Paul Vixie Explains How PROTECT IP Will Break The Internet

from the not-cool-folks dept

It's pretty difficult to question Paul Vixie's credibility when it comes to core internet infrastructure. Creator of a variety of key Unix and internet software, he's still most known for his work on BIND, "the most widely used DNS software on the internet." So you would think that when he and a few other core internet technologists spoke up about why PROTECT IP would break fundamental parts of the internet, people would pay attention. Tragically, PROTECT IP supporters, like the MPAA, appear to be totally clueless in arguing against Vixie. Their response is basically "it's fine to break the internet to evil rogue sites."

That, of course, is missing the point. It's not that anyone's worried about breaking the internet for those sites. It's that it will break fundamental parts of the internet for everyone else as well. And... it will do this in a way that won't make a dent in online infringement. Afterdawn sat down with Vixie who gave a clear and concise explanation of why PROTECT IP is a problem. The biggest issue is how it will impact DNSSEC, which adds encrypted signatures to DNS records to make sure that the IP address you're getting is authentic. You want that. Without that, there are significant security risks. But PROTECT IP ignores that.

Explained simply, for DNSSEC to work, it needs to be able to route around errors. But the way PROTECT IP is written, routing around errors will break the law:

Say your browser, when it's trying to decide whether some web site is or is not your bank's web site, sees the modifications or hears no response. It has to be able to try some other mechanism like a proxy or a VPN as a backup solution rather than just giving up (or just accepting the modification and saying "who cares?"). Using a proxy or VPN as a backup solution would, under PROTECT IP, break the law.

And, of course, none of these DNS efforts will actually stop infringement. As the Afterdawn article notes: "Bypassing DNS filtering is trivially easy. All you need to do is configure your computer to use DNS servers outside the US which won't be affected by the law."

And while supporters of PROTECT IP insist that there's nothing to worry about because it only impacts those "foreign websites," that's misleading in the extreme. PROTECT IP will impact a ton of US-based technology companies. First, if we have a less secure internet, that's going to be a problem for obvious reasons. Additionally, the way the law works is that it puts a direct burden on US companies to figure out ways to block sites declared rogue (you know, like the Internet Archive and 50 Cent's personal website), or face liability. This will increase both compliance and legal costs.

In the last few months we've been hearing from more folks in the startup world who are really concerned about the excessive burdens PROTECT IP is going to put on them. If you're an entrepreneur who's worried about this, we'd like to hear about it. Please contact us.

Filed Under: break the internet, dns, dnssec, paul vixie, protect ip, unintended consequences

Paul Vixie Explains Why COICA Is A Really Dumb Idea

from the read-and-learn dept

If you don't know who Paul Vixie is, you should. When Vixie speaks about something concerning the underlying state of the internet -- or, more specifically, a ridiculously stupid government plan to do something involving the underlying state of the internet, you should listen. On that front, Vixie is now explaining why the proposed COICA bill is incredibly short-sighted and will fail miserably. He focuses on the requirements to block sites at the DNS level that the Justice Department has declared to be "dedicated to infringing content." As Vixie notes, people who don't understand the internet will think that this will stop access to pirated material. People who understand how the internet works realize what it will really do is drive people to alternative DNS systems. He lays out the rather likely scenario of what happens the second COICA passes, in which an alternative DNS system is set up, perhaps by folks associated with The Pirate Bay, and set up in a way that is compelling:

First, they'd decide in advance to mirror the IANA DNS system as closely as possible. Anything that appeared in the IANA DNS system would automatically and instantaneously appear in the Pirate Bay DNS system. If ICANN goes ahead and creates a lot of new TLDs then all of those new TLDs would appear in the Pirate Bay DNS system as well, all pointing at ICANN's chosen registrars. In other words no existing DNS content would be overridden (or dare I say: "pirated".)

Second, they'd pick some new TLD that they wanted to create in the Pirate Bay DNS system that would serve their business needs and would be extremely unlikely to ever conflict with any future IANA TLD. For this I'm thinking .PIRATE or .PIRATEBAY or .ARGHHH but that's a decision best left up to the artistic team. For now let's assume that they chose .PIRATE so that their second level domain names would be content names like TORRENTS.PIRATE or ITS-A-WONDERFUL-LIFE.PIRATE.

It goes on from there. I won't go through all the details he lays out (go there and read it yourself), but he basically concludes that this can be done quickly and cheaply. Of course, he may not know that plans for something along these lines have already been in motion for some time.

His basic point is that COICA won't work. At all. In fact, the growth and acceptance of such alternative DNS systems will break a big part of the internet, potentially in dangerous ways:

My greatest worry is what people will do to bypass all this junk or to prevent other people from bypassing it. My fellow humans are a proud and occasionally adversarial bunch and they don't like being told what they can't do or what they have to do. The things we'll all be doing to bypass the local DNS restrictions imposed by our coffee shops or our governments or our ISPs will break everything. Where this ends is with questions like "which DNS system are you using?" and "which DNS systems is your TLD in?" which in other words means that where this ends is a world without universal naming. We adopted DNS to get universal naming, and today we have universal naming except inside Network Address Translation (NAT) borders. Universal naming is one of the reasons for the Internet's success and dominance. If we're going to start doing stuff like COICA then we should have stuck with a "hosts file" on every Internet connected computer and let every connected device decide for itself what names it recognized.

So his recommendation is not to even try with COICA, but he recognizes the US government seems to want to move forward with it. He's pretty clearly warning that it's going to be a huge mistake with tremendous unintended consequences. Now, the only question is whether or not anyone in the US government will actually listen, or will they blithely move forward not realizing the almost obvious reaction to their initial actions? As so often happens with governments, they seem to forget that any move causes a reaction. COICA is a big move that most people pushing for it do not understand at all.

Filed Under: break the internet, coica, dns, paul vixie, unintended consequences