WEBVTT 00:00:00.603 --> 00:00:03.669 So, this book that I have in my hand 00:00:03.669 --> 00:00:07.603 is a directory of everybody who had an email address 00:00:07.603 --> 00:00:11.122 in 1982. (Laughter) 00:00:11.122 --> 00:00:14.807 Actually, it's deceptively large. 00:00:14.807 --> 00:00:18.244 There's actually only about 20 people on each page, 00:00:18.244 --> 00:00:20.134 because we have the name, address 00:00:20.134 --> 00:00:23.227 and telephone number of every single person. 00:00:23.227 --> 00:00:25.410 And, in fact, everybody's listed twice, 00:00:25.410 --> 00:00:29.968 because it's sorted once by name and once by email address. 00:00:29.968 --> 00:00:32.869 Obviously a very small community. 00:00:32.869 --> 00:00:36.300 There were only two other Dannys on the Internet then. 00:00:36.300 --> 00:00:37.900 I knew them both. 00:00:37.900 --> 00:00:39.656 We didn't all know each other, 00:00:39.656 --> 00:00:42.769 but we all kind of trusted each other, 00:00:42.769 --> 00:00:46.567 and that basic feeling of trust 00:00:46.567 --> 00:00:49.154 permeated the whole network, 00:00:49.154 --> 00:00:51.511 and there was a real sense that 00:00:51.511 --> 00:00:54.517 we could depend on each other to do things. NOTE Paragraph 00:00:54.517 --> 00:00:58.092 So just to give you an idea of the level of trust in this community, 00:00:58.092 --> 00:00:59.717 let me tell you what it was like 00:00:59.717 --> 00:01:03.822 to register a domain name in the early days. 00:01:03.822 --> 00:01:06.452 Now, it just so happened that I got to register 00:01:06.452 --> 00:01:08.912 the third domain name on the Internet. 00:01:08.912 --> 00:01:10.560 So I could have anything I wanted 00:01:10.560 --> 00:01:15.005 other than bbn.com and symbolics.com. 00:01:15.005 --> 00:01:18.419 So I picked think.com, but then I thought, 00:01:18.419 --> 00:01:21.405 you know, there's a lot of really interesting names out there. 00:01:21.405 --> 00:01:25.614 Maybe I should register a few extras just in case. 00:01:25.614 --> 00:01:28.898 And then I thought, "Nah, that wouldn't be very nice." NOTE Paragraph 00:01:28.898 --> 00:01:34.593 (Laughter) NOTE Paragraph 00:01:34.593 --> 00:01:38.222 That attitude of only taking what you need 00:01:38.222 --> 00:01:42.266 was really what everybody had on the network in those days, 00:01:42.266 --> 00:01:45.563 and in fact, it wasn't just the people on the network, 00:01:45.563 --> 00:01:48.283 but it was actually kind of built into the protocols 00:01:48.283 --> 00:01:50.227 of the Internet itself. 00:01:50.227 --> 00:01:54.086 So the basic idea of I.P., or Internet protocol, 00:01:54.086 --> 00:01:57.815 and the way that the -- the routing algorithm that used it, 00:01:57.815 --> 00:02:01.944 were fundamentally "from each according to their ability, 00:02:01.944 --> 00:02:04.062 to each according to their need." 00:02:04.062 --> 00:02:07.075 And so, if you had some extra bandwidth, 00:02:07.075 --> 00:02:08.518 you'd deliver a message for someone. 00:02:08.518 --> 00:02:11.511 If they had some extra bandwidth, they would deliver a message for you. 00:02:11.511 --> 00:02:13.525 You'd kind of depend on people to do that, 00:02:13.525 --> 00:02:16.189 and that was the building block. 00:02:16.189 --> 00:02:18.816 It was actually interesting that such a communist principle 00:02:18.816 --> 00:02:21.252 was the basis of a system developed during the Cold War 00:02:21.252 --> 00:02:23.683 by the Defense Department, 00:02:23.683 --> 00:02:26.753 but it obviously worked really well, 00:02:26.753 --> 00:02:30.196 and we all saw what happened with the Internet. 00:02:30.196 --> 00:02:32.468 It was incredibly successful. NOTE Paragraph 00:02:32.468 --> 00:02:35.765 In fact, it was so successful that there's no way 00:02:35.765 --> 00:02:39.353 that these days you could make a book like this. 00:02:39.353 --> 00:02:45.519 My rough calculation is it would be about 25 miles thick. 