The New Feudalism

[The Lawspeaker]

Are Mark Zuckerberg and Jeff Bezos the new feudal elite? Anand Giridharadas talks to INET President Rob Johnson about how the titans of Silicon Valley use “philanthropy” to control more of our lives.

[JamesBond007]

You Have No Control Over Security on the Feudal Internet

Originally published in Harvard Business Review, June 6, 2013

Facebook regularly abuses the privacy of its users. Google has stopped supporting its popular RSS feeder. Apple prohibits all iPhone apps that are political or sexual. Microsoft might be cooperating with some governments to spy on Skype calls, but we don't know which ones. Both Twitter and LinkedIn have recently suffered security breaches that affected the data of hundreds of thousands of their users.

If you've started to think of yourself as a hapless peasant in a Game of Thrones power struggle, you're more right than you may realize. These are not traditional companies, and we are not traditional customers. These are feudal lords, and we are their vassals, peasants, and serfs.

Power has shifted in IT, in favor of both cloud-service providers and closed-platform vendors. This power shift affects many things, and it profoundly affects security.

Traditionally, computer security was the user's responsibility. Users purchased their own antivirus software and firewalls, and any breaches were blamed on their inattentiveness. It's kind of a crazy business model. Normally we expect the products and services we buy to be safe and secure, but in IT we tolerated lousy products and supported an enormous aftermarket for security.

Now that the IT industry has matured, we expect more security “out of the box.” This has become possible largely because of two technology trends: cloud computing and vendor-controlled platforms. The first means that most of our data resides on other networks: Google Docs, Salesforce.com, Facebook, Gmail. The second means that our new Internet devices are both closed and controlled by the vendors, giving us limited configuration control: iPhones, ChromeBooks, Kindles, Blackberries. Meanwhile, our relationship with IT has changed. We used to use our computers to do things. We now use our vendor-controlled computing devices to go places. All of these places are owned by someone.

The new security model is that someone else takes care of it—without telling us any of the details. I have no control over the security of my Gmail or my photos on Flickr. I can't demand greater security for my presentations on Prezi or my task list on Trello, no matter how confidential they are. I can't audit any of these cloud services. I can't delete cookies on my iPad or ensure that files are securely erased. Updates on my Kindle happen automatically, without my knowledge or consent. I have so little visibility into the security of Facebook that I have no idea what operating system they're using.

There are a lot of good reasons why we're all flocking to these cloud services and vendor-controlled platforms. The benefits are enormous, from cost to convenience to reliability to security itself. But it is inherently a feudal relationship. We cede control of our data and computing platforms to these companies and trust that they will treat us well and protect us from harm. And if we pledge complete allegiance to them—if we let them control our email and calendar and address book and photos and everything—we get even more benefits. We become their vassals; or, on a bad day, their serfs.

There are a lot of feudal lords out there. Google and Apple are the obvious ones, but Microsoft is trying to control both user data and the end-user platform as well. Facebook is another lord, controlling much of the socializing we do on the Internet. Other feudal lords are smaller and more specialized—Amazon, Yahoo, Verizon, and so on—but the model is the same.

To be sure, feudal security has its advantages. These companies are much better at security than the average user. Automatic backup has saved a lot of data after hardware failures, user mistakes, and malware infections. Automatic updates have increased security dramatically. This is also true for smallorganizations; they are more secure than they would be if they tried to do it themselves. For large corporations with dedicated IT security departments, the benefits are less clear. Sure, even large companies outsource critical functions like tax preparation and cleaning services, but large companies have specific requirements for security, data retention, audit, and so on—and that's just not possible with most of these feudal lords.

Feudal security also has its risks. Vendors can, and do, make security mistakes affecting hundreds of thousands of people. Vendors can lock people into relationships, making it hard for them to take their data and leave. Vendors can act arbitrarily, against our interests; Facebook regularly does this when it changes peoples' defaults, implements new features, or modifies its privacy policy. Many vendors give our data to the government without notice, consent, or a warrant; almost all sell it for profit. This isn't surprising, really; companies should be expected to act in their own self-interest and not in their users' best interest.

The feudal relationship is inherently based on power. In Medieval Europe, people would pledge their allegiance to a feudal lord in exchange for that lord's protection. This arrangement changed as the lords realized that they had all the power and could do whatever they wanted. Vassals were used and abused; peasants were tied to their land and became serfs.

It's the Internet lords' popularity and ubiquity that enable them to profit; laws and government relationships make it easier for them to hold onto power. These lords are vying with each other for profits and power. By spending time on their sites and giving them our personal information—whether through search queries, e-mails, status updates, likes, or simply our behavioral characteristics—we are providing the raw material for that struggle. In this way we are like serfs, toiling the land for our feudal lords. If you don't believe me, try to take your data with you when you leave Facebook. And when war breaks out among the giants, we become collateral damage.

So how do we survive? Increasingly, we have little alternative but to trust someone, so we need to decide who we trust—and who we don't—and then act accordingly. This isn't easy; our feudal lords go out of their way not to be transparent about their actions, their security, or much of anything. Use whatever power you have—as individuals, none; as large corporations, more—to negotiate with your lords. And, finally, don't be extreme in any way: politically, socially, culturally. Yes, you can be shut down without recourse, but it's usually those on the edges that are affected. Not much solace, I agree, but it's something.

On the policy side, we have an action plan. In the short term, we need to keep circumvention—the ability to modify our hardware, software, and data files—legal and preserve net neutrality. Both of these things limit how much the lords can take advantage of us, and they increase the possibility that the market will force them to be more benevolent. The last thing we want is the government—that's us—spending resources to enforce one particular business model over another and stifling competition.

In the longer term, we all need to work to reduce the power imbalance. Medieval feudalism evolved into a more balanced relationship in which lords had responsibilities as well as rights. Today's Internet feudalism is both ad-hoc and one-sided. We have no choice but to trust the lords, but we receive very few assurances in return. The lords have a lot of rights, but few responsibilities or limits. We need to balance this relationship, and government intervention is the only way we're going to get it. In medieval Europe, the rise of the centralized state and the rule of law provided the stability that feudalism lacked. The Magna Carta first forced responsibilities on governments and put humans on the long road toward government by the people and for the people.

We need a similar process to rein in our Internet lords, and it's not something that market forces are likely to provide. The very definition of power is changing, and the issues are far bigger than the Internet and our relationships with our IT providers.

JULIAN: I posed the question of what the most positive trajectory for the future would look like. Self-knowledge, diversity, and networks of self-determination. A highly educated global population—I do not mean formal education, but highly educated in their understanding of how human civilization works at the political, industrial, scientific and psychological levels—as a result of the free exchange of communication, also stimulating vibrant new cultures and the maximal diversification of individual thought, increased regional self-determination, and the self-determination of interest groups that are able to network quickly and exchange value rapidly over geographic boundaries. And perhaps that has been expressed in the Arab Spring and the pan-Arab activism which was potentiated by the internet. In our work with Nawaat.org, who created Tunileaks, pushing the State Department cables past the regime’s censorship into pre-revolutionary Tunisia, we saw first-hand the terrific power of the network for moving information to where it is needed, and it was tremendously rewarding to have been in a position, because of our efforts, to contribute to what was starting to happen there.129 I do not perceive that struggle for self-determination as distinct from our own.

This positive trajectory would entail the self-knowing of human civilization because the past cannot be destroyed. It would mean the inability of neo-totalitarian states to arise in practice because of the free movement of information, the ability for people to speak to each other privately and conspire against such tendencies, and the ability for micro-capital to move without control away from such places which are inhospitable to human beings.

From those underpinnings you can build a wide variety of political systems. Utopia to me would be a dystopia if there was just one. I think Utopian ideals must mean the diversity of systems and models of interaction. If you look at the churning development of new cultural products and even language drift, and sub-cultures forming their own mechanisms of interaction potentiated by the internet, then yes I can see that that does open this possible positive path.

