If Someone Is Testing Ways To Take Down The Internet, Perhaps It's Time To Build A Stronger Internet

from the let's-get-it-done dept

There's been a lot of buzz over respected computer security expert Bruce Schneier recently talking about how someone, or some organization, or (most likely) some state actor, is running a series of tests that appear to be probing for ways to take down the entire internet. Basically, a bunch of critical infrastructure providers have noticed some interesting attacks on their systems that look like they're probing to determine defenses.
Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company's total defenses are. There are many different ways to launch a DDoS attacks. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they've got to defend themselves. They can't hold anything back. They're forced to demonstrate their defense capabilities for the attacker.
This article is getting a collective "oh, shit, that's bad" kind of reaction from many online -- and that's about right. But, shouldn't it also be something of a call to action to build a better system? In many ways, it's still incredible that the internet actually works. There are still elements that feel held together by duct tape and handshake agreements. And while it's been surprisingly resilient, that doesn't mean that it needs to remain that way.

Schneier notes that there's "nothing, really" that can be done about these tests -- and that's true in the short term. But it seems, to me, like it should be setting off alarm bells for people to rethink how the internet is built -- and to make things even more distributed and less subject to attacks on "critical infrastructure." People talk about how the internet was originally supposed to be designed to withstand a nuclear attack and keep working. But, the reality has always been that there are a few choke points. Seems like now would be a good time to start fixing things so that the choke points are no longer so critical.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: attack, bruce schneier, cybersecurity, internet, vulnerabilities


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Capitalist Snob, 15 Sep 2016 @ 8:32am

    NSA?

    I wouldn't put it past the NSA. They want to make sure they have more control then those commie bastards!

    link to this | view in chronology ]

    • icon
      Richard (profile), 15 Sep 2016 @ 9:02am

      Re: NSA?

      They want to make sure they have more control then those commie bastards!

      Which Commie bastards would that be. The Soviet Bloc was finished 25 years ago - and the Chinese stopped most actual communist policies even longer ago than that - turning itself into a big version of Singapore.

      Are Cuba and North Korea a serious threat?

      link to this | view in chronology ]

      • icon
        Roger Strong (profile), 15 Sep 2016 @ 9:17am

        Re: Re: NSA?

        North Korea isn't communist anymore. Their 2009 constitution dropped references to communism.

        Given the magical powers attributed to its hereditary rulers, it might be described as a theocracy.

        link to this | view in chronology ]

      • icon
        That One Guy (profile), 15 Sep 2016 @ 1:32pm

        Re: Re: NSA?

        The USG has always been at war with Easta- I mean communis- I mean terrorism.

        link to this | view in chronology ]

  • icon
    Anonymous Anonymous Coward (profile), 15 Sep 2016 @ 8:36am

    Distribution option

    So, nerd harder is a thing.

    I would think something like P2P would be a way to distribute some things. However, the MAFFIA's would have a conniption that would make global nuclear war seem like a mild summer shower.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 15 Sep 2016 @ 9:00am

      Re: Distribution option

      Without IPv6 (to get enough addresses), and fixed IP addresses for fixed connections, peer to peer requires some centrally managed address resolution protocol, and that can be attacked.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 15 Sep 2016 @ 10:23am

        Re: Re: Distribution option

        And here's your solution. We've been migrating to IPv6 for 20 years. Most of IPv4 address space is now exhausted.

        For Internet-facing traffic, it's time to move from IPv4 to IPv6, and leave IPv4 for the LAN. What I mean here is that the Internet backbones have to fully drop IPv4, such that beyond BGP, everything's IPv6. If you want to continue using IPv4 over the Internet (many devices have no choice), you stick a tunnel in front and expose an IPv6 interface.