00:02:45.519 --> 00:02:46.693 But, of course, you couldn't do it, 00:02:46.693 --> 00:02:48.483 because we don't know the names of all the people 00:02:48.483 --> 00:02:51.557 with Internet or email addresses, 00:02:51.557 --> 00:02:53.089 and even if we did know their names, 00:02:53.089 --> 00:02:55.522 I'm pretty sure that they would not want their name, 00:02:55.522 --> 00:02:59.818 address and telephone number published to everyone. NOTE Paragraph 00:02:59.818 --> 00:03:03.520 So the fact is that there's a lot of bad guys on the Internet these days, 00:03:03.520 --> 00:03:07.691 and so we dealt with that by making 00:03:07.691 --> 00:03:09.590 walled communities, 00:03:09.590 --> 00:03:14.327 secure subnetworks, VPNs, 00:03:14.327 --> 00:03:15.923 little things that aren't really the Internet 00:03:15.923 --> 00:03:17.894 but are made out of the same building blocks, 00:03:17.894 --> 00:03:20.134 but we're still basically building it out of those 00:03:20.134 --> 00:03:24.401 same building blocks with those same assumptions of trust. 00:03:24.401 --> 00:03:27.123 And that means that it's vulnerable 00:03:27.123 --> 00:03:29.519 to certain kinds of mistakes that can happen, 00:03:29.519 --> 00:03:31.380 or certain kinds of deliberate attacks, 00:03:31.380 --> 00:03:34.485 but even the mistakes can be bad. NOTE Paragraph 00:03:34.485 --> 00:03:37.434 So, for instance, 00:03:37.434 --> 00:03:39.387 in all of Asia recently, 00:03:39.387 --> 00:03:42.820 it was impossible to get YouTube for a little while 00:03:42.820 --> 00:03:45.100 because Pakistan made some mistakes 00:03:45.100 --> 00:03:48.835 in how it was censoring YouTube in its internal network. 00:03:48.835 --> 00:03:51.929 They didn't intend to screw up Asia, but they did 00:03:51.929 --> 00:03:54.833 because of the way that the protocols work. 00:03:54.833 --> 00:03:58.057 Another example that may have affected many of you in this audience is, 00:03:58.057 --> 00:04:00.648 you may remember a couple of years ago, 00:04:00.648 --> 00:04:03.461 all the planes west of the Mississippi were grounded 00:04:03.461 --> 00:04:06.353 because a single routing card in Salt Lake City 00:04:06.353 --> 00:04:08.715 had a bug in it. 00:04:08.715 --> 00:04:10.988 Now, you don't really think 00:04:10.988 --> 00:04:14.014 that our airplane system depends on the Internet, 00:04:14.014 --> 00:04:15.020 and in some sense it doesn't. 00:04:15.020 --> 00:04:16.636 I'll come back to that later. 00:04:16.636 --> 00:04:18.886 But the fact is that people couldn't take off 00:04:18.886 --> 00:04:21.161 because something was going wrong on the Internet, 00:04:21.161 --> 00:04:23.736 and the router card was down. NOTE Paragraph 00:04:23.736 --> 00:04:27.515 And so, there are many of those things that start to happen. 00:04:27.515 --> 00:04:30.654 Now, there was an interesting thing that happened last April. 00:04:30.654 --> 00:04:32.180 All of a sudden, 00:04:32.180 --> 00:04:35.512 a very large percentage of the traffic on the whole Internet, 00:04:35.512 --> 00:04:39.643 including a lot of the traffic between U.S. military installations, 00:04:39.643 --> 00:04:42.411 started getting re-routed through China. 00:04:42.411 --> 00:04:45.133 So for a few hours, it all passed through China. 00:04:45.133 --> 00:04:49.707 Now, China Telecom says it was just an honest mistake, 00:04:49.707 --> 00:04:53.564 and it is actually possible that it was, the way things work, 00:04:53.564 --> 00:04:55.599 but certainly somebody could make 00:04:55.599 --> 00:04:58.872 a dishonest mistake of that sort if they wanted to, 00:04:58.872 --> 00:05:02.230 and it shows you how vulnerable the system is even to mistakes. 00:05:02.230 --> 00:05:07.151 Imagine how vulnerable the system is to deliberate attacks. NOTE Paragraph 00:05:07.151 --> 00:05:10.549 So if somebody really wanted to attack the United States 00:05:10.549 --> 00:05:12.641 or Western civilization these days, 00:05:12.641 --> 00:05:14.830 they're not going to do it with tanks. 