But I think in all probability tendencies to homogenization, universality, the whole of human civilization being turned into one market, mean you will have normal market factors such as one market leader, one second, a third niche player, and then stragglers that don’t make any difference at all, for every service and product. I think it will perhaps mean massive language homogenization, massive cultural homogenization, massive standardization in order to make these rapid interchanges efficient. So I think the pessimistic scenario is also quite probable and the transnational surveillance state and endless drone wars are almost upon us.

Actually I’m reminded of a time when I smuggled myself into Sydney Opera House to see Faust. Sydney Opera House is very beautiful at night, its grand interiors and lights beaming out over the water and into the night sky. Afterwards I came out and I heard three women talking together, leaning on the railing overlooking the darkened bay. The older woman was describing how she was having problems with her job, which turned out to be working for the CIA as an intelligence agent, and she had previously complained to the Senate Select Committee for Intelligence and so on, and she was telling this in hushed tones to her niece and another woman. I thought, “So it is true then. CIA agents really do hang out at the Sydney opera!” And then I looked inside the Opera House through the massive glass panels at the front, and there in all this lonely palatial refinement was a water rat that had crawled up in to the Opera House interior, and was scurrying back and forth, leaping on to the fine linen-covered tables and eating the Opera House food, jumping on to the counter with all the tickets and having a really great time. And actually I think that is the most probable scenario for the future: an extremely confining, homogenized, postmodern transnational totalitarian structure with incredible complexity, absurdities and debasements, and within that incredible complexity a space where only the smart rats can go.

That’s a positive angle on the negative trajectory, the negative trajectory being a transnational surveillance state, drone-riddled, the networked neo-feudalism of the transnational elite—not in a classical sense, but a complex multi-party interaction that has come about as a result of various elites in their own national countries lifting up together, off their respective population bases, and merging. All communications will be surveilled, permanently recorded, permanently tracked, each individual in all their interactions permanently identified as that individual to this new Establishment, from birth to death. That’s a major shift from even ten years ago and we’re already practically there. I think that can only produce a very controlling atmosphere. If all the collected information about the world was public that might rebalance the power dynamic and let us, as a global civilization, shape our destiny. But without dramatic change it will not. Mass surveillance applies disproportionately to most of us, transferring power to those in on the scheme who nonetheless, I think, will not enjoy this brave new world much either. This system will also coincide with a drones arms race that will eliminate clearly defined borders as we know them, since such borders are produced by the contestation of physical lines, resulting in a state of perpetual war as the winning influence-networks start to shake down the world for concessions. And alongside this people are going to just be buried under the impossible math of bureaucracy.

How can a normal person be free within that system? They simply cannot, it’s impossible. Not that anyone can ever be completely free, within any system, but the freedoms that we have biologically evolved for, and the freedoms that we have become culturally accustomed to, will be almost entirely eliminated. So I think the only people who will be able to keep the freedom that we had, say, twenty years ago—because the surveillance state has already eliminated quite a lot of that, we just don’t realize it yet—are those who are highly educated in the internals of this system. So it will only be a high-tech rebel elite that is free, these clever rats running around the opera house.

https://www.openbsd.org/

Security

See also: OpenBSD security features

Shortly after OpenBSD was created, De Raadt was contacted by a local security software company named Secure Networks (later acquired by McAfee).[28][29] They were developing a network security auditing tool called Ballista,[n 2] which was intended to find and exploit software security flaws. This coincided with De Raadt's interest in security, so the two cooperated leading up to the release of OpenBSD 2.3.[30] This collaboration helped to define security as the focus of the OpenBSD project.[31]

OpenBSD includes numerous features designed to improve security, such as:

Secure alternatives to POSIX functions in the C standard library, such as strlcat for strcat and strlcpy for strcpy[32]
Toolchain alterations, including a static bounds checker[33]
Memory protection techniques to guard against invalid accesses, such as ProPolice and the W^X page protection feature
Strong cryptography and randomization[34]
System call and filesystem access restrictions to limit process capabilities[4]

