I am unclear on what you mean by technical choice. Are you talking about a
technical solution to keep the government from seeing your traffic? That will
not work for two main reasons.
1. The government has a lot more resources and motivation than the average
company when it comes to security systems. They do not have to be profitable,
just effective. Most companies only invest in the security that they are
required to provide. As a private entity they will be unlikely to want to get
in a technological arms race with the NSA. Remember these are the guys that
also design some of the most sophisticated encryption systems in the world and
have nearly limitless computing power to break such systems. They attract some
of the most brilliant mathematical minds in the world and actively pursue these
employees. You are really unlikely to out "security engineer" the NSA
especially since the USG can control legally what technology you are allowed to
use and export. Who designed your encryption algorithm and which one of your
employees is a qualified cryptographer that can assure you that it is secure
enough. Is he qualified to tell you what backdoors or capability NSA has to
break that encryption method? Do you have the technical experts to assure you
that no US intelligence service has penetrated your human or technical
resources? Do you think no one in your organization would plug something into
your network if it comes with a bag of cash or a threat attached to it. If so,
I think the NSA might offer you a lucrative job. Remember these are the same
guys who are supposed to break the communications of foreign governments and by
all accounts are fairly good at it. I don't want to bet my job on defeating
them.
2. If the political environment allows, they will simply pass laws along the
lines of CALEA to give them the legal right to tap your traffic. Even if you
won the technological battle they can instantly trump you with key escrow and
other such legal force means to defeat you. If the political will exists they
can pass a law requiring you to pass them all information in plain text. Game
over, you lose. Just try to defy a FISA court order or refuse a CALEA tap and
see how long you are in business. There is always a debate of privacy vs
security and there always has been in one form or the other. This is expressed
by the people of this country in their political and economic choices. I know
it does not seem like it sometimes but the government will only do what the
majority of the people will accept most of the time. Every decision a
politician makes is a balance between what he wants and what he thinks he can
get away with. He want the information but it is only useful if he maintains
his access to power.
As you see, the ONLY solution is the political will to limit the governments
powers. The only way that is done is to threaten the power structure or
financial structure. The history of the best technical solution winning inside
the US Government structure is pretty weak. POSIX compliance, ADA programming,
need I say more? I say this as a former network engineer in the United States
Air Force. As far as both parties being responsible for this, I agree
completely. Everyone knows that information is power and everyone wants as much
information as they can get. The only way to influence that is to make the
cost of illegal information collection too high a price to pay for the
politicians. The NSA will only use the technology they are allowed to use by
whomever is in power. No one over there wants to go to jail and most
government employees do not want to put their neck on the line if they know
there is no safety net. The Director of NSA answers to the President. His job
is to get the information the USG wants and not get anyone fired doing it.
Everything he does is about that balance. If he does not do it, the President
will appoint someone who does. Historically the NSA is directed by a General
officer from the military. They generally follow the orders they are given by
the President and that is where the power really lies. It is the job of the
Congress to oversee that and ensure the limitations are being followed. If
that is not happening, it is up to the citizens to replace the President or
Congress with someone who will follow the will of the people.
Steve
-----Original Message-----
From: Royce Williams [mailto:ro...@techsolvency.com]
Sent: Friday, September 06, 2013 9:56 AM
To: NANOG
Subject: Re: The US government has betrayed the Internet. We need to take it
back
[snip]
http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-knowledge
I think that Schneier's got it right. The solution has to be both technical
and political, and must optimize for two functions: catch the bad guys, while
protecting the rights of the good guys.
When the time comes for the political choices to be made, the good technical
choices must be the only ones available.
Security engineering must pave the way to the high road -- so that it's the
only road to get there.
Royce
[snip]
