Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Should we trust the libertarians?

Should we trust the libertarians?

  • Comments 10

One of the RSS feeds that I read is Reason magazine, which is a web site for libertarians.  In general, libertarians want less government intervention both in our personal lives and in the economy.  The idea behind libertarians is that today’s Republicans want less government intervention in our economy but are perfectly fine to have them dictate some aspects of morality.  Similarly, today’s Democrats want less government intervention in our personal lives but are perfectly fine with creating government bureaucracy to deliver social services.  That’s an oversimplified summary, but is more or less correct.

About two months ago I got an article in my RSS feed where Reason was commenting on the government’s response to the cyber war threats.  The summary of the article is that the government is using the threat of cyber attacks to increase its power to control, regulate and/or spy on the Internet… and the threat is overblown.  I’m going to reproduce the article here and add some comments.


Sensible "Cyber War" Preparation, Or Just More Government Snooping?

Ryan Singel at Wired has a great, detailed article warning us of the growing dangers of the military-security complex and its hyping of "cyber war" to give government more control over monitoring the Internet, and private companies more money helping sell the government the means to do it. Read the whole thing, and here are some choice excerpts:

The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.

McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He’s the nice-seeming guy who’s willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.

And now McConnell is back in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton. He’s out in front of Congress and the media, peddling the same Cybaremaggedon! gloom.

And now he says we need to re-engineer the internet.

We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds. More specifically, we need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.

Re-read that sentence. He’s talking about changing the internet to make everything anyone does on the net traceable and geo-located so the National Security Agency can pinpoint users and their computers for retaliation if the U.S. government doesn’t like what’s written in an e-mail, what search terms were used, what movies were downloaded....

The NSA dreams of “living in the network,” and that’s what McConnell is calling for in his editorial/advertisement for his company. The NSA lost any credibility it had when it secretly violated American law and its most central tenet: “We don’t spy on Americans.”

Unfortunately, the private sector is ignoring that tenet and is helping the NSA and contractors like Booz Allen Hamilton worm their way into the innards of the net. Security companies make no fuss, since a scared populace and fear-induced federal spending means big bucks in bloated contracts.


So do the libertarians have a point?  Is the government proposing this in order to expand its influence and shut down dissenters?  Or is Singel unaware of the nature of the threat?

The problem that we have today in cyber security is exactly what McConnell is talking about.  Attackers can hide behind anonymity in order to launch DOS attacks, host phishing, send spam, create malware, and so forth.  This inherent in the design of the Internet.  For example, SMTP is the protocol we use to send email.  In its basic form, SMTP does not require authentication and anybody can send as anybody else.  For sure, we have built identity technologies like SPF, DKIM and SenderID.  However, email receivers still have to support unauthenticated email.  And because the cost of email is borne by the receiver and not the sender, there is plenty of incentive for spammers to spam.  They can hide behind that anonymity, or fake identity.  We can attempt to back trace some spammers but it doesn’t always work.  Tracking down a spammer is a non-trivial task and it’s made easier because there is no inherent identity or authenticity. 

If we were to start all over again, the designers of the Internet would not design it so that anyone could do anything.  The reason that the Internet is open and anonymous (to some degree) is because when it was created, it was only intended to be used by a very small user base.  It wasn’t anticipated that it would be launched for widespread use, and it wasn’t foreseen that the types of abuses that we see today would occur.  Geeks all trust each other and they don’t always understand that if you give something away for free, spammers will abuse it.  If the geeks who built the original Internet would have taken into account all of the ways that the Internet could be abused, they wouldn’t have been so loosey-goosey with it. 

Unfortunately, we are now stuck with all of this existing infrastructure.  Microsoft has revamped its image since launching its Trustworthy Computing Initiative in 2002.  Going forward, newer versions of Microsoft software is more secure than the older one.  Unfortunately, there is still plenty of old software out there with security vulnerabilities that Microsoft has to support.  This software accounts for the majority of exploits.  Over time, it’s being replaced with more secure versions but it takes time.

And so it is for the Internet, but worse.  When it went public (or privatized, depending upon how you look at it) in 1995, people built applications.  And applications upon those applications.  Protocols were developed.  And online communication was established.  And they built dependencies upon these open protocols that were so easy to exploit.  And so, we now have a big problem – reinventing the Internet means having to redo a lot of work that’s already been built.  Who wants to redo everything when the current version is already working?

That the Internet is anonymous is not by intentional design, but a byproduct of something that wasn’t originally designed to become as widely used as it is today.  There was no Secure Development Lifecyle back then.  The Internet then became popular and its “anonymity” became trumpeted as one of its strengths as if this was the intention all along.  That’s doubtful that it’s true, but culturally, because freedom of speech is a Western value, that anonymity translated into a core requirement for the ‘net. 

It would kind of like if I had a home and one side of it was sinking into the ground so I put a few cinder blocks under the corner to prop it up.  It’s there for a utility to serve its purpose and nobody other than me cares about it.  But one day, my neighbor decides to build a duplex and uses those same cinderblocks as part of the foundation.  This isn’t the optimal purpose but hey, it works.  And besides which, we can fix it later.  But then a developer builds another duplex, and then an apartment complex.  Pretty soon, it becomes very difficult to replace those cinder blocks.  My house has a dependency on those cinder blocks and so does everyone else.  But by no means is my short term fix intended to be the optimal way of holding up a house.  Cheapskate me should have replaced the foundation when I had the chance.  Cinder blocks are not a good way to hold up a house.

It’s not a perfect analogy, but the way I see it, the Internet’s inherent insecurity is not the optimal way to go about designing a network.

More in another post.

Leave a Comment
  • Please add 2 and 5 and type the answer here:
  • Post
  • I like the way you wrote this content.

  • "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety"

    Benjamin Franklin

  • Excellent! Should be in the dictionary next to: Stateless

  • Thanks, Shammy.

  • Terry,

    Your summary about Republicans and Democrats at the start of this post is the essential long-standing view.

    HOWEVER: In recent years, I see shifts further to the Left on economic issues by both Republicans and Democrats. Republicans today are about where Democrats were 50 years ago. Democrats today are about where the Communist Party of America was 50 years ago.

    Seriously. Today's Republican party is just about the same as the 1960 Democrat Party platform. And the Democrats are just about where the Communist Party of America was back then as well.

    Also, I don't see Republicans being too overly concerned with dictating morality anymore. For example, the Republicans/Conservatives I know are not homophobic or bigets and could care less what consenting adults do in the privacy of their homes. They don't care if drug use or sodomy is happening behind closed doors of their neighbor's houses... the are not the least bit "racists" as the Left propaganda would have many believe... but they just don't want "heather has two mommies" as required reading at the local elementary school! And they don't want someone stung out on pot out on the roads driving. Otherwise, they just assume "live and let live".

    Democrats... on the other hand, seem to have no problem with a full-blown "nanny state".. which, based on recently passed bills in congress, is exponentially increasing in "reach" into our private lives and directly impacting private decisions.

    But, even before the past couple of years, I can think of little-to-none tangible ways in which morality-legislation prevented people from doing things they wanted to do... but I can think of MANY actual situations where MANY U.S. citizens' economic situation was severely and negatively impacted by over-taxation and over-regulation.

  • Thanks, Rob.

  • Rob,

    Apparently you've never been to a republican convention.  As a member of the libertarian wing of the Republican Party I can tell you that that is *not* the prevailing view of those in power.  They very much cheer on the drug war, and everything that goes with it, along with a whole host of other issues that hurt no-one - or at worst hurt the person doing them only.

    Also, I can give you a long list of ways that morality legislation have prevented such.  I can tell you about swat raids on homes running private poker games for example.  Not to mention the daily swat raids on non-violent drug users.

    Terry,

    It's an interesting and plausible theory.  I think if it were to be done again, we would definitely have better foundations, which would include ways to authenticate information.  However, I think I would have to reject the theory that we would've had the same results.  A number of the major innovations (like file-sharing) would never have driven the advancements they did if there had been no measure of anonymity.  And lets not forget the impact that those benefits have had in other tyrannical countries who are severely oppressed by their government.  They would never have *survived* what has transpired.

