Monday, December 31, 2007

spinning down


Just a few thoughts as the year spins down to a merciful end.

These are strange times. Kind of un-fun dark and anxious times. The nation that I grew up in seems to be a fading memory, and there seems to be little recourse on the part of our elected officials. We now live in a place where rule of law (for what it is worth) has been displaced at least in part by rule of man.

Where we see:

Former Guantanamo inmate set free. Australian David Hicks, “the first person convicted at an American war crimes trial since World War II was freed from prison on Saturday, after completing his U.S. imposed sentence.” Hicks spent five years in detention at Guantanamo Bay, followed by a nine month sentence in prison. “He was told to remain silent about any alleged abuse he suffered while in custody.”
There can be no practical reason to prohibit this information from being discussed except for political embarrassment. Not sure what a war crimes tribunal might think of the limitations on communication - they might frown on the "don't tell anybody about the torture until after the end of the political season or we will drag you back and torture you for the remainder of the nine year term." Nice.

And discussions about torture inevitably decay into arguments about the minutiae of just how effective one form of torture might be over another in some hypothetical (i.e. unreal) story line. Rule of law. No discussion about due process so the base assumption here is that said person is just guilty, not found guilty by judicial process. If the decision about torture is predicated on effectiveness, then why don't we quit fucking around and apply it on the general US criminal population (more so than it already is). Torture and more importantly the threat of torture exist as a weapon of fear against an entire population. As a tool of information gathering it is denounced as useless so can we all just shut the fuck up about it and move on.

On the whole the Hicks situation reminds me of the redacted judicial opinion which, in whole, reads:
"The danger to political dissent is acute where the Government attempts to act under so vague a concept as the power to protect 'domestic security.' Given the difficulty of defining the domestic security interest, the danger of abuse in acting to protect that interest becomes apparent."
particularly given the details of the case.

The whole rubric of 'security' has been so poisoned, that any mention of the word invokes the same feel good impressions that the Ministry of Love invoked in our demi hero Winston Smith. Security is about Fear Management rather than some archaic notion of personal or societal safety. It disgusts me.

As the new year approaches, there are quite a few interesting things that await us. Besides the agonizing Kabuki of the political process, we will see the steaming remnants of the executive branch mopped up and placed into the ash bin of history. We sit on a cusp - an inflection point really - where decisions made now will have generational consequences. Think about Miranda and the fallout from that, except for the judicial steam engine speeding in the other direction.

Not much else to say.

no one is united
all things are untied
perhaps we're boiling over inside
they've been telling lies
who's been telling lies?

there are no angels
there are devils in many ways
take it like a man

X, The World's A Mess It's In My Kiss

Sunday, December 30, 2007

Island of content

Mrs. set.element gave me the nicest gift ever. Went out with friends, had excellent dinner, watched my favorite band perform better than I have ever seen them. Ears still ringing.

Happy.

See, I can post non-grumpy/paranoid/angry.

s.e

Friday, December 28, 2007

Left Hand, meet Right ...

Regarding the post last Saturday about the proposed joint DHS/NSA program, I wandered across a few other interesting notes.

In a letter to the Bush administration, Rep Bennie Thompson (Chairman of the House Homeland Security Committee) politely asked "WTF mates?" Seems like repeated requests by him and his committee to get any sort of information have been repeatedly ignored.

More details can be read in an article here.
Thompson - whose panel oversees the Homeland Security Department, which would run the initiative - said he was unaware of the program's existence until it was revealed by The Sun in a Sept. 20 article.

A Homeland Security spokeswoman said Chertoff had received Thompson's letter, which was dated Monday, and would respond "in a timely fashion."

"We do agree that cybersecurity is a very important issue, and that is why since the beginning of this congressional session DHS has provided more than a half a dozen briefings to the House Homeland Security Committee on cyberthreats and related issues," said the spokeswoman, Laura Keehner.
So a program that has been in design phase for many months (if not years) which is expected to run for at least seven years and cost billions of dollars, which will require a revamping of the NSA charter and which involves access to highly sensitive personal information of everybody who is using The Internets transiting US geography - this is US citizens - is running silent and deep.

