Random Oracle

August 9, 2008

BlackHat: making the news while reporting it

Filed under: Security, events, news, risks — cemp @ 9:54 am

DefCon attendees have always known that using the conference wireless network means living on the dangerous side, even on the rare occasions when a few packets manage to route their way across the congested airwaves with thousands of users competing for the scarce bandwidth. (This blogger has been depending on his Novatel CDMA modem, compliments of Sprint, to continue writing.) If there is a real-life incarnation of the proverbial “untrusted network,” this is it, and the Wall of Sheep has been the favored tradition for publicly embarrassing those using weak protocols that transmit credentials in the clear.

This year the tradition expanded to BlackHat, putting attendees (a much different crowd than DefCon, it goes without saying) on notice that their names could be next on the hall of shame.

Journalists had a better deal: they got their own private, wired network in the press room, free from the shenanigans of creative researchers.

It did not work out. As reported by CNet, French journalists decided to step up to the plate and impress their colleagues with their “l33t credentials.” Exact details are unclear, but it appears that they managed to take control of the press-room router and capture traffic from other journalists. For anyone not using a VPN, that traffic included the stories they were filing. So much for good sportsmanship: why bother attending the conference sessions or interviewing speakers when you can “rephrase” your colleagues’ dispatches instead? The French crew were so proud of their achievement that they wanted the spoils displayed on the Wall of Sheep. Conference organizers were not impressed by what they viewed as illegal wiretapping and interception. Neither were fellow members of the press, once they were briefed on the incident. The proto-hackers were booted from the conference, which was not enough to appease the irate journalists. The reaction reportedly included at least one person from ZDNet going through the roof.

cemp

May 25, 2008

CFP 2008: Network neutrality and the end of flat pricing models

Filed under: Internet, economics, events, markets, oped — cemp @ 1:03 pm

(Reflections on the past Computers, Freedom and Privacy conference.)

The event had no coherent theme this year, unlike the relevance of copyright in 2002, electronic voting in 2004 at Berkeley, the panopticon of commercial surveillance in 2005 in Seattle and the corresponding questions around intelligence in 2006 in DC. Network neutrality and the recent moves by Comcast, British Telecom and Charter may have been the closest thing to a shared preoccupation with the crisis of the day.

One welcome development is that the audience on the whole had moved beyond the particulars of Comcast blocking BitTorrent, discussed earlier here. Many people, including Paul Ohm and David Reed (who coined Reed’s law describing the value of collaborative networks), made the point that the purported goal of managing scarce upstream bandwidth could have been achieved by much less intrusive means, including metering usage regardless of the protocol involved. The network neutrality principle rules out any justification for singling out one protocol or application, even if Comcast network engineers determined empirically that one protocol was responsible for the lion’s share of bandwidth usage. And there is no excuse for injecting bogus network traffic (forged TCP reset packets) in response to perceived usurping of bandwidth. Comcast, to its credit, had a recent moment of clarity and announced a more nuanced, “protocol agnostic” approach to managing its available capacity.
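Since forged resets come up here as the objectionable technique, the following is a small added example (not code from the original post or anything Comcast published) of how a subscriber could spot them in their own traffic. A genuine RST is generated by the peer’s TCP stack and arrives with the same IP TTL as the peer’s other packets in that flow; a reset injected by a middlebox on the path is built by a different host and almost always arrives with a different TTL. The packet records below are constructed for the example and the field names are assumptions, not a real capture library’s API.

```python
"""Heuristic check for injected TCP resets based on IP TTL mismatch.

Added example; not code from the original post. Works on a constructed
list of packet records (field names are assumptions). A real check would
feed it the same fields parsed out of a pcap.
"""


def flow_direction(pkt):
    """Direction-sensitive flow key: A->B and B->A get different keys,
    because each sender has its own TTL baseline."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def find_forged_resets(packets):
    """Return [(index, reason)] for every RST whose TTL disagrees with the
    TTL seen on earlier non-RST packets from the same sender in the same
    flow. An RST with no baseline yet (nothing seen from that sender) is
    not flagged, so the check never fires on a lone packet."""
    baseline = {}   # flow_direction -> TTL of the sender's first non-RST packet
    suspects = []
    for i, pkt in enumerate(packets):
        key = flow_direction(pkt)
        if "R" in pkt["flags"]:
            expected = baseline.get(key)
            if expected is not None and expected != pkt["ttl"]:
                suspects.append((i, "ttl %d != baseline %d" % (pkt["ttl"], expected)))
        else:
            # The first non-RST packet from this sender fixes the baseline.
            baseline.setdefault(key, pkt["ttl"])
    return suspects


# Constructed sample flow (not a real capture): a client opens a BitTorrent
# connection (port 6881) to a peer. Packets 0-3 are the handshake and first
# data segment. Packet 4 claims to be a reset from the peer but arrives with
# a TTL that does not match the peer's SYN/ACK, which is what an injected
# reset looks like. Packet 5 is a genuine reset carrying the peer's usual TTL.
CLIENT, PEER = "10.0.0.5", "203.0.113.7"
SAMPLE_PACKETS = [
    {"src": CLIENT, "sport": 51234, "dst": PEER, "dport": 6881, "flags": "S", "ttl": 64},
    {"src": PEER, "sport": 6881, "dst": CLIENT, "dport": 51234, "flags": "SA", "ttl": 52},
    {"src": CLIENT, "sport": 51234, "dst": PEER, "dport": 6881, "flags": "A", "ttl": 64},
    {"src": CLIENT, "sport": 51234, "dst": PEER, "dport": 6881, "flags": "PA", "ttl": 64},
    {"src": PEER, "sport": 6881, "dst": CLIENT, "dport": 51234, "flags": "R", "ttl": 119},
    {"src": PEER, "sport": 6881, "dst": CLIENT, "dport": 51234, "flags": "R", "ttl": 52},
]


if __name__ == "__main__":
    for index, reason in find_forged_resets(SAMPLE_PACKETS):
        p = SAMPLE_PACKETS[index]
        print("packet %d %s:%d -> %s:%d looks injected (%s)"
              % (index, p["src"], p["sport"], p["dst"], p["dport"], reason))
```

Two caveats a practitioner would want: a route change mid-connection can legitimately shift the TTL and produce a false positive, and an injector that bothers to copy the peer’s TTL will slip past this check. The stronger complementary test is whether the RST’s sequence number falls where the receiver’s window expects it, which this example deliberately leaves out to keep the TTL idea isolated.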

As the CFP discussion made clear, BitTorrent and its alleged use for sharing copyrighted content is a red herring, a distraction from the core issue, which is purely economic: who is paying for bandwidth, and exactly how much. Throughout much of the 1990s residential Internet access remained slow, primitive and uncommon. Dial-up connections were the norm and subscribers paid according to usage, typically by the hour. In this environment bits were precious, applications were designed to eke out the greatest utilization from the modest bandwidth available, and spam literally cost money by driving up usage charges. Eventually, as capacity expanded everywhere, from the massive amounts of fiber underground bulking up the backbone to upgrades in the so-called last mile to the home, it became possible for ISPs to enter the market with a disruptive business model: a flat monthly fee for unlimited usage. When AOL switched over to this structure in 1996, it was overwhelmed by the response.

During the transition from dial-up to broadband this tradition of all-you-can-eat pricing was inherited. Granted, service tiers still existed and greater bandwidth could be purchased for higher monthly fees. Within a particular tier it made no difference whether the subscriber surfed the web all day long or rarely powered up her computer. This was either the old prediction made about nuclear energy (“electricity too cheap to meter”) finally realized in the context of bandwidth, or a sign that everyone was on board with an arrangement in which infrequent users subsidize the high-demand households. It would not have been the first time: similar subsidies occur all the time in technology, for example different SKUs for software where enterprises pay far above cost so that consumer versions can be sold at deep discounts.

Either way, the tacit agreement between subscribers and ISPs has continued. Until now. Just as the post-World War II euphoria over nuclear energy making electricity essentially free gave way to Cold War anxiety once the long-term problems were better understood, the vision of exponentially improving bandwidth quickly faded. Unlike CPU and memory, bandwidth proved surprisingly resistant to Moore’s law. Broadband access by DSL or cable still costs about what it did several years ago, and while available network speeds increased gradually, that was a far cry from the doubling every 18 months that other components of the PC experienced.

The major disruption instead was the rise of new bandwidth-hungry applications, particularly those clamoring for upstream bandwidth. Parkinson’s law says that work expands to fill the time available. Internet applications did the same thing with bandwidth. Streaming video may have brought us to an inflection point. All-you-can-eat makes sense when the subsidies are reasonable, in other words when the expected range of consumption lies in a narrow band, where the difference between the heaviest users and the less demanding ones is small. (That difference is a proxy for the amount of subsidization going on: less frequent users are missing out on that much value and the heavy users get a corresponding free ride.) In the good old days of narrowband, the difference between the Internet addicts and infrequent users may have been insignificant. Today the difference between checking email and streaming a Netflix movie can be two orders of magnitude.

It’s clear that ISP networks are oversubscribed: there is not enough capacity to deliver 10Mbps to every subscriber at the same time, even though that is the advertised service level. As long as the average demand works out to below some threshold, everyone is happy. That model depends on a mix of connection profiles: some idling, others engaged in low-bandwidth tasks and another fraction going full throttle. When more subscribers start maxing out their usage and disparities in consumption grow, the flat pricing model cannot survive. Not surprisingly for a telco, Comcast tried to solve this problem in the most crude and heavy-handed way, by trying to “take out” one protocol and suppress demand. Equally predictably, it just dug itself into a deeper hole, sparking a new round of debate on network neutrality and even stirring the government into action.

Future predictions? Instituting pay-as-you-go may be a challenge, even when it is the most efficient allocation of bandwidth, because customers are used to the flat fee structure. Instead we might expect two things. First is a global cap on the amount of bandwidth available per month, similar to wireless plans, with overage charges or reduced service levels when the cap is reached. The second response would be an increasing number of service tiers: for example a “file-sharing plan” (obviously named something more acceptable) may offer higher upstream bandwidth and greater caps. All of these are consistent with network neutrality: the subscriber gets an allotment of bandwidth defined in terms of the maximum available, the rate sustainable over a period of time and perhaps a total for the month. The user is free to exercise this bandwidth any way they choose, with any protocol, any website, at any time, without interference from the ISP. Limitations imposed on exceeding the expected demand level are transparent and fixed in advance. More importantly, the customer can decide to opt for the next service tier when necessary.

cemp

April 10, 2008

Clean coal, 2+2=5 and other delusions

Filed under: environment, events, media, oped — cemp @ 8:45 am

The public relations salvo against global warming legislation is already underway, even before any concrete proposals have been introduced in either the House or the Senate. The Washington Post notes that a group backed by the coal industry is spending $35M on a new ad campaign in primary and caucus states to spread the message that coal is a clean fuel. Under the appropriately Orwellian name of Balanced Energy Choices (similar to how the campaigns against raising fuel economy standards used to be called “Concerned/Anguished/Distraught Citizens for Vehicle Choice”), the TV spots use the catchy image of a power cable being plugged into a lump of coal. True enough, considering that 50% of US power generation capacity comes from coal, and it is the one fuel the world is not in any danger of running out of anytime soon. The remainder is at best disingenuous: as the Post article points out, the definition of “clean” conveniently excludes carbon emissions.

Strangely, the message has not made it very far online: Googling for clean coal does not return any top matches for the slick campaign website or for the commercial itself, which praises the virtues of energy security. Not even a sponsored result. Instead the collective wisdom of the web responds with a balanced perspective on technologies such as IGCC that promise to extract comparable energy with a fraction of the emissions associated with directly burning the fuel. One of the hits points to an article from last year’s Sierra Club magazine, and another one on the second page is a blistering indictment of the concept from the Washington Post op-ed page. That’s not exactly a success story, considering the commercial spots were produced by the same company responsible for the “what-happens-here-stays-here” themed advertising for Las Vegas.

cemp

April 7, 2008

E-voting: how not to save money with IT

Filed under: Security, events, markets — cemp @ 5:42 pm

White papers are full of case studies on how the judicious use of information technology can help organizations achieve more with fewer resources. Unfortunately for the state of Maryland, its brief experiment with electronic voting and Diebold touchscreen devices will not be one of them. My friend Kim Zetter has recently published a new article over at the Threat Level blog about the aftermath of the Maryland debacle. Sanity prevailed after a brief experiment with touch-screen voting that basically catalyzed the movement against direct recording electronic (DRE) machines and catapulted Diebold into the national limelight as the #1 enemy of fair elections. The state is going back to optical scan machines; the expensive equipment gathers dust, while Diebold continues to collect on the maintenance contracts for equipment that is only trustworthy enough for electing the high-school mascot.

One of the interesting points in the article is that the machines are high maintenance. Quoting Rebecca Wilson of the Maryland-based advocacy group SaveOurVotes.Org:

“They take up huge amounts of warehouse space in warehouses that need to be air-conditioned,” she continues. “They have to recharge the batteries every six months. And (yet) we only haul them out about once a year (for elections).”

According to their estimates, the state will have spent close to $100M of taxpayer money by the time the dust settles. On average that is an increase of over 150 percent per voter across the board; for certain sparsely populated counties, it is close to an order of magnitude higher. Here is one IT deployment that aspiring MBA students will not be reading about in their case studies on cost cutting.

cemp

September 25, 2007

Upcoming conference: She’s Geeky

Filed under: Internet, events — cemp @ 8:32 am

An unconference that my colleague Kaliya, aka the Identity Woman, is helping organize:

She’s Geeky (http://www.shesgeeky.org)

A Women’s Tech (un)conference

October 22-23 in Mountain View, CA.


This event is designed to bring together women from a range of technology-focused disciplines who self identify as geeky. Our goal is to support skill exchange and learning between women working in diverse fields and to create a space for networking and to talk about issues faced by women in technology.


Not coincidentally perhaps, She’s So Geeky is the title of a collection of essays my friend Annalee Newitz edited. Here is the video of her appearance at Google’s Mountain View campus in July.


On another tangent and speaking of identity, Digital ID World 2007 is going on right now.

cemp
