[discuss] we need to fix what may be broken

Nii Narku Quaynor quaynor at ghana.com
Tue Apr 15 22:30:35 UTC 2014


Sorry. Many stories and many things mixed up
Nii

> On Apr 15, 2014, at 21:47, "Carlos A. Afonso" <ca at cafonso.ca> wrote:
> 
> Dear people,
> 
> I recall our discussions with folks in the so-called "technical
> community" between IGFs 2006 and 2007, in which the mantra "do not fix
> what is not broken" was used to convince us all that management of the
> logical infrastructure of the net should not be even considered as an
> Internet governance topic in the IGF dialogues (and this with the IGF
> prohibited from making recommendations). Thanks to pressure from sectors
> of civil society and the government of Brazil (host to the 2007 IGF), we
> finally managed to insert the theme in the IGF agenda, but it had to go
> under the disguise of "critical Internet resources".
> 
> A bit more than six years have passed, and what do we see? Relevant and
> frightening examples of the frailty of the current "governance" or
> coordination model of the network -- mostly in the expert hands
> basically of the I* group of entities and forums, which goes beyond just
> names, numbers and protocols, and badly in need of fixing (and I assume
> that the fix in general will involve more than just technical
> coordination measures):
> 
> - The net was revealed as incredibly vulnerable by the revelations on
> NSA surveillance, and we discovered that the NIST was in cahoots with
> the NSA in "backdooring" the cryptographic systems.
> 
> - The IPv6 transition was literally abandoned by ICANN. This on the one
> hand is good, since I am one of the people who defend the
> decentralization of IANA functions, and the RIRs structure works
> technically quite well. But they cannot carry alone the burden of the
> political/economic aspects of this transition. A more assertive ICANN
> (and other stances, such as the ITU pressuring their clients, the big
> telcos, and equipment manufacturers taking the transition really
> seriously) would have helped avoid this situation of crisis in the
> addressing system (just read the situation papers and strong alerts by
> Geoff Huston), which by the way increases vulnerability of the net with
> improvised concoctions such as CGNAT and so on.
> 
> - The OpenSSL memory leak bug was sitting in our servers for years, to
> the joy of NSA and similar peeking folks, and this is an open source
> system maintained by the "technical community" -- supposedly, open
> source code is there to be verified, double-checked etc, particularly
> such a key security element of the net; there is nothing more disruptive
> of the net security that we know of since the net became so pervasive
> worldwide; I operate a very small non-profit Web service and am
> horrified by the implications of this failure to verify the code.
> Literally no one could know how far their servers' data have been
> compromised after Heartbleed was sitting there for so many years -- and
> who knows how many servers are still in need of patching.
> 
> - Now Yahoo decides unilaterally to implement an email verification
> feature (DMARC) which is still in beta, affects all its users, and even
> the implementation they did is not clear, as Miles Fidelman verified,
> and I quote: "They knowingly did massive damage, published some
> suggestions on how to mitigate that damage - using a capability defined
> in the spec. that they deployed - then say "we don't support that"."
> 
> - And there are signs that Gmail may be taking unilateral measures as
> well (not clear yet what is being done), as suspected recently by Lauren
> Weinstein.
> 
> In the last two cases, there is a caveat -- they are free, opt-in
> services, no one is required to use them to be on the net. But hundreds
> of millions of users rely on their services, and these users are
> basically "voluntary shareholders" of them, as the profiling of their
> presence adds revenue to the respective companies -- but they are a
> special kind of shareholders whose share just earns them unlimited mail
> and social net services' use in exchange for their profiling. Someone
> described these users as "products", which also makes some sense. And
> the central fact is that these unilateral measures (using features which
> the "technical community" describes as still beta) impact on hundreds of
> thousands of email and listserv services worldwide, even on their own
> users (!), and their response seems to be "this is what we are doing,
> sorry".
> 
> The OpenSSL failure is so incredibly disruptive that some entities who
> have Web sites in our servers are happy they never used SSL -- their
> argument is: "if I had SSL, it would attract peekers thinking that,
> well, this site uses SSL so there may be something worth mining there...
> and it is easy to mine!"
> 
> Frankly, there are things scarily broken in this "governance" or
> coordination system (and let us recall that coordination does not
> necessarily mean centralization), and I hope NETmundial will provide an
> opportunity to dialogue on what to do. It is the billions of Internet
> users who are expecting us to do something better.
> 
> fraternal regards
> 
> --c.a.
> Carlos A. Afonso
> [writing in my personal capacity only]
> 
> 