What the public NEEDS is different from what the AI community WANTS. AI is no different from other forms of IT automation. For all of them, the public needs to have product liability imposed.

Dan Geer covered this quite well back in 2014 in his BlackHat keynote. See http://geer.tinho.net/geer.bla... (section 3.) Schneier and many others also agree. Currently, there are many situations where IT automation creates great harm for the public. But, the lack of product liability has removed the incentive to remove those harms.

What the AI community WANTS is a magic checklist that will absolve them of guilt for the problems they create.

It is easy to show that CyberSecurity is insolvable. There are multiple, easy proofs. They include:

• Proof 1: We can't know all attacks. We can't defend against unknown attacks.
• Proof 2: Even if we could know all attacks, we can't afford to defend against all attacks.
• Proof 3: Even if we could afford to defend against all attacks, if risky CyberSecurity behavior is more profitable, then we won't eliminate failure.

A more useful question is, how can we make things better? After a couple decades of doing the things they currently call CyberSecurity, I have found several much more interesting questions. They include:

1. 0) Can we more accurately measure effective CyberSecurity success? Currently we are measuring the failures. Shouldn't we measure the successes?
2. 1) Can we do a better job of measuring the complete costs (to ourselves and society) of failure?
3. 2) Can we do meaningful epidemiology of CyberSecurity? Can we more accurately determine what helps, and how much it helps?
4. 3) Can we be more accurate and complete in distributing responsibility for failure and improvement?
5. 4) Can we create and sustain meaningful positive incentives that favor CyberSecurity over insecurity?

I have found that when I improve these areas, I improve security.

Never rolling your own encryption is more of a guideline than an absolute rule. Sometimes, you should roll your own IF the alternative is obviously bad. So:

• - You would have been better off to "roll your own" initialization than using the backdoored initialization that NIST/NSA provided as default for eliptical encryption. We can't trust the NSA to not abuse their snooping power. We can't trust US intelligence to keep a secret. If you rolled your own initialization, then future attackers have to do a lot more work.
• - Given the situation, you may be better off using MUCH bigger public key key sizes than is the current standard, to prepare for the possibility of quantum computers.
• - Almost all the big encryption solutions that maintain some form of trust bottleneck are vulnerable to single point failure, including government coercive force. Lastpass is a good example. The grandparent poster WAS better off "rolling his own password manager with emacs and standard encryption on a Text File" then using Lastpass.

This is not a technical issue.

For the last 232 years, the supreme law of the land in the United States is the US Constitution. All government powers, whether Executive, Legislative, or Judicial, are subordinate to the limits defined in the Constitution.

Claiming that the US Legal system must have unfettered access to all information is the same as saying that the US Legal system must not be fettered or subject to the US Constitution. That leads me to 3 important questions:

1. Why is NOW a good time to abandon the US Constitution?
2. What authority does Director Wray claim to be superior to the US Constitution?
3. Shouldn't Director Wray be immediately fired for violating his Oath to "..Protect and Defend the Constitution of the United States.."?

The US has been attacking multiple countries via the Internet for years. We did it first. We did it best. Yay US. Years ago, our doctrine was that Internet attack was a favorable option, because it had less unfortunate consequences than physical attack. But now, Internet can be much more devastating that physical attack. And the US has the most to lose in Internet attack.

The US economy is totally dependent on the Internet. Internet attack can cripple or destroy us. We can no longer afford to legitimize Internet attack. The past aggressive internet attacks by the US, China and Russia have legitimized Internet attack for all the remaining governments. EVERYBODY who has anything valuable, now gets a chance to receive targetted, remote attack by several governments, PLUS targetted attack by the many organized crime groups.

The US must formally cease undeclared war via the Internet. We must work with all other governments to ensure that we ALL stop waging undeclared war via the Internet.

