Archive for the 'General' Category

Feb 01 2013

Send me your geeks, not your marketing department

Published by under General

If you’re reading this post, chances are you’re a security practitioner and you know exactly what’s coming up in February:  RSA.  You know the dates like you know few others in your life and you plan for months to make the pilgrimage to San Francisco and the Moscone Center.  Or maybe you don’t work for a vendor like I do and you realize a week or two before the event you need to get a plane ticket.  But in either case, most security professionals know about the RSA Conference and the tens of thousands of people who will be gathering there to look at all the cool, new blinky lights and attend the parties each night.

Besides security practitioners, there are a couple of other groups who attend RSA:  Press and PR.  Press attends RSA for much the same reason that most security professionals do: they want to see the new shiny and find out what it does.  But rather than figure out how to budget for toys in 2014, the press is there to hear about the toys, then write about them for the people who can’t (or don’t want to) make it to the conference.  And the PR folks are there to do everything they can to feed that appetite for information, hopefully to the benefit of their particular client. It makes for an interesting interplay, since the people who want the most to be noticed at RSA are not necessarily the people who are actually doing the most interesting things.

I’m lucky, or unlucky, depending on your point of view; thanks to the blog and the podcast, I get to be on both sides of this particular issue.  As part of my day job for a little internet start up, I get to see a lot of the effort that goes into the PR and marketing for an event of this size.  There are literally months of planning, meetings and arguments about where booths will go, what direction they’ll be facing and what the main ‘message’ of the show will be.  Everyone does their best to make the most of an event that can literally cost their company hundreds of thousands of dollars, as they should.

The other side, for me, is being part of the press corps and doing my own best job of finding my own unique twist on the stories coming out of RSA.  In my case, this takes the form of microcasts, short interviews with other security practitioners and companies. This gives me a lot of access to talk to interesting people during the conference and share those conversations with my audience.  It works, it gains awareness for the companies I interact with and everyone benefits.  Except when the PR folks start wanting me to talk to someone in their marketing department rather than the people who are actually making the product or doing the research.

I’m a security professional, I’ve been doing both the press thing and the security thing for quite a while now.  And as such, I want to talk to someone who speaks the same language as I do, has the same mindset as I do and is more interested in the cool, geeky stuff that makes their product work than spinning exactly the right message in order to get that honey of a quote in an article.  I want to talk to someone who’s as excited about information sharing and the latest attacks as I am; I don’t want to talk to a VP of Marketing who has two or three bullet points he has to work into a conversation no matter what questions are asked.  I want to talk to someone who’s willing to go off on a tangent, even if it doesn’t directly relate to his or her company.  In other words, I want to talk to another geek!

Nothing against Marketing Directors or VPs, but I have yet to meet one that’s as excited or as knowledgeable about a product as the girl who built it.  Marketing has a purpose, it’s to create and craft a message so that as many people as possible will hear it.  I understand and support that.  But that’s not the person I want to talk to!  Throw your ‘message’ in the corner with the hundreds of others that will be thrown at us this February.  We’re all inundated with messages, when what we really want is a live person to talk to, not a talking head who’s going to do everything possible to get the three bullet points about his company into an article.

Your marketing department’s job should be 99% done when the doors open at Moscone Center.  Get the technologists, the scientists and the uber-geeks in front of people like me and let them run with it.  The people who attend RSA, the people who read about RSA and the people listening to my podcast want to hear what they have to say, even if it isn’t neat and tidy and might ramble a little off topic once in a while.  If you really want to differentiate your company from the other 350-odd companies at RSA, this is going to be one of the best ways to do it.  At least in my case.

So let’s gird our loins and continue preparing for this year’s RSA.  Send someone who’s as passionate about security as I am to talk to me.  Let out your researchers, who you might not normally be comfortable having in front of the press.  Have a little fun after all the stress of planning this one week in February.

One final thought:  I’m not all that interested in hearing about anti-virus, firewalls or authentication technologies.  I don’t want to hear about a tweak on a technology that’s decades old.  What I, personally, want to hear about this year at RSA is information gathering, information sharing and new, unique ways of doing security.  Tell me how your company is contributing to the knowledge of security as a whole or about a new way of doing security that’s actually effective.  Don’t tell me about your new blinky light technology that I can just bolt on to my network in order to have all my problems solved.  There are no silver bullets, even Gartner knows that.