    Unfortunately, even if we had developed it to be capable of supporting anonymous communication and access very little of that would be actually supported by most of the infrastructure today.  Look at email itself, and how quickly we were willing to cede that ground to the spammers.  Why bother continuing to allow anonymous access?

    If we want to fix this, I think we can do a far better job from a market perspective than we can through some top-down ordering by the state.  Among other things, digital identification from source to destination over an open protocol is far more useful.  Particularly if it's authentication from the user and not the system, as that identifies the individual, and could potentially be done in such a fashion as to make the connection secure and trustworthy - while still not revealing any information to the ... ahem ... casual observer.  :-)

  • Thanks, mbainter.

  • The government is incompetent at everything else and spends hordes of our cash on useless endeavors and wars that we don't want or need that make us less secure not more.

    So given these facts, why exactly would you think that the government would better protect us on the internet?

    Besides, just like a command economy that has a single point of failure (think giving away houses to people that can't afford them is a perfect example of the disaster that the government driving the housing market created). If you build it, the hackers will try and get into it. Now instead of millions if not billions of points of failure, you now have 1. I wonder which is going to have a worse outcome when (not if) it's hacked?

    More likely, they will get hacked, the whole system will go down, then like the psychopaths that they are, they'll suggest that the only problem is that they didn't have more control and more money! Then we'll do it all again, and they'll keep blaming the damn capitalists that don't want to give up complete control of everything they create the the government for the problem, and thus it will go around and around until the internet is worthless just like everything else the government touches.

    In the mean time, the government will control our speech in the name of protecting us and put people in jail for saying things against the politicians that are incompetent, just like they're trying to do in Australia.

    No thanks! The government is bankrupt, morally and fiscally. The faster they realize that and go out of business the better it will be for all of us.

    The only system that is compatible with freedom is capitalism. Any amount of statism/fascism/communism is a step towards evil and slavery. Oh and it doesn't work.

  • I have no doubt that some things would be done differently today if we were to start over from scratch, but that only tells part of the picture.

    If you look at the philosophical underpinnings of the internet, we find all sorts of sentiments that make it clear that the choices made were not at all made in some sort of blind ignorance of what may later come to pass - in fact I'd call many of those decisions brilliant and visionary.

    Looking through the RFCs, you run across many examples of that philosophical vision: "information wants to be free", "be strict in what you send, liberal in what you receive", "Everything should be made as simple as possible, but no simpler", and so on. In many ways, what started out as ARPAnet and grew into the largest network in the world was a conscious backlash to the interminable bureacratic complexity and over-design being pushed by other entities like the ISO and ITU-T, who way back when was trying to push us into cumbersome monstrosities like the OSI network stack and X.400 email. (Both now consigned to the dustbin of history, pretty much)  People like Jon Postel and Dave Crocker and their colleagues knew very much what they were doing - the success of their handiwork speaks for itself.

    More specifically, TCP/IP and SMTP were a direct response to the bureacratic monstrosities that the ITU-T (formerly CCITT) was pushing, SPECIFICALLY because they were "as simple as possible, but no simpler", and JUST WORKED. I would be willing to bet that the Internet would not have become nearly the ubiquitous element of daily life it has become (or at least anywhere near as quickly) if we had been saddled by those bureaucratic monstrosities all these years.

    The main problem, it seems to me - and a MS person should appreciate this - was not necessarily the poor engineering of the old stuff per-se, but all the momentum that gets going like a freight-train that you can't stop. All the technology in the world isn't going to help if you can't force everyone to upgrade.  It might seem trivial to you or I to switch to TLS or IPv6 or or IPsec or whatever, but when you're living in a country where the vast majority of its citizens live on less than $2/day (3 billion people live on less than $2.50/day), and where you're lucky to have dialup internet if any internet at all, the picture is a bit different.

    We've made some very worthwhile improvements by layering new tech on top of the old - which is exactly what SPF, DKIM and SenderID are.

    (Oh, and I lolled at the political comments - methinks you guys need to stick to the technical stuff you know more about :P )

Page 1 of 1 (10 items)