Linked by Thom Holwerda on Mon 5th Sep 2011 22:26 UTC
Privacy, Security, Encryption So, people from within Iran have hacked the Dutch company DigiNotar, allowing them to issue fake certificates so they could listen in on Iranian dissidents and other organisation within Iran. This is a very simplified version of the story, since it's all quite complicated and I honestly don't even understand all of it. In any case, DigiNotar detected the intrusion July 19, but didn't really do anything with it until it all blew up in their face this past week. Now, the Dutch government has taken over operational management of DigiNotar... But as a Dutch citizen, that doesn't really fill me with confidence, because, well - whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.
Order by: Score:
Can it really get worse?
by Soulbender on Mon 5th Sep 2011 22:33 UTC
Soulbender
Member since:
2005-08-18

Well, considering how incredibly bad the private company screwed up it's not like it can get much worse.

Reply Score: 5

RE: Can it really get worse?
by Delgarde on Mon 5th Sep 2011 23:43 UTC in reply to "Can it really get worse?"
Delgarde Member since:
2008-08-19

Well, considering how incredibly bad the private company screwed up it's not like it can get much worse.


Don't say that... they'll take it as a challenge... ;)

Reply Score: 6

RE[2]: Can it really get worse?
by mrstep on Tue 6th Sep 2011 19:40 UTC in reply to "RE: Can it really get worse?"
mrstep Member since:
2009-07-18

They didn't screw up - they implemented stuff that doesn't work, and now will get paid even more to get it to actually work. Or maybe they'll get it working in the next upgrade. The execs got some nice bonuses, lawmakers/police now have a way to track people...

Problems? What problems? Thom, you just worry too much!

Reply Score: 1

RE: Can it really get worse?
by Berend de Boer on Tue 6th Sep 2011 09:19 UTC in reply to "Can it really get worse?"
Berend de Boer Member since:
2005-10-19

With private companies you get to chose if you want their services. With the government it's a monopoly, you don't get to chose if you use it, nor if you want to pay for it.

Reply Score: 1

RE[2]: Can it really get worse?
by Soulbender on Tue 6th Sep 2011 14:28 UTC in reply to "RE: Can it really get worse?"
Soulbender Member since:
2005-08-18

Except I haven't read anything about the Dutch government monopolizing the CA business. You're still allowed to start your own CA business if you want to and you're free to not use DigiNotar.

Reply Score: 2

RE[2]: Can it really get worse?
by zima on Mon 12th Sep 2011 23:22 UTC in reply to "RE: Can it really get worse?"
zima Member since:
2005-07-06

Of course you can choose it. And not only by, say, finding large enough like-minded group of people for a peaceful coup and/or shopping for a gov that is to your liking on the world marketplace (and if there isn't any - tough luck, maybe humanity isn't for you*).

It is fairly easy to use hardly any services, and pay for none - being simply below the taxation threshold ...wait, what, you do want to live comfortably in an environment provided by modern society? Then don't escape from what is just the "cost of doing business" - you don't expect the landlord, who makes sure you have a comfortable place to live, to not get his rent money just because you don't feel like it, right? Or likewise with comfortable utilities you're so used to? (which BTW would be a disaster without regulation; not safe, immense waste of incompatibilities and duplication, etc.; with many people unable to choose water, electricity... most areas would be without these services if there were no intervention, as is still the case in many areas around the world)


*If humanity at large isn't willing to fulfil your whims, "deliver you what you want" to use your words elsewhere from this thread, maybe it's time so sign out ...or at least not be a hypocrite, not live where you benefit abundantly from the comforts provided by an integrated society.

Reply Score: 2

RE: Can it really get worse?
by Lennie on Tue 6th Sep 2011 11:14 UTC in reply to "Can it really get worse?"
Lennie Member since:
2007-09-22

If the Dutch government would get only a few things right, they would be doing things better than DigiNotar and would prevent many other attacks.

I think the Dutch government could have one team in one organisation that handle offline signing.

That means it is not in any way connected to the online world like DigiNotar.

They check a number of things (simplified):
- they receive a request by PGP-signed email

- check if they are on the contact-list and PGP checks out.

- look at the name of the request and see if it oesn't have *.google.com or other silly things like municipality X does not need to create a certificate for the website of municipality Y.

- call the people at the other end if they send the email

- check the numbers on the certificate request over the phone.

- create the certificate

- email it back, PGP signed.

Done, much more secure than what they had before.

Edited 2011-09-06 11:15 UTC

Reply Score: 2

Ahh... the "rejsekort"
by dylansmrjones on Mon 5th Sep 2011 22:44 UTC
dylansmrjones
Member since:
2005-10-02

Cool, the Danish government was greatly inspired by the Dutch electronic traveling card... we get to have it too, and it also doesn't work here.

Reply Score: 6

RE: Ahh... the "rejsekort"
by stripe4 on Tue 6th Sep 2011 06:35 UTC in reply to "Ahh... the "rejsekort""
stripe4 Member since:
2007-09-21

Here in Latvia it does work (we only have to check in, not check out) but the maintenance costs are very high.

Reply Score: 1

RE[2]: Ahh... the "rejsekort"
by dsmogor on Tue 6th Sep 2011 13:17 UTC in reply to "RE: Ahh... the "rejsekort""
dsmogor Member since:
2005-09-01

How does the bus know which amount to charge? Do you have to enter it upfront?

Reply Score: 2

RE[3]: Ahh... the "rejsekort"
by Fennec_Fox on Tue 6th Sep 2011 13:51 UTC in reply to "RE[2]: Ahh... the "rejsekort""
Fennec_Fox Member since:
2006-10-30

I've been in Riga (Latvian capital) about a year ago, and as far as I remember, you have a pre-loaded card that you swipe on the reader on entry only.