No indication of legal authority to even run the show. No indication that evidence gathered will even be usable when weighed against the remaining fourth amendment constitutional rights we still have. No notion of utility - how and what are they going to do?

That is what I want to know. Getting the data is surprisingly easy. Making intelligent decisions based on this collection of flows and application data can be quite difficult. Using the infrastructure to spy on people is trivial. Rather amusing in a cynical sort of way.

And we do trust them, yes?

The first part of the implementation seems to be a continuation of the Einstein program which is geared to globally monitor US government networking resources. This would be in conjunction with the OMB plan to reduce the number of POP sites hooking up government networks with the internet proper. No issues with this - we have seen budget and planning indications for this above the table. Government gets to monitor government networks. No expectation of privacy there(!).

What I am hearing though is this:
Policymakers have become increasingly alarmed at the vulnerability of trains, nuclear power plants, electrical grids and other key infrastructure systems, which rely on Internet-based controls that could be hijacked remotely to produce a catastrophic attack.

Recent attempted attacks on Pentagon and other government computer systems have heightened concerns about holes in government networks, as well.
Monitoring internet traffic will not actually address these issues. What exactly is the point of this program? Network monitoring sounds good and can be quite powerful in addressing some classes of attacks. I am not all that confident that it is the right tool to address issues related to real large scale threats to our resources. Nation-State level threats require smart responses rather than large responses. Sophisticated zero day attacks against high value targets are currently blindingly successful. Perhaps not tomorrow? Not sure.

PAB will awake soon, so I must go mop the floor.

Wednesday, December 26, 2007

All the news, errr, just a bit of news.

Now that the majority of Squidmas events have passed and we are left with the less than fun task of cleaning up the place, it seems like a natural time to ignore the many tasks at hand and do a little writing.
The Ministry of Truth contained, it was said, three thousand rooms above ground level, and corresponding ramifications below. Scattered about London there were just three other buildings of similar appearance and size. So completely did they dwarf the surrounding architecture that from the roof of Victory Mansions you could see all four of them simultaneously. They were the homes of the four Ministries between which the entire apparatus of government was divided. The Ministry of Truth, which concerned itself with news, entertainment, education, and the fine arts. (...)
So I have been thinking a bit about the role of media in the perception of the world around us. This is not original or even all that interesting to most people. We all know and understand it, but this subject has been on my mind as of late so I will cast it out on the internets...

On Dec 18th, the NY Times (our Paper of Record) took the successful filibuster of the telco immunity bill and essentially ignored it - while I do not think that every little obsession that I have deserves to be on the front page, trumping this real and important information with 2/3 page coverage about a small town high school football team. A great steaming pile of bucolic meat and potatoes americanism. The NYT did manage to make a showing on A29 for the filibuster.

The filibuster was one of the most significant political events to happen for quite some time and represented if not a departure from the current political kabuki, at least a tiny bit of fiber in the otherwise jello like political landscape.

My point to this is that with the new round of media consolidation the barriers to big business monoculture have been lowered again. The people who own the large media outlets are the same ones that are disinterested in an aggressive and thoughtful social and political process. They want you to care about steroid use, or some stupid person's sex life, or whatever dumbfuckery is rolling by in today's sound byte.

I can (and have) gone on and on about this stuff, but need to tie this up and get on with the rest of my work.

Do I have a final destination for this? Naturally. It is a little more out there than the usual post material, but if you can't post unauthenticated irrationally paranoid rantings on your blog we live in even darker times than I think.
“The right of voting for representatives is the primary right by which all other rights are protected. To take away this right is to reduce a man to slavery.”
- Thomas Paine, Dissertation on the First Principles of Government
The introduction of closed source, privately owned software companies into vote counting and tallying has resulted in significant change in the electoral process. Don't go running away just yet - I have a point to make (!!!).

