Margaret Mead and Me

When I was a child, visiting an anthropology conference, I sat on the lap of Margaret Mead. My recollection is vague yet always is flavored by people later telling me that Mead was curious how I would evolve with two anthropologists as parents.

If she were alive today I’d maybe disappoint her to admit I strayed from anthropology into being a student of history instead. And I might defend my choice by telling her it helped me better understand stories she told such as this one:

Anthropological Intelligence, David Price, page 287

It surely sounds good for anthropologists to say they were engaged in a form of historic exceptionalism by serving to defeat fascism in the 1940s. However, historians probably could disagree with that framing and say an eternally valid moral choice was being made more than an historic one.

To be fair, she earlier had famously said:

Children must be taught how to think, not what to think. They must be taught that many ways are open to them.

The question however is whether we can restrict ways for people (even anthropologists, or sons of anthropologists), given how reasonably we can predict (based on history) where they will lead in the future.

2019 CWE Top 25 Most Dangerous Software Errors

MITRE has released their new prioritized list for software development teams to help ensure product safety:

The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses are often easy to find and exploit.

The top error “score” of 76 for “Improper Restriction of Operations within the Bounds of a Memory Buffer” stands far above the total distribution, and about half are above a score of 10:

Mozilla’s $100M Nudge Towards User Control

In a nod to behavioral economics the Mozilla Foundation has announced it’s offering funds to anyone working to combat ongoing “surveillance capitalism”:

Special consideration will be given to creators who promote a vibrant commons; increase users’ autonomy, privacy, and control over their own data; promote diversity and inclusion on the internet; and increase access to the full capacity of the internet, both for content consumption and content creation, and for communities and individuals that have historically been marginalized, disadvantaged, or without access

It will be interesting to see whether such a large nudge can reverse the information “targeting” models that thirsty Facebook and Google executives notoriously have banked upon.

Take Your Bike Helmet Off and Hold Cars Accountable

There’s a new first-person account in the New Yorker of some cultural differences between cycling in Holland and America:

Angela van der Kloof, a cycling expert and project leader with the Delft mobility consultancy Mobycon, told me, “From a young age in the Netherlands, we’re trained to take note of others. Not by a teacher but by the way we do things. I think we are very much used to physical negotiation.” Dutch people live in small houses, ride on crowded trains, and generally jostle against one another—the Netherlands has the sixteenth-highest population density in the world. Navigating complicated traffic situations, calmly and systematically, came naturally to our neighbors.

The key to this story is actually how Dutch women had the power to organize and campaign for protecting children from being murdered by people operating cars:

With cars came carnage. In 1971 alone, thirty-three hundred people—including more than four hundred children—were killed on Dutch roads. A number of organizations, including a group named Stop de Kindermoord, or Stop the Child Murder, began agitating to take the streets back from automobiles.

Contrast this story with America, where cars are treated like guns and operators are allowed to commit indiscriminate murder as an expression of an individual’s power over society, which Next City has explained in qualitative examples:

Morgan stayed in the intensive care unit for another month. For the first two weeks, the doctors weren’t positive she would survive. By the end of it all, medical expenses totaled more than $500,000.

“I was scared to death,” says her husband, David Morgan.

His fear would soon turn to anger when he realized that local police had no interest in pursuing charges against the woman who nearly killed his wife. After the State Highway Patrol’s investigation concluded that there were no grounds for felony charges, the district attorney also demurred from pressing charges.

“As far as the state of Mississippi goes, you could be an armadillo hit on the road, and the state treats you just the same as a… cyclist,” Morgan says.

What the New Yorker article about cycling in Holland misses entirely, ironically, is that the density of crowds cited by those living in Holland is not a sufficient ingredient on its own. Next City explains this using NYC quantitative data. Clearly NYC is an American city where people also are used to physical negotiation:

Consider crash data from New York City, which has installed more than 350 miles of bike lanes. There were 14,327 pedestrian and cyclist injuries in 2012 as a result of vehicle crashes, but police cited only 101 motorists with careless driving, a rate of less than 1 percent.

The actual difference is thus not growing up in density, but rather the levels of political engagement by women.