Jan 07 2013

Rambling on writing

Published by under General

One of the main reasons I started blogging was to work on my writing skills.  Similarly, one of the main reasons I’m forcing myself to start blogging regularly again is also to work on my writing skills.  Yes, I learned to write well in high school and college, but those were both a long time ago and writing is definitely one of those skills that gets rusty when not used.  If there’s one skill that we, as security professionals, can’t afford to get rusty, it’s the ability to communicate with the people who don’t share the same passion for risk, analysis and vulnerabilities we do.

I think the whole ‘learn to write’ meme is one we circle around to at least once a year, and there’s a good reason for it.  If you talk to people who frequently review RFPs and other sorts of open calls for papers, you’ll find that many of them cringe when thinking of the quality of writing they encounter in the process.  I don’t know the exact percentages, but I’m led to believe that as high as 50% of the papers submitted get culled in the first round just for being poorly written and full of grammatical errors.  If you can beat 50% of your competition by simply using complete sentences and proper punctuation, why not at least start by giving yourself that much of an edge?

Another place where a lack of English (or whatever your primary language is) skills shows up is in email.  How often have you read an email, only to have to call the person just to find out what they really meant to say?  Think of the last time you had to go through a long email exchange only to find that the thing was a miscommunication that could have been clarified with one or two sentences early in the process.  So often we’re in such a hurry to simply answer an email and get it off our own plate that we sacrifice clarity in order to simply get stuff done.  How many times have you spent time trying to decipher a coworker’s rambling only to find out he or she actually wanted something totally different than they wrote in the email?  It’s easy to have happen when you’re more interested in getting the email out than you are in getting the right email out.

A few months ago a friend asked me about writing and one book I recommended to him was ‘On Writing’ by Stephen King.  The book really is about half autobiography, but it makes for a good counterpoint to the why’s of his editing and usage of words.  If you’re a King fan, learning about his life and the roads he’s traveled makes for a good read, but even if you aren’t, it’s still a good read in any case.  “Eats, Shoots & Leaves” is another good book if you’re just looking for something to remind you of all those annoying rules that teachers tried to force into your head all those years ago.  The rules are still annoying, but at least you can be slightly amused while remembering them.

One final thing to remember is what you write about isn’t as important as the fact that you’re writing.  I’ve written over 2000 posts for the blog, and I’d say 90% of them, including this one, are rambling diatribes that probably weren’t worth repeating (or retweeting).  But the 10% of them that actually came out clear, concise and with a few good points in them are worth the time.  And I never would have written that 10% (or 5% or 1%, depending on your point of view) if I hadn’t written all the drivel that came before and after the few gems in the rough.  So, rather than wait for the perfect moment of inspiration to catch fire in your brain, start writing now with the understanding that you’ll produce a lot of crap before you have the one good thought that you’ve been trying to uncover for months.


Jan 03 2013

Morning reading 010313

Published by under General

In the spirit of my only ‘resolution’ for the new year, here’s a quick post on some of what I’m reading this week.  Like many security professionals, I read dozens of posts and articles each week, but only a few of them are worth retweeting or blogging about.  This week is the first of the year, so it’s likely many of the stories I read and rejected were about the way people looked back at the old year or looked forward to the new year.  Very few ‘prediction’ articles made it into my stream, though I did use a few of the stories to decide which sites to stop reading.  Hint:  Your ’2013 Security Predictions’ are worth the paper they’re printed on.

  • DEFCON: The Documentary (a preview) – In his copious amounts of spare time (okay, maybe it’s what he does for a living) Jason Scott and a crew of videographers taped over 280 hours of video at DEFCON for its 20th anniversary.  He’s released a preview of the documentary, and it’s fun for me to see some of the people and places that are essential for this event to happen every year.  If you’ve never been, don’t be intimidated by some of the strange antics you see in the preview; people let loose at DEFCON in ways they won’t most of the rest of the year.
  • how the pci standards will really die – I was initially a fan of PCI when I started working in that portion of the field six or so years ago.  I was hopeful that it would spark change and force businesses to spend more energy (and money) on security.  It did, but the standards stagnated and really haven’t changed in any significant way since those early days.  PCI Guru points out a number of the fatal flaws with PCI and why it will be the card brands themselves that eventually kill it.  Which can’t come soon enough for me.
  • My 2013 Resolutions – Unlike me, SecJitsu believes in New Year’s resolutions and this is a pretty good list of them.  We have a habit of getting a bit insular in the security community and it’s important to remember from time to time that we’re part of a larger corporate culture.  I know I need to do a better job of this myself.

