12 comments

[ 4.4 ms ] story [ 38.6 ms ] thread
The Internet simply ended up having to swallow far more than it was designed to handle. The dot-com boom paved the way for it becoming essential and inseparable to our livelihoods.

Michal Zalewski's The Tangled Web is an excellent technical book on how the technologies that power the web are interconnected, and how they're all a vulnerable mess of hacks. On the surface, it looks like everything is running smoothly, but on the inside, everything we've architected is subpar for our current needs. It's amazing that the web is hanging by its nooks and crannies, but the constant series of gaffes that is infosec and most people's refusal to accept it, speaks for itself.

Who knew that one day, a handful of nerds and social outcasts would end up maintaining core infrastructure that the entire Western economy depends on so dearly?

Of course, people have realized this and have been hard at work building new protocols, abstractions and mechanisms on top of current cruft. It's still a mad, mad, mad, mad ecosystem out there, though.

The author's sentiments go completely off rails by the end of this, however. It's almost eery. What is there to possibly trust?

...nerds and social outcasts...maintaining core infrastructure...

You say that like it's a bad thing?

Alan Kay made an excellent point. In order not to dilute it, I quote him verbatim.

"The Internet was done so well that most people think of it as a natural resource like the Pacific Ocean, rather than something that was man-made. When was the last time a technology with a scale like that was so error-free? The Web, in comparison, is a joke. The Web was done by amateurs."-- Alan Kay.

Tim Berners Lee was trained to be a physicist. He wasn't aware of the things computer scientists had learned in the last few decades. He was a clever man who came up with a clever idea, but it wasn't engineered to scale.

I think Kay is right, and more ambitious tech firms are definitely running up against this wall. The fact that Google wrote a new Javascript engine tells me that Kay's proposal, where the web should have been like an operating system on which you could run programs in a separate address space and with limited access to underlying system calls - is coming to pass, except in this OS the assembly is Javascript.

The www is fine. TBL shouldn't be blamed for the horrible mess that it turned into as people kludged it to do things stupidly and inelegantly.

Yenc binaries on Usenet are stupid an inelegant yet petabytes of stuff have been shifted around on Usenet servers.

Humans are creative and capable of trashing almost any RFC no matter how well written it was.

It's alarming to me just how many supposedly "secure" websites follow such awful practices, such as:

- Using HTTPS only for the login or purchase page, and sending the user to plain-old HTTP for everything else

- And to make the above even worse, storing passwords in plain text in a cookie

- Disallowing certain characters in passwords, or forcing passwords to be under a certain length

- Allowing people to reset passwords from the browser with just one answer to a security question, i.e. not even sending a confirmation email

- Not supporting any form of two-factor authentication

The question I keep asking myself lately is, is there a better method to authentication than just plain ole' passwords? There are other systems that we're starting to see now being used more often in consumer devices, such as RFID and fingerprint/face scanners, but those have some obvious weaknesses as well.

OpenID?
Let's not get started on those who implement that poorly.

I was signing up for a site that took openid the other day- and then after confirming access - I was returned to the site. There, I was prompted for email, first/last name, and 2x password to use on the site, in order to complete my registration. (This email and password would be my future login.)

Nothing quite like implementing a buzzword while missing the point completely...

OpenID is not quite good enough.

Persona on the other hand is what you want, long term. Mozilla did everything right.

That is, everything except marketing it properly. And abandoning it... sigh.

Ultimately, we'll probably have to adjust our culture to the fact that the combination of technology and capitalism sooner or later leads to the end of privacy. It's going to be a long, difficult and certainly painful path and there will be victims. But if the current trend continues, there will be a time where everybody will be able to know almost anything about anybody, anytime.

Edit: And if we really have a problem with this, we better start our engines.

It doesn't have to mean that. Think of war. Defense is often developed in response to offense. Medicine is developed in response to injury. Sometimes in history, defense & medicine lag far behind weapons. Sometimes the gap is much smaller.

Privacy is impacted because we are rushing ahead, advancing our sharing & social & etc technologies. We aren't developing privacy & security fast enough to keep pace. So while it is that way right now, must it be?

The problem is that sharing and social technologies attract more resources than privacy technologies because it's easier to make money when you know as much as possible about your users.
If that's truly what the implication of mixing technology and capitalism is, I'd much rather have my privacy. Even if you don't care about privacy, enabling people who don't have the decency to respect the rights of others is a very slippery slope; it could expand to more things very quickly.