Wednesday, June 30, 2004

USENIX '04: Security SIG, Avi Rubin et al: The Politicization of Security

This talk appears to be sponsored by Krispy Kreme, but WASN'T. Just so we're clear on that.

Moderator, Avi Rubin, JHU
Gary McGraw, Cigital
Jeff Grove, ACM
Ed Felten, Princeton

Rubin has no background in politics, but has had to deal with it while getting involved with e-voting.

Ed Felten's blog - http://freedom-to-tinker.com

Live chat blog: http://www.freedom-to-tinker.com/archives/000632.html#comments

*****

Diebold, by promising to deliver Ohio to Bush, put their agenda too front & center. Rubin tried to keep his politics out of the discussion on C-SPAN, but was called out as a Democrat after a caller asked his politics and was told that he is a nonpartisan computer scientist.

The Congressional committees are polarized: he testified before the committee, then the Democrats called him back to testify again when the Republican leadership wasn't around. Eventually the Republicans wouldn't agree to let that meeting proceed, so he didn't get the second chance to speak; maybe he will next month.

Washington has never been more politicized. CS geeks need to get involved & learn to speak to the wonks.

*****

Felten: it's false to assume that one side of the political spectrum will be more willing to help us than the other

*****

Gary McGraw

As computer scientists, we're vulnerable to the same risks that were faced by Galileo, Darwin, Oppenheimer, et al. before us.

Security is a sensitive subject: in managing risks, individual rights are often trampled (DMCA, Patriot Act), and technology can compound this problem (Echelon, CSS).

A big budget does not imply good security (Java marketing, Windows, Diebold).

Full disclosure is an open question: open, liberal societies let the public decide based on clear evidence; debate is healthy, and attacks are necessary and in some ways constructive.

*****

Jeff Grove

Has worked for the past decade as a lobbyist for technology issues.

Bad laws have made it through, and more are on the way. There are European cybercrime laws that are now being considered in the Senate; these laws need close scrutiny.

Laws under consideration now will have unintended consequences, with regulation of P2P networks spilling over to technologies like email, IM networks, etc. We don't want to risk letting non-infringing technologies be suppressed by uninformed regulators in the government.

*****

Ed Felten -- "Fun with the RIAA"

Alex Halderman studied a DRM technology for CDs from a company called SunComm that could be defeated by holding down the shift key when inserting the CD (and for the 30% of people who turn off autorun, the protection never engaged at all). SunComm threatened to sue, and Princeton management panicked as SunComm pressured the university to crack down on its researchers. Felten got the school to come around to why security research is valuable, and they now defend him.

Sen. Brownback and the broadcast flag, a proposal that would limit the scope of legislation to decrypt encrypted television broadcasts. "It was clear that the entire thing was theatre." It was a chance for interest groups to send messages to each other, make speeches on the record, etc. -- BUT NOT ACTUALLY DEBATE AND REACH A MUTUAL CONCLUSION. Everyone was too entrenched in their positions to reach any kind of consensus.

*****

General discussion

Rubin: In an era of soundbite media politics, an out-of-context remark can get both sides pissed at you. A remark that he didn't know whether voting machines are vulnerable or not ended up getting both pro- and anti-e-voting people up in arms.

Grove: The "all politics is local" bromide is relevant: you have more influence over local officials than you ever will at a national level, so leverage that.

Felten: the penalties mandated by laws like DMCA are draconian, but prosecutorial discretion is a useful counterbalance to such extremities.

*****

Questions:

The Slashdot effect can be useful: it brought unwanted attention to Michigan's "SuperDMCA", and brought 5,000 letters to SunComm executives.

Being open is obvious and conservative to scientists, but seems radical to politicians. We need to make it clear to politicians that this is sound, well-accepted reasoning. (Questioner: Matt Blaze -- the panelists all seem to know him.)

Getting involved at the local level can encourage issues to "trickle up" to the state & federal level -- either by bringing national recognition to current issues, or by getting yourself known to people who will be players at higher levels in 10 or 15 years.

Nat Howard really wants USENIX attendees to know about his site, stupidsecurity.com. Two mentions so far!

Rubin: Getting the League of Women Voters to add a one-line comment about "auditability" to their policy statement was perceived in the press as a drastic policy change, even though that wasn't their intention. In any case, this was effective & appreciated.

Perry [...]: In dealing with the press, the most frustrating useful advice is "DON'T BE COMPLICATED." Don't give them room to misinterpret nuanced points, and don't give them room to take comments out of context. Handouts restating the official version of your point of view are also effective reinforcement.