Erin leaves the lounge, chasing an ephemeral spurt of happiness. I smile a bittersweet smile of my own and lie back. Vito’s ridiculous 16″ sub is booming Keane, and I’m just a whisper shy of placidity myself. I return to the constant internal narrative stream, to what I was telling Sam earlier this evening. What was it again? Ah. Yes. I was saying, I don’t blog about personal stuff.

I was able to rattle off a laundry list of the possible reasons why in short order, but I don’t know which of them I trust. Maybe I’m suppressing the stuff I no longer feel I have time to handle (thanks to D-Bear and company). Maybe I want to believe it’s immaterial to my readership–forgetting again that this is not a site for would-be employers or future generations of geeks, and forgetting who that leaves. Maybe I’m still engaged in a backlash against my writer’s voice in high school, when I evidently thought everything personal was deep and important, and so I treat all of it as suspect and shallow. Maybe I’m in too much of a rush to save the world, and missing out on fun and personal development as a result. Okay, scratch maybe, I know that’s true; but I’m committed anyway and not regretting it.

Maybe I think (despite my advocacy) of the constant reminder to myself and to others that I’m the resident out-of-closet Aspy on campus as less than sexy? Pish. Two years now I’ve had no sex life. It can’t get worse just by telling the truth. Maybe I just don’t want my mom or my classmates (or for that matter random single female hacklings) to be reminded what strange shades the tapestry of my awareness is woven of when I’m not there in the room to safely guide their understanding and leave them feeling assured. Am I still that much of an egoist?

I should, after all, be thankful for what I’ve got. I know which of my traits could use some improving, and I know I’m improving. I’ve got friends I can discuss just about anything with (though that needn’t cause me to share less with the rest of the world). I’ve had the privilege of attending what I still feel is just about the coolest college anywhere. I’ve had my share of experiences, checked the check marks off my checklist, and all I’ve really got to do is go ahead and graduate, and go out into the great big world and try to do awesome things. I’ll get by anyhow.

One fairly sensible excuse why people like Mel and me blog the way we do is that we like to evangelize, and we like shiny things (see Joss Whedon or any Oliner for the proper definition of “shiny”). We tend to find these things more interesting than the cataloguing of “stuff that happened”. It is fair to say you leave a lot of pettiness behind when you worry less about yourself. I’m reminded of this when I compare my current posts to the older ones and to the stuff I posted on MySpace as recently as June. I’m reminded of how far I’ve come, and how instrumental this “dry academicness” was in my success, when Erin explains she doesn’t blog partly because she doesn’t feel like she’d have enough smart things to say.

Naturally, I felt the same when I started. I have to assume just about everybody does. Starting to blog can be a great experiment in self-directed learning, especially but not only when you’re pursuing technical or otherwise academic subjects. I would encourage just about anybody to try it on something, whatever they think is interesting, for the experience of having had to build up confidence in a subject matter. Really encourages you to get over yourself and start the osmosis. As in so much of life, there’s no right and wrong in the blogosphere–it’s all heuristic, so say something, don’t ask permission. You can always change your mind if it proves impossible to back up.

But yeah, I think what I was trying to say was, I needed the time to prove to myself I’d actually learned something while I’ve been here; and it’s been a glowing success. Only now I’m back to where I need to start paring down the language, emphasizing the relevant parts and making it accessible to a broader audience (like in AP English, where Mr Thornton trained the BS out of us and tried to get us to write like people rather than robots). For that, it might suit me to try and blog more “personal” things. I can be sensitive and appropriate in my choice of topics and still be bold, as long as I recall the admonition of Randall Munroe in XKCD #137, “Dreams”.

For the folks back home:

http://lostinthegroove.net/images/Halloween2k6

I feel… an ardent desire to see knowledge so disseminated through the mass of mankind that it may… reach even the extremes of society: beggars and kings.

Thomas Jefferson, 1808

It’s days like this I get the feeling our founding fathers are turning in their graves to the tune of 1.21 Jigawatts. I sat down today and had a long conversation with Eric Gallimore, IT wunderkind, and he explained to me rather neatly what building my trusted proxy network will actually entail. The list goes something like:

1. Address the problem of trust in hardware and software, as I am currently working to do.
2. Start a business as a tier-three internet service provider, selling last-mile access through DSL or T1 lines.
3. Acquire a number of tier-one and tier-two service providers to obtain the requisite unbroken datapaths (dark fiber doesn’t cover enough ground or meet in enough places to do this) or spend a crapton of money installing new point-to-point connections.
4. Buy enough senators to get congress to repeal CALEA or expect to be shut down in 2007 by the Fed.
5. All this assumes we have some confidence the trusted platform hardware manufacturers haven’t sold us out to the NSA. There’s no way of knowing for certain whether or not they could do this.

Basically, it’s not going to happen as originally described anytime soon. I’m left with a bothersome decision to make–do I continue the paper as originally formulated? Do I adjust it to take infrastructure problems into account? Legality issues? Do I go back to basics and focus on client-based privacy?

The thing is, it’s so tempting to envision internet services without CALEA because the current administration’s interpretation of CALEA is so broken and so inappropriate in a democratic society. The act was passed at a time when my generation of hacklings was too young and most of America too ignorant of telecommunications to comprehend what might go wrong.

Starting in 2007, however, CALEA compliance will be enforced on all “facilities-based broadband Internet access providers and providers of interconnected voice-over-Internet-Protocol”. In Eric’s opinion it won’t be long before they try to extend it to things like proxy servers and mix networks (*gag*), and there goes OpenTrustNet, dead in the water. If there is a more canonical way to bring 1984 to fruition than the combination of CALEA and DMCA, I cannot think of it.

Is what I’m proposing illegal? No. But under an executive who so loosely defines “law”, and a senate that woefully misunderstands the Internet, I don’t expect it to last. What I’ve been trying to describe is no less than a straightforward plan to build comprehensive privacy policy into telecom from the ground up. What they propose is just the opposite. Americans deserve privacy. We need a place we can go about our business such that telecoms won’t gleefully allow private investigators to pretext us on behalf of our bosses. We need a place where we can express dissent and not wind up on a TSA obligatory-harrassment list.

We need webspaces more wild and free than the President or the MPAA can comprehend, for the very reason for which they are seeking take freedom away: safeguarding liberty and rule of law.

I recently sent out draft zero of my thesis description to Allen. Figured I’d CC it here (with minor updates) for comment. My apologies, it’s pretty thick with jargon–I’ll have to work on that. Like it? Think it’s full of holes? Care to help me start a business?

OpenTrustNet is a model for low-latency, high-throughput trusted networks; it is intended to address the small worlds problem, and to a lesser extent the Sybil attack, for dark networks. The idea is intimately tied with both my AHS capstone (a study in the things new-school geeks value and how to promulgate them) and a business concept I’m interested in developing post-graduation—that of extensible commercial trust nets.

Properly marketed (as application-optimized ISPs rather than data havens) and properly built, I wonder if these couldn’t drastically accelerate the spread of safer networking, tipping the industry away from its current position where it is vulnerable to (and evidently subject to) massive surveillance and traffic analysis.

A commercial trusted network has the following properties:

It is built on an infrastructure of dedicated fiber joined by dedicated gateway/routers at carrier hotels in multiple states (with no peering links in the core network, so AT&T can’t snoop on us). It may also use symmetric crypto and random padding to further assure no one can eavesdrop and get meaningful results. Some fixed integer number of lambdas and cables is entirely consumed on any given day for any given link.

The dedicated routers cache frequently requested things wherever possible (using application-layer protocols like BitTorrent and FTP). In order for this to work, the core network routers are trusted with important information, such as request headers. This trust comes in part from the reputation of the network maintainers, but my intent is to reinforce it with cryptographic coprocessing (a la Trusted Computing) and protect it from hostile third parties by any means necessary.

Only subscribers, with some amount of dedicated bandwidth, are allowed to talk to the core network gateways. Subscribers are expected to maintain a constant rate of traffic by adding garbage (to disguise the actual data rate). For their own protection and that of the users, subscriber traffic rates are audited. Where possible, the spare bandwidth will be spent on useful work (such as cache prefetches using some intelligent algorithm).

Remote attestation and public key infrastructure checks will be used at the startup of each gateway or intranet link prior to obtaining access to routing and caching information. Subscriber machines are not globally trusted, so their knowledge is limited.

Instead, subscriber machines are locally trusted to forward requests from child-nodes anonymously or pseudonymously (at the discretion of the client application) and to maintain TLS sessions with child-nodes. This, in combination with proper caching architecture, makes protecting seeds and hidden services easy. Note that parent and child do not have to share a network or subnet, although that makes things run a lot faster and enhances privacy.

The source code and checksums of trusted gateway and subscriber software are prominently displayed on the web, along with public keys to current servers and source code for the recommended client. Clients should demand an attestation from the local subscriber at the beginning of a TLS session.

With some slight modifications, this model can be extended to allow secondary and tertiary subscription. Subscription still requires Trusted Computing (and is permitted or denied at the discretion of the next higher link in the tree). Nodes with ample dependent connections can run hidden servers safely; alternatively, people can pay to have hidden services hosted on the core network for better secrecy and availability.

Advantages:

Traffic on the core network mesh does not have to perform extraneous hops, eliminating a major source of bandwidth drain.

Persistent direct links (router-router and to a lesser extent router-subscriber) minimize the load from TLS initialization, while the lightweight server minimizes trusted platform hardware load associated with paging sensitive data to the disk.

Tiered infrastructure provides the needed mid- and long-range linkages for small-world networks, while keeping local traffic local and putting the biggest financial and computational burden on big-pocket customers (those with tier-one subscriptions).

I think the killer app for trusted networks would be an efficient distributed media library—imagine having the ease and privacy of an internal DC++ hub with a library bigger than the largest BitTorrent tracker and speed comparable to the rest of the internet. With resources like that, I could just stream things, and save a good deal of hard drive space.

Problems:

I was initially a bit confused regarding the cheapness of dark fibers. In terms of one-time purchase cost and even maintenance, they’re pretty cheap per kilometer-gigabit; it’s the fiber-optics and telecom-grade router hardware that are obnoxiously expensive.

