Fwd: Call for input to President's Commission on Enhancing Cybersecurity - bridging the trust gap between the IT community and the US government
- - - Begin forwarded message - - -

Date: July 15, 2016 at 3:21:32 PM EDT
From: Herb Lin <herblin@stanford.edu>
To: "'David Farber (dave@farber.net)'" <dave@farber.net>, ip <ip@listbox.com>
Subject: Call for input to President's Commission on Enhancing Cybersecurity - bridging the trust gap between the IT community and the US government

Dear IPers -

You may know that President Obama has established a commission to consider how to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices. (See https://www.whitehouse.gov/the-press-office/2016/02/09/executive-order-commi....) I am one of the 12 designated commissioners.

Recognizing that trust is hard to build and easy to destroy (and a variety of things have happened over the last 20 years have occurred to do the latter), one issue that has come up is the enormous gap of trust between the U.S. government and the information technology (IT) community, from which many IPers are drawn. This rift is not helpful to either side, and I'd like to solicit input from the IP community about what you think the government can do or refrain from doing to help bridge that gap.

It would be most helpful if you could three things in your response:

1 - Your best examples of things the government (and what part of the US government) has done to alienate the IT community specifically. (Or, at the very least, show how the examples you provide connect to the interests of the IT community.)

2 - Things that the U.S. government could realistically do in the short and medium term (i.e., 0-10 year time frame) that would help bridge the trust gap. If your answer is "Don't do dumb things!", it would be better and more useful to provide *examples* of what not to do.

3 - Things that the U.S. government could realistically do in the longer term to do the same.

Please send your responses to CENCinput1@gmail.com. (I set up this email address, but I'd like to keep the traffic separate from my non-Commission work email.) I promise to read as many as I can individually and share what I learn with the commission membership.

Also, feel free to circulate this call for input to anyone else you feel would want to comment.

Thanks much

Herb

=======================================================================
Herb Lin
Senior Research Scholar, Center for International Security and Cooperation
Research Fellow, Hoover Institution
Stanford University
Stanford, CA 94305 USA
herblin@stanford.edu
650-497-8600 office || 202-841-0525 cell || 202-540-9878 fax
AIM herblin (any time you see me)
Skype herbert_lin (usually by appointment)
Twitter @HerbLinCyber

This message was sent to the list address and trashed, but can be found online.

- - - End forwarded message - - -
On Sat, Jul 16, 2016 at 10:22:40PM -0000, Joy wrote:
- - - Begin forwarded message - - -
Date: July 15, 2016 at 3:21:32 PM EDT
From: Herb Lin <herblin@stanford.edu>
To: "'David Farber (dave@farber.net)'" <dave@farber.net>, ip <ip@listbox.com>
Subject: Call for input to President's Commission on Enhancing Cybersecurity - bridging the trust gap between the IT community and the US government
Dear IPers -
Making your intentions easier to read would be a start. Makes them easier to respond to:
You may know that President Obama has established a commission to consider how to
- strengthen cybersecurity in both
  - the public and
  - private sectors
- while protecting privacy,
- ensuring public safety and
- ensuring economic and national security,
- fostering discovery and development of new technical solutions,
Your terms of reference are fundamentally in conflict. This causes people to contribute in the hope that you will personally balance possible outcomes in favour of the people (or principles which we would identify as just and righteous), and in the US government this "balance" or "favouring of righteousness" is almost never achieved.

The stated intentions, these foundations or 'terms of reference' of your "study" are conflicting. No foundation principles have been provided by you. No undertakings have been provided by you in respect of how any contributions to your study will be used.

We who contribute, are expected to have faith that you, representative of "the government" will somehow do the right thing, act in our interest. How are we to have faith that you would in fact act in our interest?

You have presented no foundation of intention, let alone undertaking, such as any of the following:
- fundamental human rights (right to travel, communicate privately etc)
- the ultimate sovereignty of we the people
- true democracy (political anarchy or direct democracy for example)
- nor any other principle worth supporting or standing for,

You are employed by the US government.

The US government drones people to death, every day, all around the world, based on meta data that it collects globally to the greatest extent possible.

These daily killings by the US, done via the IT infrastructure centred at Ramstein Air Base in Germany, established by the "IP"ers "technology" and "security" "professionals" of America, these killings are all extra-judicial, outside any court case, outside anything resembling democracy or the rule of law!

HOW CAN WE TRUST YOU?

WHY SHOULD WE CONTRIBUTE TO YOUR STUDY?

You want feedback and assistance, but rather than any of:
- principles
- foundations
- truth
- true democracy
- absolute sovereignty of the people,

you merely provide a list of conflicting "considerations" and "possible intentions", which cannot possibly be resolved in your foundation terms.

The US North American regime has year after year, since World War 2, deceived the people, bombed other people, unilaterally acted in war, and generally been highly despotic in its actions.

How can this possibly be brought to a stop? Can your study help to stop the North American regime? How will the results of your study help to stop the daily extra-judicial killing by the US government by drone, all around the world? How can the results of your study bring any credibility whatsoever, to the actions of the US government and military industrial banking complex?

North America has sold and bombed away every shred of honor, decency and democracy that it ever had.

Therefore the US government has no credibility. The US government is not a legitimate government. The US government is not accountable where it matters - in respect of killing people in other sovereign nations. The US government does not respect the rule of law. The US government is not a democracy.

There are SO many problems with the US government, that any attempt to help it, is only going to help kill more people, daily, around the world, outside of any acceptable process, by the US military.

This all has to stop.

Is there any hope, that contributing to your study, will help stop the killing?

In the eyes of those who seek righteousness and goodness in the world, can you provide any reason for hope?

The North American government has no high moral ground; no moral ground at all; it violates what the common man would consider ethical or moral at every turn, since World War 2 and indeed before!

What's in it for us?

