Wednesday, March 29, 2017

Stewart Baker with Michael Daniel on ze Podcasts

I want to put a quick note out about the latest Steptoe Cyber Law podcast, which is usually interesting because Stewart Baker is a much better interviewer than most against people like this. He's informed, of course, as the US's best known high power lawyer in the space. But also, he's willing to push back against the people on his show and ask harder questions than almost any other public interviewer.

TFW: "I know shit and I have opinions"

The whole interview is good, and Michael Daniel's skillset is very much (and always was) managing and understanding the physics of moving large government organizations around for the better. His comments on the interview are totally on point when it comes to how to handle moving government agencies to the cloud. Well worth the time!

More to the point of this blog however: 47 minutes into podcast Stewart Baker says, basically, that he thinks the VEP is bullshit, and everyone he knows (which is everyone) thinks the VEP is bullshit. Daniels says about VEP not that it works in any particular way, but that he is a "believer", and, to be fair, his position is "moderate" in some ways. In particular, he acknowledges that there is a legitimate national security interest in exploitation. But he cannot address any of the real issues with the VEP at a technical level. In summary: He has no cogent defense of the VEP other than a nebulous ideology.

Wednesday, March 1, 2017

Control of DNS versus the Security of DNS

"We're getting beat up by kids, captain!"

So instead of futile and counterproductive efforts trying to regulate all vulnerabilities out of the IoT market, we need to understand that our policies for national cybersecurity may have to let go of certain control points we have, in order to build a resilient internet.

In particular, central points of failure like DNS are massive weak points for attacks run by 19 year olds in charge of botnets.

But why is DNS still so centralized when decentralized versions like Convergence have been built? The answer is: Control.

Having DNS centralized means big businesses and governments can fight over trademarked DNS names, it means can be seized by the FBI. It is a huge boon for monitoring of global internet activity.

None of the replacements offer these "features". So we as a government have to decide: Do we want a controllable naming system on the internet, or a system resistant to attack from 19 year olds? It's hard to admit it, but DNSSec solved the wrong problem.