Ok. The presidential elections of 2000, 2004 and the mid term elections of 2006 were rigged. Period. The inconsistencies with voting summaries and exit polls in Florida for 2000, and the exit poll fiascos of 2004 combined with the Ohio election mix up point to real actional events that have been carefully analyzed and determined to be hugely anomalous in US voting history.

Nothing new I know. People do not give a shit that the school house rock democracy that they have had described to them for their entire lives has become a lie. It has never been a truth, but the magnitude of difference that I am seeing here is overwhelming. People do not give a shit because the ability to process this abstract change has calcified from an excess of fear, corporate porn and sound byte politics. Class politics has devoured the democratic process and intends to perpetuate the bilking of our Great American Democracy until it is useless to them any more. The bones will be left for the less bright theocrats to make little houses out of.

Done with my paranoia. There is hope, there is light, there is hope.

Tuesday, December 25, 2007

A Good man of Business

Upon this day a very brief moment to stop picking up bows and little scraps of paper and fully embrace the meaning of our business. Many good friends over yesterday. Much food and talk and fun - truly a good squidmass.
"It is required of every man," the Ghost returned, "that the spirit within him should walk abroad among his fellow men, and travel far and wide; and if that spirit goes not forth in life, it is condemned to do so after death. It is doomed to wander through the world -- oh, woe is me! -- and witness what it cannot share, but might have shared on earth, and turned to happiness!"
[...]
"You are fettered," said Scrooge, trembling. "Tell me why?" "I wear the chain I forged in life," replied the Ghost. "I made it link by link, and yard by yard; I girded it on of my own free will, and of my own free will I wore it. Is its pattern strange to you?" Scrooge trembled more and more. "Or would you know," pursued the Ghost, "the weight and length of the strong coil you bear yourself? It was full as heavy and as long as this, seven Christmas Eves ago. You have laboured on it, since. It is a ponderous chain!"
[...]
"But you were always a good man of business, Jacob," faltered Scrooge, who now began to apply this to himself. "Business!" cried the Ghost, wringing its hands again. "Mankind was my business. The common welfare was my business; charity, mercy, forbearance, and benevolence, were, all, my business. The dealings of my trade were but a drop of water in the comprehensive ocean of my business!"
Indeed.

Saturday, December 22, 2007

He knows when you've been bad or good ...

Like I mentioned yesterday, there are just too many government agencies and non-governmental groups that want my magic ball of string.

There are a number of different topics that I have been hoping to have time to write about, this just came up and I thought that it would be nice to share. This is the season of sharing - like the head cold that I got from a nice person on BART for example...

So in the big struggle between the civilians (represented by DOJ), and the military (represented by NSA and in part DHS) to scoop up all of your personal data we have another move.

As has been discussed again and again, NSA + DHS have been gathering all the publicity for hoovering up everybody's packets and doing interesting graph analysis on them. Not to be outdone, DOJ is now entering into contract to spend 1 billion dollars on a vast database of uniquely identifiable characteristics:
Digital images of faces, fingerprints and palm patterns are already flowing into FBI systems in a climate-controlled, secure basement here. Next month, the FBI intends to award a 10-year contract that would significantly expand the amount and kinds of biometric information it receives. And in the coming years, law enforcement authorities around the world will be able to rely on iris patterns, face-shape data, scars and perhaps even the unique ways people walk and talk, to solve crimes and identify criminals and terrorists. The FBI will also retain, upon request by employers, the fingerprints of employees who have undergone criminal background checks so the employers can be notified if employees have brushes with the law.
Two things - the money has already been allocated since they have a ten year contract to award. No surprise there. Nice to know that they are sharing in the budget pain with the rest of the government. The second and more, well evil, is the notion that the normal firewall between your average corporation and law enforcement seems to be gone here. Reminds me of the gilded age where the nice robber barons had such a good working relationship with law enforcement. Mind you, a brush with the law is not the judicial system finding a person guilty.

But it does get better...

Again, from the article:

The FBI is building its system according to standards shared by Britain, Canada, Australia and New Zealand.

