O'Reilly Network Weblogs: O'Reilly Emerging Technology conference: breaking old regulations and old habits

Published on The O'Reilly Network (http://www.oreillynet.com/)
http://www.oreillynet.com/pub/wlg/1417

O'Reilly Emerging Technology conference: breaking old regulations and old habits

by Andy Oram
May. 16, 2002
URL: http://www.oreillynet.com/etcon

Here's a quote uttered by Internet engineering expert David Reed today that everyone concerned with emerging technology (and wireless Internet in particular) should hear: "Under the current regulatory regime, 802.11 would never have been legalized."

Scary observations like this led me to help organize a Birds-of-a-Feather session on telecom policy tonight. In several forums today at the O'Reilly Emerging Technology conference, we heard that emerging technologies depend on changing old regulations, old rules, old habits.

Bruce Schneier lays out a feasible future

Renowned author and cryptography expert Bruce Schneier offered an extremely lively and surprisingly fun keynote, updating his Secrets and Lies book and suggesting some concrete steps toward better security. As readers of Schneier's book and Cryptogram columns know, he moved beyond technical fixes long ago and now looks for social ways to improve Internet security.

Schneier started by saying that, despite all the technical advances in computing, security is still a problem because of complexity. I would rather say--and I believe this to be the true lesson of Schneier's talk--that security is still a problem because it is not purely technical, but involves an ongoing battle between human beings. It is a matter of sociology and psychology; technology is merely a vehicle.

As Schneier said, "Security is a people problem, not a technical problem." Actually, the people he was referring to at that moment were not the malicious crackers themselves, but the crowds of negligent programmers, managers, data centers, and policy-makers who tolerate weak security.

His proposals for improving the situation included:

The oft-heard suggestion to make software manufacturers liable for defects. This was acknowledged to embody several problems, especially concerning small software developers, free software, and innovation in general. (Note: software companies are doing their damnedest to move in the opposite direction, by pushing UCITA laws that would let them get away with releasing known defects.)
Making other companies liable for their own systems as well. They'd act differently if they knew they could be sued when their customers' social security numbers were released.
Requiring insurance for data protection and integrity. Insurance companies, along with regulations, push companies to make all manner of socially beneficial expenditures, from smoke alarms to environmental clean-ups.
Detection and response--rational prosecution and punishment.

"The limits of security," said Schneier, "are the limits of the Internet." He compared the current situation to the rule of warlords, and concluded, "We need to turn the Internet into a lawful society." Schneier is a really neat person, despite his illusion that a Gore administration would have protected civil liberties more than the Bush administration does.

Immune to attack

The following talk, as a colleague told me, was an antidote to Schneier's pessimism. Steven Hofmeyr described an adaptive, largely self-regulating system of intrusion detection inspired by the workings of immune systems in biological organisms. Amazingly enough, in his tests, it really works.

I have read of research into distributed network intrusion detection systems, but what Hofmeyr proposed went several steps beyond what I'd seen. One starts by creating random patterns. Those that match the expected behavior of the system (as seen in logfiles, etc.) are discarded; others are kept around for a while to see whether they succeed in detecting anomalies. When one of them matches something new on the network, a human administrator is notified. For new patterns, therefore, some manual intervention is required to determine whether the anomaly is OK.

But when a certain number of patterns are installed and have proven their worth, they are remarkably good at detecting intrusions quickly. The bigger the network you're monitoring, the more useful and effective they are. But as one audience member pointed out, the system is meant for relatively stable and predictable networks with internal traffic, not for open systems like public Web servers.

Both Schneier and Hofmeyr believe diversity is useful to minimize the damage of attacks, but Hofmeyr has more faith that diversity is achievable. As he pointed out, a single patch to an operating system can change the attacks that work or fail.

Making policy through the back door

I started this weblog with the shocking observation by David Reed that the wireless networks at the heart of this conference might have been illegal in the United States, save for some historical luck. The idea was meant to shake up the typical hacker out of his or her apolitical bliss.

One wireless provider had enough insight yesterday to ask me for a report on tonight's policy BOF, but admitted, "I'd rather just build networks without having to worry about policy." And among the fifteen people who showed up at the BOF, one queried me, "Why are you asking the government for help?" These questions are reasonable but show the crying need for education even among practitioners of wireless. Imagine how much greater is the ignorance among the media, the general public--and even the policy-makers themselves!

The fact is that wireless rests on very shaky legal ground. There are no less than four types of devices that are licensed to operate in the spectrum used by 802.11, and anyone operating one of these devices has a right to shut down someone who runs an 802.11 network in the same space. This is not widely known (the manufacturers of 802.11 devices certainly don't want to talk about it).

Now what do you think? Which is more important to the economy and to social progress in general: digital broadband or ham radio? The truth is that ham radio trumps digital broadband, just because ham radio has been around longer and therefore is sanctified with a license to use the spectrum. (Yes, it's happened--a ham radio operator has actually shut down an 802.11 network.)

The solution is not to license 802.11 providers--that would just hamper them with bureaucracy--but to find some new common spectrum where unlicensed operators could put up their networks without interference. (They could interfere with each other, but if we get this far we can start to find technical and political solutions to that problem.)

The FCC has expressed interest in packet radio over the years, sponsors groups to find ways to make it work (some people who have worked with these groups came to the meeting tonight), and has even started proceedings to implement proposals--but both the search for better spectrum and the potential for ultra-wideband (UWB) are terminally stalled.

