Saturday, December 20, 2014

Ask a nerd

One should probably consult a lawyer on legal questions. Likewise, lawyers should probably consult nerds on technical questions. I point this out because of this crappy Lawfare post. It's on the right side of the debate (FBI's evidence pointing to North Korea is bad), but it's still crap.

For example, it says: "One hears a lot in cybersecurity circles that the government has “solved” the attribution problem". That's not true, you hear the opposite among cybersecurity experts. I suspect he gets this wrong because he's not talking about technical experts, but government circles. What government types in Washington D.C. say about cybersecurity is wholly divorced from reality -- you really ought to consult technical people.

He then says: "it is at least possible that some other nation is spoofing a North Korean attack". This is moronic, accepting most of the FBI's premise that a nation state sponsored the attack, and that we are only looking for which nation state this might be. In reality, the Sony hack is well within the capabilities of teenagers. The evidence is solid that Sony had essentially no internal security -- it required no special sophistication by the hacker. Anybody could've done this.

He then talks about the FBI "admitting that it knew about the tools and signatures that North Korea used in past attacks and exploitations and yet still was either unwilling or unable to stop the attack on Sony". Just because The Phantom leaves behind his signature glove in his cat burglaries doesn't mean police can stop him robbing the Pink Panther diamond. It's perfectly reasonable to find similarities in computer viruses without that information being helpful in stopping future viruses. This is one of those things that seems only plausible to those completely ignorant of technology, which is why you ought to consult a techy first to see if you are off-base.

He then says "There are many, many steps the government will need to take to keep our networks more secure". That's a political line by fascists, like "government needs to keep the trains running on time". Neither is a particular need; both are justifications for police states. A cyber police states is not the appropriate response to the Sony hack.

In summary, while this Lawfare post appears to be on my side (not enough North Korea evidence), it's actually on the opposite side. It accepts all the basic premises by the government but only disagrees with them on one point. In actuality, much more is wrong with the government's argument than the lack of evidence.

Friday, December 19, 2014

Sony hack was the work of SPECTRE

The problem with hacking is that people try to understand it through analogies with things they understand. They try to fit new information into old stories/tropes they are familiar with. This doesn't work -- hacking needs to be understood in its own terms.

But since you persist in doing it this way, let me use the trope of SPECTRE to explain the Sony hack. This is the evil criminal/terrorist organization in the James Bond films that is independent of all governments. Let's imagine that it's SPECTRE who is responsible for the Sony hack, and how that fits within the available evidence.

This trope adequately explains the FBI "evidence" pointing to North Korea. SPECTRE has done work for North Korea, selling them weapons, laundering their money, and conducting hacking for them. While North Korea is one of their many customers, they aren't controlled by North Korea.

The FBI evidence also points to Iran, with the Sony malware similar to that used in the massive Saudi Aramco hack. That would make sense, since an evil organization like SPECTRE does business with all the evil countries. Conversely, the Iranian connection doesn't make sense if the Sony hack were purely the work of the North Koreans.

SPECTRE's organization is highly modular, with different groups doing different things. Indeed, different arms of SPECTRE might be working for both sides of a conflict at the same time without each knowing about it. One arm of SPETRE develops malware. Another arm uses that to break into companies and steal credit card numbers. Another arm converts those credit cards numbers to cash.

It's quite possible that the Sony hack was the work of a single SPECTRE agent. We'll call him #8. Certainly, #8 uses the resources of SPECTRE to carry out the attack, and other resources will be called in to profit from the attack, but it's largely an independent operation. In other words, "Guardians of Peace" can refer to a single guy -- a largely independent operator who is unaware of those parts of SPECTRE who have interacted with Iran and North Korea. Thus, once he got into Sony, other members of SPECTRE contacted their North Korean customers and said "hey, we have an opportunity, give us $1 million and we'll shut down that film you hate". Once they got the cash, they directed #8 to make the threat.

My story of SPECTRE better explains the evidence in the Sony case than the FBI's story of a nation-state attack. In both cases, there are fingerprints leading to North Korea. In my story, North Korea is a customer. In the FBI's story, North Korea is in charge. However, my story better explains how everything is in English, how there are also Iranian fingerprints, and how the threats over The Interview came more than a week after the attack. The FBI's story is weak and full of holes, my story is rock solid.