        This alone will clear up many of the current issues with Internet choke points. The other issues are physical, and the only real way to route around them is to build out the infrastructure. Not having to route IPv4 packets however would enable the built out infrastructure to scale much better, and reduce saturation potential at the switches.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 15 Sep 2016 @ 10:28am

          Re: Re: Re: Distribution option

          The other advantage, from a security viewpoint, is that their are enough IPV6 addresses to allocate every person, and company an at least IPV4 sized address block. That make scanning the IPv6 Internet for connected devices much harder.

          link to this | view in chronology ]

        • identicon
          Skeeter, 15 Sep 2016 @ 11:30am

          Re: Re: Re: Distribution option

          The problem (in a nutshell) for IPv6 is the same as why IPv4 not only saturated, but why the world is eat-up (and I mean SATURATED) with subnets now, and that is SECURITY PROBLEMS!

          With IPv4, you don't have enough nodes...I mean, you saturated in the single-digit billions, just not enough 'phone numbers' for all those phones (that we thought we'd never use). Add in cast-off numbers (Little Jimmy was playing games online, until he posted his IP online, now when he turns his computer on, it gets hacked instantly), as a result we (the 'parents') made the cable company give us a new IP. Irresponsibility led to DHCP from provider (wasn't always like this), which led to eventual subnetting and port controls (you can't run a website from home, when your IP is 192.168.x.x from your provider).

          Now, in one breath, you're going to give 'ole granny' a real IPv6 number, that's live on a 'bigger world backbone', never explain to her what this means for her in terms of world 'exposure', and expect this to 'end up ok?'.

          This sounds more like a plan from the NSA to see EVERYONE's home data, more than it is to build a 'better, stronger internet', but then again, I'll bet you really liked the idea of 'cloud computing' a few years ago, too.

          link to this | view in chronology ]

  • icon
    Roger Strong (profile), 15 Sep 2016 @ 8:40am

    > ...it's still incredible that the internet actually works. There are still elements that feel held together by duct tape and handshake agreements.

    That's not necessarily a bad thing.

    Demand a stronger internet and governments will build it based solely on input from corporations and intelligence agencies. You'll get a internet designed by the RIAA, MPAA and NSA. With a Great Firewall of China baked in for EVERYONE.

    You'll be replacing a potentially unreliable internet with one unreliable by design.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 15 Sep 2016 @ 10:18am

      Re: Demand a stronger (I)nternet

      "and governments will build it based solely on input from corporations and intelligence agencies. You'll get a internet designed by the RIAA, MPAA and NSA."

      So basically Comcast.

      link to this | view in chronology ]

    • identicon
      Skeeter, 15 Sep 2016 @ 11:34am

      Re:

      Roger, this is EXACTLY how Windoze became the ultimate 'malware-impersonating-an-OS by design' software, ever! Sheep input, Pro-design, Government-oversight with a touch of Orwellian-fulfillment, for flavor.

      link to this | view in chronology ]

  • icon
    orbitalinsertion (profile), 15 Sep 2016 @ 8:46am

    As distributed as you make things, it's always going to be a thousand times easier to just distribute the attack a little more.

    Of course i can't wait for the feds to identify who is doing this and charge them accordingly. It would be stunning to see some laws and and power applied to something that is actually harmful and wrong on the internet.

    link to this | view in chronology ]

    • icon
      Machin Shin (profile), 15 Sep 2016 @ 9:10am

      Re:

      "Of course i can't wait for the feds to identify who is doing this and charge them accordingly."

      That makes two really big assumptions. 1) That the feds don't already know who is doing it and 2) that is isn't the feds themselves doing it.

      I would say that NSA is pretty high on the list of possible suspects. The others on the list like China and Russia... Well, we are not very likely to call them on it. Even if we do call them on it, it is not like we really have the power to stop them.

      link to this | view in chronology ]

      • identicon
        Skeeter, 15 Sep 2016 @ 11:41am

        Re: Re:

        I think the only possible 'real' culprit is one of 3-nations' clandestine services. No other could pull this off, and it is highly unlikely it is any but our own, to be able to do configured DDoS attacks regularly.

        This is where the average 'sheep' says, 'but why in the world would our government do such a terrible thing?'

        Easy - because if they can determine exactly what it takes to bring down the internet (just like they already know and have ability to bring down the nation power grid), then they not only know what it would take for an enemy to take it down, but what they must be prepared to do if THEY have to take it down. Why do they need this knowledge? Well, they've already idealized the 'People' as the 'biggest enemy', planned for 'continuity of government', and so much more. Why not plan to cut your vocal cords, so you can't cry out, can't plot against them or share intelligence?

        Tactically, it's quite an obvious choice. What were you thinking?

        link to this | view in chronology ]

        • identicon
          Thad, 15 Sep 2016 @ 12:51pm

          Re: Re: Re:

          It's not a question of whether or not our government would do something "terrible", it's a question of whether it would do something that would significantly hobble its own operations. Do you think the NSA becomes *more* capable of maintaining its surveillance network if it takes the Internet down?

          Our government doesn't want to stop you from getting on Facebook. Just the opposite. The Internet is the most valuable spying tool that the governments of the world have, and populations' willing participation is exactly the thing that helps them to spy on those populations.

          I don't disagree with your premise that the US government may be responsible for these probes. I just disagree with your assessment of its purpose in doing so.

          link to this | view in chronology ]

    • identicon
      Anonymous Coward, 15 Sep 2016 @ 9:19am

      Re:

      LoL. Call the world police and arrest a government agency in country x!

      Good luck, have fun. :)

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 15 Sep 2016 @ 9:51am

      Re:

      Oh it's easy. Just blow up "The Nexus" in Oslo, Norway. Apparently this is a central hub through which all internet traffic in the world flows.

      *crickets*

      I'll get my coat.

      link to this | view in chronology ]

  • icon
    Machin Shin (profile), 15 Sep 2016 @ 9:13am

    I have been thinking for the last several years that the internet is due for a major change. The mass spying going on around the world made me think that. Then also seeing how countries love turning off the internet to try and deal with revolts only makes that feeling stronger.

    People need a communication platform that is out of the reach of governments.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 15 Sep 2016 @ 9:26am

      Re:

      People need a communication platform that is out of the reach of governments.

      In other words sneakernet, as demonstrated by the Cubans

      link to this | view in chronology ]

      • identicon
        Skeeter, 15 Sep 2016 @ 11:45am

        Re: Re:

        It's called 'peer-to-peer' networking, and you'll be hacked in 2-minutes and crashed in 3.

        See, the problem with 'non-government peer-to-peer' is that the slime of society don't value a network, are challenged by crashing it, have no intent to build a network, want to infect any network they stumble on, and consider it their personal life goal to crush any who would dare lock them out of administrative rights.

        Not only is your government working against you, but you have slime amongst you that says 'when it falls, it will never return'.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 15 Sep 2016 @ 12:17pm

          Re: Re: Re:

          Sneaker net is a peer to peer network, but without relying on a medium controlled by other to carry your data, and given the capacity of micro SD cards, (much safer than thumb drives as they cannot pretend to be keyboards etc.), an have a high bandwidth, but with a high latency.UUCP, and FidoNet provide code for handling bulk data transfers over intermittent connections. Such techniques for communication require the skills of letter writing, which leads to a more considered conversation.

          link to this | view in chronology ]

        • identicon
          Thad, 15 Sep 2016 @ 12:40pm

          Re: Re: Re:

          Aside from your misunderstanding of what a sneakernet is (it's a network where transmission is handled by people physically transporting physical media -- sneakers as in walking shoes, geddit?), we've seen some examples of pretty robust peer-to-peer networks. Tor has its flaws, but it's proven to be remarkably resilient and safe. Freenet's been around for ages too.

          It's not that there aren't bad people doing bad things on these networks; of course there are. And it's not that they're invulnerable, either; a lot of infrastructure is concentarted in a few hands, and if a single large provider leaves the network (either voluntarily or by being forced), that can have a significant impact on everybody who uses them. But the former is a problem on the plain ol' client-server Internet that most everybody uses, and the latter is a matter of scale that would become less of an issue as more devices joined the network.

          link to this | view in chronology ]

  • icon
    dfed (profile), 15 Sep 2016 @ 10:06am

    Fine! I'll go make my own internet with blackjack and hookers!

    ...or you know, use the one that already has that.

    link to this | view in chronology ]

  • identicon
    wiserabbit, 15 Sep 2016 @ 10:22am

    i noticed this about a year ago and started keeping a map of some of the just seemingly odd attacks that were showing up in all the weirdest places. it just started smelling like intelligence gathering - large scale intel gathering. i just found it interesting and possibly a great foundation for a book...yet again pre-empted by the insanity of real life.

    link to this | view in chronology ]

    • identicon
      Skeeter, 15 Sep 2016 @ 11:50am

      Re:

      Yeah, DDoS attacks all the time here, too, but different. Won't go into it other than to say, strange in the method used. They got lucky once, even was able to wipe my most-outer firewall router of all the 'block list' (incoming), real pain.

      The biggest problem I ever have with local network integrity is the time wasted checking tracking cookie sites constantly rolling IPs! Swear to god, if you made them illegal, you'd recover 10-percent of the IPv4 IP numbers currently used!

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 Sep 2016 @ 10:29am

    Don't presume that the goal is disruption

    It might be, but that's just one of many possibilities. Another much more likely one -- likely because we've already seen it many times -- is extortion, i.e., "pay up or we overwhelm your perimeter routers".

    Yes, there are people who might do this out of ideology or politics, but there are many people who would do it for profit. Like the man said, Follow the money.

    link to this | view in chronology ]

  • icon
    Ehud Gavron (profile), 15 Sep 2016 @ 10:48am

    Internet philosophy

    TL;DR - the Internet would need to be redesigned from scratch in a way that wouldn't work with today's applications, web pages, etc. Governments are against encryption and authentication (by others) so this will likely never see the light of day outside of research labs.

    Now the part for people with attention spans:

    The Internet wasn't designed for its evolution. The original founding fathers of the Internet include Jon Postel (RIP) who famously created "The Robustness Principle" which states "Be liberal in what you accept, and conservative in what you send" (RFC-1122).

    The Internet was designed to do something that hadn't been done before -- get interoperability. Prior to TCP/IP (and IMPs nee routers) IBM devices talked SAN. DEC devices talked DECnet. On a lower layer there were token-ring networks, coaxial-Ethernet networks, none of which could communicate effectively with each other.

    Jon's philosophy encouraged and enabled interoperability -- the original goal. As a result in "being liberal in what you accept" there were no firewall considerations, very little protocol checking (the IP packet checksum, for example, only provides a rudimentary check that the IP header has not been changed in transit... but now of course a MITM attack does exactly that). There was no crypto consideration so no hashing or signing of packets, port connect request, transmission control protocol streams, etc.

    Now we are in a new era. It started somewhere in 1993 when the "commercial Internet" became a thing. The ubiquitous "coasters" sent by AOL, Netcom, and others (originally 3.5" floppies and then later CDs) allowed anyone with a MODEM to connect at incredible speeds of 9600 baud to 52Kbps (yes, baud and bps are different).

    The evolutionary phases continued: everyone could get email; web 2.0; e-commerce; social media. With that came companies eager to connect the millions of worldwide businesses to the net, and also the hundreds of millions of worldwide users.

    As with any society, once something is open to all that means even that bad guys have access. That had evolutionary phases too. Spam. DoS. DDoS. Malware. Then a combination of those (spam to get you to download malware and malware that put your computer in a botnet to do a DDoS). Now we have the latest which is ransomware, and this "attack vector intrusion tests."

