Interesting People mailing list archives

Re: Proposed data retention law WAS Republicans propose data retention laws etc


From: David Farber <dave () farber net>
Date: Mon, 23 Feb 2009 12:25:32 -0500



Begin forwarded message:

From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
Date: February 23, 2009 10:42:16 AM EST
To: <dave () farber net>, "'ip'" <ip () v2 listbox com>
Subject: RE: [IP] Re: Proposed data retention law WAS Republicans propose data retention laws etc

I’m still skeptical that this bill can get far – so I do want a reality check. I can't help but compare this with laws that regulated automobiles as badly behaved horses. Is there anyone in Congress or any mechanism to say “this doesn’t make sense”? The real danger here is embodying our worst fears and most naïve solutions in legislation.

To what extent can the federal government require we track our own activities within our own homes? Is a failure to track and report potentially possible criminal activities by ourselves and others a crime?

If I use 169.254 self-assignment instead of a DHCP server how would I track usage? Remember that access points and devices often allow spoofing of MAC addresses. Then there are all sorts of tunneling and relaying capabilities.

From a “public good” point of view requiring authentication would prevent the growth of a "bit commons" and lock us into the accidental properties of a prototype implementation of the Internet that is already overly centralized. Would there be a "911" exception to allow emergency connections without establishing full authentication? Or would we instead have a special purpose emergency works network that will work the first time perfectly without any prior experience?

And all this at a time when we want to believe that we can trust Congress’ wisdom in solving our other problems.

-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Monday, February 23, 2009 09:57
To: ip
Subject: [IP] Re: osed data retention law WAS Republicans propose data retention laws etc



Begin forwarded message:

From: Tom Goltz <tgoltz () quietsoftware com>
Date: February 23, 2009 9:15:47 AM EST
To: Jim Thompson <jim () netgate com>
Cc: David Farber <dave () farber net>, "Steven M. Bellovin" <smb () cs columbia edu>
Subject: Re: [IP] Re: osed data retention law WAS Republicans propose data retention laws etc

At 07:16 AM 2/23/2009, Jim Thompson wrote:
> Note that the government could require an 802.1x/WEP or WPA compliant
> authentication (which could be done semi-anonymously), punting the log
> to a machine in a much more stable location. Most of the half-decent
> wireless routers on the market today (including the WRT54 series) will
> perform enough 802.1x and RADIUS to allow sufficient logs to be kept
> to comply with the legal requirements of this (not yet a) law.

In my opinion, the solution that you propose is actually HARDER than
modifying the router firmware to perform internal logging, for the
following reasons:

First, it requires each ISP to set up and maintain a RADIUS
authentication server reachable across their entire network.

Second, it requires the ISP to attempt to support literally hundreds
of different consumer routers, each of which supports a subtly
different sub-set of RADIUS/802.1x authentication.  Keep in mind that
RADIUS support is NOT a core feature in the consumer market, so it's
far from clear that the claimed support actually WORKS.

Third, it doesn't address the ability of the owner of the router to
reconfigure the router to sneak an unauthorized computer onto the
network.

In order to fully implement remote authentication / logging, you
pretty much have to mandate that ALL routers will be replaced by units
owned, controlled and locked down by the ISPs without the ability for
the end-user to make core configuration changes, or to replace the
firmware.  In other words, you would have to outlaw the use of ALL
existing wireless routers.

> I'm not saying I'm in-favor of the idea, or the law.  I *AM* stating
> that Mr. Goltz (*) is wrong, and that those who espouse that DHCP logs
> are (or were, or even are not) the answer are looking "too far down
> the stack".  It's got nothing to do with
> the write-performance of the flash.

Compared to shoehorning log-to-flash into the existing routers, I
believe your proposed solution is MUCH harder to implement.  You
assume that all of these existing routers have/can be fitted with
802.1x/RADIUS authentication that works at all, and functions in
pretty much the same manner across all the various units.  I believe
that assumption to be incorrect.  Talk to someone who's ever tried to
implement centralized authentication for a distributed wireless
network if you want the bad and the ugly - there are GOOD reasons why
such networks usually have a standardized hardware monoculture.

ANY law that attempts to legally mandate logging and monitoring of
people using equipment under the full control of those same users is
going to be problematic (no matter HOW you implement it!).  The
question then becomes: Are we willing as a nation to ban the
possession and use of privately-owned networking equipment in order to
"save the children"?  No doubt shortly to be followed by equally
sweeping restrictions on the ownership and operation of computers
themselves.  The USSR licensed and regulated the possession of
photocopiers, why shouldn't we do the same with computers?

The people writing this bill simply do not understand how the Internet
operates, and appear to be thinking in terms of a network more along
the lines of the Bell System of the 1970's, with strong central
control and even stronger control over endpoint equipment.






-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com



