1) What do you think about Anonymnity? by Planesdragon
Although there's a certain moral argument to an individual's right to privacy, there's also a statistical argument that people simply act irresponsibly when given anonymnity.
What's your take on anonymnity in the internet? Is a good thing? A bad thing? Just a thing not worth talking about?
Vint:
Anonymity is very much worth talking about. The right to privacy is sometimes manifested as a right to anonymity. Window shopping and cash transactions should not require one to reveal identity - and many people feel the same about surfing the net. In some cases, it might be argued that it is sufficient merely to protect 3rd party access to identity information but to require network users to reveal identity. In cases where whistle-blowing is at issue, or reporting of some kind of crime, anonymity may be important to protect. However, the same protection can also lead to potential abuse, as you suggest above. The ability to exploit anonymity, rather than to be legitimately protected by it, creates a genuine conundrum. So this is indeed worth talking about - I'd be interested in your further thoughts.
2) DRM? by GreyWolf3000
What is your perspective on DRM? Specifically, do you think that the Fritz chip, Palladium, and lobbying of the MPAA/RIAA, will change the Internet fundamentally? Can the Internet be tamed at this point? If so, do you find this DRM and such to infringe upon fair use? Is there legitamacy to the common fear that in the future, computers themselves, in order to gain access to the Internet, will have so many restrictions that the Internet itself will begin to suffer from it?
Vint:
I am very concerned about legal policies that are either technically unenforceable or which would have the effect of crippling an entire genre of digital technology. Some of the DRM positions, such as those expressed in the Digital Millennium Copyright Act, that make it illegal to study and publish information about cryptographic methods that might be used to protect intellectual property, are unrealistic and fundamentally unsound. Your concerns strike me as well-founded. While I do believe that techniques for protecting intellectual property are desirable, I am troubled by arguments that essentially make it impossible to allow SOME information to be freely shared, if the parties producing it so desire. The Internet is a big tent and should be able to support many different models of operation ranging from highly protected information to completely open information.
3) Commercial Email's Early Days by ekrout
As vice president of MCI Digital Information Services from 1982-1986, you led the engineering of MCI Mail, the first commercial email service to be connected to the Internet.
As most engineers know, we have to make some sacrifices with every project and get rid of certain features that we had hoped would be there but cannot due to monetary constraints, etc.
Could you explain some of the more difficult decisions you had to make as the head of this particular project? Moreover, was there ever a point in the project where no one thought the final product was viable?
Vint:
This project had its beginnings in late 1982. One of the most difficult decisions that Dave Crocker and I faced in the design of the underlying technology was the departure from linear addressing to allow for multiline "addresses" in MCI Mail. We had undertaken to allow people to send to email targets within the MCI Mail subscriber community, send to postal addresses, to non-MCI Mail destinations (e.g. CompuServe), to Telex destinations and (later) to FAX destinations. We departed from the classical linear addressing structure of Internet email and it took several months of debate before we concluded it was important to accommodate these multiline address structures.
We tried to get the contractors involved (HP, Digital Equipment Corporation, American Management Systems, etc) to use TCP/IP, but you can imagine that Internet and TCP/IP were completely unknown to these parties - as it had only been "rolled out" on a broad scale on the ARPANET on 1/1/1983! So we ended up having to use X.25 and a variety of proprietary protocols developed specifically for MCI Mail for lack of commercial support for TCP/IP.
Email was not well-known in the business sector when we were launching MCI Mail (Sept 27, 1983) and it was hard going to convince business people to use it. We linked MCI Mail to CompuServe as part of the roll-out of MCI Mail, seeking to make MCI Mail more useful by expanding its "connectivity". Generally, it would take from 1983 to 1992 before email became a widely appreciated service in the business world.
4) TCP/IP by sdjunky
considering your work with TCP/IP protocols what would you change now that you can look back retrospectively to how it has been used/misused. What would you incorporate into designs now that weren't even thought of at the time that TCP/IP was created?
Vint:
I suppose I wish I had decided on a larger address space than 32 bits! (that decision was made in 1977 after a year of argument about it). Moreover, I now believe that it would have been wise for us to incorporate into the design principles the notion that every end unit ("thing with an IP address") has a way to "authenticate" itself to any other end unit. As it stands now, these end devices have to declare their own IP addresses and that leads to an architectural opportunity for deception and spoofing. In addition to that, I wish there had been some opportunity to develop end/end cryptographic methods such as IPSEC to increase the confidentiality of information passing through the net. Ironically, beginning in 1975 I began work on a secured version of Internet with the National Security Agency. Because the details of this design were classified, none of this design could be shared with the uncleared developers at universities and industry engaged in the unfolding design of the Internet.
5) Negatives of the 'Net by Dirk Pitt
Of all the Internet has evolved to be, in what aspect of it are you the most disappointed?
Vint:
That's a difficult question. Spam, pornographic and hate web sites, the collision of domain names with trademarks, the desire of some authorities to engage in censorship are all examples of aspects of the Internet that I find disappointing. The countervailing examples of enormously valuable information sharing and applications on the Internet seem to me to more than make up for these shortcomings. Generally speaking, the more the Internet becomes infrastructure for all parts of our complex, global society, the more we are likely to see all aspects of that society reflected in the Internet - one has to be realistic about the diversity of the population of users of the net.
6) The most surprising thing? by zero110
Of all of the surprising uses that people have invented for the Internet, which surprised you the most (good or bad)?
Vint:
I think what surprised me most was the avalanche of content that flowed into the Internet after the invention of the WWW by Tim Berners-Lee and the subsequent rapid deployment of Marc Andreessen's Mosaic implementation of the WWW followed by Netscape Navigator and Internet Explorer and many other web implementations and applications. Of course, the incredible range of content on the net was equally surprising (or disappointing - see above). Internet radio, video and instant messaging were not surprises because the concepts had been around since the late 1960s and early 1970s but when millions of people have access to these facilities and use them, the ensemble takes on characteristics that are hard to predict based on smaller scale deployments of these capabilities of the past.
7) Internet Governance by cleetus
The internet, in order to work even at the most basic technical level, needs some standards; some governance. What do you think is the proper scope of that governace/standard setting, who are the constituents, and what are the proper mechanisms for governing?
How do they differ from what we have to day? On the whole, are you optimistic or pessimistic about all this?
Vint:
It is plain that we need standards to assist in making billions of interacting systems compatible - and the voluntary standards developed in the IETF and many others developed by various bodies seem to have been effective means by which this interoperability has been effected. I would distinguish technical standards from the far more general term "governance". That term covers a multitude of issues well beyond technical interoperability. Your question is phrased in a way that leads me to wonder whether you are mixing technical standards development and the legal framework in which the Internet functions. If you meant only to focus on the governance of the standards process, I would submit that the open procedures of the Internet Engineering Task Force have served the community of Internet users and providers well for many years.
I continue to be optimistic that we will sustain and evolve workable mechanisms both for standards development and for the general governance of the Internet, largely in the belief that the system is too valuable not to get the support it needs to satisfy both needs.
by Evro
Did you ever respond to this message from John Gilmore, which asks why you sided against Karl Auerbach, who (to the best of my knowledge) sought to gain access to ICANN's financial documents? From what I can tell, ICANN's only motivation is to make ICANN more influential (i.e. for its directors to line their own pockets). Given that ICANN is technically a nonprofit organization, this doesn't seem very ethical. Anyhow, the email text is below:
Date: Tue, 19 Mar 2002 14:26:26 -0800 From: John Gilmore Subject: Re: ICANN: Auerbach's Allegations Off Target To: vcerf@mci.net, gnu@new.toad.com
> "Karl paints this as a dispute between him and ICANN management, but > nothing could be further from the truth," noted Board chairman Vint Cerf. > "ICANN management is merely carrying out its obligation to follow the > wishes of the Board as a whole rather than follow the dictates of any > single Director."
Hi, Vint.
I haven't wanted to disrupt our friendship, so I've held off a long time in telling you what I think about how you are leading ICANN. That's why this message is a little longer than it needs to be; I'm saying things that I've been bottling up for a while.
I don't want to be considered a friend of what you now stand for.
You are on the wrong side of this issue, as you have been on the wrong side of many issues regarding ICANN. If ICANN has secrets about who it is doing backdoor favors with, those *should* be made public. And you, as Chairman, as the most prominent and trusted board member, and as the architect of the openness that should still be in the Internet, should have been way ahead of Karl Auerbach in making them public.
Even if those secrets are never made public, or even if there are no terrible secrets inside ICANN, the activities of ICANN MUST be available to every person on the Board of Directors. Without restriction, without delay, without subversion. By law, and for good reasons.
You have been a rubber stamp for many corrupt ideas out of Network Solutions, Verisign and ICANN ever since your election. When I complained to you in the past, such as when the NSI contract was amended to give them a perpetual monopoly, you said that there was nothing else that you could do. I disagreed with that sentiment then, and I disagree with it now. You could have left the contract the way it was, rather than amend it. You don't even have to make things better to keep my respect; you could keep things from getting worse. But you continue to choose to make things worse. Now you are defending ICANN's lack of openness even with its own elected directors!
ICANN was created to promise openness, transparency, accountability, and competition. It has provided none of those, and actively works every month to reduce what little it has provided. You have worked with it to eliminate, rather than create, those promises.
Opening whatever squirming can of worms that is calling the shots at ICANN is what is needed. I can see that ICANN management is terrified that directors from outside the old-boy network might actually find out the details of what ICANN does day by day. They have eliminated any future threat of that, by eliminating outside directors after this term. And they are delaying the current directors' access to information, in the hope that they can permanently avoid outside scrutiny.
I've been a director of several California corporations. I've read that part of the law myself. I've invoked it in a couple of occasions. I contributed significant funding for Karl's lawsuit. Karl is right and you and the ICANN staff are wrong. And now I find you lying about it in a press release. "ICANN management is merely carrying out its obligation to follow the wishes of the Board as a whole..." ICANN *management* instigated those policies, the board didn't. The board has never even considered them.
Virtually everyone at EFF has been looking for ways that we could help to open ICANN and get it to do what it was chartered to do. I've had to hold them back for years, telling them that participation was a waste of our scarce time -- and that no matter how much time they put in, ICANN would have to get really bad before it would ever get better. I put two years of my own life into the domain-name issues, with CORE. It became clear that the strings were being pulled behind the scenes, because the right answers were relatively obvious, yet the wrong answers got approved, providing billions of dollars of benefit to certain parties with heavy ties to the US military. Rather than ICANN making open decisions and using transparent processes, whoever pulls those strings is still controlling what happens. But under ICANN, the process is even murkier and further hidden from public scrutiny. And you're helping.
All the way back at the start of ICANN, EFF and I proposed amendments that would provide a "Bill of Rights" and a "Sunshine Act" and a "Freedom of Information Act" in ICANN's Bylaws. These were all summarily rejected. ICANN does not give a damn about the fundamental rights of citizens or Internet users. It does not want to operate in. the sunshine. And it does not want information about what it's doing to be made available even to its own directors, let alone to the public. Give me one good reason why such an organization should get even a millisecond more of your support -- or anyone's.
The law gives directors an "absolute right" because directors exist to be INDEPENDENT OF and SUPERIOR TO the management. Each and every director has a separate duty to the company; each one carries it out in their own. way. The Board cannot prevent any board member from merely inquiring into the state of the company. The Board cannot condition any board member's inquiry on agreement to a set of arbitrary terms. Nor can the management. This is not only a good idea -- it's the law.
ICANN is going down, one way or another. Either it will go down like East Germany, with a peaceful transition to governance responsive to the public will, or it will go down like Japan, with big bombs dropped on it. ICANN has lost all semblance of credibility and merely seeks to entrench its unaccountable power.
I have absolutely no idea what you are doing leading that megalomaniac, unaccountable, unresponsive, anti-expression, anti-public-interest organization. Did they take your kids hostage? Did you sell your soul for a mess of pottage? What hold do they have over you?
I used to think much better of you than this, Vint. You can see that even now I'm grasping at straws rather than believe that YOU are one of the megalomaniacs. But the evidence continues to pile up, and I'm afraid it's true. I don't want to be the friend of such a person. I'll see you from the other side of the courtroom. Bye.
John
Vint:
I did not respond to John's letter.
If you think that the directors of ICANN or its staff have any opportunity to "line their pockets" you need to look more carefully at the facts. None of the directors are compensated for their work by ICANN - except for reimbursement for travel expenses and many of the directors pay their own travel costs (or their companies do).
In accordance with the court order arising from Karl's lawsuit, ICANN has released to Karl all the information he has requested, as far as I am aware. The basic dispute was NOT that the information should not be released to Karl but rather whether Karl had absolute discretion to decide what information could be released on the public. ICANN deals with proprietary information supplied by various domain name service providers, for example, and the dispute, as I understood it, revolved around how confidential information would be protected, once released to any director.
I do not agree with John's characterization of ICANN. There is an enormous amount of information that ICANN puts on its web site about all of its activities. Compared to most non-profits, ICANN is far more transparent and provides a remarkable degree of opportunity for inputs from all quarters. Even reasonable people can disagree about such things and in this, John and I plainly see things differently.
9) IPv6? by Ransak
We've heard the hype and the 'plans' to move to IPv6 for years now, but the USA seems fairly complacent at IPv4. Do you see IPv6 becoming a reality in the near future (2 to 3 years), and from a high perspective, what do you think (besides the obvious running out of addresses) could spur the movement? Or should we not move at all, and depend on network address translation more?
Vint:
Generally I think the pressure will build only when there are a large number of IPv6 enabled devices entering into Internet space (Internet-enabled cell phones, PDAs, set-top boxes, other consumer devices, etc). People often speculate about "killer applications" for IPv6 but I generally believe that the simple availability of large amounts of address space and ease of configuration (plug and play) will be considered sufficiently significant advantages. The mixed IPv4/IPv6 environment will not be an easy one to manage - and Network Address Translation devices that today are used to "stretch" the use of IPv4 space may prove necessary to act as a bridge from an all-IPv4 world to an all (or mostly) IPv6 world. I think it will be 2-3 years before IPv6 has significant penetration but by 2005 I expect to see that happen. There has been substantial progress in implementing IPv6 in Japan and a notable "push" for it in Europe. The slogan "6 by 6" has emerged as a kind of challenge to get to significant deployment of IPv6 by 2006. In a few years, we will know whether this is realistic or not.
10) An internet of the people, or for the people?... by tekrat
Back when the internet (as we now it) was being developed, it was a government military project.
Vint:
well, it was funded by the US Defense Advanced Research Projects Agency but it was designed by graduate students at research Universities or research Institutions in the US, England, Norway, Germany and Italy.
However, after the internet revolution (of the early 90's) freed it from being Arpa-Net, we had a "golden age" where anyone could connect, and anyone with enough technical know-how could run a server and become a permanent part of the system.
well, actually, ARPANET was separated into ARPANET (bis) and MILNET around 1983 when Internet was first deployed. Commercial use came around 1989. ARPANET was retired in 1990 and NSFNET in 1995. It was open to virtually anyone with the advent of commercial access and service.
But now we see a day looming in the future where large media conglomerates control it all through draconian service agreements that dis-allow private individuals to run servers in their homes, as well as "linking lawsuits", and patents of obvious business methods, all resulting in an internet where the vast majority of the people can only passively view information rather than interactively take part in providing information.
There are a number of such issues associated with the commercial spread of the Internet - however I don't agree with your conclusion that the majority of people cannot contribute information. My impression is that many ISPs offer opportunities to put information on managed web sites. I think running servers at home is still largely not for the general public but that this will change as servers become more simple to operate and configure (plug and play). Moreover, Internet access providers will seek to offer symmetric, high capacity gigabit ethernet services because this is a most efficient way of servicing a wide range of customer needs.
Do you think it's a "good thing" for everyone to run servers (an internet of the people), or do you believe that it's better for the government and corporations to control the flow of information to citizens (an internet for the people).
I think we will see value in both - moreover, until there is ample, symmetric capacity, users will probably prefer that their server sites be operated by outsourcers and even when home servers seem natural, users may prefer to leave their operation to specialists.
While it seems an obvious choice, remember that the situation we have now, where the internet is the "wild west" and mailboxes are littered with spam, and internet rumours become accidental news stories, is a direct result of an internet "of the people".
So there are pros and cons either way. Basically the question boils down to "do you prefer the wild west" versus "do you prefer a controlled, moderated internet?"
I think if I had to choose, I would prefer the more open environment but I also appreciate the need for legal frameworks and shared practices that are predictable. No one really likes surprises from the Internet Service Providers, for example.
CERT® Advisory CA-2002-28 Trojan Horse Sendmail Distribution Original release date: October 08, 2002 Last revised: -- Source: CERT/CC
A complete revision history is at the end of this file.
Overview The CERT/CC has received confirmation that some copies of the source code for the Sendmail package were modified by an intruder to contain a Trojan horse.
Sites that employ, redistribute, or mirror the Sendmail package should immediately verify the integrity of their distribution.
I. Description The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse.
The following files were modified to include the malicious code:
sendmail.8.12.6.tar.Z sendmail.8.12.6.tar.gz
These files began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. The Sendmail development team disabled the compromised FTP server on October 6, 2002 at approximately 22:15 PDT. It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to take the steps outlined in the Solution section as a precautionary measure.
The Trojan horse versions of Sendmail contain malicious code that is run during the process of building the software. This code forks a process that connects to a fixed remote server on 6667/tcp. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software. There is no evidence that the process is persistent after a reboot of the compromised system. However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process.
II. Impact An intruder operating from the remote address specified in the malicious code can gain unauthorized remote access to any host that compiled a version of Sendmail from this Trojan horse version of the source code. The level of access would be that of the user who compiled the source code.
It is important to understand that the compromise is to the system that is used to build the Sendmail software and not to the systems that run the Sendmail daemon. Because the compromised system creates a tunnel to the intruder-controlled system, the intruder may have a path through network access controls.
III. Solution Obtain an authentic version of Sendmail The primary distribution site for Sendmail is
http://www.sendmail.org/ Sites that mirror the Sendmail source code are encouraged to verify the integrity of their sources.
Verify software authenticity We strongly encourage sites that recently downloaded a copy of the Sendmail distribution to verify the authenticity of their distribution, regardless of where it was obtained. Furthermore, we encourage users to inspect any and all software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the file when trying to determine whether or not you have a copy of the Trojan horse version.
Verify PGP signatures The Sendmail source distribution is cryptographically signed with the following PGP key:
pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45 The Trojan horse copy did not include an updated PGP signature, so attempts to verify its integrity would have failed. The sendmail.org staff has verified that the Trojan horse copies did indeed fail PGP signature checks.
Verify MD5 checksums In the absence of PGP, you can use the following MD5 checksums to verify the integrity of your Sendmail source code distribution:
As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see
http://www.cert.org/incident_notes/IN-2001-06.ht ml Employ egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control.
In the case of the Trojan horse Sendmail distribution, employing egress filtering can help prevent systems on your network from connecting to the remote intruder-controlled system. Blocking outbound TCP connections to port 6667 from your network reduces the risk of internal compromised machines communicating with the remote system.
Build software as an unprivileged user Sites are encouraged to build software from source code as an unprivileged, non-root user on the system. This can lessen the immediate impact of Trojan horse software. Compiling software that contains Trojan horses as the root user results in a compromise that is much more difficult to reliably recover from than if the Trojan horse is executed as a normal, unprivileged user on the system.
Recovering from a system compromise If you believe a system under your administrative control has been compromised, please follow the steps outlined in
Steps for Recovering from a UNIX or NT System Compromise Reporting The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#33376]".
Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
>From The Economist print edition
"Free-space" optics requires no fibre. That may be an advantage
FIBRE optics revolutionised communication by abolishing the law that light
can travel only in a straight line. From that point on, light signals could
be treated in the same way as electrical ones, and bent round corners. Some
people, however, are never satisfied. And these dissatisfied engineers are
trying to turn the clock back by developing systems that use "free-space"
optics-in other words sending information from place to place by shining
laser beams through the air.
Free-space optics has three advantages. It is easy to install. It can
handle a technology known as wavelength division multiplexing (WDM)
without, as it were, blinking. And it seems suited to a new-and allegedly
uncrackable-encryption technique called quantum key distribution.
Speed of installation comes from not having to dig up the road to lay
conduits. Free-space optics may thus be an answer to the difficulty of
providing broadband connections to customers' homes and offices-the
so-called "last mile". Free-space links that operate at speeds of up to 20
gigabits a second-as good as fibre-have now been demonstrated. They can be
installed in hours rather than the weeks or months normally needed for
broadband access. And if they can be put into place quickly, they can be
upgraded quickly, too.
That matters in the context of WDM, a technique that allows a single
optical path to carry thousands of parallel channels, as long as each is
encoded in a slightly different colour. Upgrading a fibre network for WDM
is hard. First, individual fibres are each compatible with only a few WDM
schemes. The exact chemical composition of a fibre's glass determines how
transparent it is to different frequencies, and also its tendency to
disperse those frequencies even when it is transparent. Both restrictions
reduce the number of channels that can be carried. Moreover, even if a
particular fibre can be used with a particular scheme, the light sources,
amplifiers, switches and associated paraphernalia usually cannot.
Amplifiers, for instance, will not boost all colours equally, so special
devices are necessary to compensate.
Free-space optics suffers from none of these problems. Air is transparent
to a wide range of frequencies and has few dispersive tendencies (at least,
when the weather is good). And with the associated kit clustered together
in base stations, upgrades are easy to carry out.
The third advantage-for quantum key distribution-is more speculative. The
technique exploits the arcana of quantum mechanics to let two computers
swap a cryptographic key (and thus the means to decode a message) with
perfect security.
Quantum key distribution has been demonstrated successfully in fibres, but
it suffers from one major drawback: it requires a dedicated link, and so
cannot be implemented in a network. However, two experiments carried out in
the past few weeks have shown that it works with free-space optics. First,
researchers at QinetiQ, a British-government-owned company, and Ludwig
Maximilian University, in Munich, Germany, exchanged keys between two
alpine mountain-tops more than 23km apart, though they did so at night,
when sunlight could not confuse the signal. Then, another group of
researchers, from Los Alamos National Laboratory in New Mexico, announced
that they had performed a 10km key exchange in broad daylight.
These two groups are working towards military applications in which the key
is exchanged from the ground to a satellite. But both recognise that the
technology might be exploited commercially, and are part of a European
Union collaboration called QuComm that is encouraging this.
Free-space optics would have the odd drawback, such as flocks of birds,
showers of snowflakes or banks of fog interrupting the beams. But
message-encoding systems are already set up to cope with lost data. Many
customers might be willing to put up with a 99.999% available service that
could be installed straight away, rather than waiting indefinitely for the
100% availability of fibre.
Slashdot Mirror
Article text, just in case /. get /.ed.
---
1) What do you think about Anonymnity?
by Planesdragon
Although there's a certain moral argument to an individual's right to privacy, there's also a statistical argument that people simply act irresponsibly when given anonymnity.