    The Internet, as designed, doesn't have the mechanisms to protect against any of this, nor can retrofitting it be done simply. The move to IPv6 (a VERY VERY incremental change) has taken over a decade and is still at less than 25% adoption.

    Protecting against DDoS attack vectors requires that intermediary devices block LEGITIMATE-APPEARING-TRAFFIC. That goes against the grain of all the ISPs contracts with their customers. It also requires validation of IP addresses (to prevent spoofing) and elimination of non stream-oriented (UDP) protocols. These changes will not happen on the current Internet and they will not happen in an interoperable ("be liberal in what you accept") way with current TCP/IP.

    SO philosophically, yes, we need a new communication infrastructure with signing, encryption, and elimination of Windows (malware/DDoS vector). Governments the world over do not want any of this to occur.

    Ehud

    link to this | view in chronology ]

  • identicon
    Capt ICE Enforcer, 15 Sep 2016 @ 11:02am

    Dixie cups

    I hate to be a conspiracy theorist / realist. But governments have no desire to protect the internet. When people are connected they have power. When you remove the connection then the government has the power. The only true secure communication is 2 Dixie cups and a really long string.

    link to this | view in chronology ]

    • identicon
      Thad, 15 Sep 2016 @ 12:28pm

      Re: Dixie cups

      I don't agree with your premise that governments would be *more* powerful if they had no Internet access.

      What makes a government powerful is when the leaders have Internet access and the citizens don't. That's not what we're talking about here; we're talking about a situation where *nobody* has Internet access. That would throw governments into just as much disarray as the general public.

      link to this | view in chronology ]

  • identicon
    Alex Elsayed, 15 Sep 2016 @ 11:19am

    There's work going on for this

    There are definitely people working on this, from the HIP working group in the IETF[1] to the SCION folks (largely from ETH Zurich)[2].

    The latter, in particular, has some VERY interesting ideas, which would lead to comprehensive encryption from end-to-end, with endpoint privacy via onion routing, minimal overhead, and guarantees of traffic between two hosts in the same "ISD" (likely approx. one per nation) never leaving that ISD, solving both the "rerouted via Pakistan" and "insane regime breaks Youtube for everyone" issues.

    [1] https://datatracker.ietf.org/wg/hip/documents/
    [2] http://www.scion-architecture.net/

    link to this | view in chronology ]

  • identicon
    Thad, 15 Sep 2016 @ 12:25pm

    Build a stronger Internet? Jeepers, how has nobody else thought of that before?

    Given the complexity of this problem, I'm not expecting you to come up with an extensive, protocol-level list of improvements that developers should implement. But "hey, we should make this thing better" is (a) obvious and (b) useless. At least throw out a few high-level suggestions for what you're talking about.

    It's not an easy problem, and a lot of the biggest and most advanced companies have been chipping away at it in any way they can for years and years. As others have noted, the rollout of IPv6 has been a long time coming. Google's been working on web improvements in everything from transferring more data in fewer requests to automatically minifying and gzipping everything at the Apache level. While these are primarily intended as usability improvements, anything that reduces bandwidth consumption makes a DDoS harder.

    There's also MS dipping its toe into P2P distribution -- specifically, Windows Update doesn't just use a client-server model anymore; by default, updates are shared among users. This, naturally, makes it a lot less likely that MS's servers will go down under heavy demand (as has happened before -- I believe when the Windows 7 preview was released).

    These are all slow, incremental improvements. Because when you're trying to preserve compatibility with an existing system based on a decades-old protocol stack and used by billions of devices, slow, incremental improvements are all you're going to get. (And those are just the technical constaints; other posters have already noted some of the political ones.)

    link to this | view in chronology ]

  • icon
    Norahc (profile), 15 Sep 2016 @ 12:53pm

    Actually....

    Actually, they're just looking for the "backdoors" that Director Comey wants. Of course, this is the same guy that says duct tape protects him from webcam hackers.

    http://arstechnica.com/tech-policy/2016/09/fbi-urges-low-tech-solution-to-high-tech-webcam-h acking-tape/

    link to this | view in chronology ]

    • identicon
      Thad, 15 Sep 2016 @ 1:02pm

      Re: Actually....

      So does the EFF.

      It's also, y'know, obvious. If your camera is covered, nobody can see out of it.

      It doesn't protect against other forms of attack -- audio and keystroke logging, MITM attacks on your communications, van parked across the street reading the radiation coming off your monitor, etc. -- but it's an absolute defense against anybody seeing you through your laptop camera. I don't really see how that's arguable.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 15 Sep 2016 @ 1:21pm

        Re: Re: Actually....

        A piece of folded black colored beer can gives an almost invisible slide cover for the camera on my laptop and is springy enough to grip over the edge of the bezel and stay put.

        link to this | view in chronology ]

  • icon
    Adrian Cochrane (profile), 15 Sep 2016 @ 1:21pm

    Why hasn't this been done before?

    I've been following the developments on rebuilding the Internet, and let's see if I can summarise why we aren't there.

    Most commenters on this topic are pointing out the threat of political pressure on a redesigned Internet, but there are other issues at play.

    The biggest problem (whether it's for IPv6, mesh networking, or a peer-to-peer Web built on a DHT), is that before end-users see value in running the protocol it must already be popular. As such it's actually not that hard to build a stronger alternative to the Internet, the issue is navigating the catch22 in order to get it used.

    Furthermore there's an issue that any purely peer-to-peer identifier (AKA a "pubkeyhash") is inherently unreadable and harder to communicate to friends then a phone number, but an open-minded UI designer should be able to help solve this problem.

    In short, we have been onto this task of building a stronger, better Internet but to some extent or other we can only do so incrementally. This is due to not only political pressure, but also marketing.

    link to this | view in chronology ]

    • identicon
      Thad, 15 Sep 2016 @ 1:55pm

      Re: Why hasn't this been done before?

      The biggest problem (whether it's for IPv6, mesh networking, or a peer-to-peer Web built on a DHT), is that before end-users see value in running the protocol it must already be popular. As such it's actually not that hard to build a stronger alternative to the Internet, the issue is navigating the catch22 in order to get it used.


      Right, and it's not just end users; it's the local plumber who just has a website up with his business address and phone number; it's publicly-traded companies whose shareholders don't see the benefits in switching to a new system that their customers don't use; it's understaffed IT departments that simply don't have the time to work on infrastructure changes like that because they're too busy dealing with regular day-to-day issues.

      Furthermore there's an issue that any purely peer-to-peer identifier (AKA a "pubkeyhash") is inherently unreadable and harder to communicate to friends then a phone number, but an open-minded UI designer should be able to help solve this problem.


      Yeah, that's not such a hard problem; we've already got a protocol that translates a human-readable address into an IP address. And my E-Mail address used to be SJMD68B.

      In short, we have been onto this task of building a stronger, better Internet but to some extent or other we can only do so incrementally. This is due to not only political pressure, but also marketing.


      And just plain lock-in. When you've got billions of people using a thing, it's not easy to get all of them to transition over to a different thing.

      link to this | view in chronology ]

      • identicon
        Alex Elsayed, 15 Sep 2016 @ 2:17pm

        Re: Re: Why hasn't this been done before?

        > Yeah, that's not such a hard problem; we've already got a protocol that translates a human-readable address into an IP address. And my E-Mail address used to be SJMD68B.

        Yeah, we have such a protocol in DNS. It's also possibly the most fragile part of the internet, bar none.

        It's centrally controlled (the root nameservers), integrity of DNS records (DNSSEC) still isn't pervasive, privacy of DNS queries is laughable due to the caching architecture making it almost impossible to retrofit, DNSSEC is based on an EVEN MORE central model than DNS as a base protocol, which makes it trivial for a nation-state attacker to replace all your DNS records with the right orders, it's not distributed and so the authoritative name server for a domain can be trivially taken down...

        DNS is not a solution; it's a huge part of the problem!

        There have been attempts to come up with solutions, but none has yet succeeded. There's a statement of the problem, often called Zooko's Triangle: Secure, Distributed, Human-meaningful: Pick Two.

        Now, that doesn't quite hold - Aaron Swartz, among other things, demonstrated a manner of "squaring" Zooko's triangle. However, that method requires every peer on the network keep a multi-gigabyte log of all names ever issued, which falls down on two properties people care about: privacy and efficiency.

        The former, incidentally, is one of the things that delayed DNSSEC. DNS was never intended to keep the list of records secret, but people assumed it did, and when DNSSEC's NSEC mechanism was found to allow iterating over records, people rejected it. NSEC3 does better, but still has issues, and so forth.

        The value of efficiency, of course, is obvious.

        As yet, I am not aware of anybody having found a system which squares Zooko's triangle efficiently, much less without leaking such information.

        link to this | view in chronology ]

      • icon
        Adrian Cochrane (profile), 15 Sep 2016 @ 3:07pm

        Re: Re: Why hasn't this been done before?

        It's not like the issues I mentioned don't have solutions, just that those solutions can slow down development or hold up adoption.

        The most interesting of these solutions I've seen is a plan to design a peer-to-peer Web where if the client browser doesn't support it, a central server will serve them JavaScript instructing them how to access the page.

        As for the issue of identifiers I've seen a couple of solutions, and introducing a semi-centralized translation service is certainly one of them. But given the mindset behind these projects I find QR codes are a more common one.

        Still lock-in (thank you Thad, forgot to mention it) is a big issue I haven't seen be addressed well, and as for the political angle we just need to review the new protocols and code for security flaws.

        link to this | view in chronology ]

    • icon
      Ninja (profile), 16 Sep 2016 @ 5:10am

      Re: Why hasn't this been done before?

      Unless, of course, the end user can't not use the new protocols because the major infra-structure players have ditched the previous ones and are accepting the more secure. There could be a window where both the new and the old internet would work simultaneously as a transition effort (if possible) or at least where it would be widely communicated that things would change and then just flip off the switch. Sure, shit will happen but it's better than keep the frankenstein barely alive and ailing at every slight probe.

      Sometimes you just need to take a one time hit that will cause major disruptions but will avoid worse problems in the future if nothing is done. Or if you duct-tape pseudo-solutions.

      link to this | view in chronology ]

  • identicon
    John Mayor, 15 Sep 2016 @ 3:23pm

    ALIEN PROBE

    Apart from the possiblity that these "tests" of the strengths and weaknesses of the Net are the work of the "Cyber ISIS crowd", there's also the possibility that the NSA, Homeland Security and DARPA are behind these "probes"!
    .
    Please!... no emails!

    link to this | view in chronology ]

  • icon
    Eldakka (profile), 16 Sep 2016 @ 1:52am

    It's nothing to do with TCP/IP, or p2p, or any other SOFTWARE protocols

    I haven't read through all the comments, but certainly most of the ones at the top seem to be blaming IPv4, or talking about p2p, ditributed computing or whatnot.

    None of those are relevant. They are all software protocols that lie atop the physical, cabling/satellite, infrastructure. And as I understand it, we are talking about the network infrastructure, the CABLES, where they go, where they concentrate, and so on here.

    Have a look at the submarine cable map. Most of the worlds data goes through a few key landing points. And a landing point is a big datacentre/routing point for massive amounts of data. And beyond that, the main trans-continental (land-based backbones) concentrate through a few key distribution points.

    You 'break' half a dozen core physical cable concetration points, you can break an awful lot of the internet. And I'm not talking physical breakage. All the distribution within those conecntrations of cable termination points is done with gateway routers, core routers, and so on. It is these devices we are talking about breaking. These devices that control all the data flow can be hacked, DDoSed, lobotomised.

