December 14, 2017

USENIX Panel

Today I’ll be speaking on a panel at the USENIX Conference in Boston, on “The Politicization of [Computer] Security.” The panel is 10:30-noon, Eastern time. The other panelists are Jeff Grove (ACM), Gary McGraw (Cigital), and Avi Rubin (Johns Hopkins).

If you’re attending the panel, feel free to provide real-time narration/feedback/discussion in the comments section of this post. I’ll be reading the comments periodically during the panel, and I’ll encourage the other panelists to do so too.

Comments

  1. Neat idea. I wonder how well this will work….

  2. Anonymous Krispy Kreme Eater says:

    First post!

    (Because I could.)

  3. Where can I get one of those cool Krispy Kreme hats?

  4. Chris Devers says:

    We have Krispy Kreme panelists. We can’t fail.

  5. There’s a Krispy Kreme store in the mall-complex across the street (take the covered walkway/bridge). They give away the hats for free.

  6. Chris Devers says:

    The problem with that is that the mall across the street is across the street. We’re smart folks — we should be able to write a shell script to have some delivered over here.

  7. should we lobby? we should *advertise*. We need a Ronald McDonald type figure. Waldo Whitehat?

  8. But how about being partisan to our own case (freedom of research etc).

  9. So if Krispy Kreme supplies the white hats, does that make Dunkin Donuts the black hats? (There are certainly lots of them around…perhaps it’s a set up for a DDoS attack of some sort?)

  10. Thanks, Ed.

  11. Starbucks are the black hats

  12. Chris Devers says:

    The one clear thing is that Starbucks are filthy, evil imperialists.

  13. Anonymous says:

    great panel

  14. Gary McGraw’s summary — tell the truth
    * debate is healthy
    * attacking systems is part of security
    * outlawing the little boy doesn’t clothe the emperor

  15. If Dunkin Donuts wears the black hat, what does Starbucks wear? I can hear it now, “There are no hats…”

  16. Because we live in a “culture of experts”, where the average citizen looks to experts to inform their opinions, we have almost a moral responsibility to lend our expertise to topics being debated in the public arena, especially issues which affect society as a whole…….

  17. The five-minute chats don’t seem to be working too well.

    Specific cases are good. Generalities are bad. Give us more war stories. That’s what’s interesting, and that’s what we won’t read elsewhere.

  18. peter honeyman says:

    i like the jaunty angle of this grob guy’s hat.

    peter

  19. I was serious about the advertising. In Schneider’s talk he discussed four ways of changing the stakes in the security discussion:
    * Law and Regulations
    * Market forces
    * Technological improvements
    * Education and Advertising

    Microsoft spends a HUGE amount of money going for “hearts and minds”. So does the government. We counter by writing technical papers. We should be running PSA’s

  20. Re: advertising… maybe not a blitz, but a point for point refutation of bad laws or policy decisions

  21. peter honeyman says:

    po li ti ci za tion

    just sound it out.

  22. Could education of the public and officials be the answer to the innovation “infringement” problem? Maybe if we educate the lowest common denominator (whether that be the elected officials or the people that put them there) by whatever means necessary (lobbying, advertising, etc.).

  23. Chris Devers says:

    betsys’s point is fair — there is a lot of preaching to the choir in a discussion among technically savvy people that the general public will never be aware of. We should have people on, say, the David Letterman show (to pick something at random) pointing out to a mass audience that a lot of these policies are misguided.

  24. We should have people on Nick Jr too. And MTV. If they can do “Rock the vote” they can do “rock your privacy rights”

  25. There was a dramatic outcry against the DMCA before it ran. It didn’t make any difference. Remember? People assumed that it would be thrown out as unconstitutional. It wasn’t. Remember?

  26. Do they actually read their mail or do they just take metrics (for or against a particular bill)? That has been my experience.

  27. Chris Devers says:

    I’ve heard that members of Congress pay far less attention to electronic communication from constituents than old fashioned letters. Email is seen as a “disposable” form of communication, where it takes little effort and so the sentiment may not be perceived as being as weighty as letters, faxes, phone calls, etc.

  28. The industry sometimes won’t take our side because they have partnerships with content companies (Apple with iTunes, Microsoft with the push to get Windows Media into the next-gen DVD spec) or are content companies (Sony).

    I’m not sure we can counterbalance that easily–if at all.

  29. Because we live in a “culture of experts”, where the average citizen looks to experts to inform their opinions, we have almost a moral responsibility to lend our expertise to topics being debated in the public arena, especially issues which affect society as a whole…….