And some non-security reading for you as well.  

  • To my 13-year-old, an iPhone contract from your Mom, with love – I have two geek spawn who got phones for Christmas this year, so this resonated with me.  I especially like the end, “You’ll make mistakes, we’ll work through them.”  I don’t think my offspring exactly appreciated me sending this to them via Skype IM though.
  • Best of 2012:  Raspberry Pi Projects – I love my RPis.  I just haven’t quite figured out any long term projects for them yet.  This article has given me some ideas though.

Jan 01 2013

Welcome to 2013

Published by under Blogging,General

I don’t generally do New Year’s resolutions.  The fact is, if I can’t work up the will power needed to do something the other 364 days a year, there’s no reason to think an arbitrary date of January 1 is going to make me any more likely to develop the internal strength needed to follow through on my commitments.  That being said, when you’re doing something public, like blogging, January 1 is as good a date as any to restart efforts.  Which brings me to this post, which is basically my New Year’s resolution to blog more.

2012 was a very interesting year for me.  I stepped off of planes on four different continents during the year and flew nearly 140,000 miles on United alone.  I took on the role of Security Evangelist in 2011 and got to a point in 2012 that I feel comfortable in the role.  I can actually answer most of the questions people ask me about the inner workings of the Akamai platform, rather than having to say “I’ll find out” and asking our engineers.  I wrote several security sections for Akamai’s State of the Internet Report.  I presented at half a dozen conferences during the year and learned a lot about what I need to do to become a better presenter.  All in all, it was a very good year from a professional perspective and looking forward to 2013, things will continue to get better if how we closed out 2012 is any indication. And I’ve been told I need to cut back on the travel this year, which may make the year even better.

From a personal perspective, 2012 was a ‘more of the same’ year. The Spawn (as I call my children publicly) continue to grow at an alarming rate and my grocery bill grows at a similar rate.  Spawn0 is already as tall as Wife0 and Spawn1 is threatening to catch up to him before too long.  They both continue to expand their horizons and give me at least a little faith that maybe the next generation isn’t as completely hopeless as the current generation.  It’s that hope that keeps us from strangling them at birth, I suppose.  Neither Wife0 nor I changed much, other than gaining a little more weight and losing a little more hair.  Wait, that was just me, Wife0 is still the same beautiful woman I married 20 years ago.

What I really didn’t like about 2012 though was my blogging and podcasting schedule.  I resolved several times to write more, but didn’t follow through on it as much as I really should.  The podcast recording schedule with Rich and Zach was severely compromised much of the year, with all three of us being on the road more than we probably should have been.  We’ll be recording episode 300 of the Network Security Podcast in a couple of weeks and there’s a good possibility that we’ll be making some changes in order to make the podcast something that we can continue doing despite our travel.  It was either make some changes or quit podcasting, and all three of us have committed to another year of recordings, so plan on listening to us at least a little longer.  I wonder if we have it in us to make it to episode 500?

But it’s the lack of consistent blogging that really makes me annoyed with myself.   When I started writing in 2003, I could write about any story or just spew my thoughts on to the page randomly.  Everything was new and shiny and I had opinions on it all.  Now it’s over 9 years later and I’ve written well over 2000 blog posts; I’ve read and written on almost every aspect of security at some point.  It’s hard to think of anything that I haven’t already seen or been involved with previously that I want to write on, and so much of my thinking last year was based on just learning how to do my job the best I can, with little time left over for contemplation.  And what I do have time to contemplate creates more questions in my own mind about how we do security in the corporate world with few answers being obvious. 

So my resolution for 2013 is to write at least one blog post a week this year.  I’m not going to promise that the content of any of these posts will be spectacular or insightful, but one thing I learned from my early efforts is that sometimes it’s more important to write than to write the perfect post.  If you write enough crud, someone out there will sift through it to find the one or two kernels of wisdom that make it through the system.  Usually those kernels aren’t even what the writer was trying to express, but as long as they resonate with someone, it’s a positive.  Which is all I really want to do, create a positive impact on the security community one rambling post at a time.

With that said, this is my first blog post of 2013.  In August I will have completed 10 years of blogging.  Hopefully I’ll also have completed at least 40 or so posts by that time as well.  Maybe one or two of them will contain something you, the reader, find useful.  If not, I’ll keep writing anyway.  There are still too many ideas in my head aching to get out.