Cycling historically has been described as an independence movement for women, which should put male-dominated legislative action impeding people cycling in its proper perspective. Also women cyclists in America tend to be more at risk from cars and thus more likely to design safety infrastructure, as drivers put them more at risk:

“What we found was that female cyclists had a significantly different experience riding than the male riders did. … Female riders tend to have more aggressive interactions with drivers than male riders did.” …researchers found — no surprise — that protected bike lanes offered the best protection. Cars stayed an average 7.5 feet from cyclists cruising along a bike lane separated from traffic by bollards. No bike lanes, more close calls.

A campaign like “Stop de Kindermoord, or Stop the Child Murder” emphasizes the rights of children to live free from harm by adults in cars. America is about as likely to see a campaign like that succeed as elect a woman President instead of a man repeatedly accused of harming children for his self-benefit.

Don’t forget, America remains the only country in the world that has failed to sign the Convention on the Rights of the Child.

Holding cars accountable for killing cyclists and pedestrians would be like Epstein going to jail decades ago for harming children, yet instead he was seen free and partying freely with the White House Occupant.

The bottom line is that the safety of roads is about political power. That is why putting on helmets is the wrong answer. When cycling below 12 mph, which is the vast majority of commuter cyclists, the right answer is to place responsibility of safety upon those operating heavily armored machinery.

In a world where others may be harmed by their actions, machine operators must be accountable. If you think this is foreshadowing the problem of holding drone owners responsible for killing people, you are right.

Bay Area Bicycle Law points out that from 2013 to 2017 3,958 Cyclists have died across the U.S. for an average of 792 each year. 98% (777 of the 792) were in accidents with motor vehicles and 83% of cyclists had helmets on when they were murdered.

Let me say that again, 98% were in accidents with motor vehicles and a whopping 83% died with helmets on. Do you see the problem?

California, with far less density than NYC or Holland, repeatedly has opposed helmet laws and for the right reasons (same as in Holland).

Peter Jacobsen, a Sacramento-based public health consultant, believes helmet laws may make streets less safe for cyclists. Australia and New Zealand recently introduced compulsory helmet laws, and bike use fell by 33 percent, he said. Numerous reports have found that cycling conditions improve with more riders on streets. By reducing the number of cyclists through helmet laws, conditions actually get more dangerous.

He also said studies have shown that motorists drive closer to cyclists with helmets on, and that helmets only reduce minor injuries, not fatalities. “Bike helmets are padding; they’re not armor,” he said.

Cars are armor. If cyclists put on armor, they’d be a car.

Not only do helmet laws decrease cycling by a significant amount, they do not show any real decrease in the death rate. In other words, data repeatedly shows how helmets impede cycling and thus make it less safe for the vast majority of cyclists.

Exceptions do exist and are important: habitually unsteady high-risk riders such as children and racers. These exceptions are easily handled, however, such as requiring helmets to compete in a race where contestants will gladly abide for the chance of winning.

The right formula is encourage more cyclists operating at speeds averaging below 12 mph in physically separated lanes, with NO adult requirement for helmets, and strict accountability for those who operate heavy (i.e. dangerous) machinery in the midst. Protecting the vulnerable shouldn’t be that difficult to figure out for our streets.

The fact that Holland has effectively already done it (as well as Denmark, etc.) means America is running out of excuses to justify murderous drivers, as “A view from the cycle path” has illustrated quite simply:

“The absolute number of child fatalities dropped by 98% over a period of time when the population size and the proportion of trips made by bicycle both rose significantly.”

The answer to the problem of cars killing cyclists is directly related to how the American political system allows care and consideration for vulnerable populations at risk of being harmed due to a weapon authorization for individuals.

We need to be intelligent enough to start the move away from these American headlines:

Which means sites like Twitter need to recognize the harm from its role in peddling active calls to use cars to murder non-whites, and how this propaganda relates to “Republicans want to legalize running over pedestrians“:

…state Rep. Keith Kempenich, perversely suggested that shielding drivers who kill protesters was a necessary anti-terrorism measure.