    But how do they know which experts to consult? For every person working for the “good” cause, there are the ones who lobby who, because they generally have more money, influence (or can influence) more.

    repeat after me, P2P is bad, P2P is bad… and so on and so forth.

  30. Greg Vernon says:

    There was a dramatic outcry against DMCA in the community, but how many of us actually contacted our congress folks about it?

  31. Ed, the politicization of computer security goes back at least 30 years. Remember the crypto wars? They started in 1976 with the DES standard…

  32. Justin Ferguson says:

    Am I jaded to think that individuals contacting their congresspeople directly with no financial support attached or implied does little good? The few times I have bothered to contact my congressperson, the best I’ve gotten back is a “Thanks for your comments.” form letter.

  33. Letters on paper are much less effective as a way to contact Congress since the anthrax attacks. Faxes may be the best remaining option.

    Perhaps someone on the panel has more insight on what Congress is listening to these days? Besides campaign contributions, of course.

  34. I did manage to have a long email talk with my state senator about a Massachusetts bill last year. He is very accessible, and participates in local email discussions. But my federal congress critter seems unreachable. is Ed Kennedy. There’s a point where politicians seem completely armored against the public. The ones who talk to the public seem to be the ones who will never rise above a certain point.
    To go higher they have to submit to the marketing machine, it seems, and stop thinking for themselves. (although to be fair, there’s probably too much stuff out there for any one congressperson to become expert on all of it, and technology has a higher ramp-up than most of the other issues)

  35. Because we live in a “culture of experts”, where the average citizen looks to experts to inform their opinions, we have almost a moral responsibility to lend our expertise to topics being debated in the public arena, especially issues which affect society as a whole…….

    But how do they know which experts to consult? For every person working for the “good” cause, there are the ones who lobby who, because they generally have more money, influence (or can influence) more.

    repeat after me, P2P is bad, P2P is bad… and so on and so forth.

    I agree that there are many self-proclaimed experts and that it is hard for people to know who to listen to…..that is not our problem quite yet…the problem we have at the moment is that we are not (with a few exceptions such as Avi and ACM ‘s lobbying efforts) yet collectively taking part in the public debate, either on a large scale individually or with a collective voice…so if people choose not to listen to us as experts, it is not because they have chosen other experts over us but because we are not yet fully engaged in the fight….

  36. I have both written snail mail and email messages to my elected official. The reply is always canned. My feeling is that an intern staffer only takes metrics unless something extraordinary is stated by the writer.

  37. That’s not to say that writing to your congressman is useless…

  38. timdoug says:

    Justin, what state do you live in? In Massachusetts when I write to my rep he sends back a page about why he supports x law, and signs it in pen.

    Probably written by one of his lackeys, but at least shows that they care enough to outline why they are for whatever.

    And also, if you use one of the online forms to send to your rep on sites like the EFF or whatever, make it send a fax rather than an email. Faxes are valued more.

  39. I was wondering when “wearing the hat” was going to pop up…

  40. Money is the ultimate vote. Emails, letters, faxes, etc. all pale in comparison.

    It is my opinion that the best time to influence your politicians is before they are elected, via campaign contributions. Letters to them after they are elected also gain power if they are backed up with money. IOW, letters from contributors have more leverage than from non-contributors.

  41. Justin Ferguson says:

    I live in Missouri. While it’s a fairly mixed state politically, the House district I live in is fairly heavily Republican, and the things I’ve written about have been fairly heavily-Democratic issues, which probably explains the somewhat lackluster response from my Republican representative.

  42. timdoug says:

    Money is the ultimate vote. Emails, letters, faxes, etc. all pale in comparison.

    But which would the average person on Slashdot (for example) rather do? Many people are very strongly against something, but they will only go so far.

  43. Chris Devers says:

    I’m sorry, Matt who? The panelists all seem to know this questioner, but I can’t read his nametag…

  44. Greg Vernon says:

    LP has a very good point. Another great time to get involved is during the party caucuses. This unfortunately makes you take a side. On the very positive side of things, you have a chance to get issues into the party platform. In the end, it’s the party platform that your congress critters make a lot of their decisions from, as they see that as coming from the grassroots level.

  45. Matt Blaze.

  46. Jim Pirzyk says:

    Avi just mentioned about the government not blowing up buildings and crashing airplanes to test against anti terrorist measures, but the National Insurance Institute does crash cars to test failure modes. We should be using more examples like that to help the public understand what we are doing.

  47. peter honeyman says:

    matt blaze

  48. I think Schneier made a great point in his talk this morning, which was to remain non-partisan when talking about security/privacy (note, not *non-politicized*). Becoming partisan opens up the possibility of being taken for granted by a certain party. I can point to several cases in which a demographic, through fierce allegiance to a *party*, loses political power over their *issue*.

  49. peter honeyman says:

    that was nat howard

  50. Second plug today for stupidsecurity.com

    DOH! I just did the third! There I did it again!! Agghh!!

  51. Fear of looking silly: I think that’s one of the strongest tools working *against* us. A battery of slick lawyers and soothing marketing folks can make it seem very comforting to agree with them, as opposed to someone spouting complex technical stuff.

    We need at the very least spokespeople who can speak in terms that politicians find comforting.

  52. Anonymous says:

    hmmm. Why IE and Windows, whoever’s computer that was?

  53. I agree with Schneier and LP. To be partisan is to turn away half of your potential allies. On these issues we have natural allies across the political spectrum.

  54. Chris Devers says:

    But how can one respond when you’re forced (or tricked) into taking a side? How does one remain non-partisan? It seems like it may be easier said than done (e.g. Diebold is obviously biased towards the right, so attacking them can appear leftist, even if you don’t necessarily see things that way).

  55. One of the biggest things we need to counter is the perception that the current administration is trying very hard to foster, that equates objecting to the patriot act as being un-american. It is very hard to appear non-partisan when the debate is being shoehorned into this sort of artificial dichotomy
    (oops, I used a big word)

  56. Perry’s right. We can’t be afraid of oversimplifying, even at the cost of perfect accuracy

  57. Chris Devers says:

    The Bush administration is really good at this “stay on message” business. We could learn from that example, even if it is annoying for every complex issue to be boiled down to such terms.

  58. (Perry didn’t say that about accuracy, but I think it follows from the simplifying. We have to be able to use analogies and simplified examples)

  59. Greg Vernon says:

    Ed, I think that you (and public figures like yourself) should remain non-partisan. However, those of us who are already partisan on other issues (non-computing) should do our part to work issues we believe in into the platforms of our specific parties.

  60. In many cases, it seems that reporters are either trained (or instructed) by their leadership to report the way they do or report just to collect a paycheck. There are no doubt some who are made to cover the stories when they would rather be reporting on sporting events. Whatever the cause for the misquotes, etc., I also believe that it is very important to “over simplify” your point. If one of the disinterested reporters knows that a summary document will be handed out after the press conference, he or she will more likely use that to write the story as opposed to taking bad notes. Of course, if the yahoo is pushing his or her own agenda or the agenda of their editor the argument is moot. In that case, at least you have proof, in writing, that you were taken out of context or whatever the case may be.

  61. Thanks to everybody who commented during the panel. All of the panelists found the comments both interesting and helpful.

    For those who weren’t present, and who might be wondering about the Krispy Kreme thing, here’s the story: all four panelists wore paper Krispy Kreme hats during the panel, for reasons too obscure to explain.

  62. Actually, it is a myth that the online community fought hard against the DMCA and lost. This bill largely passed under the radar. There was some opposition, but nothing compared to some of the crypto wars, like the failed SAFE bill.

    The DMCA was enacted on October 28, 1998. Even more than a year later you can find this article, http://www.wired.com/news/politics/0,1283,32449,00.html, by Declan McCullagh talking about it as if it is a future threat (the 1201 reference at the bottom).

    Do a Google groups search on sci.crypt or comp.org.eff.talk and you will find zero references to DMCA before the passage date. Now, this is in part because it was known at that time by the bill numbers, H.R. 2281 and S. 1121. But even using these numbers as searches, comp.org.eff.talk has zero postings on these bills in the entire year of 1998! sci.crypt has one thread from mid 1998 but it’s ambivalent and shows no signs of strong and organized online opposition.

    I think people are getting the DMCA mixed up with some other bills in their memory. The DMCA was passed to implement the WIPO treaty and so it was presented as something of a procedural technicality to implement terms to which the United States was already bound. For whatever reason, the community did not organize against this bill as it had against some others, and it passed relatively easily.

  63. The opposition to the DMCA was co-ordinated through the Digital Future Coalition (DFC) which was not quite the same thing as “the on-line community”.

    I think EFF did engage in publicity before the DMCA’s passage, and there was certainly some discussion about the Lehman Green Paper and White Paper. Would you repeat your search using those terms instead of “DMCA”?

    The Free Software Foundation was concerned about the White Paper by 1996:

    http://www.fsf.org/philosophy/reevaluating-copyright.html