00:05:14.830 --> 00:05:17.243 That will not succeed. 00:05:17.243 --> 00:05:19.246 What they'll probably do is something 00:05:19.246 --> 00:05:22.537 very much like the attack that happened 00:05:22.537 --> 00:05:25.244 on the Iranian nuclear facility. 00:05:25.244 --> 00:05:27.518 Nobody has claimed credit for that. 00:05:27.518 --> 00:05:31.025 There was basically a factory of industrial machines. 00:05:31.025 --> 00:05:33.602 It didn't think of itself as being on the Internet. 00:05:33.602 --> 00:05:36.189 It thought of itself as being disconnected from the Internet, 00:05:36.189 --> 00:05:38.136 but it was possible for somebody to smuggle 00:05:38.136 --> 00:05:40.668 a USB drive in there, or something like that, 00:05:40.668 --> 00:05:44.064 and software got in there that causes the centrifuges, 00:05:44.064 --> 00:05:47.057 in that case, to actually destroy themselves. 00:05:47.057 --> 00:05:49.723 Now that same kind of software could destroy an oil refinery 00:05:49.723 --> 00:05:54.145 or a pharmaceutical factory or a semiconductor plant. 00:05:54.145 --> 00:05:57.411 And so there's a lot of -- I'm sure you've read a lot in papers, 00:05:57.411 --> 00:05:59.602 about worries about cyberattacks 00:05:59.602 --> 00:06:02.212 and defenses against those. NOTE Paragraph 00:06:02.212 --> 00:06:04.192 But the fact is, people are mostly focused on 00:06:04.192 --> 00:06:06.475 defending the computers on the Internet, 00:06:06.475 --> 00:06:08.861 and there's been surprisingly little attention 00:06:08.861 --> 00:06:13.226 to defending the Internet itself as a communications medium. 00:06:13.226 --> 00:06:15.089 And I think we probably do need to pay 00:06:15.089 --> 00:06:18.177 some more attention to that, because it's actually kind of fragile. 00:06:18.177 --> 00:06:21.104 So actually, in the early days, 00:06:21.104 --> 00:06:22.828 back when it was the ARPANET, 00:06:22.828 --> 00:06:26.417 there were actually times -- there was a particular time it failed completely 00:06:26.417 --> 00:06:29.702 because one single message processor 00:06:29.702 --> 00:06:32.178 actually got a bug in it. 00:06:32.178 --> 00:06:34.450 And the way the Internet works is 00:06:34.450 --> 00:06:38.017 the routers are basically exchanging information 00:06:38.017 --> 00:06:40.607 about how they can get messages to places, 00:06:40.607 --> 00:06:44.505 and this one processor, because of a broken card, 00:06:44.505 --> 00:06:46.514 decided it could actually get a message 00:06:46.514 --> 00:06:49.202 to some place in negative time. 00:06:49.202 --> 00:06:53.185 So, in other words, it claimed it could deliver a message before you sent it. 00:06:53.185 --> 00:06:56.335 So of course, the fastest way to get a message anywhere 00:06:56.335 --> 00:06:58.211 was to send it to this guy, 00:06:58.211 --> 00:07:01.758 who would send it back in time and get it there super early, 00:07:01.758 --> 00:07:04.614 so every message in the Internet 00:07:04.614 --> 00:07:07.856 started getting switched through this one node, 00:07:07.856 --> 00:07:09.372 and of course that clogged everything up. 00:07:09.372 --> 00:07:11.527 Everything started breaking. 00:07:11.527 --> 00:07:13.567 The interesting thing was, though, 00:07:13.567 --> 00:07:15.407 that the sysadmins were able to fix it, 00:07:15.407 --> 00:07:20.189 but they had to basically turn every single thing on the Internet off. 00:07:20.189 --> 00:07:21.587 Now, of course you couldn't do that today. 00:07:21.587 --> 00:07:23.981 I mean, everything off, it's like 00:07:23.981 --> 00:07:26.213 the service call you get from the cable company, 00:07:26.213 --> 00:07:29.974 except for the whole world. NOTE Paragraph 00:07:29.974 --> 00:07:32.033 Now, in fact, they couldn't do it for a lot of reasons today. 