Why should we help you?
What's in it for our human brothers and sisters in Iraq, Syria, France, North America, Latin America, China, Russia and everywhere else in the world?
- and bolstering partnerships between Federal, State, and local government and the private sector in the
  - development,
  - promotion,
  - and use of
    - cybersecurity technologies,
    - policies,
    - and best practices.
The "government" (you personally in this instance) will usually come unstuck, and the terms of reference/ stated intentions of your study prove this prima facie (on the face of it) - your terms are in conflict from the start, so you will be unable to produce any effect worth contributing to, based on your current terms (which are in conflict). That is, we the people, who contribute to your study, will end up, like every other instance in the past, "screwed over". So, again, why should we help you?
(See https://www.whitehouse.gov/the-press-office/2016/02/09/executive-order-commi....) I am one of the 12 designated commissioners.
Western governments appear entirely lacking self awareness when it comes to what they do (which is a lot of evil actions amongst other things), how they are perceived by people who directly suffer the consequences of the "government" not upholding and protecting the absolute human rights of the people in its own country let alone other countries, as well as in the eyes of those who witness such injustices.

If some country started conducting extra-judicial drone killings of US citizens on US soil, do you think there might be an uproar?

You ("government") want to "balance" "competing" interests (so you imply, you don't even be explicit about this) such as those of the people (security, privacy and anonymity of communication for example - we can only hope, you give no promise, no undertaking, we are to trust you absolutely); and those "interests" of the government, which "should" be aligned with the people, but never seem to be! I.e. the interests of the government and military industrial banking complex (monitoring the people to the greatest extent possible, to aid those with power and money - i.e. subversion of the "democratic" "government" to the selfish, greedy and despotic intentions of the few with great money and great power).

Are you able to affect any real change?

Is there any hope that your study will actually help shift the "balance" away from those with power, to the people of the world?

It is unlikely you can contribute to true democracy by helping to dismantle this despotic global surveillance infrastructure that the US government and its organs has put in place and uses to unilaterally kill people daily (CIA: "we kill people based on meta data"), but anything else you do will of course further these despotic intentions and methods of global surveillance and despotic actions of killing people daily without any trial, without any conviction, without any testing of evidence and without any jury of one's peers, and therefore you will be personally contributing to this evil that the world suffers at the hands of the US government today. And tomorrow. And every day after that.

More and more humans being killed. Illegally.

Herb/ Joy, can you help to stop this?

This global illegal communications intercepting and meta data and actual data collecting infrastructure, is used on a daily basis to drone kill people all over the world, outside of any judicial process, outside of any "democratic" consent of 'the people' other than implied tacit consent by apathy and momentum (which of course has no hope of competing with the active monetary and power motivations of the military industrial banking complex).

Can you help to stop these daily illegal killings?

"Democratic governments" consider themselves sovereign, and with ultimate authority, and ultimate power.

The supreme authority of the people, both collectively as well as individually, must be acknowledged, publicly, by any government to consider itself legitimate, and for that government to be seen as legitimate by educated humans.

All 'significant' decisions (say anything costing more than $1000, like unilaterally dropping a drone bomb on a human in a foreign sovereign country) must be put to the people to decide on, for any "democracy" to actually be a democracy. Otherwise it is a fascist state, and not a democracy, and is killing people illegally. In other countries. Illegally.
Many humans are schooled, but sadly, not educated.
Recognizing that trust is hard to build
It is very hard to build when you are facilitating the daily killing of people around the world, outside the rule of law, outside democracy, outside sanity.
and easy to destroy
Extra-judicial killing destroys trust, destroys democracy, and destroys a nation. North America will ultimately suffer the fallout of its despotic daily illegal killings.
(and a variety of things have happened over the last 20 years have occurred to do the latter),
Like killing people daily, completely illegally. That will certainly destroy trust. No individual can trust North America. Even presidential aeroplanes (the highest of "diplomatic immunity" if such a thing even existed or was respected by USA) is violated by the North American government - witness the grounding of the Ecuadorian president's plane in America's desperation to try to catch Snowden. No nation can trust the North American/ USA government.
one issue that has come up is the enormous gap of trust between the U.S. government and the information technology (IT) community,
Are you truly surprised? Are you surprised that there is an enormous gap of trust? Are you suggesting that gap is not deserved? Are you mistakenly believing that the U.S. government is good and wholesome?
from which many IPers are drawn.
Perhaps their conscience is getting to them, with all the killings happening by their infrastructure, on a daily basis, by the US military? Killing takes a toll on conscionable humans.
This rift is not helpful to either side,
It is not helpful to the US government.

But this rift is VERY helpful to we the people. We are suffering the despotic actions of the US government.

We are suffering the US government:
- killing people daily, extra-judicially
- monitoring most of the world's communications in real time
- collecting of most of the world's comms meta data
- the use of the things we make (computers, networks, crypto systems) to kill people extra-judicially on a daily basis
- the targeting and stalking of our best and fairest (those who want to bring the US government to account, to blow the whistle on despotic actions)
- the reckless debt creation
- the financial meltdown to come, which was mathematically guaranteed when the US dollar was taken OFF the gold backing standard
- endless violations of human rights by the US government, all around the world, on a daily basis

We, IPers, crypto nerds, cypher punks, programmers, hackers, crackers, moms, dads, brothers and sisters, artists and all the rest, we NEED to maintain distrust of the US government, or for some of us, we will be killed as a result of our righteous actions!

If we let down our guard, we will be imprisoned for many years simply for exercising our right of freedom of speech!

HOW DARE you suggest that our distrust is not helpful to our side.

And whose SIDE are you on?!!!!

When the government is at war with people/ on the other side, of its own people, and you work for the government, are you on the right side or the wrong side?

Shouldn't you be trying to cause others "in government" to treat the people as not "on the other side"?