The trick is, that unlike similar systems elsewhere in Europe, Latvian transit does not differentiate tarriff - it's exactly the same no matter the distance travelled. And you cannot get a "free" transfer - once you exit the bus/ trolleybus/ tram, you have to swipe it again on the next connection.

Reply Score: 1

RE[4]: Ahh... the "rejsekort"
by Lennie on Tue 6th Sep 2011 14:13 UTC in reply to "RE[3]: Ahh... the "rejsekort""
Lennie Member since:
2007-09-22

That is also how it works in Toronto, Canada when I was there a couple of years ago.

Independently of how you pay ofcourse.

Edited 2011-09-06 14:14 UTC

Reply Score: 2

RE[4]: Ahh... the "rejsekort"
by stripe4 on Thu 8th Sep 2011 09:10 UTC in reply to "RE[3]: Ahh... the "rejsekort""
stripe4 Member since:
2007-09-21

Yeah, that's the way it works. A ride costs the same no matter which bus, trolley bus or tram in Riga you take and how far you go.
I also remembered another issue. One can buy single ride ticket only at the bus driver which is a bit more expensive (approx. 1 EUR) than buying 3 rides ticket at a kiosk (which costs approx 0.7 EUR per ride). The single ride ticket is printed on paper and the higher cost is to discourage people from buying tickets from the driver. The 3 ride ticket, however, is an electronic card which obviously has higher production costs and offering a single ride electronic card just isn't cost effective.

Reply Score: 1

RE: Ahh... the "rejsekort"
by zima on Sun 11th Sep 2011 16:49 UTC in reply to "Ahh... the "rejsekort""
zima Member since:
2005-07-06

Maybe it is to encourage your two places to use bikes even more than is already the case? ;)

(well, from one other example - the real purpose of inner-city parking metering is to discourage people from using cars in the city centres, according to a buddy of mine who works at a public office responsible for it)

Reply Score: 1

High costs, high problems
by dmrio on Mon 5th Sep 2011 22:48 UTC
dmrio
Member since:
2005-08-26

I see so many similarities on government acting that I could call The Netherlands as the european Brazil.

Reply Score: 1

Comment by abstraction
by abstraction on Mon 5th Sep 2011 23:44 UTC
abstraction
Member since:
2008-11-27

Japan has a similar way of paying for travel and one of my friends who stayed their thought it worked perfectly. But they might just be better at implementing things considering the trains are never late. In my country I'm sure we would get the same result as the Netherlands if we did the same.

Edited 2011-09-05 23:44 UTC

Reply Score: 1

RE: Comment by abstraction
by rrijken on Tue 6th Sep 2011 03:00 UTC in reply to "Comment by abstraction"
rrijken Member since:
2011-09-06

Even in Japan the trains run late.... Mostly to suicides or disasters.... The system works perfectly though, even when using a card on another train network or a combination of the above. It also gives you more functionality then just travelling. Buying stuff at kiosk stands etc. can also be paid for with the card...

Reply Score: 1

RE: Comment by abstraction
by Neolander on Tue 6th Sep 2011 06:42 UTC in reply to "Comment by abstraction"
Neolander Member since:
2010-03-08

Your country (or at least Uppsala region) does electronic tickets on an NFC card ;) I know, I was there !

Reply Score: 1

RE[2]: Comment by abstraction
by cyrilleberger on Tue 6th Sep 2011 07:09 UTC in reply to "RE: Comment by abstraction"
cyrilleberger Member since:
2006-02-01

Only for regional transport. For national line, it is paper or sms, bought online or at a shop. And for regional transport, the quality depends on the area, for instance in Göteborg, you have to press a sequence of button in a certain order to get your ticket (with no documentation on board), and if you go out of town, and forget to validate at exit it will charge the full content of your card. And in Östgötaland, the system is not too bad, but it is slow as hell, it can takes more than 10s before the machine validate your ticket.

Reply Score: 2

RE[3]: Comment by abstraction
by Neolander on Tue 6th Sep 2011 07:20 UTC in reply to "RE[2]: Comment by abstraction"
Neolander Member since:
2010-03-08

There's some mysterious ergonomy in Uppsala too. When you enter the bus, you must press a button stating which tarification you use (full tarification, children, etc...). The only thing which labels the buttons is a digit. Thankfully, the driver is here to explain you, but when she doesn't speak English and you don't speak enough Swedish, it remains an awkward moment.

Past this painful learning step, it works perfectly.

In national trains, what does this SJ card (called SJ prio IIRC) do ?

In France too, national trains don't use NFC tickets. Guess it doesn't matter so much, because the regions are so large around here that only few people use national trains frequently. The implementation of regional tickets also varies on a per-region basis, but I have to admit that I haven't travelled enough outside of Ile-de-France to tell you if it changes a lot.

Edited 2011-09-06 07:32 UTC

Reply Score: 1

RE[4]: Comment by abstraction
by Seneca on Tue 6th Sep 2011 10:52 UTC in reply to "RE[3]: Comment by abstraction"
Seneca Member since:
2011-07-12

The Prio card is not an NFC card, only a customer discount card. Lower fares, special offers, free newspapers/coffee in the bistro on sundays.

It doesn't contain any ticket info, but you might need it on your person if you need to validate a discounted ticket bought via that card.

And it's only for regional fares by train and only valid with one carrier (SJ).

Reply Score: 1

RE[5]: Comment by abstraction
by Neolander on Tue 6th Sep 2011 11:46 UTC in reply to "RE[4]: Comment by abstraction"
Neolander Member since:
2010-03-08

Thanks for the explanation. I think I have confused with something else. I remember people just playing with a plastic card in the train, without a paper ticket or a mobile phone. SJ's website mentions Pendlarbiljett and Årskort, perhaps it was that.

