The way flash NAND memory of SSDs works makes it possible for an attacker with write access to get root privileges on a system, researchers from IBM demonstrated during the WOOT ’17 conference. The method works similar to that of the ‘Rowhammer’ attack.

Rowhammer is a vulnerability in DRAM memory that allows an attacker to manipulate memory without accessing it. By repeatedly reading a specific memory location somewhere else in memory a bit can ‘flip’. This means that a ‘1’ can flip to a ‘0’ or vice versa. By flipping bits it’s eventually possible to get read and write access to all physical memory after which it’s possible to get kernel rights.

The Rowhammer attack was already demonstrated in 2015. The researchers wanted to check whether a similar attack was also possible against SSD drives with MLC NAND flash memory.

“DRAM is not the only place that holds sensitive data that is essential to the correct working of security primitives implemented in software,” the researchers write in their report. Also through the filesystem used by the operating system it’s possible to gain access to sensitive data.

For their scenario, the researchers assume that the victim runs a filesystem on a SSD disk that consists of MLC NAND flash memory. To perform the attack, an attacker needs to have ‘unprivileged’ rights to the system. The attacker doesn’t need to have physical access to the system,  it could also be a server where users can login with a regular account. This account provides the attacker with limited write access.

Just like with the Rowhammer attack on DRAM memory, also flash chips of SSDs can be manipulated on a similar way and allows an attacker to elevate his rights on the system. To protect against the attack, a SSD can be encrypted. For the future the attackers hope to demonstrate a full system attack.

Several hardware manufacturers such as Apple released updates for their devices in response to the Rowhammer attack. The researchers from IBM don’t state whether they informed hardware manufacturers about their attack.

README.md

yarn add puppeteer
# or "npm i puppeteer"

constpuppeteer=require('puppeteer');

(async() => {constbrowser=awaitpuppeteer.launch();constpage=awaitbrowser.newPage();awaitpage.goto('https://example.com');awaitpage.screenshot({path:'example.png'});browser.close();
})();

constpuppeteer=require('puppeteer');

(async() => {constbrowser=awaitpuppeteer.launch();constpage=awaitbrowser.newPage();awaitpage.goto('https://news.ycombinator.com', {waitUntil:'networkidle'});awaitpage.pdf({path:'hn.pdf', format:'A4'});browser.close();
})();

constbrowser=awaitpuppeteer.launch({headless:false});

constbrowser=awaitpuppeteer.launch({executablePath:'/path/to/Chrome'});

Starting from version 3.11 of ProtonMail, it is now possible to pay for premium ProtonMail secure email account using Bitcoin. We have designed the payment system to work seamlessly so that Bitcoin payments are automatically converted to ProtonMail credits which can be used to pay for upgrades, pay invoices, or top up your account. This feature was long overdue, so we are glad to finally introduce this.

Long time followers of ProtonMail will know that we actually have a deep connection with Bitcoin, going all the way back to the very beginning of ProtonMail’s story. We have always been quite interested in cryptocurrencies and blockchain, as they empower the same principles that inspired us to create ProtonMail. These are the principles of freedom, privacy, and an Internet ecosystem where all have an equal opportunity to thrive, free from many of the artificial constructs that control commerce today.

Our appreciation of cryptocurrencies deepened after we had a first hand experience with the potential of Bitcoin. Back in 2014 when ProtonMail first launched, our first community fundraiser was infamously frozen by PayPal, leaving us without access to the funds necessary to run the service. However, thanks to Bitcoin and the support of the Bitcoin community, we were able to continue to receive funds via Bitcoin ensuring the success of the project.

Three years on, ProtonMail has come a long way, and we are still proud to have many users from the global cryptocurrency community. As we mentioned in our guide on how to buy Bitcoins, secure email can actually play an important role in keeping Bitcoins secure, either as an email address to use with online Bitcoin wallets or exchanges, or for the storage of sensitive data.

Over the past three years, we have had an unofficial way of accepting Bitcoins which involved manually sending BTC to our Bitcoin donation address, and manually confirming the transaction with our support team to receive account credits. However, the general increase in the number of Bitcoin transactions over the years has made that approach unfeasible and made development of an automated system necessary. We feel this is indicative of a broader trend, where the increased mainstream interest in Bitcoin will make it harder for merchants not to support Bitcoin, which will lead to more Bitcoin support, more transactions, and perhaps the continued appreciation of Bitcoin prices.

From a business perspective, we have witnessed the fragility and uncertainty of the traditional financial sector, with PayPal, credit card, and bank account freezes, fraud, or hacks becoming increasingly common. For any operating business, cryptocurrencies are an important form of diversification. Whereas companies in the past might have held multiple fiat currencies distributed cross multiple financial institutions as insurance, ProtonMail is now also holding a significant portion of our reserves in Bitcoin. Ultimately, we believe having a more significant portion of our revenue via Bitcoin or other cryptocurrencies actually reduces our business risk, by providing more redundancy in the event of the failure of more traditional payment methods. While this is fairly progressive thinking today, we believe that with time, more businesses will also adopt this view.

We’re excited to further deepen our connections with the cryptocurrency community with this step, and we look forward to doing our part to ensure that the brighter future promised by blockchain does become a reality. In the coming quarters, we plan to continue improving cryptocurrency support as part of our mission to build the most secure email service ever. Let us know which coins or tokens you would like us to support next on Twitter, Facebook, Reddit or Instagram.

Best Regards,
The ProtonMail Team

We knew that Andrew Ng had more than just a series of deep learning courses up his sleeve when he announced the first phase of his deeplearning.ai last week. It’s clear now that the turn of Ng’s three part act is a $150 million venture capital fund, first noted by PEHub, targeting AI investments.

Ng, who formerly founded Google’s Brain Team and served as chief scientist at Baidu has long evangelized the benefits AI could bring to the world. During an earlier conversation, Ng told me that his personal goal is to help bring about an AI-powered society. It would follow that education via his deep learning classes is one step of that and providing capital and other resources is another.

2017 has been a particularly active year for starting AI-focused venture capital funds. In the last few months we have seen Google roll out Gradient Ventures, Basis Set Ventures hall in $136 million, Element.AI raise $102 million, Microsoft Ventures start its own AI fund and Toyota corral $100 million for AI investment.

It’s unclear at this point how Ng’s AI Fund will differentiate from the pack. Many of these funds are putting time and resources into securing data sets, technical mentors and advanced simulation tools to support the unique needs of AI startups. Of course Ng’s name recognition and network should help ensure solid deal flow and enable Ng to poach and train talent for startups in need of scarce deep learning engineers.

I’ve sent a note to Andrew and we will update this post if and when we get more details.

• The Attention Merchants: From the Daily Newspaper to Social Media, How Our Time and Attention Is Harvested and Sold by Tim Wu
  Atlantic, 416 pp, £20.00, January, ISBN 978 1 78239 482 2
• Chaos Monkeys: Inside the Silicon Valley Money Machine by Antonio García Martínez
  Ebury, 528 pp, £8.99, June, ISBN 978 1 78503 455 8
• Move Fast and Break Things: How Facebook, Google and Amazon have Cornered Culture and What It Means for All of Us by Jonathan Taplin
  Macmillan, 320 pp, £18.99, May, ISBN 978 1 5098 4769 3

At the end of June, Mark Zuckerberg announced that Facebook had hit a new level: two billion monthly active users. That number, the company’s preferred ‘metric’ when measuring its own size, means two billion different people used Facebook in the preceding month. It is hard to grasp just how extraordinary that is. Bear in mind that thefacebook – its original name – was launched exclusively for Harvard students in 2004. No human enterprise, no new technology or utility or service, has ever been adopted so widely so quickly. The speed of uptake far exceeds that of the internet itself, let alone ancient technologies such as television or cinema or radio.

Chris could have become my worst nightmare. He was a key stakeholder and decision maker on the largest active account that my company was dependent upon for its financial stability. That wasn’t the problem. The issue was that we were midway through the initial project deliverables and it was becoming apparent to team members on both sides that the budget specified on the contract was insufficient to deliver a solution that would actually meet the needs of their business. This was a huge problem. I was doing my best to navigate the situation and keep calm on the outside, but on the inside, I was stressed to the max knowing that it was possible that we could lose the account and suffer a significant financial loss.

As time went on, tensions continued to rise. Additional meetings were scheduled to discuss budgets and contracts. People started to become irritable, dig in their heels, and act in ways that were clear signs of CYA (cover your ass) in progress.

Chris could have crushed me, and yet he didn’t. In fact, he did the exact opposite and taught me an incredibly valuable lesson. Amidst the bickering on one phone call, he asked his colleagues to stop this behavior and to assume positive intent instead. He went on to describe how this is a philosophy he’s adopted in his personal and professional life as a means of being more efficient, effective, and solution focused. After all, approaching any situation with the opposite mindset results in wasted time and energy. Assuming negative intent means you’re spending lots of time second guessing everyone’s motivations, being combative instead of collaborative, and slowing everything down by having to update contracts meticulously instead of going off of a handshake.

What About When…?

No, I wouldn’t recommend applying this advice universally and haphazardly. A few caveats:

1) It’s 100% reasonable to have a high degree of skepticism within a low-trust environment. For example, I would never assume positive intent and allow my daughter to be alone with a registered sex offender just because the person claimed they had changed. I would also never trust an alcoholic with a house full of liquor. Once a person has violated trust against a particular metric, it's OK to take a different position in order not to put yourself in harm's way.

2) This advice is not without risk. Some people will leverage this against you. There are con artists and sociopaths out there. Marth Stout claims 4% of the population falls into this category. In short, if you start from a place of positive intent, you are going to get screwed over by at least one out of 1 out of every 25 people you encounter because they literally have no moral compass. However, in my experience, the rewards outweigh the risks. To invert the statistic by Martha, 24 out of 25 people can feel legitimately bad if they know they’ve caused harm to someone else. Essentially, the vast majority of the population has a conscience that acts as the moral compass to steer them from intentionally causing hurting others. It doesn’t always work, but it’s better than nothing. And given that 96% of people fall into this category, I feel there is a greater risk in approaching those relationships from a place of distrust.

The ROI of Trust

There is an entire book called The Speed of Trust that provides qualitative and quantitative evidence that high trust situations result in massive gains in efficiency and effectiveness in relationships. We know this intuitively. If we are skeptical of an expensive new product or service, we might spend hours of time researching to make sure we’re making the right decision. However, if we get a recommendation from someone we trust, that may be all we need to decide in an instant.

So if trust is so valuable, how can we get there more quickly? Well, there are two different ways. We can start from a place of skepticism until someone has proven themselves worthy to be trusted. Or we can start from a place of positive intent right from the beginning and keep it there until they violate that trust. Both are feasible, but only by extending trust first will most relationships ever get to the place where you can experience the gains outlined in Stephen M. R. Covey’s book.

Just remember there are caveats. It’s all a matter of if you’re willing to accept the risks!

Photo by Charles Deluvio on Unsplash

Reddit is home to more than 100,000 of the internet’s most passionate and engaged communities, and we want to give all of them the best tools to express themselves and engage in deeper conversations. That’s why we’re excited to announce the extended rollout of Reddit video beta, which makes it easier than ever for redditors to capture, upload, and share videos and gifs with all their favorite communities.

This launch is a giant step forward in our efforts to bring rich content to Reddit, following last year’s release of native image hosting and our introduction of native video ads earlier this year.

So what is Reddit video hosting? Here’s everything you need to know:

• You can record video within the official Reddit apps or select a pre-recorded video from your gallery and upload it to Reddit.
• On desktop, you can select a video from your files to upload.
• Allowed video file types are MP4 and MOV, with a maximum length of 15 minutes.
• You can convert uploaded videos into MP4 gifs with our native gif converter.
• On the mobile apps, you can trim uploaded videos and gifs to just the section you want to feature.
• Best of all, you can watch Reddit video while you read comments and engage in conversation. (Check it out by clicking this post and scrolling down.)

Why Native Video?

If you’ve spent any time on r/HighQualityGifs, r/mealtimevideos, or just about any other Reddit community, you know that videos and gifs represent a major proportion of the content shared on our site. But prior to this launch, content creators had to go through a time-consuming, circuitous process to post videos, using third-party hosting platforms, copying URLs, and sharing them as link posts. This inhibited many users, especially those who capture videos on their phones and want to share them quickly with their favorite subreddits.

With native video, we’ve streamlined this process dramatically, allowing both content creators and commenters to focus on the conversation taking place on Reddit. No third-party uploads, new tabs, or back arrows necessary.

