Slashdot Mirror


ITU Approves Deep Packet Inspection

dsinc sends this quote from Techdirt about the International Telecommunications Union's ongoing conference in Dubai that will have an effect on the internet everywhere: "One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression. The new Y.2770 standard is entitled 'Requirements for deep packet inspection in Next Generation Networks', and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people. One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it will come as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available."

152 comments

  1. Ancient Chinese secret, huh? by rayhigh · · Score: 1

    Ancient Chinese secret, huh?

    1. Re:Ancient Chinese secret, huh? by Jeremiah+Cornelius · · Score: 2, Funny

      ITU approves of transparency... For your packet payload!

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Ancient Chinese secret, huh? by Anonymous Coward · · Score: 0

      Deep packet inspection was available using western made software and hardware since a decade ago. It wasn't the ITU who invented it.

      Wiretapping the communications has been done by western countries much earlier than the Chinese and it is being performed in USA and UK by governments on their citizens.

    3. Re:Ancient Chinese secret, huh? by kiep · · Score: 0

      ECHELON is a global communications interception system, created by the United States, the United Kingdom, Canada, Australia and New Zealand to routinely and indiscriminately monitor and record all forms of electronic communications worldwide both military and civilian and overseen by the National Security Agency. Designed during the cold-war, ECHELON primarily intercepts worldwide non-military communications, including those from governments, organizations, businesses and individuals. It could intercept practically any communication between countries anywhere in the world. The project ECHELON receiving system thieves this streams of millions of communications every hour to massive rez of computers. These computers decrypt messages when necessary, then when required utilize optical character recognition or advanced voice recognition techniques to extract words from each message. Every message captured is analysed for keywords or phrases found in the ECHELON dictionary. Keywords include all the names, places, code words or subjects that might be of interest. There are second search lists for each member country. Messages acquired at any of the receiving posts, containing requested keywords are automatically passed on to intelligence organizations requesting those keywords. Those messages are flagged for further analysis. ...and ray of receiving stations collect all international communications carried by approximately 20 INTELSAT satellites. The INTELSATs are used by telephone companies of most countries. Though they carry primarily civilian traffic, they also carry diplomatic and governmental communications. These INTELSATs are positioned in the stationary orbit around the equator and carry tens of thousands of simultaneous phone-calls, faxes and e-mails.

    4. Re:Ancient Chinese secret, huh? by Anonymous Coward · · Score: 0

      Increase customer happyness, and great fun for whole famiry with security enhance

  2. can you say hell no by lister+king+of+smeg · · Score: 4, Interesting

    Let's assume that the governments don't say no, they would still have to overturn wiretapping laws in the US at least. But maybe we could use this to get our security complacent friends to use strong encryption.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    1. Re:can you say hell no by TheRealMindChild · · Score: 4, Insightful

      No they won't. It is a matter of "national security"

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    2. Re:can you say hell no by BlueStrat · · Score: 4, Interesting

      ...they would still have to overturn wiretapping laws in the US...

      Except that treaties that the US agrees to trump all domestic laws, regulations, and statutes...everything but the US Constitution, and as much as that meant to halting anything the government/politicians really wanted over the last few decades, I wouldn't put a lot of faith in that "goddamn piece of paper!"

      Treaties entered into by the Executive Branch need to be ratified by Congress, but even if Congress fails to ratify it, that would not necessarily kill it. In many instances over the last decade, Congress has been bypassed by Executive Orders and similar Executive Branch power tactics to achieve their goals and simultaneously grab more Executive Branch power despite Congressional inaction and/or opposition, Congressional and/or popular.

      There has to be a BIG push-back on this to stop it. Whether or not that push-back materializes to the strength and magnitude required to stop it is anyone's guess at this point, although I admit being pessimistic.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:can you say hell no by Mashiki · · Score: 4, Informative

      This is Canada's response on DPI from the privacy commissioner. For what it's worth, this won't fly here.

      --
      Om, nomnomnom...
    4. Re:can you say hell no by thoughtlover · · Score: 1

      There has to be a BIG push-back on this to stop it. Whether or not that push-back materializes to the strength and magnitude required to stop it is anyone's guess at this point, although I admit being pessimistic.

      Strangely, I am, too. This isn't like SOPA with the legislature doing the dirty work.. this is the executive that's term-limited, now. Unless the administration has some weakness, elsewhere, that could stop them signing this crap, despite the necessary congressional ratification that likely won't happen, it's gonna be as real as socialized medicine. And then there's this inkling in the back of my mind saying there's no way that the gigantic US telcoms won't find some way to convince the administration that this 'treaty' is a terrible idea.

      --
      No sig for you! Come back one year!
    5. Re:can you say hell no by BlueStrat · · Score: 1

      There has to be a BIG push-back on this to stop it. Whether or not that push-back materializes to the strength and magnitude required to stop it is anyone's guess at this point, although I admit being pessimistic.

      Strangely, I am, too. This isn't like SOPA with the legislature doing the dirty work.. this is the executive that's term-limited, now. Unless the administration has some weakness, elsewhere, that could stop them signing this crap, despite the necessary congressional ratification that likely won't happen, it's gonna be as real as socialized medicine. And then there's this inkling in the back of my mind saying there's no way that the gigantic US telcoms won't find some way to convince the administration that this 'treaty' is a terrible idea.

      I don't think the telecoms will put up much fuss as they see what's happened to the private health insurance industry, auto industry, etc. They don't want to be next, and with an already-bold Executive Order pen that now isn't worried about re-election in play, they may be justified in their fears.

      Especially when the current FCC chief has said these kinds of things publicly on video:

      Part 1> http://www.youtube.com/watch?v=ysqsa_TeLys

      Part 2> http://www.youtube.com/watch?v=vQb_H6rxhQc

      Be afraid.

      Be very afraid.

      I shudder to think what the internet would become if the FCC is allowed to grab regulatory control. Probably a lot like a combination of the worst of the POTS and the cable TV systems.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    6. Re:can you say hell no by Xest · · Score: 1

      Don't US ISPs use this already?

      Here in the UK ISPs have been using DPI for many years anyway to allow traffic prioritisation.

      I agree with you that it's horrible, I don't like it either, but it seems naive to assume whether this will or won't be a threat, it already is and has been for many years.

      I'm not terribly sure what the ITU's approval will mean, countries all around the world are already using it and have been for some time. It looks like they're just standardising how it should work. If it's standardised then it should be trivial to poke holes in the standard and work around it, but this will surely mean countries will start using non-standard DPI techniques, which means we're just right back to square one, where we are now.

    7. Re:can you say hell no by Anonymous Coward · · Score: 1

      Don't treaties become automatically part of domestic laws via reference or rewrite? That is the way treaties are assimilated in other countries.
      It would be almost trivial to think that a treaty could modify the constitution as well if sufficiently important issues are at stake. Some countries do have rewrites of their constitutions occasionally for those reasons.

    8. Re:can you say hell no by BlueStrat · · Score: 1

      Don't treaties become automatically part of domestic laws via reference or rewrite? That is the way treaties are assimilated in other countries.

      In the US, it is both Congress' and the Executive Branch's duty to pass legislation/regulations and to issue necessary Executive directives and orders to bring domestic law and policy into harmony with the treaty terms and conditions. The Judicial Branch also has a role in interpreting existing laws, regulations, and policies in accordance with the treaty.

      It would be almost trivial to think that a treaty could modify the constitution as well if sufficiently important issues are at stake. Some countries do have rewrites of their constitutions occasionally for those reasons.

      The US Constitution specifically addresses this and forbids treaties from superseding the Constitution. Changes to the Constitution must be made by Constitutional Amendment. It was intentionally written that way to prevent the government from simply signing a treaty to effectively bypass Constitutional limitations on government power and abrogate individual freedom and the Bill of Rights through the back door.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    9. Re:can you say hell no by Anonymous Coward · · Score: 0

      ECHELON is a global communications interception system, created by the United States, the United Kingdom, Canada, Australia and New Zealand to routinely and indiscriminately monitor and record all forms of electronic communications worldwide both military and civilian and overseen by the National Security Agency. Designed during the cold-war, ECHELON primarily intercepts worldwide non-military communications, including those from governments, organizations, businesses and individuals. It could intercept practically any communication between countries anywhere in the world. The project ECHELON receiving system thieves this streams of millions of communications every hour to massive rez of computers. These computers decrypt messages when necessary, then when required utilize optical character recognition or advanced voice recognition techniques to extract words from each message. Every message captured is analysed for keywords or phrases found in the ECHELON dictionary. Keywords include all the names, places, code words or subjects that might be of interest. There are second search lists for each member country. Messages acquired at any of the receiving posts, containing requested keywords are automatically passed on to intelligence organizations requesting those keywords. Those messages are flagged for further analysis. ...and ray of receiving stations collect all international communications carried by approximately 20 INTELSAT satellites. The INTELSATs are used by telephone companies of most countries. Though they carry primarily civilian traffic, they also carry diplomatic and governmental communications. These INTELSATs are positioned in the stationary orbit around the equator and carry tens of thousands of simultaneous phone-calls, faxes and e-mails.

  3. End-to-end encryption by characterZer0 · · Score: 4, Interesting

    End-to-end encryption. Problem solved.

    --
    Go green: turn off your refrigerator.
    1. Re:End-to-end encryption by MichaelSmith · · Score: 3, Insightful

      You terrorist you.

    2. Re:End-to-end encryption by Albanach · · Score: 1

      I often wonder why we don't see more take up of opportunistic encryption.

      While it's obviously not a solution to keep things secret that need to be secure, it would surely present a significant obstacle to deep packet inspection unless ISPs were to deliberately interfere with the security negotiation.

    3. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      Well there could be man in the middle if the browser or operating system certificates get hijacked. I could imagine vendors get friendly with governments. Thus the chain of certs to the root servers is compromised.

    4. Re:End-to-end encryption by fustakrakich · · Score: 1

      Until it's restricted for authorized use only. However, it would be nice if everybody pushed it to the limit to see how the government/corporation reacts. In some countries it's already prohibited. And it is very easy to detect.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:End-to-end encryption by BitterOak · · Score: 5, Informative

      End-to-end encryption. Problem solved.

      That's not quite the ultimate solution that many believe it to be. There are firewalls and routers on the market now that have man in the middle programming right in the hardware, and decryption is a basic part of the DPI system. How many people actually check that the certificates match who they're supposed to, and how do we know which root authorities can be trusted? I imagine the vast majority of people don't even look at the certificate information. And how many ssh users actually check the key fingerprints and verify they match those stored on the remote host? Is that even possible in most circumstances? And if you do discover something's up, what then? If a router is doing man in the middle DPI, your choices are pretty much accept it, or don't communicate with the remote host at all. Most people just sigh and go on doing what they're doing.

      And that doesn't even take into account hacks on your computer, like browser attacks which quietly install new trusted certificate authorities, or more aggressive malware like keyloggers and such. Encryption is much harder to use properly than most people realize, and it is highly unlikely that people on BOTH ends of the connection are using it properly.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    6. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      Add to that, encrypt a lot of garbage, send it overseas. Encryption might be broken, but wasting their CPU cycles as you muddy the waters... priceless.

    7. Re:End-to-end encryption by lister+king+of+smeg · · Score: 2

      double public key is hard to man in the middle when you exchange public keys in meatspace

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    8. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      end-to-end encryption + distributed wireless mobile geocasting protocols. Problem solved.

      What needs to happen is some network standard that doesn't assume people are in a fixed location, and doesn't operate through a set of fixed servers.

    9. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      I would worry more about the ISPs that are already friendly with governments doing the MITM attacks. This would be catastrophic to security and nearly transparent to 98% of the Internet population.

    10. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      Most ssh software checks the key fingerprints by default and alerts the user if different.

    11. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      > double public key is hard to man in the middle when you exchange public keys in meatspace

      Key exchange in metaspace is hard. As is finding protocols that support double public key encryption.

    12. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      With what crap is sitting on endpoints, either something like Carrier IQ which could be used for monitoring, or other possible backdoors which end up getting reported as "oopses", the first thing is start cleaning up those. Then, we move to a WoT, trusted introducers, get people to trade public keys at parties like they do business cards... then DPI will be amusing, but the only thing a bad guy can do is DoS a link, or make it seem so corrupted in hopes that people send in plaintext.

      Endpoints are usually the easiest thing to compromise... Even an encrypted laptop is no match for a rubber hose.

    13. Re:End-to-end encryption by davester666 · · Score: 2

      The standard provides for the possibility you wish to have an encrypted connection. All you need to do is have the data transmitted both encrypted and unencrypted. That way, DPI can still effectively enable your government to know what you are doing.

      --
      Sleep your way to a whiter smile...date a dentist!
    14. Re:End-to-end encryption by epyT-R · · Score: 1

      Sending the data again unencrypted defeats the purpose..

    15. Re:End-to-end encryption by davester666 · · Score: 1

      double whoosh!

      --
      Sleep your way to a whiter smile...date a dentist!
    16. Re:End-to-end encryption by klingers48 · · Score: 1

      You say "meatspace" and I think "whack someone through airlock with a side of ham".

    17. Re:End-to-end encryption by grumpy_old_grandpa · · Score: 2

      Please, can we get over the "OMG! Encryption is difficult, it is not meant for mere mortals". That mantra is completely counter productive.

      Any security solution has to be aligned to the enemy you are facing. In this case, we are up against dragnet surveillance. We are not defending against James Bond style keyloggers, nor other directed attacks, or even automated malware. The fact is that even the most basic encryption settings would have been enough to render the current dragnets cost ineffective, perhaps with the exception of China's systems. Yet, we are still sending all e-mails on open postcards, because security "experts" want to defend against James Bond and other completely unlikely attacks.

      Regarding the MIM DPI routers, they are not widely deployed, again perhaps with the exception of China. How do I know? Well, because if they were, your hand-shake would trip over constantly, as you moved your laptop from network to network. There are currently no widespread claims that that is the case.

      The current danger is that western "democracies" are still deploying their surveillance in a fly-by-night manner. This can easily be countered through basic levels of encryption. Once they are forced out in the open, and everybody is aware what is happening, like China's great firewall, then we can start upgrading our countermeasures. However, first we have to get the basics installed and in widespread use. Putting people off through FUD is not helpful.

    18. Re:End-to-end encryption by Roman+Mamedov · · Score: 3, Informative

      And how many ssh users actually check the key fingerprints and verify they match those stored on the remote host? Is that even possible in most circumstances?

      Hello, have you ever used ssh? As in, at all? It raises a holy hell if the keys have been tampered with.

      $ ssh hostname.tld
      @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
      The RSA host key for hostname.tld has changed,
      and the key for the corresponding IP address xxxxxxxxxxxxxxxxxx
      is unknown. This could either mean that
      DNS SPOOFING is happening or the IP address for the host
      and its host key have changed at the same time.
      @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
      IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
      Someone could be eavesdropping on you right now (man-in-the-middle attack)!
      It is also possible that a host key has just been changed.
      The fingerprint for the RSA key sent by the remote host is
      zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.
      Please contact your system administrator.
      Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
      Offending RSA key in /home/username/.ssh/known_hosts:76
      RSA host key for hostname.tld has changed and you have requested strict checking.
      Host key verification failed.

    19. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      I assume he was talking about the initial connection.
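The first-connection case raised above, where there is no `known_hosts` entry yet and ssh can only show a fingerprint, comes down to comparing that fingerprint with one obtained over a separate channel. The following is an added example, not part of any comment in this thread: it computes OpenSSH-style fingerprints from an `ssh-keyscan` / `known_hosts` style line and checks them against a pin. The function names, the sample keys and the pinned value are constructed for illustration.

```python
"""Check an SSH host key line against a fingerprint obtained out of band."""
import base64
import hashlib
import hmac
import struct


def parse_key_line(line):
    """Parse 'host[,host2] keytype base64 [comment]' (plain, non-hashed hostnames).

    Returns (hosts, keytype, blob). Raises ValueError on malformed input.
    """
    fields = line.split()
    if fields and fields[0].startswith("@"):  # skip @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    hosts, keytype, b64 = fields[0].split(","), fields[1], fields[2]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key is not valid base64") from exc
    # The blob begins with a length-prefixed copy of the key type; it must
    # agree with the type declared in the text field.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != keytype:
        raise ValueError("key type in blob does not match declared type")
    return hosts, keytype, blob


def fingerprint_sha256(blob):
    """Fingerprint format printed by current OpenSSH: unpadded base64 of SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated hex format, as older ssh warnings displayed."""
    hexd = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def verify_host_key(line, expected_host, pinned_fp):
    """True only if the line is for expected_host and its key matches the pin."""
    hosts, _keytype, blob = parse_key_line(line)
    if expected_host not in hosts:
        return False
    if pinned_fp.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    elif pinned_fp.startswith("MD5:"):
        actual = fingerprint_md5(blob)
    else:
        raise ValueError("pinned fingerprint must start with SHA256: or MD5:")
    return hmac.compare_digest(actual.encode(), pinned_fp.encode())


def make_ed25519_blob(raw32):
    """Build a well-formed ssh-ed25519 blob from 32 bytes (constructed sample data)."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32


def key_line(host, blob):
    return "%s ssh-ed25519 %s" % (host, base64.b64encode(blob).decode("ascii"))


# Constructed sample keys: not real keys, only correctly structured blobs.
GENUINE_BLOB = make_ed25519_blob(bytes(range(32)))
SUBSTITUTED_BLOB = make_ed25519_blob(bytes(range(1, 33)))
# Stand-in for a pin received out of band (console, printed sheet, in person).
PINNED = fingerprint_sha256(GENUINE_BLOB)
GENUINE_LINE = key_line("hostname.tld", GENUINE_BLOB)
SUBSTITUTED_LINE = key_line("hostname.tld", SUBSTITUTED_BLOB)

if __name__ == "__main__":
    for label, line in (("genuine", GENUINE_LINE), ("substituted", SUBSTITUTED_LINE)):
        ok = verify_host_key(line, "hostname.tld", PINNED)
        print(label, "->", "match, safe to record" if ok else "MISMATCH, do not connect")
```

Only a line that passes the check should be appended to `known_hosts`; after that, ssh's own changed-key warning covers later connections.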

    20. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      Despite all your technical inaccuracies, what exactly are you suggesting?

      You seem to imply that because doing encryption right is not mind numbingly easy, and that some people do it wrong... we should completely get rid of encryption and go back to 100% compromised plain text???

      How is your suggestion going to improve anything? You just lowered secure communications from a non-zero percentage to exactly zero.
      You are saying that because some people fuck up encryption, that no one at all should have it.

      Let me guess, in the previous ITU story about handing control of the root DNS over to them, you were one saying how everything would be better and they of course only have our best interests at heart?

      I'm sorry but the rest of us are not going to stop using proper encryption just because you and others can't be bothered to use it correctly.

    21. Re:End-to-end encryption by L4t3r4lu5 · · Score: 2

      The whole point of public key encryption (RSA, for example) is that you wouldn't have to exchange keys outside of the communication channel. If you're going to meet in person, you should probably exchange data there as well. Sneakernet is always an option; it's just inconvenient.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    22. Re:End-to-end encryption by nazsco · · Score: 1

      Yeah, and anytime this happens you pick up the phone and raise a warning within the organization with its 300,000 machines, of which around 500 have something updated that every day that changes the host key....

      Or just press Y?

      Also, where did you get the key to begin with? ooh, right. Via a gov owned backbone in some point of the connection.

    23. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      How about using a captcha method of some sort?

    24. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      Why doesn't the SSH still not log anything to log files if you go in with SCP or SFTP?

      Also, why doesn't BASH log anything if you include whitespace before every command?

      Security failures, imho, and likely policy to include weaknesses that government uses.

    25. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      of which around 500 have something updated that every day that changes the host key....

      You have a shitty updater, then. Yes, whatever distro or custom solution it is you're going to say "oh, Y is shitty then?" is, in fact, shitty. Whoever your admin is (you?) should be fired. You should probably be fired anyway for thinking this is acceptable.

    26. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      Repeat after me:

      "I am Spartacus."

    27. Re:End-to-end encryption by JesseMcDonald · · Score: 1

      No, public-key cryptography still requires some external form of authentication for the key exchange, if you want to know that the private key is held by a specific person and not some random stranger. The point of public-key cryptography is that the public key need not be secret, so you can publish it freely and the people who have your public key can't use it to impersonate you or read messages sent to you by others. To do the same with private-key cryptography would require a separate secret key for each pair of peers, and it would be impossible to tell which member of the pair signed a given message.

      The advantage over simply exchanging the data in person is that once you've authenticated the key, you can rely on it for secure future communications, including authenticating other keys (e.g. with CAs or a web-of-trust). On the other hand, if you only need to exchange data once, a direct exchange probably is easier.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    28. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      Yeah, and anytime this happens you pick up the phone and raise a warning within the organization with its 300,000 machines, of which around 500 have something updated that every day that changes the host key....

      Or just press Y?

      Also, where did you get the key to begin with? ooh, right. Via a gov owned backbone in some point of the connection.

      Have you ever used SSH? At all? Do you know how it works, and that what you are saying makes you literally look retarded?

    29. Re:End-to-end encryption by cpghost · · Score: 1

      That's not quite the ultimate solution that many believe it to be. There are firewalls and routers on the market now that have man in the middle programming right in the hardware, and decryption is a basic part of the DPI system.

      That's not really the point. Consider a Tier-1 router. That machine will NEVER be able to handle the load of MitM-ing the connections going through it. A Tier-2 router will also be overwhelmed by the sheer amount of traffic going through it. It's about selectively enabling DPIs on very specific connection pairs... once you know who to monitor! That is a far cry from the generalized DPI infrastructure for everyone that some politicians and content companies are dreaming about.

      --
      cpghost at Cordula's Web.
    30. Re:End-to-end encryption by Anonymous Coward · · Score: 0

      Actually, Germany is creating a new version of their state-sponsored surveillance malware. They've also passed laws making it a crime to remove it, reverse program it, etc. This malware apparently also has no legal restrictions requiring it being used solely on German citizens, nor within German borders.

      This is not such a fly-by-night manner.

    31. Re:End-to-end encryption by grumpy_old_grandpa · · Score: 1

      Interesting. Any links would be useful. And yes, this definitely falls within the level of escalation I mentioned in the previous post.

  4. Deep by JustOK · · Score: 2

    Deep pockets fund deep packets

    --
    rewriting history since 2109
    1. Re:Deep by alostpacket · · Score: 1

      Deep? I'm lost.

      --
      PocketPermissions Android Permission Guide
  5. fucking politicians... by wierd_w · · Score: 5, Interesting

    Sorry for the flamebait here, but goddamn!

    They *clearly* know that these measures are against the public interest, and are only desirable for reasons that are directly counter to a free and legitimate government; that the voting publics that they represent would never willingly agree to this kind of "microscope colonoscopy" type surveillance if they knew what it really meant.

    That's why the fuckers do closed room and secret fucking "negotiations" to plan, orchestrate, and implement bullshit like this.

    About the only way to combat this is to make closed room negotiations so undesirable from a political career standpoint that the slimeballs treat like radioactive waste.

    Something like immediate no-confidence being enacted for mere participation or something, and blacklisting from ever running for public office ever again.

    Of course, such strong measures would never make it past the slimeballs to begin with.

    Fox fucking owns the henhouse.

    1. Re:fucking politicians... by Anonymous Coward · · Score: 0

      Never a truer word spoken!

    2. Re:fucking politicians... by Anonymous Coward · · Score: 5, Informative

      You should do some research on what the ITU is. It is mostly old fogy bureaucrats from state owned telcos, and not elected politicians. Or even unelected ones. And the old fogy bureaucrats that sit on ITU committees are the worst of the bunch, as they specialize in creating standards and rules. So they do nothing but create rules and standards.

      The ITU is why it costs more to call one country than another, even though sending an email to Egypt or Portugal is the same price. Why do phone calls have different rates? It is 2012.

      The ITU voted in 2011, to confirm that FAX was the only authorized way to distribute committee documents! Email was determined to be not widespread enough (?), and less reliable. That should give you some idea of the mindset you are dealing with.

      And even with their so called "stewardship" of the public switched telephone network, it is still riddled with fraud and scams. In fact, there have been accusations that some of the ITU members benefit from these scams, and are creating a regulatory framework to allow them to continue.

    3. Re:fucking politicians... by mikeiver1 · · Score: 2

      Hard to argue with one letter from all of the above. The next killer app, an easy to use seamless end to end encryption tool. I may just encrypt all my BS communication for the fun of knowing that they can't read it but think they should. Think of the countless hours that are going to be wasted by the watchers trying to decrypt shopping list and sexting between married couples. The mind boggles...

    4. Re:fucking politicians... by wierd_w · · Score: 5, Insightful

      Then their little good-ol-boys club should be shuttered in place of an organization with some fucking public oversight, that CAN be policed against this bullshit!

      A room of wrinkled old penises whacking off to violating the public trust should never be accepted. Ever!

    5. Re:fucking politicians... by Anonymous Coward · · Score: 0

      why are you only angry at the internet traffic club? there is a "club" that controls western banking, one for oil, one for "defense contracts". they violate public trust, they steal and kill and take away freedoms, they have your government in their pockets.

      captcha - "repress"

    6. Re:fucking politicians... by Anonymous Coward · · Score: 1

      While I basically agree with you, I think existing political and governmental systems are so compromised, and the elites who operate them are so out of touch, that it is going to keep getting worse and worse until blood literally runs in the streets. I don't want to see that as the future, because it's horrible and depressing, but I find I cannot believe that the current global crop of politicians, bureaucrats, multi-billionaires and their tools have enough empathy or awareness to realize when they've gone too far. They're just going to keep controlling, squeezing and destroying until the enraged populace rises up and starts killing them. Corporate CEOs aren't going to look past their next quarter bonuses until their fellows who pollute, destroy, and abuse start getting shot. Politicians won't vote for transparency or responsibility until their colleagues are dragged from their limos and hanged from traffic lights. And not one or two incidents either - the first couple times this happens it will just boost the police state to new heights. But once the violence becomes endemic, then they might start listening. I just hope civilization can survive it. :-(

    7. Re:fucking politicians... by baKanale · · Score: 2

      But we're not talking about any of those clubs right now. We can show outrage about them when we discuss their respective issues. If people had to enumerate everything they get angry about every time they express some rage then every post would be a mile long and threads would take forever to read.

    8. Re:fucking politicians... by elashish14 · · Score: 2

      Unfortunately, far too many stupid people are allowed to vote.

      Look at the recent US election. How many politicians who approved NDAA were re-elected? Here's one for example: the President.

      --
      I have left slashdot and am now on Soylent News. FUCK YOU DICE.
    9. Re:fucking politicians... by Johann+Lau · · Score: 1

      On the one hand I agree with you, on the other I have to think that punishing corrupt politicians doesn't automatically create honest ones (I don't even like the distinction between "politician" and "citizen" a lot -- all adults are equally responsible for what goes on in the state that derives its authority from them), and killing greedy people doesn't automatically feed, clothe and shelter the poor.

      There is lots of stuff to be built, to be constructed, to be found out, for oneself and collectively, to be communicated etc... and we're fucked mostly because we're not doing that, not because we're being overpowered in any way, shape or form. You have to realize that anything you could accuse a politician or CEO of, someone else, a lowly drone most likely, executed for them. So if the drones would simply stop BUILDING THEIR OWN PRISON AND ATTACHING THEIR OWN COLLARS *ahem* (sorry for screaming, sometimes it gets to me ^^), there wouldn't even be much need to punish anyone; the former leaders would just wither away like a plant that's not being watered anymore.

      I say it's much easier to help people see through deception, than to try to stem the flow of deceivers... fuck em, ignore them, they're not worth the dirt under your fingernails; focus on attaining and spreading immunity. Don't stare too much into the abyss, it's not all there is.

    10. Re:fucking politicians... by Anonymous Coward · · Score: 0

      The correct response is to dox each and every flunkie in the ITU. Then assassinate them one by one.

      How will they speak if we deactivate their entire nervous system, rendering them unable to exercise muscle control over their mouths?

      Murder solves a lot of problems. ESPECIALLY bad governance. Just look at the success the USA had in Iraq! You just have to frame it as if you're fighting for the good guys. As in many areas of life, it's all about the marketing.

    11. Re:fucking politicians... by ghostdoc · · Score: 4, Insightful

      Except this is not politicians making these deals. It's unelected bureaucrats, effectively outside the control of the politicians because a senior bureaucrat can do a lot more damage to a politician's career than the other way around.

      You don't vote for these people, so they don't care about your opinion.

      The treaty they come up with will need to be ratified by each country's politicians, but it'll either go through unannounced and unremarked, or there'll be a convincing 'If you've done nothing wrong you've got nothing to fear' campaign to lull the moron majority into complacence.

      I hate to sound defeatist on this, but we are going to have to start building darknets if we want truly free communication in the future.

      --
      Business/App ideas are like arseholes: everyone's got one, they're mostly shit, but very rarely they contain a diamond
    12. Re:fucking politicians... by Anonymous Coward · · Score: 0

      About the only way to combat this is to make closed room negotiations so undesirable from a political career standpoint that the slimeballs treat like radioactive waste.

      Death is a pretty good deterrent. There are more of us than there are of them. Would you die/sacrifice your life for your children's (and fellow Americans') freedoms? Posted anonymously for obvious reasons. Even though I'm too much of a pacifist to do anything about it.

    13. Re:fucking politicians... by Anonymous Coward · · Score: 0

      To address one of your points.... no, the people with the best and biggest pile of strong-willed, like-minded individuals with weapons decides what goes on in a state, no matter which political system is in place.

      This has been true ever since civilization started. You can almost argue that's a hallmark of civilization period.

      We can see it happening today, in Syria for instance (although that is not the only example, by far).

      Too bad for the USA, is that we have had weak leaders for a long, long, long time - and have tolerated such, and all of the ill that comes from it.

  6. Over My Cold Dead Body by Anonymous Coward · · Score: 2, Insightful

    Over My Cold Dead Body will the ITU introspect anything of mine.

    The ITU, previously known as the CCITT is a body known for promulgating overcomplex incomprehensible standards that no one in their right mind uses.

    Now, without sanction, these blowhards are trying to capture regulation and management of the WORKING internet.

    Both Corporations and country blocks have found it far too easy to pack/suborn these institutions and then claim control of really important issues like exergy (Climate Change).

    As a Swiss, the best thing the US could do for Democracy is to de-fund and send home this den of Dictators, like many things it started off well intentioned but has become a turd.

    MFG, omb

    1. Re:Over My Cold Dead Body by fustakrakich · · Score: 2

      Over My Cold Dead Body...

      Your proposal is acceptable. -- ITU

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Over My Cold Dead Body by dwywit · · Score: 1

      "Zed, we've got a bug"

      --
      They sentenced me to twenty years of boredom
    3. Re:Over My Cold Dead Body by Anonymous Coward · · Score: 0

      The ITU, previously known as the CCITT is a body known for promulgating overcomplex incomprehensible standards that no one in their right mind uses.

      Unfortunately, those standards are used very much. Their complexity and lack of comprehension comes from trying to force completely different and opposed solutions from industry "leaders" into "standards". It ends as a complete and utter mess.

  7. The answer to 1984 is RFC 1984 by WaffleMonster · · Score: 4, Interesting

    Props to Bellovin et al for arranging the numbering coincidence.

  8. The control fanatics finally won by u64 · · Score: 1

    So,
    Stop SOPA! Done.
    Stop ACTA! Done.
    Stop ITU...? Oups.

    We missed a letter-combo. Well played.

  9. It reminds me by Anonymous Coward · · Score: 0

    of Obama's massive data surveillance centers. The thing is, they are giving you some rights. If they weren't then they wouldn't track you. They'd just ensure you can't get online - then again maybe it's a 2-pronged approach.

  10. DPI != spying by sgt+scrub · · Score: 3, Insightful

    You do not have to do deep packet inspection to spy on traffic. In fact, you have to spy on traffic to do deep packet inspection. The vast majority of information gleaned about people has absolutely nothing to do with traffic filtering. Things like redirecting DNS queries, logging x-forwarded-for headers, persistent HTTP connections, are vastly more popular for garnering user information. It is easier, and much less expensive, to drop information gathering warez on a large number of machines than implementing DPI. DPI is best used to protect networks from stupid people. Yes it is used to filter access. Only a really stupid network engineer would use it for spying.

    --
    Having to work for a living is the root of all evil.
    1. Re:DPI != spying by Anonymous Coward · · Score: 2, Interesting

      Seriously. DPI means the forwarding router being able to check against protocol signatures at more or less line rate, so that you can have forwarding/firewall/QoS rules that say things like "from application-group [VOICE | GAMING | PEER-TO-PEER | ETC]" instead of dumb rules based on tcp/udp and port. Yes, as an ISP, you want to be able to give preferential treatment to voip and gaming packets over filesharing, since everything is always oversubscribed, by necessity. The government has your packets if they want them, and they don't need "DPI" to see what is in them.

    2. Re:DPI != spying by Anonymous Coward · · Score: 1

      You have to do DPI to block hidden traffic you don't want to occur. It is how oppressive regimes stop the flow of information via Tor or I2P.

      The people using these technologies are doing so that they can communicate with the outside world without being killed.

      It is not hard to see why the UN ( which has a lot of member states which would benefit from not having the outside world privy to their actions ) would enact this measure.

      Countries like China routinely block this kind of traffic using DPI. Saying that this is necessary for packet prioritisation is like allowing your postal service to read your mail to see if it looks urgent. This is a heinous violation of privacy.

    3. Re:DPI != spying by sgt+scrub · · Score: 1

      You don't need to inspect the deep end of the packet for that kind of traffic. The shallow end (4 bits in) is all you need to do that. TCP over HTTP, HTTP over ICMP, et al. are all easily recognizable by the 4th bit. China doesn't use a great firewall. They use spyware on machines tied into what people think is a great firewall. You need to have something on the end user's machines to filter encrypted traffic or have the keys. China has the keys but prefers spyware.

      --
      Having to work for a living is the root of all evil.
  11. Fragmentation by XeLiTuS · · Score: 4, Interesting

    This type of all of your data are belong to us mentality is simply going to drive fragmentation of the Internet as well as a rush to spawn unrouted networks and darknets. These governments and agencies pushing for this would be better served leaving things as is since everything is on one network at this point. They're just going to make it more difficult for themselves since people will simply encrypt data and adapt.

    1. Re:Fragmentation by Desler · · Score: 1

      This type of all of your data are belong to us mentality is simply going to drive fragmentation of the Internet as well as a rush to spawn unrouted networks and darknets.

      And? You think that isn't the goal? The average user isn't going to use unrouted networks and darknets. The content will effectively be inaccessible to the vast majority of average users and that's all these governments care about. The 1 in 10000 person who is using some obscure darknet really doesn't register on their radar.

  12. What the hell will they inspect? by Anonymous Coward · · Score: 0

    ...With all the connections being encrypted nowadays?

    WWW, E-Mail, IM/IRC, games, even DNS...

    Sure, it's not end-to-end, and they can still get into the servers, and sure, the concept of a Certificate Authority is an utterly retarded logical fallacy that can never be secure,
    but DPI won't do shit on it anyway.

    1. Re:What the hell will they inspect? by Anonymous Coward · · Score: 0

      Since not all connections are encrypted and many of the encrypted ones can easily be MITMed, probably quite a lot.

  13. Yeah, well... by Bluecobra · · Score: 2, Funny

    ... I'm gonna go build my own Internet! With blackjack and hookers! In fact, forget the Internet!

    1. Re:Yeah, well... by Anonymous Coward · · Score: 0

      ... I'm gonna go build my own Internet! With blackjack and hookers! In fact, forget the Internet!

      Huh, the Internet I've been using already has loads of those...

  14. DPI isn't a problem. by AK+Marc · · Score: 1, Interesting

    What's the issue? DPI is done today by most carriers. Most DPI I've seen doesn't do much more than look at headers, anyway, unless it's a firewall or other security device.

    It's not a bad thing to prioritize HTTP above or below FTP or bittorrent, and that's not even a violation of net neutrality, unless the ISP sells FTP or BT services at additional cost. When everyone has their BT client set to run on port 80, how do you prioritize traffic? Does it matter if you are a large corporation and it's at your own corporate edge? I want to be able to set HTTP above FTP and FTP above BT. But if someone sets up BT on 80, how do you verify the protocol without looking at the payload? Even then, there are "tricks" where P2P protocols can use HTTP GET and PUT in the payload to be able to manipulate inspection.

    The problem is when DPI is used for "bad things" and we should worry about the bad acts, not the tools used.
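The port-versus-payload argument in this thread, as an added example that is not part of any poster's comment: a port table and a first-packet signature check are run over the same flows, including the wrapped and opaque cases that signature matching cannot see into. The flows are constructed, and the function names and port table are hypothetical; only the BitTorrent handshake prefix, the TLS record header and the HTTP request line follow the real wire formats.

```python
"""Port-based vs. payload-signature traffic classification.

Added illustration; every sample flow below is constructed.
"""
import struct

# Real on-wire markers.
BT_HANDSHAKE = b"\x13BitTorrent protocol"  # length byte 19 + protocol string
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}
TLS_HANDSHAKE_RECORD = 0x16
TLS_CLIENT_HELLO = 0x01

# Hypothetical port table of the kind a plain tcp/udp-and-port rule relies on.
PORT_TABLE = {21: "ftp", 80: "http", 443: "tls", 6881: "bittorrent"}


def classify_by_port(dst_port):
    """Label a flow from its destination port alone."""
    return PORT_TABLE.get(dst_port, "unknown")


def _is_http_request(payload):
    # Request line: METHOD SP target SP HTTP/1.x CRLF
    request_line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return False
    parts = request_line.split(b" ")
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[2].startswith(b"HTTP/1."))


def _is_tls_client_hello(payload):
    # Record header: type(1) version(2) length(2), then the handshake type.
    if len(payload) < 6:
        return False
    rec_type, major, _minor, rec_len = struct.unpack("!BBBH", payload[:5])
    return (rec_type == TLS_HANDSHAKE_RECORD and major == 0x03
            and 0 < rec_len <= 2 ** 14 and payload[5] == TLS_CLIENT_HELLO)


def classify_by_payload(payload):
    """Label a flow from the first bytes its client sends."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if _is_tls_client_hello(payload):
        return "tls"
    if _is_http_request(payload):
        return "http"
    return "unknown"


def compare(flows):
    """Return (name, port_label, payload_label, labels_disagree) per flow."""
    rows = []
    for name, dst_port, payload in flows:
        by_port = classify_by_port(dst_port)
        by_payload = classify_by_payload(payload)
        rows.append((name, by_port, by_payload, by_port != by_payload))
    return rows


# Constructed first-packet payloads (not captured traffic).
_BT = BT_HANDSHAKE + bytes(8) + b"\xaa" * 20 + b"-XX0000-" + b"0" * 12
SAMPLE_FLOWS = [
    ("web page", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # Peer-to-peer handshake sent to port 80: the port rule calls it web traffic.
    ("bt on port 80", 80, _BT),
    ("https", 443,
     b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(41)),
    # Same handshake carried inside an HTTP body: only the outer framing is seen.
    ("bt wrapped in http", 80,
     b"POST /rpc HTTP/1.1\r\nHost: example.test\r\n\r\n" + _BT),
    # Stand-in for an encrypted stream: no signature matches at all.
    ("opaque stream", 6881, bytes(range(200, 232))),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print("%-20s port=%-10s payload=%-10s disagree=%s" % row)
```

The two rows where the labels disagree are the cases the port rule gets wrong or cannot confirm; the wrapped row is where the signature check is itself misled.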

    1. Re:DPI isn't a problem. by fredprado · · Score: 1

      DPI is never a good thing. Period. You should not be able to prioritize any type of package on your network if you are an ISP, that goes against net neutrality even if you do not charge extra for it. Net neutrality has no exceptions, it means that it doesn't matter what flows, it will all be treated the same.

    2. Re:DPI isn't a problem. by Anonymous Coward · · Score: 0

      The next thing that happens is HTTP becomes the next TCP, everything is wrapped in something that looks like HTTP. Do you look even deeper? Don't play this game, you'll make everyone (including yourself!) miserable. Way too many things are already able to be embedded inside HTTP wrappers (git, bazaar, and Subversion come to mind).

    3. Re:DPI isn't a problem. by Anonymous Coward · · Score: 0

      Nope. You've got it wrong. You definitely want to do things like optimize the latency of VoIP and game related packets and the throughput of bit torrent related packets. That's just basic network administration.

    4. Re:DPI isn't a problem. by Anonymous Coward · · Score: 1

      No, GP is exactly right: there should be no exceptions. Even if well intentioned, you do not want to optimize for specific protocols, as in that case, new technologies have no chance to compete with entrenched protocols. The answer is to "optimize" the network so that best effort is good enough for such protocols. (read: build out the network rather than wasting money on DPI, etc.)

    5. Re:DPI isn't a problem. by smellotron · · Score: 3, Informative

      But if someone sets up BT on 80, how do you verify the protocol without looking at the payload? Even then, there are "tricks" where P2P protocols can use HTTP GET and PUT in the payload to be able to manipulate inspection.

      Ugh. I had to do some research on SOAP as a part of an internship at an "Enterprisey" software shop. Many SOAP software stacks advertised themselves as firewall-friendly because they would "punch through the firewall on port 80". That is, the SOAP service was encapsulated in HTTP, with the implication that this was superior to getting permission from your network admins. Of course, these same service providers also provided "SOAP firewalls" so they could profit off of your company's internal dysfunction. What a pile of garbage, all of it.

      Anyhow, I can see why BT would want to encapsulate itself in HTTP, but it stinks of an arms race.

    6. Re:DPI isn't a problem. by jmottram08 · · Score: 1

      While this may sound good in ideal circumstances, the reality is that everything has costs, and traffic shaping is -way- cheaper than "building out the network". I worked in IT for a bit during university on campus, and without traffic shaping most HTTP would have been unusable during peak hours. We had two options, try and disallow popular file sharing completely or just limit it, and the best solution for everyone involved was the limiting.

    7. Re:DPI isn't a problem. by TapeCutter · · Score: 1

      Most DPI I've seen doesn't do much more than look at headers

      DPI - The 'D' stands for deep, if you're just looking at headers then it's "Shallow Packet Inspection".

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    8. Re:DPI isn't a problem. by AK+Marc · · Score: 1

      Anything past the destination IP is deeper than necessary. Why use an ambiguous and subjective word like "deep" when "payload" is the proper technical term? Because many DPI *don't* look into the payload, and confusion allows the liars to advertise port-based DPI as DPI.

    9. Re:DPI isn't a problem. by fredprado · · Score: 1

      Traffic shaping is not the way to solve anything. If you lack resources, limit the use, not the protocols.

    10. Re:DPI isn't a problem. by AK+Marc · · Score: 1

      I agree with one or more of the ACs. We should prioritize the smallest packets over the largest. Why? Because realtime is in small packets, and MTU is reserved for data. Sure, people could then modify data transfers to use smaller packets, but in general, the increased overhead would hurt more than the delay/drops. So small VoIP packets would get priority over data transfers and web pages without having to target protocols or even look inside packets.

      Or we could just set all data to a small size and have uniform packets at line speed or less. Nonblocking architecture and fast switching with no smarts needed would be great. I vote for 48 byte payload and we should be able to get by with 5 bytes or so of headers.

    11. Re:DPI isn't a problem. by Anonymous Coward · · Score: 0

      If a firewall can be so trivially bypassed, what good is it? Malware isn't going to communicate on an obvious port, with the evil bit set.

    12. Re:DPI isn't a problem. by Anonymous Coward · · Score: 0

      So you've never run even a small network, huh? It's pretty easy to get into a situation where 9 people are running downloads or torrents and the 10th wants to use VoIP. Should the 10th guy just be screwed? Maybe your plan is to guarantee the 10th guy 10% of the bandwidth. That's fine, but now he's slowing down everyone else more than he needs to and still getting unnecessary lag from the other guys. Or, you can just do some basic QoS informed by DPI.

    13. Re:DPI isn't a problem. by nazsco · · Score: 1

      We're talking about isp here. You just got offtopic.

      To go back, consider them 10 paying customers. Why the voip guy, who paid same as me, should have priority over my downloads?

      Screw him.

    14. Re:DPI isn't a problem. by nazsco · · Score: 1

      Also screw you for selling us all bandwidth you didn't have to begin with and thinking that you could later get by cheaply with protocol prioritization.

    15. Re:DPI isn't a problem. by nazsco · · Score: 1

      Also, also, you're mixing up deep packet inspection with packet inspection.

      So we're all off topic.

    16. Re:DPI isn't a problem. by fredprado · · Score: 1

      I agree with most of what you said, but we are not entirely off topic here. DPI is the natural progression of traffic shaping and (non-deep) packet inspection, and all of them threaten net neutrality.

    17. Re:DPI isn't a problem. by WaffleMonster · · Score: 1

      I agree with one or more of the ACs. We should prioritize the smallest packets over the largest. Why? Because realtime is in small packets

      This is too simple/naive and mucks up congestion avoidance.

      So small VoIP packets would get priority over data transfers and web pages without having to target protocols or even look inside packets.

      What about VoIP /w video packets with much larger per-packet payloads?

      A simple fairness queue works just as well without arbitrary constraints.

    18. Re:DPI isn't a problem. by Altrag · · Score: 1

      Because 50ms of latency on a call is horrendous. 50ms extra time on a 2hr download is unnoticeable.

      Even within your own network, it's pretty nice to have the ability to prioritize VOIP over BT. I know there's the argument that the user could just do it themselves but that has the pretty fatal flaw that 99% of the users have no idea how the fuck to do that.

      And expecting every dumbass in the world to get 3-6mo of network training (not to mention having to buy more expensive network equipment as very few consumer grade routers support these features) in order to do something that their ISP is perfectly capable of is just asinine.

      Network neutrality is important for allowing new innovations to thrive.. but HTTP and BT and VOIP aren't new innovations -- they're well-established protocols with well-established (at least by vast consensus) relative priority levels.

      It's true that you're technically breaking neutrality to apply those priorities, but sometimes the tradeoff is necessary for practical reasons (as long as it's strictly monitored to prevent abuse!) VOIP would have never made it to consumer level if such prioritization didn't happen.

      And yes as another poster mentioned, you can rant about the ISPs overselling bandwidth. But you know what, you can always go get a dedicated line. Then you don't have that problem. Of course the full cost of the line then falls on your shoulders rather than splitting it with everyone else on your node.

      But hey if you're expecting me to get an expensive commercial grade router and go through a networking course, I see no reason why I shouldn't expect you to already be paying for your own line.

    19. Re:DPI isn't a problem. by AK+Marc · · Score: 1

      This is too simple/naive and mucks up congestion avoidance.

      Many congestion systems take packet size into account now.

      What about VoIP /w video packets with much larger per-packet payloads?

      You get worse experience than voice alone.

      A simple fairness queue works just as well without arbitrary constraints.

      The "best" way is to let everyone set their own priorities and honor those, so long as people set their traffic appropriately, which we know doesn't happen.

  15. I looked into encryption for a game... by Anonymous Coward · · Score: 1

    I looked into encryption for a game I'm working on. I think that's a good example of the "opportunistic encryption" you speak of.

    The game remains unencrypted. It's been a little too long (two years ago) to remember the details, but if it were as easy as "call this function with a block of data and an encryption key" we certainly would have done it just for the hell of it. Indeed, we wouldn't have even let key distribution problems prevent us -- if necessary we would have done the equivalent of a web site with a self-signed key -- since it's just a game after all so who cares if it gets man-in-the-middle'd. So I assume that what we found was all either insanely complex for no apparent reason (like trying to use libpng -- we eventually found some simple free public domain code to use) or wrapped up in a license that makes the code useless for closed-source projects (and that includes LGPL, since closed-source projects like people to be able to just run their code without having to resolve a dozen dependencies first, but LGPL doesn't allow static linking). Judging from experience with other code I've tried to find, it more than likely was both issues simultaneously. Most free code on the internet suffers from at least one of those two problems.

    It'd be nice if encryption was as simple as opening an "encrypted tcp port" rather than a standard one, but it isn't so simple. If it was, I'm sure we'd see a lot more applications using encryption just because they can.

    -- AC, who watches his posts for replies.

    1. Re:I looked into encryption for a game... by Albanach · · Score: 2

      I looked into encryption for a game I'm working on. I think that's a good example of the "opportunistic encryption" you speak of.

      IPSec Programs like FreeS/WAN, which was followed by Openswan and Strongswan, take care of this automatically. If both endpoints have this set up, the traffic will be automatically encrypted. No further user intervention is necessary.

      http://en.wikipedia.org/wiki/Opportunistic_encryption

    2. Re:I looked into encryption for a game... by postbigbang · · Score: 1

      Naw.

      We just spin up a few dozen machines at AWS, split up the crack load among them, pop your key, and move on to the next twit. /sarcasm

      --
      ---- Teach Peace. It's Cheaper Than War.
    3. Re:I looked into encryption for a game... by bzipitidoo · · Score: 1

      insanely complex for no apparent reason ... like trying to use libpng

      What's so hard about using libpng? I've used it before and don't recall it being difficult. It's easier than OpenGL, and that's not hard either.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    4. Re:I looked into encryption for a game... by macshit · · Score: 1

      ... insanely complex for no apparent reason (like trying to use libpng ...)

      This is just wrong.

      libpng isn't entirely trivial, but it's actually very simple to use, and quite flexible as well—e.g., it's easy to make the library handle all the weird cases automatically itself, but the option exists for you to handle them too if desired. All in all, I'd say it nicely hits the sweet spot between ease-of-use and power.

      It's vastly better designed than many other image libraries (e.g. all the horrid examples that only support whole-image I/O into some awful least-common-denominator image format).

      --
      We live, as we dream -- alone....
    5. Re:I looked into encryption for a game... by Anonymous Coward · · Score: 1

      No, no, no... I agree that OpenGL is about as simple as one can imagine a graphics library being, but libpng is anything but simple. There's a hundred configurables you have to set up (because you might want to decode into 19-bit integers, even though no such platforms actually exist), then it splits the decompression process into many steps, then requires you implement some incredibly moronic and PITA setup to handle errors.

      Instead we use this: http://www.nothings.org/stb_image.c Total code to load an image:

      int x, y, n;
      unsigned char *data;
      data = stbi_load("file.png", &x, &y, &n, 0);
      if (data != NULL) {
          process_image_data_or_something(data, x, y, n);
          stbi_image_free(data);
      } else {
          report_error_condition_or_something();
      }

      It's one function call. You tell it to decode a PNG image, and it decodes a PNG image, or decides that it can't and returns NULL. There's an error variable you can read from as well if you care to know why an error occurred. By contrast, libpng requires that you use setjmp/longjmp for errors because apparently they couldn't think of a way to make it cleanly handle error conditions, so it has to abort the operation by discarding the current stack contents and restoring a saved state. As much as people hate to use a "goto" I don't know how anyone doesn't vomit reading the setjmp/longjmp man pages.

      -- AC, who watches his posts for replies.

    6. Re:I looked into encryption for a game... by Anonymous Coward · · Score: 1

      libpng isn't entirely trivial, but it's actually very simple to use, and quite flexible as well—e.g., it's easy to make the library handle all the weird cases automatically itself, but the option exists for you to handle them too if desired.

      Then why is it that searching for "simple libpng example" turns up stuff like this? I count four abort() in the read function and another six in the write function. That means that between each of them there are four calls to libpng in the read function and six in the write function. I'm only asking it to do two things, why do I have to call it ten times? Not to mention I have to call setjmp() all the time because for some reason the damn thing can't simply return an error code.

      It's vastly better designed than many other image libraries (e.g. all the horrid examples that only support whole-image I/O into some awful least-common-denominator image format).

      You mean the ones that just do what you want? Hey, I'm all for having options, but there's one option you don't get with libpng: the "just load the fucking image into a buffer" option. ...and that's just stupid since in 99% of cases that's all anyone wants to do.

      See my reply above for an example from the library I use. It's one function call and it just returns NULL if it fails. You can't get any simpler than that, and strangely I'm not suffering from the lack of flexibility that libpng offers.

      -- AC, who watches his posts for replies.

    7. Re:I looked into encryption for a game... by Anonymous Coward · · Score: 0

      Encrypt before sending data, and decrypt right after receiving data.
      Shouldn't be that difficult: cryptcat has been doing it for years.

      All you need to do then is agree on a password.
      With regard to DPI, you probably could even mail it unencrypted: it's not very likely it will be able to link that which you just mailed to the password for your encrypted socket (unless they have really powerful A.I).

  16. What lack of transparency? by Attila+Dimedici · · Score: 3, Funny

    One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be.

    I am confused. Why would you say that the WCIT and the ITU have lacked transparency? Something that is transparent can be seen through. I don't know about you, but I saw right through them when they said they were doing this to "enhance freedom".

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  17. ok now anyone in favor of this is just evil by CHRONOSS2008 · · Score: 0

    there is nothing good about DPI ask bell canada...
    everything on the net now is surveillanced as a standard
    once this happens im gone from the net and ill just have a computer with all that i have now
    sorry world the govts of this planet are all mental and retarded , and im not one to wish to be spied on.
    if i wanted that i would get a website and walk around my room naked and make money at it.
    as i wont be making any money off their dpi use and all it does is cost money FUCK THEM YOU AND EVERYONE ELSE that stays and supports the system

    i'll buy a solar array kit an ebike and trailer and get a garden going with seeds...enjoy your universe im leaving

  18. DPI always gets it wrong and breaks traffic by Anonymous Coward · · Score: 0

    Requiring DPI support adds costs to networking hardware.

    DPI encourages discrimination on what kind of bits you are sending. Encouraging vendors to play games like break bittorrent traffic without revealing them to their customers.

    What is desirable on over-subscribed links are algorithms like CoDel to solve excess buffering keeping full links running at low latency and not needing special cases for VOIP or gaming.

    DPI is only really good for monopolies messing up content.

    1. Re:DPI always gets it wrong and breaks traffic by Anonymous Coward · · Score: 1

      Sorry, but 50 mbps of bandwidth doesn't cost $50/month wholesale + provisioning + support. Abusive users must be curtailed, and it's certainly better than aggressive gigabytes/month caps.

    2. Re:DPI always gets it wrong and breaks traffic by Anonymous Coward · · Score: 0

      Abusive users? It is not abuse to use what you signed a contract for. In fact it is abuse to not offer the services you have contracted to provide. Furthermore all internet protocols come with the ability to back off when network congestion is detected. Unfortunately too many routers and switches buffer traffic for much longer than can possibly help to keep the pipes full and hide the congestion from the protocols running through them. Which is why the fix is to use an active queue management algorithm like CoDel to control that excessive delay caused by the routers and switches.

      Traffic classification of any kind does not help. Protocols change and the classification fails to properly classify the packets, especially the deeper you look into the packet. Beyond a certain point with packet inspection, protocol designers give up and specify that traffic be encrypted just so that deep packet meddling doesn't break the protocol. At which point you have expensive network gear with useless hardware.

      Requiring deep packet inspection ability in all networking gear just brings the price up, and adds more pot-holes in the information super-highway.

      In hosting scenarios bandwidth goes for about 200Gigabit/month for $10-$20 month, and the wholesale bandwidth prices are lower yet. The cost is all in the lines, the maintenance of the lines and the head end equipment.

      For cell networks that the ITU controls, establishing standards for DPI is all about not letting that VOIP application on your phone compete with their juicy voice plan, and similar serious bits of price gouging.

      So while the people involved may have people's best interests at heart I can't see that DPI makes anything better except for reducing competition among the equipment vendors and driving costs up for everyone.

    3. Re:DPI always gets it wrong and breaks traffic by smellotron · · Score: 1

      ... the fix is to use an active queue management algorithm like CoDel to control that excessive delay caused by the routers and switches.

      I just read the Wikipedia page, and I am familiar with bufferbloat. Since you're advocating the implementation of CoDel as a mechanism for QoS, maybe you can answer these questions:

      • CoDel is cited as "parameterless", but I see right away that there is a parameter of 5ms for the desired latency. Isn't "5ms" a parameter to the algorithm? It seems that a QoS algorithm which lacks parameters is either perfect (unlikely) or overfitted to a specific scenario. How does the algorithm scale across link latency? F.e. very low latency (10G Ethernet, e.g. data center) vs. very high latency (satellite link)?
      • CoDel ignores "good queues". What happens when all queues are "good", but a transient spike exceeds outbound bandwidth? Does it just kill the last packets to arrive, after 5ms? If I adopted CoDel in my home WAP/router, it would have to deal with this situation regularly.
      • What prevents CoDel from working in tandem with DPI for traffic shaping? Maybe the "5ms" parameter could be a function of the packet stream class. Maybe leniency on "good" vs. "bad" flows could be adjusted to favor discards on stream classes which are known to be non-real-time.
    4. Re:DPI always gets it wrong and breaks traffic by epyT-R · · Score: 2

      It's not 'abuse' when the ISP refuses to set hard limits as part of the contract.. go fuck yourself.

  19. Good reasons to not give ITU Internet control by manu0601 · · Score: 2

    If we were looking for good reasons to not give Internet governance to ITU, here we are. Of course one could argue that the current Internet steward, USA, is also a spying big player, but at least it does not openly brag about it.

  20. Handing the Internet's control to the UN eh? by fufufang · · Score: 5, Insightful

    I think ITU's action shows the true colour of the United Nations. I think it is simply too dangerous to pass on the control of the Internet to the United Nations.

    1. Re:Handing the Internet's control to the UN eh? by Anonymous Coward · · Score: 0

      The Internet shouldn't even be a "thing" that a corrupt group can seize in a simple coup. It's supposed to be everyone's separate networks connected together.

    2. Re:Handing the Internet's control to the UN eh? by fyi101 · · Score: 4, Interesting

      This might surprise you, but the United Nations is a big organization, and different parts of it act and think in different ways, sometimes with great disagreements. In fact, that's the whole purpose of the UN: to gather all these people together in one place and make them lob disagreements at each other instead of grenades. Just because one organization associated with the UN misbehaves doesn't mean the World Government is out to get you. Your comment about the UN's "true colours" betrays somewhat of a misconception of the way things work there. It's messy like all human things, but if you don't like the UN, just wait until the world drops any pretense of working together for a unified civilization, and the dictators participating in the Human Rights Commission leave it and drop any pretense of caring for them, then things will get really fun (at least now they admit Human Rights exist and pay lip service to them, that alone is already an ideological victory, which is more important than you might think).

  21. Maybe it's just me. by Anonymous Coward · · Score: 0

    But this is actually a good thing...

    And anyone who disagrees clearly supports child pornography! :|

  22. Or, they're concerned about quality of service? by NitWit005 · · Score: 1

    Motivation

    Packet forwarding and DPI (deep packet inspection) are essential for multi-service delivery in packet-based networks and NGN environment. It is particularly true when handling multi-service (e.g. IPTV/VoIP) traffic because these applications have strict requirements on jitter, delay and packet loss rate. The functionalities of DPI and packet forwarding enhancement can properly identify different type of traffic so as to provide performance guarantees to allow for time-sensitive applications.

    Yep. That sounds deeply sinister. They want to improve your Skype call quality. Those sick people.

    1. Re:Or, they're concerned about quality of service? by Anonymous Coward · · Score: 0

      Concern about quality of service is the reason ATM was a complete flop outside the telephone companies. IP took over the world precisely because it didn't give a damn about quality of service, just doing its best to get packets from A to B.

  23. DNSSEC? by alostpacket · · Score: 1

    Isn't this what DNSSEC is supposed to help with? Key loggers and malware aside.... DNSSEC should, in theory, stop MITM attacks, no?

    --
    PocketPermissions Android Permission Guide
    1. Re:DNSSEC? by Anonymous Coward · · Score: 0

      How would the attack be stopped if someone was sniffing packets on a router? DNS doesn't matter, it just provides names which humans can recognize. Having DNS security is just making sure to have the registration more locked than it currently is, to aid the authorities when there is abuse. So, it is not relevant to the normal network packets which can be sniffed.

    2. Re:DNSSEC? by whois · · Score: 1

      DNSSEC specifically does not stop MITM attacks. It relies on you trusting your recursive DNS server, which you can't do if you are on an untrusted network.

      It's not in the protocol to do so, but you can download the root signing key and verify you're talking to a legitimate DNS server, but what the protocol is providing is trust between a recursive DNS server and a remote authoritative DNS server. The user -> dns server piece is not addressed.

      I asked for some comments from technical people regarding these problems and what you're supposed to be doing if you're surfing at Starbucks and using their DNS server (or the guy next to you who's spoofing a DNS server), but I didn't get a response. I was asking the bind guys and some security lists so I think the message might have been received and correctly understood but maybe they didn't have time to acknowledge or answer it.

  24. FUCK ITU by Anonymous Coward · · Score: 0

    FUCK ITU, is it possible to overturn such policy politically?
    Shame on China, India, Syria, and countries like these

  25. Advance queue management by Anonymous Coward · · Score: 0

    Somehow they have missed that AQM with algorithms like CoDel work and provide a simpler, cheaper, better solution.

    It may not be sinister in intent but it sure looks incompetent. It increases the price of equipment and thus the price of service.

    It sets the stage for filtering based on the type of data and allowing a premium to be charged for your skype traffic to work or be allowed at all. We have already seen companies like ATT try this maneuver.

  26. First time private key exchange by Anonymous Coward · · Score: 0

    Meatspace is ideal, but even exchanging these keys on the first time between two peers would be enough for most people.

    1. All email (and all other communication forms) has a public key attached.
    2. You receive an email from Jane, it has the public key.
    3. All email you send to Jane now uses the public key.
    4. Likewise on the reverse.
    5. If you ever receive an unencrypted email from Jane with a different public key, BIG RED FLAG.

    They'd have to be man-in-the-middling EVERYONE, EVERYWHERE, substituting every key and keeping the substitution concealed somehow. It uses the fact that we can't travel back in time.
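
The pin-on-first-contact scheme described in the comment above, sketched as an added example that is not part of the original post. The `TofuStore` class, the addresses and the key byte strings are hypothetical, constructed stand-ins; a real mail client would fingerprint an actual OpenPGP or S/MIME public key.

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    PINNED = "first contact: key pinned"
    OK = "key matches pin"
    KEY_CHANGED = "RED FLAG: key differs from pin"
    DOWNGRADE = "RED FLAG: unencrypted mail from pinned sender"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the raw public key bytes."""
    return hashlib.sha256(public_key).hexdigest()


class TofuStore:
    """Trust-on-first-use pin store: one fingerprint per correspondent."""

    def __init__(self):
        self._pins = {}  # normalized sender address -> pinned fingerprint

    def observe(self, sender: str, public_key: bytes, encrypted: bool) -> Verdict:
        sender = sender.strip().lower()
        seen = fingerprint(public_key)
        pinned = self._pins.get(sender)
        if pinned is None:
            # Steps 1-2: the first message carries the key, so pin it.
            # Nothing here can detect a key swapped on this first contact.
            self._pins[sender] = seen
            return Verdict.PINNED
        if not hmac.compare_digest(pinned, seen):
            # Step 5: never replace a pin silently; surface the change.
            return Verdict.KEY_CHANGED
        if not encrypted:
            # Same key, but the sender stopped encrypting: also suspicious.
            return Verdict.DOWNGRADE
        return Verdict.OK

    def repin(self, sender: str, public_key: bytes, verified_out_of_band: bool):
        """Accept a new key only after an out-of-band ("meatspace") check."""
        if not verified_out_of_band:
            raise ValueError("refusing to re-pin without out-of-band verification")
        self._pins[sender.strip().lower()] = fingerprint(public_key)


# Constructed sample data: placeholder byte strings, not real keys.
JANE_KEY = b"constructed-public-key-jane"
OTHER_KEY = b"constructed-public-key-substituted"
SAMPLE_MAIL = [
    ("jane@example.org", JANE_KEY, False),   # first contact
    ("jane@example.org", JANE_KEY, True),    # normal encrypted mail
    ("Jane@Example.org", OTHER_KEY, False),  # different key, unencrypted
    ("jane@example.org", JANE_KEY, False),   # right key, but plaintext
]


def classify(mail):
    """Run a sequence of (sender, key, encrypted) messages through one store."""
    store = TofuStore()
    return [store.observe(sender, key, enc) for sender, key, enc in mail]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MAIL, classify(SAMPLE_MAIL)):
        print(msg[0], "->", verdict.value)
```

The pin survives a mismatch, so a single substituted key shows up as a change on every later message until someone verifies out of band and calls `repin`.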

  27. ITU snuggling up to totalitarians by russotto · · Score: 1

    Apparently the ITU, in its bid to take over the Internet, has decided to adhere to the worst totalitarians it can find as allies. Fortunately what they don't appear to realize is that this alienates them with their natural allies inside the US, left-wing anti-DoD (if not outright anti-US) intellectuals.

    And there's always the risk that Vint Cerf will take his Internet and go home.

  28. Meatspace?! by formfeed · · Score: 2

    double public key is hard to man in the middle when you exchange public keys in meatspace

    Whoever uses the term meatspace should be slapped with a pound of raw bacon.

    Also, there should be an xkcd about it.

  29. Why do you care? by Anonymous Coward · · Score: 0

    Americans have had this for a long time. The Patriot Act grants the government the rights to listen to citizens' communication. You created the ECHELON network to spy on people. So why do you suddenly care? For over a decade you didn't care enough to change that.
    With a warrant (and warrantless wiretap) people are being monitored at this very moment. The only difference is that the police of other states can monitor people more efficiently. So why do you care now?

  30. Time Warner Cable already does by Anonymous Coward · · Score: 0

    Like today, I can not load piratebay.se from any machine on my lan. I can RDC to an offsite machine and it hits fine. I can load tor and it also hits fine. Ok this might not be DPI but it is still filtering and is bogus. Even changing the DNS servers in my router and on my machines does not help.

    1. Re:Time Warner Cable already does by xenobyte · · Score: 1

      Are you using http or https?

      Use https and some of the alternative URLs and I'm sure it'll work just fine, DPI or not.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  31. Use your heads please by Anonymous Coward · · Score: 1

    The ITU doesn't want to spy on you or disable your internet connection. The companies that are asking you to stand up and stop the ebil UN do - Google watches everything you do, all day, every day, and will delete everything you post and remove your account on a robotic whim. Just like every other large internet company.

    You say you don't want decisions made behind closed doors? They already are. Google doesn't give a crap what you think. Neither does Apple, or Facebook, or Twitter.

    You say you're opposed to censorship? You already have it. From all those guys.

    You say you don't want the internet unduly influenced by "other governments"? Well, as someone who is not an American I should point out that most of the world doesn't want their life influenced by the US government. But the US government is quite clear that they will do whatever they want to whoever they want to do it to, and they don't care if you don't like it.

    I applaud your zeal. I applaud your lofty goals. But you're really barking up the wrong tree. Everything you say you hate is already here, and the companies you're fighting for are the ones that are doing it to you for fun and profit.

    The ITU isn't perfect by any means. But they're not the bad guys.

    1. Re:Use your heads please by Anonymous Coward · · Score: 0

      That's a false dichotomy. They're all the bad guys.

    2. Re:Use your heads please by Altrag · · Score: 1

      There's a pretty big difference between a state-enforced censorship affecting everybody all the time and a private censorship only affecting their customers and only when those customers are using the service.

      If Google decides to censor something that I disagree with I can just not use Google and take my business to Bing (harhar.)

      If my government does it, I have to move to a whole other country to avoid it.

      And if an international treaty does it.. then what?

      As for the US doing whatever it wants well.. that's another story altogether. For many intents and purposes the US has been a subtle world "government" for a long time now thanks to being powerful enough and sociopathic enough to just bully every other country until they get their way.

      But that's changing. They've got competition now. China's going to be getting up in the US' face more and more as their power expands. (But not on the topic of censorship.. China loves itself some censorship so no complaints on that one I'm sure!)

  32. Encryption by xenobyte · · Score: 1

    ...is available for most protocols - use it!

    I would not dream of accessing my mail using plaintext protocols for instance; imaps and smtps is the way to go.

    And many websites are also available using https instead of http, and there are browser extensions that help you to avoid forgetting, and trying https in vain where not available.

    These measures may not be perfect but they do make eavesdropping much more difficult.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  33. Democracy by Anonymous Coward · · Score: 0

    How do you feel about your democratically elected government now? Keep voting, it makes a difference... lol

  34. And if the ITU weren't involved? by Anonymous Coward · · Score: 0

    If the ITU were not involved, would DPI be nowhere?

    NO.

    Hell, it's being used everywhere at the moment, for fucks sake.

    This is just another attempt to pretend the ITU would be worse than the USA in controlling the internet domain name system.

    Hey, you know all that DMCA stuff? Was that passed any differently? No. Was that in the USA or in some scary "international thingy" that isn't the USA? In the USA.

    Really, merkins, you fucked up the internet and that was fine until someone said you are no longer grown up enough to be trusted with it. Now you're caterwauling about how it'll be China or Saudi (odd how Saudi is a baddie here when so very often to the USA it's BFF) doing it all, as if the USA weren't part of the frigging international world community.

    And, really, that's the problem: the USA sees the world as "Us" and "Everyone Else".

    1. Re:And if the ITU weren't involved? by Anonymous Coward · · Score: 0

      I don't recognize the ITU, I recognize the US CONSTITUTION.
      BIG FUCKING PERIOD.

    2. Re:And if the ITU weren't involved? by Anonymous Coward · · Score: 0

      Too bad your own government can bind you to international treaties and agreements though, isn't it? I keep voting and nothing happens... could it be that my vote is a placebo?

  35. Hmm. And you voted for the lobbyists? by Anonymous Coward · · Score: 0

    You know, the ones that drive those politicians.

    Your president is also an unelected bureaucrat. YOU do not vote for him directly.

    Did you vote for PATRIOT? DMCA? UCITA?

  36. Echelon by Anonymous Coward · · Score: 0

    ECHELON is a global communications interception system, created by the United States, the United Kingdom, Canada, Australia and New Zealand to routinely and indiscriminately monitor and record all forms of electronic communications worldwide both military and civilian and overseen by the National Security Agency. Designed during the Cold War, ECHELON primarily intercepts worldwide non-military communications, including those from governments, organizations, businesses and individuals.
    It could intercept practically any communication between countries anywhere in the world. The project ECHELON receiving system thieves these streams of millions of communications every hour to massive arrays of computers. These computers decrypt messages when necessary, then when required utilize optical character recognition or advanced voice recognition techniques to extract words from each message. Every message captured is analysed for keywords or phrases found in the ECHELON dictionary. Keywords include all the names, places, code words or subjects that might be of interest. There are second search lists for each member country. Messages acquired at any of the receiving posts, containing requested keywords, are automatically passed on to intelligence organizations requesting those keywords. Those messages are flagged for further analysis. An array of receiving stations collect all international communications carried by approximately 20 INTELSAT satellites. The INTELSATs are used by telephone companies of most countries. Though they carry primarily civilian traffic, they also carry diplomatic and governmental communications. These INTELSATs are positioned in the stationary orbit around the equator and carry tens of thousands of simultaneous phone-calls, faxes and e-mails.

  37. Oh please cry me a river by Anonymous Coward · · Score: 0

    That tech is already used by private party. If it is used and abused by private party then I see no reason to approve it in general.

  38. Pity your government doesn't. by Anonymous Coward · · Score: 0

    And, apparently, neither do you.

    I didn't see you complain bitterly about your USA requiring DMCA or the TSA or using DPI or Echelon or GITMO or....

    No, you respect Merika. BIG FUCKING DEAL.

  39. Who gives a shit? by Cederic · · Score: 1

    I'm sorry, but who gives a fuck what the ITU have to say about DPI?

    If I invent a new network protocol and people start using it, it gets used. I don't need the ITU to go "Ooh, that's nice. Everybody use Cederic's lovely new protocol"

    The ITU didn't design, implement, promote and create a worldwide network based on TCP/IP. It managed perfectly well without them, and its replacement can too.

    Let them make up their own little rules. The Internet grew without them, and a new network (with interoperability no less) can too.

  40. Require transparency for secret purpose by jcdr · · Score: 1

    Entities work in secret to require that others don't use secrets. If they want transparency, the minimum is that they are already transparent.

  41. Show the ITU that people still matter! by Altrag · · Score: 1