How can you, the government, speak to us like this?
and I'd like to solicit input from the IP community about what you think the government can do
- destroy all meta data collected
- dismantle the global monitoring infrastructure
- rapproach with Russia (the US MIC needs an enemy to maintain justification for its funding)
- dismantle Ramstein Air Base
- respect China
- respect sovereignty of nations
- obtain permission from sovereign democratically elected governments before going to war or assisting in any way a civil war within a country
- respect international law
- respect the rule of law
or refrain from doing
- stop collecting meta data
- stop killing people daily, illegally
- stop overthrowing sovereign nations
- stop frauding your own elections
to help bridge that gap.
Stop killing people illegally.
It would be most helpful if you could three things in your response:
1 - Your best examples of things the government (and what part of the US government) has done to alienate the IT community specifically. (Or, at the very least, show how the examples you provide connect to the interests of the IT community.)
Using the IT community created infrastructure, to illegally kill people every day, every week, every month, every year, year after year. Can this be stopped?
2 - Things that the U.S. government could realistically do in the short and medium term (i.e., 0-10 year time frame) that would help bridge the trust gap. If your answer is "Don't do dumb things!", it would be better and more useful to provide *examples* of what not to do.
Stop killing people illegally, every day, in sovereign countries all around the world.
3 - Things that the U.S. government could realistically do in the longer term to do the same.
Promise to the world, publicly, repeatedly, to never kill people illegally again. Promise to the world, publicly, to stop sending weapons to anyone. Promise to the world to start obeying the rule of law, international law, and the UN Security Council. Stick to these promises.
Please send your responses to CENCinput1@gmail.com. (I set up this email address, but I'd like to keep the traffic separate from my non-Commission work email.) I promise to read as many as I can individually and share what I learn with the commission membership.
Also, feel free to circulate this call for input to anyone else you feel would want to comment.
Thanks much
Herb
=======================================================================
Herb Lin
Senior Research Scholar, Center for International Security and Cooperation
Research Fellow, Hoover Institution
Stanford University
Stanford, CA 94305 USA
herblin@stanford.edu
650-497-8600 office || 202-841-0525 cell || 202-540-9878 fax
AIM herblin (any time you see me)
Skype herbert_lin (usually by appointment)
Twitter @HerbLinCyber

This message was sent to the list address and trashed, but can be found online.
- - - End forwarded message - - -
This "answer" must be printed and put on the desk of not only this "researcher", but on the desk of all the congressmen.

Couldn't stop myself from reposting this harsh piece of truth again, Zenaan. With "amen" on every basic statement of it.

___

in the US government this "balance" or "favouring of righteousness" is almost never achieved.

!!!

The US government drones people to death, every day, all around the world, based on meta data that it collects globally to the greatest extent possible.

!!!

These daily killings by the US, done via the IT infrastructure centred at Ramstein Air Base in Germany, established by the "IP"ers "technology" and "security" "professionals" of America, these killings are all extra-judicial, outside any court case, outside anything resembling democracy or the rule of law!

!!!

HOW CAN WE TRUST YOU?

THE KEY QUESTION. Or... shall I say a KEY STATEMENT?

The US North American regime has year after year, since World War 2, deceived the people, bombed other people, unilaterally acted in war, and generally been highly despotic in its actions.

!!!

How can this possibly be brought to a stop?

?!

North America has sold and bombed away every shred of honor, decency and democracy that it ever had. ==> Therefore the US government has no credibility. The US government is not a legitimate government. The US government is not accountable where it matters - in respect of killing people in other sovereign nations. The US government does not respect the rule of law. The US government is not a democracy.

!!!

There are SO many problems with the US government, that any attempt to help it, is only going to help kill more people, daily, around the world, outside of any acceptable process, by the US military.

!!!

This all has to stop.

!!!

In the eyes of those who seek righteousness and goodness in the world, can you provide any reason for hope?

!!!

The North American government has no high moral ground; no moral ground at all; it violates what the common man would consider ethical or moral at every turn, since World War 2 and indeed before!

!!!!!!!!!!

Why should we help you?

What's in it for our human brothers and sisters in Iraq, Syria, France, North America, Latin America, China, Russia and everywhere else in the world?
!!!

Western governments appear entirely lacking self awareness when it comes to what they do (which is a lot of evil actions amongst other things)

!!!

Western governments appear entirely lacking self awareness when it comes to how they are perceived by people who directly suffer the consequences of the "government" not upholding and protecting the absolute human rights of the people in its own country let alone other countries, as well as in the eyes of those who witness such injustices.

!!!

*If some country started conducting extra-judicial drone killings of US citizens on US soil, do you think there might be an uproar?*

*That's the BEST comparison ever!!!!*

and those "interests" of the government, which "should" be aligned with the people, but never seem to be!

!!!

Are you able to affect any real change?

!!!

despotic global surveillance infrastructure that the US government and its organs has put in place and uses to unilaterally kill people daily (CIA: "we kill people based on meta data")

!!!

despotic intentions and methods of global surveillance and despotic actions of killing people daily without any trial, without any conviction, without any testing of evidence and without any jury of one's peers

!!!

*you will be personally contributing to this evil that the world suffers at the hands of the US government today.*

*!!!MOST OF US ARE DOING THAT!*

More and more humans being killed. Illegally. Herb/ Joy/mr. X/Y/Z, can you help to stop this?

*!!!The question is, whether he/we WANT to or.... the warm bed and the nice suit is more important...The moment he WANTS -> HE "SUDDENLY" CAN.!*

This global illegal communications intercepting and meta data and actual data collecting infrastructure, is used on a daily basis to drone kill people all over the world, outside of any judicial process, outside of any "democratic" consent of 'the people' other than implied tacit consent by apathy and momentum

!!!

