My short writeup of the NymIP effort
auto110413 at hushmail.com
Tue Dec 12 22:06:10 PST 2000

Now I'm confused -- REALLY confused. For a second there, I thought ZKS was
actually executing a turnaround to become a real privacy company, what
with their recent repositioning towards managed privacy services and all.
Companies out there need privacy solutions, and the field is wide open for
the taking right now.. There aren't many other companies out there with
shipping products for the enterprise space yet .. in addition to ZKS (which
I'm not sure if they REALLY have a product for the enterprise space? although
they seem to like to talk about it??) there's PrivacyRight and Privada out
in California, and then that's about it.. and from what I can tell, the
enterprise market is more than large enough for 3 companies right now..
I mean, if ZKS ever got their head screwed on right (read: fired Austin
Hill??), they MIGHT stand a sliver of a chance of actually making some money --

But NOW, ZKS turns around and pulls a NymIP project for the IETF? What
does this have to do w/ anything? (or at least, what does it have to do
w/ the ZKS repositioning to become a genuine privacy company?) It seems
this has more in line w/ what I've been saying all along: the ZKS is really
a free speech company, not a privacy company. I've perused the (so far short)
NymIP mailing lists and even the members agree that the NymIP project shares
more in common w/ Fling (http://fling.sourceforge.net/), a free-speech system
for the Internet, than it does w/ anything privacy related..

First, I'll go over all the obvious technical flaws w/ NymIP. For this protocol
to have any practical applicability, we have to believe the ZKS mantra that
IP addresses somehow represent personally identifiable information (PII)
that is highly sensitive, and therefore must be encrypted. We are asked
to believe, in other words, that 1 IP address <==> 1 person.. Notwithstanding
the obvious fact that today 60% of the Internet population logs on through
AOL where 10,000 users share one IP address at the same time, I'd like to
ask the NymIP team what they plan to do once IPv6 is rolled out?? The 1
IP address <==> 1 person concept is highly tenuous under IPv4, and altogether
laughable under IPv6..

Reading of the Goals of NymIP draft, the project lacks clear definition --
apparently they want to throw a bunch of academics in a room and see if
they can come up w/ some vacuous concept called controlled nymity (<--
what the hell does that mean??) -- all w/o attempting to set any concrete
benchmarks or milestones? The draft also stresses PKI.. I'm wondering how
much trust ZKS in general places in PKI? Have they read Schneier's 10 risks
of PKI?:
http://www.counterpane.com/pki-risks-ft.txt

You have to wonder about IETF adoption too .. I checked out the agenda for
the San Diego meeting and there is no mention of NymIP:
http://www.ietf.org/meetings/IETF-49.html

Also, just run through the standards that the IETF really does back: LDAP,
Kerberos, IP telephony, VoIP, IPSec, and on and on.. these are real applications
that have real business uses for enterprises and individuals. That's why
they have the support of the IETF.. Where's the real use for nyms? How
many people have downloaded Freedom and are using it? (I never see anyone I
know on the Internet using @freedom.net addresses..) How many businesses
are using ZKS? (if in fact they even have a product for businesses?) If
nyms were a real thing, technologically + economically, they would have
happened by now, but they haven't..

(YES I'm using a nym to write this email, but I don't use one nym to purchase
computer books on Amazon, use a different nym to buy porno books on Amazon,
etc.. and THAT is the economic reality that would have to be occurring
for ZKS-style nyms to have any real traction -- yet it does NOT occur..)

What irritates me more than anything about ZKS is their belief that cryptography
can solve all the world's privacy problems.. any sophisticated security professional
will tell you that cryptography barely solves any security problems, and
although good privacy starts w/ good security (since w/o security, information
will tend to leak around where you don't want it to), privacy is vastly
more complex than security..

10 years ago you had people like Schneier talking about the role of cryptography
in security. Since then, these people have moved beyond the algorithms and
protocols, into the products, then into the policies and procedures, and
today you have people like Schneier basically advising companies to just
buy insurance to cover computer security risks -- after all, the whole security
game is just a risk management game, and what better way to manage risk
than via insurance?

