Hi, John:
0) Thanks for sharing your thoughts. The IoT identification (IP address)
versus privacy is a rather convoluted topic. It can quickly get
distracted and diluted if we look at it by piecemeal. Allow me to go
through an overview to convey my logic.
1) It is true that a dynamic IoT identification is harder to track down
than a static one, thus providing some sense of privacy or security,
theoretically. This went well with the need for dynamic practice due to
the limited IPv4 address pool. So, this idea sank deep into most
people's mind as inherent for the Internet.
2) It turned out that there were many ways (as you eluded to) to track
down an IoT even with a dynamic address. There was a classical research
paper that outlined various techniques to do so:
https://www.ccsl.carleton.ca/paper-archive/muir-computingsurveys-09.pdf
To save your time, I extracted part of its conclusions as below:
"6 Concluding Remarks ... while some commercial organizations have
claimed that they can do it with 99% accuracy. … It’s meant for the 99
percent of the general public who are just at home surfing. … We note
that even if accurate IP geolocation is possible for 99% of IP
addresses, if the remaining 1% is fixed and predictable by an adversary,
and such that the adversary can place themselves within this subspace,
then they can evade geolocation 100% of the time. …"
We do not need to check its validity quantitatively, today, because
technology has advanced a lot. However, it is probably still pretty
accurate qualitatively, judging by how successful "targeted marketing"
is, while how hard various perpetrators may be identified, not to
mention physically locating one.
3) As long as the general public embrace the Internet technologists'
promise of privacy by dynamic addressing, however, the LE (Law
Enforcement) agencies have the excuse for exercising mass surveillance
that scoops up everything possible from the Internet for offline
analysis. Big businesses have been doing the same under the same cover.
So, most people end up without privacy anyway. (Remember the news that
German Chancellor's phone call was somehow picked up by the NSA of US?
For anyone with a little imagination, it was a clear hint for the tip of
an iceberg.).
4) Static communication terminal (IoT) identification practice will
remove a significant number of entities (the 99%) from LE's monitor
operation, enabling them to focus on the 1% as well as requiring them to
submit justification for court order before doing so. The last part has
disappeared under the Internet environment. See URL below for an
example. The static IP address practice will simplify the whole game.
That is, the LEs can do their job easier, while the general public will
get the legally protected privacy back.
https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/
Regards,
Abe (2022-07-27 23:28 EDT)
On 2022-07-24 13:57, John Curran wrote:
On 24 Jul 2022, at 10:20 AM, Abraham Y. Chen<[email protected]> wrote:
Hi, John:
1) "... dynamically assigned IP address space can still be tracked back to a given
system ... ": I fully agree with this statement. However,
A. You overlooked the critical consideration of the response time. If this
can not be done in real time for law enforcement purposes, it is meaningless.
Abe -
That’s correct - but that does not require having static addresses to
accomplish (as you postulated earlier),
rather it just requires having appropriately functioning logging apparatus.
B. Also, the goal is to spot the specific perpetrator, not the "system" which is too
general to be meaningful. In fact, this would penalize the innocent users who happen to be on the
same implied "system".
Yes, it is quite obvious that a degree of care is necessary.
C. In addition, for your “whack-a-mole” metaphor, the party in charge is
the mole, not the party with the mallet. It is a losing game for the mallet
right from the beginning.
As with all enforcement, it is a question on changing to breakeven point
calculation on incentives & risks
for the would be perpetrators, and presently there’s almost nearly no risk
involved.
So, the current Internet practices put us way behind the starting line even
before the game. Overall, this environment is favored by multi-national
businesses with perpetrators riding along in the background. When security is
breached, there are more than enough excuses to point the finger to. No wonder
the outcome has always been disappointing for the general public.
Indeed.
2) What we need to do is to reverse the roles in every one of the above
situations, if we hope for any meaningful result, at all. The starting point is
to review the root differences between the Internet and the traditional
communication systems. With near half a century of the Internet experience, we
should be ready to study each issue from its source, not by perpetuating its
misleading manifestations.
That’s one possible approach, although before becoming too enamored with it, it
is probably worth remembering]
that the “traditional communication systems” have also suffered from similar
exploits occasion (they’ve been fewer
in number, but then again, the number of connected devices was also several
orders of magnitude smaller.)
Thanks,
/John
Disclaimer: my views alone – use caution - contents may be hot!
...
On 2022-07-24 07:27, John Curran wrote:
Abe -
Static versus dynamic address assignment isn’t the problem - dynamically
assigned IP address space can
still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269
for discussion of the
requirements and various related issues.)
Tracking back to a particular server doesn’t really matter if all that happens
is that the service is terminated
(as the culprit will simply appear elsewhere in the Internet with a new
connection/server and start over.)
Alas, the situation doesn’t change unless/until there’s a willingness to engage
law enforcement and pursue
the attackers to prevent recurrence. This is non-trivial, both because of the
skills necessary, the volume of
attacks, the various jurisdictions involved, etc. – but the greatest obstacle
is simply the attitude of “Why bother,
that’s just the way it is…”
With zero effective back pressure, we shouldn’t be surprised as frequency of
attempts grows without bound.
Thanks,
/John
Disclaimers: my views alone – no one else would claim them. Feel free to
use/reuse/discard as you see fit.
--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