What's your take on anonymnity in the internet? Is a good thing? A bad thing? Just a thing not worth talking about?
Vint:
Anonymity is very much worth talking about. The right to privacy is sometimes manifested as a right to anonymity. Window shopping and cash transactions should not require one to reveal identity - and many people feel the same about surfing the net. In some cases, it might be argued that it is sufficient merely to protect 3rd party access to identity information but to require network users to reveal identity. In cases where whistle-blowing is at issue, or reporting of some kind of crime, anonymity may be important to protect. However, the same protection can also lead to potential abuse, as you suggest above. The ability to exploit anonymity, rather than to be legitimately protected by it, creates a genuine conundrum. So this is indeed worth talking about - I'd be interested in your further thoughts.
2) DRM?
by GreyWolf3000
What is your perspective on DRM? Specifically, do you think that the Fritz chip, Palladium, and lobbying of the MPAA/RIAA, will change the Internet fundamentally? Can the Internet be tamed at this point? If so, do you find this DRM and such to infringe upon fair use? Is there legitamacy to the common fear that in the future, computers themselves, in order to gain access to the Internet, will have so many restrictions that the Internet itself will begin to suffer from it?
Vint:
I am very concerned about legal policies that are either technically unenforceable or which would have the effect of crippling an entire genre of digital technology. Some of the DRM positions, such as those expressed in the Digital Millennium Copyright Act, that make it illegal to study and publish information about cryptographic methods that might be used to protect intellectual property, are unrealistic and fundamentally unsound. Your concerns strike me as well-founded. While I do believe that techniques for protecting intellectual property are desirable, I am troubled by arguments that essentially make it impossible to allow SOME information to be freely shared, if the parties producing it so desire. The Internet is a big tent and should be able to support many different models of operation ranging from highly protected information to completely open information.
3) Commercial Email's Early Days
by ekrout
As vice president of MCI Digital Information Services from 1982-1986, you led the engineering of MCI Mail, the first commercial email service to be connected to the Internet.
As most engineers know, we have to make some sacrifices with every project and get rid of certain features that we had hoped would be there but cannot due to monetary constraints, etc.
Could you explain some of the more difficult decisions you had to make as the head of this particular project? Moreover, was there ever a point in the project where no one thought the final product was viable?
Vint:
This project had its beginnings in late 1982. One of the most difficult decisions that Dave Crocker and I faced in the design of the underlying technology was the departure from linear addressing to allow for multiline "addresses" in MCI Mail. We had undertaken to allow people to send to email targets within the MCI Mail subscriber community, send to postal addresses, to non-MCI Mail destinations (e.g. CompuServe), to Telex destinations and (later) to FAX destinations. We departed from the classical linear addressing structure of Internet email and it took several months of debate before we concluded it was important to accommodate these multiline address structures.
We tried to get the contractors involved (HP, Digital Equipment Corporation, American Management Systems, etc) to use TCP/IP, but you can imagine that Internet and TCP/IP were completely unknown to these parties - as it had only been "rolled out" on a broad scale on the ARPANET on 1/1/1983! So we ended up having to use X.25 and a variety of proprietary protocols developed specifically for MCI Mail for lack of commercial support for TCP/IP.
Email was not well-known in the business sector when we were launching MCI Mail (Sept 27, 1983) and it was hard going to convince business people to use it. We linked MCI Mail to CompuServe as part of the roll-out of MCI Mail, seeking to make MCI Mail more useful by expanding its "connectivity". Generally, it would take from 1983 to 1992 before email became a widely appreciated service in the business world.
4) TCP/IP
by sdjunky
considering your work with TCP/IP protocols what would you change now that you can look back retrospectively to how it has been used/misused. What would you incorporate into designs now that weren't even thought of at the time that TCP/IP was created?
Vint:
I suppose I wish I had decided on a larger address space than 32 bits! (that decision was made in 1977 after a year of argument about it). Moreover, I now believe that it would have been wise for us to incorporate into the design principles the notion that every end unit ("thing with an IP address") has a way to "authenticate" itself to any other end unit. As it stands now, these end devices have to declare their own IP addresses and that leads to an architectural opportunity for deception and spoofing. In addition to that, I wish there had been some opportunity to develop end/end cryptographic methods such as IPSEC to increase the confidentiality of information passing through the net. Ironically, beginning in 1975 I began work on a secured version of Internet with the National Security Agency. Because the details of this design were classified, none of this design could be shared with the uncleared developers at universities and industry engaged in the unfolding design of the Internet.
5) Negatives of the 'Net
by Dirk Pitt
Of all the Internet has evolved to be, in what aspect of it are you the most disappointed?
Vint:
That's a difficult question. Spam, pornographic and hate web sites, the collision of domain names with trademarks, the desire of some authorities to engage in censorship are all examples of aspects of the Internet that I find disappointing. The countervailing examples of enormously valuable information sharing and applications on the Internet seem to me to more than make up for these shortcomings. Generally speaking, the more the Internet becomes infrastructure for all parts of our complex, global society, the more we are likely to see all aspects of that society reflected in the Internet - one has to be realistic about the diversity of the population of users of the net.
6) The most surprising thing?
by zero110
Of all of the surprising uses that people have invented for the Internet, which surprised you the most (good or bad)?
Vint:
I think what surprised me most was the avalanche of content that flowed into the Internet after the invention of the WWW by Tim Berners-Lee and the subsequent rapid deployment of Marc Andreessen's Mosaic implementation of the WWW followed by Netscape Navigator and Internet Explorer and many other web implementations and applications. Of course, the incredible range of content on the net was equally surprising (or disappointing - see above). Internet radio, video and instant messaging were not surprises because the concepts had been around since the late 1960s and early 1970s but when millions of people have access to these facilities and use them, the ensemble takes on characteristics that are hard to predict based on smaller scale deployments of these capabilities of the past.