All that being said, there recently have been at least two notable exceptions to the sad state of weaponized roadways in America:

  1. White supremacist use of car as weapon. Found guilty of first-degree murder
  2. Driver charged with intent to kill. 5 cyclists dead

Scientists Use HDT to Stop Common Cold

Host-directed therapy (HDT) suggests that a change to the human body can inhibit the spread of disease. A new study found viral infections may require SETD3 access, such that blocking a link or reducing availability means the virus is stopped.

The strategy behind HDT is to interfere with host-cell proteins required for viral infection. Respiratory enteroviruses (EVs) are an attractive target for the development of HDT.

…our data provide rationale for the development of peptides or small molecule inhibitors that specifically block the SETD3–2A association, and for the development of small molecules inducing SETD3 protein degradation using proteolysis-targeting chimaeras.

In computer terms this would mean blocking the protocol or disabling the service, which security professionals should immediately recognize as common practices.

What the Bird Said Early in the Year

Recently I was fortunate to have a gate unlocked that led onto grounds of Magdalen College, Oxford, England for a stroll along the “Addison Walk” around a small island in the River Cherwell.

A paragraph in the 1820 topographical guide to Oxford gives some perspective on the walk’s namesake (page 85):

On the north side of the grounds is a long walk, still termed Addison’s walk, once the chosen retreat of that writer, when intent on solitary reflection. In its original state no spot could be better adapted to meditation, or more genial lo his temper.

Shield of C.S. Lewis’ 1938 poem
No monuments to Addison were found along this walk, although apparently the Spanish oaks famously lining both sides were planted by Addison himself.

As I exited the secluded leafy path and crossed a bridge I couldn’t help but notice an engraved shield of C. S. Lewis placed upon on an old stone wall.

Lewis seemingly wrote this poem to contrast his faith in eternity with his disappointments in a series of ephemeral life events. Despite the age and environment of the poetry, I believe it provides excellent food for thought in our modern era of cloud computing.

I heard in Addison’s Walk a bird sing clear:
This year the summer will come true. This year. This year.

Winds will not strip the blossom from the apple trees
This year nor want of rain destroy the peas.

This year time’s nature will no more defeat you.
Nor all the promised moments in their passing cheat you.

This time they will not lead you round and back
To Autumn, one year older, by the well worn track.

This year, this year, as all these flowers foretell,
We shall escape the circle and undo the spell.

Often deceived, yet open once again your heart,
Quick, quick, quick, quick! – the gates are drawn apart.

It is said that in this poem Lewis was describing his feelings from taking walks along this same walk in Oxford where he engaged in deep philosophical/theological conversations with his “inklings” colleagues J.R.R. Tolkein and Hugo Dyson.

While some try to limit the poem’s relevance to Lewis’ own religious struggles (raised a Christian, after the death of his mother and in his teens he left the faith disappointed and rebellious, then returned later to his roots) his words seem much more broadly insightful.

If nothing else, we can recognize Lewis experienced many trust failures as he grew up, which tested his faith. This poem emphasizes how repeated failures need not be seen as terminal when belief matures to account for greater good. He found permanence by believing operations run on something beyond each instance itself.

Perhaps I should re-frame his poem in terms of a certain “open-source container-orchestration system for automating deployment, scaling and management”…and then we’ll talk about what the container said early in the deployment.

NIST Privacy Framework RFC

NIST has put its privacy framework (PDF) up for comment again.

Current controversy circles around whether the framework appropriately handles the relationship between privacy and security. Should the framework, for example, even be separate from the cybersecurity framework, or a sub/superset?

Also worth considering is how it will fare with an expansion of the IoT market and the adoption of artificial intelligence.

US Senator Argues for Jailing Facebook Execs

From a recent interview with Oregon’s Senator Wyden

Mark Zuckerberg has repeatedly lied to the American people about privacy. I think he ought to be held personally accountable, which is everything from financial fines to—and let me underline this—the possibility of a prison term. Because he hurt a lot of people. And, by the way, there is a precedent for this: In financial services, if the CEO and the executives lie about the financials, they can be held personally accountable.

Often in 2018 I made similar suggestions, based on the thought that our security industry would mature faster if a CSO personally can be held liable like a CEO or CFO (e.g. post-Enron SOX requirements):

And at Blackhat this year I met with Facebook security staff who said during the 2016-2017 timeframe the team internally knew the severity election interference and were shocked when their CSO failed to disclose this to the public.