At the West Virginia University Center for Identification Technology Research (CITeR), 45 minutes north of the FBI's biometric facility in Clarksburg, researchers are working on capturing images of people's irises at distances of up to 15 feet, and of faces from as far away as 200 yards. Soon, those researchers will do biometric research for the FBI.

Covert iris- and face-image capture is several years away, but it is of great interest to government agencies.

As a personal note, I wonder if that anachronistic notion that law enforcement should have a reason to go poking about my business will ever be meaningful again. On a less philosophical note is the problem of false positives. As an exercise for the reader, you can connect the dots back to other posts regarding similar activity. PAB is just getting up and there is much to do before Squidmass eve!!

Feel safer yet?

Friday, December 21, 2007

Sweeping out corners...

Prolog: In starting this blog, a major part of writing has been involved with exploring the various groups and agencies that are interested in protecting us from those dark shadowy evildoers that live in deep cyberspace. At this point it is really getting difficult to keep up with the sheer volume of participants who have lined up to play this game. Hell a shorter list might be those people disinterested in your packets.

Go figure.

Anyway, as discussed previously our friends in the executive branch requested some large block of funding ($282 million) for some sort of anti-terrorism humdrum to be spread across DOJ and DHS. I provided what I thought was an argument mostly based on innuendo and character assassination but it seemed like a good idea at the time. Some part of the dark budget side of that proposition seems to be surfacing.

From the Baltimore Sun (which has removed the original article which can still be located in a google search):
In a major shift, the National Security Agency is drawing up plans for a new domestic assignment: helping protect government and private communications networks from cyberattacks and infiltration by terrorists and hackers, according to current and former intelligence officials.
(...)
The plan calls for the NSA to work with the Department of Homeland Security and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the "Cyber Initiative." Details of the project are highly classified.
Hmmm. Guess details of this project are beginning to emerge. This is the same set of folks that engage in illegal warrantless wiretaps of American citizens. This is what they say about the whole thing:
Another former NSA official said that if the government wants to prevent cyberattacks, it makes sense to tap the agency's skills.

"I've got to be able to at least look at something to determine: Do I have a threat or don't I have a threat?" the former NSA official said. "It's important that you have the best thinkers with the deepest experience working these problems on behalf of the nation."
A little farther down we see:
Amit Yoran, the Homeland Security Department's first chief of cybersecurity, said in an interview that while the government has made progress, federal efforts have been "somewhat spotty" overall.

Among the main challenges, he said, is that the Homeland Security Department has been given responsibility for the problem but lacks the authority and expertise to compel other agencies and the private sector to follow its lead.

The new cybersecurity effort aims to build, in part, on an existing NSA program, code-named Turbulence, which has had a troubled start, the senior intelligence official said.
The language that is being used here is quite interesting. What does it mean that one agency will 'compel' other agencies and the private sector to do something? As an act, this is hardly without precedent (think about basic federal regulations). On the other hand we are not just talking about seat belts here...

I have several issues here: The least of which is that DHS/NSA have not proven themselves competent in the domain of commercial computer security. This has been commented on before.

More importantly the NSA can not be trusted. Period. Ever. They have a long and glorious history of abusing their considerable power for pure political ends. Given the machinations that the EFF has had to go through up till now to show that they are already looking at most of this data anyway, it seems a little odd about the selection.

A final question in this day before the weekend before Squidmass, is simple. Who will monitor these folks? The DOJ? [hahahahahahahahahahahahahahhahahahah!!!] Even if I trusted them any more than DHS/NSA - which seems somewhat unlikely - they lack jurisdiction to do anything except to complain to congress, the courts or (you know this is coming!) the executive branch. Feh.

And what the heck is the 'Turbulence' program mentioned at the bottom of the article?
Turbulence is a loose collection of at least nine programs designed to give the NSA the ability to continuously patrol global communications networks. The Sun revealed the existence of Turbulence and outlined its management problems earlier this year.
This could all just be FUD and the program might be canned (or not even started). Just seems a little broken to me to even begin thinking about security in these terms.

-----
* The dictionary options for this word include 'insecurity' which seems more than a little more applicable to me...