More definitively a problem is the current state of Trusted Computing hardware. Despite its steadily increasing ubiquity even (and perhaps especially) in consumer equipment, the current specification is clumsy and dependent on a strongly access-controlled OS (properly configured, Fedora Core counts). Worse, it does not guard against hardware-bus-measuring attacks. The latter imposes severe limits on what can be done with complete confidentiality, since data evicted from cache travels naked on the memory bus.

Assuming the eventual development of a fully trusted server architecture (such as XOM) capable of running at telecom speeds, these are not absolute problems. Whether the service is capable of paying its own operating costs is a bigger question mark. The fact that it can be bundled with fast general-purpose internet services will help, but it’s still going to look like highway robbery in terms of the cost per megabit. Adding second and third tiers will help the first tier pay for itself—but there must be no pyramid-scheme-like illusions about system throughput. Some theoretical cost & performance analysis is needed.

At this point I haven’t proved to myself whether public gateways into the system can ever really be trusted. You might trust the head of IEEE or ACM at your school to properly run a subscribed server, maybe, but can you trust freeproxy.example.com to do the same? Bear in mind that just by routing your packets they can begin to know things about you. Unless your client is sending them a constant stream of garbage as well, Sybil attacks can still happen at the local level.

Other things to look at:

As a more constrained and testable example, I’ve considered playing with small-scale trusted peering as a way of expanding small-world nets (think wired mesh as opposed to wireless mesh), as in the proposal for GAIM buddylist-linked filesharing. This and does not address the important problem of establishing long-and-fast connections, but it does drastically expand the library available to the average person with decent security over existing connections–if the feature shipped with the standard client and was enabled by default, it would join a significant fraction of the user base into one massive media library, albeit with lousy latency and iffy bandwidth.

I’ve considered extending the simple tree model of the trust network in a number of ways. In particular, I draw inspiration from essays by Allen Downey and Ian Clarke (which are influenced by a 1998 Watts & Strogatz paper, which in turn springs directly from Milgram’s famous “6 degrees” experiment). They point out that the most efficiently structured darknets in terms of the requisite number of “blind jumps” are those with (I think?) Zipf’s Law distribution of link distances. In most cases, a regular, locally connected structure (for instance a grid) will suffice to keep the scaling logarithmic, provided there is a random sprinkling of long pathways. How to establish those pathways for best efficiency, and what the security consequences of doing so may be, are things I haven’t fully explored yet. What I do know is that the current link structure relies on a handful of definitely-not-random long links, the scaling properties of which are not great.

2 Comments

Okay, so the above idiom’s officially washed out.

Never you mind; I was going to say something in response to this lengthy blog post by Aaron Swartz, roving citizen journalist and apparently co-creator of Really Simple Syndication. He’s a big wig in the open-source world, so his post caught our attention particularly quickly (and he says this isn’t a place for hackers. Piffle, I say). I wanted to say my piece here, rather than add to the large pile of comments on Aaron’s site, not because I am afraid of getting my boots dirty but because it’s only going to make particular sense to other Oliners. Firstly, a comment on our comments on Aaron’s post:

“Lex and her circle” ARE Olin cultists, in a way.

Hey, they’re not cultists, they’re MechE’s!* Seriously, though, as much as it fails to surprise me at this point how un-cohesive Olin’s becoming now that at we’re at capacity (it is in fact a sociological inevitability), the conflict in views held by my classmates here made me feel a bit sad. That we could already be too big to remain synch’d and pluralistic is a big part of our growing pains. We weren’t a fascist cult, you see, but a family–more like a hackers’ commune. The above quotation is particularly poignant, moreover, because those who know Lex well know there is absolutely nothing wrong with her circle.

When I think ‘pro-Olin zealot’ they aren’t even the people that come to mind, and so I wonder could people be jumping to conclusions? (not you, Sean–but the young’ns, and perhaps Aaron) I’m sorry, but Oliners who claim to love fun and insanity can’t have their cake and eat it too–you gotta recognize, nub. The outside world would like to project all these utterly ridiculous traits onto Lex because of attributes that are skin-deep and/or beyond her physical control*, so have a care, you who have a chance to do better.

Also, the whole time I was reading people’s posts I kept thinking how easily we could change Aaron’s mind if we just handed him a torrent of Yellow Lights insisting that that is how the college looks to equally many of us. I can only assume KTTK would frown on this practice as they made the film on very little money with their own blood, sweat, and tears–pity, though, it’d make great admissions material (and would be a much more appropriate venue for espousing Olin’s values than, say, the yearbook. I’m not even gonna get started on that shit).

*UPDATE: not terribly important, but it points out some flaws in the above statements. “Lex” outed herself in the course of internal discussions, and was not actually who I was thinking of. A lot of the same points hold; some do not (not a MechE, not by any stretch of the imagination). And here I thought I’d nailed it, from the prominent mention of the rootbeer kegger. She is something of a memetic guru, though–in somebody’s world I suppose that might translate into “Olin cultist”. Now I’m much more bothered instead by the fact that he was able to look right past her and not see a kindred spirit.