Paul Snively: Identity, Privacy, and Security

From John Robb's Radio Weblog:

Howard Rheingold: "Smart Mobs" This is an interesting twist. I have watched this take off too. It happens in the blog world with regularity (I still wish that people would get off of these automated reputation systems -- a blog is a reputation system, it works via a "I trust you, you trust him/her, etc," and scales extremely well. The difference is that there are real people making decisions vs anonymous voters.).

It's a shame to see this in the midst of a rather lengthy run of excellent analysis by John, because it contains simple errors of fact that people unfamiliar with reputation systems might believe to be true. To begin with, if it's a reputation system, then it doesn't have anonymous voters by definition. If a system allows anonymous voters, it's not a reputation system. Reputation systems deal with identity by definition; if they allow anonymity then by definition they are not attack-resistant and cannot be trusted. Sierra is a reputation system. Advogato employs a reputation system—one of only two known attack-resistant trust metric systems in the world today. The other is Google's PageRank system. PageRank is not itself a reputation system because it doesn't deal with identity, only authority of web pages. So it points up the need to distinguish between authority metrics and trust metrics, although there is obviously some overlap there that would be interesting to capture. Why aren't authority and reputation the same? Because authority is only expressed positively (you either have a lot of links pointing at you or you don't, but if you don't, it doesn't mean you don't know your subject) whereas reputation systems treat both positive and negative explicitly (that is, it's a three-valued logic: positive, negative, and unknown are all treated explicitly). Weblogs are not a reputation system for the same reason that PageRank isn't, and this is significant because if you do conflate authority with reputation, then weblogs obviously would be a reputation system using Google and PageRank as its metric. It's already been noted elsewhere (I'll have to find a link later) that blogrolling has a disproportionate impact on PageRank due to blogrolls typically crossing domains—an important component of PageRank's attack-resistance being to attempt to ensure that links aren't coming from "the same entity" as the page being linked to. Once again, we see the need for cryptographically strong identity. There isn't even a way to query a weblog as to who wrote it (but there should be; see Aaron Swartz' essay on how to sign your page). The bottom line is that reputation metrics are becoming increasingly important, not less so. Simply handwaving the issues away and claiming that individual human assessment of trust is sufficient for the Internet is a fatally flawed outlook. The responsible thing for the COO of a popular blogging tool to do would be to ensure with all due haste that his company's product trivially supported at least the digital signature of the pages that it generates and, if at all possible, supported an attack-resistant trust metric that could easily be queried by anyone through an XML-RPC or SOAP or REST or whatever call to their product.

New York Times - Editorial Op-Ed: free registration required An Erosion of Civil Liberties.
Attorney General John Ashcroft has a gift for making the most draconian policy changes sound seductively innocuous. He was at it again yesterday, describing new domestic spying powers for the Federal Bureau of Investigation as nothing more than the authority to surf the Internet or attend a public gathering. That is profoundly misleading. In reality Mr. Ashcroft, in the name of fighting terrorism, was giving F.B.I. agents nearly unbridled power to poke into the affairs of anyone in the United States, even when there is no evidence of illegal activity... Before it was brought under control, the F.B.I. routinely infiltrated peace groups, electronically monitored civil rights leaders, including Martin Luther King Jr., and generally engaged in spying against Americans who were critical of the government. [Privacy Digest]

This is the problem with any desire on the part of the government to expand its powers: it insists that we trust it. Well, Americans of my parents' generation did that, and what we ended up with was the Bay of Pigs, MK-ULTRA, the Kennedy Assassination, the Vietnam War, Watergate, the Iran-Contra scandal, Whitewater, Ruby Ridge, Waco... and all of this is ignoring Hoover's FBI, an institutional evil that I'd certainly felt we'd successfully sent to its grave. Apparently I was mistaken. The government doesn't need more power in the domestic arena. On the contrary; it already has too much and should be curtailed. If the government wants to help make us more secure, it can cease its multi-generational interventionist foreign policy and concentrate on defending our borders and our rights here at home. Oh, and stay the hell out of our public assemblies, our phone conversations, and our mail, electronic or otherwise.

