by pdkl95 3566 days ago
> If each one requires knowledge of the entire system

The general problem is the growing number of dependencies. James Burke in "Connections" warned that civilization is an interconnected web of technology traps[1]. We survive as long as everything works (or "mostly" works), but there is a risk of cascade failure.

More recently, Dan Geer warned[2] about the same type of problem:

    In the last couple of years, I've found that institutions that I more
    or less must use [...] no longer accept paper letter they each only
    accept digital delivery of such instructions.  This means that each of
    them has created a critical dependence on an Internet swarming with
    men in the middle and, which is more, they have doubtlessly given
    up their own ability to fall back to what worked for a century before.
    [...]
    Everything in meatspace we give over to cyberspace replaces
    dependencies that are local and manageable with dependencies that are
    certainly not local and I would argue much less manageable because
    they are much less secure.  I say that because the root cause of risk
    is dependence, and most especially dependence on expectations of
    system state.
    [...]
    Accommodating old methods and Internet rejectionists preserves
    alternate, less complex, more durable means and therefore bounds
    dependence. Bounding dependence is *the* core of rational risk
    management.
[1] https://www.youtube.com/watch?v=lKELMR6wACw

[2] http://geer.tinho.net/geer.blackhat.6viii14.txt


But a paper system which uses mail also has huge dependencies. You rely on a transportation and post office infrastructure that can also have problems.

In fact, the internet was funded by DARPA to deal with disruption of the conventional communication network.

> also has huge dependencies

True, but they are different dependencies. One of the goals is to eliminate the risk of common-mode failure[1]. One failure that makes the internet inoperable also takes out everything that depended on it, which shouldn't be "everything".

[1] https://en.wikipedia.org/wiki/Common_cause_and_special_cause...

> One failure that makes the internet inoperable also takes out everything that depended on it, which shouldn't be "everything".

While the current structure may not reflect this (and, to the extent it doesn't, this is a problem), a central part of the idea of the internet is that it should be structured so that a single failure would at most make a minor part of the internet unusable, and perhaps cause a two-way partition between remaining usable parts, not make "the internet" unusable in a general way.

> a minor part of the internet

> a two-way partition

These are localized problems, not common-mode failures. I'm talking about a problem with something that takes out a significant portion of the internet. This isn't about a simple network partition; a common-mode failure is a problem in something that is common to an entire class of devices.

A totally contrived example might be a worm that bricks routers (we've seen a few router vulnerabilities recently) and spreads with the speed of the fastest worms. Good luck finding "usable parts" of the internet when a large part of the routing capability needs to be physically replaced and reconfigured. This risk has grown in the recent past with the centralization of many services.
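As an added example (not code from any commenter in this thread), the distinction drawn above between a localized failure and a common-mode one can be made concrete with a small dependency-graph model. Each node lists its requirement options; a service is up if at least one option is fully up, so keeping an older path as a second option is what "bounding dependence" looks like in the graph. All node names and edges are constructed for illustration and do not describe any real institution.

```python
"""Blast-radius analysis of a dependency graph (added example).

Each node lists its requirement options: a node is up if it has not failed
and at least one option (a set of nodes) is fully up. Leaf nodes with no
options are up unless they themselves fail. A single failure is
'common-mode' when it takes down every top-level service at once; a
localized failure takes down only part of the set.

All node names and edges below are constructed for illustration.
"""

TOP_LEVEL = ["tax_filing", "payroll", "benefit_payments"]

# Everything is routed through one digital path (constructed graph).
DIGITAL_ONLY = {
    "tax_filing":       [{"internet", "bank_clearing"}],
    "payroll":          [{"bank_clearing"}],
    "benefit_payments": [{"bank_clearing"}],
    "bank_clearing":    [{"internet", "power"}],
    "internet":         [{"power", "router_fleet"}],
    "router_fleet":     [],   # stands in for a shared router code base
    "power":            [],
}

# Same graph, but two services keep an older paper path as a second option.
WITH_FALLBACK = dict(DIGITAL_ONLY)
WITH_FALLBACK.update({
    "tax_filing":       [{"internet", "bank_clearing"},
                         {"postal_service", "paper_processing"}],
    "benefit_payments": [{"bank_clearing"},
                         {"postal_service", "paper_processing"}],
    "postal_service":   [{"transport"}],
    "paper_processing": [{"power"}],
    "transport":        [],
})


def is_up(node, failed, reqs, memo):
    """Evaluate availability recursively. The memo also guards against
    cycles by treating a node as down while its own evaluation is pending."""
    if node in memo:
        return memo[node]
    if node in failed:
        memo[node] = False
        return False
    memo[node] = False            # provisional value for cycle safety
    options = reqs.get(node, [])
    up = not options or any(
        all(is_up(dep, failed, reqs, memo) for dep in option)
        for option in options)
    memo[node] = up
    return up


def blast_radius(reqs, failed_node):
    """Set of nodes that become unusable once `failed_node` fails."""
    memo = {}
    return {n for n in reqs if not is_up(n, {failed_node}, reqs, memo)}


def common_mode_failures(reqs, top_level, threshold=1.0):
    """Single nodes whose failure takes down at least `threshold` of the
    top-level services. With threshold=1.0 these are the common-mode
    failures: one event, the whole class of services gone."""
    found = {}
    for node in reqs:
        down = blast_radius(reqs, node) & set(top_level)
        if len(down) >= threshold * len(top_level):
            found[node] = down
    return found


if __name__ == "__main__":
    for label, graph in (("digital only", DIGITAL_ONLY),
                         ("with paper fallback", WITH_FALLBACK)):
        cm = common_mode_failures(graph, TOP_LEVEL)
        print(f"{label}: common-mode single points of failure = {sorted(cm)}")
        hit = blast_radius(graph, "router_fleet") & set(TOP_LEVEL)
        print(f"  router_fleet failure takes down: {sorted(hit)}")
```

In the digital-only graph a router-fleet failure is common-mode: it takes every top-level service down through the one shared path. With the paper options added, the same failure only takes down payroll, while `power` stays a common-mode failure because the fallback path needs it too. Lowering `threshold` surfaces nodes that are "almost" common-mode.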

What about a simpler idea, like sudden, widespread lack of electricity?

Diesel generators?

I don't think it matters too much that most institutions no longer accept paper since paper is just the external interface. You get no more reliability if they did when all critical processes rely on technology.

In other words, you aren't walking your check to the IRS, the postal service couldn't deliver it, your bank couldn't cash it even if they did, and WTF would the IRS do with a billion checks?

The point isn't really that paper is better. It's that we had systems that worked for a long time and we removed them. We shouldn't need to walk lots of checks to the IRS, that's the point of modern tech.

However, the IRS maintaining the capability of using old, simpler methods should be retained because it serves as a backup for (hopefully rare) situations where the primary infrastructure fails.

> The point isn't really that paper is better. It's that we had systems that worked for a long time and we removed them.

Because we have better ones, that are less expensive, in many (but not all, due to excessive design rigidity in some cases) cases cheaper to adapt to change, and provide more value. That benefit is significantly limited if you bear the cost of maintaining (across requirement changes) the old processes (or analogs to them reliant on similar infrastructure) as well as the new processes, especially if you have to maintain the infrastructure (including the human infrastructure -- e.g., for the IRS, of people trained to process tax returns by hand) they rely on.

> However, the IRS maintaining the capability of using old, simpler methods should be retained because it serves as a backup for (hopefully rare) situations where the primary infrastructure fails.

Certainly, functions that are short-term critical need some fallback. Functions that aren't, it may be more efficient to devote resources to restoring the primary infrastructure rather than burning them executing inefficient backup processes in the absence of primary infrastructure.

"WTF would the IRS do with a billion checks?"

You just pointed out a reliance on the banking system. The IRS cannot function without it, and that may be considered a problem. As a fail-safe measure, other means of payment or taxation should be devised/allowed, like paying with gold (or other valuable assets) or provision of services for local/national authorities.

It might have been reasonable to maintain backup paper workflows years ago when those paper workflows already existed and institutions were just starting to offer digital alternatives. But new institutions and workflows have arisen that never had paper alternatives in the first place. And it's unreasonable to expect institutions to build and test paper alternatives just as a backup. No one's going to pay for that, regardless of potential consequences.

I agree that new institutions that never had pre-internet systems are a harder problem.

> it's unreasonable to expect institutions to build and test paper alternatives just as a backup.

Some type of backup is necessary for anything critically important. From my previous [2]:

    In sum, as a matter of policy everything that is officially
    categorized as a critical infrastructure must conclusively
    show how it can operate in the absence of the Internet.
    
Depending on a single source for mission critical features has been popular since at least the dot com era. Maybe some people can live with the risk that e.g. Twitter can shut their business down at any time by banning their API key, but some institutions need to be reliable. In the past, this need for reliability led to the agreement where Intel licensed AMD to second-source[3] the 8086 and other parts.

[3] https://en.wikipedia.org/wiki/Second_source

Some type of backup is undeniably useful, but why does it have to be paper? The problem with paper vs electronic is that they're largely incompatible, requiring manual labor for interoperability. A backup system should be as drop-in as possible, so for digital systems, it should be another digital system.

Making communications digital doesn't mean that they necessarily rely on the Internet. For local dependencies, you can just as well use a local intranet, which could even be a decentralized mesh network - and the use of common protocols like TCP would allow for something like http://www.broadband-hamnet.org/ to be nearly a drop-in replacement for the whole stack above.

And for dependencies that aren't local to begin with, mail doesn't offer any advantages in terms of cascade failure - you're still relying on some centralized infrastructure that can't really be maintained just locally, and if it goes, your connectivity breaks down all the same.

Interesting! I used to wonder myself about such a dependency pushed on money. There are a lot of efforts to get all of society cashless, and it's understandable because there are upsides for many involved parties, but the downside is the reliance on its infrastructure that can fail or be attacked. I also used to wonder if people will consider this vulnerability without a precedent or not. I see this state of things persists in a lot of other systems too.

Indented text is replicated verbatim and intended for quoting code.

It's a pain in the left kidney to read on mobile.

Just use asterisks around the text to italicise it to indicate it's taken from elsewhere.

This has been a public service announcement.