Now I’m confused – REALLY confused. For a second there, I thought ZKS was actually executing a turnaround to become a “real” privacy company, what with their recent repositioning towards “managed privacy services” and all. Companies out there need privacy solutions, and the field is wide open for the taking right now.. There aren’t many other companies out there with shipping products for the enterprise space yet .. in addition to ZKS (which I’m not sure if they REALLY have a product for the enterprise space? although they seem to like to talk about it??) there’s PrivacyRight and Privada out in California, and then that’s about it.. and from what I can tell, the enterprise market is more than large enough for 3 companies right now.. I mean, if ZKS ever got their head screwed on right (read: fired Austin Hill??), they MIGHT stand a sliver of a chance of actually making some money -- But NOW, ZKS turns around and pulls a “NymIP” project for the IETF? What does this have to do w/ anything? (or at least, what does it have to do w/ the ZKS repositioning to become a genuine privacy company?) It seems this has more in line w/ what I’ve been saying all along: the ZKS is really a free speech company, not a privacy company. I’ve perused the (so far short) NymIP mailing lists and even the members agree that the NymIP project shares more in common w/ Fling (http://fling.sourceforge.net/), a free-speech system for the Internet, than it does w/ anything privacy related.. First, I’ll go over all the obvious technical flaws w/ NymIP. For this protocol to have any practical applicability, we have to believe the ZKS mantra that IP addresses somehow represents “personally identifiable information” (PII) that is highly sensitive, and therefore must be encrypted… We are asked to believe, in other words, that 1 IP address < == > 1 person.. Notwithstanding the obvious fact that today 60% of the Internet population logs on through AOL where 10,000 users share one IP address at the same time, I’d like to ask the NymIP team what they plan to do once IPv6 is rolled out?? The 1 IP address < == > 1 person concept is highly tenuous under IPv4, and altogether laughable under IPv6.. Reading of the Goals of NymIP draft, the project lacks clear definition – apparently they want to throw a bunch of academics in a room and see if they can come up w/ some vacuous concept called “controlled nymity” (< - - what the hell does that mean??) all w/o attempting to set any concrete benchmarks or milestones? The draft also stresses PKI.. I’m wondering how much trust ZKS in general places in PKI? Have they read Schneier’s 10 risks of PKI?: http://www.counterpane.com/pki-risks-ft.txt You have to wonder about IETF adoption too .. I checked out the agenda for the San Diego meeting and there is no mention of NymIP: http://www.ietf.org/meetings/IETF-49.html Also, just run through the standards that the IETF really does back: LDAP, Kerberos, IP telephony, VoIP, IPSec, and on and on.. these are real applications for have real business uses for enterprises and individuals. That’s why they have the support of the IEFT.. Where’s the “real” use for nyms? How many people have downloaded Freedom and are using? (I never see anyone I know on the Internet using @freedom.net addresses..) How many businesses are using ZKS? (if in fact they even have a product for businesses?) If nyms were a “real” thing, technologically + economically, they would have happened by now, but they haven’t.. (YES – I’m using a nym to write this email, but I don’t use one nym to purchase computer books on Amazon, use a different nym to buy porno books on Amazon, etc.. and THAT is the economic reality that would have to be occurring for ZKS-style nyms to have any real traction – yet it does NOT occur..) What irritates me more than anything about ZKS is their belief that cryptography can solve all the worlds privacy problems.. any sophisticated security professional will tell you that cryptography barely solves any security problems, and although good privacy starts w/ good security (since w/o security, information will tend to leak around where you don’t want it to), privacy is vastly more complex than security.. 