OpenBSD version: Not relevant here...
Arch:            ?
NSFP:            Well...

« Read proposition 1 <> Read proposition 3 »

So, the first proposition was about how we need more care in running systems. This one is about where a lack of care has lead us: The increasing centralization of the Internet, with just a handfull of large platforms (Google, Amazon, MS Azure et al.) hosting the majority of infrastructure, or–like cloudflare–being a shield in front of that infrastructure. In turn, we find power centralizing along content into the hands of these few corporations, which may threaten core values of an open society.

Proposition 2

“The centralization of the Internet has been promoted by a lack of care.”

So, what is this about? Why did a lack of care lead to everyone running into the arms of a few big platforms?

In general, the early Internet used to be a rather collaborative network, and that also showed in the protocols that were developed for it. For example, initial visions of SMTP assumed open relays being the default, and DNS–as a UDP based protocol–neglected the issue of spoofing. Over time, with the Internet becoming a more hostile, more _‘one’s own benefit’_focused place, these features turned from useful to dangerous. Especially the abuse of DNS and similar protocols from the same era gave rise to large-scale Denial-of-Serivce (DoS) attacks.

Now, preventing large scale amplification attacks is technically surprsingly simple: You just have to make sure noone runs systems on the Internet that can be used as amplifiers, and people should prevent spoofing from their networks. The problem there is that running an amplifier usually does not have significant impact on ones own network. It is the conglomerate of thousands of amplifiers sending packets that takes down networks. Operators have to care for the impact their own stuff has on others. Similarly, letting some spoofed packets out does not really harm yourself. After all, the idea behind amplification attacks is that the packets going out are… well, small.

Similarly, in the case of IoT devices and CPE’s that can serve as amplifiers vendors have to care about fixing something that does not necessarily impact their customers. If your IoT camera participates in a DoS, you will most likely not even notice it. Why should you care if it does not affect you? Why should the vendor care, if the entity that pays them is not affected?

Well, obviously, everyone should care because, on a larger scale, this affects the infrastructure we all rely on. But… that is the issue with caring. You have to do it, usually without directly visible benefit for yourself. It is ‘just’ about doing the right thing.

This prevalence of high-bandwidth DoS attacks–arisen from a lack of care–then essentially made it impossible to reliably run a service that is not shielded by the ‘just having a bigger pipe’ of a hypergiant (like Cloudflare, Amazon or Google). If you don’t want to be impacted by others’ lack of care (and potentially your own), you now have to make the decission to follow the path of migrating behind a hypergiant that shields you from that lack of care. And this is besides all the existing economic incentives of centralization and cloudification.

So, in summary, as DoS attacks are enabled by careless system administration, like operators that leave amplifiers readily connected to the Internet and allow spoofing addresses on their network, or vendors that roll out carelessly thrown together IoT devices, shipped with default credentials. It has become common to provide services and run infrastructure without taking responsibility and caring for its impact on others. And we are all paying the price in the form of centralization, with all its implications.