Security and freedom blogging

I recently received an email telling me they liked my little detours into security.  I haven’t touched security recently for a number of reasons.  Primarily my research in that area has been temporarily thwarted by PNNL defying the Freedom of Information Act.  A FOIA request I made back in June only required they make a duplicate of some of the files on a DVD and send it to me.  I told them who had possession of the DVD, the project name, and the markings on the DVD.  Very simple.  None of the material I requested was classified and although it was originally considered Official Use Only that restriction had been lifted before I left and the material was used on a proposal for a completely open project which we won a contract for.  They are in defiance of the law and my FOIA attorney is working on the problem but my involvement in security issues gets sidetracked by my anger over PNNL’s illegal activities.  Unfortunately FOIA is a law that doesn’t have any enforcement teeth.  It’s against the law for them to do what they are doing (or rather not doing) but there are no penalties for their illegal activity.  Sort of like making it against the law for you to steal but if you get caught nothing happens–you don’t have to give back what you stole and you don’t get punished for your crime.

Anyway… sidetracked by my anger again…

Alphecca posted this about Bush authorizing eavesdropping on American citizens and wondered why a lot of the people on the libertarian/conservative side of the Blogosphere are quiet or indifferent about it.  I haven’t read any news reports that indicated anything of real news.  From my readings (try The Puzzle Palace) and a few hints from other sources the NSA has been doing this for years if not decades.  You shouldn’t act as if your electronic traffic is any more private than if you were to have a conversation on a crowded elevator.  Encrypting your traffic might make it as private as a conversation on a city street.  I try to encrypt a fair portion of my email and encourage others to do the same.  Most of my web browsing travels, at least part way, via encrypted channels.  This is not because anything in the email or my browsing would be a problem for me if it were decrypted but because it raises the cost for the people doing the surveillance.  The more people that do that the more likely they are to concentrate their limited resources on the people that are high probability threats to our national security.  I talked about this at the Gun Rights Policy Conference in 2000 (do a search for “Huffman” on that page).  If I had the time I would work on some other projects that would further consume resources and release them to the public.  Basically, as others have pointed out, you can’t legislate restrictions on the government and expect them to obey the law.  Government entities rarely obey the law (see here, here, here, here, and the first paragraph of this post for example) if it’s inconvenient for them to do so.  Remember the famous Henry Kissinger quote?  Of course this is the real reason for the 2nd Amendment–a last ditch resort for prevention of tyranny.  But there are other things we can do to help that are much lower cost to us and exact at least a moderate cost from the agents of tyranny.  Encrypting your electronic traffic is one of those things.  It costs them far, far more computing resources to decrypt it than it does for you to encrypt it.

I spent some time catching up on my security reading and came across this on Bruce Schneier’s blog:

According to the three-page document, to preserve the openness that characterizes today’s Internet, “consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement.” Read the last seven words again.

What the FCC is now saying is that people cannot use encryption technology unless law enforcement has the back-door keys to it.  Of course they have to know encryption is being used before they can stop you from using it or demand you give them the keys to the back-door.  I covered that in my GRPC talk and I already distributed a tool to circumvent them to hundreds of people.  What I haven’t done is tell all those hundreds of people about the hidden feature set in the tool–just the ones that paid money for the product.

I should work on some of my other tools.  The price of liberty is eternal vigilance and I need to pay my share of that price.  When the next tool is up and running I’ll talk about it more.  In the meantime check out PGP and Thawte.  The cost to you is low and the cost to “them” is high.