Finding a Foreign Policy for the Internet

Justin Sherman and Trey Herr have an outstanding essay that clarifies the need for Washington and its allies to build a cohesive foreign policy for the Internet instead of simply opposing the strategies presented by competitors such as China.1 Poignantly, they write:

Washington needs a foreign policy for the internet that advances a vision for the internet that speaks to the language of trust and embraces the need to focus on the role of individuals, grasps the utility of iterating small changes instead of grand bargains, and embraces the reality that the clock cannot be turned back. This strategic product must do more than reject the sovereign and controlled authoritarian internet model, based on principles of tight state control over internet data routing, tight state control over data storage, and limited content freedom. A foreign policy for the internet must build on not just U.S. government agencies but allies and partners overseas, and leverage the influence that the American tech industry has over internet infrastructure. It must realistically address the shortfalls and risks of a free and open internet but seek to maximize and revitalize that internet’s benefits—across everything from speech to commerce. A foreign policy for the internet should rest on three assumptions; there are myriad others but these three are systemically significant.

These strategies absolutely must be developed and cohere given the importance of the Internet for day-to-day life; the Internet underlies everything from trade coordination, military engagements, and is increasingly lifeblood for civic life or organizing. It is time for the West to make clear what it is for, and how it plans to navigate the challenges that the Internet has wrought, without succumbing to fear or abandoning the democratic principles which have undergirded the Internet and its composition for the last several decades.

  1. Should you doubt that China has a cohesive strategy for the Internet, I’d recommend reading about the prospect of a splinternet forming as a result of China and its allies building out competing standards that prioritize placing control in centralized and obedient-to-government hands. ↩︎

VPN and Security Friction

Troy Hunt spent some time over the weekend writing on the relative insecurity of the Internet and how VPNs reduce threats without obviating those threats entirely. The kicker is:

To be clear, using a VPN doesn’t magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there’s still the network segment between the VPN exit node and the site in question to contend with. It’s arguably the least risky segment of the network, but it’s still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won’t be perfect. And privacy wise, a VPN doesn’t remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I’ve always said I’d much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that’s been independently audited to that effect.

Something that security professionals are still not great at communicating—because we’re not asked to and because it’s harder for regular users to use the information—is that security is about adding friction that prevents adversaries from successfully exploiting whomever or whatever they’re targeting. Any such friction, however, can be overcome in the face of a sufficiently well-resourced attacker. But when you read most articles that talk about any given threat mitigation tool what is apparent is that the problems that are faced are systemic; while individuals can undertake some efforts to increase friction the crux of the problem is that individuals are operating in an almost inherently insecure environment.

Security is a community good and, as such, individuals can only do so much to protect themselves. But what’s more is that their individual efforts functionally represent a failing of the security community, and reveals the need for group efforts to reduce the threats faced by individuals everyday when they use the Internet or Internet-connected systems. Sure, some VPNs are a good thing to help individuals but, ideally, these are technologies to be discarded in some distant future after groups of actors successfully have worked to mitigate the threats that lurk all around us. Until then, though, adopting a trusted VPN can be a very good idea if you can afford the costs linked to them.


This dark concept of total distrust was mostly spread via the Internet because it was what the Internet was built for—sharing ideas. Although the Internet is the most democratic means of communicating, it can be also be misused by governments and other groups.

Does this mean we should accept the concept that the Internet carries more threats than benefits?

The creators of the Internet supported the opposite concept. Unlike Putin, they believed in people and built the global network under the assumption that it would be used for sharing something good. They may look naïve these days, but we have our modern linked-up technological world thanks to their concepts, not Putin’s. These days, we all speak the language of suspicion and threats posed by the Internet. In a way, in means we are speaking Kremlin’s language. Do we really need to?


Intro to Mitigating Contemporary DDOS Attacks

From Cloudflare:

As the capacity of networks like Cloudflare continue to grow, attackers move from attempting DDoS attacks at the network layer to performing DDoS attacks targeted at applications themselves.