Maybe the Senator putting it all on the CEO today makes some sense strategically…yet also begs the question of whether an “officer” of security was taking payments enough to afford a $3m house in the hills of Silicon Valley while intentionally withholding data on major security breaches during his watch?

Given an appointment of dedicated officer in charge of security, are we meant to believe he was taking a big salary only to be following orders and not responsible personally? Don’t forget he drew press headlines (without qualification) as an “influential” executive joining Facebook, while at the same time leaving Yahoo because he said he wasn’t influential.

To be fair he posted a statement explaining his decision at the time, and it did say that safety is the industry’s responsibility, or his company’s, not his. Should that have been an early warning he wasn’t planning to own anything that went awry?

I am very happy to announce that I will be joining Facebook as their Chief Security Officer next Monday…it is the responsibility of our industry to build the safest, most trustworthy products possible. This is why I am joining Facebook. There is no company in the world that is better positioned to tackle the challenges…

There also is a weird timing issue. The start to the Russian campaign is when Facebook brings on the new CSO. Maybe there’s nothing to this timing, just coincidence, or maybe Russians knew they were looking at an inexperienced leader. Or maybe they even saw him as “coin-operated” (a term allegedly applied to him by US Intelligence) meaning they knew how easily he would stand down or look away:

  1. June 2015: Alex Stamos abruptly exits his first ever CSO role after failing to deliver on year-old promises of end-to-end encryption, and also failing to disclose breaches, to join Facebook as CSO. Journalists later report this as “…beginning in June 2015, Russians had paid Facebook $100,000 to run roughly 3,000 divisive ads to show the American electorate”
  2. October 2015: Zuckerberg tries to shame outside critics/investigators and claim no internal knowledge… “To think it influenced the election in any way is a pretty crazy”
  3. January 2017: US Intelligence report conclusively states Russia interfered in 2016 election
  4. July 2017: Facebook officially states “we have seen no evidence that Russian actors bought ads on Facebook”
  5. September 2017: Facebook backtracks and admits it knew (without revealing exactly how soon) Russian actors bought ads on Facebook
  6. September 2017: Zuckerberg muddies their admission by saying “…investigating this for many months, and for a while we had found no evidence of fake accounts linked to Russia running ads”, which focuses on knowledge of fake accounts being used, rather than the more important knowledge Russia was running ad campaigns
  7. September 2017: Zuckerberg tries to apologize in a series of PR moves like saying “crazy was dismissive and I regret it” and asking for forgiveness
  8. October 2017: Facebook’s Policy VP issues a “we take responsibility” statement
  9. October 2017: Facebook admits 80,000 posts from 2015 (i.e. from when Stamos started as CSO) all the way to 2017 (i.e. when Stamos was still CSO) reached over 120 million people. Stamos brands himself both as the influential officer in charge of uncovering harms yet also a wall flower paid an officer salary to not speak out. It does somehow come back to the point that the Russian Internet Research Agency allegedly began operations only after Stamos’ joined. Even if it started before, though, he definitely did not disclose what he knew when he knew it. His behavior echoes a failure to disclose massive breaches while he was attempting his first CSO role in Yahoo! (see step 1 above)

Given the security failures from 2015 to 2017 we have to seriously consider the implications of a sentence that described Stamos’ priors, which somehow are what led him into being a Facebook CSO

At the age of 36, Stamos was the chief technology officer for security firm Artemis before being appointed as Yahoo’s cybersecurity chief in March 2014. In the month of February, Stamos in particular clashed with NSA Director Mike Rogers over decrypting communications, asking whether “backdoors” should be offered to China and Russia if the US had such access.

There are a couple problems with this paragraph, easily seen in hindsight.

First, Artemis wasn’t a security firm in any real sense. It was an “internal startup at NCC Group” and a concept that had no real product and no real customers. As CTO he hired outside contractors to write software that never launched. This doesn’t count as proof of either leadership or technical success, and certainly doesn’t qualify anyone to be an operations leader like CSO of a public company.

