Interesting People mailing list archives
Re: Proposed data retention law WAS Republicans propose data retention laws etc
From: David Farber <dave () farber net>
Date: Mon, 23 Feb 2009 12:25:32 -0500
Begin forwarded message:
From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
Date: February 23, 2009 10:42:16 AM EST
To: <dave () farber net>, "'ip'" <ip () v2 listbox com>
Subject: RE: [IP] Re: Proposed data retention law WAS Republicans propose data retention laws etc
I’m still skeptical that this bill can get far – so I do want a reality check. I can't help but compare this with laws that regulated automobiles as badly behaved horses. Is there anyone in Congress or any mechanism to say “this doesn’t make sense”? The real danger here is embodying our worst fears and most naïve solutions in legislation.
To what extent can the federal government require we track our own activities within our own homes? Is a failure to track and report potentially possible criminal activities by ourselves and others a crime?
If I use 169.254 self-assignment instead of a DHCP server how would I track usage? Remember that access points and devices often allow spoofing of MAC addresses. Then there are all sorts of tunneling and relaying capabilities.
From a “public good” point of view requiring authentication would prevent the growth of a "bit commons" and lock us into the accidental properties of a prototype implementation of the Internet that is already overly centralized. Would there be a "911" exception to allow emergency connections without establishing full authentication? Or would we instead have a special purpose emergency works network that will work the first time perfectly without any prior experience?
And all this at a time when we want to believe that we can trust Congress’ wisdom in solving our other problems.
-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Monday, February 23, 2009 09:57
To: ip
Subject: [IP] Re: osed data retention law WAS Republicans propose data retention laws etc
Begin forwarded message:
From: Tom Goltz <tgoltz () quietsoftware com>
Date: February 23, 2009 9:15:47 AM EST
To: Jim Thompson <jim () netgate com>
Cc: David Farber <dave () farber net>, "Steven M. Bellovin" <smb () cs columbia edu>
Subject: Re: [IP] Re: osed data retention law WAS Republicans propose data retention laws etc
At 07:16 AM 2/23/2009, Jim Thompson wrote:
> Note that the government could require an 802.1x/WEP or WPA compliant
> authentication (which could be done semi-anonymously), punting the log
> to a machine in a much more stable location. Most of the half-decent
> wireless routers on the market today (including the WRT54 series) will
> perform enough 802.1x and RADIUS to allow sufficient logs to be kept
> to comply with the legal requirements of this (not yet a) law.
In my opinion, the solution that you propose is actually HARDER than modifying the router firmware to perform internal logging, for the following reasons:
First, it requires each ISP to set up and maintain a RADIUS authentication server reachable across their entire network.
Second, it requires the ISP to attempt to support literally hundreds of different consumer routers, each of which supports a subtly different sub-set of RADIUS/802.1x authentication. Keep in mind that RADIUS support is NOT a core feature in the consumer market, so it's far from clear that the claimed support actually WORKS.
Third, it doesn't address the ability of the owner of the router to reconfigure the router to sneak an unauthorized computer onto the network.
In order to fully implement remote authentication / logging, you pretty much have to mandate that ALL routers will be replaced by units owned, controlled and locked down by the ISPs without the ability for the end-user to make core configuration changes, or to replace the firmware. In other words, you would have to outlaw the use of ALL existing wireless routers.
> I'm not saying I'm in favor of the idea, or the law. I *AM* stating
> that Mr. Goltz (*) is wrong, and that those who espouse that DHCP logs
> are (or were, or even are not) the answer are looking "too far down
> the stack". It's got nothing to do with
> the write-performance of the flash.
Compared to shoehorning log-to-flash into the existing routers, I believe your proposed solution is MUCH harder to implement. You assume that all of these existing routers have/can be fitted with 802.1x/RADIUS authentication that works at all, and functions in pretty much the same manner across all the various units. I believe that assumption to be incorrect. Talk to someone who's ever tried to implement centralized authentication for a distributed wireless network if you want the bad and the ugly - there are GOOD reasons why such networks usually have a standardized hardware monoculture.
ANY law that attempts to legally mandate logging and monitoring of people using equipment under the full control of those same users is going to be problematic (no matter HOW you implement it!). The question then becomes: Are we willing as a nation to ban the possession and use of privately-owned networking equipment in order to "save the children"? No doubt shortly to be followed by equally sweeping restrictions on the ownership and operation of computers themselves. The USSR licensed and regulated the possession of photocopiers, why shouldn't we do the same with computers?
The people writing this bill simply do not understand how the Internet operates, and appear to be thinking in terms of a network more along the lines of the Bell System of the 1970's, with strong central control and even stronger control over endpoint equipment.
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com