7) Internet Governance
by cleetus
The internet, in order to work even at the most basic technical level, needs some standards; some governance. What do you think is the proper scope of that governace/standard setting, who are the constituents, and what are the proper mechanisms for governing?
How do they differ from what we have to day? On the whole, are you optimistic or pessimistic about all this?
Vint:
It is plain that we need standards to assist in making billions of interacting systems compatible - and the voluntary standards developed in the IETF and many others developed by various bodies seem to have been effective means by which this interoperability has been effected. I would distinguish technical standards from the far more general term "governance". That term covers a multitude of issues well beyond technical interoperability. Your question is phrased in a way that leads me to wonder whether you are mixing technical standards development and the legal framework in which the Internet functions. If you meant only to focus on the governance of the standards process, I would submit that the open procedures of the Internet Engineering Task Force have served the community of Internet users and providers well for many years.
I continue to be optimistic that we will sustain and evolve workable mechanisms both for standards development and for the general governance of the Internet, largely in the belief that the system is too valuable not to get the support it needs to satisfy both needs.
by Evro
Did you ever respond to this message from John Gilmore, which asks why you sided against Karl Auerbach, who (to the best of my knowledge) sought to gain access to ICANN's financial documents? From what I can tell, ICANN's only motivation is to make ICANN more influential (i.e. for its directors to line their own pockets). Given that ICANN is technically a nonprofit organization, this doesn't seem very ethical. Anyhow, the email text is below:
Date: Tue, 19 Mar 2002 14:26:26 -0800
From: John Gilmore
Subject: Re: ICANN: Auerbach's Allegations Off Target
To: vcerf@mci.net, gnu@new.toad.com
> "Karl paints this as a dispute between him and ICANN management, but
> nothing could be further from the truth," noted Board chairman Vint Cerf.
> "ICANN management is merely carrying out its obligation to follow the
> wishes of the Board as a whole rather than follow the dictates of any
> single Director."
Hi, Vint.
I haven't wanted to disrupt our friendship, so I've held off a long time in telling you what I think about how you are leading ICANN. That's why this message is a little longer than it needs to be; I'm saying things that I've been bottling up for a while.
I don't want to be considered a friend of what you now stand for.
You are on the wrong side of this issue, as you have been on the wrong side of many issues regarding ICANN. If ICANN has secrets about who it is doing backdoor favors with, those *should* be made public. And you, as Chairman, as the most prominent and trusted board member, and as the architect of the openness that should still be in the Internet, should have been way ahead of Karl Auerbach in making them public.
Even if those secrets are never made public, or even if there are no terrible secrets inside ICANN, the activities of ICANN MUST be available to every person on the Board of Directors. Without restriction, without delay, without subversion. By law, and for good reasons.
You have been a rubber stamp for many corrupt ideas out of Network Solutions, Verisign and ICANN ever since your election. When I complained to you in the past, such as when the NSI contract was amended to give them a perpetual monopoly, you said that there was nothing else that you could do. I disagreed with that sentiment then, and I disagree with it now. You could have left the contract the way it was, rather than amend it. You don't even have to make things better to keep my respect; you could keep things from getting worse. But you continue to choose to make things worse. Now you are defending ICANN's lack of openness even with its own elected directors!
ICANN was created to promise openness, transparency, accountability, and competition. It has provided none of those, and actively works every month to reduce what little it has provided. You have worked with it to eliminate, rather than create, those promises.
Opening whatever squirming can of worms that is calling the shots at ICANN is what is needed. I can see that ICANN management is terrified that directors from outside the old-boy network might actually find out the details of what ICANN does day by day. They have eliminated any future threat of that, by eliminating outside directors after this term. And they are delaying the current directors' access to information, in the hope that they can permanently avoid outside scrutiny.
I've been a director of several California corporations. I've read that part of the law myself. I've invoked it in a couple of occasions. I contributed significant funding for Karl's lawsuit. Karl is right and you and the ICANN staff are wrong. And now I find you lying about it in a press release. "ICANN management is merely carrying out its obligation to follow the wishes of the Board as a whole..." ICANN *management* instigated those policies, the board didn't. The board has never even considered them.
Virtually everyone at EFF has been looking for ways that we could help to open ICANN and get it to do what it was chartered to do. I've had to hold them back for years, telling them that participation was a waste of our scarce time -- and that no matter how much time they put in, ICANN would have to get really bad before it would ever get better. I put two years of my own life into the domain-name issues, with CORE. It became clear that the strings were being pulled behind the scenes, because the right answers were relatively obvious, yet the wrong answers got approved, providing billions of dollars of benefit to certain parties with heavy ties to the US military. Rather than ICANN making open decisions and using transparent processes, whoever pulls those strings is still controlling what happens. But under ICANN, the process is even murkier and further hidden from public scrutiny. And you're helping.
All the way back at the start of ICANN, EFF and I proposed amendments that would provide a "Bill of Rights" and a "Sunshine Act" and a "Freedom of Information Act" in ICANN's Bylaws. These were all summarily rejected. ICANN does not give a damn about the fundamental rights of citizens or Internet users. It does not want to operate in. the sunshine. And it does not want information about what it's doing to be made available even to its own directors, let alone to the public. Give me one good reason why such an organization should get even a millisecond more of your support -- or anyone's.
The law gives directors an "absolute right" because directors exist to be INDEPENDENT OF and SUPERIOR TO the management. Each and every director has a separate duty to the company; each one carries it out in their own. way. The Board cannot prevent any board member from merely inquiring into the state of the company. The Board cannot condition any board member's inquiry on agreement to a set of arbitrary terms. Nor can the management. This is not only a good idea -- it's the law.
ICANN is going down, one way or another. Either it will go down like East Germany, with a peaceful transition to governance responsive to the public will, or it will go down like Japan, with big bombs dropped on it. ICANN has lost all semblance of credibility and merely seeks to entrench its unaccountable power.
