[discuss] we need to fix what may be broken

S Moonesamy sm+1net at elandsys.com
Tue Apr 15 23:29:00 UTC 2014


Hi Carlos,
At 14:47 15-04-2014, Carlos A. Afonso wrote:
>A bit more than six years passed, and what do we see? Relevant and
>frightening examples of the frailty of the current "governance" or
>coordination model of the network -- mostly in the expert hands
>basically of the I* group of entities and forums, which goes beyond just
>names, numbers and protocols, and badly in need of fixing (and I assume
>that the fix in general will involve more than just technical
>coordination measures):
>
>- The net was revealed as incredibly vulnerable by the revelations on
>NSA surveillance, and we discovered that the NIST was in cahoots with
>the NSA in "backdooring" the cryptographic systems.

Noted.

>- The IPv6 transition was literally abandoned by Icann. This on the one
>hand is good, since I am one of the people who defend the
>decentralization of Iana functions, and the RIRs structure works
>technically quite well. But they cannot carry alone the burden of the
>political/economic aspects of this transition. A more assertive Icann
>(and other stances, such as the ITU pressuring their clients, the big
>telcos, and equipment manufacturers taking the transition really
>seriously) would have helped avoid this situation of crisis in the
>addressing system (just read the situation papers and strong alerts by
>Geoff Huston), which by the way increases vulnerability of the net with
>improvised concoctions such as CGNAT and so on.

I don't see what ICANN can do about the IPv6 transition.

>- The OpenSSL memory leak bug was sitting in our servers for years, to
>the joy of NSA and similar peeking folks, and this is an open source
>system maintained by the "technical community" -- supposedly, open
>source code is there to be verified, double-checked etc, particularly
>such a key security element of the net; there is nothing more disruptive
>of the net security that we know of since the net became so pervasive
>worldwide; I operate a very small non-profit Web service and am
>horrified by the implications of this failure to verify the code.
>Literally no one could know how far their servers' data have been
>compromised after Heartbleed was sitting there for so many years -- and
>who knows how many servers are still in need of patching.

The open source software is not maintained by the so-called technical
community.  It is maintained by a few people who give away the code
for free.  It is possible to determine how many servers are still in
need of a patch.  There is a government which used that
software.  Did that government pay someone to review the code which
it got for free?

>- Now Yahoo decides unilaterally to implement an email verification
>feature (DMARC) which is still in beta, affects all its users, and even
>the implementation they did is not clear, as Miles Fidelman verified,
>and I quote: "They knowingly did massive damage, published some
>suggestions on how to mitigate that damage - using a capability defined
>in the spec. that they deployed - then say "we don't support that"."

The (technical) feature is being discussed on the appropriate mailing list.

>- And there are signs that Gmail may be taking unilateral measures as
>well (not clear yet what is being done), as suspected recently by Lauren
>Weinstein.
>
>In the last two cases, there is a caveat -- they are free, opt-in
>services, no one is required to use them to be on the net. But hundreds
>of millions of users rely on their services, and these users are
>basically "voluntary shareholders" of them, as the profiling of their
>presence adds revenue to the respective companies -- but they are a
>special kind of shareholders whose share just earns them unlimited mail
>and social net services' use in exchange for their profiling. Someone
>described these users as "products", which also makes some sense. And
>the central fact is that these unilateral measures (using features which
>the "technical community" describes as still beta) impact on hundreds of
>thousands of email and listserv services worldwide, even on their own
>users (!), and their response seems to be "this is what we are doing,
>sorry".

What has any organization done about the above?

>The OpenSSL failure is so incredibly disruptive that some entities who
>have Web sites in our servers are happy they never used SSL -- their
>argument is: "if I had SSL, it would attract peekers thinking that,
>well, this site uses SSL so there may be something worth mining there...
>and it is easy to mine!"

I suggest that stakeholders start donating money to open source
projects on which they rely.

Regards,
S. Moonesamy