To reduce the risk of a vulnerability or misconfiguration allowing privilege escalation, many programs have been written or adapted to make use of privilege separation, privilege revocation and chrooting. Privilege separation is a technique, pioneered on OpenBSD and inspired by the principle of least privilege, where a program is split into two or more parts, one of which performs privileged operations and the other—almost always the bulk of the code—runs without privilege.[35] Privilege revocation is similar and involves a program performing any necessary operations with the privileges it starts with then dropping them. Chrooting involves restricting an application to one section of the file system, prohibiting it from accessing areas that contain private or system files. Developers have applied these enhancements to OpenBSD versions of many common applications, such as tcpdump, file, tmux, smtpd, and syslogd.[36]

OpenBSD developers were instrumental in the creation and development of OpenSSH, which is developed in the OpenBSD CVS repositories. OpenSSH is based on the original SSH.[37] It first appeared in OpenBSD 2.6 and is now by far the most popular SSH client and server, available on many operating systems.[38]

The project has a policy of continually auditing source code for problems, work that developer Marc Espie has described as "never finished ... more a question of process than of a specific bug being hunted." He went on to list several typical steps once a bug is found, including examining the entire source tree for the same and similar issues, "try[ing] to find out whether the documentation ought to be amended", and investigating whether "it's possible to augment the compiler to warn against this specific problem."

https://en.m.wikipedia.org/wiki/OpenBSD

Anonym.OS was a Live CD operating system based on OpenBSD 3.8 with strong encryption and anonymization tools. The goal of the project was to provide secure, anonymous web browsing access to everyday users. The operating system was OpenBSD 3.8, although many packages have been added to facilitate its goal. It used Fluxbox as its window manager.

The TAILs speciations :

https://tails.boum.org/contribute/design/

Running OpenBSD off a USB Stick

Introduction

This document describes how OpenBSD (obsd) can be installed and run off a USB stick without the need for a hard drive. Write operations to the USB stick are avoided.

We assume that the USB stick has a capacity of 512MB or more. In this case, the base installation fits well onto the stick and no pruning is required.

http://www.volkerroth.com/tecn-obsd-diskless.html



lladdr etheraddr|random

Change the link layer address (MAC address) of the interface. This should be specified as six colon-separated hex values, or can be chosen randomly :

NAME

ifconfig — configure network interface parameters
SYNOPSIS
ifconfig [-AaC] [interface] [address_family] [address [dest_address]] [parameters]
DESCRIPTION
....

https://man.openbsd.org/ifconfig

[JamesBond007]

[pulstar]

Somehow I missed that book, although I have Liar and Outliers and Click Here to Kill Everybody.

[JamesBond007]

Somehow I missed that book, although I have Liar and Outliers and Click Here to Kill Everybody.

Yeah, it is pretty good. It is a bunch of essays he wrote all on security so the book does have to be read in linear fashion and is bit sized articles for the internet age where people have short attention spans. The other stuff posted about OpenBSD is esoteric and assumes a lot of knowledge , to fill in the gaps , that people here simply do not have.

Therefore, a book for people here would be :

[pulstar]

Yeah, it is pretty good. It is a bunch of essays he wrote all on security so the book does have to be read in linear fashion and is bit sized articles for the internet age where people have short attention spans. The other stuff posted about OpenBSD is esoteric and assumes a lot of knowledge , to fill in the gaps , that people here simply do not have.

Therefore, a book for people here would be :

Yes, I know he's cryptography expert and an author of some block ciphers such as Twofish and Threefish. Now regarding more user-centric OS such as OpenBSD, Tails, Gentoo, or some others, I agree that most of the people around here won't find interest in it but I got to say technical knowledge/interest shown by some forum members already exceeded my expectations by an anthropological forum, as I was expected more normies not CS folks. Regarding Mitnicks book I also highly recommended it in another thread a couple of months ago. Its a good starting point.