*Can you help to stop these daily illegal killings?*

*Again, this question refers to EVERY HUMAN BEING. Especially on this list.*

The supreme authority of the people, both collectively as well as individually, must be acknowledged, publicly, by any government to consider itself legitimate

!!!

All 'significant' decisions (say anything costing more than $1000, like unilaterally dropping a drone bomb on a human in a foreign sovereign country) must be put to the people to decide on, for any "democracy" to actually be a democracy. Otherwise it is a fascist state, and not a democracy, and is killing people illegally.

!!!

Many humans are schooled, but sadly, not educated.
And "universitized" and even "professored"/big-bossed, but still, not educated!

Extra-judicial killing destroys trust, destroys democracy, and destroys a nation. North America will ultimately suffer the fallout of its despotic daily illegal killings.

!!!

Like killing people daily, completely illegally. That will certainly destroy trust.

!!!

No individual can trust North America. No nation can trust the North American/ USA government.

!!!

*Are you surprised that there is an enormous gap of trust? Are you suggesting that gap is not deserved? Are you mistakenly believing that the U.S. government is good and wholesome?*

*!!!NO, HE IS NOT. Excluding the case that this is a CIA officer OR a dead walking zombie (although I see no big difference)*.

Killing takes a toll on conscionable humans.

!!!

This rift is not helpful to either side,

It is not helpful to the US government. But this rift is VERY helpful to we the people. We are suffering the despotic actions of the US government.

!!!

___

*We are suffering the US government:*
*- killing people daily, extra-judicially*
*- monitoring most of the world's communications in real time*
*- collecting of most of the world's comms meta data*
*- the use of the things we make (computers, networks, crypto systems) to kill people extra-judicially on a daily basis*
*- the targeting and stalking of our best and fairest (those who want to bring the US government to account, to blow the whistle on despotic actions)*
*- the reckless debt creation*
*- the financial meltdown to come, which was mathematically guaranteed when the US dollar was taken OFF the gold backing standard*
*- endless violations of human rights by the US government, all around the world, on a daily basis*

!!!

___

*We, IPers, crypto nerds, cypher punks, programmers, hackers, crackers, moms, dads, brothers and sisters, artists and all the rest, we NEED to maintain distrust of the US government, or for some of us, we will be killed as a result of our righteous actions!*

*!!!YES, DISTRUST! A TOTAL DIS-TRUST OF THE US GOV.* !

If we let down our guard, we will be imprisoned for many years simply for exercising our right of freedom of speech!

!!!

__

HOW DARE you suggest that our distrust is not helpful to our side.

*He is desperately LYING, Zen! Those scums want us to SMILE AND ENJOY when they torture our souls and killing our bodies. You see, it's not enough for them just to torture (all of us) and kill (some of us). We should also smile and welcome these actions and trust them. Fucken INQUISITORS!*

__

*When the government is at war with people/ on the other side, of its own people, and you work for the government, are you on the right side or the wrong side?*

!!!

*How can you, the government, speak to us like this?*

!!!

__
and I'd like to solicit input from the IP community about what you think the government can do

- destroy all meta data collected

AMEN.

- dismantle the global monitoring infrastructure

AMEN.

- rapproach with Russia (the US MIC needs an enemy to maintain justification for its funding)

AMEN.

- dismantle Ramstein Air Base

AMEN.

- respect China

AMEN.

- respect sovereignty of nations

AMEN.

- obtain permission from sovereign democratically elected governments before going to war or assisting in any way a civil war within a country

AMEN.

- respect international law

AMEN.

- respect the rule of law

AMEN. It's a good start, USgov. Don't you think?

__

*> what you think the government should refrain from doing*

*- stop collecting meta data*
*- stop killing people daily, illegally*
*- stop overthrowing sovereign nations*
*- stop frauding your own elections*

... *Stop LYING LYING LYING! Stop playing the chosen/god's/best nation of the world. AND START REALLY BECOMING SO.* ... ...

Your best examples of things the government (and what part of the US government) has done to alienate the IT community specifically.

Using the IT community created infrastructure, to illegally kill people every day, every week, every month, every year, year after year. Can this be stopped?

!!!

2 - Things that the U.S. government could realistically do in the short and medium term

*Stop killing people illegally, every day, in sovereign countries all around the world.*

!!!

3 - Things that the U.S. government could realistically do in the longer term to do the same.

*a. Promise to the world, publicly, repeatedly, to never kill people illegally again.*
*b. Promise to the world, publicly, to stop sending weapons to anyone.*
*c. Promise to the world to start obeying the rule of law, international law, and the UN Security Council.*

p.s Stick to these promises.

!!!

*I think this answer/reply couldn't be written better. Thank you very much Zenaan. From me and from many "silent", but smart people on this list.*
On 07/16/2016 06:22 PM, Joy wrote:
- - - Begin forwarded message - - -
Date: July 15, 2016 at 3:21:32 PM EDT
From: Herb Lin <herblin@stanford.edu>
To: "'David Farber (dave@farber.net)'" <dave@farber.net>, ip <ip@listbox.com>
Subject: Call for input to President's Commission on Enhancing Cybersecurity - bridging the trust gap between the IT community and the US government
You may know that President Obama has established a commission to consider how to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices.
The mission defined above is much more ambitious than it may initially appear, because direct conflicts of interest are hard wired into it.

The "cybersecurity" buzzword embraces a spectrum of practical security context from protecting consumer financial credentials through shielding "secret" government databases from unauthorized access, to preventing malicious alteration of the firmware that runs our civil and industrial infrastructure.

Privacy is not encompassed by the term "cybersecurity" as it is intended and understood by those who presently use it in a national policy context - but this can and should change. Network security addresses practical concerns of privacy, utility, reliability and cost effectiveness as well as countermeasures to stereotypical hacker threats.

The express inclusion of privacy protection in its brief directs the Commission to deliver recommendations directly counter to the interests of private enterprises and government departments which presently collect, analyze, and transfer or act on "private" information about individuals and groups.

If economic security is taken to include protecting the revenue streams of dominant U.S. IT vendors and their associated armies of specialized workers in the field, either "cybersecurity" or economic security must be sacrificed.

If national security is taken to include protecting intelligence service access to surveillance and sabotage targets via widely distributed security defects in IT products and services, either "cybersecurity" or national security must be sacrificed.

A security model can not be "just a little bit pregnant." Every variance or exception that permits violations of any system's specified security protocol creates new vulnerabilities that compromise the security of that system, usually in subtle as well as obvious ways.

Security threats are both external and internal to the enterprise, and include hackers who want to break in for fun and/or profit, but also: Enterprise IT consumers who make non-negotiable demands for features and functions that create security vulnerabilities; senior executives whose golfing buddies know more about network security than the enterprise's entire IT staff; IT vendors who are free to hide deficiencies and misrepresent their wares under immunity from prosecution or civil liability; academics and consultants whose personal fortunes rise and fall with the value of vendor-specific credentials; and certified technical workforces whose educational and occupational background is restricted to a vendor specific context, and includes mandatory training as outside sales reps for those same vendors.

Add to this the massive political influence of dominant U.S. IT vendors' senior executives and major shareholders, and our picture of an industry hard wired for security failure is complete.

The expected end result of the complex of counter-security factors outlined above would be smoking rubble, and that is an apt description of prevailing network security conditions.

Pervasive "cybersecurity" failures have prompted the Executive branch to prepare for intervention across both government and private sector domains; in itself this is evidence that a deep systemic disorder harmful to the National Interest has been recognized and acknowledged. Developing a functional model that explains why an emergency exists is the first step toward reliably and durably ending it.

The inclusive nature of the Commission's mandate requires it to address "cybersecurity" in a holistic manner. The systemic disorders listed above are inherent in the present economic and political relationships of parties whose inputs control IT security across all domains.

Effective solutions will be called "radical" and rightly so, as one must change the underlying economic and political relationships that drive the ongoing failure of "cybersecurity" to achieve meaningful results.

Bolting layers of external reinforcement onto a broken machine does not fix the machine, only prolongs its ability to produce broken outputs. Like an urban renewal project, implementing an effective national "cybersecurity" strategy begins with a wrecking ball. If this is not an acceptable option, "enhanced cybersecurity" is not a possible outcome.
Recognizing that trust is hard to build and easy to destroy (and a variety of things over the last 20 years have occurred to do the latter), one issue that has come up is the enormous gap of trust between the U.S. government and the information technology (IT) community, from which many IPers are drawn. This rift is not helpful to either side, and I'd like to solicit input from the IP community about what you think the government can do or refrain from doing to help bridge that gap.
In the present context, trust has two distinct and nearly opposite definitions: In a political context, trust means confidence cultivated to further a collaborative and/or manipulative agenda. In a network security context, trust is a controlled asset whose role is minimized on every front and excluded where and as possible: A trusted actor or system is one that can break your security model.
A competent IT security strategy compartmentalizes, simplifies and hardens the handling of protected assets. Tools must be selected and protocols designed on a case by case basis to enable a given enterprise or department's necessary functions while minimizing exposure of its assets to hostile actors. Trust is rationed, and dispensed only where and as the benefits of trust outweigh the risks.
As a simple example illustrating the role of trust in "cybersecurity," all major web browsers automatically download and execute software as directed by any website their users visit, without the user's knowledge or express consent. Large families of critical security vulnerabilities grow from this promiscuous trust model. Many botnets propagate themselves via this vector, which has also enabled targeted attacks compromising "secured" assets affecting major corporations and government agencies. Browser makers build automatic execution of 3rd party software into their browsers because both end users and major commercial website operators demand it. Vendor efforts to mitigate this critical security threat by 'sanitizing and sandboxing' incoming executable code can reduce but not reliably prevent high impact security incidents arising from a fundamentally insecure trust model.
Informed end users can install tools like NoScript which prevent the browser from downloading and executing software without the user's express consent. Individual websites can be whitelisted by the user, where and as the benefits of automatically executing arbitrary software from a given site are believed to outweigh the risks of doing so. In practice this trivially simple trust based security measure has proven itself orders of magnitude more effective than a promiscuous trust model "mitigated" by complex, failure prone defenses against hostile code.
Bridging the trust gap between the IT community and the US government is already a done deal, because there has never been one. The U.S. government funded and directed the creation of the IT industry. As indicated above, the existing bridges enabling public/private partnership in IT enterprises create promiscuous trust relationships in the face of conflicts of interest, perverse incentives and institutional inertia all working against the objectives of "cybersecurity." Rather than reinforcing them, these bridges must be locked down or removed as the first step toward enhancing "cybersecurity."
1 - Your best examples of things the government (and what part of the US government) has done to alienate the IT community specifically. (Or, at the very least, show how the examples you provide connect to the interests of the IT community.)
The U.S. government has not alienated the IT community: It has shielded this community from liability for fraudulent performance claims, fed it billions of dollars of annual revenue, and given Fortune 500 IT corporations nearly full control of government policy affecting those same corporations. The intimate partnership of IT vendors and government decision makers has, however, alienated a large segment of the public at large. With regard to privacy concerns, IT vendors are correctly perceived as the government's partners in domestic mass surveillance. The interests of the IT community are directly served by the government's nearly absolute tolerance for commercial mass surveillance, inherently insecure products and protocols, forced obsolescence strategies and abusive marketing practices - all of which are routinely implemented by major IT vendors to reduce costs and/or enhance revenues.
The current condition of gross insecurity across private and State owned IT assets is a product of the dominant role of vendors who are richly rewarded for exploiting the technological ignorance of private and public sector decision makers. The cumulative cost of unstable, insecure IT infrastructure supplied and serviced by parasitic vendors greatly exceeds the short term costs of replacement with stable, security oriented infrastructure; but perverse incentives and conflicts of interest assure that no such course can be taken absent dynamic and determined public sector leadership.
2 - Things that the U.S. government could realistically do in the short and medium term (i.e., 0-10 year time frame) that would help bridge the trust gap. If your answer is "Don't do dumb things!", it would be better and more useful to provide *examples* of what not to do.
Revoke software vendors' blanket immunity from prosecution for consumer fraud and from liability for damage caused by failure to control product defects. Where there is no accountability, there is no motivation to spend money on security and no rational basis for consumer trust. The infallible invisible hand of the Free Market can not produce security, quality or innovation where the State grants special immunity from prosecution and civil liability to privileged parties.
Mandate security evaluations based on performance and design metrics for all software (and firmware) purchased for use by government agencies and departments. These evaluations must include examination of the specific product offerings under consideration, and the bidder's historical security track record across all products. Total cost of ownership calculations for IT assets must include estimated costs of potential security failures, and projected costs of recovery from same, proportionally adjusted to reflect the relative security performance of each competing bidder's products. This could be facilitated by the establishment of a transparent, accountable Federal activity that collects relevant data and produces reports in a standardized format consistent with government procurement process.
Mandate reporting of security incidents by every government activity, and every commercial enterprise with a State or Federal tax ID, where financial losses and costs of remediation and recovery from the incident exceed $5,000.00. Require reporting of the category of failure, specific software tools that presented the vulnerabilities exploited, direct losses incurred, and the costs of remedial and recovery measures taken. Specify that aggregate data from these reports be made available to the public on at least a quarterly basis.
Direct the Federal Communication Commission to conduct and annually review studies on the privacy impacts, positive and negative, of deployed and proposed network communication protocols and Standards, publicly report their findings, and solicit public comments in a transparent process. Mandate that all reports reference IETF RFC 6973, Privacy Considerations, as guidance in identifying, naming and evaluating adverse and beneficial privacy impacts of deployed and proposed network communication protocols and architectures.
3 - Things that the U.S. government could realistically do in the longer term to do the same.
See above. A durable commitment of all necessary resources to assure that the measures suggested in response to query 2 are effectively implemented would create and sustain rational, constrained trust relationships affecting all those aspects of "cybersecurity" which are properly the government's business.
The requirement that recommendations be "realistic" is regrettable. "Practicable" would have been better language. A realistic proposal might be considered as one that will not provoke a do-or-die defense of the status quo from dominant IT vendors, U.S. intelligence activities, and others whose bread and butter is "cyber insecurity."
A practicable proposal would be one that is within the scope of public policy authorities and industry capabilities: Vendors who assert that requirements are "impossible" or simply refuse to comply will be replaced by vendors who are ready to step forward and meet any challenges presented. Solutions to many of today's most serious and widespread network security failures are already available as off the shelf products from vendors with excellent security track records. The proposals presented under query 3 above may not be considered reasonable by dominant industry stakeholders, but they are practicable, and these or materially similar policy initiatives are necessary if the President is serious about getting the results he has asked for.
Steve Kinney
Maybe I will finally qualify for the title Statist Pig with this post. One can only hope.
Contrary to the original query's request that replies not consist of "don't do dumb things," I have composed a very elaborate text that actually says, "don't do dumb things."
:o)
On Tue, 19 Jul 2016 22:22:52 -0400 Steve Kinney <admin@pilobilus.net> wrote:
Maybe I will finally qualify for the title Statist Pig with this post. One can only hope.
I took a (very) quick look at your previous post and skipped it cause it seemed a bit too academic. OK, I'll have to read it...
Contrary to the original query's request that replies not consist of "don't do dumb things," I have composed a very elaborate text that actually says, "don't do dumb things."
:o)
On Tue, 19 Jul 2016 22:13:00 -0400 Steve Kinney <admin@pilobilus.net> wrote:
Bridging the trust gap between the IT community and the US government is already a done deal, because there has never been one. The U.S. government funded and directed the creation of the IT industry.
^^^ quoted for truth
The U.S. government has not alienated the IT community: It has shielded this community from liability for fraudulent performance claims, fed it billions of dollars of annual revenue, and given Fortune 500 IT corporations nearly full control of government policy affecting those same corporations.
so called patents and copyrights, i.e. government privileges, play a fundamental role too.
Mandate security evaluations based on performance and design metrics for all software (and firmware) purchased for use by government agencies and departments.
You do get a good amount of statist pig points for that one. Actually, the government must stop buying stuff and must start giving back all the money they stole.
Mandate reporting of security incidents by every government activity, and every commercial enterprise with a State or Federal tax ID,
So yeah, statist bullshit.
Direct the Federal Communication Commission to conduct and annually review studies on the privacy impacts,
And even more statist bullshit. And of course I now have to ask. First you correctly explain the relationship between the 'industry' and the state and then expect the state to regulate it? What?
See above. A durable commitment of all necessary resources to assure that the measures suggested in response to query 2 are effectively implemented would create and sustain rational, constrained trust relationships affecting all those aspects of "cybersecurity" which are properly the government's business.
So yeah, statist pig.
A practicable proposal would be one that is within the scope of public policy authorities and industry capabilities: Vendors who assert that requirements are "impossible" or simply refuse to comply will be replaced by vendors who are ready to step forward and meet any challenges presented. Solutions to many of today's most serious and widespread network security failures are already available as off the shelf products from vendors with excellent security track records.
such as?
On 07/19/2016 11:46 PM, juan wrote:
On Tue, 19 Jul 2016 22:13:00 -0400 Steve Kinney <admin@pilobilus.net> wrote:
Mandate security evaluations based on performance and design metrics for all software (and firmware) purchased for use by government agencies and departments.
You do get a good amount of statist pig points for that one.
Actually, the government must stop buying stuff and must start giving back all the money they stole.
I can dig it. But how to implement this? My strategy is to let Nature take its course; after the State collapses, surviving resources no longer under State control will be up for grabs. BTW, money as we know it is a fiction created and maintained by the State for the purpose of enriching the powerful at everyone else's expense. See how easy it is to fall into the trap of compliance with State sponsored assumptions? :)
Mandate reporting of security incidents by every government activity, and every commercial enterprise with a State or Federal tax ID,
So yeah, statist bullshit.
Note that this would only affect the State itself, and those who have made a positive commitment to submit to State dominion.
Direct the Federal Communication Commission to conduct and annually review studies on the privacy impacts,
And even more statist bullshit.
And of course I now have to ask. First you correctly explain the relationship between the 'industry' and the state and then expect the state to regulate it? What?
This ain't a call for regulation; it's just a call for public reporting by a State agency. ;)
See above. A durable commitment of all necessary resources to assure that the measures suggested in response to query 2 are effectively implemented would create and sustain rational, constrained trust relationships affecting all those aspects of "cybersecurity" which are properly the government's business.
So yeah, statist pig.
Only if I expect this to produce real world results. Prescribing abstinence as a cure for alcoholism, or getting well as a cancer cure, would be similar in effect.
A practicable proposal would be one that is within the scope of public policy authorities and industry capabilities: Vendors who assert that requirements are "impossible" or simply refuse to comply will be replaced by vendors who are ready to step forward and meet any challenges presented. Solutions to many of today's most serious and widespread network security failures are already available as off the shelf products from vendors with excellent security track records.
such as?
For a start, if my (impossible) suggestions were implemented, Microsoft would lose its most important State protections, all its government contracts, and a large part of its market share in the business and consumer markets. Those product lines would be largely replaced by UNIX model operating systems, Free software applications, etc. My first draft was an explicit Microsoft death sentence, I worked backward from there to create generic, vendor agnostic conditions that would assure the same result. No anarchists were harmed in the production of this policy brief. I wrote it because it amuses me to keep a hand in - I used to do quality assurance programs and the like, and sometimes I miss the games. Also to troll the Commission. Thank you for your feedback, and may I add, OINK OINK. :o)
Hi,
Steve Kinney: Microsoft would lose a large part of its market share in the business and consumer markets
I am confident that even after the collapse, businesses running 98 and XP will still be paying for support q: People, on the other hand, will be using the free and open-source KanyeOS built on the BAE-Waynux system. Wordlife, Spencer
On 07/20/2016 12:17 PM, Spencer wrote:
Hi,
Steve Kinney: Microsoft would lose a large part of its market share in the business and consumer markets
I am confident that even after the collapse, businesses running 98 and XP will still be paying for support q:
I know of a couple of small businesses still running core missions on Windows 98; in their use cases it "just works" and they see no need to fix it. There are still millions of XP installations grinding away out there. When a tool has successfully supported necessary business process for years, rational managers don't replace it until it either breaks or something comes along that offers a real improvement in the performance of the enterprise as a whole. Hence the key roles of forced obsolescence, managed security failure, and product misrepresentation in the wonderful world of proprietary software.
People, on the other hand, will be using the free and open-source KanyeOS built on the BAE-Waynux system.
Post-apocalypse, Free Software will dominate because of its superior performance in the context of salvaging and repurposing hardware, and because it already has a distributed architecture in place for developing and maintaining software. The more Free Software we have in our large scale integrated infrastructure today, the faster and better we can stand up a patchwork quilt of autonomous infrastructures tomorrow. :o)
Hi,
Steve Kinney: forced obsolescence, managed security failure, and product misrepresentation in proprietary software.