    Sure, some of it will be worked around, but those key choke points between them provide the lions share of the available bandwidth, well in excess of 60% of the internet bandwidth throughout their regions. Most secondary backbones that bypass those core datacentres are, relatively speaking, low-bandwidth, like satellite, or links to small regional areas etc. So, break half a dozen key regional concentration points, and suddenly the internet in trying to route around the break, trying to jam 100Gb/s (or more) through links that are only 1 or 2 Gb/s. And with the atrocious way that core routers, border gateways cache too much, flow-control will be broken beyond recognition. Suddenly all these 100GB/s+ are choking, breaking the remaining backbones. It's like a traffic jam, there's so much traffic it all sits there going nowhere. And "poof", there goes the internets across very large regions, national if not continental-scale telecommunications failures.

    And it doesn't matter whether you are using IPv6, IPv4, P2P like torrenting, cloud datacentres, TCP/IP, ATM, IPX, (although IPoA will still work fine unless as long as you don't need to interface with any telco's!) it's all irrelevant. All the infrastructure that carries that data will be inaccessable.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 16 Sep 2016 @ 11:50am

    Internet traffic should be encrypted by default. Internet's infrastructure should always be decentralized.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 16 Sep 2016 @ 12:59pm

    Unfortunately the public nature of the forum prevents a proper discussion of this.

    There are seeds out there, of the technologies that will make the next generation Internet. There are working prototypes, and small networks running these systems.

    But... (A big but)

    There are a lot of politicians (read as: white collar pimps) that also read TD. So as much as I'd like to talk about the stuff that is REALLY going on right now, this isn't the forum to do it.

    It would be irresponsible. (Pretty much like inviting NAMBLA to an elementary school.) These technologies need a chance to grow up so they can defend themselves. And that is really the bigger challenge.

    Making a technological system that is monolithic, which reinforces both open communications, AND privacy while running on hardware that is controlled by malicious actors isn't just a technical challenge. It is also a political one.

    What I can say, is that a great deal of effort is being made to deal with the descending spiral into fascism. But making a system free (as in freedom, not beer) is actually a much bigger technical problem than it might appear.

    Jefferson wrote what _should_ be. Now the challenge is to see if there is actually a mathematical means for actually achieving what he articulated.

    I believe there is. And I've seen some stuff that goes a long way in that direction. But I'll be fucked if I'm going to help some shitbag minion of Oligarchy find it before it is ready for market.

    link to this | view in chronology ]

    • identicon
      John Mayor, 17 Sep 2016 @ 11:51am

      Re: Unfortunately the public nature of the forum prevents a proper discussion of this.

      As it was alleged of Lucifer!:... if Lucifer had known that the death of Jesus would have meant Lucifer's defeat, HE WOULD NOT HAVE KILLED THE SON OF GLORY (and thus, we would have no opportunity for salvation!)!
      .
      In other words... and get this!... the W-O-R-S-T T-H-I-N-G Lucifer C-O-U-L-D E-V-E-R H-A-V-E D-O-N-E in his tactical battle plans and WAR against God, would be to have L-E-F-T C-H-R-I-S-T A-L-O-N-E!
      .
      Talk about the M-I-N-D-L-E-S-S F-U-T-I-L-I-T-Y of mere aggressive acts!
      .
      Indeed!... sometimes it's best to keep the cards close to the vest! But!... on other occassions!... it's best to leave just enough rope!
      .
      Please!... no emails!

      link to this | view in chronology ]

  • identicon
    us, 22 Oct 2016 @ 11:12pm

    If state actors took out the net, which wouldn't surprise anyone at this point, it would have an unforeseen awesome consequence: giving today's apathetic social media (ab)users a motive to rise up and fight for something they believe in. People complain about generation y's lack of interest in real life activism, what better antidote for that than to take away their unreal lives online?

    Bring it on.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.