Oct 01 2012

Revealing a little about recent DDoS attacks

Published by under General

It’s a bit frustrating sometimes, working for a company like Akamai.  When you hear stories about DDoS and other attacks on large institutions, we’re often involved in the mix somewhere, simply because we deliver so much of the Internet’s traffic.  But we long ago decided we don’t want to be sensationalist or ambulance chasers, we don’t want to reveal too much about specific customers and we don’t want to reveal too much of the secret sauce that allows us to protect our customers.  The result has been that it’s easier to let other people tell the stories rather than get involved in the conversation, even if we often know the person who was interviewed for an article knew very little about what’s actually going on.  Plus it’s been a little annoying to have to recuse myself from the discussion on the podcast when I can’t talk without revealing what I know about the story in question.

That being said, it’s been nice to be able to be a bit more active in some of the current stories that are happening on the Internet, especially for my teammate, Mike Smith.  Last week I was able to post about the recent SSL vulnerability tool (Take a Byte out of CRIME) and how it affects our company (not much, soon not at all).  But more importantly, Mike was able to write a post about the recent spate of DDoS attacks that have been in the news (Information, not Hope, is the Key to Surviving DDoS Attacks) and has been interviewed for a number of articles by news outlets (Bank attackers more sophisticated than typical hactivists, expert says and US Banks Hit by More than a Week of Cyberattacks).  There’s probably a few more to come out, but that’s a start.

It’s nice to have information that can be freely shared and is public about news stories.  Having to keep quiet about things like this is frustrating, especially since part of what I’d like to do in my role at Akamai is share as much information about what’s happening on the Internet as possible.  The fine line to walk is between being a source of valid information and being a media whore who just wants attention.  Though, as a blogger, it’s probably too late for me.


Sep 21 2012

Notes from SOURCE Seattle

Published by under General,Simple Security

I got to attend my first SOURCE event last week, thanks to a lucky confluence of events which freed up my time.  Mainly, I didn’t have to go to the PCI Council’s Community Meeting and was able to take advantage of SOURCE Seattle instead.  I know many of the people involved in SOURCE and I’d been wanting to go for a long time.  This was the 10th SOURCE event, and I walked away very happy I’d finally been able to attend.

The Seattle conference is very different than any other event I’ve been a part of; with under 100 people in attendance, it’s small and personal.  I had the opportunity to talk to almost every person there, which is something you rarely get to say at any event these days.  During lunch on both days the team running the event led interesting discussions and helped encourage people to talk to other security professionals they’d never met before.

My favorite talk was by Tony Rucci, giving a detailed account of what it was like to be part of the White House staff on 9/11/2001.  It was interesting to hear the first-hand account of someone who’d been on the ground at the time.  I liked getting to go to talks by friends like Adam Shostack and Zach Lanier, even if Zach did lose me about 15 minutes into his talk (I’m not an Android debugger by trade, so shoot me).  Robert M. Lee’s talk on the maturity of security was good to hear, but I feel he may be a bit optimistic.  The Base Rate Fallacy talk by Florer & Lowder made my brain hurt; my wife is currently taking a statistics class, maybe I should ask her for help.

I haven’t been to the larger SOURCE Boston, but if you’re in the Seattle area, look at coming to the con when it happens next year.  Hopefully it stays small and intimate for a few more years.  And hopefully it can stay in the Maritime Museum for a few more years as well.


Aug 26 2012

Put up or shut up: Lead with action, not words

Published by under General

Oracle CSO, Mary Ann Davidson, says information sharing isn’t happening based on her experience as CSO and President of an IT Information Sharing and Analysis Center (IT-ISAC) chapter.  I think someone who says information sharing isn’t going on is looking in the wrong places and has her head stuck in the sand.  Her conclusions are probably accurate from her point of view; she’s not seeing much information sharing from Oracle or IT-ISAC, so it must not be going on.  But I think her viewpoint is myopic.

From my point of view, there is a lot of information sharing going on out there. This week I was at the bi-weekly Advanced Cyber Security Center (ACSC) meeting in Boston, MA.  Over the summer I spent a week in Malta at the annual Forum of Incident Response and Security Teams (FIRST).  I’ve been to over a dozen conventions this year alone and spoken to hundreds of security professionals of every level.  There are also thousands of people in security who spend time every day interacting on Twitter and other social networks, building relationships with people who share their passion for security, sharing information.