Beta Tests and User Feedback

Of course, given Reddit’s scale, implementing video hosting that could support our vast and varied userbase was a massive undertaking. We also wanted to ensure that video would be available to redditors across all our platforms, so we worked to launch hosting on iOS, Android, and desktop at the same time. And to ensure we’re offering our users a best-in-class experience, it was important to roll this out slowly, soliciting feedback from individual redditors, video and gif communities, mod teams, and content creators along the way.

As we began beta testing, we found that the most engaging types of video weren’t coming from popular users trying to establish their individual brands, as you might see on other platforms.Instead, our video adopters so far have been creating and sharing videos to engage within their specific Reddit communities, as an organic extension of conversations already happening on each subreddit. These users don’t need to worry about building a huge subscriber base or posting to an abyss of content because they’re posting directly to the communities that share their passion.

We’ve seen redditors recording videos of their head to ask r/Hair for recommendations before their next haircut:

One user shared a slow-motion shot of his golf swing to ask the pros at r/golf for tips:

Redditors who attended Tesla’s Model 3 launch posted videos of the car’s new features to r/teslamotors:

And of course the pet lovers have already taken to Reddit video to share their adorable doggos with communities like r/aww:

Throughout the beta process, we’ve found that native video doesn’t merely improve the content creating process; it offers a unique new format for expression and interruption-free engagement once the post is live. Because our video platform keeps a small preview window open at the top of the screen as you browse the comments below, you can transition seamlessly between viewing, lurking, and commenting on Reddit videos.

It’s already proving its value to our communities, content creators, publishing partners, and brands, who are eager to start using native video to engage in conversation with Reddit communities in new ways.

Your First Reddit Video

We will continue to evolve Reddit video as we collect additional feedback from our users, so you can expect more updates in the coming months. In the meantime, if you’d like to try out your first video or gif post, here’s a step-by-step guide to uploading:

Desktop:

• Click “Submit Link” on a Reddit video-enabled subreddit
• Click “Choose File”
• Select an MP4 or MOV video file to upload
• Choose a thumbnail for your video
• Add a title
• Click “Submit”

Mobile Apps:

• Click “Post something interesting” at the top of your “Home” feed
  • Or, on a Reddit video-enabled subreddit, click “Post to r/___”
• Select “Image/Video”
• Click “Camera” to record a new video or “Library” to select one you’ve already recorded
• Add a title
• Click “Post” to submit

(Startled cats, sneezing seals, and doggo eye-bleach not included.)

Want to give us feedback? Let us know your thoughts on r/beta and stay tuned for more updates.

#Background

The innovation of serverless compute (FaaS) was huge. It dramatically decreased operational complexity and allowed developers to perform compute more easily than ever.

Then entered the Serverless Framework, which offered an application experience of functions and events around serverless computing. This is now widely known as serverless architecture.

Despite being relatively new, serverless architectures have proven themselves well. Serverless teams consistently exhibit shortened time to market, increased developer productivity and reduced operational overhead.

But there has been a missing piece. Developers have been locked into a single cloud provider, unable to perform service communication between various services. They have been left without a good way to perform service discovery across different teams and applications.

That is exactly why we made Event Gateway.

#Introducing: The Serverless Event Gateway

The Event Gateway is an open-source communication fabric for serverless architectures. It combines both API gateway and pub/sub functionality into a single experience.

Inside the Event Gateway, all data is considered to be an event. This lets developers react to data flows of all their applications in a centralized way, with serverless compute.

This is powerful; when developers can manage those data flows from a single place, they can take events from one provider and trigger functions on another provider. Serverless architectures become truly cross-cloud.

#Features

The Serverless Event Gateway is the missing piece of serverless architectures.

#Cross-cloud

Businesses do not want to be limited by where they can access their data. With Event Gateway, any of your events can have multiple subscribers from any other cloud service. Lambda can talk to Azure can talk to OpenWhisk.

This makes businesses completely flexible. Building an events-first experience that exists cross-cloud and on-premise protects you from lock-in, while also keeping you open for whatever else the future may bring.

#Open Source

The Event Gateway is open-source and platform agnostic. Use it to create the cohesive nervous system of your digital business.

Run it on all the major cloud providers, on-premise or in a hybrid architecture. Unify events from all over your system. Even teams who are working on separate applications can easily share resources that shave time and overhead.

#Tightly integrates with Serverless Framework

The Event Gateway ties right into the Serverless Framework and is available for developers to use locally today.

#Get started

Use the Event Gateway to start taking full advantage of the serverless cloud. Serverless architectures just got their missing backbone.

The Event Gateway is currently in beta, and is available to use locally via the Serverless Framework. To check out the code, see the repo here and walk through the example app.

The Matasano Crypto Challenges

I recently took some time to work through the Matasano crypto challenges, a set of 48 practical programming exercises that Thomas Ptacek and his team at Matasano Security have developed as a kind of teaching tool (and baited hook).

Much of what I know (or think I know) about security has come from reading tptacek's comments on Hacker News, so I was intrigued when I first saw him mention the security challenges a few months ago. At the same time, I worried that I'd be way out of my depth attempting them.

As a programmer, my core strengths have always been knowing how to apologize to users, and composing funny tweets. While I can hook up a web template to a database and make the squigglies come out right, I cannot efficiently sort something for you on a whiteboard, or tell you where to get a monad. From my vantage point, crypto looms as high as Mount Olympus.

To my delight, though, I was able to get through the entire sequence. It took diligence, coffee, and a lot of graph paper, but the problems were tractable. And having completed them, I've become convinced that anyone whose job it is to run a production website should try them, particularly if you have no experience with application security.

Since the challenges aren't really documented anywhere, I wanted to describe what they're like in the hopes of persuading busy people to take the plunge.

You get the challenges in batches of eight by emailing cryptopals at Matasano, and solve them at your own pace, in the programming language of your choice. Once you finish a set, you send in the solutions and Sean unlocks the next eight. (Curiously, after the third set, Gmail started rejecting my tarball as malware.)

Most of the challenges take the form of practical attacks against common vulnerabilities, many of which will be sadly familiar to you from your own web apps. To keep things fun and fair for everyone, they ask you not to post the questions or answers online. (I cleared this post with Thomas to make sure it was spoiler-free.)

The challenges start with some basic string manipulation tasks, but after that they are grouped by theme. In most cases, you first implement something, then break it in several enlightening ways. The constructions you use will be familiar to any web programmer, but this may be the first time you have ever taken off the lid and looked at the moving parts inside.

Here are the cryptographic topics covered:

Going into the challenges, I worried that my math wouldn't be up to the task. My impression of Serious Crypto was that it required all kinds of group theory, abstract algebra, elliptic curves, vector spaces, and other scary stuff. But while this may be true, the math content for the practical challenges was much gentler:

While the math concepts weren't hard, getting a real feel for them took work (and this was the point of the exercise).

If you're an experienced programmer, the Matasano challenges are also a terrific excuse to try a new programming language. It's always much more fun to solve real problems than it is to write a Manager object that inherits from Employee.

Here are the language features I found myself using most:

• string manipulation (ranges, substrings)
• bitwise operators
• lookup hashes
• conversion between string and number formats
• big integer operations
• packing and unpacking binary data
• pattern matching
• url manipulation
• client/server interaction over a socket

Altogether it took me about three weeks to do the full cycle, working pretty intensively. Skilled programmers will find the going much faster, especially if you're comfortable with bit twiddling. Very few of the problems were downright hard, though some required several hours of work. I spent most of my time stepping through algorithms in pursuit of bugs, and in the process really got a feel for the moving parts in various cryptographic constructions.

I would compare the experience to having only ever read cookbooks and watched cooking shows, and then being asked to fry an egg. You know exactly what to do... in principle.

Some of the challenges have a payoff, in that you decrypt a short bit of secret text. This is incredibly fun. Seeing a cracked message come up on the screen after an evening of bug chasing reminded me of how it felt to be a kid in front of my Apple ][, finally getting it to beep or draw a circle or print DONGS all over the screen. Some of the later challenges even display the answer 'Hollywood style', where you get to see it decrypt one letter at a time in a cascade of print statements.

While the rules don't stipulate it, I think it's a good idea not to look at anyone's code if you try the challenges. The goal here is to convert message-board levels of understanding into actual knowledge, and the only way that works is if you bang your head on the task without seeing how anyone else has done it. Sean was really helpful in helping me navigate difficult spots, and the challenges are not set up to intentionally trick you. But you will need the kind of graph paper with the small squares.

What surprised me most:

1. How practical these attacks were. A lot of stuff that I knew was weak in principle (like re-using a nonce or using a timestamp as a 'random' seed) turns out to be crackable within seconds by an art major writing crappy Python.

2. There is no difference, from the attacker's point of view, between gross and tiny errors. Both of them are equally exploitable. In at least three challenges, the mere fact of getting distinguishable error messages was enough to recover the entire message.

This lesson is very hard to internalize. In the real world, if you build a bookshelf and forget to tighten one of the screws all the way, it does not burn down your house

3. Timing attacks are much more effective than I imagined.

4. Someone who can muck with your ciphertext is halfway to reading it, possibly with your secret key for dessert.

5. Some mistakes are incredibly non-obvious. I had no idea you had to super-carefully pad RSA, for example.

6. Even on a laptop, in 10 minutes you can do a terrifying amount of computation. It really is 2013.

I mentioned earlier that I thought every web programmer should try their hand at these. It is very illuminating to look at your own web app from the vantage point of an attacker actually writing code. At the very least, you will never be confused about cipher block modes again, or have to worry that someone will ask you to explain how a public key works in an interview. And there is a whole slew of dumb mistakes you will now avoid (replacing them with smarter mistakes that will become the subject matter of challenges 48-96).

The best part, from a web app developer's perspective, is that you never once write a SQL statement or HTML tag.

Here are some specific lessons from the challenges that I will apply to my own work:

1. Keep meaningful data out of tokens (like cookies) that I hand out to clients. Use random values keyed against a database, memory store, or wherever.

2. If I have to put data in tokens, include an integrity check, and pay a real crypto person to vet it.

3. I must never seed a PRNG with a timestamp. I used to do this with microsecond precision thinking I was being clever. Then I went ahead and wrote a script that guessed the seed value in just a few seconds, and now I will never do that again.

4. Use constant-time string comparisons when testing incoming data against some target value for authentication purposes. This is easy enough to do in most languages to make it cheap insurance.

5. Anything related to authentication should only fail in one way. I must not provide distinguishable errors to the user.

6. If possible, find a way to log the fact that someone is making a lot of weird queries against my site. For extra points, try not to make the logger itself hackable.

7. No third-party javascript. I hated it already, now I hate it more.

8. Cut off one of my fingers each time I re-use a nonce.

Having read this post, you can go to Hacker News and comment in Talmudic detail about what is right or wrong in the conclusions I drew. But a much better idea is to just email Sean and have a crack at the challenges yourself. You will have a good time!

One final observation. Crypto is like catnip for programmers. It is hard to keep us away from it, because it's challenging and fun to play with. And programmers respond very badly to the insinuation that they're not clever enough to do something. We see the F-16 just sitting there, keys in the ignition, no one watching, lights blinking, ladder extended. And some infosec nerd is telling us we're can't climb in there, even though we just want to taxi around a little and we've totally read the manual.

Doing these challenges is a great way to 'shake your sillies out', as Raffi might say, without hurting yourself or your users. You get to put on the flight suit, climb into the simulator, and crash that plane in every conceivable way.

I would like to sincerely thank Thomas and Sean and everyone at Matasano who worked on these challenges, and implore people in other technical fields to consider offering something similar. It's the most fun I've had programming in years!

—maciej on April 18, 2013

If the Web and the Net can be viewed as spaces in which we will increasingly live our lives, the economic laws we will live under have to be natural to this new space. These laws turn out to be quite different from what the old economics teaches, or what rubrics such as "the information age" suggest. What counts most is what is most scarce now, namely attention. The attention economy brings with it its own kind of wealth, its own class divisions - stars vs. fans - and its own forms of property, all of which make it incompatible with the industrial-money-market based economy it bids fair to replace. Success will come to those who best accommodate to this new reality.

Explanatory note: This article began as a draft of a conference[ * ] presentation, and has been left pretty much in that form. Another version was actually presented.

My vantage point is quite different. What we mean by economics cannot be taken for granted if what we are talking about is the economics which applies, say, to the Internet, or more generally to cyberspace, or more generally still, to life in the foreseeable future. We are moving into a period wholly different from the past era of factory-based mass production of material items when talk of money, prices, returns on investment, laws of supply and demand, and so on all made excellent sense. We now have to think in wholly new economic terms, for we are entering an entirely new kind of economy. The old concepts will just not have value in that new context.

