Hi, John: 0) Thanks for sharing your thoughts. The IoT identification (IP address) versus privacy is a rather convoluted topic. It can quickly get distracted and diluted if we look at it by piecemeal. Allow me to go through an overview to convey my logic. 1) It is true that a dynamic IoT identification is harder to track down than a static one, thus providing some sense of privacy or security, theoretically. This went well with the need for dynamic practice due to the limited IPv4 address pool. So, this idea sank deep into most people's mind as inherent for the Internet. 2) It turned out that there were many ways (as you eluded to) to track down an IoT even with a dynamic address. There was a classical research paper that outlined various techniques to do so: https://www.ccsl.carleton.ca/paper-archive/muir-computingsurveys-09.pdf To save your time, I extracted part of its conclusions as below: "6 Concluding Remarks ... while some commercial organizations have claimed that they can do it with 99% accuracy. … It’s meant for the 99 percent of the general public who are just at home surfing. … We note that even if accurate IP geolocation is possible for 99% of IP addresses, if the remaining 1% is fixed and predictable by an adversary, and such that the adversary can place themselves within this subspace, then they can evade geolocation 100% of the time. …" We do not need to check its validity quantitatively, today, because technology has advanced a lot. However, it is probably still pretty accurate qualitatively, judging by how successful "targeted marketing" is, while how hard various perpetrators may be identified, not to mention physically locating one. 3) As long as the general public embrace the Internet technologists' promise of privacy by dynamic addressing, however, the LE (Law Enforcement) agencies have the excuse for exercising mass surveillance that scoops up everything possible from the Internet for offline analysis. Big businesses have been doing the same under the same cover. So, most people end up without privacy anyway. (Remember the news that German Chancellor's phone call was somehow picked up by the NSA of US? For anyone with a little imagination, it was a clear hint for the tip of an iceberg.). 4) Static communication terminal (IoT) identification practice will remove a significant number of entities (the 99%) from LE's monitor operation, enabling them to focus on the 1% as well as requiring them to submit justification for court order before doing so. The last part has disappeared under the Internet environment. See URL below for an example. The static IP address practice will simplify the whole game. That is, the LEs can do their job easier, while the general public will get the legally protected privacy back. https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrori... Regards, Abe (2022-07-27 23:28 EDT) On 2022-07-24 13:57, John Curran wrote:
On 24 Jul 2022, at 10:20 AM, Abraham Y. Chen<aychen@avinta.com> wrote:
Hi, John:
1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However, A. You overlooked the critical consideration of the response time. If this can not be done in real time for law enforcement purposes, it is meaningless. Abe -
That’s correct - but that does not require having static addresses to accomplish (as you postulated earlier), rather it just requires having appropriately functioning logging apparatus.
B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".
Yes, it is quite obvious that a degree of care is necessary.
C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.
As with all enforcement, it is a question on changing to breakeven point calculation on incentives & risks for the would be perpetrators, and presently there’s almost nearly no risk involved.
So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger to. No wonder the outcome has always been disappointing for the general public.
Indeed.
2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful result, at all. The starting point is to review the root differences between the Internet and the traditional communication systems. With near half a century of the Internet experience, we should be ready to study each issue from its source, not by perpetuating its misleading manifestations. That’s one possible approach, although before becoming too enamored with it, it is probably worth remembering] that the “traditional communication systems” have also suffered from similar exploits occasion (they’ve been fewer in number, but then again, the number of connected devices was also several orders of magnitude smaller.)
Thanks, /John
Disclaimer: my views alone – use caution - contents may be hot!
...
On 2022-07-24 07:27, John Curran wrote:
Abe -
Static versus dynamic address assignment isn’t the problem - dynamically assigned IP address space can still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269 for discussion of the requirements and various related issues.)
Tracking back to a particular server doesn’t really matter if all that happens is that the service is terminated (as the culprit will simply appear elsewhere in the Internet with a new connection/server and start over.)
Alas, the situation doesn’t change unless/until there’s a willingness to engage law enforcement and pursue the attackers to prevent recurrence. This is non-trivial, both because of the skills necessary, the volume of attacks, the various jurisdictions involved, etc. – but the greatest obstacle is simply the attitude of “Why bother, that’s just the way it is…”
With zero effective back pressure, we shouldn’t be surprised as frequency of attempts grows without bound.
Thanks, /John
Disclaimers: my views alone – no one else would claim them. Feel free to use/reuse/discard as you see fit.
-- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus