[IP] more on Free Speech fading at UC Berkeley

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] more on Free Speech fading at UC Berkeley
From: David Farber <dave@xxxxxxxxxx>
Date: Wed, 4 May 2005 18:57:02 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <42793BC8.6020304@xxxxxxxx>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: "David P. Reed" <dpreed@xxxxxxxx>
Date: May 4, 2005 5:16:56 PM EDT
To: Paul Biggar <paul.biggar@xxxxxxxxx>
Cc: dave@xxxxxxxxxx
Subject: Re: [IP] Free Speech fading at UC Berkeley

Dave - no need to post this unless you think it adds to thediscussion. I am not sure.

Paul - I have in the past objected to firewalls, just in case that issurprising to you. (for an example from 1996, see http://www.reed.com/Thoughts%20and%20comments/CDAe2e.html) You may find that absurd, it'syour right. But in fact it breaks a fundamental principle of theInternet, creating "walled gardens".

Now if there were a real danger, and no cost, that would be at leastreasonable. However, firewalls do NOT achieve security, and whatthey do achieve is achievable other ways (as I alluded in the blogposting, the end user can authenticate every packet, given anappropriate operating system). The fact is that end-to-end securesystems have been possible since 1976, whereas firewalls have beenknown not to provide security ever since Bellovin and Cheswick'sfirst book on the subject.

Making an analogy with putting the police on every corner provesnothing. The policemen cannot read intent - their positioning onthe corner is merely another symbol of an applicable legalstructure. If the police viewed their job as stopping and searchingeverybody who enters a town (all actions forbidden unless explicitlyauthorized), the analogy would be closer. Similarly, the advancepermission (whether it is asking for permission to publish a book, orto make a speech in a public square) may be granted routinely, butits requirement is noxious.

Berkeley CS's policy does not block only port 80, but *all* TCP andUDP ports, 0-65535 inclusive. This means that if I send a packetadvertising a private address, which I will authenticate by a cryptokey, I *still* have to ask permission first.

The interposition of a firewall is only one possible response toproblems - as I suggested in my carefully written, but brief, piece,in my opinion, it is the wrong one. And coming from a leadingacademic CS department, including people who should know better,choosing the wrong answer shows lack of care and verges on dangerousas it will surely be a small precedent for others who have lesstechnical skill.





-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on Free Speech fading at UC Berkeley
Next by Date: Anti-piracy campaign from BSA finds first university participant [ip]
Previous by thread: [IP] more on Free Speech fading at UC Berkeley
Next by thread: [IP] more on "TCP Port Lock-down" & Free-speech @ UCB]
Index(es):
- Date
- Thread