Then there are all the information sharing efforts I’m not involved in but probably should be.  Things like the Dragon Research Group, the Shadow Server Foundation, the SANS Internet Storm Center, Emerging Threats, as well as a host of others.  These efforts are led by volunteers who like to dig deep into some of the dark corners of the Internet and share with others what they’ve found.  Some of it’s supported by businesses, but the majority of the effort is led by people who are passionate about security and want to share what they’re finding for everyone’s benefit.

There’s also a lot of intelligence being shared by the industry in the form of monthly, quarterly and annual reports.  My personal favorite is the Data Breach Investigation Report (DBIR) provided every year by the folks at Verizon. The reports that come from Symantec, McAfee, Prolexic, Dell and Arbor, just to name a few, also add to the breadth of knowledge we have available.  I’ve even been contributing to the Security section of the Akamai State of the Internet Report the last few quarters myself.  And there are more industry blogs than you can shake a stick at if you care to spend, oh, maybe 30 seconds in your favorite search engine.

My point is, there’s a lot of information sharing going on, it’s just not neatly packaged up in a way that a senior manager can easily say, “Here are the specific actions my corporation should take based on this data”.  It takes work to review the sources and synthesize the information into something that could legitimately be called knowledge.  So far, the ACSC is the organization that works the best for sharing directed information, but that is in large part because the group is limited in scope (New England area organizations only) and because it meets every other week for face time and information sharing.  It takes trust, which generally is something that you’re only going to earn over time by consistently being available and being trustworthy yourself.  Trust is something that’s gained one person at a time, not just because you’re part of a big company or you think you’re a big name in the industry.  Meeting once a quarter or just using forums and mailing lists isn’t going to earn much trust, nor is admonishing people for not sharing.

If you want to further information sharing in the security industry, businesses need to begin by sharing a little of what they’re seeing themselves, not expect everyone else to come to them with information.  Oracle has a horrible reputation when it comes to sharing security information.  When was the last time anyone saw a real, valuable announcement about a vulnerability in an Oracle product before it was a zero day or the researcher ran out of patience after waiting two years to publish his or her findings?  What information is Oracle publishing that’s valuable to the industry or talked about as a resource everyone just *has* to read?  Rather than implying I’m a bad Internet citizen by telling me I should share more information, show me how it’s done.  Come to the table with something of value, show me how to contribute in return, give me an example I’ll want to follow, rather than whining because I didn’t give you something first.  Lead me by showing me how it’s done, not by telling me I need to do a better job of it myself!

One of the points where I think Mary Ann Davidson is dead wrong is in being condescending about concerns for personal privacy in information sharing.  If we have learned anything, it’s that properly anonymizing data is HARD.  Remember when AOL released search data to researchers in 2006?  It was quickly proven that it was relatively easy to take the data and link it to people in the real world.  If we’re asking for that level of information sharing between companies and government, we need to be absolutely certain we’ve taken as much care as possible to protect individuals, and only reveal their information when it’s actually needed as part of the threat intelligence. Which I’d say is probably only 1 case in 10,000 or more, since the majority of traffic from individuals has no bearing on security.  Maybe Mary Ann is willing to hand over her information to every information sharing entity and the entities they interact with, but I’m not.  Besides which, I’d be willing to bet that personal privacy is only a stalking horse for most businesses, they’re really more concerned with sharing their company’s private information than the private information of their customers.

Rather than complain that we’re not sharing enough as an industry, we need to work on sharing information about attacks, attackers and malicious traffic in a safe and sane manner.  This doesn’t mean just sharing traffic captures, which 99% of management professionals wouldn’t understand anyway.  It means identifying threat actors, doing what we can to create positive attribution and sharing that data with other companies and the government.  This doesn’t just mean the stuff that goes on behind closed doors, it means creating more reports that show real statistics and contain valuable analysis for the industry as a whole.  Give me tools that I can use to help make informed decisions about securing my corporation and I might just surprise you by reciprocating.


May 20 2012

How do you keep your data ‘safe’ despite a compromise?

Published by under General

I just spent the last two weeks in Singapore, Kuala Lumpur, Sydney and the Gold Coast.  It was arguably one of the best trips of my career, both from a work perspective and from a tourist perspective.  Of course, I’ve never really been a one man traveling road show before, but it’s part of the role when your job title includes the word ‘evangelist’.  I was more than a little humbled by some of the people I got to meet and excited by the chances I had to meet a lot of people who’d only been digital signatures up until this point.  Nothing like finally putting a face to a name 8000 miles from home to make you realize how small the world really has become.

