Solved Has the Internet changed for the worse before?

We have to be careful here and distinguish between espionage and censorship.

In most western countries, there is remarkably little censorship at the internet level. I could write nearly anything here in this window, and you (hruodr) and the other FreeBSD forum members would be able to read it, obviously assuming that our dear moderators and administrators are OK with it being written here. That includes strongly anti-government messages. Due to some interesting circumstances, I read in some discussion forums that have lots of highly libertarian and anti-government members (off-road dirt motorcyclists, gun enthusiasts), and there is a lot of stuff posted there which most people would find highly offensive (like using scatological terms to describe government officials and the judicial system), and quite open calls for revolt and assassination. It's not uncommon to read there that "the tree of liberty has to be watered with the blood of ... (insert disliked politician here)" and "string her up" for the likes of Senator Schumer or Secretary Clinton. That situation is very different in China and Russia. Yes, I have colleagues who work in China, a few in Moscow, and a few friends in Russia, and in those states, if you were to write things like that, they would not remain visible. But that's not a debate for the low level of TCP/IP protocols, and in particular not about countries taking control of the address and port numbering authority; this type of censorship is at a different level. The Huawei proposal helps to make packet filtering easier at the low levels, but it has nothing to do with content-based censorship.

What it has to do with is control of addressing and numbering. Say a totalitarian government finds that a computer at IP address 1.2.3.4 is transmitting packets (for example to WhatsApp) that have unwelcome content. Today, the mapping of that IP address to a person is complex, and control of that mapping is spread all over. For example, you can ask DNS servers (which are visible at addresses such as 1.1.1.1, 8.8.8.8 and 9.9.9.9) who that person is, but most of those servers and the number assignments are not under the control of a single totalitarian country government. What the New IP proposal wants to do is to take the numbering and mapping authority and make it a political function.

Here is just one example of simplification. Have you ever tried blocking or identifying all packets that come from China at a firewall? It is doable, and I know people who have to do such tasks. But it is backbreakingly difficult, and a huge maintenance hassle, because China uses about 7000 or 8000 IP address blocks on IPv4 alone. So answering the question "is IP address 1.2.3.4 in China or not" is today a very nasty question, and doing such filtering at speed requires extraordinary hardware resources. With Huawei's "New IP", such things become trivial, and under the full authority of a country. Want to block all IP traffic from Aachen and Zurich? Done. How about inspecting all packets that go to 123 Main Street, Everytown, USA? Easy-peasy.

Today, the internet is one way people can (to some extent) work around communications restrictions imposed by national governments, because no single government controls TCP/IP. With Huawei's New IP, that changes. Actually, within China it doesn't change very much, because there much of the filtering is already well established (but even there, people are capable of working around it).

A separate question is espionage. In most countries with well-funded and well-working "agencies", we can safely assume that much of the network traffic (both voice and IP traffic) is monitored. For most encrypted connections, this is only traffic analysis, unless something about it has been flagged as a high-value target (decrypting everything takes too much CPU power). This applies both in the west as well as in the east. It probably does not apply in developing countries, where there is simply not enough funding for their local agencies. As an example, I don't think the Brazilian government has the CPU power to listen to 200 million people chattering excitedly on cell phones, whereas the NSA in the US does have such abilities. To do that today, they don't need new protocols; they can do that perfectly well already. Taking full control of numbering authorities makes espionage somewhat harder to evade, but I don't think it makes a big difference.
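The question raised in the post above, "is IP address 1.2.3.4 in China or not", is today a membership test against thousands of unrelated prefixes. The following sketch is an added example, not part of the original post: it collapses a prefix table and answers the question with a binary search. The prefix table is constructed from documentation ranges, and `PrefixSet`, `classify_source` and the `REGION-A` label are hypothetical names.

```python
import bisect
import ipaddress

# Constructed sample table built from documentation prefixes (RFC 5737, RFC 3849).
# A real per-country table holds thousands of unrelated blocks.
SAMPLE_BLOCKS = [
    "192.0.2.0/25", "192.0.2.128/25",        # adjacent halves, merge into one /24
    "198.51.100.0/24",
    "203.0.113.0/26", "203.0.113.16/28",     # second block lies inside the first
    "2001:db8::/33", "2001:db8:8000::/33",   # adjacent halves, merge into one /32
]


class PrefixSet:
    """Membership test for one address against many CIDR blocks."""

    def __init__(self, cidrs):
        by_version = {4: [], 6: []}
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            by_version[net.version].append(net)
        self._starts, self._ends = {}, {}
        for version, nets in by_version.items():
            # collapse_addresses merges adjacent and nested blocks and
            # yields sorted, non-overlapping networks.
            merged = list(ipaddress.collapse_addresses(nets))
            self._starts[version] = [int(n.network_address) for n in merged]
            self._ends[version] = [int(n.broadcast_address) for n in merged]

    def __len__(self):
        # Number of blocks left after merging.
        return sum(len(starts) for starts in self._starts.values())

    def __contains__(self, address):
        ip = ipaddress.ip_address(address)
        starts = self._starts[ip.version]
        # Last block that starts at or before the address, if any.
        i = bisect.bisect_right(starts, int(ip)) - 1
        return i >= 0 and int(ip) <= self._ends[ip.version][i]


def classify_source(address, tables):
    """Return the label of the first table containing the address, else None."""
    for label, prefixes in tables.items():
        if address in prefixes:
            return label
    return None


# Hypothetical label; the mapping from label to blocks has to be maintained
# by whoever runs the filter, which is the maintenance burden described above.
TABLES = {"REGION-A": PrefixSet(SAMPLE_BLOCKS)}

if __name__ == "__main__":
    print(len(SAMPLE_BLOCKS), "blocks in,", len(TABLES["REGION-A"]), "after merging")
    for addr in ("192.0.2.200", "203.0.113.64", "2001:db8:ffff::1", "1.2.3.4"):
        print(addr, "->", classify_source(addr, TABLES))
```

The lookup itself is cheap once the table is built; the cost lies in keeping thousands of blocks current and in doing the test for every packet at line rate.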
 
In most western countries, there is remarkably little censorship at the internet level. I could write nearly anything here in this window

People in the west are so convinced of living in a fantastic constitutional, democratic state, or fear so much to lose some of their welfare, that they censor one another. The ISP, the moderator, the owner of the platform does the job.

Try for example to say something against the so called only democracy in the near east, a totalitarian state since its creation till today, a selective democracy, a state in which not the people of the land elect the government, but the government elect who is the people of the land, a state at which the intended "character of the population" has precedence to the most elementary civil rights of people of the land that is not elected by the state.
 
The ISP, the moderator, the owner of the platform does the job.
This is because of rules. Call it constitution, law, forum rules, terms of use.
FreeBSD Forum rules say "no politics here" - period.

And then you give a nice example of self censoring or chilling effect. You talk about "near east", "only democracy", "people of the land". What are your intentions? Why not clearly name what country you mean?

Remember here is tech-talk.
 
What are your intentions?

They are clear and more than clear. My message was an answer of a previous one, it was in a clear context: western countries do not need tech for their censorship (it is at a higher level than IP protocol). I wrote: people censor one another, and I do not restrict it to ISP, platform owner or moderator. And I gave an example and your answer shows that it was a good example. One should ask you: What are your intentions?
 
Yes, China (and Russia and a few other totalitarian states) want to have the ability to perform censorship and espionage at the protocol level. That has been making the round for months now. And in view of their political stance, this is completely not surprising. There is a reason that one shouldn't buy networking gear from Huawei. By the way, many other governments also like to perform espionage, all I need to say is Clipper chip. The difference is that the Chinese government and its commercial arm Huawei are totally open about it: We want the low-level protocols to make censorship easier, and if the IETF doesn't give it to us, we'll go somewhere else. They're not the slightest bit
https://www.reuters.com/article/us-usa-apple-cyber-idUSKCN2242IK
 
ralphbsz,

Cheers, that was a detailed response and in general I do agree with it. One question I suppose I have though is that if certificates signed by central authorities are key to real security. How come SSH servers do not use them? Only web pages? Frankly I like the way SSH works now so I am not complaining, would be nice to know though.

Like you said, real security doesn't really exist or is almost impossible to get right; so in that case I guess I feel that I would rather not have to rely on a central authority *as well as* not having guaranteed privacy. It almost seems like blackmail now where in order for users to "trust" you, you need a certificate; even if your website is a store of cat pictures.

I slightly disagree that security is too difficult to get right. Mostly because my use-case allows me to remove almost every feature making security fairly easy. In my case I do feel I can do better than relying on others (who are mostly concerned with use-cases that need all the functionality in the world to be retained whilst being secure).

When discussing string trimmer engines on the web, I will make sure to start using a different nick! You have me worried now! XD
 
And I gave an example and your answer shows that it was a good example. One should ask you: What are your intentions?
No it was not. Your example is intentionally cryptic. In this thread a lot of countries were called by name (i.e. US, Russia, China). Obviously you do not have the guts to be clear. Which country do you mean? India? Turkey? Israel?

My intentions are to be clear.
 
India? Turkey? Israel?

You are right, to some extent these three countries are ideologically similar, some more radical than other, some more official in this ideology than other, but what of these countries receive more support from the west, or is considered part of the west with all its pretty values, and is more a holy cow? We were speaking about censorship. Sure you knew what country I meant.
 
How come SSH servers do not use them?
As most times a look on ssh(1) helps:

A variation on public key authentication is available in the form of certificate authentication: instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys. See the CERTIFICATES section of ssh-keygen(1) for more information.
 
Yes, China (and Russia and a few other totalitarian states) want to have the ability to perform censorship and espionage at the protocol level. That has been making the round for months now. And in view of their political stance, this is completely not surprising. There is a reason that one shouldn't buy networking gear from Huawei. By the way, many other governments also like to perform espionage, all I need to say is Clipper chip. The difference is that the Chinese government and its commercial arm Huawei are totally open about it: We want the low-level protocols to make censorship easier, and if the IETF doesn't give it to us, we'll go somewhere else. They're not the slightest bit ashamed of being a totalitarian regime, nor do they have to be.

And: IPv6 is pretty universally installed. I've seen quite a few IPv6-only installations.


It has undergone many changes. Not at the basic protocol level so much, but in questions of governance, commercialization, and such. Example is the sale of the .us domain; the move of the root servers. A lot was brought on by the fact that the IANA died; it is at times like this that I think how much we all miss Jon Postel. Alas, he couldn't have stopped the flow of money and power by himself; today the internet is the most important industry in the world (more than oil or transportation), so it is not surprising that it also has to respond to political and economic pressure.


Two comments. Russia and China could easily legislate that the internet within their countries only use protocols that are allowable to them. Then they could route content from the outside. That's exactly what the great firewall does today; all you'd be adding would be a protocol translation.

No, not really. There are two things that are being conflated here. First, we need SSL (meaning https) for security in transit, so packets don't get spied on or modified along the way. In the normal encryption scheme we use today, that means we need keys. SSH also uses keys. Ever noticed that when you first ssh to a host, it asks you whether you want to trust that host? That's because of the second function of https: authentication. When I look at the web site www·ibm·com, I want to be 100% sure that I'm looking at the real thing (the web site of Itsy Bitsy Machines, a local chainsaw repair place that my son and I operate out of our basement), and not some impostor like Irish Business Machines or Immense Bowel Movement. So when a certificate authority issues an SSL certificate to my son and me, they really need to check that (a) we hold the trademark or copyright on the term "IBM", (b) we really are authorized representatives of Itsy Bitsy Machines. That probably requires my passport, matching my picture against what I look like, a certified copy of the articles of incorporation of IBM, Inc., a statement signed in ink by the lawyer that this really is a truthful copy and that User RalphBSz with Elbonian passport number 12345 is indeed the chairman of the board of IBM. To really authenticate, you need a "web of trust", and that trust has to go back to entities such as courts and professions such as lawyers (please don't laugh now, you might cough and catch a virus). Today's certificate issuance doesn't do all of it, but it tries to get as close as practical (which isn't very).

Authentication is exactly the opposite of anonymity: To get an SSL certificate that demonstrates that this packet you got from server www.ibm.com is really an expression of my son's and my opinion, the two of us can not possibly be anonymous, on the contrary: to verify that the web of trust isn't lying, you need to be able to go to the local courthouse and demand to inspect the paperwork for our company, and there you will see a photocopy of the same ugly picture of me, holding my trusty chainsaw.

Now, you say that there should also be a way to have anonymous but authenticated and encrypted web service. For example, you might want to publish your opinions on the best way to tune up string trimmer engines on the web, but because you fear retaliation from me, you don't want to reveal who kpedersen really is. I respect that, and being a champion of free speech, I'm also in favor of you being able to post your opinions (whether right or wrong is irrelevant) anonymously. But you need authentication: If someone comes back a week later to recheck your revolutionary carburetor adjustment instructions, you need to ensure that they really see your page; not a harmless looking page of bambi munching the flowers on a mountain meadow, which the most evil government of Elbonia has placed there after silencing you (silencer is a pun ... 2-stroke engines do have mufflers). Alas, today's https protocol and certificate issuance mechanism isn't designed to provide for anonymous but authenticated secure communications. Diffie and Hellman were not present in the room when it was designed. You lose.

But the important thing is this: Authentication is vitally necessary for 99% of all internet traffic, and I'm super happy that it is in widespread use now. Even though I had to spend countless evenings setting up the SSL certificates for my own personal stuff (even with LetsEncrypt it was painful).

And if you think, just for a moment, that real anonymity exists, you need to get a clue. With relatively little effort, an adversary can trace back where and who you are.


That is a common view in ultra-libertarian circles: Trust nothing, except oneself. Doesn't work and leads to complete nonsense. Very few people have the skills and knowledge to design and implement secure systems. Matter-of-fact, with today's complexity, I bet no single person can do it at all, and it requires teams. If you try to secure your own systems (or if I did), the result would be a security hole the size of a barn door. The reality is that you have to make informed decisions about what you can trust and what you can't.

Here's my favorite funny story about anonymity. A few years ago, I was running a political campaign in a local election, for a certain local issue that involved our schools. We were the "Yes on X" campaign, and measure X was something that was nearly universally popular in our local district, and eventually proposition X won at the election with 85% yes at over 55% turnout. But to make sure we would really win, we campaigned for it, we put up posters, we mailed out letters and postcards, and called voters. And we did that all very officially, with a campaign finance registration, keeping track of all donations and expenses, and all that.

Well, like all political issues, we had opponents. Let's call them Adam, Bob and Charlie. They wanted to campaign against measure X, but they knew that the community opinion was going to be overwhelmingly against them. To protect themselves, they wanted to campaign anonymously. So they sent a letter to the state campaign law and finance commission, asking whether it would be legal for them to anonymously put up posters saying "vote NO on X". The commission sent them a very nice letter, telling them that it is indeed legal to campaign anonymously and without disclosing where the money comes from, but only within very narrow limits (I think it was something like 20 posters, 200 letters and $2000 in expenditures). What these idiots forgot is that government is by its nature public: The campaign commission listed their case on the agenda of a public meeting, they discussed the case at the meeting (with journalists in attendance, although this question was so small it didn't get into the newspaper), and the letters were duly published in the record of the campaign's decision making on the web. Where I promptly found them. So when the posters "No on X" showed up by the road side (without any note on them: "paid for by campaign number 54321"), we immediately knew who had done it: Adam, Bob and Charlie. What's even funnier is that many of our volunteers had seen the three of them, driving around in a burgundy-colored Volvo station wagon, and putting up posters at street corners. What do we learn from this? If you want to do something anonymously, then (a) don't officially ask for permission from a public agency, and (b) don't wear your own faces and drive your own car when doing something anonymous on a public road.
Thank you for your reply that did help make it clearer to me.

Along with the other posts here I believe I understand the new ip. As far as the fact that every country can use whatever networking protocols they deem appropriate for them.

Thanks again.
 
They're not the slightest bit ashamed of being a totalitarian regime, nor do they have to be.
I strongly disagree. China and Russia, and other brutal totalitarian regimes have much to be ashamed of.

Authentication is exactly the opposite of anonymity...
What if I don't really care what person or organization is behind a public key I've come to trust? All I care about is that we've had many mutually beneficial interactions in the past.

Very few people have the skills and knowledge to design and implement secure systems. Matter-of-fact, with today's complexity, I bet no single person can do it at all, and it requires teams. If you try to secure your own systems (or if I did), the result would be a security hole the size of a barn door.
I'm going to keep tilting at them windmills. Your say-so is not enough to get me to stop.
 
Very few people have the skills and knowledge to design and implement secure systems. Matter-of-fact, with today's complexity, I bet no single person can do it at all, and it requires teams.
I'm going to keep tilting at them windmills. Your say-so is not enough to get me to stop.
It is one thing trying to have a system that is designed to be more secure than default. But it is still wise not claiming to have a secure system but suspect it still may be insecure. It's a matter of mindset and behavior. Some may find it difficult to stand this cognitive dissonance, but it is not only a deterministic bit that can be flipped easily. Think about IT-security as a process and yes that might look like tilting windmills, but it has a purpose.

ralphbsz regarding "teams" and state of the art engineering: You should really have a look at the Crypto AG case. It is a brilliant example how cryptography can be turned into snake oil even with foul playing on team members. The hardware was regarded to be 'safe' and that was not questioned. What a fatal error!
 
You have to distinguish between mistake, in particular those that are quickly corrected, and intentional actions. The Apple case you quote seems to be an unintentional bug, which is getting rapidly closed. A counterexample of an intentional action was the (aborted) Clipper chip: the US government, working together with some academic researchers and systems vendors, tried to make encryption of phone conversations de-facto pointless, by trying to legislate that all encryption keys need to be disclosed to the government. That proposal didn't go anywhere.

One question I suppose I have though is that if certificates signed by central authorities are key to real security. How come SSH servers do not use them?
As getopt pointed out, SSH can use authenticated certificates, but by default and usually it does not. I think the reasons are mostly that it is a very different use case. In addition to identifying the host one logs in to, one also has to give username/password credentials, which have to have been distributed beforehand by a different channel. The fact that the server accepts that pair adds a lot of authentication already. And once logged into a machine, one can pretty well validate its identity (for example examine the network configuration). None of that works for reading HTTP pages.
I strongly disagree. China and Russia, and other brutal totalitarian regimes have much to be ashamed of.
I'm sorry, I expressed myself unclearly. This was not a statement about ethics, but about practicality: they are currently succeeding with those behaviors, and there seems to be currently no need to atone for them.
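The two host-trust models discussed above (getopt's quote from ssh(1) on certificates, and the default first-connection prompt ralphbsz describes) both end up as lines in the client's `known_hosts` file. The sketch below is an added example, not taken from any post in this thread or from OpenSSH itself: it parses a constructed `known_hosts` and reports on what basis a host would be accepted. The key blobs are placeholders, `classify_host` is a hypothetical name, hashed host entries are skipped, and verification of the certificate signature itself is not modelled.

```python
import re

# Constructed known_hosts content; the key blobs are placeholders, not real keys.
KNOWN_HOSTS = """\
# Pinned after answering "yes" at the first-connection prompt.
build1.example.org,192.0.2.10 ssh-ed25519 AAAA-constructed-build1-key
# One CA line vouches for every host certificate that CA has signed.
@cert-authority *.corp.example.org,!legacy.corp.example.org ssh-ed25519 AAAA-constructed-ca-key
# A revoked key is refused wherever it shows up.
@revoked * ssh-ed25519 AAAA-constructed-stolen-key
"""


def parse_known_hosts(text):
    """Return (marker, patterns, keytype, key) tuples; hashed entries are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        entries.append((marker, fields[0].split(","), fields[1], fields[2]))
    return entries


def host_matches(host, patterns):
    """known_hosts matching: '*' and '?' are wildcards, a '!' pattern vetoes the line."""
    matched = False
    for pattern in patterns:
        negated = pattern.startswith("!")
        body = pattern[1:] if negated else pattern
        regex = re.escape(body).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, host, re.IGNORECASE):
            if negated:
                return False
            matched = True
    return matched


def classify_host(host, presented_key, signing_ca=None, entries=None):
    """Say on what basis, if any, a client would accept this host.

    presented_key: key blob the server offers.
    signing_ca:    CA key blob if the server offered a host certificate.
    """
    if entries is None:
        entries = parse_known_hosts(KNOWN_HOSTS)
    revoked = {key for marker, _, _, key in entries if marker == "@revoked"}
    if presented_key in revoked or signing_ca in revoked:
        return "revoked"
    pinned_other_key = False
    for marker, patterns, _, key in entries:
        if not host_matches(host, patterns):
            continue
        if marker == "@cert-authority" and signing_ca == key:
            return "certificate-authority"
        if marker is None:
            if key == presented_key:
                return "pinned-key"
            pinned_other_key = True
    # "key-mismatch" is the case behind the loud host-key-changed warning;
    # "unknown" is the case behind the first-connection prompt.
    return "key-mismatch" if pinned_other_key else "unknown"
```

With a CA line in place, a newly installed host under `*.corp.example.org` is accepted without any prompt, which is the "single trusted certification authority" advantage the manual page describes.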
 
The Apple case you quote seems to be an unintentional bug, which is getting rapidly closed.
Yup! It seems to be. Without trying to accuse Apple in this case, but it happens that employees implant bugs intentionally for being compensated "externally".
Tinfoilhat? No. Can be exploited a long time, denied easily and often applauded by the public when fixed rapidly. Therefore audits are made. Very costly but doesn't catch everything.
 
Yup! It seems to be. Without trying to accuse Apple in this case, but it happens that employees implant bugs intentionally for being compensated "externally".
Tinfoilhat? No. Therefore audits are made. Very costly and doesn't catch everything.
I would have voted "tinfoilhat" before I saw the PHK video on Openssl. Now I'm not so sure.
 
I support all the espionage and censorship apparatus, when it is devoted to catch fraud, violence threats, dangerous hoaxes (like Trump's Dettol, and hydroxychloroquine), human trafficking and child pornography, but trying to catch "political unalignment" is frankly ridiculous and undoable (But China is trying hard). However I can't stop to say that there's a lot of obscure and nasty (and in most places illegal) stuff running in Asian countries including but not limited to China, that is backed by people with much money, that start to play to be the victim when governments interfere in their activities, and start to take control or back un-organically, opposition groups, and this turns into a very bad problem, that it can turn or seen as political coercive measures, or even worse, can be a stimulus to governments to harden political censorship. Something that is needed to stress also is that "politics in Asia" and "opposition" are not good friends in any Asian country, and also North American conventions about politics don't apply to the rest of the world, so trying to judge countries in US terms is absolutely wrong (and US politics is turning into the absurd to mutually accusation of <communism> because of be suspected related to "non-communist" country, by 2 conglomerates that are different flavors of the same ideology, neither communist, and neither actually related to it) (So for me US=/Western).
I'm also reading with growing frequency statements like "<New technology>, <I don't understand>,<government backed?>, <espionage!>". This is only a sample from a terrible mix between agoraphobia, ignorance, laziness. The most silly one was the Open Source community rants about UEFI, because of 2 faulty laptop models that not booted linux because a bug.

The idea of freedom of speech in many western countries are far from true since a while, and currently this is more propaganda than reality.
Agree
I.e. UK recently made calling people ugly a hate crime.
Not agree. Freedom of speech is not the right to say the first nonsense that comes into your mind and not see any public disapproval. Is the right to express points of view without arbitrary sanctions or consequences, horizontally like. If the crowd disprove what you say, well, bad luck.
 
It also seems that almost all of the "President Trump injecting himself with silly things" memes have been removed from social media too. They cite "fake news" being the reason so I guess that is the name of western censorship these days. The old name for it used to be "protecting kids".

EU with Structural Funds (and many other funds) throwing money everywhere, US bailouts and all are fine, but when their opponents do: OMG subsidies!
 
Not agree. Freedom of speech is not the right to say the first nonsense that comes into your mind and not see any public disapproval. Is the right to express points of view without arbitrary sanctions or consequences, horizontally like. If the crowd disprove what you say, well, bad luck.

Public disapproval is completely different from hate crime. Also, calling people ugly is not necessarily nonsense, aesthetics (beauty) can be proven using Fibonacci (while taste is a more complicated situation).
 
rigoletto@ what makes you think, that the FreeBSD forums are the right place to open the well known can of worms "freedom of speech" here at this time in this thread? You are suspected of agitprop. Stop it.
Forum Rules!
 
rigoletto@ what makes you think, that the FreeBSD forums are the right place to open the well known can of worms "freedom of speech" here at this time in this thread? You are suspected of agitprop. Stop it.
Forum Rules!

IDK if you realized yet but the subject, the underlying objectives and consequences of the proposed protocol, is just worth to be discussed if done properly, what means establishing its practical consequences.

Since the preliminary observation points to a "censorship" objective and that is directly correlated to "freedom of speech" (among others), and any minimally educated discussion about any subject must begin properly establishing the references or "what is what" (in this case "censorship"), how do you aim to properly discuss anything related censorship without establishing what censorship is (and the consequences of it to the "freedom of speech")?

If you are not properly equipped to have an educated discussion on these subjects you can simply ignore the whole discussion. There is no rule telling the forum users must participate or follow every single thread.
 
If you claim an educated discussion, and you seem to be able to post an elaborate answer, what was your point with that dumb UK example? Spreading nonsense when even claimed to be an example without context and explanation is not a 'properly equipped' discussion.
 
If you claim an educated discussion, and you seem to be able to post an elaborate answer, what was your point with that dumb UK example? Spreading nonsense when even claimed to be an example without context and explanation is not a 'properly equipped' discussion.

Search engines are your friends... Do you really want me and the colleagues to put a citation on every post with things easily found on the internet (including in the UK law database)?

This is not an academic work otherwise I could write hundreds of pages on the subject in about a week (with the citations). I am more than well versed to discuss these subjects, in here or with anyone, not just academic-wise but also because I have been involved with (EU) international politics (investment and lobbying-wise) for more than a decade.

The point is fairly simple and obvious: establish what is considered censorship. Previously have been pointed the obvious (western-mind-wise) censorship in some jurisdictions while there are blatant censorship happening in "advanced" western countries masked as something else.

The situation is: is tagging anything a particular group don't like as hate crime (or anything) censorship or not?[1] The answer is simple for the group supporting those particular view BUT we don't have a really established group in here and, more important, the group is diverse (including unknown location/affiliations).

So, what is the common ground in here?

[1] this is important to know how deep a particular protocol can be designed and be used to block things before approving or condemning that. This is also important to predict what actors will support that or not, even if just behind the scenes. The capabilities of that protocol seem quite desirable to many agencies around the world, of the entire political spectrum.
 