A mutual aid framework could also make the Internet secure in other ways. PCs can alert others not to run code that just sickened them, signaling health levels to others. Internet providers could also develop technologies to validate their relationships to one another and ferret out misleading data, the way Wikipedia volunteers can quickly act to roll back thousands of acts of vandalism a day.
We rightly fear our networks and devices being attacked—but we should not let this fear cause us to destroy what makes the Internet special. We have to become more involved and more subtle—and soon.
This article was originally published with the title Freedom and Anonymity.
Subscribe
Buy This Issue
Already a Digital subscriber? Sign-in Now
If your institution has site license access, enter here.
Already a Digital subscriber? Sign-in Now
If your institution has site license access, enter here.
See what we're tweeting about
12 Comments
Add CommentThe attribution problem is essentially impossible to resolve. It's not something that can be solved in the Internet architecture or protocols, because that's not where the problem is. Every packet of data on the Internet IS already engraved with its source, an IP address. The problem is that the machine sending the data may be acting on behalf of someone else -- the proximate source is not the ultimate source. We have proxy servers that voluntarily transmit data on others' behalf (a special case of this is TOR networks, which use multiple relays and encryption so that even the network operators can't find the originator), and botnets, where a third party takes control of thousands or millions of computers. As long as computers can initiate network communications independently of interactive commands by users, you can't stop these types of activities.
Reply | Report Abuse | Link to thisIf it ain't broke...don't fix it!
Reply | Report Abuse | Link to thisThere has never been a cyber-attack of critical infrastructure, and it's not for a lack of trying.
We are hardly bothered by viruses, spam, or DDOSes.
On the other hand, the "chilling effects" of removing anonymity would be catastrophic. There is a reason why it was put in the US constitution centuries ago.
It is simply naive to think that, granted the power to filter the Internet, people will only use that power for good. And once that power is granted, there will be no way to know whether it is being abused, no way to safely investigate, or report on it.
Far better is it to learn to live with anonymity. If you don't want identity theft, do not put your financial information online. If you want privacy, be anonymous. If you're afraid of predators, do not trust so called friends that you have never met.
If someone libels your name, be a better person, or company, or government, and it will happen to you less than your competitors. If you are a creator, put your work online; you'll become famous, then sell what isn't online. If your business model is outdated, then take up a trade.
Information is not, itself, dangerous. Fraud is stealing money, not information. Terrorism is destroying flesh, not information.
Information is harmless. But a lack of information is never good. And the ability to restrict information is worse than a license to commit fraud, it is worse than terrorism.
I can't verify this, but I think that the core of the attack on Wikileaks, Julian Assange, and internet freedom in the USA today is not necessarily from government. There is some such pressure, certainly.
Reply | Report Abuse | Link to thisBut the big boys in the banking sector are far more arrogant and used to getting their way when they want it than anybody in government. And they are looking at the distinct possibility of going to prison for the rest of their lives after Wikileaks processes their files and posts them. That is a much stronger motive to twist arms to exert the kind of criminal pressure on the government of Sweden that we have seen than anyone in the State Department has.
In a not unrelated story …
Reply | Report Abuse | Link to thishttp://www.examiner.com/social-media-in-national/us-gov-software-creates-fake-people-on-social-networks-to-promote-propoganda
You can never successfully control what EVERYONE else does. To attempt to do so will always be doomed because someone will always figure out a way to circumvent your controls. Those who fear attacks should set up reasonable security measures for themselves and allow others to act freely the same way. That's how the non-cyberworld operates. Cooperation is more powerfull than total control.
Reply | Report Abuse | Link to this"Every packet of data on the Internet IS already engraved with its source, an IP address."
Reply | Report Abuse | Link to thisUh, no.
While technically true, there is no guarantee that the ip address is a valid one. Attackers who have no desire to form a legitimate connection routinely forge the return IP addresses when they flood targets with UDP packets.
A solution, which wouldn't compromise the essential anonymous nature of the internet, would be to require all ASs to implement source level filtering, i.e. ensuring that packets they are sending out could have originated within their network. If for no other reason than to make DDOSs traceable back to their source hosts.
This would cause programs that rely on forged packets to do firewall tunneling to fail, i.e. Skype, but there really ought to be a less hackish solution for that anyway.
