade who can do stuff." That's probably
not true, but if it is, we'd better get them out of Ft. Meade as soon as
possible -- they're doing the nation little good where they are now.
Not that government cybersecurity failings require any specialized
wizardry to fix. GAO reports indicate that government problems include
insufficient access controls, a lack of encryption where necessary, poor
network management, failure to install patches, inadequate audit
procedures, and incomplete or ineffective information security programs.
These aren't super-secret NSA-level security issues; these are the same
managerial problems that every corporate CIO wrestles with.
We've all got the same problems, so solutions must be shared. If the
government has any clever ideas to solve its cybersecurity problems,
certainly a lot of us could benefit from those solutions. If it has an
idea for improving network security, it should tell everyone. The best
thing the government can do for cybersecurity world-wide is to use its
buying power to improve the security of the IT products everyone uses.
If it imposes significant security requirements on its IT vendors, those
vendors will modify their products to meet those requirements. And those
same products, now with improved security, will become available to all
of us as the new standard.
Moreover, the NSA's dual mission of providing security and conducting
surveillance means it has an inherent conflict of interest in
cybersecurity. Inside the NSA, this is called the "equities issue."
During the Cold War, it was easy; the NSA used its expertise to protect
American military information and communications, and eavesdropped on
Soviet information and communications. But what happens when both the
good guys the NSA wants to protect, and the bad guys the NSA wants to
eavesdrop on, use the same systems? They all use Microsoft Windows,
Oracle databases, Internet email, and Skype. When the NSA finds a
vulnerability in one of those systems, does it alert the manufacturer
and fix it -- making both the good guys and the bad guys more secure? Or
does it keep quiet about the vulnerability and not tell anyone -- making
it easier to spy on the bad guys but also keeping the good guys
insecure? Programs like the NSA's warrantless wiretapping program have
created additional vulnerabilities in our domestic telephone networks.
Testifying before Congress earlier this month, former DHS National Cyber
Security division head Amit Yoran said "the intelligence community has
always and will always prioritize its own collection efforts over the
defensive and protection mission of our government's and nation's
digital systems."
Maybe the NSA could convince us that it's putting cybersecurity first,
but its culture of secrecy will mean that any decisions it makes will be
suspect. Under current law, extended by the Bush administration's
extravagant invocation of the "state secrets" privilege when charged
with statutory and constitutional violations, the NSA's activities are
not subject to any meaningful public oversight. And the NSA's tradition
of military secrecy makes it harder for it to coordinate with other
government IT departments, most of which don't have clearances, let
alone coordinate with local law enforcement or the commercial sector.
We need transparent and accountable government processes, using
commercial security products. We need government cybersecurity programs
that improve security for everyone. The NSA certainly has an advisory
and a coordination role in national cybersecurity, and perhaps a more
supervisory role in DoD cybersecurity -- both offensive and defensive --
but it should not be in charge.
A copy of this essay, with all embedded links, is here:
http://www.schneier.com/blog/archives/2009/04/who_should_be_i.html
A version of this essay appeared on The Wall Street Journal website.
http://online.wsj.com/article/SB123844579753370907.html
** *** ***** ******* *********** *************
News
Privacy in Google Latitude: good news.
http://blog.wired.com/business/2009/03/googles-latitud.html
Leaving infants in the car. It happens, and sometimes they die.
http://www.schneier.com/blog/archives/2009/03/leaving_infants.html
Interesting piece of cryptographic history: a cipher designed by Robert
Patterson and sent to Thomas Jefferson in 1801.
http://www.schneier.com/blog/archives/2009/03/1801_cipher_sol.html
The Bayer company is refusing to talk about a fatal accident at a West
Virginia plant, citing a 2002 terrorism law.
http://pubs.acs.org/cen/news/87/i11/8711news6.html
The meeting has been rescheduled. No word on how forthcoming Bayer will be.
http://www.csb.gov/index.cfm?folder=news_releases&page=news&NEWS_ID=461
or http://tinyurl.com/cckma9
Research on fingerprinting paper:
http://www.freedom-to-tinker.com/blog/felten/fingerprinting-blank-paper-usi…
or http://tinyurl.com/djvdkz
http://citp.princeton.edu/pub/paper09oak.pdf
Blowfish on the television series 24, again:
http://www.schneier.com/blog/archives/2009/03/blowfish_on_24_1.html
Interesting analysis of why people steal rare books.
http://www.ft.com/cms/s/2/d41a83d6-09dc-11de-add8-0000779fd2ac.html
Last month, I linked to a catalog of NSA video courses from 1991.
Here's an update, with new information (the FOIA redactions were appealed).
http://www.governmentattic.org/2docs/NSA_TV_Center_Catalog_1991-Update.pdf
or http://tinyurl.com/d2ds68
You just can't make this stuff up: a UK bomb squad is called in because
someone saw a plastic replica of the Holy Hand Grenade of Antioch, from
the movie Monty Python and the Holy Grail.
http://www.schneier.com/blog/archives/2009/03/holy_hand_grena.html
Interesting research in explosives detection.
http://www.aip.org/press_release/detecting_explosives.html
A Psychology Today article on fear and the availability heuristic:
http://blogs.psychologytoday.com/blog/the-narcissus-in-all-us/200903/mass-m…
or http://tinyurl.com/c8mkzm
From Kentucky: I think this is the first documented case of election
fraud in the U.S. using electronic voting machines (there have been lots
of documented cases of errors and voting problems, but this one involves
actual maliciousness). Lots of details; well worth reading.
http://www.schneier.com/blog/archives/2009/03/election_fraud.html
Sniffing keyboard keystrokes with a laser:
http://news.zdnet.com/2100-9595_22-280184.html
Where you stand matters in surviving a suicide bombing.
http://www.sciencedaily.com/releases/2009/03/090323161125.htm
Presumably they also discovered where the attacker should stand to be as
lethal as possible, but there's no indication they published those results.
An impressive solar plasma movie-plot threat.
http://www.newscientist.com/article/mg20127001.300-space-storm-alert-90-sec…
or http://tinyurl.com/c3xphd
Security fears drive Iran to Linux:
http://www.theage.com.au/articles/2004/09/21/1095651288238.html
A gorilla detector, from Muppet Labs.
http://www.youtube.com/watch?v=4QrelL9fOjY
Bob Blakley makes an interesting point about what he calls "the zone of
essential risk": "if you conduct medium-sized transactions rarely,
you're in trouble. The transactions are big enough so that you care
about losses, you don't have enough transaction volume to amortize those
losses, and the cost of insurance or escrow is high enough compared to
the value of your transactions that it doesn't make economic sense to
protect yourself."
http://notabob.blogspot.com/2009/03/zone-of-essential-risk.html
Massive Chinese espionage network discovered:
http://www.schneier.com/blog/archives/2009/03/massive_chinese.html
Thefts at the Museum of Bad Art:
http://en.wikipedia.org/wiki/Museum_Of_Bad_Art
Be sure to notice the camera:
http://en.wikipedia.org/wiki/File:MOBAcamera.JPG
Here's a story about a very expensive series of false positives. The
German police spent years and millions of dollars tracking a mysterious
killer whose DNA had been found at the scenes of six murders. Finally
they realized they were tracking a worker at the factory that assembled
the prepackaged swabs used for DNA testing.
http://scienceblogs.com/authority/2009/03/the_phantom_of_heilbronn_and_n.php
or http://tinyurl.com/d5cwww
This story could be used as justification for a massive DNA database.
After all, if that factory worker had his or her DNA in the database,
the police would have quickly realized what the problem was.
Identifying people using anonymous social networking data:
http://www.schneier.com/blog/archives/2009/04/identifying_peo.html
What to fear: a great rundown of the statistics.
http://www.counterpunch.org/goekler03242009.html
Crypto puzzle and NSA problem:
http://www.cryptosmith.com/archives/565
Clever social networking identity theft scams:
http://www.schneier.com/blog/archives/2009/04/social_networki.html
Police powers and the UK government in the 1980s:
http://www.schneier.com/blog/archives/2009/04/police_powers_a.html
Research into preserving P2P privacy:
http://www.physorg.com/news158419063.html
Fact-free article about foreign companies hacking the U.S. power grid
suggests we panic. My guess is that it was deliberately planted by
someone looking for leverage in the upcoming budget battle.
http://www.schneier.com/blog/archives/2009/04/us_power_grid_h.html
Here's a tip: when walking around in public with secret government
documents, put them in an envelope. Don't carry them in the open where
people can read (and photograph) them.
http://www.schneier.com/blog/archives/2009/04/how_not_to_carr.html
Details of the arrests made in haste after the above disclosure:
http://www.timesonline.co.uk/tol/news/uk/article6078397.ece
It is a measure of our restored sanity that no one has called the TSA
about Tweenbots:
http://www.tweenbots.com/
How to write a scary cyberterrorism story. From Foreign Affairs, no less.
http://neteffect.foreignpolicy.com/posts/2009/04/11/writing_the_scariest_ar…
** *** ***** ******* *********** *************
Privacy and the Fourth Amendment
In the United States, the concept of "expectation of privacy" matters
because it's the constitutional test, based on the Fourth Amendment,
that governs when and how the government can invade your privacy.
Based on the 1967 Katz v. United States Supreme Court decision, this
test actually has two parts. First, the government's action can't
contravene an individual's subjective expectation of privacy; and
second, that expectation of privacy must be one that society in general
recognizes as reasonable. That second part isn't based on anything like
polling data; it is more of a normative idea of what level of privacy
people should be allowed to expect, given the competing importance of
personal privacy on one hand and the government's interest in public
safety on the other.
The problem is, in today's information society, that definition test
will rapidly leave us with no privacy at all.
In Katz, the Court ruled that the police could not eavesdrop on a phone
call without a warrant: Katz expected his phone conversations to be
private and this expectation resulted from a reasonable balance between
personal privacy and societal security. Given NSA's large-scale
warrantless eavesdropping, and the previous administration's continual
insistence that it was necessary to keep America safe from terrorism, is
it still reasonable to expect that our phone conversations are private?
Between the NSA's massive internet eavesdropping program and Gmail's
content-dependent advertising, does anyone actually expect their e-mail
to be private? Between calls for ISPs to retain user data and companies
serving content-dependent web ads, does anyone expect their web browsing
to be private? Between the various computer-infecting malware, and world
governments increasingly demanding to see laptop data at borders, hard
drives are barely private. I certainly don't believe that my SMSs, any
of my telephone data, or anything I say on LiveJournal or Facebook --
regardless of the privacy settings -- is private.
Aerial surveillance, data mining, automatic face recognition, terahertz
radar that can "see" through walls, wholesale surveillance, brain scans,
RFID, "life recorders" that save everything: Even if society still has
some small expectation of digital privacy, that will change as these and
other technologies become ubiquitous. In short, the problem with a
normative expectation of privacy is that it changes with perceived
threats, technology and large-scale abuses.
Clearly, something has to change if we are to be left with any privacy
at all. Three legal scholars have written law review articles that
wrestle with the problems of applying the Fourth Amendment to cyberspace
and to our computer-mediated world in general.
George Washington University's Daniel Solove, who blogs at Concurring
Opinions, has tried to capture the Byzantine complexities of modern
privacy. He points out, for example, that the following privacy
violations -- all real -- are very different: A company markets a list
of 5 million elderly incontinent women; reporters deceitfully gain entry
to a person's home and secretly photograph and record the person; the
government uses a thermal sensor device to detect heat patterns in a
person's home; and a newspaper reports the name of a rape victim. Going
beyond simple definitions such as the divulging of a secret, Solove has
developed a taxonomy of privacy, and the harms that result from their
violation.
His 16 categories are: surveillance, interrogation, aggregation,
identification, insecurity, secondary use, exclusion, breach of
confidentiality, disclosure, exposure, increased accessibility,
blackmail, appropriation, distortion, intrusion and decisional
interference. Solove's goal is to provide a coherent and comprehensive
understanding of what is traditionally an elusive and hard-to-explain
concept: privacy violations. (This taxonomy is also discussed in
Solove's book, Understanding Privacy.)
Orin Kerr, also a law professor at George Washington University, and a
blogger at Volokh Conspiracy, has attempted to lay out general
principles for applying the Fourth Amendment to the internet. First, he
points out that the traditional inside/outside distinction -- the police
can watch you in a public place without a warrant, but not in your home
-- doesn't work very well with regard to cyberspace. Instead, he
proposes a distinction between content and non-content information: the
body of an e-mail versus the header information, for example. The police
should be required to get a warrant for the former, but not for the
latter. Second, he proposes that search warrants should be written for
particular individuals and not for particular internet accounts.
Meanwhile, Jed Rubenfeld of Yale Law School has tried to reinterpret the
Fourth Amendment not in terms of privacy, but in terms of security.
Pointing out that the whole "expectations" test is circular -- what the
government does affects what the government can do -- he redefines
everything in terms of security: the security that our private affairs
are private.
This security is violated when, for example, the government makes
widespread use of informants, or engages in widespread eavesdropping --
even if no one's privacy is actually violated. This neatly bypasses the
whole individual privacy versus societal security question -- a
balancing that the individual usually loses -- by framing both sides in
terms of personal security.
I have issues with all of these articles. Solove's taxonomy is
excellent, but the sense of outrage that accompanies a privacy violation
-- "How could they know/do/say that!?" -- is an important part of the
harm resulting from a privacy violation. The non-content information
that Kerr believes should be collectible without a warrant can be very
private and personal: URLs can be very personal, and it's possible to
figure out browsed content just from the size of encrypted SSL traffic.
Also, the ease with which the government can collect all of it -- the
calling and called party of every phone call in the country -- makes the
balance very different. I believe these need to be protected with a
warrant requirement. Rubenfeld's reframing is interesting, but the devil
is in the details. Reframing privacy in terms of security still results
in a balancing of competing rights. I'd rather take the approach of
stating the -- obvious to me -- individual and societal value of
privacy, and giving privacy its rightful place as a fundamental human
right. (There's additional commentary on Rubenfeld's thesis at ArsTechnica.)
The trick here is to realize that a normative definition of the
expectation of privacy doesn't need to depend on threats or technology,
but rather on what we -- as society -- decide it should be. Sure,
today's technology makes it easier than ever to violate privacy. But it
doesn't necessarily follow that we have to violate privacy. Today's guns
make it easier than ever to shoot virtually anyone for any reason. That
doesn't mean our laws have to change.
No one knows how this will shake out legally. These three articles are
from law professors; they're not judicial opinions. But clearly
something has to change, and ideas like these may someday form the basis
of new Supreme Court decisions that bring legal notions of privacy into
the 21st century.
A copy of this essay, with all embedded links, is here:
http://www.schneier.com/blog/archives/2009/03/privacy_and_the_1.html
This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2009/03/s…
or http://tinyurl.com/dh3xg5
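The remark in the essay above that browsed content can be inferred from the size of encrypted SSL traffic is an instance of length-based traffic analysis: an observer who cannot decrypt anything still sees how many records cross the wire and how large each one is. The Python below is an added illustration and is not part of Schneier's essay or of the Crypto-Gram. The site, page names and record sizes in FINGERPRINTS are constructed for the example; a real observer would build such a table by fetching each candidate page itself and recording the encrypted lengths it sees. The padding functions go slightly beyond the essay's point to show why per-record padding is a weak countermeasure: it hides the byte lengths but not the number of records.

```python
"""
Length-based traffic analysis over an encrypted channel (added example).

Nothing here decrypts traffic. The attacker matches the sizes of encrypted
records observed on the wire against sizes recorded earlier for known pages.
"""
from collections import Counter

# Constructed fingerprint database: page path -> encrypted record sizes
# (bytes) seen when that page and its sub-resources were fetched.
# These numbers are invented for the example, not measured from a real site.
FINGERPRINTS = {
    "/index.html":         [1421, 512, 8804, 2211],
    "/diagnosis.html":     [3377, 512, 8804, 997, 15210],
    "/support-group.html": [2903, 512, 443, 7731],
    "/contact.html":       [1189, 512],
}


def distance(observed, reference):
    """Multiset symmetric difference of two size lists.

    Sizes present in both lists (with multiplicity) cancel out; every
    remaining size on either side costs 1. Order is ignored because
    sub-resources are fetched in varying order by real browsers.
    """
    a, b = Counter(observed), Counter(reference)
    return sum(((a - b) + (b - a)).values())


def identify(observed, fingerprints=FINGERPRINTS):
    """Return (best_matching_page, distance) for an observed size list.

    Ties are resolved in favour of the page that appears first in the
    fingerprint table, so a tie is itself a sign the attack lost precision.
    """
    best = min(fingerprints, key=lambda page: distance(observed, fingerprints[page]))
    return best, distance(observed, fingerprints[best])


def pad_to_block(sizes, block):
    """Countermeasure: pad every record up to the next multiple of `block`."""
    return [((s + block - 1) // block) * block for s in sizes]


def padded_db(fingerprints, block):
    """The fingerprint table as it would look if the site padded records."""
    return {page: pad_to_block(sizes, block) for page, sizes in fingerprints.items()}


def distinct_profiles(fingerprints):
    """Number of pages that are still mutually distinguishable by size alone."""
    return len({tuple(sorted(sizes)) for sizes in fingerprints.values()})


if __name__ == "__main__":
    # Exact capture of a visit to the sensitive page, with one extra
    # 64-byte record (a keepalive, say) that the table did not contain.
    seen = [3377, 512, 8804, 997, 15210, 64]
    print("observed sizes match:", identify(seen))

    for block in (0, 1024, 16384):
        db = FINGERPRINTS if block == 0 else padded_db(FINGERPRINTS, block)
        print(f"pad to {block or 'none':>5}: "
              f"{distinct_profiles(db)} of {len(db)} pages still distinguishable")
```

With no padding every page has a unique profile and the noisy capture still resolves to /diagnosis.html at distance 1. Padding to 1 KiB changes nothing, because the pages differ by more than a kilobyte per record. Padding to 16 KiB collapses each record to one size, yet /diagnosis.html remains identifiable because it is the only page that produces five records; only /index.html and /support-group.html become confusable. Hiding the record count as well requires shaping the traffic (dummy records or a fixed schedule), not just padding.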
** *** ***** ******* *********** *************
Schneier News
I was interviewed on Federal News Radio about insider threats:
http://www.federalnewsradio.com/index.php?nid=56&sid=1632741
I'm speaking at the Taiwan Information Security Center on April 17 in
Taipei:
http://forum.twisc.ncku.edu.tw/dm.html
I'll be on the Cryptographers' Panel at the RSA Conference on April 21
in San Francisco:
http://www.rsaconference.com/2009/US/Home.aspx
I'll be the keynote speaker at the IPSI Research Symposium on May 6 in
Toronto:
http://www.ipsi.utoronto.ca/events/IPSI_Research_Symposium_2009.htm
I'm speaking at the International Workshop on Coding and Cryptography on
May 12 in Lofthus, Norway:
http://www.selmer.uib.no/WCC2009/callWCC2009.pdf
I'm giving the keynote speech on Day 2 of the European OWASP Application
Security Conference, May 14 in Krakow, Poland:
http://www.owasp.org/index.php/AppSecEU09
And I'm giving the keynote speech at CONfidence on May 15 in Krakow, Poland:
http://2009.confidence.org.pl/
** *** ***** ******* *********** *************
The Definition of "Weapon of Mass Destruction"
At least, according to U.S. law:
18 U.S.C. 2332a
(2) the term "weapon of mass destruction" means --
(A) any destructive device as defined in section 921
of this title;
(B) any weapon that is designed or intended to cause
death or serious bodily injury through the release, dissemination, or impact
of toxic or poisonous chemicals, or their precursors;
(C) any weapon involving a biological agent, toxin,
or vector (as those terms are defined in section 178 of this title); or
(D) any weapon that is designed to release radiation
or radioactivity at a level dangerous to human life;
18 U.S.C. 921
(4) The term "destructive device" means--
(A) any explosive, incendiary, or poison gas--
(i) bomb,
(ii) grenade,
(iii) rocket having a propellant charge of
more than four ounces,
(iv) missile having an explosive or
incendiary charge of more than one-quarter ounce,
(v) mine, or
(vi) device similar to any of the devices
described in the preceding clauses;
(B) any type of weapon (other than a shotgun or a
shotgun shell which the Attorney General finds is generally recognized as
particularly suitable for sporting purposes) by whatever name known which
will, or which may be readily converted to, expel a projectile by the action
of an explosive or other propellant, and which has any barrel with a bore
of more than one-half inch in diameter; and
(C) any combination of parts either designed or
intended for use in converting any device into any destructive device
described in subparagraph (A) or (B) and from which a destructive device may
be readily assembled.
The term "destructive device" shall not include any device which is
neither designed nor redesigned for use as a weapon; any device,
although originally designed for use as a weapon, which is redesigned
for use as a signaling, pyrotechnic, line throwing, safety, or similar
device; surplus ordnance sold, loaned, or given by the Secretary of the
Army pursuant to the provisions of section 4684 (2), 4685, or 4686 of
title 10; or any other device which the Attorney General finds is not
likely to be used as a weapon, is an antique, or is a rifle which the
owner intends to use solely for sporting, recreational or cultural purposes.
This is a very broad definition, and one that involves the intention of
the weapon's creator as well as the details of the weapon itself.
In an e-mail, Ohio State University Professor John Mueller commented to
me:
"As I understand it, not only is a grenade a weapon of mass destruction,
but so is a maliciously-designed child's rocket even if it doesn't have
a warhead. On the other hand, although a missile-propelled firecracker
would be considered a weapon of mass destruction if its designers had
wanted to think of it as a weapon, it would not be so considered if it
had previously been designed for use as a weapon and then redesigned for
pyrotechnic use or if it was surplus and had been sold, loaned, or given
to you (under certain circumstances) by the Secretary of the Army.
"It also means that we are coming up on the 25th anniversary of the
Reagan administration's long-misnamed WMD-for-Hostages deal with Iran.
"Bad news for you, though. You'll have to amend that line you like
using in your presentations about how all WMD in all of history have
killed fewer people than OIF (or whatever), since all artillery, and
virtually every muzzle-loading military long arm for that matter,
legally qualifies as a WMD. It does make the bombardment of Ft. Sumter
all the more sinister. To say nothing of the revelation that The Star
Spangled Banner is in fact an account of a WMD attack on American shores."
Amusing, to be sure, but there's something important going on. The U.S.
government has passed specific laws about "weapons of mass destruction,"
because they're particularly scary and damaging. But by generalizing
the definition of WMDs, those who write the laws greatly broaden their
applicability. And I have to wonder how many of those who vote in favor
of the laws realize how general they really are, or -- if they do know
-- vote for them anyway because they can't be seen to be "soft" on WMDs.
It reminds me of those provisions of the USA PATRIOT Act -- and other
laws -- that created police powers to be used for "terrorism and other
crimes."
Prosecutions based on this unreasonable definition:
http://www.ph2dot1.com/2008/04/wmd-arent-what-they-used-to-be.html
** *** ***** ******* *********** *************
Stealing Commodities
Before his arrest, Tom Berge stole lead roof tiles from several
buildings in south-east England, including the Honeywood Museum in
Carshalton, the Croydon parish church, and the Sutton high school for
girls. He then sold those tiles to scrap metal dealers.
As a security expert, I find this story interesting for two reasons.
First, amongst increasingly ridiculous attempts to ban, or at least
censor, Google Earth, lest it help the terrorists, here is an actual
crime that relied on the service: Berge needed Google Earth for
reconnaissance.
But more interesting is the discrepancy between the value of the lead
tiles to the original owner and to the thief. The Sutton school had to
spend £10,000 to buy new lead tiles; the Croydon Church had to repair
extensive water damage after the theft. But Berge only received £700 a
ton from London scrap metal dealers.
This isn't an isolated story; the same dynamic is in play with other
commodities as well.
There is an epidemic of copper wiring thefts worldwide; copper is being
stolen out of telephone and power stations--and off poles in the
streets--and thieves have killed themselves because they didn't
understand the dangers of high voltage. Homeowners are returning from
holiday to find the copper pipes stolen from their houses. In 2001,
scrap copper was worth 70 cents per pound. In April 2008, it was worth $4.
Gasoline siphoning became more common as pump prices rose. And used
restaurant grease, formerly either given away or sold for pennies to
farmers, is being stolen from restaurant parking lots and turned into
biofuels. Newspapers and other recyclables are stolen from curbs, and
trees are stolen and resold as Christmas trees.
Iron fences have been stolen from buildings and houses, manhole covers
have been stolen from the middle of streets, and aluminum guard rails
have been stolen from roadways. Steel is being stolen for scrap, too. In
2004 in Ukraine, thieves stole an entire steel bridge.
These crimes are particularly expensive to society because the
replacement cost is much higher than the thief's profit. A manhole cover
is worth $5-$10 as scrap, but it costs $500 to replace, including labor.
A thief may take $20 worth of copper from a construction site, but do
$10,000 in damage in the process. And even if the thieves don't get to
the copper or steel, the increased threat means more money being spent
on security to protect those commodities in the first place.
Security can be viewed as a tax on the honest, and these thefts
demonstrate that our taxes are going up. And unlike many taxes, we don't
benefit from their collection. The cost to society of retrofitting
manhole covers with locks, or replacing them with less resalable
alternatives, is high; but there is no benefit other than reducing theft.
These crimes are a harbinger of the future: evolutionary pressure on our
society, if you will. Criminals are often referred to as social
parasites; they leech off society but provide no useful benefit. But
they are an early warning system of societal changes. Unfettered by laws
or moral restrictions, they can be the first to respond to changes that
the rest of society will be slower to pick up on. In fact, currently
there's a reprieve. Scrap metal prices are all down from last
year's--copper is currently $1.62 per pound, and lead is half what Berge
got--and thefts are down along with them.
We've designed much of our infrastructure around the assumptions that
commodities are cheap and theft is rare. We don't protect transmission
lines, manhole covers, iron fences, or lead flashing on roofs. But if
commodity prices really are headed for new higher stable points, society
will eventually react and find alternatives for these items--or find
ways to protect them. Criminals were the first to point this out, and
will continue to exploit the system until it restabilizes.
A copy of this essay, with all embedded links, is here:
http://www.schneier.com/blog/archives/2009/04/stealing_commod.html
A version of this essay originally appeared in The Guardian.
http://www.guardian.co.uk/technology/2009/apr/02/google-earth-censorship-cr…
or http://tinyurl.com/coo59n
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Phelix, and Skein algorithms. He is the Chief Security Technology
Officer of BT BCSG, and is on the Board of Directors of the Electronic
Privacy Information Center (EPIC). He is a frequent writer and lecturer
on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2009 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE