Security: February 2008 Archives

When I first reported on this, it had only shown up in The Guardian, but now it's all over the mainstream press, so following up seems a bit pointless, but I should wrap it up here anyway.

Judge Jeffrey White may not have understood the consequences of what he was doing at the time, but he was not oblivious to the press coverage nor, fortunately, the constitutional questions that were raised; you can't go around shutting down publishers just because they published information that they (possibly) shouldn't have.

"There are serious questions of prior restraint and possible violations of the First Amendment," White ruled from the bench in his San Francisco courtroom. - Reuters via New York Times.

The case had rapidly escalated, with serious questions raised about whether Wikileaks had sufficient notice, whether Baer was being fully forthcoming about the situation, and even whether the Court had jurisdiction. In addition, by the time the judge decided to hold a hearing on the matter, the big guns were out in strength, with Public Citizen, the California First Amendment Coalition, ACLU, Project on Government Oversight and the EFF all weighing in.

One thing is very clear; if Baer wanted to keep their documents secret, they seriously miscalculated. Pre-blogging days you might have been able to stifle a source and assume that the complaints (if any) would come long after you stopped caring (the company is preparing a public stock offering). Instead, they saw the entire process play out in less than ten days. And those documents they wanted out of the public eye? They've been read, seen or at least heard of by hundreds of thousands of people who had never even heard of a banking group called "Julius Baer." True or not, the company's name is now indelibly associated with Cayman Islands money laundering.

But I'm sure Wikileaks appreciates the publicity.

I really hadn't been following any of this, and I'm not big on conspiracy theories (no, not even when they involve Karl Rove (as featured on the new depleted uranium half-gallon coin)). Also, it was a bribery case, and that would seem to be relatively straightforward, right? More on that after the fold. First the highlights.

Did Ex-Alabama Governor Get A Raw Deal? CBS News

60 Minutes Reports On Bribery Conviction Of Don Siegelman In A Case Criticized by Democrats And Republicans

Is Don Siegelman in prison because he’s a criminal or because he belonged to the wrong political party in Alabama? Siegelman is the former governor of Alabama, and he was the most successful Democrat in that Republican state. But while he was governor, the U.S. Justice Department launched multiple investigations that went on year after year until, finally, a jury convicted Siegelman of bribery.

Now, many Democrats and Republicans have become suspicious of the Justice Department’s motivations. As correspondent Scott Pelley reports, 52 former state attorneys-general have asked Congress to investigate whether the prosecution of Siegelman was pursued not because of a crime but because of politics.

The article goes on to describe how the key witness says he saw the Governor meet with Richard Scrushy and come out of the meeting with a check for the lottery foundation, and to detail a promise to give the man a seat on a particular board. The Governor is now serving seven years in jail. But then things get fuzzy. People come forward and talk about how the Governor was targeted. There was no specific indication of any crime—they were just fishing for evidence with subpoenas. He was the only powerful Democrat in a Republican-dominated state. One of the AGs going after him was the campaign manager for Siegelman's opponent, another the wife of a Karl Rove assistant. They didn't recuse themselves until pressed by the defense, well into the case.

“They started over. People started getting subpoenas that had never gotten subpoenas before, for testimony, for records. The governor's brother, his bank records started getting subpoenaed. The net was cast much wider than had ever been cast before,” Jones says.

“You know, on the other hand, what's wrong with the Department of Justice vigorously investigating a case if they think there is an indictment to be made on public corruption charges?” Pelley asks.

“Well, you still have to investigate crimes, not people. It undermines the entire system of justice because at that point anybody can be a target. Any prosecutor can look across the table and say, ‘You know what? I just don't like you,’” Jones says.

In this new investigation, prosecutors zeroed in on that vivid story told by Siegelman’s aide, Nick Bailey, who said he saw the governor with a check in his hand after meeting Richard Scrushy. Trouble was, Bailey was wrong about the check, and Siegelman’s lawyer says prosecutors knew it.

“They got a copy of the check. And the check was cut days after that meeting. There was no way possible for Siegelman to have walked out of that meeting with a check in his hand,” Jones explains.

“That would seem like a problem with the prosecution's case,” Pelley remarks.

“It was a huge problem especially when you've got a guy whose credibility was going to be the linchpin of that case. It was a huge problem,” Jones says.

And there was another problem with the prosecutor’s star witness: Nick Bailey was a crook. Unknown to Siegelman, Bailey had been extorting money from Alabama businessmen. Facing ten years in prison, Bailey agreed to cooperate with prosecutors to get a lighter sentence.

60 Minutes went to talk to Bailey. The Justice Department wouldn’t let our cameras into the prison, but we met with him for hours.


Bailey told 60 Minutes that before the Siegelman trial, he spoke to prosecutors more than 70 times, and he admitted that during those conversations he had trouble remembering details. He told 60 Minutes the prosecutors were so frustrated, they made him write his proposed testimony over and over to get his story straight.

If Bailey’s telling the truth, his notes, by law, should have been turned over to the defense. But Siegelman’s lawyers tell 60 Minutes they never saw any such notes and never had a chance to show the jury just how much Bailey’s story had changed.

Article pointer courtesy of Dave Winer.

So, the date on the check doesn't match the story, and the story-teller admits his memory needed prodding. That doesn't sound good at all. But unless those missing notes surface, there doesn't seem to be much hope of a re-trial.

Two points to take away.

  • "Bribery," particularly in politics, is distinguishable from "campaign donation" only by intent and timing. The former is virtually impossible to determine, and the latter is easily faked. There's not a lot that can be done about that fact, and it's why politicians need to make such an effort to avoid even the appearance of impropriety. (Unfortunately, some of them get so focused on "appearance" that they forget they are supposed to avoid the "actual" impropriety as well.)
  • Anybody can appear guilty if you monitor everything they do, particularly if the folks doing the monitoring are selective about what they disclose. This is of course especially true of politicians, but it's also true of you and me. And it's a very good response to people who are willing to give up their privacy to the Government because they have nothing to hide. The issue isn't what you've done—it's what you might appear to have done.

The current administration wants immunity for the telecom companies who performed (probably illegal) wiretaps at the request of the government.

The administration has also made it clear that they want to leave torture (or things very like it) on the table during interrogation of terrorists.

The logic in both cases is similar. They don't want to punish people who are, in good faith, trying to stop terrorism. And they don't want people to delay, worried about the consequences, in time-critical situations.

I'm a strong believer in personal responsibility. That responsibility applies to individuals and to corporations. They have a responsibility to do what they believe is right. And they need to be willing to take the consequences if they turn out to be wrong. So oddly enough, my logic is very similar to that of the administration's—I just come to the opposite conclusion.

When the government shows up on your doorstep and asks you to do something, I believe that you have a responsibility to make a decision for yourself as to whether it is legal to do that thing. And if you decide that it isn't legal, you have to make a moral decision. "Is it worth it for me to break the law? Am I willing to take the risks that come with such a decision?" The government wants to relieve individuals of making moral decisions. I believe that is wrong. What could possibly be more immoral than telling people that they can do things that are wrong without having to suffer consequences?

I believe that when you believe lives are on the line, you should go right ahead and do whatever you feel necessary to get the answers you need. I also believe that if you turn out to be wrong, you should accept the consequences of that fact. I want you to stop and think about what you're doing, and whether it's worth it. Because we all know that if you don't have to think about it, you'll take the "safe" course and do the things you shouldn't do—just in case. And lest you say that they had no choice, I'll point out that when the government came calling to them, Qwest said, "No." And we all know how far "I was just following orders" is supposed to go as a defense.

"But wait!" I can hear my critics say. "How can we possibly punish someone who saved thousands of lives by breaking the law? That's not right!"

And I agree, it isn't right. Fortunately, we have a solution for that problem. It's called a presidential pardon. That's where the President puts his reputation on the line by pardoning people who broke the law, because he believes that they shouldn't be punished for it.

So, should we legalize torture? No. Should individuals in the government use torture? Only if they are willing to face the consequences.

Should the telecom companies testify under immunity for whatever it is that they did or didn't do? Absolutely not. If this administration truly believes that they did the right thing, they are free to pardon them after the fact.

Let's be serious. This isn't about saving the telecom companies from hassle. It's about trying to hide the fact that our government acted illegally. And why should we be surprised, when we see how amoral they want citizens to be when they make a request. The ends apparently always justify the means. And personal responsibility has lost all meaning. It's gone in government, and it's gone on the streets, where cars parade by with bumper stickers that read, "God Bless America" as though heaven were a prize awarded to the best country, not the best person.

Here's a list of the Democratic Senators who refused to stand up for responsibility. Please contact them and let them know what you think. It's not too late.

As posted on Facebook:

12:07am Feb 13th

Today our Democratic leadership failed us. Here is the list of Democratic Senators who sold you out of your Constitutional protections. Sadly, one of them includes my Senator, whom I campaigned for...very sad.

If one of your Senators appears on this list, send them an email or call them and tell them how disappointed you are that they didn't stand up for your rights. Ask them to explain to you why they couldn't understand they are sending us down a paralysis path to more government and corporate abuses.

Spread the word!

Jay Rockefeller (D-WV),
Evan Bayh (D-IN),
Daniel Inouye (D-HI),
Tim Johnson (D-SD),
Herb Kohl (D-WI),
Mary Landrieu (D-LA),
Claire McCaskill (D-MO),
Mark Pryor (D-AR),
Blanche Lincoln (D-AR),
Dianne Feinstein (D-CA),
Ken Salazar (D-CO),
Tom Carper (D-DE),
Barbara Mikulski (D-MD),
Jim Webb (D-VA),
Ben Nelson (D-NE),
Bill Nelson (D-FL),
Kent Conrad (D-ND),
Debbie Stabenow (D-MI)

The February 2008 issue of Baseline Magazine has an article entitled "The Rhythm of Identity Management". It doesn't appear to be online as I write this, but you can find another article about it here on Dark Reading: "Credit Union Authenticates 'Bio-Rhythms'". The concept is simple. Different people have different patterns (cadence) to how they type. These don't have to be unique, they just have to be identifiable and unpredictable (given anything else you know about someone). The concept was used in WWII to identify enemy troop movements by tracking the movements of the telegraph operators (as identified by their typing patterns).

A company named BioPassword is now selling this as a security mechanism, fulfilling the "what you are" leg of security. That's good news for banks, because they are supposed to provide "dual-factor" authentication, and this gives them a way of doing that without requiring the customer to own some piece of hardware which either won't work with their computer, or will get lost along with their TV remote.

Unfortunately, along with trivia about your second cousin once removed, and other odd security mechanisms, this lip-service to "dual-factor" isn't providing any additional security at all.

Here is my letter to Baseline's editors:

I find it ironic that in the same issue where TJX is taken to task for putting costs before security, Forum Credit Union makes the very same choice.

The traditional legs of security are "something you know," "something you have," and "something you are," but it turns out that's not quite enough—none of those three may overlap. Going with typing cadence as a security mechanism adds the "something you are" leg, but what works in a corporate environment does not necessarily apply when your user is on an unsecured computer in their home. You have to assume that any information entered onto the remote computer is potentially available to a hacker. When that is the case, any non-changing information can be trivially abused, and the whole reason cadence analysis works is because it doesn't change. In essence, "something you know" has become "something your computer can know", and in that context, typing cadence is just another static password.

If the hacker is able to obtain the user's name and password by sniffing keystrokes, then obtaining the timing of those keystrokes is a trivial addition. BioPassword's solution is simply a Flash-based plugin that gathers the typing information. It has no security hooks in the operating system to ensure that nobody else is listening to, or simulating, the input stream. (In any case, it's unclear that such checks would be sufficient on a compromised machine.) A remote hacker can record the timing and then just play the keystrokes back on their own machine, even introducing artificial jiggle should it be necessary.

The reason most USB Tokens and Key Fobs are secure is that they generate one-time passwords synchronized (on a per-device basis) with a server in the back-office. The hacker can get the password, but it's only good for a single use within a 60 second time-span.

BioPassword sounds like a reasonable solution in a corporate environment, where machines are kept secure. In the outside world, it is secure only so long as it remains obscure.

I believe Forum Credit Union would do well to reconsider whether $20 is really too much money to spend truly securing a customer's bank account.

Kee Hinckley
CEO/CTO Somewhere, Inc.
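
The letter's contrast between a static cadence and a one-time password, as an added example (not code from the letter or from BioPassword): a toy cadence check with a constructed profile and a hypothetical 15 ms tolerance keeps accepting a recorded sample, even with timing noise, while a one-time code is refused on reuse and after its 60-second step. RFC 6238 TOTP stands in here for the tokens' algorithm, which the letter does not name.

```python
import hashlib
import hmac
import random
import struct

# Constructed data: gaps (ms) between keystrokes of one password.
ENROLLED_GAPS_MS = [142.0, 98.0, 210.0, 121.0, 175.0, 88.0, 160.0]
RECORDED_LOGIN_MS = [140.0, 101.0, 205.0, 125.0, 170.0, 90.0, 163.0]
TOLERANCE_MS = 15.0  # hypothetical acceptance threshold


def cadence_matches(sample_gaps_ms, profile=ENROLLED_GAPS_MS, tol=TOLERANCE_MS):
    """Accept when the mean absolute deviation from the profile is within tol."""
    if len(sample_gaps_ms) != len(profile):
        return False
    mad = sum(abs(s - p) for s, p in zip(sample_gaps_ms, profile)) / len(profile)
    return mad <= tol


def replay_with_jitter(recorded_gaps_ms, jitter_ms, seed):
    """Model of one recorded login presented again with small timing noise."""
    rng = random.Random(seed)
    return [g + rng.uniform(-jitter_ms, jitter_ms) for g in recorded_gaps_ms]


def totp(secret, unix_time, step=60, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1); the 60-second step follows the letter."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side: accepts the code of each time step at most once."""

    def __init__(self, secret, step=60):
        self.secret, self.step, self.last_step = secret, step, -1

    def verify(self, code, unix_time):
        current = int(unix_time) // self.step
        if current <= self.last_step:
            return False  # this step's code has already been used
        if not hmac.compare_digest(code, totp(self.secret, unix_time, self.step)):
            return False
        self.last_step = current
        return True
```

The cadence check has no notion of freshness, so nothing in it can tell a live login from a stored one; the verifier's `last_step` and the time counter are what give the token that property.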


About Me

I'm the CEO/CTO of Somewhere, Inc., a company building a unified social networking layer that gives people the means to track their friends across multiple social networks.
This weblog is licensed under a Creative Commons License.