Second, nobody in their right mind in technology leadership let alone security would ask if China and Russia are morally equivalent to the United States government when discussing access requests. That signals a very weak grasp of ethics and morality, as well as international relations. I’ve spoken about this many times.

If the U.S. has access it in no way has implied other governments somehow morally are granted the same access. Moreover it was very publicly discussed in 2007 because Yahoo’s CEO was told to not give the Chinese access they requested (when Stamos was 28):

An unusually dramatic congressional hearing on Yahoo Inc.’s role in the imprisonment of at least two dissidents in China exposed the company to withering criticism and underscored the risks for Western companies seeking to expand there. “While technologically and financially you are giants, morally you are pygmies,” Rep. Tom Lantos (D., Calif.)

If anything these two points probably should have disqualified him to become CSO of Facebook, and that’s before we get into his one-year attempt to be CSO at Yahoo! that quickly ended in disaster.

In 2014, Stamos took on the role of chief information security officer at Yahoo, a company with a history of major security blunders. More than one billion Yahoo user accounts were compromised by hackers in 2013, though it took years for Yahoo to publicly report…Some of his biggest fights had to do with disagreements with CEO Marissa Mayer, who refused to provide the funding Stamos needed to create what he considered proper security…

Let me translate. Stamos joined and didn’t do the job disclosing breaches because he was campaigning for more money. He was spending millions (over $2m went into prizes paid to security researchers who reported bugs). While his big-spend bounty-centric program was popular among researchers, it didn’t build trust among customers. This parallels his work as CTO, which didn’t build any customer trust at all.

The kind of statements Stamos made about Artemis launching in the future (never happened) should have been a warning. Clearly he thought taking over a “dot secure” domain name and then renting space to every dot com in the world was a lucrative business model (it wasn’t).

I’m obviously not making this up as you can hear him describe rent-seeking with a straight face. His business model was to use a private commercial entity to collect payments from anyone on the Internet in exchange for a safety flag to hang on a storefront, in a way that didn’t seem to have any fairness authority or logical dispute mechanism.

Here is a reporter trying to put the scheming in the most charitable terms:

In late 2010, iSEC was acquired by the British security firm, NCC Group, but otherwise the group continued operating much as before. Then, in 2012, Stamos launched an ambitious internal startup within NCC called Artemis Internet. He wanted to create a sort of gated community within the internet with heightened security standards. He hoped to win permission to use “.secure” as a domain name and then require that everyone using it meet demanding security standards. The advantage for participants would be that their customers would be assured that their company was what it claimed to be—not a spoof site, for instance—and that it would protect their data as well as possible. The project fizzled, though. Artemis was outbid for the .secure domain and, worse, there was little commercial enthusiasm for the project. “People weren’t that interested,” observes Luta Security’s Moussouris, “in paying extra for a domain name registrar who could take them off the internet if they failed a compliance test.”

Imagine SecurityScorecard owning the right to your domain name and disabling you until you pay them to clean up the score they gave you. Dare I mention that a scorecard compliance engine is full of false positives and becomes a quality burden that falls on the companies being scanned? Again, this was his only ever attempt at being a CTO (before he magically branded himself a CSO) and it was an unsuccessful non-starter, a fizzle, a dud.

From that somehow he pivoted into a publicly traded company as an officer of security. Why? How? He abruptly quit Artemis by taking on a CSO role at Yahoo, demanding millions for concept projects more akin to a CTO than CSO. He even made promises upon taking the CSO role to build features that he never delivered. Although I suppose the greater worry still is that he did not disclose breaches.

It was after all that he wanted to be called CSO again, this time at Facebook. That is what Wyden should be investigating. I mean I’m fine with Wyden making a case for the CEO to be held accountable as a starting point, the same way we saw Jeff Skilling of Enron go to jail.

It makes me wonder aloud again however if the CFO of Enron, Andrew Fastow, pleading guilty in 2004 to two counts of conspiracy to commit securities and wire fraud…is an important equivalent to a CSO of Facebook pleading guilty to a conspiracy to commit breach fraud.