We use the words: cyberweapon, cyberwar, and cyberattack and think that we know the consequences of conflict. But our prior experience with conflict deceive us. Our instincts are wrong. Our sports metaphors delude us. We undervalue defense. We greatly overvalue attack. At the core, we still believe that Internet warfare is win-able. We believe that victory will go to the righteous aggressor. We believe that attack is sexy and desirable.

The reality is, Internet attack is like poisoning all sources of water, and hoping that your enemy dies first. There is no "Win" in "CyberWar". We all have to defend the same stuff. None of us have functional defenses. Every successful attack weakens us all.

It is easy to capture, analyze and reproduce somebody else's attack. If somebody drops a bomb on you, it is hard to reassemble all the bits, unburn the chemicals, and reuse it. But, if a government deploys an Internet attack, it is easy to copy the attack and repurpose it. When the US deploys an Internet attack, we give our enemies the motive, means, and opportunity to destroy us.

The Pentagon is trying to CyberAttack our way to a more secure future. But Security comes from Defense, not attack.

Thousands of years of human experience have shown that destruction is easier than creation. One man can quickly destroy something that takes a community months to create. It may be that "To every thing there is a season; and a time for every purpose under heaven." But, if you don't spend more time on creation than destruction, you end up a lonely, starving scavenger. Any stable, prosperous society must provide more rewards for creation then destruction.

Modern economies of manufacture and transportation have made many things better, but this is not one of them. In almost every way, the modern economy favors attack:

• * The huge advantage granted to market leaders guarantee that we all, government, corporate, and private, foreign and domestic, use the same computers and software.
• * There are great economic incentives to ship quickly, with many features, rather than spend time and money to create secure products.
• * Our sales and advertising driven economy has convinced us that new stuff, with new features and vulnerabilities is always better than old stuff.
• * Products are deployed LONG before understanding. Most of the issues, bugs, and vulnerabilities are discovered after things go into production.

The Internet has made many things better, but this is not one of them. In almost every way, the Internet favors attack over defense:

• * The Internet makes everything more complex. This provides the attacker with a vast array of attack surfaces.
• * The Internet makes it easier to extend influence. This allows attackers to greatly extend their list of victims. An attacker can easily apply a viable attack strategy to every eligible Internet target.
• * The Internet increases the pace of attack. Usually attack can easily outrun any possible warning.

The transition to digital has made many things better, but, again, this is not one of them. In almost every way, being able to make effortless, accurate copies favors attack:

• * It is easy to automate attack. This greatly reduces the cost of attack. It also removes the economic cost of scaling up attack against multiple victims.
• * It is easy to make self-replicating attack. This allows attack to spread itself beyond any previous control or limit.
• * It is easy to capture, analyze and reproduce somebody else's attack. If somebody drops a bomb on you, it is hard to reassemble all the bits, unburn the chemicals, and reuse it. But, if somebody develops an Internet attack, it is easy to copy the attack and repurpose it. Internet attack efficiently spreads destructive knowledge and capability direct to your enemies.

The reality is, Internet attack is like poisoning a common watershed, and hoping that your enemy dies first. There is no "Win" in "CyberWar". We all have to defend the same stuff. Every successful attack weakens us all.

We have a fairly clear understanding of how to increase security through defense. Almost every Internet Security expert agrees on the general shape of the necessary changes. But, the changes are HARD and EXPENSIVE. So, we keep hauling out the "Security Through Destruction" fantasy. If we were really serious about improving Defense, we would make changes like:

• 1) Change US politics and policy toward CyberWar. Our long-held belief is that Internet attack is less devastating than conventional attack. But now, all economies are so dependent on the Internet, that a sustained Internet outage would kill more people than a nuke. We need to lead the world to the negotiating table and impose strategic limits on Internet Attack. This needs to be enforced by cooperative International Internet monitoring and meaningful penalties.
• 2) Separate the Defenders from the Attackers. Defense needs it's own budget. Internet Defense must be prioritized OVER Attack. While Attack can inform Defense, it can't create Defense. Successful Defense requires entirely different skills and attitudes than Attack. And currently the supporters of Attack keep trying to kill any effective Defense measure in it's infancy.
• 3) Impose Product Liability on Software. The model proposed by Dan Geer could be a good start: https://www.youtube.com/embed/...
• 4) We also must have International rejuvenation of consumer protection standards. Manufacturers must be held accountable for dangerous defects in their devices. Even when the sale is across national boundaries.
• 5) Update our regulatory requirements to create large mandatory penalties for "Failure to Defend". Currently we have slight penalties for "Failure to Comply". In response everybody is encouraged to achieve minimal compliance and no more. New regulations must push us to REAL security, not the illusion of false security.
• 6) Create meaningful Internet/Cyber epidemiology. Schneier has discussed this a couple times. Government must compile accurate, available statistics that allow us to determine: The actual nature of current threats; The likelyhood of threat; The effectiveness of various "treatements" to counter the threat.
• 7) We must adopt a more consistent understanding of the "First Sale" doctrine. We need to consistently apply the rights and responsibilities of ownership to all our internet connected devices. There should be no question that we are responsible for our internet connected devices.
• 8) We must understand that connecting to the internet effects everybody. We must accept that our internet-connected devices can effect everybody. We must accept responsibility to properly configure and maintain our devices.
• 9) We must allow our ISP's to act for the good of ourselves and our communities. We must require them to properly handle abuse reports. We must require them to properly pass abuse reports to the owners of internet connected equipment. We must require them to disconnect misbehaving internet equipment if an abuse report doesn't result in timely mitigation.
• 10) We must update copyright law to aggressively mitigate orphaned code. We need to understand that code is orphaned, once disclosed vulnerabilities and exploits are not promptly addressed. When code is orphaned, ownership (and full code publication) must quickly pass to the community.
• 11) In order to enable the previous point, we should require the Copyright Office to escrow source code before granting extended (beyond a few weeks) copyright protection.

Our culture has turned away from Defense and Security on many fronts. We need to make progress on many fronts, if we wish to have meaningful improvements in Internet Security.

We already have limits on how US government can use personal information. The Carpenter Vs US lawsuit will continue to define those limits. We created these protections because we realized that government can use personal information to predict, manipulate, and control us. The combination of powerful government and enabling personal information is a threat to self-determination and rule by consent of the governed.

We have seen many recent examples where powerful modern entities used technology and personal information to predict, manipulate, and control us. FaceBook can predict, control and manipulate us. So can Google, Amazon, Political Action Committees, The Russian Government, advertising agencies, and so on. We need to take further action to protect our unalienable right of self determination. If we fail to act, our society and government continue to transform into "Rule by Manufactured Consent of the Manipulated".

Manipulation is a threat to ourselves and our society. Manipulation advances the goals of the manipulator. Manipulation has no fundamental respect for reality. Past manipulation divorced the victims from reality. Manipulation weakens both individuals and society. Present day manipulation must not be assumed to be legitimate, just because it is cheaper, more effective, more powerful, or wielded by new entities.

Once personal information is collected, it is almost impossible to destroy. It will be monetized. It will leak. It will spread. The cell-phone companies will sell or breech. An Intelligence agency will seize and leak. A well-meaning judge will issue a General Warrant.

For NOW, when you need privacy, you must DITCH THE PHONE.

One path forward is to realize that any personal information that is effective at predicting, controlling or manipulating us IS our identity. As long as this information is effective, and valuable, it is a part of us. We must establish that owning your own personal information is an unalienable right. The right of owning your personal information can not be stolen, seized, legislated or contracted away.

Attempts to legislatively say: "Thou Shalt NOT" will probably be ineffective when the underlying economy strongly favors collecting, storing, and using private information.

The most effective legal protections against invasive data collection are to change the economy of personal information. This sounds harsh and invasive, but it may be the only workable protection from widespread privacy threats and manipulation.

