Since there are lots of hobbies that sometimes overlap with community service I'd love to see a club that focuses on being prepared to reestablish intra-community communication in case the Internet goes down. Yes, it'd be great if everyone was self hosting, using distributed services and involved in a mesh network now, but without motivation it won't happen. So this club could focus on developing the resources that a few individuals in a community could use to set these things up after the network is already down. They could have offline caches of Wikipedia and Openstreetmaps, copies of firmware, apps and instructions for attaching consumer routers and other Wi-Fi devices to a mesh network, systems for registering people with a locally functioning email address, etc. User friendly portals could be made that provide the basic instructions for people who stumble on a mesh network access point with their otherwise disconnected smartphones.<p>All of the tech exists in some form or another, but if it were well packaged, it's not hard to see there being a sufficient distribution of members to get people connected easily.
Although Schneier is probably correct in this instance, one of the most exasperating features of his computer security writing is an utter lack of citations or evidence to back up his claims. (His writing about cryptography should require no citations because he is an actual crypto expert.)<p>After the significant inaccuracies and frequent unsubstantiated speculation in <i>Schneier on Security</i>, I don't think credible security researchers can take his analysis at face value. Additionally, the halo effect of his actual expertise, cryptography, convinces people who aren't security experts that his opinions and speculations are correct. Worse, he rarely frames his speculation as such; he states conjecture as fact. This is counterproductive and leads to confusion among journalists and eventually the general public.<p>To the imminent downvoters, I'm not offended; I expect it with an unpopular opinion. I'd prefer you engage with a reply in addition to the downvote so we can have a discourse. I think it's important that I add my dissent to the conversation.
So how exactly is one entity, even a state entity, going to take down all 13 root servers, <i>assuming</i> that that is what Schneier is talking about since the man speaks in mysteries? What would it take to do that?<p>Let's safely assume that these servers, every single one of them, are subject to DDoS attacks all the time and have at least some experience in handling them, and have a backup scenario ready for a serious attack. One of the reasons why the root servers are not centralized is to avoid the kind of disaster that Schneier predicts.<p>Also what if I maintain a list of IP addresses of the websites I visit most and update that list daily. When the "big attack" strikes, I put that list in /etc/hosts. Would I still be able to do my holiday shopping from Amazon? Would I still be able to read the logs on my VPS by ssh'ing to its IP? How long would such an attack sustain before BGP modifications start blackholing the sources? Long enough to let the average TTL cache expire?<p>Would an attack on the root servers really take down the internet? Or in case Schneier isn't talking about that, what kind of attack on the decentralized internet is actually able to take it all down? I'm not saying he is wrong, but I have a hard time thinking about how we should prepare and protect our infrastructure if he doesn't want to share the intel he knows instead of some generic warnings.
This is both unsurprising, and worrying. Unsurprising because it's the job of any nation's military and espionage arms to consider and form plans to cripple or destroy their potential enemy's infrastructure, information included. Worrying, because as far as I can tell most people remain deeply ignorant and/or unconcerned (present company excluded both from that remark, and realistically the descriptor "most people") about 'cybersecurity' in any form.<p>That needs to change, and the author is right that while there seems to be little to do now, people should be aware of it.
This is why I worry about the centralization of all communications as we've done over the entirety of human history. Letting the Internet be centralized as it has been might be make economic sense but as for sustaining the world economy through a potentially global conflict it doesn't make any sense to put all our eggs in one basket here. It's like I mentioned on the "napalm girl" post that we've become too complacent with having ease of use trump reliability of communication. This is just one of the larger consequences of our individual and collective choices coming to bite us in the butt. I hope this spurs people to get smarter and put together p2p solutions that can weather such a conflict at least for regional and/or city-wide communications.
I totally disagree that we can't do anything. With the existing TCP/IP protocol we can't do anything because it's possible to forge the origin IP address or modify the datagram content on its route to destination. A receiving end has no way to verify the validity of the datagram.<p>An IP datagram authentication at the lowest level is required so that anyone on the route can detect forgery, error or tempering with the data. This would allow tracking the real sources of DDOS attack, diagnose the cause and fix it.<p>What's the point of keeping digging deeper trenches ?<p>This should be a top priority change of the Internet. There was no incentive to move to IPv6. Now there is one to move to a more secure Internet.
The Internet is suppose to be decentralized. Yet we have these centralized groups, proving backbone, DNS, certs. Well duh, it's no surprise. Why can't I connect to my neighbor who lives next door without the packet doing a 200 mile trip? The Internet is really only devices that can route packets through at least 2 different gateways. If you only have one route. You are not part of the vision of the Internet.
Can anyone elaborate on what he means when he says that Verisign can 'go down' and take down most of the internet with it? How would a registrar going down affect anything to do with actual hosts?
This
is (one of) the reason(s) I moved my website to the decentralized
web-hosting platform ZeroNet. It is still accessible to regular web
users (through the use of proxies) but is ultimately secure against DDOS
attacks and the like as there is no single server to attack (it could
still be done, but it would take much more effort as you would have to
attack each user of ZeroNet individually).<p>As applicable with all areas of life, association is a security risk. By
depending upon any centralized authority (such as a server or domain
name registrar) you are open to being censored (either by them or an attacker).<p>At this point however, decentralized web-hosting solutions still rely
upon clearnet centralized port checkers, which is (ofcourse) an issue.
The best the community can do is help to raise awareness of
decentralized web hosting in the hopes more people will adopt it leading
to a higher likelihood that the problems will be solved.
<i>>The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the U.S. decides to make an international incident over this, we won't see any attribution.</i><p>Or unless it's the US itself. Not the most likely possibility I think, but still a possibility.
Blaming China or Russia is lazy writing. It could be just about anyone, including a rogue internal agency doing a spoof-attack to precisely cause the blame to go towards the obvious "state actors".<p>Cyber-warfare is the 'new' war and just like any war, misinformation plays an important role.