What’s WCIT about? It depends on who you ask.

This week the World Conference on International Telecommunication (WCIT) began with a remarkable and important declaration from the Secretary General, Dr. Hamadoun Touré:

And WCIT is not about Internet governance.  WCIT is about making sure that we connect the billion people without access to mobile telephony, and that we connect the 4.5 billion people who are still off line.

Let’s first take a moment to celebrate the fact that 2.5 billion people have access to the Internet, and that the rate of Internet penetration has grown at a rate of 14% over the last few years to 35%, according to the ITU’s own numbers.  That’s great news, and it leads to a question: how shall WCIT focus on improving on that number?   How have the International Telecommunication Regulations that have served 2.5 billion people not served the other 4.5 billion?

Unfortunately, none of the proposals that have been made available actually focus on this very problem.  Instead, at least one prominent proposal from Russia focuses on… Internet governance.  Let’s wish the Secretary General great success in persuading Russia and other governments that indeed that is not what this conference is about.

How Important Is Your EMail Address To You?

Really it’s not clear to me if this is a generational thing or what, people tell me that email addresses are no longer that important to them, what with MySpace, FaceBook, and the like.  Others just use SMS, where their cell phone number is the important for people to reach them.  For some, however, their email address is their identity, and their only means of being reached by friends and family.  That’s true for me, at least.  I’ve had the same sets of email addresses for about 12 years– one for work, one main one for play, and a bunch of others for special use.  This is nothing compared to my parents, who have had (roughly) the same phone number for almost forty years.

If your email address is important, here’s a question you should ask: is it important for you to control it from a legal standpoint?  Why would you want to do this?  Let’s look at a few cases:

  1. Your Internet Service Provider (ISP) provides you your email address with your Internet service, be that DSL, Cable, or something else.  What happens if you decide to change ISPs?  Do you lose your email address?  And do you care?  Can someone else get your old email address, and what are they likely to receive?
  2. You have a free email account from a service like Yahoo!, MSN, or Google, and the account gets broken into.  The first thing the bad guy does is change all of the security questions that are meant to cover password recovery.  How, then, are you able to prove to the service provider that the account was yours in the first place?  Can you even get your old account shut down, so that the attacker can’t masquerade as you?
  3. This is the inside-out version of (2): suppose someone claims you are masquerading as the legitimate owner of your account?  Who do you go to in order to prove that you are the legitimate owner of the account?
  4. Your mail service provider goes out of business, and the domain they have been using for you is sold.
  5. There’s one special case I’ll mention, but let’s not try to solve it: you use your work email for all email, and you change jobs or are laid off.  It’s a safe assumption that the primary use of your work email account should be work, and that you are taking a risk by using the account for more than work.

For all but the last case, you have a way of  at least mitigating the problem by have your own domain name, like ofcourseimright.com.  That is- go to a registrar that you trust and choose a domain name that will be yours as long as you pay the bill for the domain.  However, is this just moving the problem?  It could be if someone breaks into a registrar account that is not well secured.  However, because you own the domain and the registrar does not, you are able to take at least some actions, should either your registrar not recognize you, or should your registrar itself go out of business (this has happened).

The hard part is finding someone to host your domain.  This sounds like a royal pain in the butt.  And it is!  So why not just use your cell phone or a social network site?  Cell numbers are at least portable in many countries.  Social networking like Facebook is another matter, and can leave you with many of the same problems that email has, and more, as we have seen.  Similarly, many financial services that play with your money, like PayPal and eBay, rely on you having a stable email address.

My online identity is tied to...

View Results

Loading ... Loading ...

Unwitting Mules and Computers

Scales of JusticeWhen I first traveled through Switzerland some 16 years ago, I went to France for the day, leaving from Geneva.  On entering France, the guards saw a long, curly haired, American in a rental car, and they assumed I would be carrying drugs, so they took apart the car.  I didn’t mind it until it occurred to me that perhaps the last guy who rented might have left something behind.  Fortunately, none of that happened.

Last year, I attended one of my favorite conferences, the Workshop on the Economics of Information Security (WEIS08).  I met there a number of good folk from the law enforcement community, and some talked about some of their successful investigations into crime on the computer.  In one case, the investigators found megabytes of illicit material on someone’s hard drive.  An astute and bright man from Microsoft by the name of Stuart Schechter pointedly asked the question how the investigators knew that the owner of the PC had stored the illicit material.  The implication here would be that bad guys could be using the computer without the knowledge of its owner.  The  detective answered that such evidence is only one component used to charge and/or convict someone.

Now comes a case reported by AP in neighboring Massachusetts where this scenario has been brought to the fore.  Michael Fiola, an employee of the state government, was fired, arrested, and shunned because some criminal broke into his computer.

What are the lessons to be learned?  There is this common notion by many that end users aren’t generally the victims of the people who break into their computers.  Not so in this case.  There is also a belief that faith in government prosecutors alone will get an innocent person out of trouble.  Not so in this case.  They did eventually drop the charges, but only at the cost of his entire savings, large amounts of stress, etc.

This is not the only such case in which this has happened.  So, do you know what’s on your computer?  Are you sure?

Off to Dublin (well sort of)!

Today, the Internet Engineering Task Force begins its 72nd in person meeting.  The IETF as it is known is a standards organization that primarily focuses on, well, the Internet.  The work done in this body has included Multimedia Internet Mail Extensions, Internet Calendaring, Voice over IP, and many others.  Not all work done by the IETF has worked out.  An effort I worked on some time ago weeded out the stuff that either was never used or is no longer used.  One of the key areas that any standards organization struggles with is how much potentially useful stuff to let through versus sure bets.  Sure bets are those things where a necessary improvement or change is obvious to a casual observer.  The people who make those changes are not the ones with imagination.

It’s the people who use their imaginations who make the bucks.  Always has been.  The problem is that there are a lot of people who may have good imaginations, but are unable to convert a good idea into something that can be broadly adopted.  This is a problem for a standards organization because each standard takes time and effort to develop, and each failed standard diminishes confidence in the organization’s overall ability to produce good stuff.

On the whole the IETF has done demonstrably well, as demonstrated by the vast amount of money organizations have poured into personal attendance at the in person conferences, even though no attendance is required to participate.

This summer’s conference is being held in Dublin City West at a golf resort, a bit away from the major attractions.  There are two benefit of this: first the cost isn’t absolutely outrageous.  Second, if people know they the attractions are a bit far off, then fewer tourists will come.  I actually don’t mind the idea of an IETF in Buffalo in the winter, but I may be taking things a bit too far.

Among the many discussions that will take place at this conference include one about what to do about email whose domain cannot be ascertained to have authorized its release.  The standard in question that identifies email is called Domain Keys Identified Mail (DKIM), and is relatively new.  What to do, however, when DKIM is not employed or if the signature sent is broken in some way?  This is the province of a work called Author Domain Sender Policies (ADSP).  The specification provides a means for sending domains to communicate their intentions.  After a year of arguments we hope to have a standard.  Whether it proves useful or not will only be shown by the test of time.

Perhaps I Was Right, Long Ago

Source: Computer History Museum

We are running out of addresses for the current version of the Internet Protocol, IPv4.  That protocol allows us to have 2^32 devices (about 4 billion systems minus the overhead used to aggregate devices into networks) connected to the network simultaneously, plus whatever other systems are connected via network address translators (NATs).  In practical terms it means that the United States, Europe, and certain other countries have been able to all but saturate their markets with the Internet while developing countries have been left out in the cold.

Long ago we recognized that we would eventually run out of IP addresses.  The Internet Engineering Task Force (IETF) began discussing this problem as far back as 1990.  The results of those discussions was a standardization that brought us IP version 6.  IPv6 quadrupled the address size so that there is for all practical purposes an infinite amount of space.  The problem is IPv6’s acceptance remains very low.

While IPv6 is deployed in Japan, Korea, and China, its acceptance in the U.S., Europe, and elsewhere has been very poor.  It is not the perfect standard.  ALL it does is create a larger address space.  It does not fix routing scalability problems and it does not make our networks more secure.  No packet format would fix either of those problems.

One of the reasons that IPv6 is not well accepted is that it requires an upgrade to the infrastructure.  Anything that uses an IPv4 address must be taught to use an IPv6 address.  That is an expensive proposition.  IP addresses exist not only in the computer you’re using right now, but in the router that connects your computer, perhaps in your iPhone (if you are a Believer), in power distribution systems, medical systems, your DMV, and in military systems, just to name a few.  Changing all of that is a pain.

Back around 1990, I had posited a different approach.  Within IPv4 there is an address block 240.0.0.0/4 (16 /8 blocks).  What if one could continue to use normal IPv4 address space, but when needed, if the first four bytes of the IPv4 address space contained addresses from that reserved block, one would read the next four bytes as address as well?  View that block, if you will, as an area code, and everyone would have one.  That would mean that you would only need it if you were contacting someone not in your area code.  It would also mean that eventually we would have increased the address space by the size of a factor of 2^28.  That’s a big number, and it probably would have sufficed.

Even after these addresses became prevelant, since devices would only need to use them if they were communicating outside their area code, it would mean they could be upgraded at a much slower pace.

The problem that people had with the idea the time was that the cost to implement this version of variable length addressing would have been high from a performance factor.  Today, routers used fixed length addresses and can parse them very quickly because of that.  But today that is only because they have been optomized for today’s world.  It might have been possible to optomized for this alternate reality, had it come to pass.