Of course, there is nothing so new about the insight that the Internet is part of a revolutionary change in the way we do things and also in why we do them. Many names for the new era have been invoked: the information age, the Third Wave, the move towards cyberspace, all of which point, vaguely at least to the fact that new patterns of activity and of interrelationships among people are now emerging. The trouble with that insight is that it is so vague that you can easily agree with it without feeling the necessity of changing your economic thinking in the least. My effort over the past several years - it's embarrassing to admit how many - has been to overcome that vagueness, to come up with specifics about what this revolution actually implies. My conclusions are that we are headed into what I call the attention economy.

Before offering any details about the new economy itself I want to deal with a feeling you no doubt have. "Economics is economics; it really can't change." Even if you are not saying that in so many words, I feel fairly confident it is somewhere in your mind at this point. To try to convince you at least to have some doubts about that certainty, let me invoke two different analogies. (Since it is obviously beyond my capabilities to explain the full workings of an entire new economy in the brief time available here, getting you to take the thought of it seriously would not be a useless accomplishment.) The first analogy comes from science. Most scientists would agree that early in its existence, the planet Earth held no life. There were various kinds of minerals, volcanoes, sea water, chemicals in solution - lots going on, but all of it understandable in terms of the laws of physics, chemistry, geology. Then, fairly suddenly, some chemical molecules began to commingle in a new way, capable of growing and reproducing. Life had emerged, and, in its tremendous variety, grew and flourished according to completely new laws, the laws of molecular biology, of physiology, of ecology and so on.

To try to understand life solely on the basis of the old laws of physics and chemistry, would be an enormous, crippling mistake; you couldn't talk about the most obvious things, like sex or aging or digestion or species or parasites, since those are all biological concepts that have no place in physics or chemistry. The parallel I want to draw is that the new kinds of connection that the Net and cyberspace make possible also demand a whole new way of thinking if you are to understand what is going on between people, the kinds of organized effort that are now possible, the motivations that most matter, and a host of other facets of life.

This analogy is imperfect in one way though. I don't mean to imply that the new concepts of economics we need come on top of or in addition to the old concepts. Rather, economics is about the overall patterns of effort and motivation that shape our lives, and it is these patterns and motivations that are changing. That implies a wholly new set of economic laws that replace the ones we all have learned.

My second analogy should make this point more clearly. It also involves looking back to an earlier time, but, instead of billions of years ago we now must think back a mere five centuries. The expansion into cyberspace now underway parallels the expansion of European civilization into North and South America that followed Columbus's discoveries, exactly 498 years before Tim Berners-Lee discovered, or rather invented, the Web. Europe back then in the 15th century was still ruled pretty much on feudal lines, and the feudal lords took it for granted that the new world would be a space for more of a feudal economy, with dukes and counts and barons and earls ruling over serfs throughout the newly discovered continents. They did in fact begin to set up that system, but it was not what turned out to flourish in the new space. Instead, the capitalist, market-based industrial economy, then just starting out, found the new soil much more congenial. Eventually it grew so strong in North America that, when it re-crossed the ocean, it finally completed its move to dominance in Western Europe and then elsewhere in the world [ 1 ].

Contemporary economic ideas stem from that selfsame market-based industrialism, which was thoroughly different from the feudal, subsistence-farming-based economy that preceded it. We tend to think, as we are taught, that economic laws are timeless. That is plain wrong. Those laws hold true in particular periods and in a particular kind of space. The characteristic landscape of feudalism, dotted with small fields, walled villages, and castles, differs markedly from the industrial landscape of cities, smokestack factories and railroads, canals, or superhighways. The "landscape" of cyberspace exists only in our minds, perhaps, but even so it is where we are increasingly coming to live, and it looks nothing like either of those others. If cyberspace grows to encompass interactions between the billions of people now on the planet, those kinds of interaction will be utterly different from what prevailed for the last few centuries, or ever before [ 2 ].

If you want to thrive in this new world, it behooves you not to mistake it for a place where the dukes and earls of today will naturally continue to prosper, but rather to learn to think in terms of the economy natural to it [ 3 ].

Well, my title gives it away, of course. There is something else that moves through the Net, flowing in the opposite direction from information, namely attention. So seeking attention could be the very incentive we are looking for. Parenthetically, I have now rejected both parts of the conference title; no economics in the conventional sense, and not digital information either. You might conclude I am speaking at the wrong conference. I would rather say it has the wrong title. Except the title did serve its purpose. It did get your attention, and that was something, in fact a lot.

Attention, at least the kind we care about, is an intrinsically scarce resource [ 4 ]. Consider yours, right now. You are reading this paper, or more likely, since it is intended to be delivered at a conference, listening to me speaking it. You have a certain stock of attention at your disposal, and right now, a large proportion of the stock available to you is going to me, or to my words. Note that if I am standing in front of you it is difficult to distinguish between paying attention to me and paying attention to my words or thoughts; you can hardly do one without doing the other. If you are just reading this, assuming it gets printed in a book, the fact that your attention is going to me and not just to what I write may be slightly less obvious. So it is convenient to think of being in the audience at this conference in order to consider what attention economics is all about.

First of all, if this talk is not a total bust, at this moment I am getting attention from a considerable audience. There is a net flow of attention towards me. If this is a reasonably polite group, there may be no great competition for your attention at the moment, but nonetheless, if there were, you would have to choose, or someone else, say the chair, would. The assembled audience cannot really pay attention to very many people speaking at once, usually not to more than one, in fact. Which is another way to say that the scarcity of attention is real and limiting.

Now this might not matter if attention were not desirable and valuable in itself, but it is. In fact, it is a very nice feeling to have respectful attention from everybody within earshot, no matter how many people that may include. We have a word to describe a very attentive audience, and that word is "enthralled." A thrall is basically a slave. If, for instance, I should take it in my head to mention panda bears, you who are paying attention are forced to think "panda bears," a thought you had no inkling would come up when you decided to listen to this talk. Now let me ask, how many of you, on hearing the word "panda" saw a glimpse of a panda in your imagination? Raise your hands, please. Thank you. ... A ha.

What just happened? I had your attention and I was able to convert it into a physical action on some of your parts, raising your hands. It comes with the territory. That is part of the power that goes with having attention, a point I will have reason to return to. Right now, it should be evident that having your attention means that I have the power to bend your minds and your bodies to my will, within limits that in turn have to do with how good I am at enthralling you. This can be a remarkable power. When you have superb control over your own body, so that you can perform great athletic feats, it feels great; likewise, it feels good when your mind feels focused and powerful; how much more wonderful then to be able to have the minds and bodies of others at your disposal! On the rather rare occasions when I have felt I was holding an audience "in the palm of my hand, hanging on my every word," I have very much enjoyed the feeling, and of course others who have felt the same have reported their feelings in the same terms. The elation is independent of what you happen to be talking about, even if it is to decry something you think is horrible.

Of course, not everybody necessarily wants a great deal of attention, just as in a money economy not everybody wants a great deal of money or many of the material goods that money can buy. But, just as in a money economy practically everyone must have some money to survive, so attention in some quantities is pretty much a prerequisite for survival, and attention is actually far more basic. This has always been the case for tiny babies. About the only thing they can get for themselves, or can give, is attention, which they begin to do within a half hour of birth, by smiling at those who smile at them. Without attention an infant could never satisfy its material needs, for food, warmth, fresh diapers, being burped, and so on. At a slightly later stage infants and toddlers need attention if they are to develop any sense of themselves as persons, and neither of those needs ever completely goes away. So even if you do not especially make a point of reaching for attention, even if you are very shy and reclusive, you still probably cannot do without some minimum, which however reluctantly, you may have to fight for. And no matter how humble you now may be, at some time in your own childhood you certainly sought attention, or you wouldn't be here.

As we move towards an attention economy in a fuller sense, the ethos of the old economy which makes it often bad taste or a poor strategy to consciously seek attention seems to be giving way to an attitude that makes having a lot of attention rather admirable and seeking it not at all to be frowned upon. Think of the sorts of things people are now willing to admit about themselves just to get on the likes of Oprah or the Sally Jesse Raphael show. Even the President of the United States is willing to discuss his underwear on nationwide television.

Consider an ordinary conversation. You could describe it as the exchange of information, but except in a highly technical sense that is rarely a very accurate description of what takes place. A conversation is primarily an exchange of attention. When you say "how are you?" for instance, you don't really want to know, as a rule, but if whomever you're talking with chooses to say how he or she is, it is more to get attention from you than to convey information. Even if this person genuinely thought you did want to know about her/his health, in answering, s/he would be attempting to pay attention to you. And even if you, in turn genuinely did want to know, the usual reason would be to pay attention to her/him.

Information, in the sense of something not previously known to one of the parties or another is secondary, if present at all. If I want your attention for any reason, I might begin by asking you for information, such as who you are and what you do, not necessarily because that is of great interest to me, but because it is a good way to get your attention. Children ask countless questions with this motive often patently obvious, and adults are not necessarily any different. Even if I am desperately searching for some fact that you happen to know, to get it from you I first have to get your attention. So what really matters in every conversation is the exchange of attention -- an exchange that normally must be kept more or less equal if one party or the other isn't likely to lose interest.

What I am trying to get at here is that while you would normally want a conversation to involve a more or less equal exchange of attention, in the special circumstances that you are listening to a speaker, your feelings about what is a fair exchange are altered. What I would suggest is going on is less that I am providing you with information that you deem in advance will be of value, than that I am offering you individually the illusion of my full attention. I don't claim to be very good at this, but what I have done to some extent is to set up some expectations in you about what I will get to by the time the talk is finished, and any sense of progress towards that goal then feels as if I am filling your need, even though it is a need I have subtly created. (Any speaker must somehow do this, of course, to hold attention.)

If rhetoric is the art of persuasive speech, then anyone who speaks or writes or seeks attention in any way has to become something of a success in the special rhetoric of persuading listeners, readers, and so on, that he or she is meeting their individual needs, when in fact some of these needs have been artfully set up in advance [ 5 ]. You want to know what I am driving at, for instance, because I have already provided clues galore that I am driving at something that should matter to you.

My success, if any, in meeting these expectations I have myself set up in you will appear to be attention - call it illusory attention - that flows from me to you. That helps create an apparent equality of attention, and it can in fact go beyond that to create a feeling of obligation on your part or the part of other readers or listeners. The audience members can each feel they have not paid as much attention to a speaker as the speaker has paid personally to them, even though, in a very real sense the reverse is closer to the truth. The speaker may still not know them from Adam though they have the speaker's visage, voice, and thoughts permanently etched in memory.

Now, the fact that attention can be passed on from someone who has it to someone else, and on and on, is of course a vital feature if there is to be anything resembling an economy. We will return to this general point. But right now, I want to combine the idea that I could pass the whole audience's attention on to you with the thought I introduced before that you can feel in a certain sense that I am paying attention to you specifically - what I referred to as illusory attention. Since I observably do have at least a good fraction of the whole audience's attention, if I were to pay attention specifically to you in reality, by singling you out, I would of course be paying not only my own attention but that of everyone else here, and yet, it would seem to be arriving at you through me.

It bears repeating: We are living a temporary attention economy in miniature right at this moment. It should be evident by now that everyone has always lived with some degree of an attention economy, but through most of human history it hasn't been primary. Material needs and the production of material goods or the provision of purely material and basically impersonal services such as railways held sway. Even fifty years ago, the percentage of the American population that could take basic material needs for granted and didn't work directly in factories or on farms was much smaller than it is today.

If you look at how you live your life when you are not attending this conference, you will probably see that quite a bit of what you personally do is better characterized as involving attention transactions than monetary transactions. You most likely make many more decisions every day about where and towards whom your attention should now go than about where your or anyone else's money should go. It is an issue every time you get a phone call, receive a memo, see someone you know waving at you, decide whether to go to a movie, or surf the Web, to list just a few examples. You are probably quite concerned too with getting attention in one way or another, or perhaps helping someone else get it. In this you are typical of a growing proportion of our society, and indeed of almost every sizable society on this globe now.

Yet strangely, we are all busier than ever. In fact, in the light of what I have been saying so far, that is not so odd. It is precisely because material needs at the creature comfort level are fairly well satisfied for all those in a position to demand them that the need for attention, or what is closely related to attention, meaning or meaningfulness of life, takes on increasing importance. In other words, the energies set free by the successes of what I refer to as the money-industrial economy go more and more in the direction of obtaining attention. And that leads to growing competition for what is increasingly scarce, which is of course attention. It sets up an unending scramble, a scramble that also increases the demands on each of us to pay what scarce attention we can.

