
October 2007 Archives

October 8, 2007

Hello ICANN, please meet John Doe from Antarctica

I was checking out the ICANN Meetings page and noticed that they've recently added an "ICANN meetings update" mailing list, with a pretty prominent form for subscription.

Of course, just an e-mail address isn't enough for ICANN: Mandatory information for subscribing to the list includes name and company; they also ask for the country. The subscription form claims that "ICANN will not sell or make available any of your information to a third-party without your consent" -- however, the list is actually hosted at Constant Contact, an e-mail marketing company. Of course, no indication is given for what purpose the name, company, and country information will be processed, and what Constant Contact (not ICANN!) will do with the information.

Somehow, it's fitting that the organization that's been dragging along WHOIS policy making for ages behaves that cluelessly when it comes to dealing with community members' data protection.

October 13, 2007

Douglas Adams, Last Chance To See

Last Chance to See by Douglas Adams and Mark Carwardine is an extensive late-1980s trip report: Adams and Carwardine traveled around the world to find species that were about to be extinct, and the people trying to preserve them.

The book is a snapshot of the late 1980s, and interesting alone for the things that have changed (or not!) since then. Consider a Shanghai whose soundtrack consists of Richard Clayderman mixed with bicycle bells (as opposed to Volkswagen clones' horns, and construction noise -- but even that was 5 years ago), at a time when the Baiji is the subject of conservation efforts further up the river, and a favorite local brand for all things from beer to hotels (to fund the conservation effort). Today, the Baiji is functionally extinct, and the conservation efforts focus on the finless porpoise which is only mentioned in passing in "Last Chance to See."

Consider New Zealand's obsession with clean shoes at immigration (no change there as of last year), and the threatened Kakapo -- a species whose entire population is indeed catalogued on Wikipedia, by name; yet, that population has actually doubled since the book was written.

Adams was a master storyteller. The stories he tells here -- many of them hilarious, despite the sad subject matter -- are worth reading and remembering.

William Gibson, Spook Country

I got William Gibson's Spook Country at 20% off, in Palo Alto, in the middle of a recent business trip. It provided good entertainment when, later on during that trip, seat pitch was too tight to even open a laptop.

The story that Gibson tells in this book is a fun tale of intricate, expensive, and illegal pranks, spiced with technology, pop culture, politics, and geotagging taken to the extreme ("locative art"). It's an entertaining story well-told.

Gibson knows enough about today's technology (and is a good enough writer) to get away with talking a lot about MacGuffins without making me wince. Unfortunately, however, his prose is riddled with trademark and technology babble: The security guard has one ear Bluetoothed. Hollis hauls around her PowerBook. Tito is told to escape through the restaurant of the W. Bobby doesn't bother to WEP his wi-fi. The cool characters fly Virgin. While all that is preferable to Stephenson's sometimes ridiculous name obfuscation in Cryptonomicon ("Finux", anyone?), it still annoys this reader. As Joe Gregor puts it, it's like a year of boing-boing, with a plot.

I'd have preferred the plot with a somewhat smaller dose of boing-boing, I guess.

October 15, 2007

Alex von Tunzelmann, Indian Summer

Alex von Tunzelmann's "Indian Summer. The Secret History of the End of an Empire" is a captivating read -- I didn't do much else this Sunday but read it.

This is not a novel: It's an extraordinarily well-written historic narrative of the tragedy, drama, and, yes, farce that surrounded the end of the British Raj and the creation of India and Pakistan as independent states.

Tunzelmann tells this piece of history by often focusing on some of its key players.

There's Gandhi's struggle between political judgment and his personal spirituality. There's Jinnah's career from being a champion of Hindu-Muslim unity to being the father and first governor-general of Pakistan (which Tunzelmann suggests might have been a bargaining chip that Jinnah didn't actually aim to get). There's Nehru, who starts out as a young English gentleman (and English native speaker) and becomes the country's first Prime Minister -- and who sometimes excels as the author of scathing political polemics against himself, published anonymously.

And there are the Mountbattens: Louis, a gentleman of impeccable courtly manners, high intelligence, but sometimes questionable judgment, known as the "Master of Disaster" in Royal Navy circles during World War II, cousin of the King, last viceroy of the Raj and first governor-general of the Dominion of India, oscillating between political achievements (notably, the accession of the princely states to India) and petty distractions. Edwina, socialite, heiress of an immense fortune, turned into a skilled organizer of humanitarian aid during World War II and in the midst of the catastrophe that the India/Pakistan split was -- and, in a politically explosive ménage à trois, Nehru's close friend (and lover?) within weeks of the (often adulterous, never divorced) couple's arrival in Delhi; a political force in her own right.

Despite this colorful cast of historic characters, and despite Tunzelmann's interest in their motives, the personal stories and portraits remain a tool for telling the bigger story and painting the historical picture of Britain, India, and Pakistan. This book is not court reporting, but serious, yet eminently readable historical work.

Don't start "Indian Summer" if you have other plans for the day. It's near impossible to put down.

October 20, 2007

hack.lu: Breaking and Securing Web Applications

At hack.lu, the best talk so far is Nitesh Dhanjani's talk "Breaking and Securing Web Applications".

Random notes below the fold.

Continue reading "hack.lu: Breaking and Securing Web Applications" »

hack.lu: MITMing a room full of security people

In Pwned @ hack.lu, Didier Stevens has a nice screenshot of what a lot of people saw at the conference yesterday. Not trusting the crowd in the room, I had configured my Web browser to go through an SSH tunnel elsewhere, so the software that was affected for me was fetchmail -- which I had fortunately configured paranoid enough that it noticed the wacky certificate that was "shown" by my personal server on port 995 (pop3s), and simply died with a nice error message.

So, what happened? As I said in a spontaneous lightning talk after that session, my diagnosis was that somebody was running a man-in-the-middle attack on a room full of security people. The tool they were using rewrote the TLS certificates that were shown by servers, but tried to keep the human-readable information in the certificate intact. (As Benny K notes in a comment, "the certificate seemed fine".)

The tool used was most likely ettercap.

Incidentally, I don't mind that this prank was played on all of us. Attending a hacking conference means you're fair game to some extent -- there will be packet sniffing, and there will be active attacks. As long as no lasting damage is caused, and as long as the attacks don't interfere with the conference talks, that's fine. What I found disappointing, though, is that the responsible party didn't have the stomach to give a lightning talk about the results gathered. For instance, I'd love to know how many of the (security-minded!) people in the room actually clicked past the errors that their browsers and mail clients showed. That would be first-class input for the Web Security Context Working Group. (Anecdotal evidence suggests that a few people got rather nervous after they heard the lightning talk...)

Now, for the details...

Continue reading "hack.lu: MITMing a room full of security people" »
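As an added illustration of the point above (example code, not the author's own configuration or code): pinning the server certificate's fingerprint, the way fetchmail's sslfingerprint option does on top of sslcertck, catches a certificate rewritten in transit even when its human-readable fields look fine. The host name and the DER byte strings are constructed placeholders.

```python
import hashlib
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def subject_cn(cert_info: dict) -> str:
    """Pull commonName out of the dict layout that ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert_info.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def human_readable_check(cert_info: dict, expected_cn: str) -> bool:
    """What a glance at the certificate dialog verifies: the name looks right."""
    return subject_cn(cert_info) == expected_cn

def pinned_check(der_cert: bytes, pinned: str) -> bool:
    """What fetchmail's sslfingerprint option verifies: this exact certificate."""
    return fingerprint(der_cert) == pinned

def fetch_peer_cert(host: str, port: int = 995) -> tuple:
    """Strictly verifying TLS connect (the sslcertck part); returns (DER, parsed dict).
    Needs network access, so the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

# Constructed sample data: placeholder bytes standing in for real DER certificates.
GENUINE_DER = b"constructed DER of the genuine server certificate"
REWRITTEN_DER = b"constructed DER of a certificate rewritten in transit"
# The rewritten certificate carries the same human-readable subject as the genuine one.
CERT_INFO = {"subject": ((("commonName", "mail.example.invalid"),),)}
PINNED = fingerprint(GENUINE_DER)  # recorded out of band, e.g. on a trusted network

def demo() -> dict:
    """Name check passes for both certificates; only the pin catches the rewrite."""
    return {
        "genuine_name_ok": human_readable_check(CERT_INFO, "mail.example.invalid"),
        "rewritten_name_ok": human_readable_check(CERT_INFO, "mail.example.invalid"),
        "genuine_pin_ok": pinned_check(GENUINE_DER, PINNED),
        "rewritten_pin_ok": pinned_check(REWRITTEN_DER, PINNED),
    }
```

Running demo() shows both certificates passing the name check while only the genuine one passes the pinned check, which is exactly the failure a rewriting proxy relies on and a recorded fingerprint prevents.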

October 21, 2007

hack.lu: slides

I guess a conference counts as good fun when you go there to listen and end up giving two lightning talks and a not really lightning talk. So, for the record, here we go:

The slides should be linked from the conference program sooner or later.

October 24, 2007

Shanghai taxis

My long haul travel habit began five years minus a week ago, with the ICANN meetings in Shanghai, and a visit to the Shanghai Museum. Particularly memorable from that trip, the taxis: Plexiglas barriers between drivers (in white gloves) and passengers, spotless white fabric covering the back seat, and recorded messages that would welcome you to Dazhong Taxis when entering the cab, and remind you to not forget your "receipt and belongings" when you left it. To tell the driver where you wanted to go, you'd keep a stack of little pieces of paper, with various destinations for the day written out in Chinese, prepared by the hotel front desk. Very reassuring, then, the English-language signs posted at the highway (right next to a crashed cab), reminding people to drive carefully. Overall, like many ICANN meetings, that week had a strong feeling of life in a bubble. (Lost in Translation only came out later, but, yes, that's the theme movie for these kinds of conferences.) I haven't had an opportunity to get back to China since.

In Ups and Downs, Tim Bray has a hilarious account of his first-time-in-Shanghai experience, and it's good to see that not everything has changed over the last five years. In particular, the taxis still seem to be the same. Including the white cloth that covers those ugly seat belts on the back seat...

October 31, 2007

ICANN: WHOIS back to rathole #0.

ICANN's GNSO council had WHOIS on its agenda for today. The options on the table: (1) Accepting the outcome of years of policy development processes; (2) rejecting that outcome (again?), but calling for some kind of fact-gathering to feed into future policy work, in order to keep the space occupied; (3) acknowledging that there is broad dissent in the Internet community, and calling for a sunset on the WHOIS clauses in current agreements, as these clauses are not backed by community consensus any more.

Not very surprisingly, motions (1) and (3) failed; (2) was accepted; all that after lengthy discussion, with lots of procedural bells and whistles.

In practical terms, this means that the ICANN community's attempt to come to consensus about WHOIS is over for now. It is pretty clear that there is indeed no WHOIS policy that that community can agree on without a change to the political environment that it is operating in; it is also clear that this is not due to a lack of factual knowledge or background research, but because of deeply divergent views on the issues. Maybe taking time out would help. Nevertheless, the GNSO (and ICANN as a whole) also suffers horror vacui: ICANN is, after all, the organization tasked with coming to consensus about these kinds of issues, and ICANN giving up means a big opening for others to step in.

Therefore, ICANN is now trying the "fact finding" excuse: We'll hear that ICANN recognizes the importance of WHOIS policy making and the challenges ahead in this area, and hopes that new models in policy making (which look a bit like a return to very old models for policy making) and more gathering of factual information will help future policy development to yield results where none could be found before.

ICANN staff will be charged with the unenviable task of engaging on this fact-finding mission, again; similar missions happened ca. 2001/2002 (anybody remember the WHOIS study?) and 2003/2004 (fond memories of using the ombudsman to get a meeting with staff). Staff will produce a report (I'd guess with some delay), which will then lead to terms of reference that will look a bit like the ones we wrote in summer 2003. The process will then restart. I don't envy those who will be part of this particular round. I'm glad I'm out of this particular rathole.

For some more commentary and links, see Wendy Seltzer's take in Deja Vu Day.

About October 2007

This page contains all entries posted to No Such Weblog in October 2007. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.
Powered by Movable Type 3.35