00:07:32.033 --> 00:07:34.655 One of the reasons is a lot of their telephones 00:07:34.655 --> 00:07:37.624 use IP protocol and use things like Skype and so on 00:07:37.624 --> 00:07:39.693 that go through the Internet right now, 00:07:39.693 --> 00:07:42.975 and so in fact we're becoming dependent on it 00:07:42.975 --> 00:07:44.767 for more and more different things, 00:07:44.767 --> 00:07:47.705 like when you take off from LAX, 00:07:47.705 --> 00:07:49.586 you're really not thinking you're using the Internet. 00:07:49.586 --> 00:07:53.702 When you pump gas, you really don't think you're using the Internet. 00:07:53.702 --> 00:07:55.827 What's happening increasingly, though, is these systems 00:07:55.827 --> 00:07:57.694 are beginning to use the Internet. 00:07:57.694 --> 00:08:00.744 Most of them aren't based on the Internet yet, 00:08:00.744 --> 00:08:03.280 but they're starting to use the Internet for service functions, 00:08:03.280 --> 00:08:05.185 for administrative functions, 00:08:05.185 --> 00:08:08.248 and so if you take something like the cell phone system, 00:08:08.248 --> 00:08:12.568 which is still relatively independent of the Internet for the most part, 00:08:12.568 --> 00:08:15.527 Internet pieces are beginning to sneak into it 00:08:15.527 --> 00:08:19.331 in terms of some of the control and administrative functions, 00:08:19.331 --> 00:08:21.661 and it's so tempting to use these same building blocks 00:08:21.661 --> 00:08:23.925 because they work so well, they're cheap, 00:08:23.925 --> 00:08:25.025 they're repeated, and so on. 00:08:25.025 --> 00:08:27.797 So all of our systems, more and more, 00:08:27.797 --> 00:08:29.577 are starting to use the same technology 00:08:29.577 --> 00:08:31.644 and starting to depend on this technology. 00:08:31.644 --> 00:08:34.069 And so even a modern rocket ship these days 00:08:34.069 --> 00:08:36.795 actually uses Internet protocol to talk 00:08:36.795 --> 00:08:38.611 from one end of the rocket ship to the other. 00:08:38.611 --> 00:08:41.797 That's crazy. It was never designed to do things like that. NOTE Paragraph 00:08:41.797 --> 00:08:44.914 So we've built this system 00:08:44.914 --> 00:08:48.024 where we understand all the parts of it, 00:08:48.024 --> 00:08:51.722 but we're using it in a very, very different way than we expected to use it, 00:08:51.722 --> 00:08:54.161 and it's gotten a very, very different scale 00:08:54.161 --> 00:08:56.332 than it was designed for. 00:08:56.332 --> 00:08:59.008 And in fact, nobody really exactly understands 00:08:59.008 --> 00:09:01.271 all the things it's being used for right now. 00:09:01.271 --> 00:09:03.774 It's turning into one of these big emergent systems 00:09:03.774 --> 00:09:07.255 like the financial system, where we've designed all the parts 00:09:07.255 --> 00:09:09.861 but nobody really exactly understands 00:09:09.861 --> 00:09:13.088 how it operates and all the little details of it 00:09:13.088 --> 00:09:15.807 and what kinds of emergent behaviors it can have. 00:09:15.807 --> 00:09:18.940 And so if you hear an expert talking about the Internet 00:09:18.940 --> 00:09:21.635 and saying it can do this, or it does do this, or it will do that, 00:09:21.635 --> 00:09:24.096 you should treat it with the same skepticism 00:09:24.096 --> 00:09:28.511 that you might treat the comments of an economist about the economy 00:09:28.511 --> 00:09:30.778 or a weatherman about the weather, or something like that. 00:09:30.778 --> 00:09:33.426 They have an informed opinion, 00:09:33.426 --> 00:09:35.967 but it's changing so quickly that even the experts 00:09:35.967 --> 00:09:37.785 don't know exactly what's going on. 00:09:37.785 --> 00:09:40.477 So if you see one of these maps of the Internet, 00:09:40.477 --> 00:09:42.143 it's just somebody's guess. 