I have absolutely no idea what you are doing leading that megalomaniac, unaccountable, unresponsive, anti-expression, anti-public-interest organization. Did they take your kids hostage? Did you sell your soul for a mess of pottage? What hold do they have over you?
I used to think much better of you than this, Vint. You can see that even now I'm grasping at straws rather than believe that YOU are one of the megalomaniacs. But the evidence continues to pile up, and I'm afraid it's true. I don't want to be the friend of such a person. I'll see you from the other side of the courtroom. Bye.
John
Vint:
I did not respond to John's letter.
If you think that the directors of ICANN or its staff have any opportunity to "line their pockets" you need to look more carefully at the facts. None of the directors are compensated for their work by ICANN - except for reimbursement for travel expenses and many of the directors pay their own travel costs (or their companies do).
In accordance with the court order arising from Karl's lawsuit, ICANN has released to Karl all the information he has requested, as far as I am aware. The basic dispute was NOT that the information should not be released to Karl but rather whether Karl had absolute discretion to decide what information could be released on the public. ICANN deals with proprietary information supplied by various domain name service providers, for example, and the dispute, as I understood it, revolved around how confidential information would be protected, once released to any director.
I do not agree with John's characterization of ICANN. There is an enormous amount of information that ICANN puts on its web site about all of its activities. Compared to most non-profits, ICANN is far more transparent and provides a remarkable degree of opportunity for inputs from all quarters. Even reasonable people can disagree about such things and in this, John and I plainly see things differently.
9) IPv6?
by Ransak
We've heard the hype and the 'plans' to move to IPv6 for years now, but the USA seems fairly complacent at IPv4. Do you see IPv6 becoming a reality in the near future (2 to 3 years), and from a high perspective, what do you think (besides the obvious running out of addresses) could spur the movement? Or should we not move at all, and depend on network address translation more?
Vint:
Generally I think the pressure will build only when there are a large number of IPv6 enabled devices entering into Internet space (Internet-enabled cell phones, PDAs, set-top boxes, other consumer devices, etc). People often speculate about "killer applications" for IPv6 but I generally believe that the simple availability of large amounts of address space and ease of configuration (plug and play) will be considered sufficiently significant advantages. The mixed IPv4/IPv6 environment will not be an easy one to manage - and Network Address Translation devices that today are used to "stretch" the use of IPv4 space may prove necessary to act as a bridge from an all-IPv4 world to an all (or mostly) IPv6 world. I think it will be 2-3 years before IPv6 has significant penetration but by 2005 I expect to see that happen. There has been substantial progress in implementing IPv6 in Japan and a notable "push" for it in Europe. The slogan "6 by 6" has emerged as a kind of challenge to get to significant deployment of IPv6 by 2006. In a few years, we will know whether this is realistic or not.
10) An internet of the people, or for the people?...
by tekrat
Back when the internet (as we now it) was being developed, it was a government military project.
Vint:
well, it was funded by the US Defense Advanced Research Projects Agency but it was designed by graduate students at research Universities or research Institutions in the US, England, Norway, Germany and Italy.
However, after the internet revolution (of the early 90's) freed it from being Arpa-Net, we had a "golden age" where anyone could connect, and anyone with enough technical know-how could run a server and become a permanent part of the system.
well, actually, ARPANET was separated into ARPANET (bis) and MILNET around 1983 when Internet was first deployed. Commercial use came around 1989. ARPANET was retired in 1990 and NSFNET in 1995. It was open to virtually anyone with the advent of commercial access and service.
But now we see a day looming in the future where large media conglomerates control it all through draconian service agreements that dis-allow private individuals to run servers in their homes, as well as "linking lawsuits", and patents of obvious business methods, all resulting in an internet where the vast majority of the people can only passively view information rather than interactively take part in providing information.
There are a number of such issues associated with the commercial spread of the Internet - however I don't agree with your conclusion that the majority of people cannot contribute information. My impression is that many ISPs offer opportunities to put information on managed web sites. I think running servers at home is still largely not for the general public but that this will change as servers become more simple to operate and configure (plug and play). Moreover, Internet access providers will seek to offer symmetric, high capacity gigabit ethernet services because this is a most efficient way of servicing a wide range of customer needs.
Do you think it's a "good thing" for everyone to run servers (an internet of the people), or do you believe that it's better for the government and corporations to control the flow of information to citizens (an internet for the people).
I think we will see value in both - moreover, until there is ample, symmetric capacity, users will probably prefer that their server sites be operated by outsourcers and even when home servers seem natural, users may prefer to leave their operation to specialists.
While it seems an obvious choice, remember that the situation we have now, where the internet is the "wild west" and mailboxes are littered with spam, and internet rumours become accidental news stories, is a direct result of an internet "of the people".
So there are pros and cons either way. Basically the question boils down to "do you prefer the wild west" versus "do you prefer a controlled, moderated internet?"
I think if I had to choose, I would prefer the more open environment but I also appreciate the need for legal frameworks and shared practices that are predictable. No one really likes surprises from the Internet Service Providers, for example.
- Vint
CERT® Advisory CA-2002-28 Trojan Horse Sendmail Distribution
d 9d2137 sendmail.8.12.6.tar.Za fef34 sendmail.8.12.6.tar.sig
t ml
Original release date: October 08, 2002
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Overview
The CERT/CC has received confirmation that some copies of the source code for the Sendmail package were modified by an intruder to contain a Trojan horse.
Sites that employ, redistribute, or mirror the Sendmail package should immediately verify the integrity of their distribution.
I. Description
The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse.
The following files were modified to include the malicious code:
sendmail.8.12.6.tar.Z
sendmail.8.12.6.tar.gz
These files began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. The Sendmail development team disabled the compromised FTP server on October 6, 2002 at approximately 22:15 PDT. It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to take the steps outlined in the Solution section as a precautionary measure.