I scan the Internet. I find compromised machines all over the place. Hackers have crappy opsec, so that often leads me to their private lairs (i.e. their servers and private IRC chat rooms). There are a lot of SPECTRE-like organizations throughout the world, in Eastern Europe, South America, the Islamic world, and Asia. At the bottom, we see idiot kids defacing websites. The talented move toward the top of the organization, which has nebulous funding likely from intelligence operations or Al Qaeda, though virtually none of their activities are related to intelligence/cyberwar/cyberterror (usually, stealing credit cards for porn sites).

My point is this. Our government has created a single story of "nation state hacking". When that's the only analogy that's available, all the evidence seems to point in that direction. But hacking is more complex than that. In this post, I present a different analogy, one that better accounts for all the evidence, but one in which North Korea is no longer the perpetrator.

The FBI's North Korea evidence is nonsense

The FBI has posted a press release describing why they think it's North Korea. While there may be more things we don't know, on its face it's complete nonsense. It sounds like they've decided on a conclusion and are trying to make the evidence fit. They don't use straight forward language, but confusing weasel words, like saying "North Korea actors" instead of simply "North Korea". They don't give details.

The reason it's nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop it's own malware from scratch.

Here's the thing with computer evidence: you don't need to keep it secret. It wouldn't harm Sony and wouldn't harm the investigation. It would help anti-virus and security vendors develop signatures to stop it. It would crowd source analysis, to see who it really points to. We don't need to take the FBI's word for it, we should be able to see the evidence ourselves. In other words, instead of saying "IP addresses associated with North Korea", then can tell us what those IP addresses are, like "".

But the FBI won't do that. They aren't in the business of protection but control. The idea that Americans should protect themselves and decide for themselves is anathema to the FBI.

Wednesday, December 17, 2014

I just bought a ticket for The Interview

I care about free speech, a lot. Recently, hackers successfully threatened Sony in order to cancel the movie The Interview. Consequently, I just went online and purchased tickets for the movie -- even though Sony has announced they are going to cancel the premier.

Free speech is only partly a government issue ("1st Amendment"). Throughout the world, speech is chilled more by thugs than by police. It could be youth gangs beating up journalists like in Russia, or Islamists killing cartoonists and movie makers. Even in America, we increasingly have a culture that seeks to silence debate, rather than countering bad speech with more speech.

There is action we can take, and it's this: when some are threatened, they should not stand alone. They can't kill, beat up, or dox all of us when we are many. We should draw pictures of Mohamed. We should criticize the despotic rule of Putin. We should buy tickets to The Interview and brag about it online.

What they miss about Uber/Lyft pay

In this story, writer Timothy B. Lee (@binarybits) becomes a Lyft driver for a week. He focuses on the political questions, such as the controversially low pay. He makes the same mistakes that everyone else makes.

Lyft (and Uber) pay can be low for the same reason McDonalds is open at midnight. In absolute terms, McDonalds loses money staying open late. But, when you take into account all the sunk costs for operating during the day, they would lose even more money by not remaining open late. In other words, staying open late is marginally better.

The same is true of Lyft/Uber drivers. I take Uber/UberX on a regular basis and always interview the drivers. Without exception, it's a side business.

This one time, my UberX driver was a college student. He spent his time between pickups studying. When calculating wait-time plus drive-time, he may have been earning minimum wage. However, when calculating just drive-time, he was earning a great wage for a student -- better than other jobs open to students.

Without exception, all the Uber black-car drivers have their own business. They have fixed contracts with companies to drive employees/clients. Or, they have more personal relationships with rich executives, driving them to/from work on a daily basis. They just use Uber to fill in the gaps. They already in invest in the care and maintenance of the black car, and would be sitting around waiting anyway, so anything they earn from Uber is gravy on the top.

I always ask drivers if they derive 100% of their income from Uber/UberX, and (with the exception of the student) they've all said "no". The same is likely true for Lee. It's unlikely he was just sitting in his car staring out into space while waiting for the next pickup. It's more likely that he writing his next Vox piece, or researching his next Bitcoin/Anonymous book.

Some drivers do earn 100% of their incoming from Lyft/UberX -- right now. Drivers tell me of their friends who are only driving temporarily, while hunting for a new job. In other words, while they are working full time at UberX at the moment, it's only a few months out of the year while between other jobs. They've already invested in buying a car and insurance -- rather than these being difficult costs during a period of unemployment, they are benefits.