Stamos says he deserves as much blame as anyone else for Facebook being slow to notice and stamp out Russian meddling in the 2016 presidential election

Ironically Stamos, failing to get anywhere with his three attempts at leadership (Artemis, Yahoo and Facebook) has now somehow reinvented himself (again with no prior experience) as an ethics expert. He has also found someone to fund his new project to the tune of millions, which at Blackhat some Facebook staff reported to me was his way to help Facebook avoid regulations by laundering their research as “academic”.

It will be interesting to see if Wyden has anything to say about a CSO being accountable in the same ways a CFO would be, or if focus stays on the CEO.

In any case, after a year of being CSO at Yahoo and three years of being CSO at Facebook, Stamos’ total career amassed only four years as a head of security.

Those four years unmistakably will be remembered as one person who sat on some of the biggest security operations lapses in history. And his 2015 tout he was taking an officer role because “no company in the world is better positioned” to handle challenges of safety continues to produce this legacy instead:

Another month, another Facebook data breach.

Update September 7th, 2019:

In another meeting with ex-Facebook staff I was told when “CEO and CSO are nice people” it should mean they don’t go to jail for crimes, because nice people shouldn’t go to jail. That perspective makes me wonder what people would say if I told them Epstein had a lot of friends who said he was nice. I mean it suggests to me a context change might help. I first will raise the issue in my CS ethics lectures with an example outside the tech industry: Should the captain of sunken ship face criminal investigation for saving self as 34 passengers died in an early morning fire?

Chinese drone company reports 98% kill-rate

A Chinese/German drone collaboration is delivering micro-dose poison at 14 hectares/hour and achieving a 98% kill-rate on armyworm.

Specifically, the drone atomises the pesticides into micron-level droplets, so the chemicals can evenly adhere to the surface of maize plants with higher coverage rate. The strong downdraft generated by the propellers can significantly reduce liquid drifting and increase pesticide deposition, which means that both sides of the leaves and the central part of crops can be more precisely targeted. Such mechanism can not only increase fall armyworm’s exposure to chemicals but also cut down a large amount of pesticide use and better conserve the beneficial insects.

Targeting sounds like it’s more of a “bracketing” spray than an injection into each worm on a leaf, although the drone company suggests they are looking into worm-recognition capabilities.

Targeting the individual worms instead of plant-level dosing still seems cost-prohibitive in this story. To achieve that accuracy I think we’d be talking Integrated Pest Management (IPM) with technology-augmented insects, or micro-drones, instead of these sprayers.

Perhaps soon there will be Integrated Drone Management (IDM) appearing in agricultural operations centers where augmented bugs are deployed from drones like static-line parachute jumpers.

Many years ago when we were starting research on how to stop drones setup as biological weapons, we looked at them as flying bombs in the same way the Italian fascist military dropped mustard gas on field-hospitals and ambulances.

Chinese agriculture, however, clearly is being driven to develop more highly-efficient low-dose toxin delivery at a micro-target levels. That kind of emphasis in tooling accuracy means drones soon may advance past U.S. bladed assassination missiles, innovating so quickly we will have to update the risk discussions.

To be fair, five years ago any kind of anti-drone methods to stop weaponized versions meant a specific audience where examples needed to be general. Today it seems a general audience is open to hearing what harms may be ahead and more specific examples are more welcome.

Unfortunately what I must emphasize most today isn’t just how drones rapidly move towards highly-targeted assassination methods for something labelled pest. I must also point out members of our security community actively have been found labeling non-whites as pests. Beware people advertising themselves as deserving authority to protect humans from harm, who may in fact be enabling and promoting harm through technology.

DEFCON27: Would the White House Use Executive Privilege to Back Door Your Crypto?

I said I would write up my notes from DEFCON27, where I had the “opportunity” to meet General Flynn’s residual guy with cyber in his title, so here it is.

DEFCON always has been for me about meeting with the Federal Government. Since the mid-1990s it has felt like the place government staff come to party with reduced accountability and oversight.

This year I stepped into the “Ethics Village” and listened to Joshua Steinman present his vision. To be honest in my decades of experience in security and working with the government I never had heard of Josh. When he began speaking I kind of realized why. He said very emphatically to the moderator:

Please don’t ever say cyber security. It’s just cyber.

This was like telling us not to say Internet security because just saying Internet somehow magically implies security. Yeah, not going to happen.

