Let me set the stage. First, Internet governance.
Too often the Internet governance debate is reduced to the following. One side is characterized as "multi-stakeholder," consisting of various nongovernmental parties with overlapping agendas, like ICANN, IANA, IETF, etc. This side is often referred to as "the West" (thanks to the US, Canada, Europe, etc. being on this side), and is considered a proponent of an "open" Internet. The other side aligns with state governments and made its presence felt at the monumental December 2012 ITU World Conference on International Telecommunications (WCIT) meeting. This side is often referred to as "the East" (thanks to Russia, China, the Middle East, etc.), and is considered a proponent of a "closed" or "controlled" Internet.
Continuing to set the stage, let me now mention theft of secret documents.
One of the critiques of Edward Snowden runs as follows. He took documents of his own accord, claiming he had the right to do so because of the "egregious" nature of what he found (or was sent to find). Critics reply that "no one elected Edward Snowden," and that the programs he exposed were authorized by all three branches of the US government. Because that government is elected by the people, one could say the government speaks on behalf of the people, while Snowden acts only on his own behalf.
Here's the problem.
If you believe that elected governments are the proper forum for expressing the wishes of their people, you should have a difficult time defending a "multi-stakeholder" model that puts groups like ICANN, IANA, IETF, etc. on equal footing (or even above) representatives of elected governments. If you believe in the primacy of the democratic system, you should also believe forums of elected representatives are the proper place to debate and decide Internet governance.
That chain of logic means Western democracies that support representative government should view government-centric bodies like the ITU, a UN agency, in a more favorable light than they do at present. After all, who created the UN? Where is the organization's headquarters? Who pays its bills?
You probably detect the "escape hatch" for the multi-stakeholder proponents: my use of the term "elected governments." If a regime was not properly elected by its people, it should not have the right to speak for them. This applies to governments such as those in the People's Republic of China. Depending on your view of the legitimacy of the Russian election process, it may or may not apply to Russia. You can extend the argument as necessary to other countries.
The bottom line is this: be careful promoting multi-stakeholder Internet governance at the expense of representation by elected governments, if you also feel that Edward Snowden has no right to contravene the decision of a properly elected American government.
PS: If you want to know more about WCIT, try reading Summary Report of the ITU-T World Conference on International Telecommunications by Robert Pepper and Chip Sharp.
But the latest revelations scare me. It's one thing to find and exploit vulnerabilities in software; there's a lot of software out there which was written by developers with very little understanding of cryptography or software security, and it shows. If you care about security, we reasoned, stick to software written by people who know what they're doing — indeed, when I talk to users of Tarsnap, my online backup service, one of the most common things I hear is "you're good at security, so we know your code will keep our data safe". That reasoning is now clearly flawed: We now have evidence that the NSA is deliberately sabotaging online security — influencing (and weakening) cryptographic standards, bribing companies to insert "back doors" into their software, and even sending developers to "accidentally" insert bugs into products. It's not enough to trust that I know what I'm doing: You have to trust that I'm not secretly working for the NSA.
The folks at BSDNow interview Benedict Reuschling of FreeBSD and provide their take on the week's BSD news.
The vulnerability known as CVE-2014-3956 could allow local users to interfere with open SMTP connections, and it is strongly advised that any sendmail users out there patch their systems without undue delay.
Patches are available for OpenBSD 5.4 and OpenBSD 5.5 as patch 011 and patch 007 respectively.
It is worth noting that from OpenBSD 5.6 onwards (to be released November 1st, 2014), OpenBSD's own OpenSMTPD will be the default MTA.
Earlier today the OpenSSL project released multiple upgrade versions with fixes for several recently reported bugs in their code base.
The most noteworthy thing is not that the OpenSSL project fixes bugs, but rather that information about the bugs had been privately communicated in advance to a list of vendors that did not include OpenBSD. A seclists discussion reveals the full timeline, while the OpenBSD community's reaction can be gauged by this thread on misc@.
Otto Moerbeek (otto@) continues his mastery of all things memory allocation, extending some of the libc malloc features to ld.so(1):
ld.so has a very basic malloc. This diff changes it to use a (somewhat stripped) libc malloc with all the randomization and other goodness.