The Battle for Power on the Internet (schneier.com)
238 points by hatchan on Oct 30, 2013 | hide | past | favorite | 30 comments



This is a great piece that should go to top of HN.

We can reverse the trend as consumers, by questioning our consuming behaviour. And as hackers, by building tools that the users like and which make the web more free.

Power is where the money is. And power makes legislation. It will only get harder from now on.

But on the upside, software is a very malleable thing. New applications can be developed quickly. And they can replace established ones.


"We can reverse the trend as consumers"

No, you can't. You can reverse this trend as a peer on the network, but not as a consumer.


Off-topic observation: I like Bruce Schneier, really. But now I dread the sense of déjà vu that accompanies most of his posts on HN, because each one gets reposted multiple times. Mostly because Schneier himself reposts all his columns that appear elsewhere on his own blog after a few days or weeks, and those reposts get reposted to HN.

For instance, this piece originally appeared at The Atlantic on 24th Oct:

http://www.theatlantic.com/technology/archive/2013/10/the-ba...

https://news.ycombinator.com/item?id=6604967

Of course the original post never got a single comment, so I guess this repost added more value to the HN community :-/


My guess is that people recognised the schneier.com domain.


"Our e-mail, photos, calendars, address books, messages, and documents are on servers belonging to Google, Apple, Microsoft, Facebook, and so on."

That's not a given. Not only is it trivially easy to host your own email, there are a number of very positive side-effects of doing so. For instance, when I email my wife, it's just a local copy operation - no network traffic is generated, and thus nothing can be intercepted by third parties.

Further, although I have not done it yet, it appears to be only slightly more technically challenging to provide your own dialtone.

In 2013 the Internet traffic I actually do generate is much more secure than the Internet traffic I generated 20 years ago. Now I have a VPN to various endpoints around the globe. That's much better than telnet to tc.umn.edu :)

The disconnect here is that he is talking about particular consumer properties (walled gardens) that happen to exist on the Internet. It surprises me, given who the author is.


> Not only is it trivially easy to host your own email

Perhaps for you, but average Joe does not know, nor care, how to do this. I've worked with "technical people" who couldn't figure out how to use PGP to encrypt emails; imagine trying to explain to random people what a VPN is.

As long as signing up with Gmail stays easier than hosting your own email, nobody will ever bother - and this is the danger Schneier is talking about.


Maybe it's trivially easy to host your own e-mail, but isn't it pretty hard to convince other servers to accept e-mail originating from your host? I haven't been following things closely, but I remember reading about stuff like DKIM and SPF and I seem to recall that you need a static IP for some of the stuff involved. All in all, sounds like a non-trivial hassle and non-trivial cost.

On that note, is there a down-to-earth guide to setting up your own e-mail host?
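The comment above asks what SPF and DKIM actually require of a self-hosted mail server. The following is an added example, not code from the thread or from any project it mentions: a small, offline SPF evaluator that walks an `spf1` record the way a receiving server does (RFC 7208 ip4, ip6, include and all mechanisms). The domain names, IP addresses and TXT records in `FAKE_DNS_TXT` are constructed stand-ins for real DNS answers; a real check would fetch the TXT records over DNS, and the `a`, `mx` and `exists` mechanisms, which also need DNS, are reported as errors here rather than resolved.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# example.org publishes one IPv4 host, one IPv6 prefix, and delegates to a
# hypothetical mail provider's record via "include"; unmatched senders fail.
FAKE_DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.10 ip6:2001:db8::/48 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, txt_lookup=FAKE_DNS_TXT, depth=0):
    """Return the SPF result for sender_ip claiming to send mail for domain.

    Only ip4, ip6, include and all are implemented; anything that would need
    a live DNS query (a, mx, exists, redirect=) yields "permerror" here.
    """
    if depth > 10:
        # RFC 7208 caps DNS-querying mechanisms at 10 per check.
        return "permerror"
    record = txt_lookup.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # The included record is evaluated recursively; only a "pass"
            # counts as a match, and a missing record is a permanent error.
            sub = evaluate_spf(arg, sender_ip, txt_lookup, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror", "temperror"):
                return "permerror"
        else:
            return "permerror"  # a, mx, exists, redirect= not supported offline

    # No mechanism matched and no explicit "all": the record is neutral.
    return "neutral"


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7", "2001:db8:0:1::5", "203.0.113.5"):
        print(sender, "->", evaluate_spf("example.org", sender))
```

The static-IP point in the thread is visible in the record itself: SPF names the addresses allowed to send for the domain, so a host whose address changes would have to republish the TXT record each time.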


You need a static IP, yes, but any VPS will get you one, so that can hardly be an issue. In seven years of hosting my own email I never had issues with delivering mail to other providers.

Setting up an SMTP daemon and IMAP/POP3 server is rather easy, the most difficult decision being which SMTPd to choose (I like Postfix, but Exim is Debian’s default and hence supposedly good as well, others like Courier) and then reading the relevant manpages :)

If you search for, e.g., "Postfix tutorial", you'll find plenty of reasonably good guides.


Setting up an email server which at least comes close to Gmail's quality is definitely not to be qualified as an "easy" process. Having gone through this several times, I can assure you that you will spend a good several days and nights investigating, choosing, configuring, debugging, and enabling useful features like greylisting.

Then again, you have to worry about redundancy. How would you feel missing an important email due to your VPS/dedicated server currently being DDoS'ed or unreachable for other reasons?

In addition, do not forget about backing up.

So, that again is in no way an "easy 1 hour" task, especially for those who are doing it for the first time.


> You need a static IP, yes, but any VPS will get you one, so that can hardly be an issue.

At which point all your data is up for grabs by your VPS provider?

I host my own mail (for values of "my own" where mail server is hosted on a vps on a foreign server), but I think it's a stretch to say it's trivial to do so.

I think one of the most serious problems the Internet is facing is the growing split between "servers and hosts" and "consumers and clients" -- and the asymmetric bandwidth (both adsl and cable). It favours designs that are centralized, not because of sound architectural reasons -- but because of inferior infrastructure.


I don't understand why email hosting has to be so difficult. You say it is easy, which it is if you know what you are doing, but it is not really that simple, is it? There is no out-of-the-box solution that just works; even the Microsoft effort called Exchange is not that. You should be able to configure a mail server with the ease with which you can configure a mail client.


Spam is the reason. Mail servers are easy to set up, it's all the crap you need to do to actually get your mail accepted that's hard.


In 16 years of running my own mail server(s) I have never done anything to "get my mail accepted", other than make sure relaying is turned off, which I think it is by default in just about every implementation since 1998.


Consider yourself lucky. I made the mistake of not setting up my email with OpenDKIM and virtually all of my mail went to spam for a few months.
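The comment above blames missing DKIM signatures for mail landing in spam. As an added example, not code from the thread or from OpenDKIM, the block below shows what the receiving side actually verifies from a DKIM signature: the body hash (`bh=`) computed over the RFC 6376 "relaxed" canonical form of the message body, and the `_domainkey` DNS name where the selector's public key is published. Signing the header set (`b=`) needs the private key and is what OpenDKIM does; it is left out here. The domain `example.org`, selector `mail` and message bodies are constructed for the example.

```python
import base64
import hashlib
import re


def relaxed_body_canonicalize(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    Runs of whitespace within a line collapse to one space, trailing
    whitespace is removed, trailing empty lines are dropped, and a non-empty
    body always ends with CRLF. Small formatting changes made in transit
    therefore do not break the body hash.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    out = []
    for line in lines:
        line = re.sub(r"[ \t]+", " ", line)  # collapse WSP runs to a single SP
        out.append(line.rstrip(" \t"))        # strip trailing WSP
    while out and out[-1] == "":              # drop trailing empty lines
        out.pop()
    if not out:
        return b""                            # an empty body stays empty
    return ("\r\n".join(out) + "\r\n").encode("utf-8")


def dkim_body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_dns_record_name(selector: str, domain: str) -> str:
    """DNS name a verifier queries for the signer's public key (TXT record
    of the form "v=DKIM1; k=rsa; p=<base64 public key>")."""
    return f"{selector}._domainkey.{domain}"


def dkim_signature_tags(domain: str, selector: str, signed_headers, body: str) -> str:
    """Tag list of a DKIM-Signature header with the b= value left empty;
    the signer fills it in with an RSA signature over the header set."""
    tags = [
        "v=1", "a=rsa-sha256", "c=relaxed/relaxed",
        f"d={domain}", f"s={selector}",
        "h=" + ":".join(signed_headers),
        f"bh={dkim_body_hash(body)}",
        "b=",
    ]
    return "; ".join(tags)


if __name__ == "__main__":
    # Constructed message body; the second variant differs only in whitespace
    # and trailing blank lines, so both produce the same body hash.
    body_a = "Hello, world\r\nSent from my own server.\r\n"
    body_b = "Hello,   world \nSent from  my own\tserver.\n\n\n"
    print(dkim_body_hash(body_a) == dkim_body_hash(body_b))  # True
    print(dkim_dns_record_name("mail", "example.org"))
    print(dkim_signature_tags("example.org", "mail", ["from", "to", "subject", "date"], body_a))
```

A receiving server recomputes `bh=` from the body it received and compares it with the tag before it even looks at the signature, so a body that was altered in transit fails DKIM regardless of the key.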


> That's not a given.

I think it's safe to say he was referring to the 99.99% of internet users for which his statement is true. Sure, he's generalizing a tiny bit, but it's basically true.


The biggest reason for having Gmail is that it is backed up and accessible anywhere. But this is easily replicated in local caches:

You can make it accessible anywhere with a smart phone. You can back up by encrypting the data with a public key and sending to a drop box type service; with the private key stored offline. Most web apps could be easily replicated by storing the data in an append only structure with timestamps. The internet then just becomes a messaging system.

I think the VPN tunnel approach should be pushed by everyone. Lots of companies could secure most of their communication by creating a few tunnels to key clients. Email would be immediately secure without any PKI.


> In 2013 the Internet traffic I actually do generate is much more secure than the Internet traffic I generated 20 years ago.

To use the Internet successfully in 1993, you had to be knowledgeable enough to do the things you're talking about. I'd wager roughly 97%+ of the population is not smart enough, which is why Bruce's statements are in effect true.


It may be trivially easy to host your own email, but in my experience it is nowhere as easy to do your own spam filtering.

A few years ago when I ran my own mail server, having only one false negative was a good day. Google can throw teams of people at the problem.


Serious question: is there any point until everyone encrypts their email?


Yes, I think so - especially for intercompany email and your family.

It may interest you to know that not one piece of intercompany email at rsync.net has ever traversed any network. It's all just a local copy operation.[1] So, no encryption, but ... that's not relevant in this case.

The same could be true for your family, or small social circles that share an email server. If you use a secure mail client to connect to the server, and all mail on that domain doesn't traverse a network ... that's a win, even without "email encryption".


> So who wins? Which type of power dominates in the coming decades?

Institutional power will win in the coming decades, but fringe power in the coming centuries as humans colonize the solar system. Each planet/moon will eventually have control of its technical infrastructure. In the coming millennia, as humans journey out to the stars, it will be almost impossible for one star system to control another. Thank God for the speed of light!

> Medieval feudalism evolved into a more balanced relationship in which lords had responsibilities as well as rights.

I'm not sure "evolve" is the best word. Diseases killed many serfs in both Europe and China, often many all at once (e.g. the Black Death), which gave the survivors more power suddenly.


I think institutional power is on the wane. The fact that so many institutions are flexing their muscle is a prime indication. There's a saying "when you're taking flak you know you're over the target".

I'd say the biggest problem right now is one of awareness and direction. But as people become more attuned to these latent problems that are becoming more obvious, it will drive ideas and action. Since the problem is not a lack of know-how or resources, it's that growing awareness which will make all the difference.

Consider the amount of work that has gone into open source projects (like Firefox, Linux, Apache, Rails) and crowd-sourced projects (like Wikipedia or Stack Exchange). With the right kind of well-directed projects the tables can, and will, be turned.

Imagine, for example, a web that was designed to prevent eavesdropping and designed to ensure maximum longevity of content (through duplication). Something closer to BitTorrent than today's web. It would be technologically challenging, but doable. Then imagine what happens if the equivalent of the worldwide workforce developing, say, Linux was dedicated to developing tools to decentralize the network.

Over the next few decades the cost of wireless APs will become trivial even as their capabilities increase vastly. It won't take long before it's possible for unregulated internetworks with wireless backbones owned by many individuals to become possible, among many other innovations. At some point centralized control over communications becomes untenable. And that's just square one.


I am not convinced that the solution to criminals increasing their power with technology is purely political. There are technological solutions as well. Criminals are raiding bank accounts by tricking people into divulging secret passwords or other information? Banks can issue smart cards, thus ensuring that secrets cannot be inadvertently divulged (because the cards cannot divulge their secrets). Governments are abusing their surveillance powers? We can build systems that encrypt messages and send the ciphertexts through mix-nets (or more complicated approaches for things like social networking [1]).

The political side of this should be encouraging or at least not discouraging the deployment of such technologies. Laws can be changed more easily than technologies. Deploy a secure infrastructure now; if the law changes later, the technology will still protect us.

[1] https://www.usenix.org/conference/usenixsecurity12/social-ne...


The other side of this is countries using the NSA furor as an excuse to create a more balkanized Internet, firewalling themselves off from those nasty furineers.


I would hardly call "other countries" reactions just an excuse... If the internet becomes more balkanized, it is on the NSA and American government's head, nobody else's.


Really, you are very naive; the ITU and the usual suspects have been trying for this for decades. As they say, "don't waste a crisis".


Considering such a thing has been underway since well before the recent Snowden revelations, I'd say you're buying the convenient excuse that has landed in their collective laps.


Schneier asserts that the modern situation is like feudalism. There's a bit of a wild west situation in which various groups can cyberattack others and then hide. Powerful entities like Google and the U.S. government have the capacity to defend themselves against cyberattacks, and even to attack, but most individuals do not, except for the small percentage of technologically sophisticated individuals, similar perhaps to the warrior classes of old. The ordinary individuals, like peasants, are stuck with the security configurations given to them by the feudal lords. The lords usually act in their own interests, rather than for the interests of the peasants.

However, I opine that there are huge differences that make the feudal metaphor ill-fitting. Quoting Wikipedia: "In its classic definition, by François-Louis Ganshof (1944), feudalism describes a set of reciprocal legal and military obligations among the warrior nobility, revolving around the three key concepts of lords, vassals and fiefs....A lord was in broad terms a noble who held land, a vassal was a person who was granted possession of the land by the lord, and the land was known as a fief....the lord and vassal entered into a contract in which the vassal promised to fight for the lord at his command, whilst the lord agreed to protect the vassal from external forces....Since at least the 1960s, when Marc Bloch's Feudal Society (1939) was first translated into English in 1961, many medieval historians have included a broader social aspect that includes not only the nobility but all three estates of the realm, adding the peasantry bonds of manorialism and the estates of the Church; this is sometimes referred to as "feudal society" since it encompasses all members of society into the feudal system."

The present-day cybersecurity situation involves none of:
(1) peasants who pay feudal dues
(2) a subset of peasants (call them serfs) who were not permitted to migrate
(3) the Church estates
(4) vassals and peasants to which the lords provide land and protection
(5) vassalage in which the vassal promises to provide military service

The first four are debatable. One might say that one's loss of privacy on Facebook is like a feudal due.

Although people are certainly not prohibited from migrating between Facebook, Gmail, macOS and their competitors, the high costs of migration from lock-in and network effects may be thought of as a "soft serfdom", if not an absolute one.

One might argue that the construct of feudalism is still useful without the role of the Church.

Internet security differs from physical overland security in the feudal era in that a distant invading army need not conquer or ally with your neighbors in order to be able to reach you; cybercriminals can attack you from anywhere in the world. This has implications for the relevance of a nearby 'lord' who gives you land; however, one could still argue that the 'land' being given is something like a software configuration, and to the extent that yours is vulnerable, so are others running similar configurations, so there is in fact some way in which it is somewhat more efficient for the lord to protect 'his' land than for you to contract protection from some other powerful entity on the other side of the globe.

However, the last point, vassalage involving military service, is both absolutely central to feudalism and entirely lacking in the present-day cybersecurity situation. Nowadays we exchange money, not service, for protection, and while this arrangement became common in later feudalism, I opine that it is because that was not workable at the beginning that feudalism even arose.

Still, it does seem that the existence of an elite 'warrior class' of cybersecurity warriors is coming to pass: people with both skills that require extensive training and artifacts which are relatively expensive, and whose skills and artifacts would allow even one of them to decisively defeat large numbers of untrained, poorly equipped non-warriors. The existence of a warrior class was one of the primary reasons that the system of feudalism arose. So perhaps we'll see the emergence of a feudal cybersecurity system sometime in the future, one in which individual cybersecurity experts, and organizations who can employ them, subordinate themselves to greater 'lords' by pledging military service, in exchange for protection and 'land', meaning software platforms and 'network real estate' (e.g. things like a Facebook page).

But there are reasons to doubt that. First, I think feudalism arose during a time of a breakdown of trade and declining populations; in such a situation a lord needs to demand military service directly, rather than taxes with which to buy mercenaries, because of high transaction costs. This is not the case today; it is easier for Facebook to collect money from business activities and spend some of that on employing cybersecurity professionals, rather than to grant lavish privileges to those of its users who are cybersecurity experts in exchange for their labor.

Second, today many governments might choose to prosecute cybersecurity vigilantes within their borders, making non-state 'armies' of 'cybersecurity warriors' ineffective.

In summary, what Schneier is talking about is a situation where a variety of large organizations have a lot of power. IMO feudalism means something more specific.


It seems Schneier is saying less and less about specific, fundamental issues and speaking more of abstract, high-level political and social concepts. He seems to have lost all power over his understanding of important breaking security issues and is left playing catch-up, trying to understand what has already happened. My guess is this is a result of the privatization/monetization/markets of zero-days, re-establishing control of technology by the classic economic systems and taking it from engineers and experts.

That said, I don't think I'll bother reading anything else from Schneier's desk from this point forward. If he thinks that the "battle" is being fought on the edge of corporate networks, he's lost the trees for the forest. The real battle is happening for eyes and ears, on the streets, like it always has been. Less and less does some random person who happens to be the descendant of some king think the way the entire IT market needs to move so that "society" doesn't collapse, and less and less is anyone listening to that person or believing he has any power. Real-time web of things or whatever you want to call it, nobody is buying it. If he thinks that people buying an iPod is signing allegiance to Apple's security forces, well, he's wrong. If he thinks EULAs are going to be enforced in court, he's wrong. So considering those two flaws in the foundation of his world view, the rest of his rambling screed has been lost to the world of fiction.


Well, I doubt a certain Japanese-American political theorist would look too kindly upon his characterisation of medieval political development...