Also...

And it's only for regional fares by train and only valid with one carrier (SJ).

Sure, but if I get it right SJ owns pretty nearly every national train in Sweden, and you have a good train network (except in the middle of winter), so that's already something.

Edited 2011-09-06 11:49 UTC

Reply Score: 1

RE: Comment by abstraction
by Damnshock on Wed 7th Sep 2011 17:08 UTC in reply to "Comment by abstraction"
Damnshock Member since:
2006-09-15

Japan has a similar way of paying for travel and one of my friends who stayed their thought it worked perfectly. But they might just be better at implementing things considering the trains are never late. In my country I'm sure we would get the same result as the Netherlands if we did the same.

It's not only they are better at implementing things but that their society wouldn't even think for a sec to try to steal from others. Most of Japan doesn't even have locks at home because the idea of someone breaking into your house is... well, they just don't think about that.

They have so much respect for each other that it gets ridiculous many times.

That was something I really loved about the japanese ;)

Reply Score: 1

RE: Comment by abstraction
by trbs on Wed 7th Sep 2011 20:49 UTC in reply to "Comment by abstraction"
trbs Member since:
2011-07-06

The Dutch system is nothing compared to the Japanese system.

Dutch metro's now feel like supermax prisons while Japanese are clean and friendly.

Doing customer service in the Netherland is horrible, me trying to merge three different cards together which I got from one transport agency for three different products was a nightmare. They deal with you like you are some kind of criminal... how dare you try to make your live easier by putting 3 digital products onto 1 digital card.

No give me the Tokyo or Helsinki system any day... and please let us just stop with the foolishness in the Netherlands.. it only will costs us large amounts of cash for a transport service which is not much better then cattle transport.

Like another poster said before... we Dutch will never be so civil as the Japanese are, so this type of system will never work for us...

It will just be a new version of the way we deal with fuel or telco prices... completely non-transparent and very volatile increasing prices... with less and less customer service....

(btw have you ever seen a Japanese gas station ? that is customer service!)

Reply Score: 1

Comment by neticspace
by neticspace on Tue 6th Sep 2011 00:49 UTC
neticspace
Member since:
2009-06-09

whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.


Sort of like South Korea with a conservative pro-American government right now. Pro-American conservative politicians in the National Assembly in Seoul don't know anything about computers, softwares, and the tech industry.

Reply Score: 2

Nice ratio
by avgalen on Tue 6th Sep 2011 01:01 UTC
avgalen
Member since:
2010-09-23

Almost 1 paragraph of actual content about something that you admit you don't really understand.
Followed by a rant about some failed projects that you have heared all the popular complaints about and wrote them down ad verbatim

Do you really think that standing in line for a trainticket, seeing that train you wanted to get on already leaving is better than the few seconds you have to spend "beeping" yourself through the gate? How much real abuse is taking place now and how much did the old systems get abused?

As far as I had heard of crisis.nl had problems with a person updating the page wrongly, not with "not being able to handle the load".

The new police software not being integrated into normal workflow is a problem of the central government or the local government? Serious question, I don't know .

The software for doing your taxes seems to work quite nicely by the way, even though it relies on certificates that were issued by Diginotar, you know, the company that this article is about.

I am not saying the Dutch government and IT are a good combination, but your examples aren't very good. They are biased and they are not very related to the topic of taking control of a TRUSTED certificate authority

Reply Score: 1

It's not incompetence in IT ...
by MacTO on Tue 6th Sep 2011 01:25 UTC
MacTO
Member since:
2006-09-21

It sounds like the Dutch government's problem doesn't have anything to do with IT. It sounds like they have a problem with how they contract projects out.

Now I don't know how things work in the Netherlands, but there are two problems with how it works in Canada. A huge problem is that bidders underestimate costs, because it is the only way to make a competitive bid. The mentality of outsourcing also means that the government has relatively little technical expertise to evaluate bids, meaning that they are almost dependent upon accepting the bids at face value.

Oh, and thank-you for the transit anecdote. My city is planning to move to a similar system. Ironically, many people can barely figure out how to use the existing system!

Reply Score: 2

RE: It's not incompetence in IT ...
by _txf_ on Tue 6th Sep 2011 09:49 UTC in reply to "It's not incompetence in IT ..."
_txf_ Member since:
2008-03-17

A huge problem is that bidders underestimate costs, because it is the only way to make a competitive bid.


That is a problem not just in IT, but everywhere. Particularly in public projects those in charge favour cheap projects over slightly more expensive (but significantly better projects). Invariably this usually means that the cheaper project is either cutting corners or underestimating the costs which either they raise once granted the project, or, produce shoddy work.

Reply Score: 2

cfgr Member since:
2009-07-18

That is a problem not just in IT, but everywhere. Particularly in public projects those in charge favour cheap projects over slightly more expensive (but significantly better projects).


Unfortunately this is required by law (at least in Belgium, but probably in most countries). Government projects must always choose the cheapest solution that fulfils the requirements. Which makes sense in a way: why waste taxpayer's money on more expensive contracts?

However, in practice, companies abuse this the same way Ryanair cheats on you: hiding costs everywhere or just plain lying about it. It requires a lot of expertise to write a perfect contract and make the right decision in so far the law allows you. Most government workers do not have this expertise, especially not local ones). This results in very poor solutions, often never finished.

There have been a few big cases like this here. The government has now sued several of those companies but meanwhile they don't have the money for an alternative solution (with the same risks) and lawyers aren't exactly cheap either.