Leftists wanting to ban unregulated innovation focus on "wages", but that's nonsense. If wages were as bad as claimed, drivers wouldn't be doing it. If drivers had a better alternative, they'd be doing it. Indeed, as I mentioned above, that's what some were doing: driving while looking for better jobs. Thus, the argument that drivers don't earn enough wages is false on its face.

Instead, what's going on is that the "sharing" economy is really the "marginal" economy. You can't report on its as if it's a replacement for a full time job -- you have to report on it as it fits within other jobs or lifestyle. Great marginal wages may suck when compared against full time wages, but that completely misses the point of this innovation.

Monday, December 15, 2014

Notes on the CIA light-torture report

I'm reading through the Senate report on the CIA's light-torture program, and I came across this giggly bit:

#10: The CIA coordinated the release of classified information to the media, including inaccurate information concerning the effectiveness of the CIA's enhanced interrogation techniques. The CIA's Office of Public Affairs and senior CIA officials coordinated to share classified information on the CIA's Detention and Interrogation Program to select members of the media to counter public criticism, shape public opinion
Of course they did, but then so did the Senate committee itself. They've been selectively leaking bits of the report for over a year. Their description of the "CIA hacking" scandal was completely inaccurate.

Moreover, this Executive Summary wasn't simply published, but given to select people in the media beforehand in order to shape the message.

There's no doubt that the CIA's brutal treatment of prisoners is evil, a stain on the nation's honor, and something that should be prosecuted. But Senator Feinstein and her colleagues are as guilty of this as anybody else. This report is political garbage designed to shield Feinstein from the blame she shares.

All malware defeats 90% of defenses

When the FBI speaks, you can tell they don't know anything about hacking. An example of this quote by Joseph Demarest, the assistant director of the FBI’s cyberdivision:

"The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government”

He's trying to show how sophisticated, organized, and unprecedented the hackers were.

This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.

Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting "email this to your friends and see what they get". We then added some malware components to it. We then dropped the USB drives in the parking lot.

This gave us everything in the company as people passed the game around. The CEO and many high-level executives ran it on their machines. Sysadmins ran it. Once we got control of the central domain controller, we got access to everything: all files, all emails, ... everything.

The point I'm trying to make here is that we used relatively unsophisticated means to hack an extremely secure company. Crafting malware to get past their anti-virus defenses is trivially easy. Everything we did was easy.

The problem isn't that hackers are sophisticated but that company are insecure. Companies believe that anti-virus stops viruses when it doesn't, for example. The FBI perpetuates this myth, claiming Sony hackers were sophisticated, able to get around anti-virus, when the truth is that Sony relied too much on anti-virus, so even teenagers could get around it.

The FBI perpetuates these myths because they want power. If the problem is sophisticated hackers, then there is nothing you can do to stop them. You are then helpless to defend yourself, so you need the FBI to defend you. Conversely, if the problem is crappy defense, then you you can defend yourself by fixing your defenses.

Update: Here is a previous post where I add a Metasploit exploit to a PDF containing a legal brief that gets past anti-virus.

Friday, December 12, 2014

FYI: Snowden made things worse

Snowden appeared at a #CatoSpyCon, and cited evidence of how things have improved since his disclosures (dislaimer: as Libertarian, I'm a fan of both CATO and Snowden). He cited some pretty compelling graphs, such as a sharp increase of SSL encryption. However, at the moment, I'm pretty sure he's made things worse.

The thing is, governments didn't know such surveillance was possible. Now that Snowden showed what the NSA was doing, governments around the world are following that blueprint, dramatically increasing their Internet surveillance. Not only do they now know how to do it, they are given good justifications. If the United States (the moral leader in "freedoms") says it's okay, then it must be okay for more repressive governments (like France). There is also the sense of competition, that if the NSA knows what's going on across the Internet, then they need to know, too.

This is a problem within the United Sates, too. The NSA collected everyone's phone records over the last 7 years. Before Snowden, that database was accessed rarely, and really for only terrorism purposes. However, now that everyone else in government knows the database exists, they are showing up at the NSA with warrants to get the data. It's not just the FBI, but any department within the government who thinks they have a need for that data (e.g. the IRS). Recently, an amendment was added to the Intelligence Authorization bill to codify the process. We don't have any transparency into this, but it's a good bet that the database has been accessed to retrieve American information more often in the year since Snowden than the 7 years before.

