[discuss] we need to fix what may be broken

Lee Howard Lee at asgard.org
Wed Apr 16 13:26:27 UTC 2014

In recent times, we have witnessed a significant failure in governance:

- The NSA captured metadata on millions of phone calls, without warrants.
- The IPv6 transition has accelerated in many countries despite government
- Credit cards continue to be insecure; the U.S. doesn't even require
- Facebook has updated its interface and everyone hates it.
- Google bought a drone company.

Governments have governance problems; some of those problems spill into
the Internet.
The world is not a safe place; some people try to make it safer, some try
to exploit the insecurity.
Sometimes, citizens or companies do stupid things (defined as, "Decisions
with which I disagree.").

How would improved "coordination" (not centralization, apparently) improve
any of the issues you or I have identified?

The Internet works because it is decentralized, innovation occurs at the
edges, without coordination ("permission") and requires only


On 4/15/14 5:47 PM, "Carlos A. Afonso" <ca at cafonso.ca> wrote:

>Dear people,
>I recall our discussions with folks in the so-called "technical
>community" between IGFs 2006 and 2007, in which the mantra "do not fix
>what is not broken" was used to convince us all that management of the
>logical infrastructure of the net should not be even considered as an
>Internet governance topic in the IGF dialogues (and this with the IGF
>prohibited from making recommendations). Thanks to pressure from sectors
>of civil society and the government of Brazil (host to the 2007 IGF), we
>finally managed to insert the theme in the IGF agenda, but it had to go
>under the disguise of "critical Internet resources".
>A bit more than six years passed, and what do we see? Relevant and
>frightening examples of the frailty of the current "governance" or
>coordination model of the network -- mostly in the expert hands
>basically of the I* group of entities and forums, which goes beyond just
>names, numbers and protocols, and badly in need of fixing (and I assume
>that the fix in general will involve more than just technical
>coordination measures):
>- The net was revealed as incredibly vulnerable by the revelations on
>NSA surveillance, and we discovered that the NIST was in cahoots with
>the NSA in "backdooring" the cryptographic systems.
>- The IPv6 transition was literally abandoned by Icann. This on the one
>hand is good, since I am one of the people who defend the
>decentralization of Iana functions, and the RIRs structure works
>technically quite well. But they cannot carry alone the burden of the
>political/economic aspects of this transition. A more assertive Icann
>(and other stances, such as the ITU pressuring their clients, the big
>telcos, and equipment manufacturers taking the transition really
>seriously) would have helped avoid this situation of crisis in the
>addressing system (just read the situation papers and strong alerts by
>Geoff Huston), which by the way increases vulnerability of the net with
>improvised concoctions such as CGNAT and so on.
>- The OpenSSL memory leak bug was sitting in our servers for years, to
>the joy of NSA and similar peeking folks, and this is an open source
>system maintained by the "technical community" -- supposedly, open
>source code is there to be verified, double-checked etc, particularly
>such a key security element of the net; there is nothing more disruptive
>of the net security that we know of since the net became so pervasive
>worldwide; I operate a very small non-profit Web service and am
>horrified by the implications of this failure to verify the code.
>Literally no one could know how far their servers' data have been
>compromised after Heartbleed was sitting there for so many years -- and
>who knows how many servers are still in need of patching.
>- Now Yahoo decides unilaterally to implement an email verification
>feature (DMARC) which is still in beta, affects all its users, and even
>the implementation they did is not clear, as Miles Fidelman verified,
>and I quote: "They knowingly did massive damage, published some
>suggestions on how to mitigate that damage - using a capability defined
>in the spec. that they deployed - then say "we don't support that"."
>- And there are signs that Gmail may be taking unilateral measures as
>well (not clear yet what is being done), as suspected recently by Lauren
>In the last two cases, there is a caveat -- they are free, opt-in
>services, no one is required to use them to be on the net. But hundreds
>of millions of users rely on their services, and these users are
>basically "voluntary shareholders" of them, as the profiling of their
>presence adds revenue to the respective companies -- but they are a
>special kind of shareholders whose share just earns them unlimited mail
>and social net services' use in exchange for their profiling. Someone
>described these users as "products", which also makes some sense. And
>the central fact is that these unilateral measures (using features which
>the "technical community" describes as still beta) impact on hundreds of
>thousands of email and listserv services worldwide, even on their own
>users (!), and their response seems to be "this is what we are doing,
>The OpenSSL failure is so incredibly disruptive that some entities who
>have Web sites in our servers are happy they never used SSL -- their
>argument is: "if I had SSL, it would attract peekers thinking that,
>well, this site uses SSL so there may be something worth mining there...
>and it is easy to mine!"
>Frankly, there are things scarily broken in this "governance" or
>coordination system (and let us recall that coordination does not
>necessarily mean centralization), and I hope NETmundial will provide an
>opportunity to dialogue on what to do. It is the billions of Internet
>users who are expecting us to do something better.
>fraternal regards
>Carlos A. Afonso
>[writing in my personal capacity only]
>discuss mailing list
>discuss at 1net.org