It's become painfully obvious that, since 802.11 proponents lack a major commercial presence with millions of dollars to throw around in lobbying and contributions, neither Congress nor the FCC has incentives to improve the environment for it. Indeed, the disincentives are very strong. The lobbying sharks of traditional telecom companies have smelled 802.11 blood and are beginning to converge on it.

The apolitical radio operator who approached me today asked, "Can some policy shift actually shut me down?" It is indeed possible. And even though it probably won't get that bad (the public and the media know enough about wireless to provoke protest) the attention of Congress and the FCC are focused on pulling the monopoly telephone and cable companies out of the worst depression they've ever had. The last thing these forces want is a cheap, user-controlled alternative to their low-quality, overpriced services.

The hope forward may lie in doing what we're already doing--building the networks wherever we can--in combination with some creative digital-divide initiatives. We discussed:

Using Community Development Block Grant (CDBG) money to install wireless networks in disadvantaged neighborhoods and train residents to maintain them
Promoting wireless as a way to save money right now--for instance, to replace the expensive police radio systems that suck up huge amounts of money in monthly fees
State-level bills that would bring together municipal leaders so they can plan to build hybrid municipal networks of fiber and wireless, and that would fund needy communities with the goal of upgrading their telecom infrastructure
Promoting the use of wireless in initiatives started by other federal agencies, such as for rural communications

Fiber definitely has a role to play too. Cities could provide neutral access points where end-users could hook up with ISPs, bypassing the sclerotic incumbent players. At first, fiber would be an institutional solution, or a luxury item for the affluent. But a $3,000 dollar investment for something that will provide shockingly high bandwidth for 30 years is not an unreasonable investment for individuals.

Meanwhile, there are defensive measures we must take, too. Both Congress and the FCC are poised to close the regulatory doors that would let small, competing telephone companies coexist with the local monopolies in telephone and cable service. (This battle may already be lost, and in the opinion of some people at tonight's meeting was not worth fighting.) The notorious CBDTPA--which even Bruce Schneier singled out as a threat in this afternoon's keynote--would suppress innovative technology as well as the market for broadband. Municipalities that try to create networks are routinely sued by incumbent companies on a variety of pretexts. And a bevy of regulations could nickel-and-dime wireless Internet providers.

That was about as far as the BOF got by ten o'clock, when people began to rustle around and let conversations drop. I believe they were unconsciusly reacting to my shutting down my laptop. But the only reason I shut down my laptop was that I saw a message telling me my battery was low. I guess that's what it means to be a technology-driven policy group.

Don't forget 3G

While analysts are increasing declaring "3G is dead," it's actually been successful in some parts of the world. Nowhere is it more successful than the Philippines, where wirelines are expensive and use is metered. This was the subject of the talk by entrepreneur and journalist Janette Toral.

While only 3 million people have access to fixed Internet access (and most of these go to Internet cafes to use it) 11 million get the Internet over cell phones. One of the most popular activities is SMS messaging, for which a variety of fun and user-friendly applications have sprung up. It has serious uses, too--farmers can access a service call B2BPriceNow.com, for instance, to determine fair prices for their commodities moment-by-moment.

Most U.S. observers are skeptical of SMS, but Toral thinks it could become more popular here and around the world. She recommends:

Instituting a caller-pays cell phone policy
Offering SMS for free to start with, and educating the market as to its value
Encouraging interconnection between providers

Who will blog the bloggers?

I unfortunately missed most of the morning keynote by Steven Johnson, author of the popular book "Convergence," because I was busy in a conference call, saving the world. I made it to some of the following panel, where weblogs were heavily discussed. Weblogs seemed to be a theme running through the day. They played a big role in a talk about new journalism by San Jose Mercury News author Dan Gillmor, Most of which I also had to miss. And there was a BOF on blogging in the evening, but it adjourned to the bar and dissolved into chaos, appropriately enough.

The upshot is that a lot happened today concerning blogs, but I happened to be away for most of it. Which does not prevent me from gleefully abusing the medium right now.

File-sharing futures

Kelly Truelove offered a talk about trends in P2P file-sharing systems. His focus was different from a talk given yesterday on the same subject by Lucas Gonze. Whereas Gonze traced theoretical work being done to create new distributed file systems, Truelove dealt with practical extensions to the two protocols that are currently most popular: Gnutella and FastTrack. (The latter is the basis of KaZaA and used to be employed also by Morpheus, which switched to Gnutella this past February.)

An ideal file-sharing system would be as fast as possible, use a reputation system to ensure that good data is returned, and would be massively scalable, anonymous, autonomous (that is, lack centralized points that could be shut down, and sensitive to different pricing of ISPs. Many of these goals are conflicting, of course.

In reality, systems that embody guarantees of robustness are also less efficient that others and impose extra burdens on the user. So those do not become as popular as systems that are more vulnerable. Even though today's systems lack the centralized indexes that Napster used, there is still a vulnerable centralization in boostrapping (finding other users to connect to).

Some ISPs forbid file-sharing systems under terms-of-service clauses that rule out running a server. Few block traffic from file-sharing systems unless forced to do so by copyright owners. But there is growing impatience with the loads generated by such systems. There is little appreciation for the notion that such systems can drive the adoption of high-bandwidth networking.

After Truelove's talk, I queried him about initiatives to provide special classes of low-priority traffic on the Internet. Researchers are suggesting that applications could voluntarily label themselves as second-class citizens and slow down when normal applications are active. If applications and network providers cooperate, a lot of the pressure on campus networks and other points would be relieved.

Andy Oram is an editor for O'Reilly Media, specializing in Linux and free software books, and a member of Computer Professionals for Social Responsibility. His web site is www.praxagora.com/andyo.