Archive for the ‘Public Policy’ Category

Internet Governance in the Crosshairs

Monday, July 2nd, 2012

The Internet has historically largely run in an open and cooperative fashion, speaking very broadly of course. The implication being that it has largely been unregulated in an international sense, and not subject to the recommendations and policies fostered by formal nation State-level organizations such as the ITU-T, which is a specialized agency of the UN. Historically, various forms of telegraph and voice communications (radio and wireline) have been subject to this, but the Internet is a fundamentally different beast.

Various actors are apparently presently maneuvering in a Pynchonian attempt to not-so-subtly add language to the ITU-T’s International Telecommunication Regulations (ITRs) — which are up for review and revision in Dec 2012 at the World Conference on International Telecommunications (WCIT) — such that the Internet either explicitly or implicitly falls under the purview of the ITRs, thus the ITU-T.

Of course this is all extremely complicated, infested with swarms of acronyms, and has implications for how Internet governance policies and technical standards development plays out in the longer term. Thus it has implications for how the Internet evolves as a platform for international communication and commerce — for individuals, businesses, organizations, governments, you-name-it.

Others are paying direct attention to these developments and are blogging extensively about it. A modest selection is:

There are more sources out there, but hopefully that will provide you gentle readers with good starting points.

Seems we can all just GetYourCensorOn ..or we can go after SOPA and ProtectIP/PIPA

Saturday, December 17th, 2011

For illustrations of potential end-user downsides of SOPA and ProtectIP/PIPA, and to do something about them (yes, you), see..

GetYourCensorOn
http://getyourcensoron.com/

Stop American Censorship
http://americancensorship.org/

For what a bunch of folks involved in engineering the Internet think, see..

An Open Letter From Internet Engineers to the U.S. Congress
December 15, 2011 | By Parker Higgins and Peter Eckersley
https://www.eff.org/deeplinks/2011/12/internet-inventors-warn-against-sopa-and-pipa

For some further commentary, see the below (this is just some highlights, you don’t have to look far to find a bunch more out there)..

Some Data On How Much The Big Media Firms Are Donating To SOPA/PIPA Sponsors
http://www.techdirt.com/articles/20111203/00494716961/some-data-how-much-big-media-firms-are-donating-to-sopapipa-sponsors.shtml

YouTube rejects UMG demand – Megaupload Mega Song returns
http://www.nnsquad.org/archives/nnsquad/msg06203.html

SOPA-Rope-a-dope (by Stewart Baker)
http://volokh.com/2011/12/14/sopa-rope-a-dope/

Technical Comments on Mandated DNS Filtering Requirements of H. R. 3261 (“SOPA”)
http://www.circleid.com/posts/20111211_technical_comments_on_mandated_dns_filtering_requirements_sopa/

‘Combating Cybercrime’ whitepaper

Sunday, May 8th, 2011

My colleagues Michael Barrett, Andy Steingruebl, and Bill Smith recently authored a whitepaper..

Combating Cybercrime: Principles, Policies, and Programs

..and Michael blogged an executive summary here.

The executive executive summary is:

Technical measures alone cannot significantly address the cybercrime trends, we believe action is needed, and are proposing a multi-faceted regulatory approach. We’re occasionally asked to “list the three things you want us to do.” And while we’re hesitant to say any of these initiatives is more important than any other, in general, we list:

Also, Dave Piscitello, ‘The Security Skeptic’, reviewed the whitepaper here.

=JeffH sez check it out :)

‘HTTP State Management Mechanism’ (“cookies”) to Proposed Standard

Monday, March 7th, 2011

There have been various fundamental issues with “HTTP cookies” for ages, both technically and policy-wise (i.e. privacy). The two extant formal specifications of cookies, IETF RFCs 2109 and 2965, as well as the original informal and incomplete “Netscape cookie spec”, have not been implemented uniformly across browsers and servers. Thus how cookies are actually constructed, parsed, and used in practice has been essentially technical folklore. Anyone wanting to craft a new browser or some other application or tool that needs to consume or send cookie headers had to reverse engineer how the browsers were actually doing it, as there wasn’t (until now) an accurate specification an implementer could use for reference. This has led to divergence on edge-cases for cookies within various browsers, servers, and other tools.

We’ve been working with browser, server, and web app folk in an IETF working group, “httpstate”, to rectify this, and the draft spec was recently approved for publication as an IETF RFC at the “Proposed Standard” maturity level. This spec differs from the prior specs in that it specifies how cookies are actually used on the Internet today. Anyone crafting a new client or server can implement the spec and have an interoperable implementation as a result.

This is great in that getting this finally explicitly documented will be a key underlying piece of moving “the Web”, and the wider Internet it’s built upon, on towards its next stage(s). Hopefully, browsers and servers can now converge their “cookie behaviors” :)
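To make the “specifies how cookies are actually used” point concrete, here is an added example (not code from the httpstate working group or from the spec itself) of the receive-side algorithm the approved spec documents, as later published as RFC 6265 sections 5.2 and 5.3: the name/value split, the attribute handling, the default-path rule, the domain-match check, and the Max-Age-over-Expires precedence that older specs left to folklore. The reference “now”, host and paths are constructed values; the Expires date handling is simplified to two common layouts (an assumption, since the RFC’s own date algorithm is more lenient).

```python
from datetime import datetime, timedelta, timezone

# Constructed reference "now" so expiry arithmetic is deterministic offline.
NOW = datetime(2011, 3, 7, 12, 0, 0, tzinfo=timezone.utc)

# Date layouts accepted for Expires. RFC 6265 section 5.1.1 defines a more
# lenient token-based parse; accepting just these two is an assumption here.
_EXPIRES_FORMATS = ("%a, %d %b %Y %H:%M:%S GMT", "%a, %d-%b-%Y %H:%M:%S GMT")


def default_path(request_path):
    """Default-path per RFC 6265 section 5.1.4: the request path up to, but not
    including, its right-most '/'; '/' when that would be empty."""
    if not request_path.startswith("/"):
        return "/"
    cut = request_path.rfind("/")
    return "/" if cut == 0 else request_path[:cut]


def domain_matches(host, domain):
    """Domain-match per RFC 6265 section 5.1.3 (host names only, no IP check)."""
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header, request_host="example.com", request_path="/", now=NOW):
    """Parse one Set-Cookie header value into the record a user agent stores
    (RFC 6265 sections 5.2 and 5.3). Returns None when the header must be
    ignored entirely."""
    nv, _, rest = header.partition(";")
    if "=" not in nv:          # 5.2: no '=' in the name-value pair -> ignore
        return None
    name, _, value = nv.partition("=")
    name, value = name.strip(), value.strip()
    if not name:               # 5.2: empty cookie-name -> ignore
        return None

    cookie = {
        "name": name, "value": value,
        "domain": request_host.lower(), "host_only": True,
        "path": default_path(request_path),
        "secure": False, "httponly": False,
        "persistent": False, "expiry": None,
    }
    max_age_expiry = None
    expires_expiry = None

    for attr in rest.split(";"):
        aname, _, avalue = attr.partition("=")
        aname, avalue = aname.strip().lower(), avalue.strip()
        if aname == "max-age":
            # 5.2.2: optional leading '-' then digits only; otherwise ignored
            body = avalue[1:] if avalue.startswith("-") else avalue
            if body.isdigit():
                secs = int(avalue)
                max_age_expiry = now if secs <= 0 else now + timedelta(seconds=secs)
        elif aname == "expires":
            for fmt in _EXPIRES_FORMATS:
                try:
                    expires_expiry = datetime.strptime(avalue, fmt).replace(tzinfo=timezone.utc)
                    break
                except ValueError:
                    continue       # unparseable date: the attribute is ignored
        elif aname == "domain":
            dom = avalue.lstrip(".").lower()    # 5.2.3: a leading '.' is dropped
            if dom:
                if not domain_matches(request_host.lower(), dom):
                    return None                 # 5.3 step 6: ignore the cookie entirely
                cookie["domain"], cookie["host_only"] = dom, False
        elif aname == "path":
            # 5.2.4: empty, or not starting with '/', falls back to default-path
            cookie["path"] = avalue if avalue.startswith("/") else default_path(request_path)
        elif aname == "secure":
            cookie["secure"] = True
        elif aname == "httponly":
            cookie["httponly"] = True
        # any other attribute-name is ignored (5.2 step 3)

    # 5.3: Max-Age takes precedence over Expires, whatever order they arrive in
    expiry = max_age_expiry if max_age_expiry is not None else expires_expiry
    if expiry is not None:
        cookie["persistent"], cookie["expiry"] = True, expiry
    return cookie
```

The interoperability payoff is in the rejections and fallbacks: a header with no `=`, an empty name, or a Domain the request host does not match is dropped outright, a relative Path silently becomes the default-path, and a malformed Max-Age is ignored rather than guessed at. Those are exactly the edge-cases where implementations used to diverge.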

Our more detailed blog post (which includes some history) is here..

‘HTTP State Management Mechanism’ to Proposed Standard
http://www.thesecuritypractice.com/the_security_practice/2011/03/http-state-management-mechanism-to-proposed-standard.html

=JeffH sez check it out :)

Susan Landau’s new book and Huffington Post blog

Wednesday, February 23rd, 2011

Susan Landau, with whom I’ve had the pleasure of working and co-authoring some documents (e.g.: a, b, c), has a new book that’s now available: Surveillance or Security? The Risks Posed by New Wiretapping Technologies.

Additionally, NPR ran an All Things Considered piece yesterday on the wiretapping topic and interviewed Susan for it.

Also, she’s blogging (here) at the Huffington Post on these and overall security/policy topics.

=JeffH sez check it out :)

New version of OpenID SAML comparison document

Monday, January 21st, 2008

I’ve done a modest editorial and copy editing update to the OpenID SAML technical comparison document announced earlier. Going forward, the latest rev will be available via this URL:

http://identitymeme.org/doc/draft-hodges-saml-openid-compare.html

(Draft) Technical Comparison: OpenID and SAML

Monday, December 17th, 2007

Over the past couple of years quite a few folks have asked me, and I’m sure others, “what are the salient differences between OpenID and SAML?” So earlier this year I began hacking together a technical comparison of the two. It’s an interesting exercise comparing two Web SSO protocols, even one as ostensibly simple, and straightforwardly specified, as OpenID. It turns out to be a fairly complex task given all the different facets inherent in authentication protocols in general, and in web-, i.e. HTTP-based, protocols (and profiles thereof) in particular. And also given the various audiences affected by such protocols: implementors, deployers, end users, and protocol designers.

The resultant comparison paper, “Technical Comparison: OpenID and SAML – Draft 05” seems to me to be at a stage where it can be shared widely (i.e. on the web :) ), here it is..

http://identitymeme.org/doc/draft-hodges-saml-openid-compare-05.html

..For many readers, sections 1, 2, and perhaps 3 ought to cover things. For those necessarily interested in gory, really geeky details, parts or all of section 4 will be of interest. Note that this is still a “draft” – there are various items, especially in section 4, that are not as yet evaluated as thoroughly as I’d like, or at all (as yet).

I’ve tried as much as possible to provide an objective comparison. It’s admittedly difficult given I’ve been intimately involved in SAML’s gestation since essentially the very beginning. It’s also a technically difficult comparison because of the differing design centers of OpenID and SAML, as well as differing specification styles, and thus the difficulty in presenting the comparison to the reader, not to mention attempting to be “balanced”.

So, I hope this paper will prove at least somewhat enlightening and useful to the multifaceted “identity” community out there, and to those shepherding websites who are wondering what these two oft-mentioned beasts are, how they’re different/similar/alike, and also nominally how they work.

=JeffH sez check it out.

Debate on Cost Analysis of Windows Vista Content Protection

Friday, January 26th, 2007

Well, I’m using the term “debate” loosely here because it seems to me, given the marshalled evidence, there isn’t much of a debate to be had, but in any case, Microsoft has responded to Peter Gutmann’s cost analysis of the DRM subsystems in Windows Vista (which I’d written about earlier), and also in system hardware that has anything to do with handling of so-called “premium content” (i.e. content encoded onto newly emerging HD-DVD and Blu-Ray discs). Their reply is here..

Windows Vista Content Protection – Twenty Questions (and Answers)
http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx

Peter Gutmann’s rebuttal to Microsoft’s response is here..

Microsoft’s Response
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html#response

..which is an appendix of his overall “Cost Analysis of Windows Vista Content Protection” paper.

If you are at all curious as to the veracity and logic of Microsoft’s response, it is worth reading Peter Gutmann’s response in detail.

A Cost Analysis of Windows Vista Content Protection

Thursday, December 21st, 2006

Peter Gutmann has just published a fairly detailed examination of Windows Vista Content Protection. It is highly recommended reading in that it has non-trivial implications for essentially all personal computer users of any stripe…

A Cost Analysis of Windows Vista Content Protection
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

Note that this analysis dovetails with Bruce Schneier’s overall “DRM is futile” piece from 2001…

The Futility of Digital Copy Prevention
http://www.schneier.com/crypto-gram-0105.html#3

And also it has been coming for a while. Here’s a Microsoft doc from early 2005 that goes into fair detail describing the DRM-driven system workings that Peter analyzes…

Output Content Protection and Windows Vista
Updated: April 27, 2005
http://www.microsoft.com/whdc/device/stream/output_protect.mspx

..although interestingly enough, Technorati lists only 13 references to it in their view of the blogosphere. Perhaps this upcoming train wreck isn’t all that widely perceived.

To me, Microsoft’s introduction of this level of bizarre complexity into the hardware and software platform simply tends to reinforce the refrain of one of my colleagues: “I ain’t going anywhere near Vista.”

Seems like I’ll have to sooner or later get around to experimenting with bringing up Ubuntu and/or CentOS and evaluating what it’ll take to migrate my environment over to one of them. Oh, yeah, and get my hardware upgraded sooner rather than later here so that it hopefully won’t have this foolishness in it. I wonder how long into the future XP will be supported?

[update 25-Dec-2006]

Peter has updated his analysis paper to provide pointers to publicly available sources.

Observing and Analyzing the Intersection of Privacy, Security, and Public Policy

Saturday, March 11th, 2006

My colleague and friend, Susan Landau, works (in one of her multiple facets) at the intersection of privacy, security, and public policy. I find it a good idea to keep up on what she’s writing in these areas. She doesn’t (yet?) have a blog per se, but watching the publications section of her homepage works pretty well — hence there being a link to her page in my sidebar here. She has a couple of recent articles on the multi-faceted topic of the Internet/VoIP and wiretapping/CALEA that are interesting and provocative…