As you say, criminals will still be able to proxy their connections through owned hosts on the internet, a problem that will never be solveable, so more invasive tracking measures will only hurt our freedom of speech, of which being able to post things anonymously is essential. Even in the Founders' days, the anonymous broadsheets were a core component of free speech.
I read a few days ago on Ars Technica that some large bank believed to be Bank of America was a major player in attacks against Wikileaks because of some "dirty laundry" they have. I think the government has a right to keep some things secret, but I also like the idea of something like Wikileaks (or Anonymous) keeping companies/governments honest. Hopefully whatever bank it was has that dirty laundry shown to the whole world, if for no other reason than to send a message: we'll only put up with so much BS before striking back.
Reply | Report Abuse | Link to thisI have to disagree with boothie on the statement that, "If it ain't broke...don't fix it!
Reply | Report Abuse | Link to thisThere has never been a cyber-attack of critical infrastructure, and it's not for a lack of trying.
We are hardly bothered by viruses, spam, or DDOSes." That may be true of the USA so far, but look at what Russian hackers have been accomplishing in Estonia...to act as if the U.S. is total cyber-terror proof is naive and shortsighted. Just look at the post in the BBC: http://news.bbc.co.uk/2/hi/europe/6665195.stm
Webmaster, http://mybadcomputer.com/
Jonathan Zittrain is a sweet, kind, and well-meaning guy with a very rosy, optimistic view of human nature, but he's seriously confused about how the Internet works. The gap between what the cellular network knows about its users and that the Internet knows is not nearly as large as he imagines. You don't get on the Internet without an ISP handing you an IP address, and most of the time you have to pay a fee for the service. The exceptions - open Wi-Fi access points and the like - are about as profound as the exceptions to the cellular model: I can steal your cell phone, but the phone is registered to somebody, somewhere, just as the open Wi-Fi access point is.
Reply | Report Abuse | Link to thisThe underlying problem for the Internet is the nature of the trust relationships that are required among network operators and users to keep the system running. The Internet is amazingly collaborative, because it must be; the design requires collaboration and cooperation. But nobody wants to cooperate with malicious players, and that's the rub in the systems of blind cooperation that Zittrain fancifully promotes.
There are many more malicious sites on the Internet than Zittrain imagines. It would be nice if he would write something about the real Internet instead of the fairy tale Internet that exists solely in his imagination.
Experiment: Try encrypting a bunch of personal data (e.g. bmp screenshots of a recently submitted obligatory census session over https) to an archive file in some regular working space. (I used a local machine networked to a medium sized company proxy server) On the next day, check if it becomes difficult to evoke responsiveness from that same computer. If so, delete the encrypted file(s), reboot and compare. In my case, I got my responsiveness back on a machine that takes 25 minutes nevertheless to start. I got my machine responsiveness back. This may be the tip of a new iceberg of things to come with competition in the not-so-clean backdoor access business.
Reply | Report Abuse | Link to thisReally a nice article and good info as well.
Reply | Report Abuse | Link to this===================
<a href="http://compareenergyprices.org.uk" rel="dofollow">Compare Energy Prices</a>
There IS a method to stop the DDOS/Smurf attacks, however the method would require (almost) complete cooperation amongst all internet providers. The solution isn't to track an attack and stop it, the solution is to prevent attacks from ever happening.
Reply | Report Abuse | Link to thisEach company connected to the internet has a set or range of IP addresses it either owns or leases..and since individual user must always connect through a company the company and their respective uplink ISPs can push eACLs (Extended Access Lists) to their edge routers (where users/companies connect to upstream networks/ISPs) to block non-source IPs. Meaning, if Company A owns/leases IP range X then both Company A and their upstream providers can put in eACLs to block traffic that isn't sourced from IP range X.
If Company A doesn't comply, then their upstream ISP can turn off their service until they do. With this method in place an attacker couldn't attack anyone anywhere by trying to spoof/fake his origination IP address and only the packets sourced from his real IP address (or his company/providers range) would be permitted through. If the hacker/attack still persisted with the attack using his real IP address (or within the range of his company/provider) then at a minimum the attack can be tracked to the company/provider and A) the attack can be stopped and B) most likely the company/provider can track the attack much easier and nab the tracker.
The furthest edge of any network is where a user connects to that network, the above idea can pushed to that extreme edge and would eliminate any spoofing/dynamic attacks. Translation: every port/user connected to the internet would have an eACL preventing fake-sourced packets from being sent. And with spoofing eliminated you have effectively eliminated attacks.