And because we all need some attention, as competition for it rises, the effort begins to take on still more importance. When real attention of the right sort is unavailable, one has to make do to make do with the illusory kind, which comes through an increasing variety of media: paperback books, sound recordings, movies, radio, magazines, TV, video, and most recently computer software, CD-ROMs and the Web.

So it is no coincidence that some of the most popular uses of computers, fax machines, networks, phone systems, etc., have more to do with getting attention than with directly aiding what they are supposedly about, increasing productivity of an organization or society as a whole [ 6 ]. For an important truth is getting attention is of primary value to individuals rather than organizations, and attention also flows from individuals. This conference is sponsored by several organizations, most notably Harvard University, and quite possibly additional organizations have sent more than one attendee apiece. However, within the confines of the conference, attention flows primarily irrespective of organizational affiliation.

If you are after attention, you use whatever organization you are part of as a stage upon which to perform for as wide an audience as you can manage. The Web and the Internet fit well in this model. The physical walls and barriers that might once have defined a university, a government bureau or an industrial corporation, making outside and inside sharply distinct, are pretty much no barriers at all on the Web or the Internet, or even on a phone system equipped not with a central switchboard allowing an operator to direct every incoming call but, as most are today, with direct inward dialing. You often don't even know what organization goes with the number you are dialing, the e-mail message you are responding to or the particular Web site you have been linked to.

In a full attention economy practically all organizations will be basically temporary, either communities in which attention is shared around pretty equally, or, more often, entourages of fans who form around one or a few stars to help them achieve the performances they are attempting. Think of the groups that come together to make a movie or to create a new piece of software, etc. More often than not, a few stars dominate the process; in the case of a movie, it is not only the main actors, but the directors, writer, producer, and possibly the cinematographer, the chief editor, and a few others. If the movie is to be made, everyone else involved focuses their attention on these stars; afterwards, the stars usually go their separate ways, bringing together different entourages for their next performance.

With the endless originality and diversity of the attention economy, that kind of exchange is no longer possible. Even though one can loosely compare amounts of attention paid to different performances, attention does not come in precise, indistinguishable units, and neither does the illusory attention for which it is exchanged.

This transparency will even more be the case in the very near future, and, as a result, organizations will diminish in importance at rapid pace, relative to the importance of the individuals who are temporarily in them. Even as stable and long-lasting an institution as Harvard will be less its familiar buildings and more the people in the buildings, and the networks of attention among them. And whether these people are physically at Harvard or somewhere else will matter less and less, until the institution loses all coherence, all distinctness from other universities or from any one of hundreds of other organizations which have audiences in common.

In a full-fledged attention economy the goal is simply to get either enough attention or as much as possible. Recall now what I pointed out earlier: if you have a person's full attention, you can get them to perform physical acts, ranging from moving their eyes to follow you, to raising their hands, to applauding, to bringing you a glass of water, to handing you a sandwich, or, as is not uncommon in the case of rock groupies or sports fans, having sex with you (to cite a notorious example). Just as a parent paying attention to a child fills its material wants and desires, so a fan, that is anyone paying attention can feel an obligation or a desire to do the same for whomever they are paying attention to.

Wealth that can endure and sometimes be added to is what we mean by property. Thus, in the new economy attention itself is property. Where is it? Primarily it is located in the minds of those who have paid you attention in the past, whether years ago or seconds ago. You may have forgotten all about some children's author whose books you had read to you as a child, but if you come across the book again, your memory will very likely be reawakened. Likewise you will remember actors you saw on television, sports figures who captured your attention in the past, professors, teachers, politicians, business leaders, etc. Thus, attention wealth can apparently decline, only to revive later. It is rarely entirely lost.

Seeing this kind of wealth as property suggests a strategy for maintaining and enlarging what you have that is far different from what is usually considered to be the case when dealing with ideas or information. Suppose you get attention through some text you send out over the Internet. Would you want your audience to copy this and pass it on to others who might pay attention in turn? Of course you would. It would be insane to want to stop or restrain such copying, since that would deprive you of much attention you could otherwise get. This is an area, clearly, where the new economy and the old are at sharp odds. Thus the fight over intellectual property and rights to make copies is actually a struggle between the outlooks of the new economy and the old, a reason why they cannot both coexist forever, and thus a feature of the period of transition from old to new.

Within the framework I have suggested, there is little mystery as to why this should be. If fans are willing to do anything up to some limit for stars, such as wait in long lines to see them perform, avidly make sure to be there when they come to town, applaud them and sing their praises however they can, often paying more attention to stars than to members of their own families and so on, then it should come as no surprise that fans are also willing to pay out money at the stars' behest. It is just one more way to follow a star's wishes.

In other words, money now flows along with attention, or, to put this in more general terms, when there is a transition between economies, the old kind of wealth easily flows to the holders of the new. Thus, when the market-based, proto-industrial economy first began to replace the feudal system of Western Europe, in which the prime form of wealth was aristocratic lineage and inheritance of land, both the noble titles and the lands that went with them soon ended up disproportionately in the hands of those who were good at obtaining what was then the new kind of wealth, namely money.

With considerable ease, the rising merchant and industrialist class could buy old titles, induce governments to grant them brand new ones, or marry into the old impoverished gentry. The parallel today, again, is that possessors of today's rising kind of wealth, which is attention, and whom we label stars of every sort, have an easy time getting money.

But now let me point out that the other way round doesn't work nearly as easily. Contrary to what you are sometimes urged to believe, money cannot reliably buy attention. Suppose it did work that way. Then you could have been paid to sit here and listen closely even if I were to read you something as boring as the phone book or an unabridged dictionary. Presumably it wouldn't even matter if I kept repeating the same few syllables over and over. If money could reliably buy attention, all I would have to do is pay you the required amount and you would keep listening carefully through all that, not falling asleep en masse, nor allowing your minds to wander. In truth, even if you had been paid a huge sum, this would be most difficult, and if you did it, it would be a testament more to your own deep sense of principle than to a general condition in which another roomful of similar people could be expected to do equally well.

Someone who wants your attention just can't rely on paying you money to get it, but has to do more, has to be interesting, that is must offer you illusory attention, in just about the same amounts as they would if you had instead been paying money to listen to them -- which by the way is closer to the case here. Money flows to attention, and much less well does attention flow to money.

Bill Gates is also a good example of how even monetary fortunes of his magnitude are in larger and larger measure just covers for stardom. A century ago, Gates' analog would have been John D. Rockefeller, leader and chief owner of the Standard Oil Trust. His wealth consisted chiefly of oil fields, oil wells, tanker cars, refineries, and so on -- material things that would have been worth just as much if someone else bought him out. Rockefeller could have sold his interests and still kept about the same net worth, which is what monetary net worth is supposed to mean. But the share value of a company such as Microsoft is already far more a result of attention-getting and the star process. Its future sales, for instance, largely depend on software that is yet to be completely designed.

If Gates were to decide to sell out and buy control of the XYZ Corp. instead of staying at the helm of Microsoft, as soon as he let this be known, his Microsoft stock would fall precipitously and XYZ's would rise. His own net worth would plummet, at least temporarily, but such is the attention wealth he has, that as soon as he began to issue pronouncements from his new stage, XYZ's stock would probably rise further, and Gates' former monetary wealth might magically reappear. Despite the fact that the arena in which he made his mark happens to be business, it is already true that Gates' actual wealth, and that of many like him, is less in money or shares of stock than in attention.

• A continuing rapid rise in the number of people attached to the Web and trying to get attention through it.
• A continuing growth in the capacity of those on the Web to send out multimedia or virtual reality signals, and thus to capture attention through all these means. Say you are primarily a writer of mere words, i.e. text; still, on the Web you will be able to supplement your writings with your picture, with video images, with recordings of your voice, with interviews or pieces of autobiography. The advantage of doing that is that by offering potential readers a more vivid and rounded sense of who you are, you can both increase their sense of who it is who is offering them illusory attention, and have them have a clearer and more definite feeling than otherwise of what it is like to pay attention to you, rather than to some other writer of similar sounding words. Both these effects can help you hold their attention better. This of course helps explain why authors' pictures are so commonly stuck on book jackets, and increasingly on the front cover rather than the back.
• All this and more will make the Web a better and better means of transmitting and circulating attention, a circulation that is essential for a full-fledged economy to emerge. To show that most strikingly, consider an author in the distant past, say the ancient Greek philosopher Aristotle. Over the past than two thousand years and more, his writings have gotten the direct attention of probably millions of readers. Still, except for contributing to his "immortality," the vast majority of that attention did him little personal good, since it came when he, along with all known descendants, had been long dead. Very few of today's attention getters can expect to remain in the public eye for thousands of years, but they do have a far better shot at reaping the benefits of attention from millions of people through the Web while they are still alive. Thus they can live, and live well, in the new economy.
• Individual attention getters of all sorts will find it ever easier to get attention directly through the Web, without any corporate packaging necessary. They will also find diminishing advantage in trying to make use of money, since attention in a wider and wider a variety of forms, filling more and more of their needs will be able to flow to them either directly through the Web, or as a kind of adjunct to it.
• Companies of all kinds will have less definite and fixed structures, since they will be structured not by physical walls and buildings, but through the Net itself, and more and more of their proceedings will be done in the full glare of Web attention, as temporary and rapidly re-forming projects. This means that companies will be unable to provide even what loyalty they do now to their employees, or say, in the case of publishers, to authors who have signed with them. Just as baseball stars move around from team to team or TV stars from network to network, so employee loyalties to companies will decrease as well. What will matter more for everyone is the stars one has particular loyalty to, or the Net communities of which one is a part and through which one gets attention.
• Attention transactions, which already are far more numerous than monetary transactions will come to dominate even further. So even if you have lots of money, you will find it less and less convenient or worthwhile to bother to use it. As a result, our deeply ingrained desire for monetary recompense will begin to fade as well.

Say for example you work for a book publisher today. If you have any sense, you understand your employer as temporary. You will either strive to achieve stardom through what you do in your current job directly - say by being a great editor, a great marketer of books, a very visible cover designer or something of the sort - or (and this is not an exclusive but an inclusive or) you will want to be as visible and indispensable a part of what I call the entourages of bigger stars, so that through them you can get indirect attention. Your interest in your company's success as such is like a Major League baseball player's interest in his current team's success, something that can help him shine, and valuable to the extent that it does, but less valuable if it keeps him from displaying what he does best.

Simply amassing money (say by investing a large chunk of your salary in stocks) is not necessarily the best strategy if you believe you can do that without bothering to capture and in some way maintain some attention of your own. Even if the stock market never goes down, money, like the aristocratic titles of the past, may turn out to be less and less meaningful in the future.

A publisher also has to decide how to deal with the Internet. At present, for instance, it is impractical to distribute books directly over the Net, though it is easy to foresee that need not be the case for long. We still do understand material things as objects that generally are to be bought and sold in exchange for money, but we also understand that more people are likely to pay attention to a book if they find out about it than if they don't. So in the case of a book, the Internet should now be viewed as a useful and free publicity mechanism. Let passages be freely copied and circulated on the Net, because most of the time, the more of copying that takes place, the more customers there will be for the physical printed version. If you have a Web site, don't charge for it, because that will only reduce the attention it gets. If you can't figure out how to afford it without charging, you may be doing something wrong.

In due time, publishing companies as such will hardly be necessary, for actual physical books will be seen as cumbersome and quaint. Still, many of the kinds of tasks once performed by publishing company employees such as acquisition and line editors, designers, publicists, and so, will still be done, but on much more ad hoc and free-lance, eventually even unpaid basis. All of this will take place over the Web. No one will earn monetary profits from it. And this disappearance of the involvement of capital will be equally the case for attention-getting objects of just about any sort.

Am I speaking about the far future? I think not. Already, if you are reading this, you are probably involved in far more organized person-to-person or audience-type situations where what is being exchanged is attention, real and illusory, than you are in direct monetary transactions or the direct production of material goods. The fraction of time spent in pursuits more closely tied to the new economy is, even now, well above fifty per cent and rising. The new practices are already almost fully functioning for some, and more and more in place for others.

At the end of the feudal period, the pomp and display of the nobility reached a level never before attained; the most gorgeous armor, the most magnificent tournaments of knights, the most elaborate ceremonies between rival nobles, the most brilliant marriages, the greatest interest in noble lineage. But by then it had lost all real function or importance. So today, when the stock market goes up and up, when money wealth itself seems a source of fame more than ever, when being number one on Forbes 400 list seems the height of perfection, when every basketball superstar wants a contract that is at least a million more than the last record one, we seem to be more dazzled by money than ever, just as we seem to be more intrigued by material goods than ever. But these interests are superficial and faddish. They are signs of decadence not of a glorious future for the money economy. Even in themselves they speak to the growing desire for attention, the need for it as well. Money is now little more numbers, one number among many, and as a source of lasting attention it can fade in an instant. The attention economy is already here, and more completely so every day.

