sloth unleashed

“It’s an urban legend that the government launched the Internet,” writes L. Gordon Crovitz in Monday’s Wall Street Journal, launching into just one of a myriad of problems with his short opinion piece.

While he concedes that the military’s Defense Advanced Research Projects Agency (DARPA) program funded the creation of the ARPAnet, the first large-scale packet-switched network, he argues that the government doesn’t deserve credit for the creation of the Internet:

If the government didn’t invent the Internet, who did? Vinton Cerf developed the TCP/IP protocol, the Internet’s backbone, and Tim Berners-Lee gets credit for hyperlinks.

But full credit goes to the company where [Robert Taylor] worked after leaving ARPA: Xerox. It was at the Xerox PARC labs in Silicon Valley in the 1970s that the Ethernet was developed to link different computer networks. Researchers there also developed the first personal computer (the Xerox Alto) and the graphical user interface that still drives computer usage today.

Crovitz is right that Vinton Cerf, along with Bob Kahn, invented the TCP/IP protocol that is the foundation of the modern Internet. But he neglects to mention that Cerf’s early work on the protocol was funded by the US military through its DARPA program.

“Hyperlinks” are not the Internet, and Tim Berners-Lee didn’t invent them. Nor is the World Wide Web the Internet, although the Web has become such a popular Internet application that many people confuse the two. But more to the point, Berners-Lee was working at CERN, a research organization funded by European governments, when he invented the World Wide Web in the early 1990s.

Xerox is indeed a private company, and Xerox PARC researchers did develop some important computing technologies, including Ethernet and the graphical user interface. But it’s not accurate to say that “the Ethernet was developed to link different computer networks.” Ethernet was designed primarily as a local networking technology to connect computers in a home or office. The point of the Internet’s TCP/IP protocol was to allow networks using different standards, including Ethernet, to communicate with each other. Many of the networks that now comprise the Internet use the Ethernet protocol, but what makes the Internet the Internet is TCP/IP, not Ethernet.

Indeed, not only is Crovitz confused about the origins of the Internet, he also seems not to understand the conventions of the World Wide Web. He quotes George Mason University economist Tyler Cowen as saying that “The Internet, in fact, reaffirms the basic free market critique of large government.” But that quote wasn’t written by Cowen. It was quoted by Cowen in a 2005 blog post.The page Cowen was quoting has succumbed to bitrot, but the Internet Archive has a copy.

The Wall Street Journal has earned a reputation for producing in-depth and meticulously fact-checked news coverage. Unfortunately, it doesn’t always apply that same high standard of quality to their editorial page.

CISPA at a Glance
In broad terms, CISPA is about information sharing. It creates broad legal exemptions that allow the government to share “cyber threat intelligence” with private companies, and companies to share “cyber threat information” with the government, for the purposes of enhancing cybersecurity. The problems arise from the definitions of these terms, especially when it comes to companies sharing data with the feds.

Is CISPA the new SOPA?
This is the notion that the reps behind the bill are most desperate to kill. Their primary response is that CISPA has nothing to do with seizing domains or censoring websites, but that’s only true on the surface. The bill defines “cybersecurity systems” and “cyber threat information” as anything to do with protecting a network from:

‘(A) efforts to degrade, disrupt, or destroy such system or network; or 

‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

It’s easy to see how that definition could be interpreted to include things that go way beyond network security—specifically, copyright policing systems at virtually any point along a network could easily qualify. And since one of the recipients of the shared information would be Homeland Security—the department that includes ICE and its ongoing domain seizures—CISPA creates the very real possibility for this information to be used as part of a SOPA-like crusade to lock down the internet. So while the bill itself has nothing to do with domain seizures, it gives the people behind such seizures a potentially powerful new weapon…

We’ve pointed out for years that the whole structure of SSL certificate-based security is open to attack via man-in-the-middle attacks… if you can somehow get a certificate authority to grant you a fake certificate. Of course, the protection against that was supposed to be that a certificate authority wouldn’t do that. But what if one did? Certificate authority Trustwave has admitted that it issued a certificate to a company that allowed it to issue “valid” certs for any server. Basically, it gave a company the ability to do any kind of man-in-the-middle attack it wanted on employees. Trustwave has admitted to all this after revoking the certificate. They insist that the structure was limited so that it could only be used internally on the network. But, while it was out there, it basically allowed this company to effectively spy on employee activities, allowing the company to do man-in-the-middle attacks, as employees logged into private (“encrypted”) accounts from their own devices, and see what they were doing. Considering this certificate was issued for “loss prevention,” it’s not hard to guess how it was used. 

Either way, it’s pretty scary that Trustwave would think it was a reasonable move to allow this kind of activity, no matter how carefully the company believes it was set up. In a world where people have perfectly valid reasons for using private personal internet services from the workplace, they should be able to trust that those connections are secure. Thanks to Trustwave’s deal with this (unnamed) company, that was not the case. On top of that, there’s no telling if other certificate authorities are doing the same thing elsewhere, significantly compromising SSL security. 

In the end, this is a significant reminder that certificate-based security systems have serious weaknesses, and that the certificate authorities might not always be trustworthy…

[un-fucking-believable…]