WashTech.com part of the Washington Post - Minnesota Gov. Signs Internet Privacy Bill .
Minnesota Gov. Jesse Ventura signed a bill yesterday that lets Internet users decide whether Internet service providers can share their personal data.

Ventura signed the bill despite opposition from Internet giants like America Online and Yahoo, which say that the law will hamper the fight against cybercrime and impose new liabilities on ISPs.

The law requires ISPs - no matter where they are based - to tell Minnesota consumers when and why they plan to disclose personal information such as which Web sites users have visited, their e-mail or home addresses and their telephone numbers.
[Privacy Digest]

Hmmm. I grew up in Indiana. Moving to Minnesota wouldn't be that much of a stretch. Nice to know Gov. Ventura is offering his constituents real political leadership!

via [John Robb's Radio Weblog]:

Jon hists it. Certification isn't worth doody. "Garbage in, garbage out."

and:

NYT. Friedman is just starting to get the paradox of the "global village" enabled by the Internet. He decries the potential for disharmony in emerging societies due to cacophonous messaging from the west (primarily) over the Internet and cable. His premise: the Internet and multi-channel cable makes it possible for "untrusted" news sources to gain an audience world-wide, and that people in emerging societies aren't sophisticated enough to understand that Fox news and Internet sites managed by untrusted authors aren't reliable sources of news and opinion. >>>What's frightening him, he added, is that there is an insidious digital divide in Jogjakarta: "Internet users are only 5 percent of the population — but these 5 percent spread rumors to everyone else. They say, `He got it from the Internet.' They think it's the Bible."<<< Hey. Get over it.

via [Scripting News]:

Thomas Friedman writing in the NY Times complains that the third world believes everything they read on the Internet. Now with all due respect, they shouldn't believe everything they read in the NY Times either. And Ed Cone reports that the US is still part of the third world. He lives in one of the Carolinas, where they're debating evolution, on the Internet, of course, where most of this day's discourse takes place. The solution is lower the barriers to participation, so more lies can spread faster, and develop in our species the introspection and skepticism it needs to survive the challenges ahead.

These posts are all of a piece inasmuch as they all deal with trust. Trust is hard to define, hence hard to discuss. Nevertheless, let me attempt to come up with one sentence that I strongly feel needs to guide all such definition and discussion: Trust is a function, not a constant. There's a corrolary: By definition, you cannot centralize trust. At best you can centralize and attempt to earn trust. That's the thinking behind "branding" in marketing. But the trust still must be earned; it can't be assigned or presumed. The reason the web is such a deeply subversive space with respect to traditional marketing is that the marketers can't drown out the "oh yeah?" voices because, for a change, their megaphone is no bigger than anyone else's. But right now the web is a cacophony, more "bizarre" than "bazaar." Rock the Casbah, indeed. To paraphrase the late, great SRV, the Casbah's a rockin', don't come a-knockin', just come on in. But the Casbah and the bazaar are built on webs of trust. The same people buy the same produce from the same stands because there's a relationship there that has, to a first approximation, never been violated. This regular then tells their family and friends about the great kumquats they got from Sahib, you should go see him, he's there every day when he's not at prayers. Conversely, you should stay away from Zahir; his scales are rigged and I can never feed my family on what he puts in my basket. The next thing you know, Zahir is out of business for lack of customers. That's how it works on a small scale. How does it work on Internet scales? I don't know the answer, but I do have some strong ideas about components. Take a look at Sierra and E and EROS. The ultimate goal is a robust Idea Futures Market and the elimination of poverty by providing financial trust hubs to low-trust regions of the world. Some more underpinnings-oriented stuff is an excellent site regarding Bayesian Belief Nets. BBN's help us answer the question "given a set of interrelated probabilities, how do those probabilities change in the face of new information?" Of related interest is Tim Berners-Lee's Semantic Web. When TBL talks about the "Oh, Yeah?" button, he's talking about an automatic query of the web of trust surrounding the page you're reading. Why should you trust what you're reading? The Semantic Web could help answer the question, which is why I consider the work in the Semantic Web foundational in the same sense that HTTP and HTML are foundational. There's a tremendous amount of work to be done yet. An excellent, low-tech place to start is to sign your page. I expect to automate this process for Radio Userland within the next couple of months. Stay tuned.