Edited 2011-09-06 12:22 UTC

Reply Score: 1

mrstep Member since:
2009-07-18

That's just par for the course. Bids are lowered to look good, and companies are hired based on how much money will be saved. Imagine the shock of the government (or corporate) users when they discover that things aren't to spec and will now cost significantly more to support or change than expected. But hey, it looked cheaper.

(I had the pleasure of watching this on some outsourcing projects where vendors promised all sorts of wonderful savings - and the end users ended up shocked when making changes actually turned out to cost more and take longer than when they were in-house - and now they had a new stand-alone external system that didn't even integrate as well with the other apps anymore. On the other hand, I had the foresight to get out while it was happening and didn't have to be the IT chump picking up the pieces of a bad contract and broken system. ;) )

Reply Score: 1

Smartrider
by 3rdalbum on Tue 6th Sep 2011 02:20 UTC
3rdalbum
Member since:
2008-05-26

We have a similar public transport ticketing system here (Perth, Australia), and it rocks.

You don't have to worry about how many zones you're going to be travelling; the smartcard system works it out when you tag off. If you change your plans and decide to go further than you originally intended, you don't have to get off the train and buy another 2-zone ticket and then wait for the next train; you still just tag off as normal at your new destination.

If you're catching a bus, it's even better; you don't need to know how many zones it is to your particular bus stop. The smartcard reader works it out when you tag off and handles it all transparently.

It even works out the cheapest fare for you; if you travel three zones into town and then three zones out of town, the system knows that an All Day fare is cheaper than the two three-zone fares, and charges you for the All Day fare.

The Smartrider system can even be used to pay for parking at train stations and for unlocking the bike sheds at train stations. It is linked to the universities, so students automatically get a concession fare when studying full time, and as soon as they drop to part time or leave university they get charged full fare again.

If you load a larger value onto your card (for instance, $50) you get some discount off your fares too.

Oh: And the system works perfectly every single time.

Please don't say "The paper tickets worked fine, why are they replacing it with a smartcard system". When done properly, smartcard tickets are awesome because they make life a lot easier for travellers, and are a lot more flexible. They cut down on fare evasion and concession fare fraud (where students enroll full-time, get a concession card and then drop back to part time; that trick doesn't work anymore with the Smartrider).

In short, smartcard ticketing is so good, you won't realise how much you love it until you think about the olden days with paper tickets :-)

Unfortunately, you hear a lot about countries where it hasn't been done properly and there have been problems. But that's a government problem for choosing the wrong company, not an inherent flaw in the idea.

Reply Score: 4

RE: Smartrider
by Neolander on Tue 6th Sep 2011 06:46 UTC in reply to "Smartrider"
Neolander Member since:
2010-03-08

Heh, gone back to paper tickets atm because my university is stupid, so I have to agree : contactless tickets with nicely picked plans are just awesome. You go wherever you want, without worrying, and you enter/exit the station much faster.

Reply Score: 1

Comment by OSbunny
by OSbunny on Tue 6th Sep 2011 02:21 UTC
OSbunny
Member since:
2009-05-23

So what has Iran got to do with any of this? Is it just a convenient scapegoat? According to the BBC the vast majority of certs were issued to Dutch companies and individuals. Hell the govt. takeover is also because the Netherlands govt. was using this CA.

Reply Score: 2

Comment by clasqm
by clasqm on Tue 6th Sep 2011 02:23 UTC
clasqm
Member since:
2010-09-23

The old Dutch system for buses, with its strange folding-up tickets, probably worked well enough for locals. To tourists it was beyond baffling. Considering the size of your tourist industry, maybe a change was called for.

Reply Score: 2

RE: Comment by clasqm
by Lennie on Tue 6th Sep 2011 14:16 UTC in reply to "Comment by clasqm"
Lennie Member since:
2007-09-22

Well, the system is pretty much the same. It is just electronic now.

Reply Score: 2

Comment by Berend de Boer
by Berend de Boer on Tue 6th Sep 2011 03:16 UTC
Berend de Boer
Member since:
2005-10-19

Thom: Well - whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.

Except when they regulate mobile phone companies!

What a success that was...

I vaguely remember Thom pushing that here, so do I hear some buyers remorse?

Reply Score: 2

RE: Comment by Berend de Boer
by Neolander on Tue 6th Sep 2011 07:10 UTC in reply to "Comment by Berend de Boer"
Neolander Member since:
2010-03-08

Knowing your love of free market theories, I guess what you advocate instead is a public transportation network, without any form of government backing, or even regulations to make sure that they cover the majority of the inhabited territory with decent service.

Or perhaps no public transportation at all. After all, stuff which can't work well in a free market is not interesting, right ?

Reply Score: 1

Berend de Boer Member since:
2005-10-19

Neolander: After all, stuff which can't work well in a free market is not interesting, right ?

I wouldn't say not interesting, it might be. Certain things are necessary of course, i.e. the government has the monopoly on coercive force.

But for your particular example: if the free market doesn't provide it, it means it can't do it, either because it is forbidden by the government, or it cannot provide it at an acceptable cost.

So if the government provides that service, you incur a cost. At minimum the public should be aware that if the government steps it, the cost might potentially be draconian. If the government should do it, is obviously a political item.

A good reason to object is that the government uses coercive force to extract the money from its citizens. Coercion is generally bad IMO.

Reply Score: 1

Neolander Member since:
2010-03-08

Thanks for this more precise and open-minded comment. I owe you one, will try to do my best.