Wednesday, December 12, 2007

moral calculus

I have been reading with some interest the ongoing drama associated with the CIA destroying video tapes of them using "enhanced interrogation techniques" on (amongst others) Abu Zubaydah. While this topic is worthy of righteous indignation in and of itself, I will try to contain myself on this rich topic for another day.

Ok. One thing. What the hell sort of lawyer fetish does this administration have going on? Every dumbfuck stunt that they seem to try is met with "Well my lawyer said that it was ok." quickly followed by "Oops! Guess I made a mistake!" Cowards and Fuckwits.

But I have an agenda and intend to follow it...

In a good read from the Washington Monthly, we get the following:

And here is Barton Gellman's gloss of Ron Suskind's The One Percent Doctrine:

Interrogators did their best to find out, Suskind reports. They strapped Abu Zubaydah to a water-board, which reproduces the agony of drowning. They threatened him with certain death. They withheld medication. They bombarded him with deafening noise and harsh lights, depriving him of sleep. Under that duress, he began to speak of plots of every variety — against shopping malls, banks, supermarkets, water systems, nuclear plants, apartment buildings, the Brooklyn Bridge, the Statue of Liberty. With each new tale, "thousands of uniformed men and women raced in a panic to each...target." And so, Suskind writes, "the United States would torture a mentally disturbed man and then leap, screaming, at every word he uttered."
As those of you who have the dubious pleasure of knowing me know, it is no surprise that I have a strong opinion about these things.

If you are willing to sit there and tell me that it is ever ok to torture another human being, then you better be able to address the following:

In all the scenarios that I have had the misfortune of reading, there is some dreaded emergency where we scoop up some evildoer who has the everlovin secret sauce which will let us foil the plan. I have yet to hear one of these stories where an individual who has been provided with due process and has been found guilty in a court of law under the protection of the constitution is said evildoer. A suspect, forbidden access to rule of law, is tortured. I am sure you are still ok with this since there might be a "reasonable prospect that the torture of a terrorist will save innocent lives".

For the sake of everybody's sanity, I will skip the notion of terrorist identification. What it would be good to remember is that many of the people who find themselves in Cuba (and elsewhere) have absolutely nothing to do with terrorism. They were kidnapped and turned in for the money offered by the US Government.

Does any of this change if the suspect is a US citizen who has not been formally charged with anything?

So what do we do now if the torture does not work? What does the calculus of our moral system provide? We have recited that it is ok to torture a possibly innocent person to save innocent lives. So I give you your fictional '24' scenario. The suspect and their hidden bomb. You torture them and do not get the required result. What now? Their driver? What about their friends? Their spouse? Their child? What defines the line for right and wrong? What would you do?

In reading the comments to the article, I was struck by the moral calisthenics that people seemed to engage in to both support torturing their fellow humans and to pretend that this is still a country where there is some notion of rule of law. Nowhere did I see the issue of 'innocent until proven guilty' addressed. It is as though that whole notion gets swept off the table. One comment really made an impression on me for its wholesale lack of morality.
I doubt it, because unlike Nick, I think if there is a reasonable prospect that torture of a terrorist will save innocent lives, it should be used as a last resort. Actually, I hope we develop some modern form of "virtual" torture that does not significantly harm the person, but secures necessary and accurate information.

Posted by: brian on December 8, 2007 at 1:44 PM | PERMALINK
Virtual torture. The play on words here is a little odd. The mechanism of choice that we have been all focusing on is waterboarding which is, as we have heard from countless experts, a way to simulate the whole drowning experience. Now virtual torture seems to provide a sort of ethical middle path for brian here. If we really don't beat the shit out of someone or deprive sleep or waterboard them, but instead only simulate an exact duplication of the experience it is somehow cleaner. Less wrong.

That is unless you have an issue with destroying the mind, body and soul of another human being.

Monday, December 10, 2007

A few thoughts on the free internet

The Party said that Oceania had never been in alliance with Eurasia. He, Winston Smith, knew that Oceania had been in alliance with Eurasia as short a time as four years ago. But where did that knowledge exist? Only in his own consciousness, which in any case must soon be annihilated. And if all others accepted the lie which the Party imposed -- if all records told the same tale -- then the lie passed into history and became truth. 'Who controls the past,' ran the Party slogan, 'controls the future: who controls the present controls the past.' And yet the past, though of its nature alterable, never had been altered. Whatever was true now was true from everlasting to everlasting. It was quite simple. All that was needed was an unending series of victories over your own memory. 'Reality control', they called it: in Newspeak, 'doublethink'.
George Orwell, 1984

A few thoughts about the free internet:

There are so many changes happening to the way that our corporate masters are reworking the notion of an ISP, that keeping track of their actions is as difficult as keeping track of the criminal enterprise running the current administration. Yes, I have a great deal to say about those bastards, but that will have to wait as there are many people doing an excellent job tracking their evildoery.

Thankfully I know a little more about service providers than my political education based on School House Rock.

Let me get my main points across - your data is being monitored. It may not be by the NSA (though methinks that that is in all likelihood the case). It is by your ISP. Seeking to maximize profits as well as track possibly illegal web site access, your web browsing is being monitored and recorded. Those records are kept around for a long time. What you ask for is not always what you get. The data you request across your common carrier service provider will not always get to you if the profit margins are not high enough.

For those of you interested in citations:

Ex AT&T Tech Says NSA Monitors All Web Traffic

Google Hijacked -- Major ISP to Intercept and Modify Web Pages
ISPs Spying On and Modifying Web Traffic -- With Patent Application
German ISPs Must keep web content for 6 months
US Made Censorware used to oppress Burma
DHS wants master keys for DNS
Congress' copyright reform: seize computers, boost penalties, spend money
FBI Puts Antiwar Protesters on Criminal Database

The service that you the customer pay for is not the service that you get.

But who really cares?

You should care because the infrastructure exists to dynamically re-write the content that you see from any site. You should care because what you do is closely monitored by little brother. You should care because one of the only tools that exists for the dissemination and communication of viewpoints inconsistent with the corporate media message are carried over lines owned by those same corporations.

You really should care.

Friday, December 7, 2007

Bringing a toothpick to a knife fight


This is another example of Attacker 3.0
exploiting features devised by Developer
2.5 while Security 1.0 is still thinking
about how great it is no big worms have
hit since 2005.

Another dork post I am afraid. It has been quite a while since I have written anything - between work, family and a research paper due, there has been no time to wax philosophical about the strange world around me.

Thankfully I can count the number of readers on one hand, so I doubt that anybody noticed.

Some time ago, I made some comments about the quality of hostile actor that I have had the pleasure of interacting with. The time has come to ponder the other side of the coin. Having just finished a graduate course in "Privacy and Security Enhancing Technologies" and dabbling in the actual day to day myself, there are some interesting things that I have noticed. The quote at the top of the page (which is not my own) has caused more turbulence for my fellow co-workers than you might imagine.

We interact with computers, networking systems and the internet through windows of our own making. Since this is a strange combination of physical (little burps of electrons and photons crashing into semiconductors and doing Fermi-Dirac things) and mathematical (routing tables, state engines and statistical distributions) we have no way of really seeing what is happening around us on the many different levels that stuff is going on.

Ok. So what?

To process the huge amount of information that must be sifted through, we have whole sacks of tools and generalizations. With the most short term useful of these, one sees what you expect to and little else. There is, unfortunately, a whole universe of other things that slip by.

Ready for a little irony? The same environmental changes that are leaving many of the small classical hackers out in the cold are doing the same for the security community. There is a sea change taking place within the arena of computer security and quite a few people refuse to notice. Too busy watching internet worms to notice Cthulhu sneaking up behind them.

And the other graduate students? While I might have issues with "kids these days" not being able to do math without the aid of a graphing calculator it was a real pleasure to see some really cool out of the box work being done. Not practical stuff from an operational perspective, but at least it keeps me looking over my shoulder.