Zooko. Zooko discovered that he's been Shirkified. [Hack the Planet]

I'm super-bummed because I can't make the O'Reilly Conference, even though I'd kinda made plans to over a month ago. But housing never came through, and money's tight at the moment, plus I would have had to have begged time off from the job I've only had for about five months. Not a good combination of things. Anyway, Zooko's "distnames" is brilliant, but I have to agree with his assessment that Clay Shirky's take might reach a different audience, and that this different audience probably has checkbooks. "qbullet.sidesmiley" Zooko's also right to be happy and excited that the ideas are getting broader exposure, because, as I told MarkM, I do think of them as absolutely fundamental (in the same sense that capability security discipline is fundamental) to secure distributed systems.

An eBay for cluefullness
Google has relaunched its Google Answers service. Originally, Answers used a staff of paid researchers to answer questions posed by visitors who ponied up a buck for the privelege. This model is pretty obviously non-scalable.

The new Answers is much, much neater. Google is hosting a marketplace for answers. Visitors post questions and offer up a sum between $4 and $50. Any registered user can proffer their opinions on the question (which the poser gets to look at for free), and the researcher distills the wisdom and provides a definitive answer.

The next step, I hope, is cutting in kibbitzers for a share of the bounty if their input is used in the answer. It's amazing how systems that rely on blessed "experts" are hard to scale, while systems that just provide a place for people to do their thing and figure out a way to extract some cash (i.e., eBay) scale fantastically well and make giant oodles of money.

Can't wait to see where this is going. [BoingBoing] Hey Cory! You do realize that you just reinvented Idea Futures Markets, right? With the OpenCola connection, I figured you'd be familiar with the E language and thence Idea Futures. Helluva idea, ain't it?

Wow, there's so much to write about. Let me just spit stuff out in no particular order, as I don't have time to do much more than recapitulate:

Sjoerd Visscher beat me to the draw in scraping David McCusker's weblog, so now I have even more blogrolling to fall behind on.
DigiTool just dropped the price on Macintosh Common Lisp to $95. If you have a Macintosh and want to do cool stuff beyond the wildest dreams of your peers, drop the $95 and also get Paradigms of Artificial Intelligence Programming and Artificial Intelligence: A Modern Approach. Peter Norvig and Lisp will have you doing things you didn't know were possible.
Speaking of David McCusker, I guess I can say now, some months after the fact, that I interviewed at Pivia, where he works, and they turned me down. They were probably right to do so, but I do want to get back to Silicon Valley some day and David's one of the major reasons for that.
I registered the coolest Mac OS X shareware tool recently, LaunchBar. Briefly, there's a hotkey that activates it, at which point you type two or three characters to identify something to launch: an app, a document, an e-mail address, a URL... and in best Peter-Norvig-adaptive-software form, you only have to correct ambiguities once or twice before the adjustment takes place automagically. Sound simple, even simplistic? It is—which is one of the major reasons that it's also brilliant.
Apparently there was a new Tk snapshot for Mac OS X released on January 31st. Unfortunately, it breaks the binary package for Oz for Mac OS X, and I haven't had the temerity, given my recent travails, to attempt to rebuild Oz from source.
As noted earlier, OpenCyc shipped. Given that it's only for Linux at this point, I'm not as excited as I would be otherwise. Besides, Cyc's inferencing sounds too scruffy to me these days, after exposure to John Pollock and OSCAR.
Smart Contracts and the Electronic Rights Transfer Protocol and Simon Peyton-Jones and colleagues' work on a combinator library for financial instruments desperately need marrying, in order to hasten the fulfillment of God's work as described in The Digital Path. And I've never been more serious in my life.
Once my Windows gag reflex abates, I realize that the OQO is probably the best device so far to tackle the hardware side of The Digital Path.
Looking around for a decent shared calendar/to-do list for the Mac really reveals only Chronos Group Organizer and Now Up-To-Date and Contact. Everything else is corporate overkill. So naturally I find myself wondering how long developing a good shared calendar/to-do list program in Cocoa would take, especially since vCard and iCalendar are out there, and there are great launching-off infrastructure points like the C++ Internet Server Framework and e4Graph to build on.
As I think about calendars, to-do lists, and excellent software like LaunchBar, I begin to wonder if the desktop isn't now an underutilized resource. I think about Dave Winer asking why Google can't index his desktop, Jon Udell saying that there will be a semantic web, and tools like e4Graph, and I wonder if there isn't an opportunity there. Then I realize that I've probably just reinvented SixDegrees, and badly.
Oh, and there's Aaron Swartz's terrific sign-your-page essaylet. I should have automated this in Radio Userland by now. I need to make Wei Dai's wonderful Crypto++ library a Carbon DLL.
ICS-FORTH's RDFSuite is rockin', but their RQL interpreter needs significant optimization. The C++ source is virtually impenetrable. Thankfully their EBNF grammar, type system, and semantics are pretty clear, so I'm thinking that Spirit and Phoenix would make an excellent launching-off point.
Man, I wish I didn't feel Seppuku had to be cross-platform! Coin3D, an Open Inventor 2.1 clone, recently released a sample showing how to integrate Coin3D into Cocoa. But I already looked, and there isn't a good Constructive Solid Geometry action/operation extension for Coin3D, so I'd need to develop that anyway. So I guess it's back to Whisper 2 and Quesa for Seppuku. No regrets; Quesa is shaping up very nicely, and as soon as I get JadeTeX built, I'll help document Whisper.
I still can't build JadeTeX, and I'm not even sure where to post to ask about it. That bothers me.
Sometimes this referers thing is good. I'm extremely flattered to be blogrolled from Daniel Ericsson's WebTransmission, both in personal and Seppuku form, and wow: on SaladWithSteve I'm in a list of "elpoep" that includes John Wiseman, Joel Spolsky, David McCusker, John Carmack, Tom Tomorrow, Dave Winer, and Justin Hall. I'd best get off my ass and do something to earn such stature!
And I still have to make time to learn Oz.
And I still have to make time to do Python examples for the 2nd. ed. of AIAMA. But it's already becoming clear to me that my heart's not in Python despite the recommendations of several folks I respect greatly.

In respect to yesterday's thinking-out-loud about identity, readers are pointing me to cypherpunk thinking on anonymity and pseudonymous systems as means for achieving personal control over identity, among other things. One writer adds, If PingID was a microsoft service, would you be happy? How do you know it won't become one by acquisition? By the way, I should point to PingID's Rights and Principles of Digital Identity draft, which deals with anonymity, among other things. Also, it's new. The PingID folks invite input, obviously. [Doc Searls Weblog] I'm glad this came up: I also have issues with PingID as a service, apparently with a corporate entity attached. And it makes me nervous when I read digital identity specs that feel compelled to include a notion of a "notary" or any other name for the concept of a trusted third party. I've asked it before, but I'll ask it again: why should I trust the Liberty Alliance? Why should I trust PingID? What do Liberty or PingID do/buy me that the OpenPrivacy initiative doesn't? What's the relationship between any of these and the ERights project, and if there isn't one, why not? The ERights crew have been on this stuff in one form or another for literally decades, have been published in peer-reviewed journals, not only on cryptography, but on finance; anyone dealing with identity and privacy ignores their work at their peril. Sorry if this sounds pedantic, but the subject is far too important to screw up or to leave in the hands of a corporate entity. Discussion of the topic is not merely welcome, not merely encouraged, but actively begged for on hands and knees. Not a pretty sight, I assure you.

To say the least

A friend just said to me "I don't think stenography is the best use of your talents."

[Doc Searls Weblog] In the current commerciopolitical climate, however, steganography might be.

Running untrusted code. Olegs recommended this newsgroup posting, which lucidly explains the issues of running untrusted code. I agree that this has a great deal to do with programming languages. Indeed, we mentioned some of the theory concerned in the past (e.g., PCC). [Lambda the Ultimate]

A sandbox is a good idea. But do problems occur when the system has not been designed for sandboxes from the bottom up? I should be able to take some code and run it in a VM that is completely trusted. Full CPU, full filesystem, full reflection, etc. Then I should be able to take that same code and run it in a more restricted VM: the "CPU" is governed, the filesystem is restricted or even in-memory for read/write, reflection cannot access or change sensitive information.

Are there problems with sandboxes in general, or with retrofitted implementations? Applying a sandbox to some code is just another kind of lambda. I haven't read about this yet, but will get to it.

[Patrick Logan's Radio Weblog] Ah, Patrick, so you're about to discover Capability Security. Excellent. The short answer to the question "can I run untrusted code" is "yes," and the surprising thing is that this answer has been known for around 30 years! Your intuition that you're going to need "sandboxing" to be pervasive is correct. There are some other qualifications as well, such as the need for an abstract store with unforgeable references, lexical scoping, and first-class functions. If you want this security to work in a distributed fashion, you need some interesting crypto protocols on the wire. The best place to learn about this at the language level is at the E project. The best place to learn about it at the OS level is at the EROS project. The bottom line is that in an era when every new e-mail trojan horse/virus/worm is worse than the one before, we desperately need people to take this material seriously, learn it, understand it, and implement it. Otherwise people will demand that we revert the Internet to a balkanized set of barely-connected islands to avoid these attacks. Finally, it's important to note that Capability Security is the only way to perform certain important functions, such as implementing Smart Contracts, across trust boundaries on the Internet.

Something has been bothering me in all of the reporting about the Morpheus/FastTrack broughaha, but it hasn't been until today that I could put my finger on it. Finally, it occurred to me that there are really two issues: first, people had assumed that Morpheus was fully distributed, including, presumably, in how it does authentication. Secondly, people had assumed for some reason that Morpheus was impervious to having some of its core code changed out from under it. I don't know how to address the latter—you either get it or you don't—but the former is addressed wonderfully in an essay by Zooko: Names: Distributed, Secure, Human-Memorizable: Choose Two. Of particular interest is this passage:

The current state of the art, as far as I have seen, tends to fall into one of two traps.

First trap:

Assume that you need arbitrary keys including non-self-authenticating ones.

Think about the problem of crossing trust boundaries, and solve by delegating to a "trusted third party".

Forever after you will be vulnerable to MicrosoftNSIVerisignICANNUSGovInc. and anyone who can subvert one of their servers (including their employees). When this bloated monopoly screws something up, your system will pay the price for their incompetence. You will not be able to choose a different name authority, because everyone else will also be tied to the central monopoly and you will need their service in order to interoperate with the wider world. (Does this scenario sound familiar to any sysadmins out there?) In addition, they will charge you a tax on every packet for the privilege of continued service.

Morpheus didn't pay the "tax" to FastTrack, so FastTrack was able to shut Morpheus down by leveraging the fact that their naming system was centralized. Oops. Straight into the first trap. As Zooko points out, all effective human UIs to secure distributed naming systems end up being implementations of the Pet Names Markup Language, a mechanism for associating (local) human-readable names with self-authenticating tokens in a distributed system. I hope Morpheus is paying attention.

SourceForge: Initial release of Linux ACL support.

Somethings to dig your security teeth into: ACL support for the Linux kernel.

Access Control Lists allow fine grained access control to filesystem objects, by attaching a list of permissions to grant or deny specific capabilities to users or groups.

[Privacy Digest] Too bad ACL's demonstrably don't work. And what they grant or deny are not "capabilities," a technical term of art in secure computing that has a specific, well-defined meaning that is being corrupted in this context.

The more time I spend thinking about P2P architectures, the more I think that IM is the solution. Here is how they stack up:

1) Proven scalability. Compare the ~3 m simultaneous users online at AIM and ICQ with the ~1.5 m Napster and Morpheus (at their peaks).