In my opinion, every service which at the same time is expensive to provide and requires a universal reach to be useful, needs some form of government backing and/or regulation to work in a fashion that is socially and morally acceptable. Services in this category include :
-Public transportation
-Postal service
-Water
-Electricity
-Telecommunication networks

If one of these services is left to a free market, then the laws of financial rentability will do their job and the areas of high wealth/population density will get a high-quality service while the areas of low wealth/population density will get little to no service.

If we consider that every human being in a country has a right to a minimal level of service in one of these areas, then regulation must be introduced, as a force that makes sure market actors will provide this level to everyone, even when it economically means a loss.

This does not mean that the government has to own the company and dictate every single decision. Only a limited number of objectives must be ensured, and the company is left free to take care of other aspects of the situation. It's not the color or brand of a bus that matters, it's how much people it can carry, where it goes, and how often.

The drawback is that as you say, sometimes governments may abuse their power. Which is why justice must work in a fashion that's roughly independent from the government (as is the case in many countries), and why governments must be regularly renewed through elections in order to ensure that they still match the demand of most.

Besides this "stick" side of things, governments also have a "carrot" at hand : they have a budget, fairly collected among the population, which may be used to provide backing when companies can't realistically meet an economic objective alone. As an example, high-speed trains are often operated at a loss, and require financial backing from the whole population to become profitable while still remaining accessible to most travellers.

Fundamental research is another example of service which requires government backing to be operated optimally. It's financially too risky for most companies to provide significant backing to it, even though in the end that work may benefit everyone.

Globally, government backing and regulation is necessary to meet demand for a higher quality of service than what is financially optimal.

Edited 2011-09-06 11:53 UTC

Reply Score: 1

RE[3]: Comment by Berend de Boer
by zima on Mon 12th Sep 2011 23:57 UTC in reply to "RE[2]: Comment by Berend de Boer"
zima Member since:
2005-07-06

Coercion is generally bad IMO.

In a truly free market, what's to stop somebody from coercion via economical domination?

IT ACTUALLY HAPPENED NUMEROUS TIMES, the economically advantaged group can use free market to enforce tyranny on others, for example: White Citizens Councils ( http://en.wikipedia.org/wiki/White_Citizens'_Council ), you can't rewrite history. Fact: White people used the power of the free market to destroy the lives of middle class black business people without having to resort to violence.

Thankfully, the government stepped in and stopped the oppression. Do you want the clock turned back on that one?

Again, it actually happened, the free market was used to oppress and destroy people, you can't simply rewrite or overlook history to agree with your political/economic theories, to make your cherished ideologies seem more plausible. It's astounding that people can discuss "market forces" and, nearly in the same breath, deny that the market has any kind of ("bad") force.

Yes, yes, "harm" would be illegal, but what is harm? Does it harm me if you pollute? What if you use child labour and my moral code prohibits it, when you undercut me in the market, is that harm? What if you decide to form some White Citizens Councils and drive all blacks out of business? Certainly that would be considered harm, right? Or would it just be the free market at work? What would keep somebody from economically coercing and dominating others? Or is that considered OK, as long as that somebody uses market forces to oppress others, to destroy their lives?

Who regulates what is harm? Maybe, hm, we should form some central entities handling such stuff on our behalf?

Edited 2011-09-13 00:12 UTC

Reply Score: 2

RE: Comment by Berend de Boer
by Thom_Holwerda on Tue 6th Sep 2011 07:25 UTC in reply to "Comment by Berend de Boer"
Thom_Holwerda Member since:
2005-06-29

Unlike you, I don't perceive the world as black and white. I can understand that what works in some cases, does not work in others. Government intervention can be both good and bad. In the case of mobile phones, it worked out okay. In the case of anything related to implementing actual technology (as opposed to just regulating said technology), things generally go wrong.

In the end, you still haven't answered the question I posed you so many months ago: point me to a truly free market which works. Any luck with that yet?

Reply Score: 1

Berend de Boer Member since:
2005-10-19

Thom: point me to a truly free market which works.

Sorry, missed that. Your question is probably: point me to a free market that delivers me what I want.

But that's not what markets are. Markets are purely the free and non-coercive exchange of private citizens. They might not produce you an outcome you'd like (mobile phone calls for 1 cent per hour for example).

I would offer food markets as a market that is pretty unregulated. The outcome might be that we got too many obese poeple, but probably better than people starving.

If you had lived only 400 years ago, you would have been a peasant bound to the land. Market economies have improved lived drastically.

Reply Score: 1

Thom_Holwerda Member since:
2005-06-29

I would offer food markets as a market that is pretty unregulated. The outcome might be that we got too many obese poeple, but probably better than people starving.


This is what you come up with? The food market is probably one of the most strictly regulated markets in existence today! Everything from ingredients, to packaging, to information provided about the products, to the production process, to the kind of gloves and protective gear workers have to wear, and much, much more than that, is strictly regulated by the law. I don't think there is any industry that is more strictly governed by laws and regulations than the food industry.

More and more I'm getting the idea that you read some fancy theoretical book cited in Economics 101 at university about the ideals of the free market, without really understanding what it means. If you cite the food market as an example of an unregulated free market... Holy cow.

Edited 2011-09-06 09:43 UTC

Reply Score: 1

RE[3]: Comment by Berend de Boer
by mrstep on Tue 6th Sep 2011 20:04 UTC in reply to "RE[2]: Comment by Berend de Boer"
mrstep Member since:
2009-07-18

While $.01 calls might sound great, it's the lack of regulation that can lead to $5 per minute phone calls if monopolies / price fixing aren't controlled.

There's a lot that free markets are great for (let's produce X number of phones as dictated by a central planning committee isn't such a great plan), but certainly protecting people from environmental health issues, setting safety standards, or preventing price gouging by unscrupulous mega-corps aren't amongst those items.

