Now I'm confused -- REALLY confused. For a second there, I thought ZKS was actually executing a turnaround to become a real privacy company, what with their recent repositioning towards managed privacy services and all. Companies out there need privacy solutions, and the field is wide open for the taking right now.. There aren't many other companies out there with shipping products for the enterprise space yet .. in addition to ZKS (which I'm not sure if they REALLY have a product for the enterprise space? although they seem to like to talk about it??) there's PrivacyRight and Privada out in California, and then that's about it.. and from what I can tell, the enterprise market is more than large enough for 3 companies right now.. I mean, if ZKS ever got their head screwed on right (read: fired Austin Hill??), they MIGHT stand a sliver of a chance of actually making some money --

But NOW, ZKS turns around and pulls a NymIP project for the IETF? What does this have to do w/ anything? (or at least, what does it have to do w/ the ZKS repositioning to become a genuine privacy company?) It seems this has more in line w/ what I've been saying all along: the ZKS is really a free speech company, not a privacy company. I've perused the (so far short) NymIP mailing lists and even the members agree that the NymIP project shares more in common w/ Fling (http://fling.sourceforge.net/), a free-speech system for the Internet, than it does w/ anything privacy related..

First, I'll go over all the obvious technical flaws w/ NymIP. For this protocol to have any practical applicability, we have to believe the ZKS mantra that IP addresses somehow represent personally identifiable information (PII) that is highly sensitive, and therefore must be encrypted. We are asked to believe, in other words, that 1 IP address <==> 1 person..
Notwithstanding the obvious fact that today 60% of the Internet population logs on through AOL where 10,000 users share one IP address at the same time, I'd like to ask the NymIP team what they plan to do once IPv6 is rolled out?? The 1 IP address <==> 1 person concept is highly tenuous under IPv4, and altogether laughable under IPv6..

Reading of the Goals of NymIP draft, the project lacks clear definition -- apparently they want to throw a bunch of academics in a room and see if they can come up w/ some vacuous concept called controlled nymity (<-- what the hell does that mean??) all w/o attempting to set any concrete benchmarks or milestones? The draft also stresses PKI.. I'm wondering how much trust ZKS in general places in PKI? Have they read Schneier's 10 risks of PKI?: http://www.counterpane.com/pki-risks-ft.txt

You have to wonder about IETF adoption too .. I checked out the agenda for the San Diego meeting and there is no mention of NymIP: http://www.ietf.org/meetings/IETF-49.html Also, just run through the standards that the IETF really does back: LDAP, Kerberos, IP telephony, VoIP, IPSec, and on and on.. these are real applications that have real business uses for enterprises and individuals. That's why they have the support of the IETF..

Where's the real use for nyms? How many people have downloaded Freedom and are using it? (I never see anyone I know on the Internet using @freedom.net addresses..) How many businesses are using ZKS? (if in fact they even have a product for businesses?) If nyms were a real thing, technologically + economically, they would have happened by now, but they haven't.. (YES I'm using a nym to write this email, but I don't use one nym to purchase computer books on Amazon, use a different nym to buy porno books on Amazon, etc.. and THAT is the economic reality that would have to be occurring for ZKS-style nyms to have any real traction -- yet it does NOT occur..)
What irritates me more than anything about ZKS is their belief that cryptography can solve all the world's privacy problems.. any sophisticated security professional will tell you that cryptography barely solves any security problems, and although good privacy starts w/ good security (since w/o security, information will tend to leak around where you don't want it to), privacy is vastly more complex than security.. 10 years ago you had people like Schneier talking about the role of cryptography in security. Since then, these people have moved beyond the algorithms and protocols, into the products, then into the policies and procedures, and today you have people like Schneier basically advising companies to just buy insurance to cover computer security risks -- after all, the whole security game is just a risk management game, and what better way to manage risk than via insurance? But at ZKS, they're still living in a world where cryptography solves everything, completely ignoring the human element.. (which is really the most important) (and while we're on the subject of cryptography, what exactly is wrong w/ SSL? And don't tell me that SSL still lets you see IP addresses (perfectly in line w/ the TCP/IP spec) b/c that has NOTHING to do w/ privacy)

When I look for the human element in a company, I look to the marketing department -- it's the job of these guys to make sure that what the company is working on actually HAS a market. As soon as I heard about the NymIP project, my gut instinct was to fire the marketing VP over at ZKS -- it was like, this is the last straw -- the company has completely failed to position itself as ANYTHING.
First you're selling this thingie called Freedom that is supposed to protect privacy but of course doesn't, then you're transitioning into the enterprise space, but you still leave 100 engineers working on Freedom on payroll, and then you start talking about being a consulting company even though PriceWaterhouseCooper will be better than you because they have actually broadened their knowledge base beyond crypto-anarchy and you haven't and you then have Stefan Brands do a dog and pony show about building privacy into PKI, w/ applications in m-commerce, e-commerce, electronic voting, location-based services, age/gender verification, DRM, identity management and frequent flier miles (<-- NONE OF WHICH, by the way, are anything that any of the previously mentioned ZKS units are focusing on) and finally you come FULL CIRCLE and decide that you're going to work on this NymIP thing, which most closely resembled your initial Freedom product, which is actually a free speech thingie anyway and not a privacy thingie.. Wow -- NO FUCKING FOCUS.. and they must be burning at least $2.5 mil every month w/ basically nothing to show in revenues (I'm guessing Freedom just isn't the cash cow they thought it might be?? I mean, how many people do I see on the Internet using @freedom.net addresses??)

But, back to what I was talking about -- I was about to recommend firing their marketing VP when I looked at their Web site and realized ZKS HAS NO MARKETING VP!! Then I thought: THAT'S THE PROBLEM!! Most modern high tech companies believe in the mantra that your customers drive your business, and will hire a marketing VP usually as employee, say, #3 or #4 so that he can go out and validate that there really IS a market for what you are proposing.. if not, it's back to the drawing board until you CAN find some customers somewhere for what you're peddling.. Apparently ZKS does not choose to operate in this manner (listen to customers, ship products to market, etc..)
And that's when I realized they likely have no marketing VP b/c it's impossible to market a product as crappy as Freedom! Catch22.. In Silicon Valley, most VCs will not fund a company w/ market validation and w/o a marketing VP.. apparently this does not hold true in Canada..

I guess in the end, do I really care that much that I'm surfing anonymously? Do I really care that much that I'm surfing w/ a non-encrypted IP address? (this is, after all, how TCP/IP was designed to work). I'm still SEARCHING for a business case here.. SOMEBODY HELP ME.. If I fill out a form and engage in a commercial transaction, then yes I want all that and related information to remain private (between me and the merchant), but does this really mean that I want all my info hidden from the merchant (maybe I'm a sucker for frequent flier miles) and does it mean that I'll swim against the flow and drop $30 million++ into trying to redesign TCP/IP from the ground up so it has anonymity built-in??

Declan -- btw I appreciate the fact that your blurb in Wired about NymIP makes no mention of the word privacy -- I think it's incredibly important that the concept of privacy be divorced from the concept of anonymity in the popular media (where oftentimes these two concepts blur together into one..) .. they are clearly not even remotely similar..

And don't get me wrong -- I firmly believe the Internet should have an anonymous safe haven, so to speak, if only for free speech if nothing else -- however, I have serious problems w/ a privacy company attempting to deliver on this, since it's technically impossible, economically unmanageable and ultimately only confuses an already befuddled marketplace (quite severely, in fact..)..
http://www.wired.com/news/politics/0,1283,40582,00.html
Devising Invisible Ink by Declan McCullagh (declan@wired.com) 2:00 a.m. Dec. 9, 2000 PST
WASHINGTON -- An ambitious effort to protect online anonymity will kick off this weekend.
A working group of about a dozen technologists, called NymIP, is gathering before the Internet Engineering Task Force's meeting to take the very first steps toward devising a standard that will foster untraceable communications and Web browsing for Internet users.