His Web site is http://www.well.com/user/mgoldh/ E-mail: mgoldh@well.com
©Michael H. Goldhaber, 1997

The conference was on "Economics of Digital Information," hosted by the Kennedy School of Government , Harvard University, Cambridge, Mass., January 23-26, 1997.

1. To be more exact, in Western Europe as whole, feudalism as an economic system reached its high point around the eleventh or twelfth century (i.e. between 1000 and 1200). After that the market economy began its slow rise. But the outward forms and ways of thinking long remained feudal, certainly in the Iberian peninsula whence the first explorers came. In the Americas, where feudal systems hadn't previously existed, they were unable to compete with the new economic ways that most of the settlers brought with them. As is most obvious in the case of the Puritan colonists in New England, many of these settlers quite consciously had come to escape the old forms of rule. The "Puritan Ethic" they brought with them was much more suitable to a capitalistic, market economy than to feudalism. The great text that argues the last point (though ignoring earlier economic history) is Max Weber, 1958. The Protestant Ethic and the Spirit of Capitalism. New York: Scribner.

2. Just as settlers in the Americas fashioned the geography they found to fit their purposes and values, so cyberspace is being shaped largely by those who want a space for their own new purposes. As I suggest elsewhere (Michael Goldhaber, 1986. Reinventing Technology. New York: Routledge & Kegan Paul) technology (such as that which goes into cyberspace) is shaped by the values of those who create it and it then helps promote those values, in the main, as it allows certain actions and not others. In the case of the kinds of technology (such as software) that make up cyberspace, the users play a very large role in deciding in what directions the technology as a whole will advance, and their underlying purposes and values are more in the direction of the new economy I will outline than the old.

3. Despite its seeming generality, the following definition, (Paul Samuelson, 1973. Economics. New York: McGraw-Hill, p. 3) as read by millions of students of basic economics, shows why this new thinking must be very basic:

Economics is the study of how men and society end up choosing, with or without the use of money, to employ scarce productive resources that could have alternate uses, to produce various commodities and distribute them for consumption, now or in the future among various people and groups in society. It analyzes the costs and benefits of improving patterns of resource allocation.

As will become evident, "employing scarce productive resources," "produc[ing] various commodities and distributing them for consumption" and "improving patterns of resource allocation" are simply not relevant for what I will argue is unfolding. Nor is this a particularly perspicacious way of examining older economies, .e.g. feudalism.

4. On attention's scarcity and its economic importance, see also Michael H. Goldhaber, 1989. "Equality and Education in America Now," In: Education and the American Dream, H. Holtz, I. Marcus, J. Dougherty, J. Michaels, and R. Peduzzi (eds.), Granby, Mass.: Bergin & Garvey, Chapter 6, pp. 70-76; Michael H. Goldhaber, 1992. "The Attention Society," Release 1.0, ( 26 March), No. 3, E. Dyson (ed.), New York, EDventure Holdings, pp. 1-20; Michael H. Goldhaber, 1992. "Attention: The System of Post Industrialism?" Z papers, Vol. 1, No. 2 (April-June); and, Michael H. Goldhaber, 1996-97, Web site: http://www.well.com/user/mgoldh/

I still remember the thunderclap of insight that attention, not information is the key to the new system, a thought that struck me in 1984. While the details I present about the new economy stem from my own explorations, the fact that the following people, among others, have independently arrived at similar conclusions about the economic centrality of attention scarcity adds weight to the argument. See, for example, Richard Lanham, 1994. "The Economics of Attention," Proceedings of 124th Annual Meeting, Association of Research Librarians, Austin, Texas, http://sunsite.berkeley.edu/ARL/Proceedings/124/ps2econ.html or W. Thorngate, 1988. "On Paying Attention." In: Recent Trends in Theoretical Psychology, W. Baker, L. Mos, H. VanRappard, and H. Stam (eds.), New York: Springer-Verlag, (pp. 247-264), or W. Thorngate, 1990. "The Economy of Attention and the Development of Psychology," Canadian Psychology/Psychologie Canadienne, Vol. 31, pp. 262-271.

5. The rhetorician Kenneth Burke (in his 1931 book Counter-Statement, New York: Harcourt, Brace, p. 157) describes literary form in a very similar manner: "Form in literature is an arousing and fulfilling of desires."

6. Controversy continues to swirl around this point. It is argued at length by Thomas K. Landauer ( in his 1995 book The Trouble with Computers, Cambridge, Mass.: MIT Press) among others. Erik Brynjolfsson and Lorin Hitt (1995, "Information Technology as a Factor of Production: The Role of Differences Among Firms," Econ. Innov. New Techn., Vol. 3, pp. 183-199) present data revealing an overall positive correlation between total amounts of spending on information technology and total output for Fortune 500 companies. However, they do not show an increase in labor productivity per se, as is commonly presumed to be the case. What is indisputable is in the two decades since the introduction of the personal computer and related technologies, national measured productivity growth was lower than in the two decades following World War II, when such technology was either non-existent or much more limited. That is totally the opposite from what intuitive estimates of the value of these technologies would suggest and what has repeatedly been predicted.

While it would be impossible to thank everyone who has contributed to this lengthy project, I would like especially to thank Anatole Anton, Sandra Braman, Erik Brynjolfsson, Esther Dyson, Rishab Ghosh, William Gladstone, Nat Goldhaber, Peter Oppenheimer, Bruce Sterling, Edward Valauskas, and Terry Winograd for comments and/or encouragement that aided in the writing of this article. In addition I would like to thank Ilene Philipson. No one on this list should be held responsible for anything said here, however.

Copyright © 1997, First Monday

The Attention Economy and the Net by Michael H. Goldhaber
First Monday, Volume 2, Number 4 - 7 April 1997
http://firstmonday.org/ojs/index.php/fm/article/view/519/440

A Great Cities Initiative of the University of Illinois at Chicago University Library.

© First Monday, 1995-2017. ISSN 1396-0466.

J'fais des trous, des petits trous
toujours des petits trous
     - S. Gainsbourg

Abstract:

Network Address Translation (NAT) causes well-known difficulties for peer-to-peer (P2P) communication, since the peers involved may not be reachable at any globally valid IP address. Several NAT traversal techniques are known, but their documentation is slim, and data about their robustness or relative merits is slimmer. This paper documents and analyzes one of the simplest but most robust and practical NAT traversal techniques, commonly known as “hole punching.” Hole punching is moderately well-understood for UDP communication, but we show how it can be reliably used to set up peer-to-peer TCP streams as well. After gathering data on the reliability of this technique on a wide variety of deployed NATs, we find that about 82% of the NATs tested support hole punching for UDP, and about 64% support hole punching for TCP streams. As NAT vendors become increasingly conscious of the needs of important P2P applications such as Voice over IP and online gaming protocols, support for hole punching is likely to increase in the future.

The combined pressures of tremendous growth and massive security challenges have forced the Internet to evolve in ways that make life difficult for many applications. The Internet's original uniform address architecture, in which every node has a globally unique IP address and can communicate directly with every other node, has been replaced with a new de facto Internet address architecture, consisting of a global address realm and many private address realms interconnected by Network Address Translators (NAT). In this new address architecture, illustrated in Figure 1, only nodes in the “main,” global address realm can be easily contacted from anywhere in the network, because only they have unique, globally routable IP addresses. Nodes on private networks can connect to other nodes on the same private network, and they can usually open TCP or UDP connections to “well-known” nodes in the global address realm. NATs on the path allocate temporary public endpoints for outgoing connections, and translate the addresses and port numbers in packets comprising those sessions, while generally blocking all incoming traffic unless otherwise specifically configured.

The Internet's new de facto address architecture is suitable for client/server communication in the typical case when the client is on a private network and the server is in the global address realm. The architecture makes it difficult for two nodes on different private networks to contact each other directly, however, which is often important to the “peer-to-peer” communication protocols used in applications such as teleconferencing and online gaming. We clearly need a way to make such protocols function smoothly in the presence of NAT.

One of the most effective methods of establishing peer-to-peer communication between hosts on different private networks is known as “hole punching.” This technique is widely used already in UDP-based applications, but essentially the same technique also works for TCP. Contrary to what its name may suggest, hole punching does not compromise the security of a private network. Instead, hole punching enables applications to function within the the default security policy of most NATs, effectively signaling to NATs on the path that peer-to-peer communication sessions are “solicited” and thus should be accepted. This paper documents hole punching for both UDP and TCP, and details the crucial aspects of both application and NAT behavior that make hole punching work.

Unfortunately, no traversal technique works with all existing NATs, because NAT behavior is not standardized. This paper presents some experimental results evaluating hole punching support in current NATs. Our data is derived from results submitted by users throughout the Internet by running our “NAT Check” tool over a wide variety of NATs by different vendors. While the data points were gathered from a “self-selecting” user community and may not be representative of the true distribution of NAT implementations deployed on the Internet, the results are nevertheless generally encouraging.

While evaluating basic hole punching, we also point out variations that can make hole punching work on a wider variety of existing NATs at the cost of greater complexity. Our primary focus, however, is on developing the simplest hole punching technique that works cleanly and robustly in the presence of “well-behaved” NATs in any reasonable network topology. We deliberately avoid excessively clever tricks that may increase compatibility with some existing “broken” NATs in the short term, but which only work some of the time and may cause additional unpredictability and network brittleness in the long term.

Although the larger address space of IPv6 [3] may eventually reduce the need for NAT, in the short term IPv6 is increasing the demand for NAT, because NAT itself provides the easiest way to achieve interoperability between IPv4 and IPv6 address domains [24]. Further, the anonymity and inaccessibility of hosts on private networks has widely perceived security and privacy benefits. Firewalls are unlikely to go away even when there are enough IP addresses: IPv6 firewalls will still commonly block unsolicited incoming traffic by default, making hole punching useful even to IPv6 applications.

The rest of this paper is organized as follows. Section 2 introduces basic terminology and NAT traversal concepts. Section 3 details hole punching for UDP, and Section 4 introduces hole punching for TCP. Section 5 summarizes important properties a NAT must have in order to enable hole punching. Section 6 presents our experimental results on hole punching support in popular NATs, Section 7 discusses related work, and Section 8 concludes.

This section introduces basic NAT terminology used throughout the paper, and then outlines general NAT traversal techniques that apply equally to TCP and UDP.

This paper adopts the NAT terminology and taxonomy defined in RFC 2663 [21], as well as additional terms defined more recently in RFC 3489 [19].

Of particular importance is the notion of session. A session endpoint for TCP or UDP is an (IP address, port number) pair, and a particular session is uniquely identified by its two session endpoints. From the perspective of one of the hosts involved, a session is effectively identified by the 4-tuple (local IP, local port, remote IP, remote port). The direction of a session is normally the flow direction of the packet that initiates the session: the initial SYN packet for TCP, or the first user datagram for UDP.

Of the various flavors of NAT, the most common type is traditional or outbound NAT, which provides an asymmetric bridge between a private network and a public network. Outbound NAT by default allows only outbound sessions to traverse the NAT: incoming packets are dropped unless the NAT identifies them as being part of an existing session initiated from within the private network. Outbound NAT conflicts with peer-to-peer protocols because when both peers desiring to communicate are “behind” (on the private network side of) two different NATs, whichever peer tries to initiate a session, the other peer's NAT rejects it. NAT traversal entails making P2P sessions look like “outbound” sessions to both NATs.

Outbound NAT has two sub-varieties:Basic NAT, which only translates IP addresses, and Network Address/Port Translation (NAPT), which translates entire session endpoints. NAPT, the more general variety, has also become the most common because it enables the hosts on a private network to share the use of a single public IP address. Throughout this paper we assume NAPT, though the principles and techniques we discuss apply equally well (if sometimes trivially) to Basic NAT.

The most reliable--but least efficient--method of P2P communication across NAT is simply to make the communication look to the network like standard client/server communication, through relaying. Suppose two client hosts and have each initiated TCP or UDP connections to a well-known server , at 's global IP address 18.181.0.31 and port number 1234. As shown in Figure 2, the clients reside on separate private networks, and their respective NATs prevent either client from directly initiating a connection to the other. Instead of attempting a direct connection, the two clients can simply use the server to relay messages between them. For example, to send a message to client , client simply sends the message to server along its already-established client/server connection, and server forwards the message on to client using its existing client/server connection with .

