The fox in the henhouse, cyberspace edition

Again, before I get into discussing exactly what this email is about, I need to lay down the background on who’s who and what’s what. Otherwise, it’s easy for one to gloss over all of this and assume it doesn’t affect oneself, when in reality this potentially affects or could affect a large chunk of the users of the Internet.

In the beginning, there was the original Unix, AT&T Unix. The University of California at Berkeley made their own version of Unix based on AT&T’s code and called it BSD. There exist today several different operating systems that came from the original BSD code: FreeBSD, NetBSD, OpenBSD, DragonFly BSD, etc. Due to its liberal license, code from BSD was used in many places; instead of writing their own software for Internet connectivity (the TCP/IP stack, for those who know what that is), Microsoft adapted the one from BSD. Apple Mac OS X also uses software adapted from FreeBSD and NetBSD, which also trace their lineage back to the original BSD. Many GNU/Linux distributions also use software which came from BSD. Put simply, it is likely that your computer has some software on it somewhere which originally came from BSD.

Of particular note in the BSD-derived operating systems is OpenBSD. The OpenBSD project was started by Theo de Raadt as a fork of NetBSD originally due to conflicts with the latter project’s leadership back in 1995. The focus of OpenBSD became security, and today many consider it the most secure operating system on the planet.

OpenBSD has software built into it to implement IPsec, which appears to have been started in the latter half of 1997. Theo de Raadt recently received an email from Gregory Perry. Gregory was working with a company called NETSEC and helped arrange funding for the OpenBSD Crypto Framework, upon which the IPsec software is based. The email, which Theo forwarded to the tech@openbsd.org mailing list, contains a rather direct accusation that developers accepted money from the FBI to weaken the IPsec software in OpenBSD (specifically, to add “backdoors” to it intended for FBI use).

The full email, archived on marc.info, also implies that this sabotage of the IPsec software in OpenBSD is the reason that the OpenBSD project lost its DARPA funding suddenly and unexpectedly. Now, back in 2003, sources such as ComputerWorld reported on Theo’s no-nonsense comments against the war on Iraq (such as the often-quoted “I try to convince myself that our grant means a half of a cruise missile doesn’t get built”) and it was suggested these were DARPA’s motivation.

First, Theo is to be commended for, as he states, “refus[ing] to become part of… a conspiracy.” It is not an easy decision for anyone, let alone someone of Theo’s stature, to decide to publish a private email. It involves a careful consideration of the consequences of violating a social norm for the greater good, and he acknowledges this:

Of course I don’t like it when my private mail is forwarded. However the “little ethic” of a private mail being forwarded is much smaller than the “big ethic” of government paying companies to pay open source developers (a member of a community-of-friends) to insert privacy-invading holes in software.

(I’ll get back to this decision Theo had to make in a bit.)

Gregory also deserves some recognition here, for blowing the whistle as soon as he was legally permitted to. This email serves as a prime example of the kind of damage a non-disclosure agreement (NDA) can do to the public good. I don’t think all NDAs are bad, and it’s way too easy to see why the FBI wouldn’t want the news of backdoors in OpenBSD’s IPsec software getting out. And, to be fair about it, I honestly think Gregory expected his email to become public; had he wanted this to truly remain a secret, he would have told no one. This almost certainly weighed into Theo’s decision as well.

This news has anywhere from annoying to disastrous consequences for users of OpenBSD’s IPsec software, and of products derived from it. The latter half of this is the most troubling, as Theo wrote in his email:

Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.

However inconvenient it may be for law enforcement agencies such as the FBI, back doors in security software are still weaknesses. It is easy to forget sometimes that computers are pretty stupid; they do what humans tell them to do. Exactly what humans tell them to do. A computer cannot, by itself, tell the difference between honest, largely law-abiding citizens such as me and the vast majority of you out there reading, someone acting with criminal intent, someone representing the FBI or another law enforcement agency, or someone working with a group like al Qaeda or the Taliban. As an example, anyone who knows my password on any of my computers can type in the username (which is usually not intended to be kept secret; mine is normally “skquinn”) followed by that password (which is intended to be kept secret), and will be logged in as me. It does not matter to the computer one bit whether it really is me, a police officer who wound up with one of my computers somehow, legally or not (and whom, as a rule, I would not want just going through the stuff on my computer; I value my Fourth Amendment rights), or an al Qaeda operative who somehow has access to my computer. (Sidenote: Biometric devices such as fingerprint scanners can be fooled as well, and in fact are in some cases more dangerous than a password typed in via the keyboard, as once they are compromised, changing one’s fingerprints is impossible for all practical purposes.)

