What Our Top Spy Doesn’t Get: Security and Privacy Aren’t OppositesWow, I don’t know how I missed this one back last month! I wish I had written this essay. The key point is that privacy is not the antithesis of security. Most of the privacy invading “security” solutions we see are what I call “placebo security” and Bruce calls “security theatre” . Things like the “don’t fly list” which appears to catch orders of magnitude more innocents than terrorists, and the national ID card when all the terrorists had legally issued valid ID already.In fact, many measures seriously damage security, like putting personal information in the clear on drivers licenses, including Social Security Numbers in many cases! It is an axiom of security that valuable information will leak and people with access will abuse that access. The more control a government demands, the more  oversight is required. That was my real problem with warrantless wiretapping. Not the wiretapping, but the warrantless. Surveillance of anyone at any time for any reason is the hallmark of a police state. The key is independent oversight. The debate on how that should be done must be open an honest.The security vs. privacy debate seems to me to be built on dishonest assumptions. It tends to be rhetoric and political point scoring on both sides with little discussion of whether the proposed solutions or changes actually improve security, what the real trade off is, and whether that trade is worth while.We are currently being asked to sacrifice enormous amounts of privacy and freedom to confront a threat that is miniscule compared to smoking or drunk driving, threats about which few would make such arguments. 

Finnish government blacklists ‘free speech’ site | The Iconoclast – politics, law, and technology – CNET News.comHere is another Declan article that deserves more attention. In this case the Finnish government is censoring a website for publishing a list of websites he discovered to be on a secret censorship black list compiled by the Finnish government. Censoring someone for trying to speak out about censorship is almost always a bad idea. As one might expect, free speech advocates around the world have mirrored the black list so many times and in so many places, it will be just about impossible for the Finnish government to contain the spread. 

Wikileaks domain name yanked in spat over leaked documents | The Iconoclast – politics, law, and technology – CNET News.comDeclan does a really good job here of discussing a fascinating case. WikiLeaks is a Wiki based website designed to enable completely anonymous posting of tips and leaked documents. It is focused around enabling disclosure of information from repressive countries.A US court recently ordered WikiLeak’s domain name registrar to disable their domain name because of some documents on the site about questionable off shore banking activities by a group of Swiss bankers.The real shocker here is the draconian action against WikiLeaks prior to the resolution of the claim. It is also ineffective action because WikiLeaks is openly hosted under a number of domains in a number of different countries.I am very interested to see how this story develops and whether the injunction will stand up once the details of the offending materials become clear.

One of my folks at Anonymizer pointed me towards this site WiebeTech HotPlug as a follow up to my blog post yesterday about recovering data from RAM after it has been removed from power. The HotPlug tool is sold to law enforcement to enable seizure of a computer without ever turning it off. The system has several methods that allow a running computer to be transitioned to a portable UPS system without causing the computer to shut down or react in any way. It can then be transported to a lab with the OS still running.As an additional clever trick, they have a USB dongle called the “Mouse Jiggler” which simulates a mouse making constant small motions, thus preventing a screen saver from ever activating. This allows the attacker to take all the time he needs without worrying about a password protected screen saver, or any other inactivity based security trigger, activating.All this enables the attacker to get the computer back to controlled laboratory conditions before trying to access the machine or pulling the power to capture the RAM image. Yet another argument for not walking away from a running computer with sensitive information. 

Here is another article I picked up on the Qui Custodes blog of David Kaufman: Washington City Paper: Cover Story: Desk Job.This article describes a woman, without any special training, who was able to gain access to “secure” government buildings and steal money right from the desks and purses of the employees. Obviously this could have been documents and information if she had been involved with foreign intelligence. Her methods were simple. She was spotted frequently, but very few people were willing to confront her about her actions, choosing to avoid conflict. The moral here is: security is about everyone following up on everything that seems out of place or unusual. Better metal detectors, or bigger guns at the front door won’t do it. Security comes from the alert minds of everyone on the inside of the building being willing to ask direct questions.