00:09:42.143 --> 00:09:44.341 Nobody really knows what the Internet is right now 00:09:44.341 --> 00:09:47.082 because it's different than it was an hour ago. 00:09:47.082 --> 00:09:49.883 It's constantly changing. It's constantly reconfiguring. NOTE Paragraph 00:09:49.883 --> 00:09:51.397 And the problem with it is, 00:09:51.397 --> 00:09:54.738 I think we are setting ourselves up for a kind of disaster 00:09:54.738 --> 00:09:57.533 like the disaster we had in the financial system, 00:09:57.533 --> 00:10:02.877 where we take a system that's basically built on trust, 00:10:02.877 --> 00:10:05.498 was basically built for a smaller-scale system, 00:10:05.498 --> 00:10:08.407 and we've kind of expanded it way beyond the limits 00:10:08.407 --> 00:10:10.403 of how it was meant to operate. 00:10:10.403 --> 00:10:13.671 And so right now, I think it's literally true 00:10:13.671 --> 00:10:17.176 that we don't know what the consequences 00:10:17.176 --> 00:10:19.610 of an effective denial-of-service attack 00:10:19.610 --> 00:10:21.383 on the Internet would be, 00:10:21.383 --> 00:10:23.257 and whatever it would be is going to be worse next year, 00:10:23.257 --> 00:10:24.665 and worse next year, and so on. NOTE Paragraph 00:10:24.665 --> 00:10:27.214 But so what we need is a plan B. 00:10:27.214 --> 00:10:28.846 There is no plan B right now. 00:10:28.846 --> 00:10:32.349 There's no clear backup system that we've very carefully kept 00:10:32.349 --> 00:10:34.295 to be independent of the Internet, 00:10:34.295 --> 00:10:37.361 made out of completely different sets of building blocks. 00:10:37.361 --> 00:10:40.374 So what we need is something that doesn't necessarily 00:10:40.374 --> 00:10:43.108 have to have the performance of the Internet, 00:10:43.108 --> 00:10:44.625 but the police department has to be able 00:10:44.625 --> 00:10:47.148 to call up the fire department even without the Internet, 00:10:47.148 --> 00:10:49.713 or the hospitals have to order fuel oil. 00:10:49.713 --> 00:10:54.327 This doesn't need to be a multi-billion-dollar government project. 00:10:54.327 --> 00:10:57.075 It's actually relatively simple to do, technically, 00:10:57.075 --> 00:11:00.877 because it can use existing fibers that are in the ground, 00:11:00.877 --> 00:11:02.836 existing wireless infrastructure. 00:11:02.836 --> 00:11:05.601 It's basically a matter of deciding to do it. NOTE Paragraph 00:11:05.601 --> 00:11:08.085 But people won't decide to do it 00:11:08.085 --> 00:11:10.464 until they recognize the need for it, 00:11:10.464 --> 00:11:11.962 and that's the problem that we have right now. 00:11:11.962 --> 00:11:14.745 So there's been plenty of people, 00:11:14.745 --> 00:11:17.789 plenty of us have been quietly arguing 00:11:17.789 --> 00:11:20.707 that we should have this independent system for years, 00:11:20.707 --> 00:11:23.716 but it's very hard to get people focused on plan B 00:11:23.716 --> 00:11:27.390 when plan A seems to be working so well. NOTE Paragraph 00:11:27.390 --> 00:11:30.819 So I think that, if people understand 00:11:30.819 --> 00:11:33.873 how much we're starting to depend on the Internet, 00:11:33.873 --> 00:11:35.850 and how vulnerable it is, 00:11:35.850 --> 00:11:37.956 we could get focused on 00:11:37.956 --> 00:11:40.980 just wanting this other system to exist, 00:11:40.980 --> 00:11:44.057 and I think if enough people say, "Yeah, I would like to use it, 00:11:44.057 --> 00:11:47.067 I'd like to have such a system," then it will get built. 00:11:47.067 --> 00:11:48.490 It's not that hard a problem. 00:11:48.490 --> 00:11:51.725 It could definitely be done by people in this room. NOTE Paragraph 00:11:51.725 --> 00:11:56.084 And so I think that this is actually, 00:11:56.084 --> 00:11:59.263 of all the problems you're going to hear about at the conference, 00:11:59.263 --> 00:12:01.941 this is probably one of the very easiest to fix. 00:12:01.941 --> 00:12:04.708 So I'm happy to get a chance to tell you about it. NOTE Paragraph 00:12:04.708 --> 00:12:07.319 Thank you very much. NOTE Paragraph 00:12:07.319 --> 00:12:11.173 (Applause)