
Sep 15 2013

Taking back the Internet by going back to basics

Bruce Schneier, all-around security guru and hero of the revolution, says we should ‘Take back the Internet’. If you haven’t read that link, follow it and read it now. Go ahead, I’ll wait…

Now, let’s laser-in on one of Bruce’s points:

Dismantling the surveillance state won’t be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we’re going to be breaking new ground.

Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We’ve had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.

Oh, so it’s back in our laps is it? Everyone goes flocking off to play with the shiny new social tools in the brutally centralized world of HTTP and DNS. Then, when they find out Walled Gardens are not actually any safer from bad guys and government spies – that in fact they are even better hunting grounds than the lawless reaches – well then they come crying back to the techies. “Save us from our stupid choices!”

Well, we techies are used to it. How many times have we done something technically stupid because of choices made by sales or management, and then been called back later to fix the mess that resulted? We are here to help, and help we will. Mind you, we think we have some quality “told you so” moments coming. But now isn’t the time for that.

Bruce is right that technologists should be at the table when tech policy is discussed. In fact I trust him to represent me in those forums. But he is forgetting one important factor of the techie mindset: we don’t like talking about things, we like fixing them. And fix we will. In fact it is already happening.

Right now there are hundreds of Open Source projects in various stages around the world aiming to fix the security problem with software and protocols. Some of them are just taking shape in the minds of smart people, and some have been around long enough that the NSA has already worked at compromising them. Some will try to replace Facebook and Twitter, while others will focus on anonymity or additional security for existing systems. A few will enable Darknets in an attempt to Balkanize the Internet.

In my opinion, no matter what they do, each and every successful project to emerge out of this explosion of creativity will share two very important features: Strong encryption and decentralization.

And I say it is all re-inventing-the-wheel and a wasted effort!

Why? Not because it won’t work. Not at all. These are smart guys and they will come up with some good solutions. Some of those good solutions might even be actually new in some way, instead of just a different way to make a round thing attached to an axle.

No, I say this because the software and the protocols needed to enable those two features already exist. Have for years. Hell, some of them go back to the late 1970s, when UUCP was first shuttling files between Unix boxes over dial-up lines and IBM 360s still ruled the earth!

What the hell am I talking about?

  1. NNTP – Network News Transfer Protocol (store-and-forward article transport; every server keeps its own copy of the spool)
  2. TLS – Transport Layer Security (encrypts each hop: client to server, or server to server)
  3. UUCP – Unix-to-Unix Copy (can be used to create ad-hoc darknets, even in the absence of an Internet transport)
  4. RSS – Really Simple Syndication (a way for the data pushed around by NNTP to be self-describing)

There you go: four existing technologies, each with dozens of implementations and APIs. Four mature technologies you can combine to create anything from a mashup of Facebook and Instagram to a complete darknet with no connection to the Internet. All the plumbing you will ever need on the back-end.

In fact, all you need is some server configuration and a custom front-end. And you can make it genuinely secure, because everything NNTP pushes around can be encrypted at the endpoints in a way only authorized users can decrypt. TLS only protects the hop between two machines; the server at each end still sees the article. So encrypt the article body itself before it is posted, and push both the security and the implementation logic out to the endpoints. The one thing this does not hide is the headers a server needs to relay and deduplicate articles: who posted, to which group, when, and under what Message-ID. That metadata is exactly what mass surveillance feeds on, so keep it as bland as you can (pseudonymous senders, opaque subjects) and treat anything you leave in the clear as public.
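As an added illustration (not code from the original post), here is what “push the security out to the endpoints” looks like for a single NNTP article: the body is sealed under a key the group’s authorized readers share out of band (an assumption), while only the routing headers the server needs stay in clear. The group name, sender address, key and the reserved example.invalid domain are all made up for the demo, and the HMAC-SHA256 counter-mode cipher is a stdlib-only stand-in so the script runs anywhere; a real deployment would use an AEAD such as AES-GCM or PGP/MIME and a proper key-distribution scheme.

```python
"""End-to-end encrypted NNTP article: headers in clear, body opaque to relays.

Added example; not code from the original post. The HMAC-SHA256 counter-mode
cipher is a stdlib-only stand-in for a real AEAD (AES-GCM, ChaCha20-Poly1305).
"""
import base64
import email
import hashlib
import hmac
import os
from email import utils as email_utils
from email.policy import default as default_policy

# Constructed demo key for the group's authorized readers (assumed to be
# distributed out of band). Anyone without it, the NNTP server included,
# sees only ciphertext.
GROUP_KEY = hashlib.sha256(b"demo shared group key - constructed, not real").digest()
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (toy stream cipher)."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the shared group key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a relay that edited the body fails here."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered article")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def build_article(key: bytes, newsgroup: str, sender: str, plaintext: str) -> bytes:
    """RFC 5536 article. Only routing headers are in clear; the Subject is a
    placeholder because a real subject would leak content to every relay."""
    # example.invalid is reserved (RFC 2606), so this Message-ID is plainly made up.
    msg_id = "<%s@example.invalid>" % os.urandom(8).hex()
    body = base64.encodebytes(seal(key, plaintext.encode("utf-8"))).decode("ascii")
    headers = [
        "From: " + sender,
        "Newsgroups: " + newsgroup,
        "Subject: [encrypted]",
        "Date: " + email_utils.formatdate(usegmt=True),
        "Message-ID: " + msg_id,
        "Content-Type: application/octet-stream",
        "Content-Transfer-Encoding: base64",
    ]
    # base64 lines never start with '.', so no NNTP dot-stuffing (RFC 3977
    # section 3.1.1) is needed before POST/IHAVE.
    return ("\r\n".join(headers) + "\r\n\r\n" + body.replace("\n", "\r\n")).encode("ascii")


def relay_view(article: bytes) -> dict:
    """Everything an NNTP server, or anyone watching it, can read: the headers
    and an opaque body. TLS on the wire does not change this picture."""
    msg = email.message_from_bytes(article, policy=default_policy)
    return {"headers": {k: str(v) for k, v in msg.items()},
            "body": msg.get_payload(decode=True)}


def read_article(key: bytes, article: bytes) -> str:
    """Endpoint side: strip the transport framing and decrypt."""
    return unseal(key, relay_view(article)["body"]).decode("utf-8")


def can_read(key: bytes, article: bytes) -> bool:
    """True only for holders of the right key and an unmodified article."""
    try:
        read_article(key, article)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    art = build_article(GROUP_KEY, "alt.example.test", "alice@example.invalid",
                        "Meet at the usual place at nine.")
    print(art.decode("ascii"))
    print("relay sees:", relay_view(art)["headers"])
    print("reader sees:", read_article(GROUP_KEY, art))
```

Run it and compare the two views. `relay_view` is the honest picture of what a server on the path learns even when every connection is wrapped in TLS: a sender, a group, a timestamp and a Message-ID, but not one byte of content. That is the design point: the server is just a dumb spool you do not have to trust, and the trust lives in the key held at the endpoints.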

But don’t mind me. I’m sure you will prefer one of the new shiny things some smart guy is working on right now. Just beware of implementations that require central services. Let’s not repeat our old mistakes in the new stuff, too.