Snowden did the right thing in exposing phone surveillance, of course. My point isn't to say he's wrong. Instead, my point is that we aren't winning the war against surveillance. Activists are focussing on the good news, cherry picking the parts where we win. They are ignoring the bad news, that we are losing the war. The Intelligence Authorization bill is an excellent example of that.

EFF: We've always been at war with EastAsia

As a populist organization, the EFF is frequently Orwellian. That's demonstrated in their recent post about the "Declaration of Independence of Cyberspace", where they say:

"The Declaration resounds eerily today. We live in an era where net neutrality is threatened by corporations that want to remove competition and force customers to pay more to have equal access to some sites."

This is self-contradictory. The Declaration says, unequivocally, that governments should not regulate cyberspace ("You have no sovereignty where we gather"), and should not make it into a public utility. The current EFF position is exactly the opposite, that government needs to regulate cyberspace as a public utility.

It is like that bit in 1984 where Orwell's government changes allegiances, going from being an ally with Eastasia to becoming their enemy, and then claim that they had always been at war with Eastasia. They made the change in mid-rally. Orwell describes how the mob quickly switched their beliefs, agreeing that they'd always been at war with Eastasia.

When I read 1984, I thought this was a bit over the top, that the mob would not behave so illogically. But we see the EFF mob today acts exactly that way today. The EFF mob truly believes "The Declaration resounds eerily today" despite all evidence to the contrary. That Declaration was about "Governments", yet the EFF mob will now easily believe "we've always been at war against Corporations".

Thursday, November 27, 2014

The Pando Tor conspiracy troll

Tor, also known as The Onion Router, bounces your traffic through several random Internet servers, thus hiding the source. It means you can surf a website without them knowing who you are. Your IP address may appear to be coming from Germany when in fact you live in San Francisco. When used correctly, it prevents eavesdropping by law enforcement, the NSA, and so on. It's used by people wanting to hide their actions from prying eyes, from political dissidents, to CIA operatives, to child pornographers.

Recently, Pando (an Internet infotainment site) released a story accusing Tor of being some sort of government conspiracy.

This is nonsense, of course. Pando's tell-all exposé of the conspiracy contains nothing that isn't already widely known. We in the community have long joked about this. We often pretend there is a conspiracy in order to annoy uptight Tor activists like Jacob Appelbaum, but we know there isn't any truth to it. This really annoys me -- how can I troll about Tor's government connections when Pando claims there's actually truth to the conspiracy?

The military and government throws research money around with reckless abandon. That no more means they created Tor than it means they created the Internet back in the 1970s. A lot of that research is pure research, intended to help people. Not everything the military funds is designed to kill people.

There is no single "government". We know, for example, that while some in government paid Jacob Appelbaum's salary, others investigated him for his Wikileaks connections. Different groups are often working at cross purposes -- even within a single department.

A lot of people have ties to the government, including working for the NSA. The NSA isn't some secret police designed to spy on Americans, so a lot of former NSA employees aren't people who want to bust privacy. Instead, most NSA employees are sincere in making the world a better place -- which includes preventing evil governments from spying on dissidents. As Snowden himself says, the NSA is full of honest people doing good work for good reasons. (That they've overstepped their bounds is a problem -- but that doesn't mean they are the devil).

Tor is based on open code and math. It really doesn't matter what conspiracy lies behind it, because we can see the code. It's like BitCoin -- we know there is a secret conspiracy behind it, with the secretive Satoshi Nakamoto owning a billion dollars worth of the coins. But that still doesn't shake our faith in the code and the math.

Dissidents use Tor -- successfully. We know that because the dissidents are still alive. Even if it's a secret conspiracy by the U.S. government, it still does what its supporters want, helping dissidents fight oppressive regimes. In any case, Edward Snowden, who had access to NSA secrets, trusts his own life to Tor.

Tor doesn't work by magic. I mention this because the Pando article lists lots of cases where Tor failed to protect people. The reasons were unlikely to have been flaws in Tor itself, but appear to have been other more natural causes. For example, the Silk Road server configuration proves it was open to the Internet as well as through Tor, a rookie mistake that revealed its location. The perfect concealment system can't work if you sometimes ignore it. It's like blaming the Pill for not preventing pregnancy because you took it only on some days but not others. Thus, for those of us who know technically how things work, none of the cases cited by Pando shake our trust in Tor.

