Absolute Scale Corrupts Absolutely (apenwarr.ca)
214 points by dankohn1 on Sept 13, 2019 | 51 comments



> "What is corruption? On the Internet, it's botnets and DDoS attacks."

While I don't disagree these are problems, it seems like the real corruption is misinformation. To follow the flow of the article, the cheaper and faster information flows, the more likely it is to be wrong. Think of how major news networks have "breaking news" that ends up being flawed or wrong. (I'm struggling to find it, but someone watched "breaking news" a couple of weeks after it broke, and tried to figure out how accurate news reporting was. Huge eye-opener for me). It used to be a small number of people knew how to make web pages and host them. Now anyone can comment on any number of social media platforms with maybe even more than one account.

To quote Dogbert: "Do you know how hard it was to spread rumors before the internet?"

And it's the people that are spreading the information, although some botnets seed it. People are very diverse, and are a great transmission mechanism, since they change it in any number of ways.

Also, I remember DDoS attacks and botnets were around and thriving long before most people knew what they were. Anyone remember WinNuke? This isn't some magical new problem, it's just that more people are affected, and therefore more people have heard of it.

I think the real problem with the internet isn't that it's too big, or has too many people, but now it basically mirrors the real world. Many people and companies are on the internet, trying to do what they were in the real world on the internet. That invites criminals and troublemakers to also do what they do on the internet.

The real problem is human nature, and that system is definitely large enough to be corrupted. And it has been, for a long time.


The point being made is that it's some mathematical thing, more fundamental than human nature, things that aren't human mediated behave this way too.

Think of the transmission of a disease as the percentage of the population immune to it decreases. Island infections isolated by being unable to reach new susceptible victims fizzle out. But above a certain susceptible percentage, the infection can leap from group to group along the edges where they touch, and it becomes a pandemic.

It's not just that the internet mirrors the real world, although it does. It's that it breaks down isolation barriers in the real world which used to passively defend against the spread of all sorts of unrelated corruption, everything from Nigerian prince scams to bitcoin wallet stealing to nation state disinformation.


>It's that it breaks down isolation barriers in the real world which used to passively defend against the spread of all sorts of unrelated corruption

You've just put into words the loosely formed thought that's been trying to escape my brain. Nature has a mechanism for limiting the positive feedback effect of new corruption forces: geographic isolation. It's as fundamental to diversity as evolution. Think e.g. the species that survive on the Galapagos islands that would otherwise have been wiped out.

The internet has no circuit breaker; no way to attenuate positive feedback cycles amplifying a signal (whatever that signal might be).

I'm no economist, but it seems to me that free market economics has the same weakness: unfettered amplification without counterbalancing isolation removes diversity. And leads to the small number of dominant monopolies in given industry sectors. FANMAG[0] in the tech sector being just the latest example.

That's probably also why we shouldn't be hopeful about the author's proposal as it's likely to end in one of two results:

1. A failure
2. A new monopoly

The idea of a "network of networks" is intuitively appealing at first sight, but it's difficult to see how that serves society well if one company runs them all. Another reason, perhaps, to treat the underlying network as a utility.

[0] Facebook, Apple, Netflix, Microsoft, Amazon, Google.


Reading or writing about things in depth (and thus slowly) used to be a virtue. Society used to look down on unsubstantiated gossip, and up on the people that read long texts. That changed when the stock markets became fast, by the 70's and 80's. Quick access to gossip started to mean money, and gossip reading or writing became virtuous.

I have no idea what to fix, but any solution probably involves restoring that one value to its previous state.


> Wouldn't it be nice though? If you could have servers, like you did in the 1990s, with the same simple architectures as you used in the 1990s, and the same sloppy security policies developer freedom as you had in the 1990s, but somehow reach them from anywhere? Like... a network, but not the Internet. One that isn't reachable from the Internet, or even addressable on the Internet. One that uses the Internet as a substrate, but not as a banana.

> That's what we're working on.

So... They are working on a VPN then...?


They are working on a banana. One VPN to rule them all. Nobody would corrupt that.

Or so it sounds.


Sounds like an overlay network like zerotier to me.


Which is.. a network.. that is virtual.. and private :D


Yeah, I had to double check to see when this article was written. Was an interesting read but not sure what they meant by this.


> For computer viruses, maybe we can have 10 operating systems, but you still don't want to be the unlucky one, and you also don't want to be stuck with the 10th best operating system or the 10th best browser. Diversity is how nature defends against corruption, but not how human engineers do.

Hold up. I'm not sure what "the 10th best browser" even means. There isn't some absolute scale of browser quality. The web browser that more than half the world uses is kind of lousy in my eyes. That's why these alternatives exist.

Even if there were a single "best", you'd be much less likely to "be the unlucky one", because if everyone is using a system with tiny market share, you're each much less appealing to attackers. And the distribution falls off really fast.

What's the 10th most popular OS today? NetBSD, maybe. I searched the CVE list for "Microsoft Windows", and see 61 issues in 2019. "macOS" has 44 this year, and NetBSD hasn't had any since 2017. The NetBSD developers are smart and careful, I'm sure, but at least part of that has got to be because they've got <0.1% market share. Nobody wants to spend time attacking NetBSD because then you've got the problem of finding a NetBSD system to actually attack! I wouldn't use obscurity as my only security, but I'm not going to discount its value, either.

> In fact, a major goal of modern engineering is to destroy diversity. As Deming would say, reduce variation. Find the "best" solution, then deploy it consistently everywhere, and keep improving it.

I disagree. Software engineering (real engineering, not "I built a webpage over the weekend") does indeed use diversity as a tactic. Avionics famously has multiple independent implementations, and checks results between the units.

"Find the best solution" is great for general problem solving strategies, but not good for sourcing implementations. When I'm building something, I don't want to use a hardware component that was only available from one supplier. Standardize the interfaces and requirements, but then make sure you can meet those in more than one way.


> Avionics famously has multiple independent implementations, and checks results between the units.

We studied this at university and it turns out even independent implementations tended to have the same errors. So it’s even more work than expected, and non-intuitively, they should be slightly less independent for that reason.


source?


It was Nancy Leveson with this article having a few links:

https://leepike.wordpress.com/2009/04/27/n-version-programmi...

Leveson's a brilliant, influential person in software safety:

https://en.wikipedia.org/wiki/Nancy_Leveson


The title is pretty click-baity and I don't necessarily agree with the conclusion. The author raises a lot of good points about large systems being subject to corruption.

However, I think the internet is self-regulating. Eventually, users will choose new products, companies, and services that align with their values.

I think we're at the tail end of the first phase of internet mega-corporations. In the past 15 years we've learned a lot about how people interact on the internet, and how it's rife for abuse and misinformation. We've created systems that negatively influence the quality of our lives and relationships.

I don't believe that this is necessarily the status quo. There's certainly momentum and money on the side of existing incumbents, but I think the public is slowly catching on to their negative effects on society.

I'm actively working on what I think is the "second-generation" of social networking and I hope users will eventually vote with their dollars and time.


Claiming the internet will self-regulate is no less of an empty claim than assuming any other industry is capable of regulating itself.


More like assuming society is capable of regulating itself


Well, we do tend to set a bad example for the kids.


How are you defining generations?

Myspace and Facebook are 1st gen, but so are LinkedIn, Twitter, Pinterest, Reddit, Tumblr.

We're in the 2nd generation now, with the rise of smartphones being the rough delineation, putting Vine, Snapchat, Instagram, WhatsApp in that cohort.

By that definition, is your project 2nd gen as well, or are you more ambitiously seeking to go a generation further?


People intuitively know this. That's why they invented gates and exclusivity. Take e.g. rich people who want to have their own exclusive areas or ultra high cost metropoles. These act as natural gatekeepers for outsiders to keep the corruption away. At least that's what they hope for.


This is an old argument. In the engineering world, it's been long known as SPOF (single point of failure). SPOF exists in many forms. It can be a physical part but can be protocols or people's beliefs. Google is kind of a SPOF for many people as well as your ISP. A media is a SPOF in many political systems. Some countries have only one national assembly, which is a SPOF too. I would call Euro (currency) a kind of SPOF, but people might disagree, etc. etc.

It's an engineer's job to reduce SPOFs when it comes to engineering, but people in other fields are doing it too. It's just not called SPOF but crafting those systems should be equally respected as engineering.


> A Fire Upon the Deep by Vernor Vinge, where some parts of the universe have much better connectivity than others and it doesn't go well at all.

That's not a particularly accurate description.

The problem was the level of technology, and accepting intelligent data packets from infected sources. The suggested way to prevent infection was to convert through a less-powerful intermediate format, still preserving the meaning and amount of messages.


Isn’t there a similar, sort of inverse pattern with laws and enforcement?

The name escapes me, but it’s about the fact that once, even though laws were passed, it required personnel to enforce it, so there was a sort of a natural equilibrium between government and citizens. But now that we have all this technology, law enforcement can enforce even the pettiest of laws...?


To quote the Tao Te Ching:

The more laws and restrictions there are,

The poorer people become.

The sharper men’s weapons,

The more trouble in the land.

The more ingenious and clever men are,

The more strange things happen.

The more rules and regulations,

The more thieves and robbers.


That's not always true though, the answer is to be judicious and only to restrict things that really matter. For instance, the rivers used to literally be on fire, and thanks to regulation, they're not! I'd call that a win for regulation. I think we're all on the same page (except for the current administration) that dumping things that make people sick into the river is bad. I'm fine with omniscient enforcement of that kind of thing.

On the other hand, some things are illegal not for proactive enforcement purposes but to ascribe liability, like jaywalking. That kind of stuff really shouldn't be enforced. But should it be legal? Probably not. Sounds like there's room for a third class of "legal."


I feel like the history of the United States is a fairly stark counter-example to this thought. The chances of dying or getting robbed in the 1800s Wild West were much higher than they are today. The standard of living and safety has improved more or less monotonically since then, mostly due to more laws and regulations. Even recent history in the last 50 years has seen violence and crime decrease while laws grow.


While crime rates have certainly changed, I'm not sure you can easily say that it's because we have more laws. If anything, it seems like a lot of laws are enforced with huge bias to race/class/wealth.

If it was proven that more laws = less crime, then I don't think we would have seen the expanse of crime in the 80's and 90's. Think of the war on drugs, the 3 strikes laws, etc. If anything, I think getting more people out of poverty reduces the crime rate (and also adds safety).

The Wild West I don't think so much was a lack of laws, but the lack of law enforcement.


You're right, I can't say more laws are causing less crime. But I can say more laws and less crime are correlated in the US, which is still a counter-example to your Tao Te Ching quote, that claims more laws cause more crime. We know that's not true.

The quote might be true in ancient or modern China, where the laws and restrictions are being made in a dictatorial regime to censor the populace. But that would mean this isn't a quote about the nature of laws, it's a quote about the nature of China in a specific context, and can't really be applied to situations outside that context.

In the U.S., despite the temporary uptick in property crimes in the 80s, it went away again, and on the whole, on average, violent crimes have been in decline for 300 years while the number of laws and restrictions has gone up.

I wouldn't call the war on drugs or 3 strikes to be examples of crime expanding, those are both examples of government campaigns to fight crime. They are both controversial, with a loud and large contingent of citizens who believe those campaigns exaggerated the problems and are wasting vast amounts of tax money without reducing crime rates.

> I think getting more people out of poverty reduces the crime rate (and also adds safety).

Totally agree with you there. Side note, some people believe the "war on drugs" actually perpetuates poverty: https://en.wikipedia.org/wiki/War_on_drugs#Creation_of_a_per...


Violent crime isn't all crime, and I think the counterexample to what you're talking about is the number of non-violent laws we make:

https://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp...

We have so many laws that basically the legal system can find something wrong you've done, which makes everyone criminals. It's only a question of if they will charge you with it. You can't have a crime without a law, because a crime is when you break a law.

The war on drugs I would definitely say is crime expanding, as we are taking things that were legal, or more legal (even while dangerous or stupid) and are making them illegal. Now a substance abuse problem is also a criminal problem.

Same for three strikes, because many times you're taking a simple crime and over penalizing it. If the US's crime rate has been dropping so quickly, why do we have such a high prison population?

https://en.wikipedia.org/wiki/Crime_in_the_United_States#/me...

I also am not sure we're making that many new laws for violent crime. I think that is more or less well described.

And just because it's my favorite saying, "correlation is not causation!"


Great article. A few minor points:

“How did the Capital One + AWS hack happen”

They didn’t care enough to make it a policy to spend money on mitigations and practices that consistently work across known classes of attacks. Aka they didn’t care about it. They figured they’d litigate it, it wouldn’t cost much, it would happen to the next CEO/CIO, etc.

“It shouldn’t, in short, be on the Internet. On the other hand, properly authorized users, who are on the Internet, would like to be able to reach it from anywhere. Because requiring all the employees to come to an office location to do their jobs (“physical security”) seems kinda obsolete. That leaves us with a conundrum, doesn’t it? Wouldn’t it be nice though?”

High-assurance guards [1] w/ VPN’s, link encryptors, and/or leased lines running separation architectures using older nodes and designs for untrusted interface to beat the hardware vulnerabilities. DiamondTek LAN built them into PCI cards w/ Ethernet ports. Today, it could be an on-board chip connecting the external interface. Such architectures have been doing great in NSA and DOD pentesting for decades. It’s what they use internally for TS/SCI at many sensitive sites.

Alternatively, simple hardware running OpenBSD on embedded box in front of (device/service here) mediating it according to (policy here) with mediation done memory-safe w/ input validation and fuzzing. That’s the cheapest solution that should stop most attackers. Also, throw them a donation if you do it.

[1] https://en.wikipedia.org/wiki/Guard_(information_security)

“the horrors of IPv6,”

On Twitter, apenwarr also said:

“I had a connectivity problem, so I enabled IPv6. Now I have two connectivity problems.”

Haha.


Scale reduces diversity which increases vulnerability. Darwin would interrogate this potentiality in the following way (essentially articulating the characteristics and benefits conferred by his evolutionary model): reproduction can essentially be viewed as scale in this kind of context: a turtle's reproduction produces lots of turtles, rather than a random assortment of lifeforms such as snails and rabbits, etc. In this sense, biological reproduction results in the 'scale' of some particular thing, i.e., 'more of the same', rather than 'different every time', i.e., differentiation, or diversity. The vulnerability produced by scale in this context is that some peril resulting from a change could render all instances of the scaled thing extinct. Nature produces the differentiation required to increase survival chances in such circumstances by mutation taking place in the course of reproduction. What the OP's concern seems to introduce, at least from my perspective, is an argument for exploring the options and practicalities for considering the possibility of somehow contriving something akin to a 'mutation imperative' into the design policy leading up to the development of scaling processes, in order to introduce at least some potential for the level of differentiation to constitute a potential for adaptation and thereby confer a potential for survival in the face of what might otherwise be an extinction level event. It's kind of like advocating applying some kind of 'resilience theory' to 'scalable innovations', no? I don't know if anyone has already proposed or even implemented this approach elsewhere.


Very good thoughts, although I feel a little weird about it subtly being a plug.

Also, re: the plugged company, I don't really see how this product is different from a VPN.


It's different from a VPN because it includes a notion of identity (you don't just know I'm on the corporate network, you know I'm asdfhero). It is very similar to Google's BeyondCorp strategy though.

Given that the team are Xooglers, that's presumably not a coincidence.


VPNs also have a notion of identity. You don't join the network just because you know the IP address of the VPN server.


apenwarr is the author of sshuttle; so that might give you some background


I take some issue at calling natural predatory animals like Lions, Sharks etc. a Cancer - ecosystems collapse without a predator.


Yes, I also noticed that example as something not like the others.


Galactic-scale corruption: https://en.wikipedia.org/wiki/A_Fire_Upon_the_Deep The story introduces The Net Of A Million Lies, but the large-scale corruption I'm really thinking of is The Blight.


Frictionless systems run open-loop.

Lacking feedback, they go unstable.

Nothing about the Information Age makes it immune.

The sun also rises on the east.


I don't get the message. Is it "Problems scale up when something is growing"? It's not new by any means. So do Solutions. Is there evidence that Problems scale faster than Solutions?


There are an astounding number of people who think that 'economies of scale' applies to information technology.

Labor costs might not scale faster than customers, but everything else does.


Entropy.


>It's also why you shouldn't allow foreigners to buy political ads in your country.

Apparently, the author still needs to learn a thing or two about the internet.


It's not fair to put predators (and diseases) in the same bucket as deliberate abuse of a security vulnerability. Lions and plagues cannot be "good" or "bad".

Only humans (and data) can be corrupt. Nature is the system operating at the most massive scale and as far as we know nobody has breached gravity or friction.



Security by obscurity works.


if it didn't we wouldn't be using passwords ...


Passwords use secrecy not obscurity. The difference is obscurity is discoverable via public information.

Think a captcha which is just “please type ‘5371’ in this box.”

Basically, benefiting from an unusual protocol not a hidden protocol.


> most interactions should not be Internet scale

Metcalfe law's shadow: the risks in a network are proportional to the square number of people connected to the network.


Is this a thing, or just something you're suggesting here?

I think I like it.


Wow, I never really thought of this before, it took me two seconds to understand it.


Reading the elevator pitch on the product website (tailscale.io), it's just an undeveloped version of Cloudflare Access. (or, name your equivalent product)

It doesn't stand a chance.

Also, being the proxy between the user and internal applications isn't the hard part of zero-trust.



