Besides having critique on DNS I also try to improve things, both for DNS as well as for the Internet as a whole. Just a few weeks ago I contacted the Dnsmasq community to improve it. The new release is available now for testing and hopefully released soon.
The original specification of DNSSEC is from 1997: RFC 2065. This means that it is now over 17 years ago since its initial appearance. Sure, it has a turbulent history, and has undergone some big changes. Even the ‘final’ specification (RFC 4033) is over 9 years old. Yet I am going to argue that it has failed.
Cory Doctorow argues that security engineering should be public, like public health:
I think there’s a good case to be made for security as an exercise in public health. It sounds weird at first, but the parallels are fascinating and deep and instructive.
Last year, when I finished that talk in Seattle, a talk about all the ways that insecure computers put us all at risk, a woman in the audience put up her hand and said, “Well, you’ve scared the hell out of me. Now what do I do? How do I make my computers secure?”
And I had to answer: “You can’t. No one of us can. I was a systems administrator 15 years ago. That means that I’m barely qualified to plug in a WiFi router today. I can’t make my devices secure and neither can you. Not when our governments are buying up information about flaws in our computers and weaponising them as part of their crime-fighting and anti-terrorism strategies. Not when it is illegal to tell people if there are flaws in their computers, where such a disclosure might compromise someone’s anti-copying strategy.
I agree that security these days is harder than ever. The Internet has become a hostile environment and there are many actors actively trying to break anything connected to it.
Public health is a service because it is in everybody’s general interest, and there is not much else we can do about it. Making security a public service creates exactly the wrong kind of incentive. Companies release broken products, and rely on consumers not knowing or caring about it. We have to create more awareness and public outrage, so that consumers actually care about this and can make an informed decision.
Informing the public about security related issues, now that I can agree with as a public service.
Dan Geer presented a keynote presentation to the RSA conference which raises many excellent questions that I see also.
Digitalisering is handig, want dat is efficient en zorgt voor besparing, dit is al een tijdje een dogma in de Nederlandse politiek. In de praktijk blijkt dat lang niet altijd zo te zijn, maar dat houdt de politiek niet tegen. Dit zien we aan het weinig populaire Elektronisch Patiënten Dossier, maar ook bij Jeugdgezondheidszorg wordt dit dogma al een tijdje met veel moeite toegepast.
Hackers have been an important part of the Internet since its creation. They are the ones who try to take the technology just over the edge to see what happens. This may mean that things break, or other interesting things happen. Sometimes this means new products are created, new ways of using technology becomes available to users, and sometimes things break. Many hackers feel an obligation to share their insights so that technology can be improved upon, this leads to public disclosures. Continue reading
In the Netherlands we have a law on net neutrality, and we’re trying to defend this in Europe as well. Our law has been in effect since 2012. About one year after that, ISOC-NL received reports that some providers were breaking net neutrality. This was discussed in the Internet Transparency WG of which I’m also a member. The group worked together with the university of Dhaka to create a mobile app to test net neutrality on mobile providers, Open Internet. Continue reading