• 1st, we need to increase the expense of collecting and storing personal data.
• 2nd, we need to decrease the value of using personal data.

For example, we can increase the expense of collecting, storing and exchanging personal data by:

• * Require accurate tracking information on the collection, storage and exchange of personal data. This should include identifying information for every entity that handled the data. This should be coupled with large mandatory fines for any data that is missing past transaction history. Currently, data brokers have low overhead and bear no responsibility for their behavior. They are selling goods worth billions. Their activity should be tracked as completely as credit card transactions. Requiring accurate documentation of the personal data marketplace will increase the expense of reselling personal data.
• * Impose aggressive taxes on collected, stored and exchanged personal information. It obviously has value. It is a major asset of Google and Facebook. It should be taxed like real estate or an economic transaction. The higher the taxes, the less incentive to collect, store and exchange personal information.
• * Forbid exporting personal information from the country of origin. If an entity wishes to collect, store, or exchange personal information, they must do it in the country of origin.
• * Add more teeth to "data breach" legislation. Remove any "due diligence" protection. Impose mandatory fines for data breach. Fines should be based on the number and severity of personal "facts". The higher the fines, the less incentive to collect and store personal information.
• * Impose full breach liability on every upstream entity in the data collection stream. Currently, data collectors and brokers get rich by selling to a wide market and experiencing no liability. Imposing liability for the behavior of down-stream purchasers of personal data will greatly increase the expense of collecting, storing and exchanging personal data.

Then we must work to harden our society against the manipulative effects of collected personal data. This is a continual challenge. Things we might consider include:

• * Require search engines and social media to unmistakably indicate if we are viewing "Relevant, tailored for us illusion" or "Consensus Reality".
• * Consistently penalize search engines and social media when they inaccurately represent "Consensus Reality"
• * Require search engines and social media to provide a simple, always on-screen method to easily switch between "Relevant, tailored for us illusion" or "Consensus Reality".
• * Impose meaningful, effective restrictions on our government's ability to attempt to manipulate "Consensus Reality"
• * Require our government to protect it's citizens from other government's or corporation's attempts to manipulate "Consensus Reality"
• * Impose mandatory penalties on the enabling parties for every occurrence of identity theft. This means penalize the banks, the credit reporting agencies, and even the IRS. If identity theft occurred, then their process must have immediate, corrective feedback.
• * Require multi-factor authentication when authenticating to critical resources.
• * Educate our society that biometrics might be identifiers, but should never be an authentifier.

Ultimately, dealing with the problem of privacy abuse and invasive data collection will take much more than a legislative "Thou Shalt Not".

I believe that the FBI is attempting to distract us from the critical, core issues of this debate. In arguing the technical details of accessing cell phones, they distract from the critical speech issues. They REALLY don't want us to ask:

• * What should be the limits of government power?
• * Are we engaged in Speech or Association when we use our phones?

The US government has managed to bypass the 1st, 4th and 5th amendments by creating and extending the 3rd party doctrine. This doctrine roughly states that once information passes out of an individual's direct control, he can no longer exercise any control over it. This gives the government easy access to huge amounts of shared information.

The "Responsible Encryption" debate is a new legal theory to destroy speech and freedom. It is a "No Party Doctrine". That is, No Party, except the government, is allowed to control information. The No Party Doctrine says that information is so important to the government, that nobody except the government should be allowed to control it. There is no information so sensitive, private or protected that it should escape government control. Since information is so important, individuals must not be allowed to control it through their speech, actions, tools, or situations.

The FBI is cheerfully stating that the creators of the constitution would have allowed complete government control if only they had realized that information was important to a criminal investigation.

We should denounce the "Responsible Encryption" proposals as a straightforward attack on our freedom of thought, speech and association.

Instead, we should act to limit the 3rd party doctrine and restore our rights of speech and association.