Relaying always works as long as both clients can connect to the server. Its disadvantages are that it consumes the server's processing power and network bandwidth, and communication latency between the peering clients is likely increased even if the server is well-connected. Nevertheless, since there is no more efficient technique that works reliably on all existing NATs, relaying is a useful fall-back strategy if maximum robustness is desired. The TURN protocol [18] defines a method of implementing relaying in a relatively secure fashion.

Some P2P applications use a straightforward but limited technique, known as connection reversal, to enable communication when both hosts have connections to a well-known rendezvous server and only one of the peers is behind a NAT, as shown in Figure 3. If wants to initiate a connection to , then a direct connection attempt works automatically, because is not behind a NAT and 's NAT interprets the connection as an outgoing session. If wants to initiate a connection to , however, any direct connection attempt to is blocked by 's NAT. can instead relay a connection request to through a well-known server , asking to attempt a “reverse” connection back to . Despite the obvious limitations of this technique, the central idea of using a well-known rendezvous server as an intermediary to help set up direct peer-to-peer connections is fundamental to the more general hole punching techniques described next.

UDP hole punching enables two clients to set up a direct peer-to-peer UDP session with the help of a well-known rendezvous server, even if the clients are both behind NATs. This technique was mentioned in section 5.1 of RFC 3027 [10], documented more thoroughly elsewhere on the Web [13], and used in recent experimental Internet protocols [17,11]. Various proprietary protocols, such as those for on-line gaming, also use UDP hole punching.

Hole punching assumes that the two clients, and , already have active UDP sessions with a rendezvous server . When a client registers with , the server records two endpoints for that client: the (IP address, UDP port) pair that the client believes itself to be using to talk with , and the (IP address, UDP port) pair that the server observes the client to be using to talk with it. We refer to the first pair as the client's private endpoint and the second as the client's public endpoint. The server might obtain the client's private endpoint from the client itself in a field in the body of the client's registration message, and obtain the client's public endpoint from the source IP address and source UDP port fields in the IP and UDP headers of that registration message. If the client is not behind a NAT, then its private and public endpoints should be identical.

A few poorly behaved NATs are known to scan the body of UDP datagrams for 4-byte fields that look like IP addresses, and translate them as they would the IP address fields in the IP header. To be robust against such behavior, applications may wish to obfuscate IP addresses in messages bodies slightly, for example by transmitting the one's complement of the IP address instead of the IP address itself. Of course, if the application is encrypting its messages, then this behavior is not likely to be a problem.

Suppose client wants to establish a UDP session directly with client . Hole punching proceeds as follows:

1. initially does not know how to reach , so asks for help establishing a UDP session with .
2. replies to with a message containing 's public and private endpoints. At the same time, uses its UDP session with to send a connection request message containing 's public and private endpoints. Once these messages are received, and know each other's public and private endpoints.
3. When receives 's public and private endpoints from , starts sending UDP packets toboth of these endpoints, and subsequently “locks in” whichever endpoint first elicits a valid response from . Similarly, when receives 's public and private endpoints in the forwarded connection request, starts sending UDP packets to at each of 's known endpoints, locking in the first endpoint that works. The order and timing of these messages are not critical as long as they are asynchronous.

We now consider how UDP hole punching handles each of three specific network scenarios. In the first situation, representing the “easy” case, the two clients actually reside behind the same NAT, on one private network. In the second, most common case, the clients reside behind different NATs. In the third scenario, the clients each reside behind two levels of NAT: a common “first-level” NAT deployed by an ISP for example, and distinct “second-level” NATs such as consumer NAT routers for home networks.

It is in general difficult or impossible for the application itself to determine the exact physical layout of the network, and thus which of these scenarios (or the many other possible ones) actually applies at a given time. Protocols such as STUN [19] can provide some information about the NATs present on a communication path, but this information may not always be complete or reliable, especially when multiple levels of NAT are involved. Nevertheless, hole punching works automatically in all of these scenarioswithout the application having to know the specific network organization, as long as the NATs involved behave in a reasonable fashion. (“Reasonable” behavior for NATs will be described later in Section 5.)

First consider the simple scenario in which the two clients (probably unknowingly) happen to reside behind the same NAT, and are therefore located in the same private IP address realm, as shown in Figure 4. Client has established a UDP session with server , to which the common NAT has assigned its own public port number 62000. Client has similarly established a session with , to which the NAT has assigned public port number 62005.

Suppose that client uses the hole punching technique outlined above to establish a UDP session with , using server as an introducer. Client sends a message requesting a connection to . responds to with 's public and private endpoints, and also forwards 's public and private endpoints to . Both clients then attempt to send UDP datagrams to each other directly at each of these endpoints. The messages directed to the public endpoints may or may not reach their destination, depending on whether or not the NAT supports hairpin translation as described below in Section 3.5. The messages directed at the private endpointsdo reach their destinations, however, and since this direct route through the private network is likely to be faster than an indirect route through the NAT anyway, the clients are most likely to select the private endpoints for subsequent regular communication.

By assuming that NATs support hairpin translation, the application might dispense with the complexity of trying private as well as public endpoints, at the cost of making local communication behind a common NAT unnecessarily pass through the NAT. As our results in Section 6 show, however, hairpin translation is still much less common among existing NATs than are other “P2P-friendly” NAT behaviors. For now, therefore, applications may benefit substantially by using both public and private endpoints.

Suppose clients and have private IP addresses behind different NATs, as shown in Figure 5. and have each initiated UDP communication sessions from their local port 4321 to port 1234 on server . In handling these outbound sessions, NAT has assigned port 62000 at its own public IP address, 155.99.25.11, for the use of 's session with , and NAT has assigned port 31000 at its IP address, 138.76.29.7, to 's session with .

In 's registration message to , reports its private endpoint to as 10.0.0.1:4321, where 10.0.0.1 is 's IP address on its own private network. records 's reported private endpoint, along with 's public endpoint as observed by itself.'s public endpoint in this case is 155.99.25.11:62000, the temporary endpoint assigned to the session by the NAT. Similarly, when client registers, records 's private endpoint as 10.1.1.3:4321 and 's public endpoint as 138.76.29.7:31000.

Now client follows the hole punching procedure described above to establish a UDP communication session directly with . First, sends a request message to asking for help connecting with . In response, sends 's public and private endpoints to , and sends 's public and private endpoints to . and each start trying to send UDP datagrams directly to each of these endpoints.

Since and are on different private networks and their respective private IP addresses are not globally routable, the messages sent to these endpoints will reach either the wrong host or no host at all. Because many NATs also act as DHCP servers, handing out IP addresses in a fairly deterministic way from a private address pool usually determined by the NAT vendor by default, it is quite likely in practice that 's messages directed at 's private endpoint will reach some (incorrect) host on 's private network that happens to have the same private IP address as does. Applications must therefore authenticate all messages in some way to filter out such stray traffic robustly. The messages might include application-specific names or cryptographic tokens, for example, or at least a random nonce pre-arranged through .

Now consider 's first message sent to 's public endpoint, as shown in Figure 5. As this outbound message passes through 's NAT, this NAT notices that this is the first UDP packet in a new outgoing session. The new session's source endpoint (10.0.0.1:4321) is the same as that of the existing session between and , but its destination endpoint is different. If NAT is well-behaved, it preserves the identity of 's private endpoint, consistently translatingall outbound sessions from private source endpoint 10.0.0.1:4321 to the corresponding public source endpoint 155.99.25.11:62000.'s first outgoing message to 's public endpoint thus, in effect, “punches a hole” in 's NAT for a new UDP session identified by the endpoints (10.0.0.1:4321, 138.76.29.7:31000) on 's private network, and by the endpoints (155.99.25.11:62000, 138.76.29.7:31000) on the main Internet.

If 's message to 's public endpoint reaches 's NAT before 's first message to has crossed 's own NAT, then 's NAT may interpret 's inbound message as unsolicited incoming traffic and drop it.'s first message to 's public address, however, similarly opens a hole in 's NAT, for a new UDP session identified by the endpoints (10.1.1.3:4321, 155.99.25.11:62000) on 's private network, and by the endpoints (138.76.29.7:31000, 155.99.25.11:62000) on the Internet. Once the first messages from and have crossed their respective NATs, holes are open in each direction and UDP communication can proceed normally. Once the clients have verified that the public endpoints work, they can stop sending messages to the alternative private endpoints.

3.5 Peers Behind Multiple Levels of NAT

In some topologies involving multiple NAT devices, two clients cannot establish an “optimal” P2P route between them without specific knowledge of the topology. Consider a final scenario, depicted in Figure 6. Suppose NAT is a large industrial NAT deployed by an internet service provider (ISP) to multiplex many customers onto a few public IP addresses, and NATs and are small consumer NAT routers deployed independently by two of the ISP's customers to multiplex their private home networks onto their respective ISP-provided IP addresses. Only server and NAT have globally routable IP addresses; the “public” IP addresses used by NAT and NAT are actually private to the ISP's address realm, while client 's and's addresses in turn are private to the addressing realms of NAT and NAT , respectively. Each client initiates an outgoing connection to server as before, causing NATs and each to create a single public/private translation, and causing NAT to establish a public/private translation for each session.

Now suppose and attempt to establish a direct peer-to-peer UDP connection via hole punching. The optimal routing strategy would be for client to send messages to client 's “semi-public” endpoint at NAT , 10.0.1.2:55000 in the ISP's addressing realm, and for client to send messages to 's “semi-public” endpoint at NAT , namely 10.0.1.1:45000. Unfortunately, and have no way to learn these addresses, because server only sees the truly global public endpoints of the clients, 155.99.25.11:62000 and 155.99.25.11:62005 respectively. Even if and had some way to learn these addresses, there is still no guarantee that they would be usable, because the address assignments in the ISP's private address realm might conflict with unrelated address assignments in the clients' private realms. (NAT 's IP address in NAT 's realm might just as easily have been 10.1.1.3, for example, the same as client 's private address in NAT 's realm.)

The clients therefore have no choice but to use their global public addresses as seen by for their P2P communication, and rely on NAT providing hairpin or loopback translation. When sends a UDP datagram to 's global endpoint, 155.99.25.11:62005, NAT first translates the datagram's source endpoint from 10.0.0.1:4321 to 10.0.1.1:45000. The datagram now reaches NAT , which recognizes that the datagram's destination address is one of NAT 's own translated public endpoints. If NAT is well-behaved, it then translates both the source and destination addresses in the datagram and “loops” the datagram back onto the private network, now with a source endpoint of 155.99.25.11:62000 and a destination endpoint of 10.0.1.2:55000. NAT finally translates the datagram's destination address as the datagram enters 's private network, and the datagram reaches . The path back to works similarly. Many NATs do not yet support hairpin translation, but it is becoming more common as NAT vendors become aware of this issue.

Since the UDP transport protocol provides NATs with no reliable, application-independent way to determine the lifetime of a session crossing the NAT, most NATs simply associate an idle timer with UDP translations, closing the hole if no traffic has used it for some time period. There is unfortunately no standard value for this timer: some NATs have timeouts as short as 20 seconds. If the application needs to keep an idle UDP session active after establishing the session via hole punching, the application must send periodic keep-alive packets to ensure that the relevant translation state in the NATs does not disappear.

Unfortunately, many NATs associate UDP idle timers with individual UDP sessions defined by a particular pair of endpoints, so sending keep-alives on one session will not keep other sessions active even if all the sessions originate from the same private endpoint. Instead of sending keep-alives on many different P2P sessions, applications can avoid excessive keep-alive traffic by detecting when a UDP session no longer works, and re-running the original hole punching procedure again “on demand.”

Establishing peer-to-peer TCP connections between hosts behind NATs is slightly more complex than for UDP, but TCP hole punching is remarkably similar at the protocol level. Since it is not as well-understood, it is currently supported by fewer existing NATs. When the NATs involved do support it, however, TCP hole punching is just as fast and reliable as UDP hole punching. Peer-to-peer TCP communication across well-behaved NATs may in fact be more robust than UDP communication, because unlike UDP, the TCP protocol's state machine gives NATs on the path a standard way to determine the precise lifetime of a particular TCP session.

The main practical challenge to applications wishing to implement TCP hole punching is not a protocol issue but an application programming interface (API) issue. Because the standard Berkeley sockets API was designed around the client/server paradigm, the API allows a TCP stream socket to be used to initiate an outgoing connection via connect(), or to listen for incoming connections via listen() and accept(),but not both. Further, TCP sockets usually have a one-to-one correspondence to TCP port numbers on the local host: after the application binds one socket to a particular local TCP port, attempts to bind a second socket to the same TCP port fail.