2) The ability to connect to specific individuals on an IM system vs. the fractional network approach on the current P2P systems.

3) Authorization and buddy lists. IM has it. P2P systems offer the ability to ban only.

4) QoS (Quality of Service) is much higher on IM than the current P2P systems. [John Robb's Radio Weblog] IM would indeed make an excellent P2P application, but let's remember that that's what it is—an application—and you can tell practically nothing about the underlying architecture of any given IM system from using it. Some points about the comments above:

First, going from ~1.5m to ~3m users (who in neither case were actually simultaneous) isn't a scalability accomplishment. Going from ~1.5m to ~15m (that is, an order of magnitude) would be. And it's important to understand that the chosen examples, AIM and ICQ, are both owned and operated by AOL on—you guessed it—mind-bogglingly enormous server farms. Nary a whiff of P2P in the house.
It's a good thing John said "current." I get the impression that what John is really contrasting are two different categories of applications, either of which may or may not be P2P-based: file-sharing vs. IM. If your app is file-sharing, chances are you're interested in getting a file, not connecting directly to someone named X. By contrast, if you want to send someone an IM, then by definition you're interested in connecting to them! Once again, this has nothing whatsoever to do with P2P.
There are several P2P infrastructure pieces that deal with authorization ([sic]; John almost certainly means "authentication" here, although good P2P systems treat both). These same systems typically have some notion of "trusted users," i.e. buddies. Check out JXTA, MNet, Spread, Ensemble, Spinglass, OpenPrivacy, and E.
Another blanket statement that overlooks that the problem being solved in one case (sending truly tiny snippets of text and/or a little audio point-to-point) is utterly trivial in terms of bandwidth consumption compared to the other (distributed large-file-sharing across an arbitrary number of peers). It's not hard to have high QoS when you aren't providing much service.

Don't get me wrong; IM can definitely be an excellent example of a P2P application. It's just extremely dangerous to think of IM's application characteristics as defining anything about a P2P architecture.

P2P systems don't need to be totally decentralized, nor will any successful system ever be. It is neither reasonably efficient nor is it desirable from a commercial standpoint. Total decentralization was and is only a goal due to legal issues associated with copyright infringement. Remember, Morpheus didn't break due to technical issues associated with FastTrack's centralization, it failed due to business issues between partners.

The keys to a next generation P2P system that makes money and delights users are subnets, publishing, and service driven apps. P2P has been mostly focused on transport protocols to date. That needs to change. [John Robb's Radio Weblog] Yes and no. The protocol issues are important to issues of authentication, scalability, reliability, and even routing itself (especially, for example, in the presence of firewalls). It's a bit too early yet to call this a solved problem (but keep watching Ensemble, Spinglass, Spread, and JXTA). P2P won't really be interesting until there's a workable P2P economy. The only folks I know of who are seriously working on this are either directly or indirectly connected to the ERights project.

What is a peer in P2P? In my view, a true peer can connect to another specific peer at will. Anything else (like what you see today on the P2P networks) is collective BS. I am not a peer on Morpheus or Gnutella. I am a storage resource for a specific file. Today P2P = shared disk. [John Robb's Radio Weblog] I'm not sure I follow this: this makes it sound as if all P2P needs is for everyone to use dyndns or something so their machine can be looked up and connected to. Unfortunately, without talking about specific applications like file-sharing, it's tough to talk about P2P in a meaningful way—unless you go to the other extreme and start talking about pure infrastructure, which does indeed tend to be the other kind of P2P conversation that takes place.

It seems that John Robb has removed the post on his weblog that led to my previous post. I have to say that I think that was the wisest course of action, and to reflect that belief, I am also deleting my response to it.

No more Liberty?.

Doing a diff of the Liberty Alliance charter members and the latest released member list, shows that the following organizations have for some reason or another left Liberty.

American Airlines, the Apache Software Foundation, Cingular Wireless, CollabNet, Dun & Bradstreet, eBay, Global Crossing, i2, Liberate Technologies, O'Reilly & Associates, Sprint, Travelocity.

