Comment Freewill is Fun! (Score 1) 401

Freewill is fun to debate. There are so many levels:

  • 1) If it bothers you to be following somebody else's orders, then you probably have free will.
  • 2) If you can ask: "Do I have Free Will?" then you have finished level 2.
  • 3) You complete Level 3 by doing a random thing, and then saying: "I'll bet they didn't predict that!"
  • 4) Level 4 consists of unproductive analysis of the limits of comprehension and influence of an unknown Capable Mind.
  • 5) Level 5 is when you realize that you don't need to know everything, you just need to know yourself. Once you clearly understand yourself, you lose free will.
  • 6) Level 6 mostly consists of drunken babbling.

Comment Some more guidance on setting up SSH (Score 1, Informative) 99

Here is the guide we provide to the SSH users at our University: https://it.wiki.usu.edu/ssh_description

Some of the major points:

We try to use multiple overlapping security layers to protect SSH:

  • The firewall limits the vulnerable scope of SSH to a few trusted hosts.
  • The firewall can also be used to prevent credential guessing by rate-limiting connections to the SSH port.
  • The SSH port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
  • The SSH server should not allow known usernames, including root. The attacker must find a username.
  • The admin is trained to create good passwords for his usernames.
  • SSH users are taught to verify the identity of their systems when they first connect.
  • System admins must regularly review the activity of their SSH servers.
  • USU IT Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
  • USU has SSH honeypots that help us respond to SSH attacks.
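The post above lists layers (non-default port, no root login, a restricted set of usernames, rate-limited password guessing, regular review of server activity) without showing how an admin would check them. The following is an added example, not code from the post's author or from USU: a small Python audit that reads an sshd_config the way sshd does (first value for a keyword wins) and flags the weak settings the post warns about, plus a review routine that summarises failed logins per source address from OpenSSH-format auth log lines. Both configs and the log lines are constructed samples, and the `Match`-block handling is a simplification of this example, not sshd behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed sample configurations (not any real host's sshd_config).
WEAK_SSHD_CONFIG = """\
# weak: ignores the layers the post lists
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers alice bob
"""

HARDENED_SSHD_CONFIG = """\
# non-default port, root disabled, named accounts only, key auth only
Port 2222
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): first value}.

    sshd keeps the FIRST value it reads for a keyword, so a later duplicate
    cannot override an earlier one; setdefault mirrors that. Directives after
    a 'Match' line are conditional and are skipped here (simplification).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Return [(keyword, finding)] for settings the post's layers rely on."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("port", "22") == "22":
        findings.append(("port", "default port 22; not usable as a shared secret"))
    # An absent PermitRootLogin defaults to prohibit-password, which still
    # lets the well-known 'root' name authenticate with a key.
    if s.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append(("permitrootlogin", "root login is not disabled"))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("allowusers",
                         "no AllowUsers/AllowGroups; every local account is a login target"))
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("passwordauthentication",
                         "passwords accepted; strong passwords and firewall rate limits required"))
    return findings


# Constructed auth log lines in OpenSSH's format (documentation IP ranges).
SAMPLE_AUTH_LOG = """\
Sep  6 10:01:02 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Sep  6 10:01:05 host sshd[1235]: Failed password for invalid user oracle from 198.51.100.7 port 51002 ssh2
Sep  6 10:01:09 host sshd[1236]: Failed password for root from 198.51.100.7 port 51004 ssh2
Sep  6 10:02:00 host sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Sep  6 10:03:30 host sshd[1241]: Failed password for invalid user test from 203.0.113.9 port 60000 ssh2
"""

FAILED_RE = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def review_auth_log(text, threshold=3):
    """Summarise failures per source; sources at/above threshold are 'noisy'.

    The usernames tried per source show whether a guesser is working from
    a generic list (admin, oracle, test) or already knows a real account.
    """
    failures = Counter()
    usernames = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            usernames[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append((user, src, method))
    return {
        "failures": dict(failures),
        "usernames": {src: sorted(u) for src, u in usernames.items()},
        "accepted": accepted,
        "noisy_sources": {src: n for src, n in failures.items() if n >= threshold},
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg))
    print(review_auth_log(SAMPLE_AUTH_LOG))
```

Run it as-is to see the weak config produce four findings and the hardened one none; point `review_auth_log` at real `journalctl -u ssh` or `/var/log/auth.log` output to get the per-source summary the post says admins should review regularly.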

Comment Re:Security is possible, but you must focus. (Score 1) 174

Tell me which university you work for.

Hi Ruir,

I work for USU. We are the Land Grant university for Utah. We built the WISE satellite for NASA.

If you are interested in our approach to security, I made a couple of introductory YouTube videos:

Good Luck!

Comment Security is possible, but you must focus. (Score 3, Informative) 174

I have been doing IT for 30 years. I have been doing Security for a University for about the last 15 years. I have found that security is possible, but you have to focus.

The biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.

Security is a meaningful assurance that your goals are being accomplished. The details are transitory. But, without goals, security has no point. Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security. Your organization adds value by sticking to its goals. But this is more than just a matter of value added. Goals are the spirit of the organization. If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.

But, security folks are not taught how to support institutional goals. Instead, we are taught a myriad of other things. You can see examples of the mechanics of security defeating meaningful security all over the place. One striking example is the SANS 20 Critical Controls: http://www.sans.org/critical-security-controls/ While they contain many good points, they fail to teach security. When we analyzed them, we found that they tended to replace security process with checklists. When we had finished the evaluation process, we had eliminated, reordered and replaced many of their controls. Our most important control was not even mentioned. It is:

Critical Control 1: Unity of Vision

Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?

  • A. How does your organization create a sense of community?
  • B. What are your Institution's Goals?
  • C. How are those goals propagated throughout the organization?
  • D. How do your security actions promote your institutional goals?
  • E. How do your security actions provide assurance to your institution?
  • F. How does your institution reward long term loyalty?

Another glaring omission is the complete lack of strategic thinking in the security community. Winning battles, but losing the war is our way of life. Nothing in the SANS controls guides you to ask the important questions like: "Where am I going?" and "How did I get in this handbasket?" and "Do I HAVE to eat this crap?" For our analysis of the SANS Controls, we added another Control. We valued it at number 3:

Critical Control 3: Enable a Better Future

This control assumes that our actions affect the future. Do your actions enable a more secure future?

  • A. How do you increase the cost of attack?
  • B. Do you report attack to the remote ISP/attacker?
  • C. How do you coordinate with law enforcement?
  • D. How do you decrease the cost of defense for yourself and others?
  • E. How do you reduce the motivation for local attack?
  • F. Do you disclose vulnerabilities to others? If so, will your institution protect its people when others attempt to punish disclosure?
  • G. Do you facilitate others disclosing vulnerabilities to you?
  • H. Do you help your peers improve their security?

The SANS 20 Controls were originally written by the NSA for the Department of Defense: http://www.sans.org/critical-security-controls/history.php The recent NSA disclosures make me wonder if maybe they are flawed, because the NSA simply doesn't value effective security?

Comment NO No no. You ATTACK enemies. You HELP friends. (Score 2, Interesting) 81

We finally found the NSA mentioned in the same sentence as an actual, tangible, external threat. And now we see that instead of attacking them, they are giving them money?!? How can they get confused on this? You ATTACK enemies. You HELP friends.

The Exploit marketplace (here symbolized by VUPEN) is possibly the greatest threat to the existence of the internet. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is a great driving force reconfiguring the Internet for Attack, instead of Defense.

VUPEN is a worthy opponent. The NSA should hack them front, back and center. They should never pat them on the head and give them money.

It looks like the Exploit Marketplace was dreamed up, founded and sustained by the NSA. The leaked Black Budget showed that the NSA devotes huge resources to purchasing exploit. We have also learned that the NSA's budget included vast resources to create exploit:

"The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs." (From last week's New York Times and Guardian articles)

So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace. The NSA is no longer debating the Equities issue (https://www.schneier.com/blog/archives/2008/05/dualuse_technol_1.html). They have only token interest in defending the Internet.

If we could just get the NSA out of the exploit market, the whole thing would probably collapse like 2008's Housing bubble.

Comment Re:You know where it went.. (Score 3, Interesting) 234

You're missing the point. A lot of this was unintentional. They made the USPTO run on fees that were charged for patents, which gave the USPTO an incentive to rubber stamp patents while not receiving sufficient funding to cover the cost of having patent examiners that could do the investigation that they used to do.

I'd like to think that this mess is unintentional. But many of the recent changes to the USPTO appear to have optimized it to create lots of poor quality patents. I believe that we could reverse these changes. But, we would need to muster the political will to admit we have made mistakes. I have listed some of these obvious structural problems at: https://plus.google.com/b/101806809558932714222/101806809558932714222/about

I believe that the most serious problems with the structure of the USPTO are:

  • 1) More patents are not better than fewer patents. Patents are not Innovation. Patents are not Progress. Patents are simply grounds to file a lawsuit against an industry. More Patents are simply more grounds for more lawsuits. An occasional lawsuit might spur innovation. BUT LAWSUITS DO NOT PRODUCE. Lawsuits are parasitic on innovation and production. Reform must recognize that patents are dangerous monopolies. Reform must place hard limits on the number of patents.
  • 2) Running the US Patent Office as a cost-recovery operation is a mistake. The US Patent Office is a very small, but critical component of the US economy. Its purpose was "..to promote the Progress of Science and useful Arts.." (US Constitution Article One, Section 8(8).) But, once the USPTO started to become completely cost recovery, (See: Omnibus Budget Reconciliation Act of 1990, Title X, Subtitle B), that primary goal became overshadowed by the more pressing goal of securing funding via patent fees. The primary effect of cost recovery has been to promote the collection of patent fees. Reform is painful, but simple. Admit cost recovery is a failed experiment. Revert the funding model to the model used for the first 200 years. The USPTO must be centrally funded by the US government. Any collected fees should be returned to the US Government.
  • 3) It is a mistake to organize the US Patent Office to create economic incentives to grant poor patents. Currently most of the revenue of the US Patent Office comes from GRANTING patents. See the USPTO FY 2013 President's Budget page 37: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities." A recent study by the Richmond School of Law found that the USPTO's actual grant rate is currently running at about 89%. In 2001, it was as high as 99%. See http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2225781 page 9. In 2001, it didn't matter if an application was overbroad, obvious, trivial, a duplicate, or unreasonable, they ALL got granted. Things haven't improved much since then. Reform could come in many forms, but the simplest and most reliable would be to eliminate and unify the Patent office fees into a single filing fee. This fee would provide no guarantee of receiving a patent, only a guarantee that your patent would be considered. This would free the Patent Office to be able to deny poor patents. The filing fee should be high enough to discourage spurious patent applications.
  • 4) Scaling up the Patent Office to produce more poor quality patents is a mistake. Currently, we expand the number of patent examiners based on demand. See the USPTO FY 2013 President's Budget, page 60, Gap Assessment: "Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)." Again, the assumption is, more patents are better, even if it means decreasing examination, and increasing the number of untrained examiners. Poor quality is an inevitable result of this patent process. Reform must tightly control and limit the number of patent examiners.
  • 5) It is a mistake to grant all patents that meet minimum standards. A review of the last couple decades changes in the patent approval criteria will reveal that the minimum standard for granting a patent has consistently shifted downwards. We must abandon the idea that any patent that meets minimum standards is granted. Over time, the standard always degrades. Reform is easy. We rank Patent Applications according to an agreed measure of quality, and only grant the top few percent. Over time, the pressure will be to improve the quality of patent applications, instead of degrade them.
  • 6) Finally, I suggest that it is a mistake to allow patent applicants to modify or extend their patents after submission. This complicates the patent pipeline. It facilitates ‘submarine’ patents. It enables capturing Standards. It also enables gaming the patent system. Reform must simplify and reduce the patent process. Patents should be quickly evaluated. Most should be denied. If an applicant wishes to modify a denied patent, they should alter it, resubmit, and pay a new filing fee.

Comment First the Stick, THEN the carrot. (Score 3, Insightful) 200

Congressman Holt,

Thanks for your efforts. But please remember that you have other, more effective tools at your disposal. The NSA has shown themselves a master in creative interpretation of law. Any new law will be twisted to their purposes. Then there will be years of appeals in the courts. Before you attempt new laws, you should immediately reassert Congress's most basic and irresistible power: The power to control the purse.

Your first act should be to slash the NSA's budget in half.

It is like working with a mule. First, you have to get their attention. As you slash their budget, explain that many of the NSA's actions have been dishonest. They have created long term problems for the rest of the country. And they have been spending their budget in ways that congress does not approve.

After you slash their budget, ask them to give the complete Congress a full accounting of how they intend to spend their remaining budget. Give them a week.

If they waffle or present an incomplete accounting, then cut their remaining budget in half.

Don't worry about the NSA. They have tens of billions of budget. You can cut their budget in half several times and they will still be able to support their best analysts. Their hardware is cheaper and more powerful than ever before. Even after the cuts, they will be as effective as any time in the past few decades. But, the cuts will remove their ability to dominate entire industries. And they will not be able to use that support to justify their illegal and unethical acts. And that is a good thing.

Above all, don't let the executive branch deter you. Controlling budget is your natural, constitutionally mandated role. Congress has been shirking their duties lately. The Black Budget has been a shameful abrogation of your responsibilities. Controlling the budget of the executive branch is your job. Don't let anybody talk you out of it.

It may take several rounds of budget cuts, but eventually they will come back in line. Then you can use law to guide them.

Comment The NSA must serve us, not attack us. (Score 3, Interesting) 607

As a security professional, one of my greatest threats is the Exploit Marketplace. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is the greatest driving force optimizing the Internet for Attack, instead of Defense. Now, it looks like the Exploit Marketplace was justified, founded and sustained by the NSA. We have learned that the NSA has enormous budgets devoted to purchasing exploits. Today we learn:

"The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs."

So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace.

If we could just get the NSA out of the exploit market, the whole thing would probably collapse like a real-estate broker's wet dream.

The other chilling revelation is the names of these programs:

"The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier."

The NSA has crappy internal discipline. Instead of using meaningless codewords for project names, their codewords frequently describe the project. PRISM described how the NSA collects info. These project names shout that the NSA is fomenting civil war. They are at war with the rest of the country.

  • The NSA must be stripped of its ability to create exploit.
  • The NSA must be stripped of its ability to purchase exploit.

If we survive as a nation of liberty, the NSA must serve us, not attack us.

Comment Spooks are trying to provoke an irresponsible act. (Score 5, Interesting) 508

So far, Poitras and Greenwald have done an incredibly good job of handling the Snowden material. They have been implementing a long term, strategic plan that seems to have 2 goals:

  • Restore the US Constitutional limits on the Executive branch.
  • Make the Executive branch accountable to the Legislative and Judicial branches.

As ambitious as it seems, this level of correction has happened several times in US history. I believe that these goals can be achieved if 3 conditions are met:

  • 1) Poitras and Greenwald must succeed in maintaining public awareness of the problem.
  • 2) Poitras and Greenwald must continue to be regarded as responsible journalists.
  • 3) The Public must agree that the threat of an unbridled Executive is greater than the external threat.

So far, Poitras and Greenwald have played Obama and the US Intelligence like a hooked trout. They have skillfully countered every attempt to divert or end the discussion. It looks like they have a chance of advancing reform of the US Executive branch. They may also help bring reform to England.

But now, I think we are seeing the beginning of more strategic responses from the US Intelligence community. I suspect that they are now trying to end the discussion by re-branding Poitras and Greenwald as traitorous threats. This approach worked so well with Manning and Assange. Not only did they succeed in discrediting the messenger, they also turned the messenger into an external threat. Now, they can use 'Traitors' to justify Executive excess.

I suspect that the goals of US Intelligence are now:

  • Get Poitras and Greenwald to do an irresponsible disclosure. From the Intelligence community's viewpoint, even an immediate, complete disclosure of the Snowden material is a small price to pay in return for a swift end to the discussion and discrediting the whistle-blowers.
  • Or create an irresponsible disclosure of the Snowden material. Remember, neither Manning nor Assange/WikiLeaks did the big, irresponsible disclosure. But, they were blamed when it happened. On considering this objective, it seems to me that the primary objective of the Miranda incident may have been to acquire the secret key of the distributed file, so they could create an irresponsible disclosure.

If they can't shut down or re-brand Poitras and Greenwald, then I expect the next step will be to create an immediate, external threat that requires an unbridled Executive.

I am praying for Poitras and Greenwald. We need their help. And their enemies are capable of doing terrible things.

Comment I doubt the USPTO can tell hardware from software. (Score 1) 147

We are all terrorized by the threat posed by the enormous number of poor quality patents. We are all searching for shelter. Excluding software seems like it might pose temporary shelter. But, the difference between hardware and software is not a sharp line. They blend smoothly together. In this situation, somebody with a lot of lawyers can draw the line anywhere they want. That is what got us into this mess in the first place.

Even though it may be hard, we probably need to start by reforming the US Patent Office to reduce the number of poor patents. It is not impossible. The USPTO was mostly functional 30 years ago. We just need to recognize that we have made mistakes and address them. I have enumerated what I believe to be the major mistakes in a rant at: https://plus.google.com/b/101806809558932714222/101806809558932714222/about. I sent my CongressCritters a letter describing the problem. Feel free to mine it for ideas. It is available at: https://docs.google.com/document/d/1mCG_vwfHN8xPnVyGq46BfKKyRflQtVcebuT0rwrpTG0

The biggest problems with patent reform aren't understanding how to improve quality. They are:

  • How do you reform in the face of determined opposition from the Patent Industry? Or
  • How do you strip the Patent Industry of its enormous influence? And
  • How can we possibly survive the current flood of crappy patents?

I believe the major mistakes that create poor quality patents are:

  • 1) More patents are not better than fewer patents.
  • 2) Running the US Patent Office as a cost-recovery operation is a mistake.
  • 3) It is a mistake to organize the US Patent Office to create economic incentives to grant poor patents.
  • 4) Scaling up the Patent Office to produce more poor quality patents is a mistake.
  • 5) It is a mistake to grant all patents that meet minimum standards.
  • 6) It is a mistake to allow patent applicants to modify or extend their patents after submission.

Comment You never know what can be done till you try. (Score 3, Interesting) 276

My representatives surprised me. I am in Utah. I figured that there was little point in complaining about NSA abuses. But, I couldn't live with myself if I did nothing. So I mailed my 2 Senators and my Representative. Hatch responded with the expected: "Sit down and shut up." But Senator Lee responded by saying that he agreed the NSA had greatly exceeded Constitutional authority. He said he would try to address the problem.

So, today, I called Representative Bishop and urged him to support the Amash amendment.

Who knows? If a Utah Senator can acknowledge there is a problem, maybe there is some hope.

I made my letter available at: https://docs.google.com/document/d/1Bd9crUNvPF71alxCVKcUmVarn80aJQJmZe4FLyzKWXU Feel free to mine it for suggestions for your own action.

Comment Re:Create and reinforce the basis of loyalty. (Score 1) 381

Whoops, forgot one more basis of loyalty that the NSA subverted:

The NSA could not appeal to Snowden's protective instincts, because he was in a position to discern that the threat from terrorism is fairly minor.

Jeeze. The more we learn, the more incompetent the NSA seems.

When I examine US intelligence activities, I can tolerate seeing a little evil. It is a messy business. But I demand to see some indication of intelligence. So far, all we are seeing is a lot of CYA and incompetence.

Comment Create and reinforce the basis of loyalty. (Score 1) 381

To me, it appears that the NSA systematically eliminated all the historical sources of loyalty.
  • 1) The NSA could not appeal to his patriotism, because they were subverting the core values of the constitution.
  • 2) The NSA could not appeal to his desire for job security, because he had none. He was an out-sourced contract employee. He knew he would be replaced as soon as the NSA could figure out a cheaper way to do his job.
  • 3) The NSA could not appeal to his professionalism, because he was too young and inexperienced.
  • 4) The NSA could only appeal to his desire for money.

Snowden and the other intelligence contractors are simply mercenaries. Their job is first and foremost to get paid. You buy their loyalty with money. Anybody who offers a greater reward can shift their loyalty.

Snowden ultimately found a higher bid for his loyalty than his Booz/Allen/Hamilton paycheck.

This is not rocket science. This is simply Management 101. One of the most shocking revelations has been that the NSA is so incompetent in managing the basics of loyalty. I am afraid that we will eventually find that the only thing that is unique to Snowden is that he acted publicly.

It is very likely that the 'secrets' of the NSA have been cheaply purchased by every other government and large corporation.

Comment We need patent reform that eliminates bad patents. (Score 2) 58

The proposed reforms attempt to improve the process of litigating patents. Senator Cornyn's bill seems quite beneficial. They all say that we need to reduce the number of bad patents. But none of the proposed bills do anything to change the incentives that cause the patent office to grant poor patents.

It is possible to reform the patent office and mitigate the incentives to grant poor patents. But, first we must acknowledge that we have made some fundamental mistakes. In my opinion, the most critical mistakes are:

  • 1) More patents are not better than fewer patents. Patents are not Innovation. Patents are not Progress. Patents are simply grounds to file a lawsuit against an industry. More Patents are simply more grounds for more lawsuits. An occasional lawsuit might possibly spur innovation. BUT LAWSUITS DO NOT PRODUCE. Lawsuits are parasitic on innovation and production.
  • 2) Running the US Patent Office as a cost-recovery operation is a mistake. The US Patent Office is a very small, but critical component of the US economy. Its purpose was "..to promote the Progress of Science and useful Arts.." (US Constitution Article One, Section 8(8).) But, once the USPTO became completely cost recovery in the 1990s, that primary goal became overshadowed by the more pressing goal of securing funding via patent fees. The primary effect of cost recovery is to guarantee continued regulatory capture by the patent industry.
  • 3) It is a mistake to organize the US Patent Office to create economic incentives to grant poor patents. Currently most of the revenue of the US Patent Office comes from GRANTING patents. See the USPTO FY 2013 President's Budget page 37: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities." A recent study by the Richmond School of Law found that the US PTO's actual grant rate is currently running at about 89%. In 2001, it was as high as 99%. See http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2225781 page 9. In 2001, it didn't matter if an application was overbroad, obvious, trivial, a duplicate, or unreasonable, they ALL got granted. Things haven't improved much since then.
  • 4) Scaling up the Patent Office to produce more poor quality patents is a mistake. Currently, we expand the number of patent examiners based on demand. See the USPTO FY 2013 President's Budget, page 60, Gap Assessment: "Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)." Again, the assumption is, more patents are better, even if it means decreasing examination, and increasing the number of untrained examiners. Poor quality is an inevitable result of this patent process.
  • 5) It is a mistake to grant all patents that meet minimum standards. A review of the last couple of decades' changes in the patent approval criteria will reveal that the minimum standard for granting a patent has consistently shifted downwards during the past few decades. We must abandon the idea that any patent that meets minimum standards is granted. Over time, the standard always degrades. Reform is easy. You rank Patent Applications according to an agreed measure of quality, and only grant the top few percent. Over time, the pressure will be to improve the quality of patent applications, instead of degrade them.

Real patent reform is possible. The pressures that currently give rise to bad patents are fairly obvious. We can mitigate those pressures and institute processes that tend to increase patent quality. If we can somehow summon and maintain the political will to admit our mistakes.

Comment Re:What is patentable? (Score 1) 124

The US economy is drowning in a sea of crappy patents. This executive order is a matter of trying to build a lifeboat. It does nothing to address the flood.

The first, biggest issues of patent reform are:

  • How do you reform in the face of determined opposition from the Patent Industry? Or
  • How do you strip the Patent Industry of its enormous influence? And
  • How can we possibly survive the current flood of crappy patents?

The mechanics of patent reform are fairly obvious to everybody, once we acknowledge and fix the big mistakes. I sketched out a few of these mistakes at: https://plus.google.com/b/101806809558932714222/101806809558932714222/about. They include:

  • 1) Running the US Patent Office as a cost-recovery operation is a mistake.
  • 2) It is a mistake to organize the US Patent Office to create economic incentives to grant poor patents.
  • 3) Scaling up the Patent Office to produce more poor quality patents is a mistake.
  • 4) It is a mistake to grant all patents that meet minimum standards.

But, I've got no idea how we are going to survive the millions of low quality patents.

Miles
