Starting Off Somewhere

I received a comment from Sonia on my post detailing Bruce Schneier’s tips for protecting yourself from the National Security Agency (NSA):

This kind of endeavor only works if everybody does it, otherwise it is useless. Also inviting laymen to “learn” reveals how much you underestimate the fact that being a programmer gives you all the mental models you need.

Those people who “learn” will only end up compromising their own security under the impression that they are doing something secure.

Although I addressed these concerns in a reply I wanted to write a post because I feel what I’m about to say is relevant to anybody interested in computer security.

In another comment Sonia mentioned she (I’m assuming Sonia is female based on name, this being the Internet I could be incorrect) is a Ph.D. That being the case, I can see where her views on this subject come from. Oftentimes those of us who have been involved in the computer field for some time fall victim to two issues. First, we develop a form of elitist attitude that causes us to think of ourselves as somehow superior to non-techie people. Second, we forget about the early days when we knew little about computers. I’ve fallen victim to these issues before and I believe Sonia has fallen victim to them in her comment.

She does make a very important point. When you first dive into computer security you’re going to make mistakes. This is a problem all people face when learning something new. Just because you know how to utilize OpenPGP to encrypt your e-mail doesn’t mean you fully grasp underlying concepts such as private key security, the inability to know whether or not a closed system is secure, the value of a proper security audit, or the potential issue of generating keypairs on a system that lacks a true cryptographically secure pseudorandom number generator. All of these things, and more, play a part in OpenPGP and computer security.

You know what? That’s OK. You don’t need to know everything right away. Everybody has to start from the beginning. I didn’t become a computer programmer or system administrator overnight. I wasn’t blessed with the innate knowledge required to operate and manage an OpenBSD system. At one point I had no idea what Postfix was, let alone how to run and maintain a Postfix server. The differences between C and C++ were unknown to me back in the day. All of this knowledge came with due time. I’ve invested years into learning what I now know about computers and will likely invest a lifetime into learning more. When I started to program I made countless amateur mistakes. That didn’t discourage me because I learned from those mistakes. I’m happy to report that I’m still learning from my mistakes today.

Learning how to use the tools necessary to keep yourself safe online isn’t going to happen overnight. You’re going to make mistakes. Those mistakes will compromise your security. But you will learn from those mistakes and you will become more secure because of it.

Computer security isn’t an all-or-nothing thing. Even if you don’t practice proper private key security or generate an easily determinable keypair because your system lacks a secure pseudorandom number generator you’re more secure by using OpenPGP or Off-the-Record Messaging than not. Every encrypted communication requires potential spies to throw time and resources at decrypting it just to find out what’s in it. Simply put, every encrypted communication helps defend everybody’s privacy. As the number of encrypted communications increases, potential spies must either prioritize the computing resources available to them or invest other resources into more computing resources.

Julian Assange is Tracking Spyware Contractors

Another weapon we have against the state’s surveillance apparatus is Julian Assange. Mr. Assange, through his Wikileaks project, has provided a platform whistle blowers can use to leak information and remain anonymous. Wikileaks has now announced another project called the Wikileaks Counterintelligence Unit, which will attempt to actively surveil surveillance contractors:

The inaugural release zeroes in on 19 different contractors as they travel visit countries like Bahrain, Kazakhstan, Spain, and Brazil. The location data displays only a time stamp and a country for each entry, but occasionally displays the message, “phone is currently not logged into the network,” indicating the data likely comes from some kind of cell-tracking service. The contractors in question work for Western companies like Gamma International, designer of the infamous FinFisher spyware tool — and as with previous Wikileaks releases marked as “Spy Files,” readers will also find marketing brochures for surveillance products to intercept and monitor web traffic.

I think this is a great idea and needs to be expanded. It would be great if we could eventually do to the surveillance apparatus what it has done to us. Imagine a world where anybody working to spy on us, whether they be private contractors or public National Security Agency (NSA) employees, was being spied on 24/7. Perhaps losing all sense of privacy would be enough to discourage people from working for these bastards.

Protect Yourself from the NSA

As I said, those of us who dwell on the Internet aren’t going to take the NSA and GCHQ’s attack lightly. We have more firepower than they realize and have unleashed one of our best weapons, Bruce Schneier. Mr. Schneier has been working with Mr. Greenwald for the last two weeks and has written a short list of things, based on the information provided by Mr. Snowden, you can do to keep yourself secure online:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you’re much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Mr. Schneier does rightly point out that many Internet users aren’t currently capable of doing all of these things. To those of you who don’t know how to use the above-mentioned tools, learn. Information on all of the tools Mr. Schneier mentioned is freely available online. If you’re still having trouble I’m more than happy to help. Shoot me an e-mail at blog [at] christopherburg [dot] com and I’ll give you as much assistance as I can. Together we can push back against the state’s surveillance apparatus and return the Internet to its original form, a network where those wanting to remain anonymous can do so.

How The NSA and GCHQ Defeat Privacy

Glenn Greenwald has done it again. With the help of Edward Snowden he has been busy leaking many of the National Security Agency’s (NSA) dirty little secrets. Yesterday he dropped another bomb as he laid out the methods used by the NSA and British Government Communications Headquarters (GCHQ) to destroy online privacy:

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

[…]

The files, from both the NSA and GCHQ, were obtained by the Guardian, and the details are being published today in partnership with the New York Times and ProPublica. They reveal:

• A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made “vast amounts” of data collected through internet cable taps newly “exploitable”.

• The NSA spends $250m a year on a program which, among other goals, works with technology companies to “covertly influence” their product designs.

• The secrecy of their capabilities against encryption is closely guarded, with analysts warned: “Do not ask about or speculate on sources or methods.”

• The NSA describes strong decryption programs as the “price of admission for the US to maintain unrestricted access to and use of cyberspace”.

• A GCHQ team has been working to develop ways into encrypted traffic on the “big four” service providers, named as Hotmail, Google, Yahoo and Facebook.

I think the most important thing to note is that, from the information leaked, it doesn’t appear as though the NSA or the GCHQ have actually broken common encryption algorithms. In cryptography terms an encryption algorithm is only broken if an attacker finds a method of decrypting data encrypted with that algorithm faster than can be done via brute force (guessing every possible decryption key). What the NSA and GCHQ are doing is buying off commercial entities to insert back doors into their security products. Keep this in mind as major media outlets wrongly (as far as we know) begin reporting about how the NSA is able to break all known encryption algorithms.

None of the information in this latest leak surprises me. It’s been apparent for a while that the state’s surveillance apparatus has been relying on a fascist marriage between private and public entities. The game is afoot and the NSA and GCHQ believe they can wage war on the Internet without suffering repercussions. Those of us who dwell on the Internet may not be as agreeable as they think.

The State Cannibalizes Its Servants

Bruce Schneier has a good blog post urging companies to fight the National Security Agency’s (NSA) rampant spying:

It turns out that the NSA’s domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we’ve learned, fight and lose. Others cooperate, either out of patriotism or because they believe it’s easier that way.

I have one message to the executives of those companies: fight.

Do you remember those old spy movies, when the higher ups in government decide that the mission is more important than the spy’s life? It’s going to be the same way with you. You might think that your friendly relationship with the government means that they’re going to protect you, but they won’t. The NSA doesn’t care about you or your customers, and will burn you the moment it’s convenient to do so.

This is a point I’ve brought up to many people many times: the government doesn’t love you. Many people cooperate with the state because they view themselves as patriots, believe cooperating will make their lives easier, or value monetary gain more than principles. In the short term this seems like an effective strategy but in the long term the state has a nasty habit of turning against those who serve it.

In the state’s eyes everybody is a pawn. Nowhere is this more noticeable than politics. If you’ve worked on campaigns then you know how disposable people are. One of my favorite examples, since I’m living in Minnesota, is a particularly sketchy politician by the name of Kurt Bills. Mr. Bills ran for office under the guise of understanding economics and he did his damnedest to court Ron Paul supporters. After receiving an endorsement from Ron Paul his job of courting became very easy indeed. What happened after Ron Paul supporters sunk tons of time and money into Kurt Bills’s campaign? They were tossed to the side of the road as he pursued social issues, endorsed Mitt Romney, and lambasted Ron Paul supporters for not voting for neo-conservatives. Political campaigns aren’t the only example of this. Law enforcement agents and members of the military are quickly disposed of when they are no longer politically convenient. If you get into bed with the state you will find yourself infected with 15 different sexually transmitted diseases after the breakup.

As Bruce Schneier points out, the companies currently cooperating with the state will soon find themselves out in the cold:

It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they’ll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they’re sloppy. They’ll put your company name on presentations delivered to thousands of people: government employees, contractors, probably even foreign nationals. If Snowden doesn’t have a copy, the next whistleblower will.

As Google, Yahoo, and Microsoft are finding out, once your cooperation with the NSA becomes public the NSA will do nothing to help you dig yourself out of the hole.

Lavabit Shutdown and Silent Circle Shutters Its E-Mail Service

Lavabit, the e-mail host that gained recent popularity by being the go-to host for Edward Snowden, has been forced to shut down. By the looks of it the order to shut down came from the glorious defender of freedom known as the United States government:

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

Since Mr. Levison wrote that he’s unable, for legal reasons, to discuss why he’s being forced to shut down, it’s likely that he either received a national security letter or the National Security Agency (NSA) demanded he create a backdoor in his service lest he be harassed with legal charges for causing harm to national security.

As a preemptive move to avoid suffering the same fate, Silent Circle, another organization that attempts to provide means of secure communications, has shuttered its e-mail service:

However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Yesterday, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

We’ve been debating this for weeks, and had changes planned starting next Monday. We’d considered phasing the service out, continuing service for existing customers, and a variety of other things up until today. It is always better to be safe than sorry, and with your safety we decided that in this case the worst decision is no decision.

Shutting down their e-mail service before receiving a national security letter or being coerced into installing a backdoor for the NSA is a smart move. At least Silent Circle is able to publicly discuss their reason for doing so, unlike Lavabit.

These shutdowns go to show how far this police state of a country has gone. An organization can’t even provide secure e-mail hosting without becoming a target of the state’s aggression. I can only hope Mr. Levison and the people at Silent Circle move their operations to a country that respects a man’s privacy, such as Iceland, so they can continue offering services their customers want.

Careful What You Plug Your Phone Into

I’ve often said that I would enjoy putting several phone charging stations in an airport or mall that would exploit whatever phone was plugged into them. As it turns out, I’m not the only one with such demented ideas:

This news couldn’t wait for the Black Hat conference happening now in Las Vegas. We reported in June that Georgia Tech researchers had created a charging station that could pwn any iOS device. The full presentation revealed precise details on how they managed it. I’m never plugging my iPhone charger into a USB port in a hotel desk again.

This is a potential vulnerability with any device that is capable of receiving data over its power input. Most smartphones, and many dumb phones for that matter, use a Universal Serial Bus (USB) port to transfer data and charge the battery. Manufacturers assume the USB port, being a port that requires physical access, is secure and doesn’t need much in the way of verification or validation (although this attitude is slowly changing), making the transfer of malicious software relatively easy. Just because a port requires physical access doesn’t mean one can do away with security measures. It’s trivial to convince most people to plug their phone into a random USB port (just claim that they’re plugging it into a phone charger).

Social engineering, the art of tricking somebody into doing something for you, is probably the most effective security bypassing mechanism. You may not have access to a machine you want to exploit but chances are you can convince somebody who does have access to grant you access. For example, gaining access to a phone is often as easy as asking the person with the phone if you can make a phone call. If you make an effective story that appeals to the owner’s emotions chances are high that they’ll hand you the device.

One of the most entertaining rooms at Defcon this year was the Social Engineering Village. Inside they had a phone booth where competitors would call various businesses and try to use social engineering to pump important information out of employees. The tactic worked frighteningly well. During one of the times I popped in the competitor had a man on the phone spilling his guts about the entire network setup for his company. Trickery works.

Exploiting Automobiles

It has been apparent since automobile manufacturers began inserting computers into automobiles that security hasn’t been a high priority. After decades of warnings the automobile manufacturers may finally be forced to deal with their lack of foresight:

Charlie Miller and Chris Valasek say they will publish detailed blueprints of techniques for attacking critical systems in the Toyota Prius and Ford Escape in a 100-page white paper, following several months of research they conducted with a grant from the U.S. government.

The two “white hats” – hackers who try to uncover software vulnerabilities before criminals can exploit them – will also release the software they built for hacking the cars at the Def Con hacking convention in Las Vegas this week.

They said they devised ways to force a Toyota Prius to brake suddenly at 80 miles an hour, jerk its steering wheel, or accelerate the engine. They also say they can disable the brakes of a Ford Escape traveling at very slow speeds, so that the car keeps moving no matter how hard the driver presses the pedal.

One of the golden rules of security is that exploits only become more elaborate with time. It sounds like the exploits that will be demonstrated at Defcon will require physical access to the automobile but, in all likelihood, the ability to remotely execute these exploits will show up shortly after the paper is published. All modern automobiles have tire pressure sensors (all of which, as far as I know, are wireless) and many now have Bluetooth, both of which could be potential avenues for remote attacks. It will be interesting to see the ramifications of this research in a few years.

The Feds Want Everything

The federal government sure is a grabby little bastard. First it taps all of our phones and Internet connections and now it’s demanding passwords and Secure Sockets Layer (SSL) certificates. Let’s start with their demands that online service providers hand over their customers’ passwords:

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

“I’ve certainly seen them ask for passwords,” said one Internet industry source who spoke on condition of anonymity. “We push back.”

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies “really heavily scrutinize” these requests, the person said. “There’s a lot of ‘over my dead body.'”

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

The difficulty of handing over user passwords is that any system administrator worth his salt (pun intended, deal with it) only stores a hash of the password. For those of you who don’t know, a hash is the result of a one-way algorithm. You put some text in and the hashing algorithm gives you some output. Ideally, the input cannot be recovered from the output and the algorithm gives a different output for each unique input. Salts are often added to the hashing algorithm to trip up word list attacks, as the added information to the input creates a different output than sending the clear text password alone.

Assuming the system administrator or software developer properly implemented this system (which is difficult to do), receiving the password hashes would do the federal government very little good. They may be able to reverse individual passwords given enough time and computing power but it’s almost certainly outside their capabilities to reverse every user’s password. I would be less concerned about the federal government receiving and reversing my password than I would be of it performing rubber-hose cryptanalysis on it.
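The difference a salt makes to the stored value can be shown in a few lines. This is an added example, not code from any provider mentioned above; the word list, the sample password and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune for real hardware

# Constructed sample data: a tiny word list; two users below pick the same password.
WORD_LIST = ["123456", "password", "letmein", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Plain one-way hash with no salt: identical passwords give identical output."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_record(password: str) -> dict:
    """What the server stores: a random per-user salt and a slow salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    # A table computed once from the word list matches every unsalted hash of
    # a listed password, no matter which user the hash belongs to.
    table = {unsalted_hash(word): word for word in WORD_LIST}
    alice_unsalted = unsalted_hash("letmein")
    bob_unsalted = unsalted_hash("letmein")

    # With per-user salts the same password yields unrelated stored values, so
    # the table is useless and each record has to be worked on separately,
    # at ITERATIONS hash computations per guess.
    alice = new_record("letmein")
    bob = new_record("letmein")

    return {
        "unsalted_equal": alice_unsalted == bob_unsalted,
        "unsalted_in_table": table.get(alice_unsalted),
        "salted_equal": alice["hash"] == bob["hash"],
        "salted_in_table": table.get(alice["hash"].hex()),
        "correct_password_verifies": verify("letmein", alice),
        "wrong_password_verifies": verify("password", alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```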

The other thing the federal government has apparently been demanding from online service providers is their SSL private keys:

The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping.

These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.

If the government obtains a company’s master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption — which often appears in a browser with a HTTPS lock icon when enabled — uses a technique called SSL, or Secure Sockets Layer.

“The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

Having a service provider’s SSL private keys would allow a malicious individual to intercept and decrypt any SSL-secured traffic going to or coming from a service provider’s network. This concern can be put to rest if service providers began implementing forward secrecy (which I enabled on this site beginning last month). Forward secrecy negotiates temporary session keys for SSL connections. The temporary keys are used to encrypt and decrypt data going between a service provider and a customer. After the session concludes the keys, at least ideally, are to be disposed of. Implementing forward secrecy means that an attacker is unable to decrypt SSL-secured traffic even if they are in possession of the correct private key. Unfortunately, as a recent study by Netcraft noted, very few service providers currently implement forward secrecy (leading one to wonder why a guy operating a free blog is able to implement security technologies before multi-billion dollar corporations). It would be wise, especially in light of recent developments, to put pressure on service providers to implement forward secrecy.
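The effect described above can be modelled with toy numbers. This is an added example, not this site's configuration or any real SSL implementation: the RSA primes, the Diffie-Hellman group and the sealing routine are constructed and far too small for real use. It compares a recorded session whose secret was encrypted to the server's long-term key with one that used temporary Diffie-Hellman keys.

```python
import hashlib
import hmac
import secrets

# Toy parameters constructed for this example only.
P, Q = 2**61 - 1, 2**89 - 1            # long-term RSA primes (Mersenne primes)
N, E = P * Q, 65537                    # server's public key
D = pow(E, -1, (P - 1) * (Q - 1))      # server's long-term private exponent
DH_P, DH_G = 2**127 - 1, 3             # toy Diffie-Hellman group


def session_key(secret: int) -> bytes:
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def seal(key: bytes, plaintext: bytes):
    """Toy authenticated encryption (messages up to 32 bytes)."""
    if len(plaintext) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    stream = hashlib.sha256(key + b"stream").digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()


def open_sealed(key: bytes, ct: bytes, tag: bytes):
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                    # wrong key
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def rsa_key_transport(message: bytes) -> dict:
    """No forward secrecy: the session secret travels encrypted to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    ct, tag = seal(session_key(premaster), message)
    return {"handshake": {"encrypted_premaster": pow(premaster, E, N)},
            "ciphertext": ct, "tag": tag}


def ephemeral_dh(message: bytes) -> dict:
    """Forward secrecy: temporary keys make the secret; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 3) + 2            # server's temporary secret
    b = secrets.randbelow(DH_P - 3) + 2            # client's temporary secret
    share_a, share_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = hashlib.sha256(str(share_a).encode()).digest()[:16]
    signature = pow(int.from_bytes(digest, "big"), D, N)
    shared = pow(share_b, a, DH_P)                 # equals pow(share_a, b, DH_P)
    ct, tag = seal(session_key(shared), message)
    # a, b and shared are discarded when this function returns.
    return {"handshake": {"server_share": share_a, "client_share": share_b,
                          "signature": signature},
            "ciphertext": ct, "tag": tag}


def read_recording_with_server_key(recording: dict, d: int):
    """Apply the long-term private key to every recorded handshake value."""
    for value in recording["handshake"].values():
        candidate = session_key(pow(value, d, N))
        plaintext = open_sealed(candidate, recording["ciphertext"], recording["tag"])
        if plaintext is not None:
            return plaintext
    return None


if __name__ == "__main__":
    msg = b"constructed sample message"
    print(read_recording_with_server_key(rsa_key_transport(msg), D))
    print(read_recording_with_server_key(ephemeral_dh(msg), D))
```

With the private exponent in hand the first recording opens and the second does not, because nothing in the second handshake was ever encrypted to the long-term key.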

While it’s annoying that the federal government has become a surveillance state, there are technologies that allow us to mitigate many of their demands. We live in a world where the spying powers of the state are incredible but the power to avoid surveillance is also very powerful. The state is a collection of a handful of individuals fighting the rest of the world. With such high odds against it, the state will be unable to win in the long run.

On Zimmerman and Society as a Whole

The polarization that has developed in the wake of Zimmerman’s encounter with Martin is even more fervent than it was when MSNBC and CNN doctored the 911 recording to create a narrative of racism. One side sees Zimmerman as a child murdering racist who went out of his way to kill a black child. The other side sees Zimmerman as a pillar that upholds civilization by patrolling his community and defending it against all manner of shady characters. One side views Martin as an innocent child who never harmed a fly, always did his homework, and showed constant respect to his elders. The other side views Martin as a thug who stalked the streets at night looking for victims to rob and homes to burgle. Needless to say, both sides have ignored the flaws of their chosen hero and the virtues of their chosen demon.

I firmly believe Zimmerman’s heart is in the right place. His history of helping people in need, specifically a homeless man who was beaten and left unassisted by police, and his recent act of helping individuals involved in a car accident shows that he has a desire to help people.

I also believe that Martin wasn’t planning to do wrong that night. There have been several uncited accusations made that Martin was planning to make Purple Drank with the iced tea and Skittles he had purchased. In my book making and using a drug isn’t a crime and is therefore irrelevant to the case at hand. Many people have also claimed that Martin was casing houses to burgle, which is just as speculative as the accusations of his intent to make Purple Drank.

In other words that night involved a well-meaning man encountering a man making his way home. The well-meaning man, seeing an unidentified individual cutting through yards in a downpour, believed he was witnessing something suspicious. As the captain of his neighborhood watch he did what he was told to do, he reported the incident to the police. As a person interested in the welfare of his fellow community members he decided to exit his vehicle and investigate the individual that he found suspicious. The man making his way home, seeing an unidentified individual pursuing him, first in a vehicle and then on foot, became fearful. He may have attempted to flee, which would have caused the well-meaning man to become more suspicious and therefore convince him to pursue his investigation more vigorously. The other man, seeing the unidentified individual continuing his pursuit, may have become irrational as fear began to set in. Events from there could easily escalate to the point of physical confrontation.

Don’t get me wrong, I’m not trying to place blame on either Zimmerman or Martin, nor am I trying to excuse either of them. My point is that the situation likely looked different to both individuals and that difference in viewpoint likely led to their physical confrontation.

Many people in the Martin camp have asked what would have happened had Zimmerman been unarmed or what would have happened if Zimmerman stayed in his vehicle. That night’s outcome may not have been any different. Zimmerman, doing his expected duty as a member of the neighborhood watch, called 911. As the people in the Martin camp continuously point out, the police disproportionately target black individuals, not just for arrest but also for brutality. What if Zimmerman hadn’t pursued Martin? What if the police were allowed to investigate the entire situation? Can anybody in the Martin camp honestly say that the possibility of the police encountering and killing him was nonexistent? Can they say that the police wouldn’t have gone to his home, kicked in his door, shot any pets or family members in the dwelling, and kidnapped or murdered him? The night may not have played out any differently for Martin had Zimmerman stayed in his vehicle because he already involved the police and involving the police has a tendency of making a bad situation worse.

The crux of this article is that violence is the default tool used in our society to deal with suspicion and wrongdoing. Whenever we see somebody suspicious we’re told to call the police. Police officers, at least here in the United States, are like carpenters that only have hammers; they see every problem as a nail. They are given the privilege of enacting violence on others so long as they can justify their act in some way. Killing a dog for no apparent reason can easily be justified by two words that have become a carte blanche for police officers: officer safety. Transgressions are responded to by police officers through fear, intimidation, kidnapping, and physical force. Violence isn’t the last resort for most police officers, it’s the first resort. Involving the police will almost certainly bring violence into an equation.

In fact, it’s very difficult in our society to lawfully keep an eye on your community without bringing some manner of violence into the equation. The state has declared a monopoly on law enforcement. What private law enforcement options exist either do so with the state’s blessing or are declared illegal operations by the state. If my neighbors and I form a community watch and decide to investigate issues without involving the police we would be seen as reckless vigilantes and would open ourselves up to a great deal of liability.

Much of our childhood is spent being programmed to see violence as the default solution to every problem. How many people reading this article remember the numerous times they were told that the police were their friends and that you could trust the police? That was complete bullshit. The job of a police officer is to use anything you tell them against you:

But we’re programmed from a young age to see the police as the solution to everything we find even remotely suspicious. In essence, we’re programmed to see violence by proxy as the only viable solution.

Zimmerman, who is a product of this society as much as anybody else in it, is a well-meaning individual. Just like the rest of us, he was programmed at a young age to see violence as the default solution to suspicious events. When he saw Martin he first called the state’s great violence proxy. Martin, seeing that somebody was pursuing him, decided to forgo the proxy and used violence himself.

Perhaps the lesson to be learned from this event is that our children shouldn’t be programmed to see violence as the default solution for everything. Alternatives to the violence of police forces have been used in many societies throughout history. Medieval Iceland, for example, put a great deal of emphasis on arbitration. Until statism began rearing its ugly head on the island, violence was mostly ritualized and Iceland never knew the sheer violence of all-out warfare that its European neighbors knew. Medieval Ireland, likewise, used arbitration as the default solution for problems [PDF]. Again, violence was rare as alternatives such as social ostracization and outlawry were used to successfully deal with most severe cases.

Another lesson that could be taken away from this event is that monopolizing violence greatly reduces its cost. Were the state’s monopoly on violence abolished, individuals would be made more responsible for their security. More people would likely be armed and that would increase the risk to anybody wanting to commit a violent act. Would-be burglars would probably consider less risky ventures than breaking into a home if the risk of encountering an armed dweller was above 50%. Neighborhoods such as the one Zimmerman lives in may not have suffered the string of burglaries that led to the community’s decision to form a neighborhood watch if the cost of violence was high enough to dissuade those burglars. In essence, increasing the cost of violence could actually reduce the amount of violence in a society because, as Robert Heinlein wrote in Beyond This Horizon, “An armed society is a polite society. Manners are good when one may have to back up his acts with his life.”

We can bicker over issues of racism and community vigilance, and I believe that is what the state wants us to do, or we could ask ourselves if there were societal reasons that caused that event to take place and if there are changes that could prevent such events from happening in the future. I believe there are and I believe those changes involve decentralizing power, which involves abolishing the state.