Not exclusively proprietary stuff ... see Torvalds, Zawinski, Dingledine, Freitas, et al.
Post-apocalypse, Free Software will dominate we can stand up a patchwork quilt of autonomous infrastructures
Automatic low credit score droning done with publicly audited open-source code XD Wordlife, Spencer
On 07/20/2016 06:21 PM, Spencer wrote:
Automatic low credit score droning done with publicly audited open-source code XD
By definition, credit reporting agencies will not survive into the post-apocalyptic world. Ditto for State programs conducting economic wars of conquest through terrorist means. :o)
On Wed, Jul 20, 2016 at 09:17:52AM -0700, Spencer wrote:
Microsoft would lose a large part of its market share in the business and consumer markets
I am confident that even after the collapse, businesses running 98 and XP will still be paying for support q:
I never understood why folks upgraded from WfWG3.1 - 98 was -never- as stable, except when nothing was installed (including drivers). Not to mention those ghastly green hills...
On July 20, 2016 7:19:35 PM EDT, Zenaan Harkness <zen@freedbms.net> wrote:
On Wed, Jul 20, 2016 at 09:17:52AM -0700, Spencer wrote:
Microsoft would lose a large part of its market share in the business and consumer markets
I am confident that even after the collapse, businesses running 98 and XP will still be paying for support q:
I never understood why folks upgraded from WfWG3.1 - 98 was -never- as stable, except when nothing was installed (including drivers). Not to mention those ghastly green hills...
I never understood why anyone would run Windows -at all-. Linux and *BSD have both been totally usable for 20+ years now... John -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Wed, Jul 20, 2016, 18:03 John <jnn@synfin.org> wrote:
On July 20, 2016 7:19:35 PM EDT, Zenaan Harkness <zen@freedbms.net> wrote:
On Wed, Jul 20, 2016 at 09:17:52AM -0700, Spencer wrote:
Microsoft would lose a large part of its market share in the business and consumer markets
I am confident that even after the collapse, businesses running 98 and XP will still be paying for support q:
I never understood why folks upgraded from WfWG3.1 - 98 was -never- as stable, except when nothing was installed (including drivers). Not to mention those ghastly green hills...
I never understood why anyone would run Windows -at all-. Linux and *BSD have both been totally usable for 20+ years now...
In '93 when WfWG 3.11 came out and even in '98, Linux was basically a hobbyist OS. Nowadays the problem isn't the OS but the applications. If you're just using a web browser, it's not a problem, but that's essentially what ChromeOS is from the perspective of the average user, and Android is rapidly filling that space and has plenty of applications. Which brings up an interesting point more relevant to the original topic, which is that to have any amount of security you really need to know what you're doing. I'm not holding my breath for the government to do anything about that besides exploit it to increase its own power and spy on us. The first thing that should come to one's mind when thinking of government's relationship to private industry and cybersecurity is AT&T's (and others) cooperation with the NSA and the government's subsequent shielding of them from any liability for it. That which is permitted rapidly becomes mandatory when government has all kinds of extra laws it can enforce at its own discretion, and privileges like indemnification that it can extend or withdraw as it likes.
John -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Wed, Jul 20, 2016 at 08:57:52PM -0400, John wrote:
On July 20, 2016 7:19:35 PM EDT, Zenaan Harkness <zen@freedbms.net> wrote:
On Wed, Jul 20, 2016 at 09:17:52AM -0700, Spencer wrote:
Microsoft would lose a large part of its market share in the business and consumer markets
I am confident that even after the collapse, businesses running 98 and XP will still be paying for support q:
I never understood why folks upgraded from WfWG3.1 - 98 was -never- as stable, except when nothing was installed (including drivers). Not to mention those ghastly green hills...
Actually, it was WfWG 3.11, to be precise. I only had Windows 3.1, and lusted after the full Windows for Workgroups edition...
I never understood why anyone would run Windows -at all-. Linux and *BSD have both been totally usable for 20+ years now...
I did not know about Linux back then - I had actually heard about gcc and tried to download it on an old loaner PC running DOS that I had at the time, but I was getting only 1200baud! After 12 hours, reading enough to realise I'd be doing a lot of swapping just to use it, I figured I would wait until after upgrading to one of the new beaut 24/32kbps spangled modems and a better PC. A few years later someone I was working with brought in a slackware full CD set, and I was pleasantly amazed. Memory is not the best so there are probably other events in between.
On July 21, 2016 1:58:35 AM EDT, Zenaan Harkness <zen@freedbms.net> wrote:
On Wed, Jul 20, 2016 at 08:57:52PM -0400, John wrote:
On July 20, 2016 7:19:35 PM EDT, Zenaan Harkness <zen@freedbms.net> wrote:
On Wed, Jul 20, 2016 at 09:17:52AM -0700, Spencer wrote:
Microsoft would lose a large part of its market share in the business and consumer markets
I am confident that even after the collapse, businesses running 98 and XP will still be paying for support q:
I never understood why folks upgraded from WfWG3.1 - 98 was -never- as stable, except when nothing was installed (including drivers). Not to mention those ghastly green hills...
Actually, it was WfWG 3.11, to be precise. I only had Windows 3.1, and lusted after the full Windows for Workgroups edition...
I never understood why anyone would run Windows -at all-. Linux and *BSD have both been totally usable for 20+ years now...
I did not know about Linux back then - I had actually heard about gcc and tried to download it on an old loaner PC running DOS that I had at the time, but I was getting only 1200baud! After 12 hours, reading enough to realise I'd be doing a lot of swapping just to use it, I figured I would wait until after upgrading to one of the new beaut 24/32kbps spangled modems and a better PC.
A few years later someone I was working with brought in a slackware full CD set, and I was pleasantly amazed. Memory is not the best so there are probably other events in between.
The first time I ever tried to install Linux was on a 286 in I think 1995 (I lagged on quality computers as a kid). I downloaded the kernel source from a BBS at 9600 baud and got totally fucking confused with what to do with the resulting tgz file.... Eventually I was able to extract it in DOS, but of course it was still unusable... Linux needs 32bit and you can't install from a kernel source archive... Anyway I got a Pentium 120 a year or two later and figured it out. Never really looked back. Used a lot of Solaris in late 90s as well - netras were reasonably cheap (are dirt cheap now) John -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Wed, Jul 20, 2016 at 12:29:10AM -0400, Steve Kinney wrote:
My first draft was an explicit Microsoft death sentence, I worked backward from there to create generic, vendor agnostic conditions that would assure the same result.
I will drink to m$'s death. But not sure if currently it is good for non-sheeple. It is known that m$ are lamers and their ``code'' is complete mess. My enemies better be pussies than lions. As an aside, the pokeman game mania doesn't appear to work on windoze shit AFAICT, hurting their phone sales (if any). Empires rise and fall. And get replaced by something worse.
On Sat, 16 Jul 2016 22:22:40 -0000 "Joy" <joyland@sigaint.org> wrote:
- - - Begin forwarded message - - -
Date: July 15, 2016 at 3:21:32 PM EDT From: Herb Lin <herblin@stanford.edu> To: "'David Farber (dave@farber.net)'" <dave@farber.net>, ip <ip@listbox.com> Subject: Call for input to President's Commission on Enhancing Cybersecurity - bridging the trust gap between the IT community and the US government
Recognizing that trust is hard to build and easy to destroy (and a variety of things that have happened over the last 20 years have occurred to do the latter), one issue that has come up is the enormous gap of trust between the U.S. government and the information technology (IT) community,
So here we have a pathetic, fucking lie. As any retard should know, the american 'information technology' mafia is fully in bed with the american government. The US is a corporatocracy, and 'IT' corporations play a fundamental role as 'private' members of the US government. "gap of trust" - ROFL!
participants (9)
- Georgi Guninski
- John
- Joy
- juan
- Sean Lynch
- Spencer
- Steve Kinney
- Zenaan Harkness
- Александр