TechEcho

Absolute Scale Corrupts Absolutely

214 points by dankohn1 over 5 years ago

22 comments

cbanek over 5 years ago
> "What is corruption? On the Internet, it's botnets and DDoS attacks."

While I don't disagree these are problems, it seems like the real corruption is misinformation. To follow the flow of the article, the cheaper and faster information flows, the more likely it is to be wrong. Think of how major news networks have "breaking news" that ends up being flawed or wrong. (I'm struggling to find it, but someone watched "breaking news" a couple of weeks after it broke, and tried to figure out how accurate news reporting was. Huge eye-opener for me). It used to be a small number of people knew how to make web pages and host them. Now anyone can comment on any number of social media platforms with maybe even more than one account.

To quote Dogbert: "Do you know how hard it was to spread rumors before the internet?"

And it's the people that are spreading the information, although some botnets seed it. People are very diverse, and are a great transmission mechanism, since they change it in any number of ways.

Also, I remember DDoS attacks and botnets were around and thriving long before most people knew what they were. Anyone remember WinNuke? This isn't some magical new problem, it's just that more people are affected, and therefore more people have heard of it.

I think the real problem with the internet isn't that it's too big, or has too many people, but now it basically mirrors the real world. Many people and companies are on the internet, trying to do what they were in the real world on the internet. That invites criminals and troublemakers to also do what they do on the internet.

The real problem is human nature, and that system is definitely large enough to be corrupted. And it has been, for a long time.

abjKT26nO8 over 5 years ago
> Wouldn't it be nice though? If you could have servers, like you did in the 1990s, with the same simple architectures as you used in the 1990s, and the same sloppy security policies developer freedom as you had in the 1990s, but somehow reach them from anywhere? Like... a network, but not the Internet. One that isn't reachable from the Internet, or even addressable on the Internet. One that uses the Internet as a substrate, but not as a banana.

> That's what we're working on.

So... They are working on a VPN then...?

ken over 5 years ago
> For computer viruses, maybe we can have 10 operating systems, but you still don't want to be the unlucky one, and you also don't want to be stuck with the 10th best operating system or the 10th best browser. Diversity is how nature defends against corruption, but not how human engineers do.

Hold up. I'm not sure what "the 10th best browser" even means. There isn't some absolute scale of browser quality. The web browser that more than half the world uses is kind of lousy in my eyes. That's why these alternatives exist.

Even if there were a single "best", you'd be much less likely to "be the unlucky one", because if everyone is using a system with tiny market share, you're each much less appealing to attackers. And the distribution falls off really fast.

What's the 10th most popular OS today? NetBSD, maybe. I searched the CVE list for "Microsoft Windows", and see 61 issues in 2019. "macOS" has 44 this year, and NetBSD hasn't had any since 2017. The NetBSD developers are smart and careful, I'm sure, but at least part of that has got to be because they've got <0.1% market share. Nobody wants to spend time attacking NetBSD because then you've got the problem of finding a NetBSD system to actually attack! I wouldn't use obscurity as my only security, but I'm not going to discount its value, either.

> In fact, a major goal of modern engineering is to destroy diversity. As Deming would say, reduce variation. Find the "best" solution, then deploy it consistently everywhere, and keep improving it.

I disagree. Software engineering (real engineering, not "I built a webpage over the weekend") does indeed use diversity as a tactic. Avionics famously has multiple independent implementations, and checks results between the units.

"Find the best solution" is great for general problem solving strategies, but not good for sourcing implementations. When I'm building something, I don't want to use a hardware component that was only available from one supplier. Standardize the interfaces and requirements, but then make sure you can meet those in more than one way.

danfang over 5 years ago
The title is pretty click-baity and I don't necessarily agree with the conclusion. The author raises a lot of good points about large systems being subject to corruption.

However, I think the internet is self-regulating. Eventually, users will choose new products, companies, and services that align with their values.

I think we're at the tail end of the first phase of internet mega-corporations. In the past 15 years we've learned a lot about how people interact on the internet, and how it's rife for abuse and misinformation. We've created systems that negatively influence the quality of our lives and relationships.

I don't believe that this is necessarily the status quo. There's certainly momentum and money on the side of existing incumbents, but I think the public is slowly catching on to their negative effects on society.

I'm actively working on what I think is the "second-generation" of social networking and I hope users will eventually vote with their dollars and time.

gringler over 5 years ago
People intuitively know this. That's why they invented gates and exclusivity. Take e.g. rich people who want to have their own exclusive areas or ultra high cost metropoles. These act as natural gatekeepers for outsiders to keep the corruption away. At least that's what they hope for.

euske over 5 years ago
This is an old argument. In the engineering world, it's been long known as SPOF (single point of failure). SPOF exists in many forms. It can be a physical part but can be protocols or people's beliefs. Google is kind of a SPOF for many people as well as your ISP. A media is a SPOF in many political systems. Some countries have only one national assembly, which is a SPOF too. I would call Euro (currency) a kind of SPOF, but people might disagree, etc. etc.

It's an engineer's job to reduce SPOFs when it comes to engineering, but people in other fields are doing it too. It's just not called SPOF but crafting those systems should be equally respected as engineering.

Dylan16807 over 5 years ago
> A Fire Upon the Deep by Vernor Vinge, where some parts of the universe have much better connectivity than others and it doesn't go well at all.

That's not a particularly accurate description.