For TCP hole punching to work, however, we need to use a single local TCP port to listen for incoming TCP connections and to initiate multiple outgoing TCP connections concurrently. Fortunately, all major operating systems support a special TCP socket option, commonly named SO_REUSEADDR, which allows the application to bind multiple sockets to the same local endpoint as long as this option is set on all of the sockets involved. BSD systems have introduced a SO_REUSEPORT option that controls port reuse separately from address reuse; on such systems both of these options must be set.

4.2 Opening Peer-to-Peer TCP Streams

Suppose that client wishes to set up a TCP connection with client . We assume as usual that both and already have active TCP connections with a well-known rendezvous server . The server records each registered client's public and private endpoints, just as for UDP. At the protocol level, TCP hole punching works almost exactly as for UDP:

1. Client uses its active TCP session with to ask for help connecting to .
2. replies to with 's public and private TCP endpoints, and at the same time sends 's public and private endpoints to .
3. From the same local TCP ports that and used to register with , and each asynchronously make outgoing connection attempts to the other's public and private endpoints as reported by , while simultaneously listening for incoming connections on their respective local TCP ports.
4. and wait for outgoing connection attempts to succeed, and/or for incoming connections to appear. If one of the outgoing connection attempts fails due to a network error such as “connection reset” or “host unreachable,” the host simply re-tries that connection attempt after a short delay (e.g., one second), up to an application-defind maximum timeout period.
5. When a TCP connection is made, the hosts authenticate each other to verify that they connected to the intended host. If authentication fails, the clients close that connection and continue waiting for others to succeed. The clients use the first successfully authenticated TCP stream resulting from this process.

Unlike with UDP, where each client only needs one socket to communicate with both and any number of peers simultaneously, with TCP each client application must manage several sockets bound to a single local TCP port on that client node, as shown in Figure 7. Each client needs a stream socket representing its connection to , a listen socket on which to accept incoming connections from peers, and at least two additional stream sockets with which to initiate outgoing connections to the other peer's public and private TCP endpoints.

Consider the common-case scenario in which the clients and are behind different NATs, as shown in Figure 5, and assume that the port numbers shown in the figure are now for TCP rather than UDP ports. The outgoing connection attempts and make to each other's private endpoints either fail or connect to the wrong host. As with UDP, it is important that TCP applications authenticate their peer-to-peer sessions, due of the likelihood of mistakenly connecting to a random host on the local network that happens to have the same private IP address as the desired host on a remote private network.

The clients' outgoing connection attempts to each other's public endpoints, however, cause the respective NATs to open up new “holes” enabling direct TCP communication between and . If the NATs are well-behaved, then a new peer-to-peer TCP stream automatically forms between them. If 's first SYN packet to reaches 's NAT before 's first SYN packet to reaches 's NAT, for example, then 's NAT may interpret 's SYN as an unsolicited incoming connection attempt and drop it.'s first SYN packet to should subsequently get through, however, because 's NAT sees this SYN as being part of the outbound session to that 's first SYN had already initiated.

What the client applications observe to happen with their sockets during TCP hole punching depends on the timing and the TCP implementations involved. Suppose that 's first outbound SYN packet to 's public endpoint is dropped by NAT , but 's first subsequent SYN packet to 's public endpoint gets through to before 's TCP retransmits its SYN. Depending on the operating system involved, one of two things may happen:

• 's TCP implementation notices that the session endpoints for the incoming SYN match those of an outbound session was attempting to initiate.'s TCP stack therefore associates this new session with the socket that the local application on was using to connect() to 's public endpoint. The application's asynchronous connect() call succeeds, and nothing happens with the application's listen socket.

  Since the received SYN packet did not include an ACK for 's previous outbound SYN,'s TCP replies to 's public endpoint with a SYN-ACK packet, the SYN part being merely a replay of 's original outbound SYN, using the same sequence number. Once 's TCP receives 's SYN-ACK, it responds with its own ACK for 's SYN, and the TCP session enters the connected state on both ends.

• Alternatively,'s TCP implementation might instead notice that has an active listen socket on that port waiting for incoming connection attempts. Since 's SYN looks like an incoming connection attempt,'s TCP creates a new stream socket with which to associate the new TCP session, and hands this new socket to the application via the application's next accept() call on its listen socket.'s TCP then responds to with a SYN-ACK as above, and TCP connection setup proceeds as usual for client/server-style connections.

  Since 's prior outbound connect() attempt to used a combination of source and destination endpoints that is now in use by another socket, namely the one just returned to the application via accept(),'s asynchronous connect() attempt must fail at some point, typically with an “address in use” error. The application nevertheless has the working peer-to-peer stream socket it needs to communicate with , so it ignores this failure.

The first behavior above appears to be usual for BSD-based operating systems, whereas the second behavior appears more common under Linux and Windows.

4.4 Simultaneous TCP Open

Suppose that the timing of the various connection attempts during the hole punching process works out so that the initial outgoing SYN packets from both clients traverse their respective local NATs, opening new outbound TCP sessions in each NAT, before reaching the remote NAT. In this “lucky” case, the NATs do not reject either of the initial SYN packets, and the SYNs cross on the wire between the two NATs. In this case, the clients observe an event known as a simultaneous TCP open: each peer's TCP receives a “raw” SYN while waiting for a SYN-ACK. Each peer's TCP responds with a SYN-ACK, whose SYN part essentially “replays” the peer's previous outgoing SYN, and whose ACK part acknowledges the SYN received from the other peer.

What the respective applications observe in this case again depends on the behavior of the TCP implementations involved, as described in the previous section. If both clients implement the second behavior above, it may be thatall of the asynchronous connect() calls made by the application ultimately fail, but the application running on each client nevertheless receives a new, working peer-to-peer TCP stream socket via accept()--as if this TCP stream had magically “created itself” on the wire and was merely passively accepted at the endpoints! As long as the application does not care whether it ultimately receives its peer-to-peer TCP sockets via connect() or accept(), the process results in a working stream on any TCP implementation that properly implements the standard TCP state machine specified in RFC 793 [23].

Each of the alternative network organization scenarios discussed in Section 3 for UDP works in exactly the same way for TCP. For example, TCP hole punching works in multi-level NAT scenarios such as the one in Figure 6 as long as the NATs involved are well-behaved.

4.5 Sequential Hole Punching

In a variant of the above TCP hole punching procedure implemented by the NatTrav library [4], the clients attempt connections to each other sequentially rather than in parallel. For example: (1) informs via of its desire to communicate,without simultaneously listening on its local port; (2) makes a connect() attempt to , which opens a hole in 's NAT but then fails due to a timeout or RST from 's NAT or a RST from itself; (3) closes its connection to and does a listen() on its local port; (4) in turn closes its connection with , signaling to attempt a connect() directly to .

This sequential procedure may be particularly useful on Windows hosts prior to XP Service Pack 2, which did not correctly implement simultaneous TCP open, or on sockets APIs that do not support the SO_REUSEADDR functionality. The sequential procedure is more timing-dependent, however, and may be slower in the common case and less robust in unusual situations. In step (2), for example, must allow its “doomed-to-fail” connect() attempt enough time to ensure that at least one SYN packet traverses all NATs on its side of the network. Too little delay risks a lost SYN derailing the process, whereas too much delay increases the total time required for hole punching. The sequential hole punching procedure also effectively “consumes” both clients' connections to the server , requiring the clients to open fresh connections to for each new P2P connection to be forged. The parallel hole punching procedure, in contrast, typically completes as soon as both clients make their outgoing connect() attempts, and allows each client to retain and re-use a single connection to indefinitely.

This section describes the key behavioral properties NATs must have in order for the hole punching techniques described above to work properly. Not all current NAT implementations satisfy these properties, but many do, and NATs are gradually becoming more “P2P-friendly” as NAT vendors recognize the demand for peer-to-peer protocols such as voice over IP and on-line gaming.

This section is not meant to be a complete or definitive specification for how NATs “should” behave; we provide it merely for information about the most commonly observed behaviors that enable or break P2P hole punching. The IETF has started a new working group, BEHAVE, to define official “best current practices” for NAT behavior. The BEHAVE group's initial drafts include the considerations outlined in this section and others; NAT vendors should of course follow the IETF working group directly as official behavioral standards are formulated.

5.1 Consistent Endpoint Translation

The hole punching techniques described here only work automatically if the NAT consistently maps a given TCP or UDP source endpoint on the private network to a single corresponding public endpoint controlled by the NAT. A NAT that behaves in this way is referred to as a cone NAT in RFC 3489 [19] and elsewhere, because the NAT “focuses” all sessions originating from a single private endpoint through the same public endpoint on the NAT.

Consider again the scenario in Figure 5, for example. When client initially contacted the well-known server , NAT chose to use port 62000 at its own public IP address, 155.99.25.11, as a temporary public endpoint to representing 's private endpoint 10.0.0.1:4321. When later attempts to establish a peer-to-peer session with by sending a message from the same local private endpoint to 's public endpoint, depends on NAT preserving the identity of this private endpoint, and re-using the existing public endpoint of 155.99.25.11:62000, because that is the public endpoint for to which will be sending its corresponding messages.

A NAT that is only designed to support client/server protocols will not necessarily preserve the identities of private endpoints in this way. Such a NAT is a symmetric NAT in RFC 3489 terminology. For example, after the NAT assigns the public endpoint 155.99.25.11:62000 to client 's session with server , the NAT might assign a different public endpoint, such as 155.99.25.11:62001, to the P2P session that tries to initiate with . In this case, the hole punching process fails to provide connectivity, because the subsequent incoming messages from reach NAT at the wrong port number.

Many symmetric NATs allocate port numbers for successive sessions in a fairly predictable way. Exploiting this fact, variants of hole punching algorithms [9,1] can be made to work “much of the time” even over symmetric NATs by first probing the NAT's behavior using a protocol such as STUN [19], and using the resulting information to “predict” the public port number the NAT will assign to a new session. Such prediction techniques amount to chasing a moving target, however, and many things can go wrong along the way. The predicted port number might already be in use causing the NAT to jump to another port number, for example, or another client behind the same NAT might initiate an unrelated session at the wrong time so as to allocate the predicted port number. While port number prediction can be a useful trick for achieving maximum compatibility with badly-behaved existing NATs, it does not represent a robust long-term solution. Since symmetric NAT provides no greater security than a cone NAT with per-session traffic filtering, symmetric NAT is becoming less common as NAT vendors adapt their algorithms to support P2P protocols.

5.2 Handling Unsolicited TCP Connections

When a NAT receives a SYN packet on its public side for what appears to be an unsolicited incoming connection attempt, it is important that the NAT just silently drop the SYN packet. Some NATs instead actively reject such incoming connections by sending back a TCP RST packet or even an ICMP error report, which interferes with the TCP hole punching process. Such behavior is not necessarily fatal, as long as the applications re-try outgoing connection attempts as specified in step 4 of the process described in Section 4.2, but the resulting transient errors can make hole punching take longer.

A few existing NATs are known to scan “blindly” through packet payloads for 4-byte values that look like IP addresses, and translate them as they would the IP address in the packet header, without knowing anything about the application protocol in use. This bad behavior fortunately appears to be uncommon, and applications can easily protect themselves against it by obfuscating IP addresses they send in messages, for example by sending the bitwise complement of the desired IP address.

5.4 Hairpin Translation

Some multi-level NAT situations require hairpin translation support in order for either TCP or UDP hole punching to work, as described in Section 3.5. The scenario shown in Figure 6, for example, depends on NAT providing hairpin translation. Support for hairpin translation is unfortunately rare in current NATs, but fortunately so are the network scenarios that require it. Multi-level NAT is becoming more common as IPv4 address space depletion continues, however, so support for hairpin translation is important in future NAT implementations.

To evaluate the robustness of the TCP and UDP hole punching techniques described in this paper on a variety of existing NATs, we implemented and distributed a test program called NAT Check [16], and solicited data from Internet users about their NATs.

NAT Check's primary purpose is to test NATs for the two behavioral properties most crucial to reliable UDP and TCP hole punching: namely, consistent identity-preserving endpoint translation (Section 5.1), and silently dropping unsolicited incoming TCP SYNs instead of rejecting them with RSTs or ICMP errors (Section 5.2). In addition, NAT Check separately tests whether the NAT supports hairpin translation (Section 5.4), and whether the NAT filters unsolicited incoming traffic at all. This last property does not affect hole punching, but provides a useful indication the NAT's firewall policy.

NAT Check makes no attempt to test every relevant facet of NAT behavior individually: a wide variety of subtle behavioral differences are known, some of which are difficult to test reliably [12]. Instead, NAT Check merely attempts to answer the question, “how commonly can the proposed hole punching techniques be expected to work on deployed NATs, under typical network conditions?”

