The Government Uses Zero Days for “Offense” (eff.org)
217 points by DiabloD3 on Nov 10, 2015 | 107 comments


91% could also be pretty misleading because not all vulnerabilities are equal. It's easy to let 9 potential segfaults or memory corruption issues get disclosed if you get to hold on to the 1 iOS Zero Day/Shellshock type attack/etc...


You beat me to it, haha. I was going to make the point that the vast majority of bugs found don't do anything significant for a hacker. A program crash or corruption at worst. It wouldn't surprise me if NSA just discloses the ones that hurt availability while weaponizing the few hitting confidentiality or integrity.


Yep. Think of it as creaming off the top 9%.


Does the EFF really expect the NSA to publicly detail every time they've used an exploit offensively?


Against Americans? Yes. The rule of law demands it.


That point is so important that I hesitated to add a distraction but I think it's also worth remembering that the NSA has a defensive role, too.

It's been much neglected in recent decades but the entire country would be better off if the NSA helped patch things. They're hoping some suspected bad guy doesn't get patched but odds are high that many Americans, particularly important IP-heavy businesses, are going to get exploited as well — and given all the reports about how e.g. bin Laden preferred to send messages using trusted couriers, that trade off doesn't seem very good.


Are you seriously suggesting you don't think the security services have decades of experience in weighing the pros and cons of information release?


Their history has shown a trend toward less and less disclosure over time. Each successive "war" takes longer and longer for things to be declassified.

I've got extremely detailed material in my library published within years of the end of WW1, the sorts of detail I honestly never expect to see again.

The long cold war "taught" them to not trust the public, and the global media environment and the Internet only multiply their concerns.

Even if they have reasons to release... Those are increasingly washed away by their fear. We the public grow to accept "infinite secrecy" inch by inch, it's the Overton Window and sadly it works.


Each war has an increasing media presence, did you really not notice that?


Yes. Not necessarily an accurate media presence. The media is also part of the war.


Since you mention decades of experience and information releases...

A book I just read about the history of the KGB and GRU listed techniques they used to unmask CIA spies. Choice stuff. If the cultural attaché has three assistants, and two of them have offices next to the cultural attaché but the third has an office in the maximum-security area, which one is the spy? If that third assistant was hired at the age of 33 to an employer that never hires anyone over 31? And did not go through the regular training? And is listed in the State Department's employee list as "Reserve", i.e. not a regular officer? And so on. A long and embarrassing list, and it worked for decades. The CIA knew about it in 1964 (probably not in detail) but the Soviets still used these techniques to unmask three CIA spies per week in 1980.

Maybe the real stupidity was to locate the spies' offices where they were. But the office lists were published, for decades. The employee list was published, including the "Reserve" marking, for decades.

Decades of experience do not automatically confer competence.


> The CIA knew about it in 1964 (probably not in detail) but the Soviets still used these techniques to unmask three CIA spies per week in 1980.

If you're the CIA and you know the Soviets are using this technique, you don't fix the problem, you use it to your advantage by letting the Soviets unmask the identities of lesser spies while not putting your most important spies on the employee list.


Sacrifice three less-important spies per week? From 1964 to 1989? That must have been some amazingly amazing things they guarded if they were worth that sacrifice.


What's good for one agency may be bad for another. For example, the State Department might like Tor because it facilitates anonymous informants, while the NSA might not like it because they can't read your email.

I am not even sure if the NSA's mission extends to defending civilians.


I'm not even sure it extends to defending the government.

At least not fully enough, given the OPM breach.


In practice it does, because protecting civilian software systems is generally a good way for them to protect their own systems.


Decades of experience doesn't mean it's the globally-optimal experience. From what has been made public, for example, it really seems like after 9/11 happened everyone got the message very clearly: “never again, no matter the cost”.

There hasn't been any significant counterbalance for protecting the public. This is also something of a new threat analysis model for them: software usually fails completely and globally, whereas there's never been an equivalent where someone in Russia figured out something like how to shut down every GE industrial generator in the world without physical access. If you are used to thinking of the world in the era before pervasive internet connectivity you're going to underestimate the cost of not fixing something.

Nobody has been fired for keeping information secret or using national security as an excuse to mislead the public and even the Congress, and there's been no penalty for using those laws to conceal mistakes or abuse. That speaks of a culture which values secrecy over almost any other concern.

So, yes, they have decades of experience – but I would argue those are decades of experience with the wrong understanding and incentives.


Of course they don't. Security services don't have experience. People have experience. People are often incompetent. Security services have long, glorious histories of incompetence. Every day, someone with very little experience is having to make decisions.

Here's a similar example. The British armed forces have decades and decades of experience of COIN. Yet they were bloody awful at it for most of the recent Iraq and Afghanistan debacles. The fact that someone who had a job fifty years ago and was good at it is meaningless. It only matters if the person who has the job now is good at it.


Yes. Pretty much everyone I know in such an industry has tunnel-vision on their area and overestimates its importance. They'd end up plastic-wrapping(/suffocating) us to prevent [malware, terrorism, power-grid collapse, etc] if they could - that's their only metric because they spend all day thinking about it.

If you step back and look at terrorism and hacking and traffic fatalities on the same level you can make rational plans to actually help the most people - then assign tasks to the agencies. They certainly can't set their own goals.

So no, I really don't think the NSA has a rational (ie, cost/benefit) balance of attack/defense from our (citizens who want to live long wealthy lives) PoV. It's our job to regulate that.


Why do you think the two are mutually exclusive? I was under the impression that the NSA publishes security advisories all the time?


For the most part, any party the NSA might be interested into is going to be running an OS and an application suite that will also be used by Americans a whole lot. Probably even other government agencies.

So, every zero day they find and weaponize, is a zero day that they don't tell the vendor about. So to be able to be aggressive with exploits, they have to leave American computers exposed too, and hope nobody else has found the exploit. So even with the same budget looking for vulnerabilities, doing the right thing for one of their roles makes them worse for the other.

It's a bit like the encryption problem: An encryption system with a backdoor that the NSA has weakens American security too, because the backdoor itself is a valid intelligence target: Infiltrate the NSA, take the backdoor key, and anything the NSA can snoop into, someone else can too.

So doing both defense and offense without major tradeoffs requires having some kind of edge that nobody else can ever have: For instance, the rumored gigantic cluster that can crack specific SSH communications, which they expect nobody else to be able to replicate, just due to the cost of the hardware. That's a far more limited offense than what we know the NSA had at the time of the Snowden leaks.

So my guess, based on public information, is that they do trade-offs, and disclose the issues that they think are easier to find, while keeping around enough ammunition to have something against pretty much every target.


At least one issue is perception of the NSA by the talented people that the NSA needs to recruit. At the time I graduated CS undergrad in 2010, the NSA was still seen as "Sketchy, but good (and reliable) on the balance." Post-Snowden, views have changed. If the NSA can't do a better job of public relations, nobody is going to want to work for them, and then this defensive work won't be done as well.


Conscription neatly solves that problem...

Given the proper motivation (née "a carrot-shaped stick"), a potential prospect will be inclined to accept the offer of employment.


Forcing people to work for you is a surefire way to ensure they do a terrible or half-arsed job.

Worse, they may even actively do a bad job in the hope of doing damage.

Plus, the whole idea of conscription is absurd.


Apparently I needed to include a "/s" on my comment.

No, conscription is most assuredly not the answer :)


The NSA knows little about defense. They keep saying Defense in Depth but even they don't know what that means. It's Security Compliance, guys! Defense in depth (Castle Approach) is Security Compliance because the Security Controls are defined in ISO 27002, FEDRAMP, CCM!


Okay, so let's say American businesses can't get hacked so easily by nationstates and have their secrets stolen. Also, Iran has successfully tested a nuclear bomb. Is that the world you'd prefer?


This is such a laughably typical strawman excuse that is used to shut down all discussion on this topic.


I believe the parent may have been referring to Stuxnet. https://en.wikipedia.org/wiki/Stuxnet

It is indeed possible that if the NSA used a very different strategy with vulnerabilities, Iran might be further along with its nuclear weapons development.


Iran was using out of date software and hardware IIRC, so Stuxnet would still have been possible.


Stuxnet will always be possible. The vulns/trojans just replace having to get someone to knowingly install it.

Or rather, will always be possible until we move to doing protocol and behavior analysis of SCADA commands (as they enter the machine). And that'll just mean it has to get more subtle. If there's a way to do it right, there're more ways to do it wrong.
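The "protocol and behavior analysis of SCADA commands" the comment above mentions is, in its simplest form, an envelope check on writes before they reach the controller. The block below is an added example, not code from the original thread: it defines a hypothetical per-register policy (allowed value range, maximum step per write, allowed source hosts) and runs it over a constructed stream of Modbus-style holding-register writes. Register numbers, hosts and limits are invented for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed command records in a Modbus-like shape: sequence number,
# source host, unit id, holding register, value. Not a capture from any real plant.
@dataclass(frozen=True)
class WriteCmd:
    seq: int
    src: str
    unit: int
    register: int
    value: int

# Hypothetical engineering limits for each writable register: the value range the
# process can tolerate and the largest change a single write is allowed to make.
@dataclass(frozen=True)
class RegisterPolicy:
    low: int
    high: int
    max_step: int

POLICY: Dict[int, RegisterPolicy] = {
    40001: RegisterPolicy(low=800, high=1200, max_step=50),  # e.g. a speed setpoint (assumed)
    40002: RegisterPolicy(low=0, high=1, max_step=1),        # e.g. a run/stop flag (assumed)
}
# Only the engineering workstation is expected to issue writes (assumed address).
ALLOWED_SOURCES = {"10.0.0.5"}


def check_commands(cmds: List[WriteCmd]) -> List[str]:
    """Return one alert string per policy violation; an empty list means every write stayed in envelope."""
    alerts: List[str] = []
    last_value: Dict[int, int] = {}  # last value written to each register, for step checks
    for c in cmds:
        if c.src not in ALLOWED_SOURCES:
            alerts.append(f"seq {c.seq}: write from unexpected source {c.src}")
        pol = POLICY.get(c.register)
        if pol is None:
            alerts.append(f"seq {c.seq}: write to register {c.register} not covered by policy")
            continue
        if not (pol.low <= c.value <= pol.high):
            alerts.append(f"seq {c.seq}: register {c.register} value {c.value} outside [{pol.low}, {pol.high}]")
        prev = last_value.get(c.register)
        if prev is not None and abs(c.value - prev) > pol.max_step:
            alerts.append(f"seq {c.seq}: register {c.register} step {prev}->{c.value} exceeds {pol.max_step}")
        # Track the value even when it violated policy: the device now holds it,
        # so the next step check must be measured from there.
        last_value[c.register] = c.value
    return alerts


# Constructed sample stream: a gentle ramp, then an abrupt out-of-range jump,
# then a write from an unknown host, then a write to an unmanaged register.
SAMPLE_STREAM = [
    WriteCmd(1, "10.0.0.5", 1, 40001, 1000),
    WriteCmd(2, "10.0.0.5", 1, 40001, 1040),
    WriteCmd(3, "10.0.0.5", 1, 40001, 1400),  # out of range and step 360 > 50
    WriteCmd(4, "10.0.0.9", 1, 40002, 1),     # unexpected source
    WriteCmd(5, "10.0.0.5", 1, 40010, 7),     # register not in policy
]


def sample_alerts() -> List[str]:
    return check_commands(SAMPLE_STREAM)


if __name__ == "__main__":
    for line in sample_alerts():
        print(line)
```

Two design points follow from the comment's own caveat. First, the monitor has to see the traffic on a tap that is independent of the engineering workstation: Stuxnet hid its modified PLC blocks from the Siemens software on the host it infected, so a check that runs on that host sees nothing wrong. Second, an envelope check like this only catches writes that leave the envelope; an attacker who keeps every write inside the allowed range and step size, and simply issues them at the wrong time, is exactly the "more subtle" attack the comment predicts, and needs process-level context (what the plant should be doing now) rather than per-write limits.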


Typical of what? Obviosity? We've got a poster here claiming that businesses are "going to" get exploited, and in the meantime, non-theoretically (consider reading the Wikipedia [1] article on "strawman"), the U.S. Govt is making productive use of exploits today.

You're the one trying to shut down discussion.

[1] https://en.wikipedia.org/wiki/Wikipedia


I think you're misrepresenting what the rule of law means. The rule of law just means we follow codified rules, not the arbitrary whims of an individual. The NSA is, I'm sure, very scrupulous about following the law.


We have repeated proof of the opposite – Congress had to rush to retroactively legalize the mass surveillance programs, and much of what's been disclosed since is clearly unconstitutional.

What they are extremely good at is using security claims to avoid ever having to see a real court. Most of the cases have been thrown out for lack of standing because it's hard to prove that you've been spied on when all of the details are classified.


Clearly unconstitutional according to whom?

It is valid to criticize the state secrets defense which keeps the NSA out of court – it's not valid to unilaterally decide what is and is not clearly unconstitutional.


You're correct that it's ultimately up to judges to interpret the law, but in this case it's really hard to see the full range of NSA activities surviving a 4th amendment challenge. The recent ruling shows how that's likely to go unless they're allowed to play the national security excuse:

https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2013cv0...

There's a simple rule I use for this: are they trying to prevent a court from discussing the mechanism?

You never see e.g. the FBI trying to argue that it'll endanger national security to acknowledge that they have the technical capacity to wiretap phones because that's clearly legal as long as they have a warrant. They might try to keep specific instances sealed (e.g. mob cases where retaliation is likely) but the capability and process is not secret.

As with the NSA, however, that changes once they exceed their legal authority and you see that when they do things like drop charges against known criminals rather than discuss how they used a Stingray to intercept cell-phone traffic. There's no reason to do that unless you know that the system isn't designed to follow the legal rules and thus would never survive a real court.


Actually, unilaterally deciding what the constitution means is actually how it works. You don't vote to see if you feel it's unfair - you feel it's fair/unfair and so you vote to express that.

The constitution isn't a promise we-the-people made to government, it's how we-the-people define government.

Now it's okay that the NSA employees had different opinions, but what's not okay is that when called on their actions they used their interpretation of the constitution not just as a defense, but as a reason to continue. As if we owe the government its rights instead of the other way around.

Clearly unconstitutional according to anyone who cares about the will of the people they serve as opposed to the letter of the law.


If it were all a matter of interpretation we wouldn't need an actual written constitution.

If it were all up to judges the constitution wouldn't be on display and would be written in Latin or somesuch. But the constitution is public, readable and fairly plain. Now maybe the constitution is outdated. Maybe it should be changed. I don't know that. But from what the constitution reads at this point a number of these measures are manifestly unconstitutional, and it doesn't take a mosque full of Koranic scholars to ascertain that.


> If it were all a matter of interpretation we wouldn't need an actual written constitution.

This is false, given that there is no settled jurisprudence until interpretation happens. If the Constitution said "there may be no dog-walking on Thursday", the constitutionality of dog-walking on Thursday would rest entirely upon the decisions of the judiciary with regards to its constitutionality (and this is important, as the court can functionally ignore provisions of the constitution under accepted judicial doctrine; being lashed to two-hundred-year-old thinking is not an inherent good and so plenty of escape hatches have been created over time).

> But from what the constitution reads at this point a number of these measures are manifestly unconstitutional

You speak imprecisely. You think (and maybe I do, too) that those measures are unconstitutional. Until they are ruled unconstitutional by a court (and the decision upheld on appeal, ruled on by the Supreme Court, etc. etc.), the most you can realistically say is that something might be unconstitutional. That's how checks and balances work--only the judiciary can say one way or the other, and that's by design.


What you have described is the sort of government we have, but it's not one characterized by the rule of law -- or at least not characterized so thoroughly as you imply. If law can be retconned, then we are not ruled by law at all; we are ruled by the ones doing the retconning.


Law can be retconned. That's what a court decision is. Convictions or exonerations under a court decision cannot be retconned (except by pardon).

Yes, we are ruled by the ones doing the retconning: that's what elections are for.


I don't disagree that legally you are correct.

But I think you might be missing my point. The constitution is on display in the nation's capital. Copies hang on the walls of courtrooms around the country. It is taught to school children. It is (in theory) the supreme law of the land.

If it were meant strictly for closed door interpretation by qualified individuals I doubt this would be the case. It would be like the bible during the dark ages. Only highly trained and qualified priests would be able to correctly understand it and pass their deciphering on to the masses.

The point is that we live in a democracy. We are entitled to read the agreement we are supposed to be living under and to ascertain that it is (or isn't) being followed. In theory, (if anyone gave a shit), we can then elect people who will appoint judges who actually follow the document rather than weaseling around it for who knows what purpose while keeping the masses in the dark.

Now, maybe the system is in need of overhaul for new times. But that is how it is supposed to work. Don't _ever_ feel you aren't qualified to ascertain an injustice or an infraction of the rules. And please don't suggest others don't have this right either. Down that path lies darkness.


It is a purposely vague document outlining the basic form of government leaving out all important detail and deferring that to said government and courts; it is by design intended to be interpreted by qualified individuals. The notion that it's some clear simple document anyone can read and properly understand is simply contrary to history and contrary to how law operates even back then. It was never the supreme law of the land so much as the supreme framework of the law to be later implemented by the land.

> If it were all a matter of interpretation we wouldn't need an actual written constitution.

That sentence quite literally makes no sense; all writing is a matter of interpretation, writing something down doesn't remove interpretation without great effort; in fact that's what legalese is, an attempt to remove all possible interpretation (which still fails continually; thus judges) and the constitution is not written in that manner because it's a general outline, not an attempt at really creating practical law.


What exactly is vague about this?

"No Person shall be a Representative who shall not have attained to the Age of twenty five Years, and been seven Years a Citizen of the United States, and who shall not, when elected, be an Inhabitant of that State in which he shall be chosen."

or this?

"All Bills for raising Revenue shall originate in the House of Representatives; but the Senate may propose or concur with Amendments as on other Bills"

or this?

"Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction."

Now, I agree in portions such as this:

"The Privilege of the Writ of Habeas Corpus shall not be suspended, unless when in Cases of Rebellion or Invasion the public Safety may require it."

That what comprises "public safety" is open to some degree of interpretation.

But the document, as a whole is not that opaque.

The intent is to be a transparent set of rules. Ones that you and I, as participants in a democracy can view and insist are followed. We can't just say "oh, judges know better" and leave it at that. That isn't a democracy, isn't representative and leads to a very bad place. We have to demand representation and a rule of law. We can't allow the law to be bent to the point it really isn't law anymore. We, as citizens, must be in control of our government. To do that, we must individually be able to read and judge the rules and ascertain if they are or are not being followed. And elect those who agree to uphold rather than subvert the process.


There's plenty vague about those things; by what rules shall the house and senate operate... unspecified and left to the house and senate to figure out just as a thousand other things are. Most of the document is open to interpretation, as is all written word by man anywhere. Even today people can't agree on the meaning of the second amendment.

Just because you can find a few things that seem specific is in no way an argument against my point; I didn't say it had no specifics, I said much of it is vague and intentionally so. The real law of the land is the U.S. Code which is the actual law derived from the framework the constitution lays out. The notion that anyone can understand the constitution is simply wrong; without a correct legal grounding in common law and precedent you have no idea what the constitution actually means or how law is derived from it. Just because you can read a sentence does not mean you understand it the same way everyone else does nor that everyone agrees on what the words mean. That's why we have judges and precedent and a common law foundation, to guide the interpretation in a direction most can agree on.


Many of the rules for the house and senate are specified, very clearly, as well.

Sorry, it isn't a "vague document" nor a "rough guideline". It is very specific on many points. Also, the idea that no one but trained professionals can read or understand if the document is being followed is not only wrong but abhorrent. Certainly, legally the judiciary is to interpret the law for implementation, I don't disagree. But again... we as voters have a right and responsibility to read the rules, to understand the rules, to ascertain if they are being followed and to vote accordingly. The ultimate power, in theory, resides with us, not with "trained professionals". This principle is of extreme importance for our system and seems to be quite often forgotten.


I agree that we as voters vote our interests; I don't, and won't agree that the average joe can read and correctly interpret the constitution and they never will. It is a legal document and understanding it requires more than just the words on the page.


That's a common line from some sectors. It gets repeated a lot. There is probably a reason for that but I don't believe it's objective.


It's common because it's true, whether you choose to accept it or not really doesn't matter; legal documents cannot be understood merely by the words on the page. They exist in a field of precedent, and lacking an understanding of the precedent the common person cannot properly understand the intended meaning, which, whether you see it or not, is referencing that precedent.


I'm sorry. You don't need legal training to read and understand most of the Constitution. Much of it is fairly plain and straightforward. Much of the "context" you speak of often comes after the fact. I would suggest rather than trying to beat a worn out point you take half an hour and actually read the document. You can do it... even without a law degree. We can read it.. we can see if it is manifestly being violated, we can vote accordingly. That is the intent. The intent is not that we are governed by an army of lawyers twisting a document into whatever they choose.


Don't play superior, you're not; I've read it more than a few times and worked in law enforcement. You think your interpretation is somehow right while ignoring the reality that reasonable people disagree on the meaning of it and denying they even can. You're blinded by your own ideology. We're done.


I'm sorry you think I'm playing superior. That's not my intent. I'm also sorry you feel as you do. I think I've made my point. You seem to be deliberately ignoring it. You appear to have heard something and are parroting it without thinking about it. I don't think that's the best thing to do. And I agree, we are done.


> _If the Constitution said "there may be no dog-walking on Thursday", the constitutionality of dog-walking on Thursday would rest entirely upon the decisions of the judiciary with regards to its constitutionality_

What you are asserting is that we are not ruled by written law, but by a judiciary, who feels themselves free to invent "escape hatches" to avoid old commitments now deemed undesirable.


Of course I am. That's by design. The textual literalists of the Constitution are as bad as Biblical ones. Written law informs the interpretation of the judiciary. That's how it's been literally-literally since day one.


On some points interpretation may be needed. On other points it's a stretch. At still other points maybe a stretch to breaking and beyond.

You may not care for literal text, but a lawful society depends on it. Governments just doing whatever they feel is best at the moment aren't generally very robust. There has to be restraint over a judiciary. A limit to how far they can stretch things. Opinions vary on what this limit is, but, back to the original point, some aspects of NSA data collection, from my point of view very clearly exceed this limit as embodied in the constitution.

Probably the real answer is we need an update. A 200 year old document might not be the best guide for modern times. But you can only have authorities claim it is day when it is really night for so long without people starting to suspect corruption. And I think that's where we are at. Sadly.


Er, there is restraint over the judiciary. Justices can be removed by the legislative branch.

It's hard. But that's intentional, too.


What if the removed justices sued and the judiciary hearing the case ruled that, in fact, Constitutional provisions be damned, the legislative branch may not remove justices.

Were that to happen, how could you argue that they are wrong?


You effectively can't, because "but the Constitution" is not a method of legal operation in the United States. At that point, you indeed do have a legitimate breakdown in governance. I expect such a situation would cause the kind of crisis that destroys a government.

(I'm not saying I am describing something that is good. I prefer to live in the world of the descriptive when it comes to legal matters, rather than the prescriptive. There are things I want very much to see changed--but I recognize that the process that exists isn't going away.)


So who got to decide that it works this way?

The Constitution doesn't say it works this way, and that was the document that was voted on by the representatives of the people. So whoever it was that decided it actually works a totally different way, why should I care what they think?


Yep. And a constitution.


Yes, that is by design.

Then the legislature can make a new law which can nullify a judiciary's decision. Or the executive can just stop arresting people for the crime and then the judiciary never gets a say.

That's what checks and balances are.


If the old, nullified Constitutional provision said that dog-walking on Thursdays was illegal, what new law is the judiciary supposed to pass to make dog-walking illegal on Thursdays again? If the judiciary is free to impose whatever interpretation on whatever text they want, and then their interpretation is the real law, then there is no law the legislature can pass to change that.

Of course everyone always has the possibility of fighting; civil war is always an option. But if the _principle_ is that the judiciary gets to make law just howsoever it pleases, then one loses the ability to call the government out on anything. It just becomes "that's not what I want" versus "that's not what you want".

Which is where we are at with this surveillance mess. Except that because we have a written Constitution with an explicit method for amendment, instead of an implicit right of amendment by Judiciary, we do have a basis for pointing out that the government is out of bounds and for demanding reform. Reject that and everything becomes legal and there is nothing you can do except complain that you don't like it.


The judiciary doesn't pass laws. The judiciary can choose to nullify a law by choosing "not guilty" for anyone charged under a law that's unjust. The executive can also just not arrest people seen walking their dogs on Thursdays. The legislature could just revoke the law that made it illegal to begin with, then the executive and judiciary have no right to arrest or convict under it anymore – even if the previous precedent was considered sound.

This is how the government works. Yes, transition periods may be sloppy (people may be arrested for walking their dogs), but it will equalize.

Legislature makes an unjust law. The executive can choose to enforce or not to enforce. If the executive enforces, the judiciary can choose not to convict.

Let's say for this specific scenario, assuming the surveillance isn't Constitutional (big assumption):

1: Executive begins doing something that's not Constitutional. Judiciary chooses not to convict. Law is nullified and executive will stop enforcing (what would be the point?)

2: Executive begins doing something that's not Constitutional. Judiciary chooses to convict (the law is now officially Constitutional). Legislature disagrees with convictions and can pass specific laws outlawing the original executive actions, OR revoke the original law which allowed the unconstitutional interpretation.

This is all by design. This is how it's meant to work. Just because you don't think it's working in your favor does not mean it's broken.


(First a note: "what new law is the judiciary supposed to pass" was meant to be "what new law is the legislature...".)

I'm not sure we disagree. You seem to be arguing that no one branch is the final arbiter of what is constitutional; that each is allowed its independent opinion. I agree with that. What I was arguing against in this thread is the proposition that the judiciary alone gets to decide what is constitutional and that it gets to do so regardless of what the constitution actually says.

You ended with "This is all by design. This is how it's meant to work," which is a claim that only makes sense if we have a system where the constitution actually means something and its meaning is binding. If the judiciary is free to redefine the constitution however they want, then we are not living under a government that has a design or a correct way to work.


I agree with the definition of 'the rule of law' you have given, however the point the above user was making is that government secrecy fundamentally undermines the rule of law since if no one knows what you are doing no one can determine if you are breaking the law.

It's like trying to referee a football game while locked in a windowless basement 1000 miles away. The only information you get is that at half time a note is slipped under the door reading "No one has broken the rules".


"The NSA is, I'm sure, very scrupulous about following the law." Your certainty is definitely misplaced (unless that was sarcasm). One of many, many examples: https://www.washingtonpost.com/world/national-security/nsa-b...


How about the NSA director lying to Congress? America doesn't care.


Can you provide some links to docs discussing NSA 0days against Americans? I can't seem to find 'em.


That's great! Do you mean the law demands a reason to do it? (I.e. reasoning for a warrant?) I'm guessing here.


Ha. I think we have established that such a silly distinction is clearly not relevant. What about the illegals in the country? Are they subject to being targeted? How about their illegal children born in the commission of a crime? Those aren't Americans, so they can be targeted? Remember, we wisely suspended the Posse Comitatus


Now the question is, are vendors deliberately putting in security flaws at NSA's instigation?

Intel's "system management mode" and code need to be viewed with extreme suspicion. So do network controllers which accept management commands from the network side. It would be so easy to add some system management passwords to a network controller that don't show up when you list them. (In fact, if you're willing to have them show up in a list that nobody ever checks, you can insert a backdoor in a motherboard if you can get hold of it anywhere in the supply chain, hook it up to power and Ethernet, and talk to it briefly.)[1]

[1] https://en.wikipedia.org/wiki/Intel_AMT_versions


I doubt the NSA needs to instigate much. There is so much bad code in the world, and it just keeps growing, they would be in business forever just sitting on their thumbs.


The Onion: China Unable To Recruit Hackers Fast Enough To Keep Up With Vulnerabilities In U.S. Security Systems http://www.theonion.com/article/china-unable-recruit-hackers...


>There is so much bad code in the world, and it just keeps growing

Security Compliance is hygiene and reduces the attack surface. We should all be more diligent about complying to reduce the bad code.


I doubt that. It would be a massive PR shitstorm if something like this exists and gets exposed. Though it's also true that the NSA is known for intercepting specific shipments of electronic goods and planting hardware backdoors. It would be interesting to know how these things work and operate on the target device.


It's good news to me. The NSA's mission means they're going to have to get in somehow. FBI, too. Bulk collection and subversion have huge issues. Targeted collection with 0-days in endpoints that we know are insecure is much closer to the Constitution than most of what they do. If people want that to go away, they could always apply methods for building secure systems from the ground up. I've posted plenty here and elsewhere about high assurance security along with tons of Comp Sci and case studies existing.

If not, they've chosen to accept that risk from NSA and others hunting 0-days. Most choose that. Most platforms have tons of risk and attack surface. So, I'm all for them collecting 0-days for focused attacks and relying on it rather than pushing subversion or L.I. harder.

Anyone worrying about this should be focusing on the organizations creating 0-days with known-insecure development practices rather than those exploiting them. They're the problem and the demand side (users/customers) that doesn't give a shit. Excerpt from a counterpoint to Bruce Schneier on why users/customers, not manufacturers, were the problem in terms of security of our devices and services:

"Why does this problem (insecure everything) exist? Because manufacturers don't focus on building secure systems. Why don't they build secure systems? BECAUSE USERS DON'T BUY THEM!

Most users want the risk management paradigm where they buy insecure systems that are fast, pretty and cheap, then occasionally deal with a data loss or system fix. The segment of people willing to pay significantly more for quality is always very small and there are vendors that target that market (e.g. TIS, GD, Boeing and Integrity Global Security come to mind).

So, if users demand the opposite of security, aren't capitalist system producers supposed to give them what they want? It's basic economics, Bruce. They do what's good for the bottom line. The only time they started building secure PCs en masse was when the government mandated them. Some corporations, part of the quality segment, even ordered them to protect I.P. at incubation firms and reduce insider risks at banks. When the government killed that & demand went low again, they all started producing insecure systems again. So, if user demand is required and they don't demand it, who is at fault again? The user. They always were and always will be.

On the bright side, those same users are the reason I can send photos to friends on a thin, beautiful smartphone. They also gave us short-lived 1TB hard disks whose low cost made the short-lived part tolerable. They are also probably why I have a full-featured, fast, cheap wireless router at home. So, at least some good comes from the users' choices of demand. But, they definitely don't accept the tradeoffs of real security, they don't demand it, it doesn't pay to produce it, & that's why it's their fault. "


Nick, our programming ecosystem barely satisfies the basic principles of software fault tolerance, much less self-healing systems. High assurance? Multiple independent levels of security (MILS)? Covert channel resistance? Completely out of the question!

That said, it is somewhat true that when you reduce the intelligence agency activities to targeted surveillance with employment of 0-days, the onus falls more and more on industry adopting HA.

Yet one must not discount that how 0-days are even procured can involve questionable deeds.

Furthermore, when the NSA's offense model is targeted attacks with 0-day deployment, an incentive is created to pump these 0-days by subverting cryptographic standards bodies. The market for 0-days is a) adversarial and b) contestable, which is a lethal combination that promulgates black bag and kleptographic techniques.

We must also be willing to assume that in any interventionist statist society, the property of domestic surveillance is not a unique event or something that can be eradicated, but a constant cyclical factor akin to a business cycle that may only be mitigated.


"Nick, our programming ecosystem barely satisfies the basic principles of software fault tolerance, much less self-healing systems. High assurance? Multiple independent levels of security (MILS)? Covert channel resistance? Completely out of the question!"

Original high assurance systems were done with Pascal, etc. Not much is required in terms of programming past type and memory safety, esp. strong interface checks. Plus easily understanding how that language becomes code, with the ability of compilers to transform it (e.g. auto-insertion of checks). More about a clear description of how it works, a clear security policy, evidence they correspond, and an implementation that maintains the same. As in another comment in this thread, small changes in hardware or OSes alone would create great increases in security.

Far as the other requirements, software MILS just takes a microkernel with capabilities, periods processing, virtualizable hardware, and the right scheduler. A covert channel analysis via Kemmerer's Shared Resource Matrix can be done by a junior staffer with guidance and little time. That usable prototypes of secure systems were done by small academic teams with 1990's and early 2000's tech shows it's well within reach of today's programmers. There's just an issue of willingness. Just look back at all the times I wrote up a secure-by-design system and how many people jumped on the bandwagon to try to build their own. I can count them on my hands.

"Yet one must not discount that how 0-days are even procured can involve questionable deeds."

That's the subversion risk. The EAL6-7 development processes going back to Orange Book are designed to partly counter that. I add certified compilation, mutually suspicious parties doing analysis, diverse hardware, and so on in my requirements. Gotta address it all. Teams with little resources should focus on ability to detect, trace, and recover rather than prevent. Prevent what they can but only so much staff and time...

"the property of domestic surveillance is not a unique event or something that can be eradicated, but a constant cyclical factor akin to a business cycle that may only be mitigated."

That's an interesting thought. There have been cycles in my country. What worries me is the cyclical nature seems to be ending. We haven't seen the mass protests of police state activity that we wanted. The abuses revealed by Manning and Snowden led to griping followed largely by inaction. We've only seen American power increase even after the parties changed. The 180 of the Obama administration on the key issues further suggests strong, covert influence that exists across parties and time. I wish we had gotten something like Iceland in 2008, but America is a fake democracy: people did nothing, are mostly doing nothing, and the TPP situation is set to confirm that trend. It's the new cycle.
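The covert channel analysis mentioned above, as an added illustration that is not the commenter's code: a small screen in the spirit of Kemmerer's Shared Resource Matrix, run over a constructed toy file-service interface. The primitive names, the attribute names and the dependency rule used for the transitive closure are my simplification for illustration, not the paper's exact procedure.

```python
"""
Shared Resource Matrix (SRM) style screening for storage channels.

Constructed toy TCB: each primitive (system call) is described by the
shared-resource attributes it References (R) and Modifies (M). The screen:
  1. builds the attribute x primitive R/M matrix,
  2. computes a transitive closure of references (an attribute B whose
     value is set by a primitive that referenced A may carry information
     about A, so any primitive referencing B indirectly references A),
  3. flags every attribute that is both modified and referenced, and is
     not an overt (intended) data path, as a storage-channel candidate.
The analyst then decides, per candidate, whether a higher-level sender can
drive a modifier while a lower-level receiver observes via a referencer,
and what to do about it (audit, noise, resource partitioning, ...).
"""
from dataclasses import dataclass


@dataclass
class Primitive:
    name: str
    references: set   # attributes whose value affects the primitive's outcome
    modifies: set     # attributes the primitive changes


def build_matrix(prims):
    """Return {attribute: {"R": set(primitive names), "M": set(...)}}."""
    matrix = {}
    for p in prims:
        for a in p.references:
            matrix.setdefault(a, {"R": set(), "M": set()})["R"].add(p.name)
        for a in p.modifies:
            matrix.setdefault(a, {"R": set(), "M": set()})["M"].add(p.name)
    return matrix


def dependencies(prims):
    """depends[B] = attributes whose value may flow into B: for every
    primitive that modifies B, the attributes that primitive references."""
    depends = {}
    for p in prims:
        for b in p.modifies:
            depends.setdefault(b, set()).update(p.references - {b})
    return depends


def transitive_references(prims):
    """Closure: per primitive, the attributes it references directly or
    indirectly through attributes computed from them."""
    depends = dependencies(prims)
    closure = {}
    for p in prims:
        seen = set(p.references)
        stack = list(p.references)
        while stack:
            b = stack.pop()
            for a in depends.get(b, ()):
                if a not in seen:
                    seen.add(a)
                    stack.append(a)
        closure[p.name] = seen
    return closure


def storage_channel_candidates(prims, overt=frozenset()):
    """Attributes with a modifier and at least one direct or indirect
    referencer, minus overt data paths. Rows that are only modified (or
    only referenced) cannot carry a channel and are dropped."""
    matrix = build_matrix(prims)
    closure = transitive_references(prims)
    cands = {}
    for attr, cell in matrix.items():
        if attr in overt or not cell["M"]:
            continue
        direct = set(cell["R"])
        indirect = {p for p, refs in closure.items() if attr in refs} - direct
        if direct or indirect:
            cands[attr] = {"modifiers": set(cell["M"]),
                           "direct": direct, "indirect": indirect}
    return cands


# Constructed toy interface (not any real system's syscalls).
TOY_TCB = [
    Primitive("create_file", {"file.exists", "disk.free_blocks"}, {"file.exists", "disk.free_blocks"}),
    Primitive("delete_file", {"file.exists"}, {"file.exists", "disk.free_blocks"}),
    Primitive("lock_file", {"file.exists", "file.locked"}, {"file.locked"}),
    Primitive("unlock_file", {"file.exists", "file.locked"}, {"file.locked"}),
    Primitive("write_file", {"file.exists", "file.locked", "disk.free_blocks"}, {"file.contents", "disk.free_blocks"}),
    Primitive("read_file", {"file.exists", "file.contents"}, set()),
    Primitive("set_clock", set(), {"sys.clock"}),  # modified, never referenced: no channel
]


def toy_report():
    """file.contents is the overt data path; everything else is suspect."""
    return storage_channel_candidates(TOY_TCB, overt={"file.contents"})


if __name__ == "__main__":
    for attr, c in sorted(toy_report().items()):
        print(f"{attr}: M by {sorted(c['modifiers'])}; R by {sorted(c['direct'])}; "
              f"indirect R by {sorted(c['indirect'])}")
```

The closure is what makes the lock-state and free-block rows show read_file as an indirect observer: the reader never looks at a lock, but what it reads depends on whether a write succeeded, which depended on the lock.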


The language's direct effect on fault tolerance is not always easily measurable. Even in C you could add compile-time instrumentation to discard invalid writes and redirect invalid reads to fixed-size buffers (failure-oblivious computing) and that's just a proactive measure. Recursive restartability, microrebooting, state transfer to stable storage, event logs for fault recovery and piecewise determinism via replay of non-deterministic events, and many other hosts of options are all language-agnostic. Of course, many mission-critical projects will mandate redundancy through n-version programming where you have say a C implementation and Ada implementation of the same spec running concurrently with some failover scheme. Point is most of it is architectural and interface-related, not necessarily language-related. Hell, L4 was written in ASM at first.

Since we can't get that, but instead mostly rely on cargo culting like "Haskell is magic pixie dust because math" for our software safety and availability, I find the prospects of careful HA research (which is more mathematically rigorous) to be daunting.

Software MILS and separation kernels are promising, particularly what Muen does with the Intel VT-x extensions and its rather abundant configuration tools. Getting that deployed is going to be an uphill battle given fault tolerance's neglect, but also because many might perceive the static resource allocation to be anathema to "high scalability".

I think you overestimate public resistance to surveillance. The Church Committee came and went quickly, and was forgotten and dismissed over the legislative band-aids that people blindly believed were as effective as that. Total Information Awareness too got restructured before anyone even blinked. COINTELPRO was not widely protested. DCSNet and FBI snarfing even less so.


Maybe it's because we largely don't give a shit?

One of the most notable reactions to 9/11 and then Obama's election and reign has been Americans arming themselves at astounding and unprecedented rates (something very well tracked because it's all taxed: https://en.wikipedia.org/wiki/Pittman%E2%80%93Robertson_Fede...). I think that's mostly because of the government's obviously ineffectual domestic response to 9/11 and Obama's indifference to all that and inimical attitudes towards us bitter clingers (I see no signs of a "180", just dishonesty in 2008), and e.g. Bush telling us our most important duty was to go shopping. But the post-9/11 expansions of the security state are a factor.

It sure looked to me that the Church Committee et al. had an effect for some years, and then there were great debates during the Clinton era over all this (remember the Clipper Chip?). At least they now feel a need to hide; there's a reason for that post-9/11.

Mostly political, I suspect, but it might in part be due to feeling they won't have a secure rear area if they take this too far. People like me, at least, are willing to engage in mass slaughter of the organs of the state if they push too hard, and we have the numbers and the means to trivially swamp them. Fortunately for all concerned, just not the motivation. Yet, and for the foreseeable future. But we are most assuredly preparing.

(And, please, no one handwave about drones et al. Drone operators have to sleep some time at something resembling "home", there's a huge logistical tail, etc. Think also about scale, e.g. "Three Percent" of the absolute minimum 100 million gun owners in the country. And how we fight things like McCain-Feingold (Citizens United) that suppress our collective action; heck, while our betters are now trying to hide their surveillance efforts, they're quite open about frank abridgment of core political speech, which I find much more worrying.)

And as long as I'm talking about dire subjects, it's long been my considered opinion that we won't get serious about all this until there are serious atrocities coming from less than robust and secure systems. Like a few thousand people dying from such a screwup, instead of the 3 from the Therac-25.

I personally focus more on "robust" than "secure" (I noticed long before HN nickpsecurity's observation that there's no market for the latter, e.g. I was near ground zero for the final stages of the decline and fall of Multics), but they go hand in hand.


People like me, at least, are willing to engage in mass slaughter of the organs of the state if they push too hard

Violence is only permissible to defend property and retaliate against aggression, but it must be contained against the aggressors and not involve any collateral, for the latter would be unjust murder. Rest assured your pipe dreams of "hang the bastards by their entrails" and mass slaughter will only let the samsara continue, as people who approve of killing anyone by association rather than by deed will quite likely reinstate the same authoritarian measures (or worse) themselves. I have noticed that you frequently engage in outlandish Second Amendment vengeance fantasies on this board quite frequently, though. If that's your fetish, so be it, but the fact is most Americans of that persuasion are not libertarian in the slightest, but interventionist theocrats.

I'm not even sure what an "effectual domestic response to 9/11" would have been, other than do nothing, of course.

That said, I do agree it will take some wanton death before fault tolerance becomes a concern. Certainly being armed is always a good precautionary measure, but avoidance of war is a prerogative and then if war commences, it must be directed and not carpet.


Violence is only permissible to defend property and retaliate against aggression, but it must be contained against the aggressors and not involve any collateral, for the latter would be unjust murder.... ...and then if war commences, it must be directed and not carpet....

"We don't care."

As for "libertarian in the slightest, but interventionist theocrat", I have no idea what made you think I might be the former, nor am I the latter, nor are most of who I think the "Three Percent" might turn out to be the latter. Your mental model of me is, as far as I can tell, 90+% wrong.


"We don't care" isn't a rebuttal, it's a trivial dismissal.

I'm not sure who the "Three Percent" would be, then. That they are not interventionists and theocrats is reassuring to hear, but if their views support violating people's self-ownership of their bodies, their property and their civil liberties, then they are revolutionaries who I gravely fear.


"We don't care" isn't a rebuttal, it's a trivial dismissal.

Which is exactly the amount of respect I believe your opinions about how to lose a war deserve.

then they are counter-revolutionaries who I gravely fear.

Fixed at least part of it for you.

I'm talking about reacting, not initiating action. Of course, there are those who argue the time for violent counter-revolution has arrived, but they aren't getting much of a hearing, and obviously not actually, you know, acting....

Every time a mass shooting happens, the MSM theorizes it's that sort of thing, and every time they're wrong. For now, thankfully.

(There are bombing exceptions, e.g. OK City and Eric Robert Rudolph's, but the vast majority of this sort of thing is and has always been by the Left, and as of late Muslims.)

Let's return to my thesis: we've been arming ourselves like never before (at one point, just about all available rifles of military utility had been bought, cleaning out the last of the available Cold War stocks, most certainly including the ammo), but don't care much about the surveillance state. Why is that true?


The assumption being it won't be a Pyrrhic victory. I don't know of any revolution or insurgency that hasn't ended in reinstating or even worsening authoritarian streaks. Then, of course, your rambling of "losing a war" won't make wantonly executing your own people who are not statist expropriators any less of a crime, nor not end up turning them against you and desiring retaliation of their own. Of course you haven't yet responded what the political views held by the "Three Percent" are, but that you ignore self-ownership and private property implies to me they are authoritarian and socialist.

Of course, such a conflict can only be justified as a reaction, so there is that in your favor. Militarism ultimately cannot be divorced from statism and trampling on voluntary exchange, however.

lol @ left-baiting. "Leftist" isn't a useful term.


The assumption being it won't be a Pyrrhic victory.

Ah, there we do care, but not enough to stay our hands if the alternatives are worse.

I don't know of any revolution or insurgency that hasn't ended in reinstating or even worsening authoritarian streaks.

How much do we care if we're in the population that's still alive afterwards?

Then, of course, your rambling of "losing a war" won't make wantonly executing your own people who are [strikeout]not[strikeout] statist expropriators any less of a crime

Fixed it for you; see e.g. Those Who Are No Longer Our Countrymen (TWANLOC).

Of course you haven't yet responded what the political views held by the "Three Percent"

Not my job, especially now that I've given you more than enough words, phrases and concepts to search on. Especially since you need a lot more than simple facts to begin to be able to understand us. Enough of your important, fundamental mental models do not correspond to mine, and others I know like me, at least.

And you haven't addressed my thesis in this discussion. Hmmm, do you know anybody in the US who's bought a rifle of military utility since 9/11?

lol @ left-baiting. "Leftist" isn't a useful term.

Have a better term for those who believe in the perfectibility of men? That, vs. as a favorite history professor told us, "Original Sin is an empirical observation", seems to be the single best way to divide us. Jerry Pournelle's polysci Ph.D. thesis result is also useful at least to distinguish various groups, e.g. the national from international socialists: https://en.wikipedia.org/wiki/Pournelle_chart


You acknowledge that you do care about the odds, good. The alternative of handing over all dominion to an authoritarian state is indeed worse than the counter-revolutionary Pyrrhic bloodbath, but most importantly, you keep beating around the bush as to the aftermath. You concede that your views are too complicated to explain here, but do not provide so much as a hint nor a reference or citation for me to gauge them. Your link to the Pournelle chart though implies you're libertarian-leaning to an extent. I can't precisely tell with lack of details.

I don't know who "We" will be in the population after a Second American Civil War. I assume it will be more than the Three Percent. That you tritely rebut again with the apathy strikes me as unprincipled. What, you don't value property, civil liberties and voluntary market exchange now that you've survived and have to rebuild the Republic (assuming you want one and not Rothbard/Hoppe natural order)? Clearly you must set a framework after all is over.

"It's not my job to educate you" makes you sound just like a postmodernist, but I digress.

Alright, TWANLOC. That's a rather naive and almost vicious view, that everyone who is outside your bubble must be a subhuman. Most people are not statist expropriators, and actually are sympathetic to voluntary relations with a classical liberal outlook on things, but again may not break out of the present statist framework. The goal should be exchange of ideas, not slaughtering them like sheep. Such disregard of life, such infringement on self-ownership is ironically borne from the same progressivist authoritarian ideas that lead to molding men and preaching doctrines of original sin. The original sin here being... not agreeing with the Three Percent, I don't know.

"Repression by brute force is always a confession of the inability to make use of the better weapons of the intellect — better because they alone give promise of final success. This is the fundamental error from which Fascism suffers and which will ultimately cause its downfall. The victory of Fascism in a number of countries is only an episode in the long series of struggles over the problem of property. The next episode will be the victory of Communism. The ultimate outcome of the struggle, however, will not be decided by arms, but by ideas. It is ideas that group men into fighting factions, that press the weapons into their hands, and that determine against whom and for whom the weapons shall be used. It is they alone, and not arms, that, in the last analysis, turn the scales." -- Ludwig von Mises

It may well be that people derive similar conclusions but from different a priori frameworks (see: left-libertarians v. right-libertarians). These are not enemies. They are reconcilable.

Hmmm, do you know anybody in the US who's bought a rifle of military utility since 9/11?

Yes. I'm not some pinko hippie gun grabber that you seem to believe I am. You swiftly edited your post though, I'm sorry. Returning to your thesis, you never made it clear you even had one. It is true that Americans are arming themselves at growing rates, and also true that concerns over surveillance are lukewarm at best. What is the conclusion? Is surveillance not a pressing issue?

(I think "progressivist" is a better term for people who believe in molding the individual through state and corporate means.)

Ultimately, your words are all too vacuous, and so my responses are similarly vacuous with no real recourse. Your fondness of divide-and-conquer with a fierce militarist absolutism and subhumanization is also disconcerting.


"The language's direct effect on fault tolerance is not always easily measurable. Even in C you could add compile-time instrumentation to discard invalid writes and redirect invalid reads to fixed-size buffers (failure-oblivious computing) and that's just a proactive measure."

I think you're going too far with it. Stuff like that is covered in fault-tolerant and immunity-aware computing. Most straight-forward approach is a NonStop-style system or TMR with voting. However, getting that far for fault-tolerance and security is way, way beyond standard practice. I'm just asking that standard practice move beyond the same old, same old problems. The baseline would be so much better and we could then work on the next leap. Not to mention the infusion of money and effort into tool support for that would greatly benefit high assurance work that tries to address what you're talking about.

"ince we can't get that, but instead mostly rely on cargo culting like "Haskell is magic pixie dust because math" for our software safety and availability, I find the prospects of careful HA research (which is more mathematically rigorous) to be daunting."

Best to think of it as several processes or systems working in lock-step one function or major state change at a time. That's been deployed in academia and commercially in many ways. There are even tools to draw on to help. Treating the system as a whole black box with restarts at failure simplifies things. This way, they can keep their pixie dust.

Meanwhile, we make the pixie dust better. Memory-safety, type-safety, and concurrency safety by themselves knock out most of what does damage. Hardware enforcement of these for CPU and I/O interactions makes the attacker's job daunting. A great exception system will help, too. The next steps are Design-by-Contract, automated test generation from those specs, static analysis with no false positives, information flow labels a la Cornell's SIF/JIF, and continued use of cookbooks like OWASP tools. Combining the above leaves very little room for bugs to hide. At the least, attacks become so expensive and valuable that only nation-states have them. Progress, eh? ;)

"Getting that deployed is going to be an uphill battle given fault tolerance's neglect"

It's happening a lot in mobile and safety-critical embedded. Virtualization, esp security-centric, has already taken off. I think modifying one to work with cloud-stacks and piggybacking off them might help. Might drop it to medium assurance due to complexity but would be improvement. Can structure it and assure it like VAX VMM Security Kernel did with modern tools/analysis. I doubt we see mass market uptake but a niche market might pick it up if cost/benefit still looks good.

"I think you overestimate public resistance to surveillance. The Church Committee came and went quickly, and was forgotten and dismissed over the legislative band-aids that people blindly believed were as effective as that."

It was more about major abuses than surveillance. I have little faith in the public on the latter. We at least got to see a lot of details on things like COINTELPRO that are important in countering the propaganda. Point was that action was taken, some kind of result happened, and their level of domestic abuse appeared to drop a bit. Another good example was increases of FOIA power at different points, which helped us many times in the past. We didn't really need major results from Snowden leaks to deal with NSA, etc. Might have been as simple as eliminating bulk, forcing FISA warrants for targeted collection on Americans (not collection criteria), ability to challenge that in court (no parallel construction), and a clear indicator that no company/individual can be compelled into backdoors. Just four points could go a long way to knock out the biggest legal risk, with the private sector and nonprofits handling the rest.

What we got instead was no response on... anything. I was less bummed about NSA than 2008 financial crisis. Over here, Wall St gets $1+ trillion, no questions asked, and immunity. Over in Iceland, they overthrew the corrupt machine, seized the assets, eliminated questionable debts, and (given Wikileaks was source) later passed some of best press protections in the world. That is how democracy is supposed to work when facing that level of corruption. The American approach was BOHICA: Bend Over, Here It Comes Again. Has been consistently since with few exceptions. Disgusting...

I want to see Americans pull an Iceland on one of these core issues.


The US has the most to lose from having the NSA hoard vulnerabilities in popular software that it itself uses. So by that logic, the NSA is actually harming national security.

> Most users want the risk management paradigm where they buy insecure systems that are fast, pretty and cheap, then occasionally deal with a data loss or system fix

I disagree. I think most people don't know what the hell they want or need in terms of security, but they do want to be "safe". Nobody makes the choice "should I buy this phone for $600 or this one for $300 that is 10x less secure?" - People assume all of these devices have relatively the same security, and then they buy on price.

It's the job of system builders (and I think the government, too) to ensure people get a strong standard of security with their devices. Just like it's the government's job to ensure people don't get food poisoning from buying a random item from a store. You can't expect most people to actually know what they're buying in terms of food - but you expect them to know in terms of device security?

People think the $5 food item has the "same relative safety" as the $50 food item from the same category. Nobody expects to die from the $5 one, just like nobody expects to get hacked for buying a $100 unlocked phone at one of the four major (and let's say trusted) carriers. And by nobody I of course mean "normal people".


"US has the most to lose from having the NSA hoard vulnerabilities in popular software that itself uses. So by that logic, the NSA is actually harming national security."

I totally agree. I've said the same and gone as far as to say they're "aiding and abetting" the enemy. Not Manning, Snowden, etc. ;)

That said, NSA doesn't build these systems. NSA doesn't use insecure methods of software or system construction to keep their profit margin high on critical stuff. NSA... does... neglect contributions to critical protocols and stuff, but so does everyone else. Most of the problems come from businesses, FOSS projects, and the demand side all sticking with what produces the most 0-days.

There's no excuse as even the first mainframe was doing it better back in 1963:

http://www.smecc.org/The%20Architecture%20%20of%20the%20Burr...

Many did:

https://www.schneier.com/blog/archives/2014/04/dan_geer_on_h...

It's just everyone's choice to stick with the most risky approaches and tradeoffs. What follows is a consequence of that choice. Even when shown a better way, they usually tell you to get lost or further justify bad choices. So, it's totally on the market itself. NSA could help, and DOD did back with the Computer Security Initiative, but it's hard for me to blame NSA for the intentional failure and pervasive insecurity of most of 300+ million people and millions of businesses. They're just predators exploiting a bad situation created by others.

"It's the job of system builders (and I think the government, too) to ensure people get a strong standard of security with their devices."

Ever hear of DiamonTEK? Gemini Computers? Secure Computing Corporation? They did highly secure stuff. They disappeared, were acquired, or withered away (e.g. Aesec). That's a false claim disproven by decades of buyers and management ignoring good security advice. No, producers' only goal is to satisfy buyers and make money. Doing so means trading against security. Time after time.


I'm glad you brought this up. I know people who benefit from secure software today (they actually exist) and they are all customers. I don't know many users who can say the same.

For example, I've heard rumours about a formally-verified and usable replacement for PGP. Great... until the conversation turns to price:

PGP sucks!

Would you pay $10 for something better?

Heck no! PGP is free.

I think of security in terms of interests. Your interests, the developers' interests, and whether they align. I'm convinced the only scenario where our interests as users align with those of the developers is if we pay them directly. Not with ads, not with donations, not through foundations.


Personally I would pay $10 (or $50) for something better. But for a communication tool, I would not want to force that payment on everyone I interact with, and I would most definitely not accept a closed source security tool at any price.


What about a closed-source tool whose source and compiled binary had been vetted by mutually-distrusting, qualified parties who themselves used the tool? And provided the binaries and signatures to tools' customers?

Because as I outline here...

https://www.schneier.com/blog/archives/2014/05/friday_squid_...

...both proprietary and FOSS really come down to you taking other people's word that they reviewed it and they were qualified to do so. So, review and trust in the reviewer(s) are the truly important points. The many eyes argument hasn't held for security for over a decade while a number of closed-source systems survived rigorous evaluation due to good design.

So, would you trust a rigorously built and evaluated system with closed source if you trusted the reviewers and could verify you had the same thing? And, if not, why do you trust/use OSS that's made by people with varying competence with no proof of qualified review?


And you're cool with them doing it to you?


Yeah. If I used insecure crap, I've already decided that it will be destroyed by opponents. If I want something safe, I use very secure methods to protect it. That field is called high assurance or high robustness security. Quite a few things in it stopped NSA pentesters. Very few of us left in that field but one can learn from what's published as I did. Build your security strong, obfuscated, and with tamper detection to give them real headaches. Otherwise, you're enabling your enemy by your choice of systems, software, and methods. It's your own fault given what you know of the world you live in.

Examples of high assurance thinking in another comment:

https://news.ycombinator.com/item?id=10529676

Have fun with that rabbit hole. :)


Realistically, asking the NSA to please not exploit me offers no protection against myriad other adversaries.


Let's just keep writing operating systems and security-sensitive code in C.

I'm sure this time we'll have even better development practices. This time we'll do better code reviews. This time the static analysis tools will catch more problems.

If we all close our eyes and wish really hard we can avoid inconveniencing a few programmers, save a few CPU cycles, and keep using C. After all, the performance is totally worth a few heartbleeds now and again ya?
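The "heartbleeds" the comment refers to are the textbook case of a C length-trusting bug: a record carries a self-declared payload length, and the code copies that many bytes back without checking how many bytes actually arrived. The block below is an added illustration, not code from this thread or from OpenSSL; it uses a constructed heartbeat-like record laid out in a fixed arena that imitates a heap, so the over-read stays inside the arena and the program runs without undefined behaviour. Every name (arena, echo_unchecked, echo_checked, the record layout, the "SECRETKEY" bytes) is an assumption made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed "heap": the received record sits first, followed by unrelated
 * secret data that must never leave the process. Assumption for the example. */
#define ARENA_SIZE 64
static uint8_t arena[ARENA_SIZE];

/* Record layout (constructed, not a real TLS record):
 * byte 0: type, bytes 1-2: claimed payload length (big-endian), then payload. */
#define HDR_LEN 3
static const uint8_t SAMPLE_PAYLOAD[] = { 'h', 'i' };   /* 2 real payload bytes */
static const char SECRET[] = "SECRETKEY";                 /* adjacent sensitive data */

/* Fill the arena with a record whose header claims `claimed_len` payload bytes
 * while only 2 were actually received. Returns the number of bytes received. */
size_t build_arena(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* type: request */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HDR_LEN, SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD);
    size_t rec_len = HDR_LEN + sizeof SAMPLE_PAYLOAD; /* what really arrived */
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1); /* secret lands right after */
    return rec_len;
}

/* Vulnerable shape: trust the length field, ignore the received byte count.
 * The copy is bounded only by the reply buffer, so it reads past the record. */
size_t echo_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t n = claimed < out_cap ? claimed : out_cap;
    memcpy(out, rec + HDR_LEN, n);   /* walks into whatever follows the record */
    return n;
}

/* Hardened shape: the claimed length must fit inside the bytes that arrived
 * and inside the reply buffer; otherwise the record is rejected. Returns 0 on
 * success, -1 on rejection. */
int echo_checked(const uint8_t *rec, size_t rec_len,
                 uint8_t *out, size_t out_cap, size_t *out_n) {
    if (rec_len < HDR_LEN) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed > rec_len - HDR_LEN) return -1;  /* claim exceeds input */
    if ((size_t)claimed > out_cap) return -1;            /* claim exceeds output */
    memcpy(out, rec + HDR_LEN, claimed);
    *out_n = claimed;
    return 0;
}

/* Returns 1 if the unchecked echo copies the adjacent secret into the reply. */
int unchecked_leaks_secret(void) {
    build_arena(32);                      /* header claims 32 bytes, 2 arrived */
    uint8_t out[ARENA_SIZE];
    size_t n = echo_unchecked(arena, out, sizeof out);
    return n >= sizeof SAMPLE_PAYLOAD + (sizeof SECRET - 1) &&
           memcmp(out + sizeof SAMPLE_PAYLOAD, SECRET, sizeof SECRET - 1) == 0;
}

/* Returns 1 if the checked echo rejects the same lying record. */
int checked_rejects_lying_record(void) {
    size_t rec_len = build_arena(32);
    uint8_t out[ARENA_SIZE];
    size_t n = 0;
    return echo_checked(arena, rec_len, out, sizeof out, &n) == -1;
}

/* Returns 1 if the checked echo still serves an honest record correctly. */
int checked_accepts_honest_record(void) {
    size_t rec_len = build_arena(2);      /* claim matches the 2 bytes received */
    uint8_t out[ARENA_SIZE];
    size_t n = 0;
    return echo_checked(arena, rec_len, out, sizeof out, &n) == 0 &&
           n == 2 && memcmp(out, SAMPLE_PAYLOAD, 2) == 0;
}

int main(void) {
    printf("unchecked leaks secret:  %d\n", unchecked_leaks_secret());
    printf("checked rejects lie:     %d\n", checked_rejects_lying_record());
    printf("checked serves honest:   %d\n", checked_accepts_honest_record());
    return 0;
}
```

The fix is one comparison, which is exactly the point made in the replies below: the language allowed the missing check, and nothing short of a bounds-aware type system or a review that happens to look at this line catches it. A memory-safe language turns the unchecked copy into a runtime error or a compile error rather than a silent read of neighbouring memory.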


The issue is not writing such software in some other language. The issue is rewriting such software in some other language. That's a very very large pile of functionality to implement all over again. In the process new bugs will be introduced, including new security bugs. While it's easy enough to write a toy system in some other language and get a paper published, a more fruitful approach for making a real world system secure is to do so incrementally. Look at the L4 family of microkernels for an example.


http://www.tedunangst.com/flak/post/heartbleed-in-rust

I tried writing my own commentary to go with the link, but I decided that it would just be a bad paraphrasing of tedunangst's writing.


What do you consider to be a safer language? It seems like in most 'safe' languages you are relying on the language implementer to provide security and the compiler to basically catch the same mistakes that the static analysis tools do. You could consider this a variant of, "don't roll your own" but when a vulnerability is discovered it might be out of your control until the next release.


It seems somewhat absurd to blame the existence of bugs and zero day vulnerabilities on one language, especially when that language is one of the best supported and most powerful. Unless you can figure out a way to remove humans from both the creation and use of software, I anticipate we'll have issues like these for the foreseeable future.

Of course, HN commenters like you probably think if we all switched to Go or Swift there'd never be any bugs ever again...


I don't get if you are sarcastic or not.


You may have a point there, but what are you suggesting we do about making progress on this?


Time for software vendors to plug the zero day holes.

More generally, need some assurances.

In addition, need some good zero day detection means.




For those who don't know what a zero day is: https://en.wikipedia.org/wiki/Zero-day_(computing)


A zero day is a non-publicly disclosed vulnerability. It's a very common term in the security community.


Just google it.

