Jen, I don't see anyone answering, so I will try a bit with the disclaimer, if one need be given, that Joel Brenner is a friend of mine. His book, _America the Vulnerable_ is worth reading, and his blog entry on the subject you are raising, an entry crossposted on Lawfare, is germane to this discussion. See http://joelbrenner.com/n-s-a-not-so-secret-anymore/ If I may synthesize from the material you posted, in the digital world we are growing the attack surface faster than we can grow our defensive capacity. That being the fundamental dynamic, there are, as both you and Joel imply, a set of choices that might be properly called Hobbesian. Hobbes himself argued that "the only way to secure civil society is through universal submission to the absolute authority of a sovereign." What Hobbes could not envision is a sovereign that was a machine. I'm on the record in proposing to deliver a shock to the entire system of software vendors by using the Treasury of the United States to simply corner the world market in vulnerabilities and exploits and to concommitantly release them to the public -- the moral equivalent of administering an unproven chemotherapy for an otherwise terminal cancer. That proposal originally appeared in an article that I did for CNAS (www.cnas.org/cyber) but my presumption is that there will always be ready buyers (which there are), so the question is whether the buying and selling is to be a black market or a white. In truth, I was focusing on a side effect of the USG having an unassailable presence in a white market -- that there is some chance that we could collapse the black market, not by outbidding it but by implying that we had motivated the finding of vulnerabilities to such a level that even if one searcher was able to find a vulnerability it would not be long before some other searcher found it, too. By cutting the shelf-life of an unused but known vulnerability down to near zero, we would cripple the stockpiling of weapons. All of which, to repeat, comes with my ironclad requirement that vulns found be made public. Otherwise, and as one would certainly imagine, buying a lot of them at high prices only makes more get found such that in a black-only market those vulns will presumaby be both sold and re-sold to self-compartmentalized buyers. ["We" learned only this past week that the FBI is now buying for offensive purposes (www.securityweek.com/fbi-looking-buy-malware-security-vendors).] I am also on the record that Stuxnet was a Godsend insofar as it proved by demonstration that mutual assured destruction is possible, though one must quickly acknowledge that, unlike a missile with the Kremlin's name on it, cyberweapons with understood-in-advance collateral damage do not grow on trees. (Website on which it originally appeared has disappeared; a mirror is at geer.tinho.net/geer.dsbox.18xi10.txt) In October, 2012, I spoke with a recently retired gentleman who had been at the top of NSA's threat evaluation wing. I asked him then what he would be worrying about if he were still on the job. He said "Today I'd be worrying about the maker community and especially the drone crowd. Tomorrow I'd worry about do-it-yourself bio." These are by no means crazy answers. All of which comes back to your Home Invasion 2.0 work (I broke discipline and turned on Javascript just to get it). There is an enormous attack surface growing there, just as you say. Electric meters that report back everything are quintessential privacy destroying even if they are being mandated for "green" reasons. And so forth -- I'll restrain myself from enumerating all the things of that sort, though a cpunks dictionary of such would be an useful thing jointly to build. Which brings us back to the NSA. Their job description is to never miss a needle in any haystack. Haystacks are bigger than ever, and those who control the needles are ever more powerful -- both being side effects of the growth in power that is buried in cyberspace. If you are obliged to miss nothing while the cardinality of the things you might miss is growing at an accelerating rate, your only choice is to capture everything. Only when you have total surveillance is it possible to say that the absence of evidence is the evidence of absence. What "we" need to do is tell our leaders that we do not want their protections, that we will bloody well take care of ourselves even if down that path lies the occasional loss of a major city. One is again reminded of Dostoyevsky's Grand Inquisitor, is one not? --dan