For anyone who would say 'well, if Company X is charging too much, Company Y will show up and offer a better priced service", keep in mind that in a TRUE free economy, Company X may be large enough to implement unfair agreements with distribution / access channels, litigate, or buy out Company Y and never have to worry about competing on lower prices.

Reply Score: 1

Soulbender Member since:
2005-08-18

but certainly protecting people from environmental health issues, setting safety standards, or preventing price gouging by unscrupulous mega-corps aren't amongst those items.


Oh come on, don't you know this stuff sorts itself out in the long run and if some poor sods die in the meantime, well, that's just the price of freedom.

Reply Score: 2

RE[3]: Comment by Berend de Boer
by zima on Mon 12th Sep 2011 23:41 UTC in reply to "RE[2]: Comment by Berend de Boer"
zima Member since:
2005-07-06

Regulated market economies have improved lived[sic] drastically.

How easily you ignore many starving or malnourished (or with unsafe food and water) people around the world; mostly in places without functional administrations... It really doesn't put in you in a good light.

In some truly unregulated markets, there is a hunger epidemic right about now. People DIE. Warlords capture aid, it's more profitable for their free enterprises.

Glance at least once at a packaging of some of the gorged (to feed that obesity) food; contemplate how can you believe what they write about contents. And, somehow, we don't really die regularly from food poisoning or food-borne pathogens any more... why is that? If a dozen or so would die in each city every week, it would lead to better efficiencies! It would self-regulate, promote the best providers of the month!

Look how nicely unregulated capitalism works: www.rootsweb.ancestry.com/~belghist/Flanders/Pages/phossy.htm ...so efficient, profitable and rational to not bother about the lesser people around.

Oh, and our agriculture runs on fossil fuels ( http://en.wikipedia.org/wiki/File:Human_welfare_and_ecological_foot... ) ...we certainly want to regulate that crap.

Reply Score: 2

NFC cards
by Neolander on Tue 6th Sep 2011 06:38 UTC
Neolander
Member since:
2010-03-08

They put electronic tickets on NFC cards around London (Oyster Card), Paris (Navigo Découverte), and Uppsala (Uppsalakort), and they work just fine, except for a early card death from time to time...

However, I don't remember these systems ever being directly controlled by the government. In all three cases, it is a state-owned company, but this essentially means that it gets a big chunk of its funding from it and must work with it on some infrastructure projects in exchange, otherwise remaining basically independent. As good public transportations networks, for all their technical awesomeness, are unprofitable in essence, this sounds fair enough.

The only case where government has to actually strongly step in is when several transport companies can't agree on a common transport pass standard, and it generally goes fine.

Edited 2011-09-06 06:49 UTC

Reply Score: 1

v Oh so now you are upset?
by jefro on Tue 6th Sep 2011 12:08 UTC
RE: Oh so now you are upset?
by Soulbender on Tue 6th Sep 2011 14:30 UTC in reply to "Oh so now you are upset?"
Soulbender Member since:
2005-08-18

Dude, seek professional help.

Reply Score: 1

This isn't the worst.
by dsmogor on Tue 6th Sep 2011 13:24 UTC
dsmogor
Member since:
2005-09-01

Once this holliday I was stuck in Rotterdam trying to get out. The ferry have had already left. It was 21, I had a bike and cash to pay for the ticket.
You know what, I couldn't buy it!
The freacking ticket machines woudln't accept neither paper money nor my non-pin bank card. The ticket for me + bike ended up being 20+ euro. Who in the world carries around that abount of change?
I had was literally at mercy of the train director, who as it appears couldn't sell me the tickek anyway (cause the bike I guess).

Edited 2011-09-06 13:30 UTC

Reply Score: 2

Bill Shooter of Bul
Member since:
2006-07-14

I and several others I know at large companies have removed them as a trusted ca root. You'll find that the internet is much better at granting initial trust than restoring it to someone found unworthy of that trust.

Reply Score: 2

Lennie Member since:
2007-09-22

That would have been kind of a problem if the CA is used by your government and you want to make use of their services. Most people also have no idea how the system works they just rely on others getting it right.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

A ssl cert CA's business is based on trust. Others must trust them to at a minimum keep their cert issuing authority out of the hands of bad guys. If they don't as in the case of DigiNotar, then people like me stop trusting them. Then people who expect things to work, find they don't and blame the company they are trying to connect with. Then that company switches CA roots to someone who is trusted. And they system works for everyone again.

Reply Score: 2

Lennie Member since:
2007-09-22

So I guess you also removed Comodo, last time ?

To bad you can't use a quarter of the whole HTTPS sites on the internet.

You see, it isn't that simple. :-(

Reply Score: 2

Alfman Member since:
2011-01-28

I didn't even know Comodo was hit.

http://www.infoworld.com/t/authentication/weaknesses-in-ssl-certifi...


You can't reasonably block them without breaking most HTTPS sites. If I'm not mistaken, microsoft has also chosen them to do code signing certificates in win vista+.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

I was referring to a different use of HTTPS other than the www. Which, I'd prefer not to delve into. But rest assured Comodo is blacklisted as is DigiNotar. In fact, we're in the process of switching to our own white list, rather than the default ones you see in browsers.

But actually, I did personally remove it from all of my browsers. It hasn't been a problem yet. Are there any big sites that actually use Comodo as a cert? Most I see are GeoTrust, Verisign,Thawte, Net Sol, TrustWave.

Reply Score: 2

LB06 Member since:
2005-07-06

So, what do you do when you need to electronically communicate with some websites that use a certificate signed by some CA you don't trust?