I would be especially sad about losing Apache Foundation, CollabNet, O'Reilly and eBay. The three former represent developer community outreach, while the latter is apparently fully commited to it's .NET My Services alliance with Microsoft.

Indeed, another interesting observation is that Brian Behlendorf, Apache co-founder and president and CollabNet co-founder and CTO, has joined the PingID advisory board.

[Digital Identity] Can someone please explain to me again why we need a Liberty Alliance and PingID and OpenPrivacy? What security paradigm will the Liberty Alliance and PingID implement? How do Liberty Alliance and PingID model reputation and trust? Where's the code for the Liberty Alliance? With PingID initially being written in C, how long will it take before the first buffer-overrun exploit is unearthed? Frankly, it sounds to me like .NET and Hailstorm engendered a panic in the non-Microsoft community and now the ants are scrambling to build a new anthill. Wonder who'll end up owning it?

EarthWeb by Marc Stiegler. Marc Stiegler's Earthweb (price check, Amazon) is an answer to his last final exam question in the form of a... [Aaron Swartz: The Weblog] Aaron beats me to the punch yet again! Here's hoping that Aaron's anger is an effective motivator to his work. I need to set up some links in my navbar to the important pages/projects in this arena. *sigh*

CodeCon!. The long-awaited CodeCon (Advogato, The Register) starts today at jwz's DNA Lounge. CodeCon, started and run in large part by... [Aaron Swartz: The Weblog] Somehow this didn't show up on my radar until it was too late, otherwise I'd have made the 400+ mile drive for the weekend. Next time!

PayPal: IPO Omen or Anomaly?. Disproving the skeptics, online-payment firm PayPal pulls off an initial stock offering and actually does very, very well in first-day trading. Experts say it's a tentative sign investors are warming up to Internet firms. By Joanna Glasner. [Wired News] Talk about backing the wrong horse.

Apache XML Security 1.0.0 released. The Apache XML Project have released the first stable version of their XML Security project, implementing Canonical XML and XML Signature. [xmlhack] This is excellent news, with immediate applicability. Very pragmatic and very welcome.

heregister.co.uk/">The Register (UK) - Freedom Network source code now available .

CodeCon Source code for "ZeroKnowledge Systems"' discontinued anonymous Internet service has leaked onto the Web, apparently with the blessing of ZKS' Chief Scientist Ian Goldman.

The announcement was made on Goldman's behalf at the CodeCon conference by Len Sassaman, co-organizer of the three day grassroots P2P and crypto conference .

[ ... ]

According to the README, "Zero-Knowledge is releasing this code under an RSAREF style license, to encourage academic research and other non-commercial use." Other licenses are respected, and the release is entirely unsupported.

The main tarballs is a 12.5MB download, PGP encrypted with the "traditional magic words" (one of which is a big bird). You can find it here

[Privacy Digest] Excellent! I wonder if the community can make Freedom robust against the attacks that Wei Dai came up with? I see that one of the requirements of the attacks is either a global observer or the cooperation of at least one of the routers. Perhaps Michael Reiter's work on Rampart would be helpful here. Of course, we could just revise Freedom to use Dai's PipeNet protocol, at least in theory.

PayPal's IPO Woes Continue. The online payment company is facing new troubles in the form of a lawsuit and an order from the state of Louisiana to stop doing business there. By Joanna Glasner. [Wired News] Heh. Heh, heh. Heh, heh, heh.

SafeWeb's Holes Contradict Claims. The once-ballyhooed anonymizing Web service that received CIA funding is shown to have flaws. The company downplayed the recent discovery. Declan McCullagh reports from Washington. [Wired News] Astounding. I particularly love the "all anonymizers have bugs" bit. "We're no worse than anyone else." Um, OK. How many exploits of Freedom have been documented?

And who are they, anyway? they, anyway?' in archive.">

Dr. Weinberger further compounds the confounding issue of identity that Andre is tackling.

Slam Jab

Eric Norlin thinks smacking down spam is the killer app for Jabber.