I'm reasonably technical. I've read the Tor spec (though not the code). I play with things like hostile exit nodes. I fully know Tor's history and ties to the government. I find nothing in the Pando article that is credible, and much that is laughable. I suppose I'm guilty of getting trolled by this guy, but seriously, Pando pretends not to be a bunch of trolls, so maybe this deserves a response.

Monday, November 24, 2014

That wraps it up for end-to-end

The defining feature of the Internet back in 1980 was "end-to-end", the idea that all the intelligence was on the "ends" of the network, and not in middle. This feature is becoming increasingly obsolete.

This was a radical design at the time. Big corporations and big government still believed in the opposite model, with all the intelligence in big "mainframe" computers at the core of the network. Users would just interact with "dumb terminals" on the ends.

The reason the Internet was radical was the way it gave power to the users. Take video phones, for example. AT&T had been promising this since the 1960s, as the short segment in "2001 A Space Odyssey" showed. However, getting that feature to work meant replacing all the equipment inside the telephone network. Telephone switches would need to know the difference between a normal phone call and a video call. Moreover, there could be only one standard, world wide, so that calling Japan or Europe would work with their video telephone systems. Users were powerless to develop video calling on their own -- they would have to wait for the big telcom monopolies to develop it, however long it took.

That changed with the Internet. The Internet carries packets without knowing their content. Video calling with Facetime or Skype or LINE is just an app, from your iPhone or Android or PC. People keep imagining new applications for the Internet every day, and implement them, without having to change anything in core Internet routing hardware.

I've used Facetime, Skype, and LINE to talk to people in Japan. That's because there is no real international standard for video calling. Each person I call requires me to install whichever app they are using. Traditional thinking is that government ought to create standards, so that every app would be compatible with every other app, so that I could Skype from Windows to somebody's iPhone using Facetime. This tradition is nonsense. If we waited for government standards, it'd take forever. Teenagers who heavily use video today would be grown up with kids of their own before government got around to creating the right standard. Lack of standards means freedom to innovate.

Such freedom was almost not the case. You may have heard of something called the "OSI 7 Layer Model". Everything you know about that model is wrong. It was an attempt by Big Corporations and Big Government to enforce their model of core-centric networking. It demanded such things as a "connection oriented network protocol", meaning smart routers rather than the dumbs ones we have today. It demanded that applications be standardized, so that there would be only one video conferencing standard, for example. Governments in US, Japan, and Europe mandated that the computers they bought supporting OSI conformant protocols. (The Internet's TCP/IP protocols do not conform to the OSI model.) Such rules were on the book through into the late 1990s dot-com era, when many in government still believed that the TCP/IP Internet was just a brief experiment on the way to a Glorious Government OSI Internetwork.

The Internet did have standards, of course, but they were developed in the opposite manner. Individuals innovated first, on the ends of the network, developing apps. Only when such apps became popular did they finally get documented as a "standard'. In other words, Internet standards we more de facto than de jure. People innovated first, on their own ends of the network, and the infrastructure and standards caught up later.

But here's the thing: the Internet ideal of end-to-end isn't perfect, either. There are reasons why not all innovation happens on the ends.

Take your home network as an example. The way your home likely works is that you have a single home router with cable/fiber/DSL on one side talking to the Internet, and WiFi on the other side talking to the devices in your home. Attached to your router you have a desktop computer, a couple notebooks, an iPad, your phones, an Xbox/Playstation, and your TV.

In the true end-to-end model, all these devices would be on the Internet directly -- that they could be "pinged" from the Internet. In today's reality, though, that's not the way things work. Your home router is a firewall. It blocks incoming connections, so that devices in your home can connect outwards, but nothing on the Internet can connect inwards. This fundamentally breaks the ideal of end-to-end, as a smart device sits in the network controlling access to the ends.

This is done for two reasons. The first is security, so that hackers can't hack the devices in your home. Blocking inbound traffic blocks 99% of hacker attacks against devices.

