Not specifically an American issue, but I want to make a modest proposal with regard to the American government.
A look at the 'demise' of TrueCrypt. It's an interesting story and this is a reasonably level-headed look at it (if you want conspiracy theories they are just a google away...).
But these parts stuck out:
But beyond that, the episode re-emphasizes the challenge of an “open source” method of security. ... As with Heartbleed, open source methods work only for as long as volunteers are willing to work on the project. ...
Finally, the episode serves to also illuminate how broken our system of security is. We can’t trust the government to provide it; we can’t trust private corporations to provide it; and we can’t rely on the kindness of strangers to provide it either. Unless you are one of the rare individuals who can build and install their own encryption code (I am =not=!) you are inevitably reliant on somebody else for your security. Yet nobody is somebody you can trust. And that leaves us hopelessly vulnerable – not just to mistrusted governments but to malevolent actors across the globe. The Russian cyber gangs must rejoice at the demise of TrueCrypt.
One thing the US fully has the power to do is create a cryptographic locker system that can be trusted. While there is absolutely no reason to trust any closed system created by the government, we are perfectly willing to use crypto algorithms created by them because they are open and tested widely. They originate from the government but by and large abide by the mathematical equivalent of open source philosophy. Hell, if they didn't they'd be useless to the government.
Is there any reason that a government with a strong interest in protecting individual privacy (stop sniggering), corporate security and general liberty couldn't pony up the investment and seed talent needed to create and manage an open source cryptographic locker similar to TrueCrypt? I mean, the corporate security angle alone is worthwhile.
As a rough outline:
1) The government provides funding to pay a full time development team to create and maintain the software. The team should be recruited from the general population.
2) The software in question should be mandated for use for all government agencies using on-disk cryptography, with all users required to use the latest official build (within reason).
3) Audit teams should be formed with rotating members to periodically do deep examinations of the software. These teams should include members from or nominated by various government departments as well as NGOs and other bodies. At a minimum I'd say you want permanent members from the DoD and NSA, as well as the ACLU, EFF and maybe straight up partisan political nominees from each party. Each audit completes a full report which is open to the public, along with any changes suggested and implemented by the coding team.
4) The code is fully open source, and public contributions are possible, but changes to the main build can only be implemented by the main team and official version releases are only done after a complete audit and report cycle. Licensing should allow alternative builds and parallel development efforts based on the code base.