He likes 'em

Here's Alan Reiter on John Dvorak on blogs

[Doc Searls Weblog] There's only one way to know whether we can reasonably associate someone's "voice" with the "someone" we believe that voice to belong to. Time. The joker in the deck is that there's no actual consistency to someone's physical make-up anyway. We're all constantly tossing off and taking on the random stray particle; long term, we toss off and take on different ones. The result is called "aging" and, ultimately, "death." Physical identity is just a convenient shorthand. If I have good reason to believe that I'm talking to Doc Searls, then I can get away with making a set of assumptions about what he's going to "sound like." But those assumptions are themselves approximations. When they are violated outside some slop factor that I have in my head, I might say, "hey, Doc, what's on your mind? You don't seem like yourself today!" I don't mean that Doc has taken on one too many free radicals. "qbullet.sidesmiley" I mean that Doc doesn't sound like he's sounded before. Aha. "Before." Time. The assumption is that I know what Doc used to sound like. That is, I have a record of what he's said before. At the moment, that record is in my head. Granted, it's largely based on stuff "Doc" has said in print, but good grief, I've never even met "Doc Searls." How do I know he exists? How do I know he isn't a small army of hired flacks? Well, I don't. I trust that his weblog is the work of one guy who wrote all the stuff attributed to "Doc Searls;" I trust that The Linux Journal isn't pulling a fast one. But these are unenforceable social contracts. Besides, even if none of the participants knowingly, deliberately violated the social contracts, unscrupulous individuals could hack and deface Docs' weblog. More sophisticated people could hack into The Linux Journal's workflow system and quietly replace Doc's work with their own. Doc wouldn't sound like himself (i.e. like he used to sound), but for reasons that have nothing to do with Doc. This is the reason that unforgeable pseudonyms with digitally-signed reputation trails are necessary. They're the only rigorous analog we have to the informal process that we have historically enjoyed. That informal process worked sufficiently well when most interaction that had value to the participants was face-to-face and a handshake was as binding a signature on a contract as there could be. This worked because, modulo plastic surgery, it was hard to change your face, and besides, a new face in town wouldn't be trusted on a handshake either. This reminds me that the most heart-rending moment in the recent "The Lord of the Rings" was, of course, at the very end, when Sam Gamgee demonstrated that he would literally rather drown than break a promise. I can imagine that, in a town like Hobbiton, a promise-breaker would find themselves in considerable trouble; everyone would know your name and your face. Of course, even by Hobbiton standards Sam is unusually steadfast, and those who have read the books know well how this steadfastness plays out in Sam's adventures with the Fellowship. But less and less of our valuable interaction is face-to-face; less and less of it can be closed on a handshake with both participants knowing that, if they violated the terms of that handshake, they'd likely never be able to conduct another such transaction again. This is why some commentators who either misunderstand the description of the technology or latch onto accurate descriptions of the wrong technology are critical of "anonymity." And they're right. It's not anonymity we need. Far from it; part of the problem is precisely that we are anonymous, at least in the sense that we're just another face in the crowd. Most "identity" online is an e-mail address change away from being someone else. It's pseudonymity that we need. A pseudonym that persists through time and that accumulates reputation through time. A pseudonym that is associated with our values—the things that we believe to be inviolate—and our value—the unit of exchange for goods and services. A pseudonym without a reputation trail shouldn't be trusted much, although they might just be a newcomer. A pseudonym with a long, trustworthy reputation trail would be worth its weight in gold (interestingly, the Judeo-Christian Bible already says that a good reputation is worth its weight in gold). The pseudonym cannot be associated with its holder's physical being, leaving whistleblowers free of the fear of violent reprisals or even the threat of violent reprisals. And the whistleblower has their own reputation to either lend them credibility or not. Likewise, presumably, the target of the whistleblowing. Think of it as built-in character witnessing. It's a leap. It's a stretch. But it's one that we have to make sooner or later in an increasingly-distributed world. The OpenPrivacy initiative has it right. We need to develop, field, and enhance this architecture and these protocols with as many concrete, easy-to-use implementations as we can come up with. Now's the time.