SKS Keyserver Network Under Attack

[Mark Rousell]

On 01/07/2019 10:54, Robert J. Hansen wrote:
>> I think not.
> Thankfully we live in free societies where dissent is allowed: on good
> days, even tolerated and encouraged.  You're wrong, of course, but
> please understand I encourage you to be wrong.  :)
>
> Also, if it isn't clear: although I emphatically disagree with you, this
> is not a personal dispute.  I plan on turning your idea into a pinata,
> but on a personal level as far as I'm concerned there's nothing but
> peace between us.

I can see that you are (rightly and understandably) very, very angry
that this has been done and that you have been personally targetted but
it nevertheless seems to me that it is not a childish act. Its very
carefully targetted nature strongly suggests to me that is was done to
produce specific results (which should actually be beneficial for the
community as a whole).

This does not mean that I condone the act. I do not! It was a bad thing
to do in this form.

>
>> You yourself say that the SKS system has had known problems for well 
>> over a decade and yet nothing has been done about it.
> No.  No.  No.  I have not said that.  In the last ten years the
> sks-devel at nongnu.org community has explored pretty thoroughly the
> problem space and concluded it cannot be solved at the SKS level, given
> the community's level of manpower and funding.

And yet, despite this, SKS is still in use and not currently fully
replaceable, as I understand it.

Is that not a problem of inertia? It certainly seems like it to me. No
natter what the issue of lack of manpower or lack of funding, if these
have not been overcome in 10+ years despite there being widely
recognised problems then that's inertia. (No, this is not
"victim-blaming". Read on for why not).

However, all is not so dark as it might seem. You go to say...

> In a very real sense, WKD, Autocrypt, Hagrid, dkg's work in
> abuse-resistant keyservers, and so forth, all sprang from the sks-devel
> community's recognition of the problem and the inability of SKS to
> effectively fix it.  If SKS were in better shape it's likely none of
> those projects would have ever started.

But this is good. It means that, in large part, inertia has in fact been
overcome from new directions. People have contributed to improving
things through innovation and new approaches.

It just needs to go that little bit further, it seems.

> There is a line of thinking which I find to be morally appalling, and
> you describe it quite clearly in your footnote:
>
>> 1: You referred to this inertia as "powerful technical and social 
>> factors" which is true but they still represent a bug, not a
>> feature. These factors are in effect societal excuses, not legitimate
>> reasons for lack of action.
> If the sks-devel community has repeatedly made it clear over the course
> of a decade that "we lack both the manpower and the financial resources
> to fix this problem", never receives manpower or financial resources,
> and then ten years later this happens... our reward is to be
> victim-blamed?  "If you were really serious you would've done something
> by now"?

Don't be silly. I was merely pointing out how change is sometimes needed
to overcome roadblocks. In corporate circles they (annoyingly enough)
call it "thinking out of the box".

Furthermore, I am not "victim-blaming" as you claim. Lack of manpower
and funding is not what I regard as victimhood. Lack of manpower and/or
finding is just normal life for many, many projects or human endeavours
and is a natural and normal issue that needs to be overcome somehow for
any project or endeavour of almost any type to initially succeed and
then to be maintained.

In my own case, I am involved in a project that I would dearly like to
do better and it is in fact held back by lack of both manpower and
funding. However, when people tell me that I need to overcome these
issues, no matter how difficult they are to overcome, I do not claim
victimhood or say that my critic is "victim-blaming" me. Instead I agree
and ask my critic for possible sources of manpower or funding, or for
other ways to address the issues that the project is intended to solve.
And you will note in the footnote I did in fact mention an initiative
that Eric S. Raymond is working on that might, at least in part, address
issues of funding. So I have not made the mistake of criticising without
at least offering some possible solution to the obvious problem.

>
>> of this community, they have brought absolutely unavoidable attention
>> to the fact that something needs to be done *now*.
> At a tremendous price.  A price that I, and many others, think is
> morally appalling.  These people are not our friends and have done us no
> favors.

Time will tell. Do you think that something substantive will now be done
that could not be done before because of previous lack of manpower or
funding?

Sometimes, the obvious and undeniable existence and public highlighting
of an egregious flaw prompts the new availability of manpower and/or
funding that was not available before because the flaw was too easy to
ignore. It does look to me as if this is what might now happen.

You (and others) should not have been the victims to make this happen,
of course. That was unfair, wrong, and criminal.

>
>> Good can come of this attack on you and DKG.
> I seem to recall people saying the same after 9/11: that yes it was a
> horrific thing, but that "good can come of this tragedy".

I think that this is something of an extreme comparison, and extreme
comparisons always stretch reason. Nevertheless, I'll go along with it
for now: In truth, some good did come of 911. But, yes, the world would
certainly have been better off if 911 had never happened.

However, the issue at hand here is a little different. There has been no
widespread attack. It's been targetted. I say again that the attack
being targetted does not excuse it but it does mean that the dynamics of
the situation are very different. In this case, unlike 911, a very
specific and very longstanding (you did say that it has been very
longstanding) flaw has been publicly and undeniably highlighted. This
could provide, and most certainly *should* provide, the catalyst for
something new to be done; a new incentive, new motivation, new urgency.

> But it is also barbarous to claim the good
> that may come out of a horror should be counted to the horror's credit.

I did not "credit" the horror. In fact I said that it was probably
criminal! It was a bad thing to do to you!

And yet, no matter how bad it was, it does seem that the attacker's
motivation is blindingly obvious and that good things definitely can and
*should* come of this shock to the system. The inertia to which I
referred was and is real.

And, let's face it, it's not as bad as either 911 or a suicide. This is
bad, but it's not a disaster. And a disaster *can* still be avoided in
this context. At risk of sounding like a politician, this is a wakeup call.


-- 
Mark Rousell

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190701/e532d25e/attachment.html>