But at ZKS, they're still living in a world where cryptography solves everything,
completely ignoring the human element.. (which is really the most important)

(and while we're on the subject of cryptography, what exactly is wrong w/
SSL? And don't tell me that SSL still lets you see IP addresses (perfectly
in line w/ the TCP/IP spec) b/c that has NOTHING to do w/ privacy)

When I look for the human element in a company, I look to the marketing
department -- it's the job of these guys to make sure that what the company
is working on actually HAS a market. As soon as I heard about the NymIP
project, my gut instinct was to fire the marketing VP over at ZKS -- it was
like, this is the last straw -- the company has completely failed to position
itself as ANYTHING. First you're selling this thingie called Freedom that
is supposed to protect privacy but of course doesn't, then you're transitioning
into the enterprise space, but you still leave 100 engineers working on
Freedom on payroll, and then you start talking about being a consulting
company even though PriceWaterhouseCooper will be better than you because
they have actually broadened their knowledge base beyond crypto-anarchy
and you haven't and you then have Stefan Brands do a dog and pony show about
building privacy into PKI, w/ applications in m-commerce, e-commerce, electronic
voting, location-based services, age/gender verification, DRM, identity
management and frequent flier miles (<-- NONE OF WHICH, by the way, are
anything that any of the previously mentioned ZKS units are focusing on)
and finally you come FULL CIRCLE and decide that you're going to work on
this NymIP thing, which most closely resembled your initial Freedom product,
which is actually a free speech thingie anyway and not a privacy thingie..

Wow -- NO FUCKING FOCUS.. and they must be burning at least $2.5 mil every
month w/ basically nothing to show in revenues (I'm guessing Freedom just
isn't the cash cow they thought it might be?? I mean, how many people do
I see on the Internet using @freedom.net addresses??)

But, back to what I was talking about -- I was about to recommend firing
their marketing VP when I looked at their Web site and realized ZKS HAS
NO MARKETING VP!! Then I thought: THAT'S THE PROBLEM!! Most modern high
tech companies believe in the mantra that your customers drive your business,
and will hire a marketing VP usually as employee, say, #3 or #4 so that
he can go out and validate that there really IS a market for what you are
proposing.. if not, it's back to the drawing board until you CAN find some
customers somewhere for what you're peddling..

Apparently ZKS does not choose to operate in this manner (listen to customers,
ship products to market, etc..) And that's when I realized they likely
have no marketing VP b/c it's impossible to market a product as crappy as
Freedom! Catch22..

In Silicon Valley, most VCs will not fund a company w/ market validation
and w/o a marketing VP.. apparently this does not hold true in Canada..

I guess in the end, do I really care that much that I'm surfing anonymously?
Do I really care that much that I'm surfing w/ a non-encrypted IP address?
(this is, after all, how TCP/IP was designed to work). I'm still SEARCHING
for a business case here.. SOMEBODY HELP ME.. If I fill out a form and engage
in a commercial transaction, then yes I want all that and related information
to remain private (between me and the merchant), but does this really mean
that I want all my info hidden from the merchant (maybe I'm a sucker for
frequent flier miles) and does it mean that I'll swim against the flow and
drop $30 million++ into trying to redesign TCP/IP from the ground up so
it has anonymity built-in??

Declan -- btw I appreciate the fact that your blurb in Wired about NymIP
makes no mention of the word "privacy" -- I think it's incredibly important
that the concept of "privacy" be divorced from the concept of "anonymity"
in the popular media (where oftentimes these two concepts blur together
into one..) .. they are clearly not even remotely similar..

And don't get me wrong -- I firmly believe the Internet should have an anonymous
safe haven, so to speak, if only for free speech if nothing else -- however,
I have serious problems w/ a privacy company attempting to deliver on this,
since it's technically impossible, economically unmanageable and ultimately
only confuses an already befuddled marketplace (quite severely, in fact..)..
>http://www.wired.com/news/politics/0,1283,40582,00.html
>
> Devising Invisible Ink
> by Declan McCullagh (declan at wired.com)
> 2:00 a.m. Dec. 9, 2000 PST
>
> WASHINGTON -- An ambitious effort to protect online anonymity
> will kick off this weekend.
>
> A working group of about a dozen technologists, called NymIP, is
> gathering before the Internet Engineering Task Force's meeting to take
> the very first steps toward devising a standard that will foster
> untraceable communications and Web browsing for Internet users.