It's a Golden Age of Surveillance. We have widely deployed multiple forms of mass surveillance without once asking:

• Is mass surveillance consistent with an assumption of innocence?
• Is mass surveillance consistent with government that is based on the consent of the governed?

Out personal information is widely available to multiple groups. The government has easy access to an almost endless amount of information about us. There is:

• Collected credit-card purchasing information.
• Collected cell-phone tracking information.
• Real-time car tracking.
• Collected browser activity from Google, Web sites, and search engines.
• Collected travel information from hotels/airlines.
• Mass monitoring of the Internet by the Intelligence community.

The 3rd party doctrine roughly states that we can only assert a privacy right over information we directly control. If the information is shared with a 3rd party, they we don't control it, and we can't assert a privacy right over it. As the 3rd party doctrine has expanded, we have lost privacy over any shared information.

Now, law enforcement wishes to move beyond the limits of the 3rd party doctrine. They advance the legal theory that we should not be allowed to control our own information/privacy AT ALL. They believe that the desires of law enforcement should always outvote an individual's desire for freedom, privacy or liberty. That we should never be allowed to be secret, private or alone.

The proposals for "Responsible Encryption" are a simple end-run around the 1st, 4th and 5th amendments to the US constitution. Instead of debating this crap, we should be demanding stronger privacy protections. We need to restrict the 3rd party doctrine. We need to penalize any lawyer or judge who participates in granting "General" warrants. We need to restrain the Intelligence community from conducting mass surveillance on the US public.

I think it is entirely unreasonable that I can't excrete diamonds. Therefore, I shouldn't have to go to work..

The government knows every important detail of the Sutherland Springs shooter's life. There is no question of what he did, where he went, how he did it. This case is completely irrelevant to their demand to discard the constitution and remake the world into a police state.

The proposal to ban laptops from the cabins of planes appears to be attempting to take advantage of the following logical fallacies and cognitive biases:

• * Zero-risk bias: Prefer to reduce a small risk to zero, over a greater reduction of a larger risk. https://en.wikipedia.org/wiki/...
• * Nirvana/Perfection fallacy: Prefer to abandon functional good for unachievable perfection. https://en.wikipedia.org/wiki/...
• * Identifiable victim effect: We respond more strongly to a single identified victim, than a faceless group of victims. https://en.wikipedia.org/wiki/...

Remember that time they said they needed porno scanners? It turned out that the porno scanners didn't work. https://radsec.org/secure1000-... And, DHS upper management (Chertoff http://www.motherjones.com/moj... ) got rich off the sale of the porno scanners. This shows that we should not blindly accept TSA/DHS proposals.

The TSA success rate at finding known weapons and explosives is 5%. IE, they only find 1 out of 20: https://www.theguardian.com/co... This means that the laptop change will not actually make a difference to the real risk.

If they are worried that a well funded group will make explosives that look like a laptop, why would they only do laptops? Why wouldn't an attacker make explosives that look like a suitcase? A CPAP? A baby stroller? Why can't an attacker disguise explosives as a big enough item that it doesn't make any difference where it is on a plane? If they can't find an explosive shaped like a laptop, they are not going to find an explosive shaped like other things. Are they going to ban all carry-ons and checked items?

On the face, It seems looke like they have decided to increase their security theater.

While we wait for the TSA's analysis, lets review a few facts. Here are some reference pages on various types of death in the US:

• * https://www.cdc.gov/nchs/fasta...
• * http://www.nsc.org/NSC%20Image...
• * https://www.start.umd.edu/pubs...
• * https://www.theguardian.com/us...