So it follows that the same “backdoors” the FBI put in will work for anyone who knows about them, regardless of their good or evil intent. Such “backdoors,” as well as unintentional security holes which stem from bugs (programming errors) in the software, get found without the help of the source code (a human-readable form of the computer’s instructions) all the time. It was and is incredibly naive and stupid of the FBI and like-minded law enforcement agencies to assume that these “backdoors” would never be found.

We may not know for several more years just how much damage has been done by developers bribed by the FBI. This is but one small example of why I tend not to trust law enforcement agencies. Shame on the FBI for weakening the security of computers worldwide, including those outside of US jurisdiction. I hope restitution is made that involves fixing the intentionally broken software made fraudulently by programmers on the take from the FBI. That, and a pledge never to violate our privacy and peace of mind in such a fashion again, would be the minimum needed for me personally to start trusting the FBI again. Sadly, I don’t see that coming.

Controversy, art, and “Fire in My Belly”

Over the two years this blog has been in existence, I’ve called out quite a fair number of people and organizations that have attempted censorship of the expressions of others. I believe very strongly in freedom of speech and freedom of the press as guaranteed by the First Amendment of the US Constitution (and as acknowledged in, for example, Article 19 of the UN Universal Declaration of Human Rights). I also agree in principle with the stated mission and objectives of the Smithsonian Institution. I recognize the Smithsonian’s prestige, but I am not in the least intimidated by it.

Especially when the people in charge of the Smithsonian today do things like censoring the work of artist David Wojnarowicz, who has been deceased since 1992. More horrifying than the censorship was its motivation. Two Republican Congressmen (Eric Cantor and John Boehner) threatened to yank funding for the Smithsonian if the video “Fire in My Belly” was not censored. In the words of Rep. Cantor, the exhibit is an “outrageous use of taxpayer money and an obvious attempt to offend Christians during the Christmas season.”

I find this assertion abominable and a slap in the face at the intent of the First Amendment. Yes, some art is controversial, and there are pieces of art that may be offensive to certain groups or individuals. That’s hardly a reason to threaten to slash the budget of the Smithsonian like a ten-foot-tall growth of weeds, and Reps. Cantor and Boehner should be ashamed of themselves for such a heavy-handed action.

The good news is that the art community has stood up for the First Amendment. In particular, the Warhol Foundation has demanded the restoration of the exhibit under threat of a cessation of funding. Also of note, Jon O’Brien of Catholics for Choice published an open letter to Smithsonian Secretary G. Wayne Clough which states in part:

…your decision to censor David Wojnarowicz’s art has sullied the reputation of the National Portrait Gallery and does a disservice both to the arts community and the public. For artists, it suggests that in order to be considered by your gallery, their art may have to be uncontroversial. For the public, it suggests that what they see at the gallery may not be the full story, that exhibitions may be tailored so that they do not offend anybody. Neither scenario is positive.

Censorship of the arts is the last thing that an art institution should be doing. You have set a low standard for yourselves, and for your public. The National Portrait Gallery plays an important role in the cultural life of the city and the nation. Your decision sends the worst possible message to artists, to other cultural institutions and to the American people.

As commendable as both of these moves are, the management of the Smithsonian has yet to flinch. This censorship is every bit as bad as the grants Andres Serrano lost in the wake of Piss Christ, which some of my readers might even be too young to really remember. I just happened to be reading Time that month, or I would not have known about it either. Yes, I will admit there was a time I did not follow the art scene that closely. Apparently, the entire Piss Christ controversy has been long forgotten because it’s being repeated. As said by George Santayana, “Those who cannot remember the past are condemned to repeat it.” Or, if you prefer a more contemporary quote, there’s Yogi Berra’s “It’s deja vu all over again.”

Art made to be non-controversial to avoid censorship is much more likely to wind up boring. A nation with boring art is doomed to become a nation of boring people. My own life is boring enough some days; it’s nice to be able to go to an art gallery and see something interesting.

I want to see America stay interesting. I can’t be the only one.

The story of Katie and the Star Wars water bottle

Maybe you’ve already seen it by now. CNN.com recently ran a story about Katie Goldman, a first-grader (7 years old) who likes Star Wars and who was teased at school for it. It wouldn’t be a newsworthy story, except for the curiosity of her mother, Carrie Goldman, who asked Katie about it until she finally got an answer. Carrie’s post on her blog entitled Portrait of an Adoption tells more of the story. I quote in part:

[A] week ago, as we were packing her lunch, Katie said, “My Star Wars water bottle is too small.  It doesn’t hold enough water.  Can I take a different one?”  She searched through the cupboard until she found a pink water bottle and said, “I’ll bring this.”

I was perplexed.  “Katie, that water bottle is no bigger than your Star Wars one.  I think it is actually smaller.”

“It’s fine, I’ll just take it,” she insisted.