For applications to be resilient to DDoS attacks, it is no longer enough to use a large network. A large network must be complemented with tooling that is able to filter malicious Application Layer attack traffic, even when attackers are able to make such attacks look near-legitimate.

The pace of change in how DDOS attacks are being conducted, and efforts to use best and worst security practices alike to threaten Internet-connected resources, is a serious and generally under appreciated problem.


US-CERT: Stop using your remotely exploitable Netgear routers

From Network World:

In case you are wondering, that firmware for the R7000 – Nighthawk AC1900 smart router – is the newest firmware available by Netgear. Here are Netgear’s links to the R8000 – Nighthawk AC3200 tri-band gigabit router and the R6400. Hopefully those – and any other vulnerable models – will soon be updated with less insecure firmware.

Hopefully less insecure firmware will be provided to turn a burning dumpster fire into a merely-smouldering-mess. Hurray for (possible, but don’t bet on it) progress.


Why DDoS attacks matter for journalists

Two reasons that journalists should be concerned about DDoS attacks:

First, while the use of common household devices to execute the attacks against Krebs and Dyn was novel, the hackers got control of those devices using one of the oldest and easiest methods out there: bad passwords, a vulnerability most journalists share.

The second reason journalists should attend to these attacks is that strategic use of both DDoS attacks (for example, recent attacks on Newsweek and the BBC) and DNS manipulation are common tools for censorship. This is in part because they are cheap, easy (the software credited with Friday’s attack was posted openly just a few weeks ago), and highly effective in preventing some or all internet users from accessing the content they target.

We’re at the edge of a particularly bad security chasm we’re just about to fall into (if we haven’t already!). The question is whether we can actually avoid the fall or whether the best we can do right now is lessen the hurt on the way down.


The cyberpunk dystopia we were warned about is already here – Versions

The cyberpunk dystopia we were warned about is already here:

It seems that what companies like Cisco and app developers and startups seem to forget is that people can tell the difference between transformative innovation and shopping. Bogost adds: “It’s time to admit that the Internet of Things is really just the colonization of formerly non-computational devices for no other reason than to bring them into the fold of computation. […] Operational benefit is deemphasized in favor of computational grandstanding, data collection, and centralization.”

The best definition of the Internet of Things I’ve come across in a while.


Hackers Hijack a Big Rig Truck’s Accelerator and Brakes

Hackers Hijack a Big Rig Truck’s Accelerator and Brakes:

When WIRED reached out to trucking industry body the National Motor Freight Traffic Association about the Michigan research, the NMFTA’s chief technology officer Urban Jonson said the group is taking the researchers’ work seriously, and even funding future research from the same team. And Jonson acknowledged that the possibility of the nightmare scenario they present, of a remote attack on heavy vehicles, is real. “A lot of these systems were designed to be isolated,” says Jonson. “As automobile manufacturers are increasingly connecting vehicles with telematics systems, some of these issues need to be addressed.”

That the Association’s reaction is to work with researchers instead of trying to sue them is a very good sign.


And then there’s the sheer randomness of it all. Some services you can’t access for no apparent reason, others are so slow that you can’t figure out if they’re blocked or just snail-paced. And as I experience this, I wish some of our politicians and media people, those who see net neutrality as the enemy, I wish they’d come here and experience what a radical version of non-neutrality is. Again, I have a VPN service to overcome most of this (at the cost of speed) but most people don’t and/or can’t afford one.

Don’t get me wrong, I’m not suggesting that not enshrining net neutrality is the equivalent of doing what the Chinese (or Iranian, or Indian) government does. But I look at the UK’s blocking mechanisms supposed to protect children but really targeting just about any kind of site for arcane reasons that no one can figure out, and I think that what I have here is an extreme version of the same thing.

* Benoit Felton, “Behind the Great Firewall