Reply Score: 2

Alfman Member since:
2011-01-28

Bill Shooter of Bul,

"Then that company switches CA roots to someone who is trusted. And they system works for everyone again."

I know you understand what is going on. However what you view as working system, I view as a broken model.

3rd party authentication, as with the CAs, is inherently problematic when the CA's security is lower than that of the websites using SSL. As it stands, any CA has the technical ability to create a fraudulent certificate for any website. No matter what precautions SSL users/websites take, they are dependent upon *ALL* CA's to not screw up.

The CIA probably was not a client of DigiNotar, and yet they were a victim of the leak. DigiNotar didn't even bother to tell anyone about the leak for several weeks - if there are more leaked keys out there, we'd have no idea.

I don't want to sensationalize this and blow the risks out of proportion, but 3rd party trust is a disturbing requirement of SSL.

I'd be a bigger proponent of a secure DNS based solution which guaranties that we are communicating with the registered owner of a domain name. Everyone with a domain name would be entitled to publish their own certificate in their DNS records and not have to use a CA for the privilege.

This would still require trust in one's hosting provider to supply the legit certificate via secure DNS, however since trusting a hosting provider is implicit anyways, it doesn't increase the scope of trust and it can be insourced to increase security.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

You raise some good points. I would be in favor of a better system that wouldn't allow any trusted CA to issue a cert for any site.

Given the current system that we have, the best bet is to restrict the number of CA's that you trust.

Reply Score: 2

Alfman Member since:
2011-01-28

Bill Shooter of Bul,

"Given the current system that we have, the best bet is to restrict the number of CA's that you trust."

Well yes, but that only applies to what you can control. There are problems with managing CA's personally:


1. As a website owner, your choice of CAs doesn't increase your security. The authentication of your website is validated by the list of CAs in your user's web browsers.

2. As a user, it's reasonable to want to trust only specific CAs where I can attest to their security. However in reality real websites will use CAs who's security I cannot attest to. So, this may not be an option.

2b. Obviously you're talking about blacklisting a select group rather than whitelisting a select group. But the problem remains that you are trusting CAs who's security procedures haven't really been attested to and could in fact be as bad as DigiNotar.

I'm not even sure how bad DigiNotar's procedures actually were. All CAs are vulnerable to things like zero day exploits and disgruntled employees even when they do follow best practices.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

1) As a website owner, you choose a CA that is used by large companies that your customers would want to use. If they are likely to trust those large websites, they'll be likely to trust al certs signed by the same CA.

2) As a website user, the number of SSL enabled sites that I use are limited to a few, those few do use reputable large CA's. Its actually quite easy, and with minimum side effects. If a site is signed with a ca root you do not allow, you examine the cert closely and determine if its really worth the effort to verify the identity of the website or to use a different website that provides the same features.

2b) Yes, this may be trusting CA's that have just as poor security as DigiNotar's, but reducing the number of ones that you do trust reduces your vulnerabilities, I think. In any case there are CA's that are trusted by browser makers, that I do not trust who also do not sign any certs of any of the websites I use over SSL. Removing them is an obvious choice.

Reply Score: 2

Alfman Member since:
2011-01-28

Bill Shooter of Bul,


1 - I think you missed my point. A bank/commerce site can choose whatever CA they want, but it doesn't matter when 99% of their customers (purely made up) have default CAs in their browsers. It may not be the site's fault, but users are never the less vulnerable through the weakest CAs in their browser. There is absolutely nothing you can do as a website owner to protect your users.

2 - That's quite a hassle. Even for people who have the extra time and expertise to do it, it's bad that they'd need to give up their online choices due to shortcomings of HTTPS.


2b - Even if we assume that it's possible to audit the internal security of a CAs in a comparatively meaningful way, that knowledge is not really public. I certainly can't tell if vendor X is more secure than vendor Y, so on what basis should I white/black list them? Popularity?


So, I don't think it's reasonable or helpful to ask normal users to manage their own CAs. If anything, CAs should be licensed and audited to ensure some kind of compliance with security protocols. Better yet, transition to technologies which take third party CAs out of the loop.

Edit: I guess another possibility would be to change HTTPS validation to require two valid certificates from two independent CAs. This would significantly reduce the attack windows when one CA is compromised.

This would be pretty good from a security robustness standpoint...I don't think it'd be popular though.

Edited 2011-09-06 21:52 UTC

Reply Score: 2

Lennie Member since:
2007-09-22

(sorry, the whole thing became a bit large)

A long time ago there was one CA and people were not all that happy about that either.

DNSSEC (crypto keys for DNS) with DANE (which is a proposed RFC) would be the closest thing to what you talk about, is in a way a single CA-system.

DNS is a hierarchy, it starts at the 'root'.

With ICANN at the top (root) and operations of the crypto handled by ICANN/IANA and Verisign.

The DNS root-servers however are handled by different organisations around the world. One is a large ISP (Cogent), one again is Verisign, one is the RIPE (European IP-addresses organisation), an other is the US department of defense. The list is here: http://www.root-servers.org/

The money to run ICANN comes from the US department of commerce (if I'm not mistaken). Although the department did sign a contract saying they don't interfere with technical operations.

The money from IANA and RIPE comes mostly from the people that need the IP-addresses. IANA is like RIPE, they 'lease IP-addresses' to organisations like ISP's that need them.

While they normally only tell DNS-servers where to find the DNS-servers for .com (which is Verisign) they could in theory point it somewhere else.

However DNSSEC adds crypto in the mix and access to the crypto keys is limited to a bunch of people from around the world.

As you can see it is complicated. ;-)

But there is a root and thus it is kind of similair to a single-CA-system. But a lot of different people and organisations have a say in different parts of it.

