From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id 611683CB37 for ; Wed, 11 Oct 2023 14:20:27 -0400 (EDT) Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-99c3c8adb27so17134466b.1 for ; Wed, 11 Oct 2023 11:20:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697048425; x=1697653225; darn=lists.bufferbloat.net; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=oW7bhYePZ0rG7OoZqcLn4BdGut2qOEuyYIpQD5dsiPU=; b=CSFdbTuJWxQeWA8KBpcusb3RUWujvFAPFW0UnKCSsT2xqoEi8PCGyeup7sCqSPLYVO mlUyxpvl9ExrigL3AjgMozIW9w8wKi7X77wjA4gRwqJ+IWudNISs8vKskUz5V0C0OEbd zTP5Kb3t3M8fR087v8hww+zhyHrrlkeAMsIQbiMNNX/qvTDxTgz6a7QBnWG7nBfTT7Go N1/KEYq9wHdjwmIHAoJtF70C48OJwVKwBJo5HjaGTLtkaXjexGRw62C4A4bWb+2bvCAS dEfEX3WPUzFmP7qEkMZuLUleq3bhaMqqs4QzwTxcf6Jfujwd76NePFKVJWQNaxLokQ7a NOaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697048425; x=1697653225; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oW7bhYePZ0rG7OoZqcLn4BdGut2qOEuyYIpQD5dsiPU=; b=usv4BaHuMKfGGIOSI0SliFLj0AX4DFpayzUzjyZvdhhW6SZixkDSzxCgCd4cGwFd5H oemNlt47MhZNGAb0e886EXQi1I364bOExNARiVJb0ZRHqfNQC/4Pd/ED5enUqvftiYpy JsxKajMGbPF/YCA8I7B+egDGeiTaGY7CJE0Mjvrsv1FSYKmSXpQ9MY/m4pwmznye/WOW Rzc/kj43NHemcb05chtp3VxxMVWiRKbakIJz56oc1mJ6STWgllOMXnV7jKILDfpT3ygp hk+1yOYQTqcxFM0daC79I8BYPh1ljeU7K5R+YqXONO20BG4IIuACQgZPCLhtLNUIexx3 PpsQ== X-Gm-Message-State: AOJu0YzrBSgPTCmmSMXAMNoYIRCT2kIHv3pia22P/geeJpuULQQb7UkO obDaKA0L3fglztq4euCN71kIM4/s6OUF+PRkxzs= X-Google-Smtp-Source: AGHT+IEmCA7QhZ2rXXsfUoz4gTVz18KEUN58WPNa2quPgpUKhEwW1EbS/vz/0ki8LMqNaz1cb2jFr1DoTZj8llpGaFA= X-Received: by 2002:a17:907:78c7:b0:9b7:2a13:1610 with SMTP id kv7-20020a17090778c700b009b72a131610mr18103218ejc.1.1697048425016; Wed, 11 Oct 2023 11:20:25 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "David Bray, PhD" Date: Wed, 11 Oct 2023 14:19:44 -0400 Message-ID: To: Dave Taht Cc: =?UTF-8?Q?Network_Neutrality_is_back=21_Let=C2=B4s_make_the_technical_asp?= =?UTF-8?Q?ects_heard_this_time=21?= , Nick Feamster Content-Type: multipart/alternative; boundary="0000000000008a30f7060774e0f7" Subject: Re: [NNagain] Internet Education for Non-technorati? X-BeenThere: nnagain@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: =?utf-8?q?Network_Neutrality_is_back!_Let=C2=B4s_make_the_technical_aspects_heard_this_time!?= List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2023 18:20:27 -0000 --0000000000008a30f7060774e0f7 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Are we talking about the one that modelled after the label from CMU (they showed some prototypes, there would be about 10-15 pieces of information on the label followed by a QR code to get the rest), here's a link - and the concerns I have apply to this: https://news.pantheon.cmu.edu/stories/archives/2023/july/cylab-presents-at-= white-houses-launch-of-new-iot-cybersecurity-labeling-system https://www.securityindustry.org/2023/09/12/the-fccs-u-s-cyber-trust-mark-p= roposal-what-it-means-for-the-security-industry/ On Wed, Oct 11, 2023 at 2:06=E2=80=AFPM Dave Taht wro= te: > I think y'all are conflating two different labels here. The nutrition > label was one effort, now being deploye, the other is cybersecurity, > now being discussed. > > On the nutrition front... > We successfully fought against "packet loss" being included on the > nutrition label, but as ghu is my witness, I have no idea if a formal > method for declaring "typical latency" was ever formally derived. > > > https://www.fcc.gov/document/fcc-requires-broadband-providers-display-lab= els-help-consumers > > On Wed, Oct 11, 2023 at 10:39=E2=80=AFAM David Bray, PhD via Nnagain > wrote: > > > > I was at a closed-door event discussing these labels about two weeks ag= o > (right before the potential government shutdown/temporarily averted for > now) - and it was non-attribution, so I can only describe my comments: > > > > (1) the labels risk missing the reality that the Internet and > cybersecurity are not steady state, which begs the question how will they > be updated > > (2) the labels say nothing about how - even if the company promises to > keep your data private and secure - how good their security practices are > internal to the company? Or what if the company is bought in 5 years? > > (3) they use QR-codes to provide additional info, yet we know QR-codes > can be sent to bad links so what if someone replaces a label with a bad > link such that the label itself becomes an exploit? > > > > I think the biggest risks is these we be rolled out, some exploit will > occur that the label didn't consider, consumers will be angry they weren'= t > "protected" and now we are even in worse shape because the public's trust > has gone further down hill, they angry at the government, and the private > sector feels like the time and energy they spent on the labels was for > naught? > > > > There's also the concern about how do startups roll-out such a label fo= r > their tech in the early iteration phase? How do they afford to do the ext= ra > work for the label vs. a big company (does this become a regulatory moat?