Chaos Program

How can you not love a domain named “cryptohippie.com?”

Okay, so it’s a business that sells unusual and interesting services that broadly fall under the heading of “security.” I say broadly because this is not the usual anti-virus or hacker proofing kind of stuff. Check out the website if you like. For now let’s just say that CryptoHippie lives up to its name.

What I really want to discuss is CryptoHippie’s report on the Electronic Police State, 2008. (Available here). The title caught my eye immediately, partly because I recently finished a class that included in the reading list a couple books that were chock full of scare stories about that same topic, more or less [See No Place to Hide by Robert O'Harrow, Jr. and Darknet: Hollywood's War against the Digital Generation by J.D. Lasica]. The class wasn’t quite about that, though. It was about the law as it relates to computer and internet security and privacy (It was also brutal but it looks like I got the A).

Of course, some of what we covered included the hoops the government has to jump through to gather and the way that was changed by the USA PATRIOT Act. Privacy policies and the laws that govern or even require them were also a large part of the class. And other interesting things. Never did the phrase “Electronic Police State” come up. That would be worth another class by itself and I hope to take it one of these days.

The first topic should be What does “Electronic police state” mean?

First, what is a “regular” police state? According to Wikipedia, the term “describes a state in which the government exercises rigid and repressive controls over the social, economic and political life of the population” (Police state). This is a nice start but doesn’t tell the half of it. A police state is one where citizens have few, if any, rights. It’s a place where they can be arrested at any time with, or without a reason. In the old Soviet Union the crime of committing “anti-soviet activities” (or was it un-Soviet?) was a catchall that could be used to collect dissidents or prostitutes with equal ease (the story goes that it was used against prostitutes because there were no laws against prostitution, since that was said to exist only in decadent western countries like the U.S.A. But that law could be used to nab almost anybody for almost anything, so it worked just fine).
read more »

After I wrote the last post about problems with the upcoming CyberSecurity bill (see The Law of Unintended Cyber Consequences) – actually after I went to bed – I realized what bugged me about the whole idea of the president having a Real-Time CyberSecurity Dashboard. It’s an alarm system just begging for someone to mess with it. There are three possible scenarios that I can think of without trying very hard.

In the first scenario someone with a great many resources (maybe well-educated Russian youth groups (as described in my post Cyberwars Redux), launches a series of  “events” to gauge the workings of the dashboard. Maybe they do a virus one month, a severe denial of service attack on a high profile target another month and a serious attempt at penetration of a military target some other month. They monitor responses from the White House, particularly the CyberSecurity Advisory Panel. Maybe they go by press releases and rumors in the press. An actual intelligence operation (as all governments have and quite a few terrorist organizations as well) might have live humans they can pump for information. Anyway, after a time, they gather enough information to know how to make the dashboard show what they want it to show.

I’ve described this as an entire intel program but it doesn’t have to be. The dashboard will be something most security geeks will be interested in. Information about it will get out. Maybe it will show up in the trade press, or in casual conversations at conventions or on IRC. The trouble is, once people learn how to manipulate the system, worse scenarios become possible or even likely.

read more »

Computer security seems to be an endlessly hot topic. Recently, there has been talk of a bill in the U.S. Senate that would dramatically change the security landscape in this country. Under the guise of protecting national infrastructure, this legislation would raise the price tag for security significantly while allowing the federal government to take charge of any and all systems and networks it happened to choose.

Great idea. “We’re from the government, and we’re here to help your computers. Here’s our secure example. It’s called Colossus” (That’s a somewhat obscure movie reference. See Colossus: The Forbin Project or even Colossus: The DVD. See what people worried about long before we ever heard of Skynet).

The bill is The Cybersecurity Act of 2009, co-sponsored by Democrat John Rockefeller of West Virginia and pretend Republican Olympia Snowe of Maine. As of yet (if I remember correctly and didn’t miss something in my reading), the bill has no sponsors in the House. That’s a hopeful sign. Let’s see why.

read more »