10 years ago you had people like Schneier talking about the role of cryptography in security. Since then, these people have moved beyond the algorithms and protocols, into the products, then into the policies and procedures, and today you have people like Schneier basically advising companies to just buy insurance to cover computer security risks – after all, the whole security game is just a risk management game, and what better way to manage risk than via insurance? But at ZKS, they’re still living in a world where cryptography solves everything, completely ignoring the human element.. (which is really the most important) (and while we're on the subject on cryptography, what exactly is wrong w/ SSL? And don't tell me that SSL still lets you see IP addresses (perfectly in line w/ the TCP/IP spec) b/c that has NOTHING to do w/ privacy) When I look for the “human” element in a company, I look to the marketing department – it’s the job of these guys to make sure that what the company is working on actually HAS a market. As soon as I heard about the NymIP project, my gut instinct was to fire the marketing VP over at ZKS – it was like, this is the last straw – the company has completely failed to position itself as ANYTHING. First you’re selling this thingie called Freedom that is supposed to protect privacy but of course doesn’t, then you’re transitioning into the enterprise space, but you still leave 100 engineers working on Freedom on payroll, and then you start talking about being a consulting company even though PriceWaterhouseCooper will be better than you because they have actually broadened their knowledge base beyond “crypto-anarchy” and you haven’t and you then have Stefan Brands do a dog and pony show about building privacy into PKI, w/ applications in m-commerce, e-commerce, electronic voting, location-based services, age/gender verification, DRM, identity management and frequent flier miles (< -- NONE OF WHICH, by the way, are anything that any of the previously mentioned ZKS units are focusing on) and finally you come FULL CIRCLE and decide that you’re going to work on this NymIP thing, which most closely resembled your initial Freedom product, which is actually a free speech thingie anyway and not a privacy thingie.. Wow – NO FUCKING FOCUS.. and they must be burning at least $2.5 mil every month w/ basically nothing to show in revenues (I’m guessing Freedom just isn’t the cash cow they though it might be?? I mean, how many people do I see on the Internet using @freedom.net addresses??) But, back to what I was talking about – I was about to recommend firing their marketing VP when I looked at their Web site and realized ZKS HAS NO MARKETING VP!! Then I thought: THAT’S THE PROBLEM!! Most “modern” high tech companies believe in the mantra that your customers drive your business, and will hire a marketing VP usually as employee, say, #3 or #4 so that he can go out and validate that there really IS a market for what you are proposing.. if not, it’s back to the drawing board until you CAN find some customers somewhere for what you’re peddling.. Apparently ZKS does not choose to operate in this manner (listen to customers, ship products to market, etc..) And that’s when I realized they likely have no marketing VP b/c it’s impossible to market a product as crappy as Freedom! Catch22.. In Silicon Valley, most VCs will not fund a company w/ market validation and w/o a marketing VP.. apparently this does not hold true in Canada.. I guess in the end, do I really care that much that I’m surfing anonymously? Do I really care that much that I’m surfing w/ a non-encrypted IP address? (this is, after all, how TCP/IP was designed to work). I’m still SEARCHING for a business case here.. SOMEBODY HELP ME.. If I fill out a form and engage in a commercial transaction, then yes I want all that and related information to remain private (between me and the merchant), but does this really mean that I want all my info hidden from the merchant (maybe I’m a sucker for frequent flier miles) and does it mean that I’ll swim against the flow and drop $30 million++ into trying to redesign TCP/IP from the ground up so it has anonymity built-in?? Declan – btw I appreciate the fact that your blurb in Wired about NymIP makes no mention of the word “privacy” – I think it’s incredibly important that the concept of “privacy” be divorced from the concept of “anonymity” in the popular media (where oftentimes these two concepts blur together into one..) .. they are clearly not even remotely similar.. And don’t get me wrong – I firmly believe the Internet should have an “anonymous safe haven”, so to speak, if only for free speech if nothing else – however, I have serious problems w/ a privacy company attempting to deliver on this, since it’s technically impossible, economically unmanageable and ultimately only confuses the an already befuddled marketplace (quite severely, in fact..).. >http://www.wired.com/news/politics/0,1283,40582,00.html > > Devising Invisible Ink > by Declan McCullagh ([EMAIL PROTECTED]) > 2:00 a.m. Dec. 9, 2000 PST > > WASHINGTON -- An ambitious effort to protect online anonymity > will kick off this weekend. > > A working group of about a dozen technologists, called NymIP, is > gathering before the Internet Engineering Task Force's meeting to take > the very first steps toward devising a standard that will foster > untraceable communications and Web browsing for Internet users.