Few things self-reveal someone inexperienced in security like their overuse of the term cyber, leaving off modifiers needed to clarify, or lacking a sense of irony.

He also gave an intro of his background where he claimed to be a world-class expert on Al Qaeda before 9/11, issuing a national security report based on all available evidence (I later found out this was just a short paper he wrote in high school, and I am not kidding).

He also said he was a big supporter of the Republican candidate for President and that pulled him straight into the White House after victory.

And finally he called himself entrepreneurial (I later found out he started a knitting company to make socks for men, and again I am not kidding).

While he definitely puffed out himself in presenting his background as someone believing he is on the right side of history and ahead of his time, something about his self-promotion seemed off, especially compared to the quality of other speakers in prior sessions in the Ethics Village.

For the next 30 minutes or so Josh rattled randomly about personal life philosophy like basic water-cooler tactics and how surprised he was to find out the 1800s-era White House is physically small.

For someone repeatedly claiming he was able to see into the future, it was the opposite of substance. Imagine travelling all the way to a conference, sitting down to hear the “head of cyber” for a national government, and getting a presentation like this:

Usually I like to stand around in the break room area by the coffee. That’s where I hear conversations others are having and can find out what’s happening in the White House. Sometimes I join their conversation.

This was by no means a comforting talk to hear from the person purporting to be the policy making leader of our industry. I’m also paraphrasing here as Josh said several times “Raise your hand if you are a reporter. There are no reporters here? What I’m saying is off the record.” It appeared he was joking about this, although nobody laughed.

What caught my attention, among the rambling stories of hanging around and doing nothing tangible, was Josh said with the utmost confidence “executive privilege is right there in the Constitution. Go read it to see for yourself.”

I’m no constitutional lawyer but as a historian who studied cold-war machinations of Presidents I’m well aware that the executive privilege line most definitely is NOT something you can read in the Constitution. Furthermore, as a security professional, I’m well aware of the danger of executive privilege being used to suppress evidence/speech and deny freedoms necessary to avert suffering at massive scale.

Perhaps Constitution Daily put it best:

One of the great constitutional myths is the principle of executive privilege. Though the term is not explicitly mentioned in the Constitution, every President has called upon it when necessary.

I really have no idea why Josh would say “go read it” for something that doesn’t exist in writing. He’s supposed to be a policy expert. Moreover you can imagine there is a big issue with oversight for that qualifier “when necessary”, since it’s for a privilege that is going to be argued as above all oversight.

Ronald Reagan infamously invoked executive privilege, while carefully avoiding use of the exact phrase, in attempts to avoid accountability for illegal arms deals:

The alternative language used by Mr. Reagan’s lawyers appears to reflect a desire to avoid the negative connotation associated with the term, which over the years has come to be thought of by critics as a legal ploy invoked by Presidents seeking to deflect embarrassing inquiries.

The legal skirmish is taking place in advance of Mr. Poindexter’s trial, which is scheduled to begin on Feb. 20. He faces five criminal charges, including accusations that he obstructed Congressional inquiries and made false statements to Congress about the Government’s secret arms sales to Iran and about efforts to aid the Nicaraguan rebels, or contras, at a time when such assistance was banned by Congress.

That reference to legal ploy comes from Richard Nixon, who similarly claimed he had such an executive privilege to conceal his guilt. He thought he could block White House tape recordings being revealed during the Watergate Scandal.

During the Bush Administration, executive privilege was argued to be not only non-specific but also quite limited. Note the reference to Kavanaugh (now on the Supreme Court) lying to Congress.

Predictably, the White House is claiming executive privilege and refusing to cooperate with the legitimate Congressional investigations, one springing from Mr. Bush’s decision to spy on Americans without a warrant and the other from the purge of United States attorneys. The courts have recognized a president’s limited right to keep the White House’s internal deliberations private. But it is far from an absolute right, and Mr. Bush’s claim of executive privilege in the attorneys scandal is especially ludicrous. […] Nor can it be used to shield an official who might have lied to Congress. The Senate Judiciary Committee has asked the Justice Department to investigate Brett Kavanaugh, a former White House official who told a Senate hearing on his appointment to a federal judgeship that he was not involved in forming rules on the treatment of detainees. Recent press accounts suggest that he was.

That’s a far more restrictive interpretation of executive privilege theory versus a Washington Post article from 1986 that spells out how proponents had wanted to use it under the Reagan Administration:

While serving in effect as lawyer for Attorney General Edwin Meese III, Cooper also advises the Justice Department, other federal agencies and inquiring members of Congress on a wide range of legal questions. Most of his opinions remain confidential, but some that have surfaced have generated headlines. In one opinion, Cooper argued that employers may fire persons with AIDS because of fear that the disease may be contagious, even if that fear is irrational. In another, he said that President Reagan must support an executive privilege claim by former president Richard M. Nixon to keep Nixon’s White House papers secret. […] In addition, department sources say, Cooper has been advising Meese on the U.S. decision to allow arms to be shipped to Iran in connection with efforts to free American hostages. Meese, in turn, has provided assurances to the White House that the shipments were legal.

Perhaps most importantly for this Ethics Village talk, that comment on AIDS is more significant than you might realize. Ronald Reagan claimed executive privilege could block the Centers for Disease Control from issuing a pamphlet on the AIDS crisis despite tens of thousands of Americans dying.

First, let’s set the context of how Reagan handled a threat to Americans that started in 1981. After it already killed nearly twice the number of 9/11 casualties Reagan used his authority to stay silent on the issue:

One of the most prominent stains on the…Reagan administration was its response, or lack of response, to the AIDS crisis as it began to ravage American cities in the early and mid-1980s. President Reagan famously…didn’t himself publicly mention AIDS until [Sept 17th] 1985, when more than 5,000 people, most of them gay men, had already been killed by the disease.

Even in 1985, Roberts (now on the Supreme Court) wrote an infamous memo that recommended the President keep quiet for self-benefit, avoid reassuring people with science, and wait instead for hyperbolic commentators to be proven wrong by scientists.

I would not like to see the President reassuring the public on this point, only to find out he was wrong later. There is much to commend the view that we should assume AIDS can be transmitted through casual or routine contact…

AIDS can not be transmitted through casual or routine contact. It is known today as it was already known then.

After years of intentional silence on the subject by an American President the threat went on to be the greatest public health catastrophe of the twentieth century and kill approximately 650,000, the same as number of Americans estimated killed during the Civil War.

…for the first four years in office, the nation’s top health officer was prevented from addressing the nation’s most urgent health crisis, for reasons he insisted were never fully clear to him but that were no doubt political.

Imagine executive privilege being used to prevent experts from addressing the nation’s most urgent security crisis, then look at this graph of Reagan’s policy of censorship and silence on harms.

Data on American death was suppressed by Reagan until 1987. Source: National Center for Health Statistics

So this prompted me to ask Josh about the large and vague theory of executive privilege. Already we can see Josh was wrong about executive privilege being written in the Constitution. Now I wanted to know if he supported its use to block discussion of a bug that can kill hundreds of thousands of Americans.

I stepped up at the end of his presentation and asked 1) where executive privilege was written and 2) whether Ronald Reagan’s interpretation of it would enable the White House to secretly harm Americans with backdoors in encryption, much in the same way he avoided public accountability for export death (illegal arms shipments to Iran) and domestic death (blocking AIDS scientific alerting).

As I asked my question he shook his head disapprovingly. Perhaps my question, like my blog posts, was rambling and lacked clarity.

I was thinking of how to ask about executive privilege in terms of the AIDS epidemic because in computer security terms it would be a virus that easily could be remotely controlled. If the executive privilege theory means the White House can block scientific discussion for political self-benefit, leading to masssive harms of citizens, is the White House cyber policy head also saying secret government backdoors in encryption could be within this privilege?

Josh didn’t answer directly and instead said in a long statement that encryption was complex as a topic, there were many sides, and the market would decide backdoors. He also invited everyone to speak with him after as he could easily show where in the Constitution executive privilege was written (it’s not).

When he finished and got up to leave I walked up to him and he quickly exited towards the back of the room, passing directly by me. Several people said “he must not have seen you” so I rushed out the door and caught him in the hallway. He looked me directly in the eyes, turned and ran away.

the poetry of information security