The single best part of this techdirt article is reading the pro-PROTECT IP-shills perform writing gymnastics to "prove" that Vixie doesn't know what he's talking about, that only pirates would circumvent a state-sponsored and censored DNS system, and that the state would bother censoring non-"rouge" web sites. Oh, and that administrative punishment, not transparent to the citizenry, won't allow abuse and use for other purposes.
I love the techdirt Shill Corps. They're the best!
Lawrence Lessig once wrote something to the effect of, on the Internet, we're bound less by the paper laws contrived by policymakers and more by the intrinsic policy decisions made by code. The point I take from that is, one way or another, people are making decisions for you. Unless you can both build infrastructure and secure adoption for it, someone else is making decisions that curtail your liberty.
In this case, one of the same people who says DNS filtering will break the Internet just one year ago advocated a whole new piece of infrastructure to allow people to filter the DNS.
When Vixie did it, it was to suppress malware sites. I agree that this is a more admirable use of fiat third-party filtering than anti-piracy (note though that unlike the rest of HN, I think anti-piracy is a fine goal). But fundamentally, what's happening in both cases is mostly the same; other people making decisions about what you can and can't see on the Internet. And my point is, maybe that's OK.
Note also that nobody can impeach the DNS administrators and standards group sherpas.
>In this case, one of the same people who says DNS filtering will break the Internet just one year ago advocated a whole new piece of infrastructure to allow people to filter the DNS.
Filtering infrastructure is one thing, this is an actual law you could break (accidentally even) and then get into real trouble.
"In the last few months we've been hearing from more folks in the startup world who are really concerned about the excessive burdens PROTECT IP is going to put on them. If you're an entrepreneur who's worried about this, we'd like to hear about it. Please contact us."
Contrary to the lede of this article, it's not impossible to merely question Vixie's credibility here†.
First, this is the same Paul Vixie who proposed and advocated for RPZ. RPZ is a distributed blacklisting scheme for the DNS. Unlike the the email spam RBL, RPZ works at the level of DNS, allowing "policy" to determine which lookups fail. So it seems that DNS filtering doesn't break the Internet when it's used to combat malware, but does break the Internet when it's used suppress piracy.
Second, however urgent the authors of this document want to make DNSSEC sound, the entire Internet functions without DNSSEC today. I can go on and on about how broken I think DNSSEC is, but I don't think I need to bother, because there's an even stronger argument as to how unnecessary it is. Put simply, the "secure Internet" was designed to assume that the DNS was untrustworthy. We built an entire parallel directory alongside the DNS to resolve that. To a large extent, that secure directory (the X509 SSL/TLS PKI) works whether or not the DNS is unsafe. To the extent that the DNS threatens TLS, those are fixable flaws in the TLS infrastructure (and many of those flaws are policy issues in TLS, and the majority of the balance of those flaws are UX issues stemming from the fact that we haven't refined the UI for TLS since it was introduced by Netscape).
Breaking DNSSEC does not break the Internet. Proof: go do a Google search for your bank, click through it, log in, and check your balance. Let me know if any DNSSEC happens along the way.
Tying this back to Paul Vixie: Vixie is the Internet's foremost advocate for DNSSEC. It's unfair but not totally unreasonable to suggest that Vixie resisted the randomization fixes to BIND that Djbdns adopted because he preferred DNSSEC as the solution to that problem; as a result, BIND's DNS cache was vulnerable for almost a decade while Djbdns wasn't.††
Next, as smart as Danny McPhereson may be, I think it's far from proven that DNSSEC can't coexist with fiat third-party filtering. In the DNSSEC implementation originally envisaged by the working group's current iteration of the protocol, end systems don't even run DNSSEC; they run stub resolvers that talk to cache servers that run the whole protocol. Those cache servers could have lookaside rules for a policy zone without breaking the security model for DNSSEC.
Finally, because the reality is that virtually nobody speaks DNSSEC today, it may suffice for PROTECT IP's goals to filter only insecure DNS. The sponsors of PROTECT IP could just easily say, "uh, of course we don't mean DNSSEC is illegal; we'll deal with DNSSEC another day, but for now, we're suppressing websites, not trying to destroy them, and we're content to have our intervention only impact DNS users".
I'm not a believer in PROTECT IP, I just think this argument is fragile.
For whatever it's worth, I think all 5 of the authors of this report are advocating in good faith what they think is best for the Internet. And I do buy the argument that fiat third-party filtering is bad for the Internet. I just don't think "it breaks DNSSEC" is the most compelling or intellectually honest argument. I think the honest argument is, "because we don't think any one authority will be an adequate steward of the Internet".
† I'm choosing my words carefully; the answer to the question might still be "he's totally credible".
†† Again this is a drastically unfair summary of an issue that could possibly reworded in a way that would refute my point, which is that Vixie's going to tend to err on the side of whatever makes DNSSEC easier to deploy.
I think one of the reasons flawed legislation like "Protect IP" comes into the picture is because the "Internet" community does not have a technical ruling body like the AMA (American Medical Association). The Congress trying to legislated IP packets is a ridiculous idea. But their trying to legislate medical procedures is an equally ridiculous idea (well, except for the anti-abortion zealots), and for that we have the AMA to thank for. They step in and tell the politicians: stay away from our business; we know what we are doing.
So maybe an association like AMA (American Network Association?) would be beneficial here. Every practicing computer scientist/engineer can join in, and with their membership fees, they would make sure that asinine legislation doesn't see the light of the day.
The main reason the AMA and similar orgs exist is to make more money for the members. The functional result of those bodies is actually a lot like a white collar union.
Computer people would be smart to start something like that -- it would benefit them tremendously. But computer nerds have a slave mentality.
I don't know if they "should get to decide", but as the group tasked sort of "de facto" with implementing the technical controls which result from enforcement, I think you could argue that they should be more involved than being told "hey, we just legislated this, now make the internet comply."
I generally have a bug up my ass about the idea that those capable of doing $X with technology should be the ones to decide when/how we do $X. We don't, by way of example, leave the rules about deploying deadly force up to the best marksmen in the police; or, more reasonably, we don't leave air traffic flight paths entirely up to the air traffic controllers.
But that is generally the attitude we seem to favor with regards to the Internet. It's a sort of "might makes right" setup; "Oh yeah? You want to stop people from violating centuries-old copyright laws? Why don't you design and implement a scalable distributed directory system?" Whether you support copyright or don't (I do), this doesn't seem like a good process for determining policy.
Part of that is just 15+ years spent in software security. The notion seems to be "if it's hard to stop someone from doing $X with technology, we shouldn't make it illegal to do $X". Well, you'd be surprised what it's hard to stop people from doing.
I don't disagree. I think maybe it's partly just "nerd exceptionalism" (which seems to run rampant in discussions with technical people). I like the idea of policies/laws being created with advise from people actually knowledgeable in the effected area, but I don't think that's the same thing as saying that those policies/laws should be drafted by that same special interest.
I like the idea of financial people being advisors in policy-making regarding economics, but also cringe at the thought of them being the ones to draft the legislation.
I'm actually a pretty bad nerd, in that I don't get particularly riled up about issues like this. I also support copyright (self-serving as a working photographer, but also as someone who just doesn't see a problem with the arrangement of paying people who make things I enjoy, and not feeling entitled to disregard the way they want to make those things available).
I also think I'm a dinosaur, and that in another fifteen years, the entire makeup of content creation and distribution will have been gutted by a society that increasingly feels like it's their inalienable right to have access to whatever they want. I hope I'm wrong about that though.
I love the techdirt Shill Corps. They're the best!