A lot of the organisations are US companies (because of historic reasons ofcourse) and thus the US has some power of those organisations.

Not everyone likes that, the Internet should be 'owned' by everyone.

DANE depends on DNSSEC being deployed and that deployment has been slow. Some currently deployed software and firewalls are not compatible. After all it is the largest change to DNS since it was created almost 30 years ago. Just an example, some operating systems and DSL-routers need to be fixed before everyone can use it.

Edited 2011-09-07 10:53 UTC

Reply Score: 2

Alfman Member since:
2011-01-28

Lennie,

Wow thank you for the informative posts. Yes I am aware upgrades would be necessary and that DANE is one of the proposals.

I don't actually think it's that complicated, but then again I study this stuff closely.

"Many home users have a DSL-router that is not capable of handling DNSSEC. Operating systems like Windows XP do not support it."

Really? That'd be a surprise to me since DNSSEC is just the existence of more records on top of DNS. If DNSSEC doesn't work across a router, it implies that the router isn't truly compliant with the DNS protocol. Not to say it's untrue, but why would a manufacturer go out of their way to break their DNS stack like this?


"Also some people think DNSSEC is to much like a one-CA-system. For example if something breaks everyone will have problems:"

Well, the main difference would be that the root keys would not be vouching for people's identity, only vouching for the accuracy of the DNS database, which we already implicitly rely on for the web to work anyways.

From my understanding of DNSSEC, verisign has zone-signing keys for the .com domain (with a relatively brief lifetime), but someone else can hold the key-signing keys - so it would require attacks to be successful on two fronts (in other words a completely broken DNSSEC would still be no worse than today's DNS).

Personally I would have three independent DNSSEC key signing organizations with three master KSKs - and require that at least two of them agree in order for "verisign's" ZSK to be valid. Cryptography redundancy schemes like this are very secure in practice.


Edit: In case it wasn't clear, the intention of the 3 keys is that the corruption of one entity (say by the US government) is insufficient to corrupting the whole system.

We could make DNSSEC KSKs arbitrarily redundant: 7 KSKs world wide, and require that 4 of them agree on ZSKs in order to be valid.

Edited 2011-09-07 17:09 UTC

Reply Score: 2

Lennie Member since:
2007-09-22

(as you liked informed posts, here some more ;-))

Well, DNSSEC isn't just new types, certain types belong with each other. Which are the signatures and the data and flags. Which changes how the basic protocol works. The signatures also make the packets larger, a lot of the times larger than the old DNS limit.

The operating system change is an extra API-call (or change) to allow an application to request signed-answers.

So the operating system will request signed answers from the nameservers. Obviously the nameservers need to be upgraded to understand it to respond with signed answers if available as well.

On this page there is a presentation "DNSSEC Support by Home Routers", which might give you an idea about what the problems are with DSL-routers:

http://ripe60.ripe.net/archives.php?day=thursday

This is the PDF:

http://ripe60.ripe.net/presentations/Dietrich-DNSSEC_Support_by_Hom...

Basicely they can't handle the DNSSEC flags, they don't have large DNS-UDP-packet-support and can't handle the fallback method: TCP. It pretty much was never needed for regular DNS.

As you may know many of these DSL-routers have their own DNS-server and that is what is communicated over DHCP to the hosts behind the DSL-router. So they use the DNS-server and that is usually the one that can't handle all this.
____

The root keys are both, in a locked machine called an 'HSM' which can be used for signing.

And for safety a copy of the key has been split up in 7 slightly overlapping parts and is kept by different people from around the world (Paul Kane (Great Britain) Dan Kaminsky (United States), Jiankang Yao (China), Moussa Guebre (Burkina Faso), Bevil Wooding (Trinidad and Tobago), Ondrej Sury (Czech Republic), Norm Ritchie (Canada)).

New keys are generated every few years, anyway have a look here:

http://www.root-dnssec.org/wp-content/uploads/2010/06/draft-icann-d...
http://www.root-dnssec.org/documentation/

It probably explains it better than I do. I just type what I think is right from memory. :-)

And the video and documentation of the Key-singing are here:

https://data.iana.org/ksk-ceremony/

__________

Anyway a possible solution might be to use Convergence:

http://www.youtube.com/watch?v=Z7Wl2FW2TcA
http://convergence.io/

This basis system is where the browser asks others on the Internet if they see the same certificate.

With Convergence however the browser can ask for other information as well. So DNSSEC could be one of the things it asks about.

Even when you are in a network or on an operating system that does not support DNSSEC.

Edited 2011-09-07 22:56 UTC

Reply Score: 2

Alfman Member since:
2011-01-28

Lennie,

Wow, how did you hear about convergence?

The convergence website is unfortunately void of details. However the youtube clip seems to tackle everything we've talked about here... great find! Definitely a very interesting approach, and I am very impressed overall - it's a great look at the CS theory to see what's possible.

He says you can configure notaries to verify the CA signatures cryptographically as normal, but I'm honestly not sure what this mode buys us. What difference does it make whether the CA cert is validated in my browser or on a trusted notary server?

The concept which I find most novel is the "perspective verification", which verifies that my notaries are seeing the same (unverified) SSL certificate as myself. If I am the target of a middle man attack where the SSL certs in my traffic are forged, then the discrepancy would be detected with my notaries.

Hypothetically though, it could be pretty easy for a backbone provider or a country like china to do a man-in-the-middle such that all the notaries I have access to are compromised in the same way. This problem does not exist today with CA SSL.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

http://threatpost.com/en_us/blogs/microsoft-revokes-trust-five-digi...

FYI,I'm not the only one who no longer trusts them.

Edited 2011-09-07 20:13 UTC

Reply Score: 2