I kept pushing the issue, because it didn’t make sense to me.  Suddenly, Katie burst into tears.

She wailed, “The first grade boys are teasing me at lunch because I have a Star Wars water bottle.  They say it’s only for boys.  Every day they make fun of me for drinking out of it.  I want them to stop, so I’ll just bring a pink water bottle.”

Is this how it starts?  Do kids find someone who does something differently and start to beat it out of her, first with words and sneers?  Must my daughter conform to be accepted?

Carrie closes her blog post with a call to action for other female Star Wars fans, and a reminder that it works the other way too (of course, it’s much easier to see boys getting teased for the pink water bottle). The CNN story goes on to mention Jen Yates’s entry to her blog epbot.com, a comment from Catherine Taber who voiced Padme Amidala in the animated series Star Wars: The Clone Wars, and the school’s first Proud To Be Me Day, to be held tomorrow (December 10).

My reaction to the story is multi-faceted, since it touches on a lot of things I have a strong opinion of. But first, a bit of background.

I was quite into Star Wars when I was a kid; the original theatrical releases of the first three movies (which are actually Episodes 4 through 6 in the sequence). I endured my share of teasing and bullying growing up. Even though I was at a private school through my elementary school years, little was done about it. (Remember, this was the early 1980s; if there were any communities they were bulletin boards on dialup modems, and the Internet was still primarily for research and would not open up to the public for a few more years. There were no websites or mommy blogs as we know them today.)

My ordeal with bullying and teasing eased up some after I transferred to a public school and moved in with my mom between my fifth and sixth grade years. It was still difficult to deal with some kids who just didn’t want to accept me for who I was. It was hard for me to make and keep friendships, a problem that has followed me well into adulthood.

First, Star Wars. Having grown up with Star Wars, it was a shock to me that anyone, any age, would ridicule another for showing off their support of George Lucas’s best known work. My interest in science fiction in general is not what it once was, but were George Lucas to change his mind and make Episodes 7 through 9, I’d probably still make sure I saw them in the theater during their original theatrical run, just to say I did. (Which, unfortunately, I cannot say for Episodes 1 through 3, which I only saw on DVD.)

Second, the (perceived) gender stereotypes upon which Katie’s bullying was based. Somehow and somewhere, these first-grade boys got it stuck in their heads that Star Wars is only for boys. These same boys probably also have it stuck in their heads that pink water bottles are for girls, and would undoubtedly ridicule a boy who had one the same way they ridiculed Katie. (It would not surprise me at all if Katie knew this and went straight for the pink water bottle thinking “the boys will never tease me for drinking out of this one.”) This disturbs me greatly. I’ve never been the most “macho” boy of the group; whether or not this was the root cause of some of the bullying I endured is up for debate. Either way, I honestly think it is not good for our generation to have such strong gender-based stereotypes at the tender young age of seven (there’s plenty of time for them to learn that, particularly post-puberty), and I think it would behoove us as a society to figure out where our kids are learning these things.

(Sidenote: I recall one instance of bullying against me where I was criticized for wearing my pants “low like a (female dog).” So I pulled them up as high as I could for the next few days. I was later criticized for wearing them “high like a (female dog)” which, unfortunately, was not far from what I expected; my response was “Which is it? Because you just said ‘low like a (female dog)’ a few days before.” That shut them up for a while.)

Third, bullying in general, particularly among elementary school kids. We know school bullying has gotten more publicity in recent years. I’m not sure if it’s just that we know more about it now that the Internet has brought us all closer together (meaning that the bullying problem was this bad all along, we just didn’t know), or if the problem is a new one that happens to coincide with the Internet era. Either way, Katie’s story is a call to action. The kids that are in school today need to be taught in no uncertain terms that bullying is not okay.

Fourth, individuality (and some of this goes back to gender stereotypes as well). Everyone is different; no two people are exactly the same. The sooner in life people learn this, the better the world will be. It’s okay to be different, in the minority, to be the one girl in the class that likes Star Wars and playing football, to be the one boy in the class that likes pink water bottles and playing with dolls. While some professions are dominated by one gender over another (when I was in elementary school most of the boys thought it was odd that a boy wanted to be a teacher when he grew up), almost every career has at least some of both. It goes the same for a lot of things, including medical conditions. Not everyone is born or grows up in perfect health; I was underweight through a good portion of my childhood (you would never know this looking at me today).

Fifth and finally, the spectacular (if not first-rate) parenting skills of Carrie Goldman, without which this entire story as it happened would not have been possible, and also without which the result could have been disastrous at some point in the future. I wish there were more moms (and dads) like her out there, with strong and finely tuned instincts (would I be that wrong to refer to such instincts as “The Force?”), that know there’s more to the story than the water bottle is too small. This is an example of parenting every mom (and dad) can learn from.