One of the more interesting conversations I found myself in was at the AusCERT Conference.  The Chatham House Rule was invoked, so I can’t say exactly who was involved, which is pretty convenient since I couldn’t remember the names or affiliations of half the people who were in the room at the time in any case.  A large number of the vendors at AusCERT got invited by representatives from the Australian police forces to participate in open conversation and feedback.  This wasn’t simply a pretense to make vendors feel good, the LEOs (Law Enforcement Officers) were genuinely interested in hearing from people who worked in the business.  The sad part is that after a break, only a few of the vendors came back for the second half of the conversation.  Not that I had any problems speaking my mind either half of the conversation.

The question that took up most of the time was “Australia is going to put our healthcare information online, how do we keep it safe?”  There were numerous suggestions, but the point that resonated with almost everyone was that the data was almost certainly already compromised and if it wasn’t, it would be soon.  This led to a few incredulous stares and the statement, “90% of businesses already admit to being compromised, the other 10% just won’t admit it or don’t know yet.”  Isn’t it uplifting when you get 20 or so vendors in a room and every one of them tells you you’re probably already compromised?  Several of the comments from the LEO’s gave me the impression that they had exactly the same opinion, even if they couldn’t admit it in any forum that contained people without the proper security clearances.

This conversation left me wondering.  How do we live in a world where we have to assume that if our data isn’t already compromised, it soon will be?  How do we make the data useful to the people who rely on it while denying value to the people who would want to steal it?  We know we can’t secure data forever, so can we give it a lifetime in some way and still continue to use it? 

One of the solutions I thought about was encryption.  We use it widely for the protection of credit cards, though perhaps not as widely as we really should.  It’s great for keeping data in motion secure if we’re using short lived keys and well known algorithms.  It’s relatively good for dealing with data at rest, at least as long as the keys are well maintained and everyone treats the data with due diligence.  Which is seldom the case, since most evidence points to compromises taking place in ways that easily circumvent encryption technologies.  The best encryption in the world doesn’t help much when legitimate user accounts are compromised.

We live in a world where our defenses don’t seem to be working and all data will be eventually compromised by someone.  We’re at a stage where we can’t pretend our static defenses will protect us from much except the pickers of low hanging fruit on the Internet.  Whether it’s a nation state actor, a chaotic actor or an out of work actor, someone wants our data; and they’re going to get it eventually, since we have so many holes in our protections.  Which means we have to change our way of securing the data to make it useless to anyone outside its intended audience.

I’m not even sure what making information lose its value outside of its intended audience would look like.  One idea is to make the information publicly available, which removes the value to an attacker, but that’s probably never going to be a viable option when dealing with healthcare information.  Rumors of technologies that will make data self-destruct when it’s removed from its proper environment are appealing, but I have yet to talk to anyone who’s actually given any such solution a walk through.  Hardware based solutions that rely upon encryption are slightly better than software, but then you have problems like vendor lock-in and longer life cycles for the technology, which really only help the vendor.

As usual, I don’t have an answer for this problem.  But I know that our data is leaking from where it’s stored every day and the leak may soon become a deluge.  Australia isn’t the only country that’s looking at putting their healthcare information online, and they need a solution that’s going to work as well for the big corporations as it does for the single doctor clinics in the Outback.  Any technology that can’t be operated by a doctor who’s willing to live hundreds of miles from the closest IT guy isn’t going to work.  And while the US might be a little different, I’m not sure we should look at the tech our doctors might use any differently.

If you have an answer to this problem, it might be the wave of the future.


Apr 24 2012

Network Security Podcast, Episode 272 v2

Published by under General,Podcast,Risk

As a follow up to last week’s episode, Martin was joined last week by Josh Corman to talk to Wade Baker about the 2012 Verizon Data Breach Investigation Report.  Wade talks to us about how the information for the report was gathered, some of the strengths and weaknesses of the analysis and finally how the amazing puzzle that is the front cover was conceived.  The episode is a little longer than normal, but worth the time.

When this podcast was first released, iTunes mistakenly identified the PDF of the DBIR as the podcast.  Subsequent attempts to upload were similarly misidentified.  Here’s hoping that a remix of the podcast will be different enough that it doesn’t try keying on the DBIR again.

Network Security Podcast, Episode 272v2


Apr 18 2012

Something to think on from Source Boston

Published by under General,Government,Privacy,Risk

“The Internet will never again be as free as it is this morning” – Dan Geer at SOURCE Boston

Think on that for a while.  If it doesn’t scare you, it should.

Update:  Here’s the full text of Dan Geer’s talk at SOURCE Boston