So, your chance of dying of various things in the US is:

• * US Citizen killed by terrorists from 2005 through 2014: (about 1 in 240K deaths.)
• * Killed by lightning in the US: (about 1 in 160K.) For every terrorism death, there are about 1 and 1/2 deaths by lightning.
• * Dying in a plane crash: (about 1 in 10,000) For every terrorism death, there are about 25 deaths by plane crashes
• * Being killed by police in the US: (about 1 in 2300) For every terrorism death, there are about 105 deaths by police
• * Drowning in the US: (about 1 in 1200) For every terrorism death, there are about 200 deaths by drowning.
• * Dying in a motor vehicle accident: (about 1 in 100.) For every terrorism death, there are about 2,200 deaths by motor vehicle accidents
• * Heart disease & cancer in the US: (about 1 in 7 deaths.) For every terrorism death, there are 35,000 deaths by heart disease and cancer.

There hasn't been a big increase in deaths by terrorism. Or laptop. Why aren't we banning laptops in order to protect people from lightning? It would make just as much sense.

It looks like you could show a decrease in deaths by shutting down the TSA and spending the money on all kinds of other things. For example, you would probably extend thousands of lives every year, if you took the TSA's budget and used that money to give a daily carrot to everybody in America. This is the "Identifiable Victim Effect". Somehow they value a couple dozen or so terrorist victims more than thousands of other people.

If the TSA is going to make a change, they must prove that the overall benefits justify the overall costs. The overall costs on this one are awfully high. There does not appear to be any real benefit. Everybody should be opposed to this proposal. It appears to be a perfect example of CYA security. https://www.schneier.com/blog/...

The TSA/DHS have proved that they are incapable of acting rationally in the presence of a risk. Since that is their job, we should sack the lot of them.

I just realized that replacing the TSA with a agency that gives everybody a daily carrot will actually decrease the chance of carroticide (homicide via carrot.) After all, we all know that they only thing that can stop a bad guy with a carrot is a good guy with a carrot. BUT, if everybody has a carrot, all the bad guys should be stopped!

What I actually need to analyze is the cost of outfitting all the swat teams with assault rutabagas (swedes to you Brits.)

If the TSA is going to make a change, they must prove that the overall benefits justify the costs. Remember that time they said they needed porno scanners? It turned out that the porno scanners didn't work. And, TSA upper management made money off the sale of the porno scanners. At this point, we should just assume that any proposed TSA change is simply another "make TSA management rich" scheme. While we wait for the TSA's analysis, lets review a few facts:

Here are some reference pages on various types of death in the US:

• - https://www.cdc.gov/nchs/fasta...
• - http://www.nsc.org/NSC%20Image...
• - https://www.start.umd.edu/pubs...
• - https://www.theguardian.com/us...

So, your chance of dying of various things in the US is:

• - Heart disease & cancer in the US: (about 1 in 7 deaths.) For every terrorism death, there are 35,000 deaths by heart disease and cancer.
• - Dying in a motor vehicle accident: (about 1 in 100.) For every terrorism death, there are about 2,200 deaths by motor vehicle accidents
• - Drowning in the US: (about 1 in 1200) For every terrorism death, there are about 200 deaths by drowning.
• - Being killed by police in the US: (about 1 in 2300) For every terrorism death, there are about 105 deaths by police
• - Dying in a plane crash: (about 1 in 10,000) For every terrorism death, there are about 25 deaths by plane crashes
• - Killed by lightning in the US: (about 1 in 160K.) For every terrorism death, there are about 1 and 1/2 deaths by lightning.
• - US Citizen killed by terrorists from 2005 through 2014: (about 1 in 240K deaths.)

The TSA failure to find weapons and explosives rate is 95%. IE, they only find 1 out of 20: https://www.theguardian.com/co...

It looks like you could show a decrease in deaths by shutting down the TSA and spending the money on all kinds of other things. For example, you would probably save thousands of people every year, if you took the TSA's budget and used that money to give a daily carrot to everybody in America.

Of course, the future of the KID (Karrot Issuance Daily) agency is not all shiny orange. The yearly number of carroticides might even exceed the number of US people killed by terrorists. But, even factoring in the increase of death by carrot, there still would be tremendous net positive benefit.