The problem was the level of technology, and accepting intelligent data packets from infected sources. The suggested way to prevent infection was to convert through a less-powerful intermediate format, still preserving the meaning and amount of messages.

christopoulos over 5 years ago
Isn’t there a similar, sort of inverse pattern with laws and enforcement?

The name escapes me, but it’s about the fact that once, even though laws were passed, it required personnel to enforce it, so there was a sort of a natural equilibrium between government and citizens. But now that we have all this technology, law enforcement can enforce even the pettiest of laws...?

nickpsecurity over 5 years ago
Great article. A few minor points:

“How did the Capital One + AWS hack happen”

They didn’t care enough to make it a policy to spend money on mitigations and practices that consistently work across known classes of attacks. Aka they didn’t care about it. They figured they’d litigate it, it wouldn’t cost much, it would happen to the next CEO/CIO, etc.

“It shouldn’t, in short, be on the Internet. On the other hand, properly authorized users, who are on the Internet, would like to be able to reach it from anywhere. Because requiring all the employees to come to an office location to do their jobs (“physical security”) seems kinda obsolete. That leaves us with a conundrum, doesn’t it? Wouldn’t it be nice though? “

High-assurance guards [1] w/ VPN’s, link encryptors, and/or leased lines running separation architectures using older nodes and designs for untrusted interface to beat the hardware vulnerabilities. DiamondTek LAN built them into PCI cards w/ Ethernet ports. Today, it could be an on-board chip connecting the external interface. Such architectures have been doing great in NSA and DOD pentesting for decades. It’s what they use internally for TS/SCI at many sensitive sites.

Alternatively, simple hardware running OpenBSD on embedded box in front of (device/service here) mediating it according to (policy here) with mediation done memory-safe w/ input validation and fuzzing. That’s the cheapest solution that should stop most attackers. Also, throw them a donation if you do it.

[1] https://en.wikipedia.org/wiki/Guard_(information_security)

“ the horrors of IPv6, “

On Twitter, apenwarr also said:

“I had a connectivity problem, so I enabled IPv6. Now I have two connectivity problems.”

Haha.

aniijbod over 5 years ago
Scale reduces diversity which increases vulnerability. Darwin would interrogate this potentiality in the following way (essentially articulating the characteristics and benefits conferred by his evolutionary model): reproduction can essentially be viewed as scale in this kind of context: a turtle's reproduction produces lots of turtles, rather than a random assortment of lifeforms such as snails and rabbits, etc. In this sense, biological reproduction results in the 'scale' of some particular thing, i.e., 'more of the same', rather than 'different every time', i.e., differentiation, or diversity. The vulnerability produced by scale in this context is that some peril resulting from a change could render all instances of the scaled thing extinct. Nature produces the differentiation required to increase survival chances in such circumstances by mutation taking place in the course of reproduction. What the OP's concern seems to introduce, at least from my perspective, is an argument for exploring the options and practicalities for considering the possibility of somehow contriving something akin to a 'mutation imperative' into the design policy leading up to the development of scaling processes, in order to introduce at least some potential for the level of differentiation to constitute a potential for adaptation and thereby confer a potential for survival in the face of what might otherwise be an extinction level event. It's kind of like advocating applying some kind of 'resilience theory' to 'scalable innovations', no? I don't know if anyone has already proposed or even implemented this approach elsewhere.

_bxg1 over 5 years ago
Very good thoughts, although I feel a little weird about it subtly being a plug.

Also, re: the plugged company, I don't really see how this product is different from a VPN.

codeisawesome over 5 years ago
I take some issue at calling natural predatory animals like Lions, Sharks etc. a Cancer - ecosystems collapse without a predator.

denton-scratch over 5 years ago
Galactic-scale corruption: https://en.wikipedia.org/wiki/A_Fire_Upon_the_Deep The story introduces The Net Of A Million Lies, but the large-scale corruption I'm really thinking of is The Blight.

smitty1e over 5 years ago
Frictionless systems run open-loop.

Lacking feedback, they go unstable.

Nothing about the Information Age makes it immune.

The sun also rises on the east.

buboard over 5 years ago
I don't get the message. Is it "Problems scale up when something is growing"? It's not new by any means. So do Solutions. Is there evidence that Problems scale faster than Solutions?

brokenkebab over 5 years ago
> It's also why you shouldn't allow foreigners to buy political ads in your country.

Apparently, the author still needs to learn a thing or two about the internet.

hashkb over 5 years ago
It's not fair to put predators (and diseases) in the same bucket as deliberate abuse of a security vulnerability. Lions and plagues cannot be "good" or "bad".

Only humans (and data) can be corrupt. Nature is the system operating at the most massive scale and as far as we know nobody has breached gravity or friction.

spidermango over 5 years ago
https://www.youtube.com/watch?v=V8GXw6IQJgY

sam_lowry_ over 5 years ago
Security by obscurity works.

pacala over 5 years ago
> most interactions should not be Internet scale

Metcalfe law's shadow: the risks in a network are proportional to the square number of people connected to the network.

sbhn over 5 years ago
Wow, I never really thought of this before, it took me two seconds to understand it.

jiveturkey over 5 years ago
Reading the elevator pitch on the product website (tailscale.io), it's just an undeveloped version of Cloudflare Access. (or, name your equivalent product)

It doesn't stand a chance.

Also, being the proxy between the user and internal applications isn't the hard part of zero-trust.