The second reason for smart home routers is the well-known limitation on Internet addresses: there are only 4 billion of them. However, there are more than 4 billion devices connected to the Internet. This fix this, your home router does address translation. Your router has only a single public Internet address. All the devices in your home have private addresses that wouldn't work on the Internet. As packets flow in/out of your home, your router transparently changes the private addresses in the packets into the single public address.

Thus, when you google "what's my IP address", you'll get a different address than your local machine. Your machine will have a private address like 10.x.x.x or 192.168.x.x, but servers on the Internet won't see that -- they'll see the public address you've been assigned by your ISP.

According to Gartner, nearly billion smarthphones were sold in 2013. These are all on the Internet. That represents a quarter of the Internet address space used up in only a single year. Yet, virtually none of them are assigned real Internet addresses. Almost all of them are behind address translators -- not the small devices like you have in your home, but massive translators that can handle millions of simultaneous devices.

The consequence is this: there are more devices with private addresses, that must go through translators, than there are devices with public addresses. In other words, less than 50% of the Internet is end-to-end.

The "address space exhaustion" of tradition Internet addresses inspired an update to the protocol to use larger addresses, known as IPv6. It uses 128-bit addresses, or 4 billion times 4 billion times 4 billion times 4 billion. This is enough to assign a unique address to all the grains of sand on all the beaches on Earth. It's enough to restore end-to-end access to every device on the Internet, times billions and billlions.

My one conversation with Vint Cerf (one of the key Internet creators) was over this address space issue. Back in 1992, every Internet engineer knew for certain that the Internet would run out of addresses by around the year 2000. Every engineer knew this would cause the Internet to collapse. At the IETF meeting, I tried to argue otherwise. I used the Simon-Ehrlich Wager as an analogy. Namely, the 4 billion addresses weren't a fixed resource, because we would become increasingly efficient at using them. For example, "dynamic" addresses would use space more efficiently, and translation would reuse addresses.

Cerf's response was the tautology "but that would break the end-to-end principle".

Well, yes, but no such principle should be a straightjacket. The end-to-end principle is already broken by hackers. Even with IPv6, when all your home devices have a public rather than private address on the Internet, you still want a firewall breaking the end-to-end principle blocking inbound connections. Once you've decided to firewall a network, it no longer matters whether it's using IPv6 or address translation of private addresses. Indeed, address translation is better for firewalling, as it defaults to "fail close". That means if a failure occurs, all communication is blocked. With IPv6, firewalls become "fail open", where failures allow communication to continue.

Firewalls are only the start in breaking end-to-end. It's the "cloud" where we see a radical reversion back to old principles.

Your phone is no longer a true "end" of the network. Sure, your phone has a powerful processor that's faster than supercomputers of the last decade, but that power is used primarily for display not for computation. Your data and computation is instead done in the cloud. Indeed, when you lose or destroy your phone, you simply buy a new one and "restore" it form the cloud.

Thus, we are right back to the old world of smart core network with "mainframes", and "dumb terminals" on the ends. That your phone has supercomputer power doesn't matter -- it still does just what it's told by the cloud.

But the last nail in the coffin to the "end-to-end" principle is the idea of "net neutrality". While many claim it's a technical concept, it's just a meaningless political slogan. Congestion is an inherent problem of the Internet, and no matter how objectively you try to solve it, it'll end up adversely affecting somebody -- somebody who will then lobby politicians to rule in their favor. The Comcast-NetFlix issue is a good example where the true technical details are at odds with the way this congestion issue has been politicized. Things like "fast-lanes" are everywhere, from content-delivery-networks to channelized cable/fiber. Rhetoric creates political distinctions among various "fast-lanes" when there are no technical distinctions.

This politicization of the Internet ends the personal control over the Internet that was promised by end-to-end. Instead of being able to act first and asking for forgiveness later, you must first wait for permission from Big Government. Instead of being able to create your own services, you must wait for Big Corporations (the only ones that can afford lawyers to lobby government) to deliver those services to you.


We aren't going to regress completely to the days of mainframes, of course, but we've given up much of the territory of individualistic computing. In some ways, this is a good thing. I don't want to manage my own data, losing it when a hard drive crashes because I forgot to back it up. In other ways, it's a bad thing. The more we regulate the Internet to insure good things, the more we stop innovations that don't fit within our preconceived notions. Worse, the more it's regulated, the more companies have to invest in lobbying the government for favorable regulation, rather than developing new technology..