= ) > > > > And let's say we have these labels. Will only consumers with the money > to purchase the more expensive equipment that has more privacy and securi= ty > features buy that one - leaving those who cannot afford privacy and > security bad alternatives? > > > > On Wed, Oct 11, 2023 at 1:31=E2=80=AFPM Jack Haverty via Nnagain < > nnagain@lists.bufferbloat.net> wrote: > >> > >> A few days ago I made some comments about the idea of "educating" the > >> lawyers, politicians, and other smart, but not necessarily technically > >> adept, decision makers. Today I saw a news story about a recent FCC > >> action, to mandate "nutrition labels" on Internet services offered by > ISPs: > >> > >> > https://cordcuttersnews.com/fcc-says-comcast-spectrum-att-must-start-disp= laying-the-true-cost-and-speed-of-their-internet-service-starting-april-202= 4/ > >> > >> This struck me as anecdotal, but a good example of the need for > >> education. Although it's tempting and natural to look at existing > >> infrastructures as models for regulating a new one, IMHO the Internet > >> does not work like the Food/Agriculture infrastructure does. > >> > >> For example, the new mandates require ISPs to "label" their products > >> with "nutritional" data including "typical" latency, upload, and > >> download speeds. They have until April 2024 to figure it out. I've > >> never encountered an ISP who could answer such questions - even the on= es > >> I was involved in managing. Marketing can of course create an answer, > >> since "typical" is such a vague term. Figuring out how to attach the > >> physical label to their service product may be a problem. > >> > >> Such labels may not be very helpful to the end user struggling to find > >> an ISP that delivers the service needed for some interactive use (audi= o > >> or video conferencing, gaming, home automation, etc.) > >> > >> Performance on the Internet depends on where the two endpoints are, th= e > >> physical path to get from one to the other, as well as the hardware, > >> software, current load, and other aspects of each endpoint, all outsid= e > >> the ISPs' control or vision. Since the two endpoints can be on > >> different ISPs, perhaps requiring one or more additional internediate > >> ISPs, specifying a "typical" performance from all Points A to all Poin= ts > >> B is even more challenging. > >> > >> Switching to the transportation analogy, one might ask your local bus = or > >> rail company what their typical time is to get from one city to > >> another. If the two cities involved happen to be on their rail or bu= s > >> network, perhaps you can get an answer, but it will still depend on > >> where the two endpoints are. If one or both cities are not on their > >> rail network, the travel time might have to include use of other > >> "networks" - bus, rental car, airplane, ship, etc. How long does it > >> typically take for you to get from any city on the planet to any other > >> city on the planet? > >> > >> IMHO, rules and regulations for the Internet need to reflect how the > >> Internet actually works. That's why I suggested a focus on education > >> for the decision makers. > >> > >> Jack Haverty > >> > >> _______________________________________________ > >> Nnagain mailing list > >> Nnagain@lists.bufferbloat.net > >> https://lists.bufferbloat.net/listinfo/nnagain > > > > _______________________________________________ > > Nnagain mailing list > > Nnagain@lists.bufferbloat.net > > https://lists.bufferbloat.net/listinfo/nnagain > > > > -- > Oct 30: > https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html > Dave T=C3=A4ht CSO, LibreQos > --0000000000008a30f7060774e0f7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Are we talking about the one that modelled after the = label from CMU (they showed some prototypes, there would be about 10-15 pie= ces of information on the label followed by a QR code to get the rest), her= e's a link - and the concerns I have apply to this:

=
https://news.pantheon.cmu.edu/stories/archives/2023/july/cylab-pre= sents-at-white-houses-launch-of-new-iot-cybersecurity-labeling-system


On Wed, Oct 1= 1, 2023 at 2:06=E2=80=AFPM Dave Taht <dave.taht@gmail.com> wrote:
I think y'all are conflating two different labe= ls here. The nutrition
label was one effort, now being deploye, the other is cybersecurity,
now being discussed.

On the nutrition front...
We successfully fought against "packet loss" being included on th= e
nutrition label, but as ghu is my witness, I have no idea if a formal
method for declaring "typical latency" was ever formally derived.=

https://w= ww.fcc.gov/document/fcc-requires-broadband-providers-display-labels-help-co= nsumers

On Wed, Oct 11, 2023 at 10:39=E2=80=AFAM David Bray, PhD via Nnagain
<nnag= ain@lists.bufferbloat.net> wrote:
>
> I was at a closed-door event discussing these labels about two weeks a= go (right before the potential government shutdown/temporarily averted for = now) - and it was non-attribution, so I can only describe my comments:
>
> (1) the labels risk missing the reality that the Internet and cybersec= urity are not steady state, which begs the question how will they be update= d
> (2) the labels say nothing about how - even if the company promises to= keep your data private and secure - how good their security practices are = internal to the company? Or what if the company is bought in 5 years?
> (3) they use QR-codes to provide additional info, yet we know QR-codes= can be sent to bad links so what if someone replaces a label with a bad li= nk such that the label itself becomes an exploit?
>
> I think the biggest risks is these we be rolled out, some exploit will= occur that the label didn't consider, consumers will be angry they wer= en't "protected" and now we are even in worse shape because t= he public's trust has gone further down hill, they angry at the governm= ent, and the private sector feels like the time and energy they spent on th= e labels was for naught?
>
> There's also the concern about how do startups roll-out such a lab= el for their tech in the early iteration phase? How do they afford to do th= e extra work for the label vs. a big company (does this become a regulatory= moat?)
>
> And let's say we have these labels. Will only consumers with the m= oney to purchase the more expensive equipment that has more privacy and sec= urity features buy that one - leaving those who cannot afford privacy and s= ecurity bad alternatives?
>
> On Wed, Oct 11, 2023 at 1:31=E2=80=AFPM Jack Haverty via Nnagain <<= a href=3D"mailto:nnagain@lists.bufferbloat.net" target=3D"_blank">nnagain@l= ists.bufferbloat.net> wrote:
>>
>> A few days ago I made some comments about the idea of "educat= ing" the
>> lawyers, politicians, and other smart, but not necessarily technic= ally
>> adept, decision makers.=C2=A0 Today I saw a news story about a rec= ent FCC
>> action, to mandate "nutrition labels" on Internet servic= es offered by ISPs:
>>
>> https://cordcutt= ersnews.com/fcc-says-comcast-spectrum-att-must-start-displaying-the-true-co= st-and-speed-of-their-internet-service-starting-april-2024/
>>
>> This struck me as anecdotal, but a good example of the need for >> education.=C2=A0 Although it's tempting and natural to look at= existing
>> infrastructures as models for regulating a new one, IMHO the Inter= net
>> does not work like the Food/Agriculture infrastructure does.
>>
>> For example, the new mandates require ISPs to "label" th= eir products
>> with "nutritional" data including "typical" la= tency, upload, and
>> download speeds.=C2=A0 =C2=A0They have until April 2024 to figure = it out. I've
>> never encountered an ISP who could answer such questions - even th= e ones
>> I was involved in managing.=C2=A0 Marketing can of course create a= n answer,
>> since "typical" is such a vague term.=C2=A0 Figuring out= how to attach the
>> physical label to their service product may be a problem.
>>
>> Such labels may not be very helpful to the end user struggling to = find
>> an ISP that delivers the service needed for some interactive use (= audio
>> or video conferencing, gaming, home automation, etc.)
>>
>> Performance on the Internet depends on where the two endpoints are= , the
>> physical path to get from one to the other, as well as the hardwar= e,
>> software, current load, and other aspects of each endpoint, all ou= tside
>> the ISPs' control or vision.=C2=A0 =C2=A0Since the two endpoin= ts can be on
>> different ISPs, perhaps requiring one or more additional internedi= ate
>> ISPs, specifying a "typical" performance from all Points= A to all Points
>> B is even more challenging.
>>
>> Switching to the transportation analogy, one might ask your local = bus or
>> rail company what their typical time is to get from one city to >> another.=C2=A0 =C2=A0If the two cities involved happen to be on th= eir rail or bus
>> network, perhaps you can get an answer, but it will still depend o= n
>> where the two endpoints are.=C2=A0 If one or both cities are not o= n their
>> rail network, the travel time might have to include use of other >> "networks" - bus, rental car, airplane, ship, etc.=C2=A0= =C2=A0How long does it
>> typically take for you to get from any city on the planet to any o= ther
>> city on the planet?
>>
>> IMHO, rules and regulations for the Internet need to reflect how t= he
>> Internet actually works.=C2=A0 That's why I suggested a focus = on education
>> for the decision makers.
>>
>> Jack Haverty
>>
>> _______________________________________________
>> Nnagain mailing list
>> Nnagain@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/nnagai= n
>
> _______________________________________________
> Nnagain mailing list
> Nna= gain@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/nnagain



--
Oct 30: https://netdevconf.info/= 0x17/news/the-maestro-and-the-music-bof.html
Dave T=C3=A4ht CSO, LibreQos
--0000000000008a30f7060774e0f7--