Overlay Networks: Research Improvements and Attacks [was: planetlab butterfly relays]

grarpamp grarpamp at gmail.com
Wed Jan 23 16:25:20 PST 2019

        In the life sciences, researchers and security officials hadn't much
        history of working together. After 9/11, tensions threatened to grow
        between them. Neither group understood how the other operated and each
        thought the other was basically clueless.
               Gerald Epstein, Director AAAS Center for Science, Technology and Security Policy

In 2012, a company called Defense Distributed became the first producer of a 3D-printed firearm, called the Liberator. Intended by the group to be a political statement concerning the protection of constitutional freedoms online and to send a message to global governments about the regulation of digital technologies, the project was quickly misinterpreted as a significant threat to security. The State Department officially requested that Defense Distributed remove the designs from their website, indicating that the files may be subject to the International Traffic in Arms Regulations (ITAR), a policy responsible for regulating weapons and certain kinds of technical data. The group complied, but not before over a hundred thousand downloads of the design had been recorded.94 Today, it is easy to find and download the original files from numerous online locations. A second statement by the State Department issued in June 2015 took a stronger stance on the issue of 3D gun design, declaring the intent to restrict specific types of designs and to require developers to obtain approval before "online publication of any technical data that . . . would allow for the creation of weapons . . ."95

This is one example of many in which a cultural misunderstanding complicated a situation that could have been resolved in a much simpler fashion. Understanding that Defense Distributed is an outgrowth of an online cultural group known as the cypherpunks, who are dedicated to the protection of individual user rights online, especially freedom of speech and expression, may have influenced the State Department to take a different approach. The case studies in this chapter will underscore three primary themes of attempts to utilize traditional methods of regulation against this problem set: 1) a lack of understanding of cultural norms and moral issues will negate applied legal measures, 2) a failure to understand and incorporate the cultures of the regulatees will lead to failed policy, and 3) the negative effects of applying quick policy fixes to RLT and online OSCs can cause nations to be less secure and grant a foothold for rogue actors.

While the State Department's intentions were to enhance public safety, the effect achieved was the opposite. Within days of the June announcement, online groups that had been openly discussing 3D printing firearms suddenly instituted private chat rooms, deleted comments on how to meet existing gun laws or ways to circumvent the law, and began looking to encryption programs or Dark Web servers sponsored by foreign entities to escape US jurisdiction. Any visibility that open-source analysts had on this particular technological evolution, how quickly the technology was diffusing, and which groups might be willing to collaborate with the government to conduct self-policing or threat warning disappeared overnight. This phenomenon is not new, yet it continues to pose a stumbling block to regulators. As in the battle by MGM to stop illegal music sharing, the danger of making a moral issue into a market issue means that legal measures, especially measures that are likely to have little to no impact, generally result in anonymizing behaviors, high rates of diffusion via digital means, and isolation of user groups, restricting participation in constructive, collaborative solution forums. The technology evolves in exactly the manner the regulator had hoped to avoid.96 One reporter did a good job of summing up the ill-conceived regulation strategy:

        Even those who do not feel that everyone should have the ability to
        print their own guns have to see the lopsided logic at blocking access
        to the 3D printable gun instructions when directions on how to craft
        fertilizer bombs and make poisons [are] still readily available.97

Technological change can be daunting. But it is important to recognize when that change is occurring and then take the time to formulate an appropriate response. Failure to do so can make a simple political statement into a much bigger problem.98 The Liberator demonstrates the impact the lack of understanding of the "foreign" culture of OSCs and the influence (or lack thereof) that cookie-cutter policies and outdated regulations can have. While cultural training is stressed for military and diplomats operating in foreign nations, it is seldom discussed in terms of cyber and technology policy. This shortsightedness has a cost: alienated and radicalized OSCs, an online community that fails to report apparent threats to national security or public safety, stifled innovation that damages the US economy and military, and the creation of dangerous blind spots that can function as cyber safe havens for nefarious actors. The most important factor in the development of policy is understanding the culture and environment in which that policy needs to operate. This chapter will be devoted to identifying successful and failed attempts to engage with OSCs, to provide an understanding of some of the critical nuances explicit to policy and regulation in the digital dimension. Without this grounding, RLT policy development will at best have limited success or at worst be a total failure that results in enhanced operational security for threat actors.99

This chapter will provide an introduction to the online open-source culture. While groups may have their own unique personalities, all online groups embrace a shared cyber culture and (with the exception of a radical minority) obey its mandates. The case-study segment will follow, with five examples of negative interactions between government or corporate actors and OSCs (to include individual actors), highlighting what went wrong, why, and the end results (costs) of the interaction. A look at existing policy and identified shortfalls using 3D printing as an example will be included. Then, five positive case-study interactions will be examined with a focus on why these interactions were successful and what government and corporate entities did differently to make them a success. Finally, the chapter will conclude with a discussion of elements that can help to craft smart policy for the digital environment while avoiding known pitfalls that can lead to the "compliance without effect" problem experienced by policymakers grappling with RLT today.100