In closing: To Katie, Carrie, and young bullying victims and their parents everywhere, may the Force be with you. Remember that you’re not alone.

Thoughts on Wikileaks, diplomatic cables, and the future of journalism

Unless you’ve been living under a rock or otherwise intentionally avoiding news reports for whatever reason, you have probably heard something about Wikileaks (if down, try this IP address-based link) and its release of cablegrams between embassies which has sparked a huge controversy. In case you haven’t, or you need to be brought up to speed quickly (all from CBS News):

And this is of course just the tip of the iceberg. I could link you to all the press coverage, but I’d be here all night doing that alone before offering up my viewpoint on some of the things that have happened.

The publication of documents intended to be kept secret is a balancing act that at times makes a circus tightrope walker’s routine seem easy by comparison. I was somewhat familiar with Julian Assange and the Wikileaks site prior to the cablegram releases. However, I had not spent a great deal of time visiting the site on a daily basis. That’s about to change; suffice it to say that I will probably be writing about the material on Wikileaks on a semi-regular basis, especially since the latest release has threatened the site’s continued existence.

And I feel that is a shame. I trust Julian’s judgment, and I do not believe he or the others responsible for maintaining Wikileaks would release the 652 cablegrams marked “Secret” without good reason. From the FAQ:

US authorities have said the release may put people at risk. Is this true?

Wikileaks has a four-year publishing history. During that time we have released documents pertaining to over 100 countries. There is no report, including from the US Government, of any of our releases ever having caused harm to any individual. For this release we are releasing the documents in a gradual manner, reviewing them with the assistance of our media partners.

And later on:

What will the effect be on the Middle East?

One newspaper has alleged the cables might destabilize the Middle East. These cables, by giving the players an unvarnished description of how they are seen, there will be a common ground on which to effectively negotiate peace and stability. We do not see this as a risk of destabilisation, but an opportunity for stabilisation and reform in the Middle East.

While it may be embarrassing to certain individuals for some of the contents of the cablegrams to be made public, this is not the same as being “put… at risk.” Sometimes, journalism requires embarrassing a few people for the greater good.

Until and unless there is hard evidence that someone has been injured or killed as the result of a release of information in the style of Wikileaks (not just from Wikileaks itself, but from any other organization which releases information in the same style), I personally regard Julian Assange as more of a modern-day hero, unlike some who appear to call him a modern-day zero (or other choice words, including “terrorist” and a few things I prefer not to put here).

I believe Wikileaks and websites like it are the future of journalism. Granted, most websites placed online will not have content quite as controversial as the leaked cablegrams currently at the center of attention. However, there is no shortage of information which large corporations, governments, or wealthy and influential individuals want to keep secret, which should be made public. As said by Thomas Jefferson, “An informed citizenry is the only true repository of the public will.”

I believe the latest release from Wikileaks has demonstrated the saying “information wants to be free” has never been more true, and has shattered any remaining doubts that the Internet is just a passing fad. It matters little what Amazon, Paypal, the US government, and others that wish to try to censor Wikileaks do. In the long term, they are all fighting a losing battle.

I wish Julian and his partners the best of luck in continuing the success of Wikileaks. May freedom of the press win and censorship lose.

Blocking traffic is a felony? Really?

As a former professional driver (messenger/courier), I’ve dealt with my share of traffic. I know first-hand it’s not the job to take if you’re trying to reduce your blood pressure from an unhealthy level, or if you’re trying to quit drinking, smoking, or swearing. (I was mostly guilty of the last of these, and I’ve joked that all couriers in Houston are fluent in two languages: clean English and profanity.) For those and other reasons, it’s a job I will probably never take up again. I’ve learned a lot from the experience.

Nevertheless, I was a bit dismayed to learn that over in Los Angeles, the DA is filing felony conspiracy charges against a rap group (the Imperial Stars) that blocked a freeway for a publicity stunt (laweekly.com). My rationale is this: there are all kinds of traffic accidents that result in a freeway getting shut down in major cities across the US (and elsewhere). The driver at fault rarely gets cited for a felony for the accident unless it results in serious injury or death, and even then it is only for that and not the consequential traffic tie-up.

I don’t approve of what the Imperial Stars did. It’s inexcusable. However, I feel making it a felony is a step too far. Appropriate relief would include misdemeanor charges, and an injunction forbidding them from repeating this stunt. That, combined with the civil liability as suggested by one of the commenters on the LA Weekly story, is enough of a deterrent. Actually, the civil suits alone and resulting bad PR should be plenty to ensure that not only do the Imperial Stars not repeat this ill-advised stunt, but that nobody else tries this.

Please, let’s reserve felonies for the truly serious crimes. Not blocking traffic.