The Trojan horse versions of Sendmail contain malicious code that is run during the process of building the software. This code forks a process that connects to a fixed remote server on 6667/tcp. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software. There is no evidence that the process is persistent after a reboot of the compromised system. However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process.
II. Impact
An intruder operating from the remote address specified in the malicious code can gain unauthorized remote access to any host that compiled a version of Sendmail from this Trojan horse version of the source code. The level of access would be that of the user who compiled the source code.
It is important to understand that the compromise is to the system that is used to build the Sendmail software and not to the systems that run the Sendmail daemon. Because the compromised system creates a tunnel to the intruder-controlled system, the intruder may have a path through network access controls.
III. Solution
Obtain an authentic version of Sendmail
The primary distribution site for Sendmail is
http://www.sendmail.org/
Sites that mirror the Sendmail source code are encouraged to verify the integrity of their sources.
Verify software authenticity
We strongly encourage sites that recently downloaded a copy of the Sendmail distribution to verify the authenticity of their distribution, regardless of where it was obtained. Furthermore, we encourage users to inspect any and all software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the file when trying to determine whether or not you have a copy of the Trojan horse version.
Verify PGP signatures
The Sendmail source distribution is cryptographically signed with the following PGP key:
pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002
Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
The Trojan horse copy did not include an updated PGP signature, so attempts to verify its integrity would have failed. The sendmail.org staff has verified that the Trojan horse copies did indeed fail PGP signature checks.
Verify MD5 checksums
In the absence of PGP, you can use the following MD5 checksums to verify the integrity of your Sendmail source code distribution:
Correct versions:
73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889
8b9c78122044f4e4744fc447ee
As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see
http://www.cert.org/incident_notes/IN-2001-06.h
Employ egress filtering
Egress filtering manages the flow of traffic as it leaves a network under your administrative control.
In the case of the Trojan horse Sendmail distribution, employing egress filtering can help prevent systems on your network from connecting to the remote intruder-controlled system. Blocking outbound TCP connections to port 6667 from your network reduces the risk of internal compromised machines communicating with the remote system.
Build software as an unprivileged user
Sites are encouraged to build software from source code as an unprivileged, non-root user on the system. This can lessen the immediate impact of Trojan horse software. Compiling software that contains Trojan horses as the root user results in a compromise that is much more difficult to reliably recover from than if the Trojan horse is executed as a normal, unprivileged user on the system.
Recovering from a system compromise
If you believe a system under your administrative control has been compromised, please follow the steps outlined in
Steps for Recovering from a UNIX or NT System Compromise
Reporting
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#33376]".
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
But if you are gonna make me, I'll take one of these - once pricing gets a bit reasonable. In the meantime, please let me get some sleep.
>From The Economist print edition
"Free-space" optics requires no fibre. That may be an advantage
FIBRE optics revolutionised communication by abolishing the law that light can travel only in a straight line. From that point on, light signals could be treated in the same way as electrical ones, and bent round corners. Some people, however, are never satisfied. And these dissatisfied engineers are trying to turn the clock back by developing systems that use "free-space" optics-in other words sending information from place to place by shining laser beams through the air.
Free-space optics has three advantages. It is easy to install. It can handle a technology known as wavelength division multiplexing (WDM) without, as it were, blinking. And it seems suited to a new-and allegedly uncrackable-encryption technique called quantum key distribution.
Speed of installation comes from not having to dig up the road to lay conduits. Free-space optics may thus be an answer to the difficulty of providing broadband connections to customers' homes and offices-the so-called "last mile". Free-space links that operate at speeds of up to 20 gigabits a second-as good as fibre-have now been demonstrated. They can be installed in hours rather than the weeks or months normally needed for broadband access. And if they can be put into place quickly, they can be upgraded quickly, too.
That matters in the context of WDM, a technique that allows a single optical path to carry thousands of parallel channels, as long as each is encoded in a slightly different colour. Upgrading a fibre network for WDM is hard. First, individual fibres are each compatible with only a few WDM schemes. The exact chemical composition of a fibre's glass determines how transparent it is to different frequencies, and also its tendency to disperse those frequencies even when it is transparent. Both restrictions reduce the number of channels that can be carried. Moreover, even if a particular fibre can be used with a particular scheme, the light sources, amplifiers, switches and associated paraphernalia usually cannot. Amplifiers, for instance, will not boost all colours equally, so special devices are necessary to compensate.
Free-space optics suffers from none of these problems. Air is transparent to a wide range of frequencies and has few dispersive tendencies (at least, when the weather is good). And with the associated kit clustered together in base stations, upgrades are easy to carry out.
The third advantage-for quantum key distribution-is more speculative. The technique exploits the arcana of quantum mechanics to let two computers swap a cryptographic key (and thus the means to decode a message) with perfect security.
Quantum key distribution has been demonstrated successfully in fibres, but it suffers from one major drawback: it requires a dedicated link, and so cannot be implemented in a network. However, two experiments carried out in the past few weeks have shown that it works with free-space optics. First, researchers at QinetiQ, a British-government-owned company, and Ludwig Maximilian University, in Munich, Germany, exchanged keys between two alpine mountain-tops more than 23km apart, though they did so at night, when sunlight could not confuse the signal. Then, another group of researchers, from Los Alamos National Laboratory in New Mexico, announced that they had performed a 10km key exchange in broad daylight.
These two groups are working towards military applications in which the key is exchanged from the ground to a satellite. But both recognise that the technology might be exploited commercially, and are part of a European Union collaboration called QuComm that is encouraging this.
Free-space optics would have the odd drawback, such as flocks of birds, showers of snowflakes or banks of fog interrupting the beams. But message-encoding systems are already set up to cope with lost data. Many customers might be willing to put up with a 99.999% available service that could be installed straight away, rather than waiting indefinitely for the 100% availability of fibre.