NAT Check consists of a client program to be run on a machine behind the NAT to be tested, and three well-known servers at different global IP addresses. The client cooperates with the three servers to check the NAT behavior relevant to both TCP and UDP hole punching. The client program is small and relatively portable, currently running on Windows, Linux, BSD, and Mac OS X. The machines hosting the well-known servers all run FreeBSD.

6.1.1 UDP Test

To test the NAT's behavior for UDP, the client opens a socket and binds it to a local UDP port, then successively sends “ping”-like requests to servers 1 and 2, as shown in Figure 8. These servers each respond to the client's pings with a reply that includes the client's public UDP endpoint: the client's own IP address and UDP port number as observed by the server. If the two servers report the same public endpoint for the client, NAT Check assumes that the NAT properly preserves the identity of the client's private endpoint, satisfying the primary precondition for reliable UDP hole punching.

When server 2 receives a UDP request from the client, besides replying directly to the client it also forwards the request to server 3, which in turn replies to the client from its own IP address. If the NAT's firewall properly filters “unsolicited” incoming traffic on a per-session basis, then the client never sees these replies from server 3, even though they are directed at the same public port as the replies from servers 1 and 2.

To test the NAT for hairpin translation support, the client simply opens a second UDP socket at a different local port and uses it to send messages to the public endpoint representing the client's first UDP socket, as reported by server 2. If these messages reach the client's first private endpoint, then the NAT supports hairpin translation.

6.1.2 TCP Test

The TCP test follows a similar pattern as for UDP. The client uses a single local TCP port to initiate outbound sessions to servers 1 and 2, and checks whether the public endpoints reported by servers 1 and 2 are the same, the first precondition for reliable TCP hole punching.

The NAT's response to unsolicited incoming connection attempts also impacts the speed and reliability of TCP hole punching, however, so NAT Check also tests this behavior. When server 2 receives the client's request, instead of immediately replying to the client, it forwards a request to server 3 and waits for server 3 to respond with a “go-ahead” signal. When server 3 receives this forwarded request, it attempts to initiate an inbound connection to the client's public TCP endpoint. Server 3 waits up to five seconds for this connection to succeed or fail, and if the connection attempt is still “in progress” after five seconds, server 3 responds to server 2 with the “go-ahead” signal and continues waiting for up to 20 seconds. Once the client finally receives server 2's reply (which server 2 delayed waiting for server 3's “go-ahead” signal), the client attempts an outbound connection to server 3, effectively causing a simultaneous TCP open with server 3.

What happens during this test depends on the NAT's behavior as follows. If the NAT properly just drops server 3's “unsolicited” incoming SYN packets, then nothing happens on the client's listen socket during the five second period before server 2 replies to the client. When the client finally initiates its own connection to server 3, opening a hole through the NAT, the attempt succeeds immediately. If on the other hand the NAT does not drop server 3's unsolicited incoming SYNs but allows them through (which is fine for hole punching but not ideal for security), then the client receives an incoming TCP connection on its listen socket before receiving server 2's reply. Finally, if the NAT actively rejects server 3's unsolicited incoming SYNs by sending back TCP RST packets, then server 3 gives up and the client's subsequent attempt to connect to server 3 fails.

To test hairpin translation for TCP, the client simply uses a secondary local TCP port to attempt a connection to the public endpoint corresponding to its primary TCP port, in the same way as for UDP.

The NAT Check data we gathered consists of 380 reported data points covering a variety of NAT router hardware from 68 vendors, as well as the NAT functionality built into different versions of eight popular operating systems. Only 335 of the total data points include results for UDP hairpin translation, and only 286 data points include results for TCP, because we implemented these features in later versions of NAT Check after we had already started gathering results. The data is summarized by NAT vendor in Table 1; the table only individually lists vendors for which at least five data points were available. The variations in the test results for a given vendor can be accounted for by a variety of factors, such as different NAT devices or product lines sold by the same vendor, different software or firmware versions of the same NAT implementation, different configurations, and probably occasional NAT Check testing or reporting errors.

Out of the 380 reported data points for UDP, in 310 cases (82%) the NAT consistently translated the client's private endpoint, indicating basic compatibility with UDP hole punching. Support for hairpin translation is much less common, however: of the 335 data points that include UDP hairpin translation results, only 80 (24%) show hairpin translation support.

Out of the 286 data points for TCP, 184 (64%) show compatibility with TCP hole punching: the NAT consistently translates the client's private TCP endpoint, and does not send back RST packets in response to unsolicited incoming connection attempts. Hairpin translation support is again much less common: only 37 (13%) of the reports showed hairpin support for TCP.

Since these reports were generated by a “self-selecting” community of volunteers, they do not constitute a random sample and thus do not necessarily represent the true distribution of the NATs in common use. The results are nevertheless encouraging: it appears that the majority of commonly-deployed NATs already support UDP and TCP hole punching at least in single-level NAT scenarios.

There are a few limitations in NAT Check's current testing protocol that may cause misleading results in some cases. First, we only learned recently that a few NAT implementations blindly translate IP addresses they find in unknown application payloads, and the NAT Check protocol currently does not protect itself from this behavior by obfuscating the IP addresses it transmits.

Second, NAT Check's current hairpin translation checking may yield unnecessarily pessimistic results because it does not use the full, two-way hole punching procedure for this test. NAT Check currently assumes that a NAT supporting hairpin translation does not filter “incoming” hairpin connections arriving from the private network in the way it would filter incoming connections arriving at the public side of the NAT, because such filtering is unnecessary for security. We later realized, however, that a NAT might simplistically treat any traffic directed at the NAT's public ports as “untrusted” regardless of its origin. We do not yet know which behavior is more common.

Finally, NAT implementations exist that consistently translate the client's private endpoint as long as only one client behind the NAT is using a particular private port number, but switch to symmetric NAT or even worse behaviors if two or more clients with different IP addresses on the private network try to communicate through the NAT from the same private port number. NAT Check could only detect this behavior by requiring the user to run it on two or more client hosts behind the NAT at the same time. Doing so would make NAT Check much more difficult to use, however, and impossible for users who only have one usable machine behind the NAT. Nevertheless, we plan to implement this testing functionality as an option in a future version of NAT Check.

Despite testing difficulties such as those above, our results are generally corroborated by those of a large ISP, who recently found that of the top three consumer NAT router vendors, representing 86% of the NATs observed on their network, all three vendors currently produce NATs compatible with UDP hole punching [25]. Additional independent results recently obtained using the UDP-oriented STUN protocol [12], and STUNT, a TCP-enabled extension [8,9], also appear consistent with our results. These latter studies provide more information on each NAT by testing a wider variety of behaviors individually, instead of just testing for basic hole punching compatibility as NAT Check does. Since these more extensive tests require multiple cooperating clients behind the NAT and thus are more difficult to run, however, these results are so far available on a more limited variety of NATs.

UDP hole punching was first explored and publicly documented by Dan Kegel [13], and is by now well-known in peer-to-peer application communities. Important aspects of UDP hole punching have also been indirectly documented in the specifications of several experimental protocols, such as STUN [19], ICE [17], and Teredo [11]. We know of no existing published work that thoroughly analyzes hole punching, however, or that points out the hairpin translation issue for multi-level NAT (Section 3.5).

We also know of no prior work that develops TCP hole punching in the symmetric fashion described here. Even the existence of the crucialSO_REUSEADDR/SO_REUSEPORT options in the Berkeley sockets API appears to be little-known among P2P application developers. NatTrav [4] implements a similar but asymmetric TCP hole punching procedure outlined earlier in Section 4.5. NUTSS [9] and NATBLASTER [1] implement more complex TCP hole punching tricks that can work around some of the bad NAT behaviors mentioned in Section 5, but they require the rendezvous server to spoof source IP addresses, and they also require the client applications to have access to “raw” sockets, usually available only at root or administrator privilege levels.

Protocols such as SOCKS [14], UPnP [26], and MIDCOM [22] allow applications to traverse a NAT through explicit cooperation with the NAT. These protocols are not widely or consistently supported by NAT vendors or applications, however, and do not appear to address the increasingly important multi-level NAT scenarios. Explicit control of a NAT further requires the application to locate the NAT and perhaps authenticate itself, which typically involves explicit user configuration. When hole punching works, in contrast, it works with no user intervention.

Recent proposals such as HIP [15] and FARA [2] extend the Internet's basic architecture by decoupling a host's identity from its location [20]. IPNL [7], UIP [5,6], and DOA [27] propose schemes for routing across NATs in such an architecture. While such extensions are probably needed in the long term, hole punching enables applications to work over the existing network infrastructure immediately with no protocol stack upgrades, and leaves the notion of “host identity” for applications to define.

Hole punching is a general-purpose technique for establishing peer-to-peer connections in the presence of NAT. As long as the NATs involved meet certain behavioral requirements, hole punching works consistently and robustly for both TCP and UDP communication, and can be implemented by ordinary applications with no special privileges or specific network topology information. Hole punching fully preserves the transparency that is one of the most important hallmarks and attractions of NAT, and works even with multiple levels of NAT--though certain corner case situations require hairpin translation, a NAT feature not yet widely implemented.

The authors wish to thank Dave Andersen for his crucial support in gathering the results presented in Section 6. We also wish to thank Henrik Nordstrom, Christian Huitema, Justin Uberti, Mema Roussopoulos, and the anonymous USENIX reviewers for valuable feedback on early drafts of this paper. Finally, we wish to thank the many volunteers who took the time to run NAT Check on their systems and submit the results.

1

Andrew Biggadike, Daniel Ferullo, Geoffrey Wilson, and Adrian Perrig.
NATBLASTER: Establishing TCP connections between hosts behind NATs.
In ACM SIGCOMM Asia Workshop, Beijing, China, April 2005.

2

David Clark, Robert Braden, Aaron Falk, and Venkata Pingali.
FARA: Reorganizing the addressing architecture.
In ACM SIGCOMM FDNA Workshop, August 2003.

3

S. Deering and R. Hinden.
Internet protocol, version 6 (IPv6) specification, December 1998.
RFC 2460.

4

Jeffrey L. Eppinger.
TCP connections for P2P apps: A software approach to solving the NAT problem.
Technical Report CMU-ISRI-05-104, Carnegie Mellon University, January 2005.

5

Bryan Ford.
Scalable Internet routing on topology-independent node identities.
Technical Report MIT-LCS-TR-926, MIT Laboratory for Computer Science, October 2003.

6

Bryan Ford.
Unmanaged internet protocol: Taming the edge network management crisis.
In Second Workshop on Hot Topics in Networks, Cambridge, MA, November 2003.

7

Paul Francis and Ramakrishna Gummadi.
IPNL: A NAT-extended Internet architecture.
In ACM SIGCOMM, August 2002.

8

Saikat Guha and Paul Francis.
Simple traversal of UDP through NATs and TCP too (STUNT).
http://nutss.gforge.cis.cornell.edu/.

9

Saikat Guha, Yutaka Takeday, and Paul Francis.
NUTSS: A SIP-based approach to UDP and TCP network connectivity.
In SIGCOMM 2004 Workshops, August 2004.

10

M. Holdrege and P. Srisuresh.
Protocol complications with the IP network address translator, January 2001.
RFC 3027.

11

C. Huitema.
Teredo: Tunneling IPv6 over UDP through NATs, March 2004.
Internet-Draft (Work in Progress).

12

C. Jennings.
NAT classification results using STUN, October 2004.
Internet-Draft (Work in Progress).

13

Dan Kegel.
NAT and peer-to-peer networking, July 1999.
http://www.alumni.caltech.edu/~dank/peer-nat.html.

14

M. Leech et al.
SOCKS protocol, March 1996.
RFC 1928.

15

R. Moskowitz and P. Nikander.
Host identity protocol architecture, April 2003.
Internet-Draft (Work in Progress).

16

NAT check.
http://midcom-p2p.sourceforge.net/.

17

J. Rosenberg.
Interactive connectivity establishment (ICE), October 2003.
Internet-Draft (Work in Progress).

18

J. Rosenberg, C. Huitema, and R. Mahy.
Traversal using relay NAT (TURN), October 2003.
Internet-Draft (Work in Progress).

19

J. Rosenberg, J. Weinberger, C. Huitema, and R. Mahy.
STUN - simple traversal of user datagram protocol (UDP) through network address translators (NATs), March 2003.
RFC 3489.

20

J. Saltzer.
On the naming and binding of network destinations.
In P. Ravasio et al., editor, Local Computer Networks, pages 311-317. North-Holland, Amsterdam, 1982.
RFC 1498.

21

P. Srisuresh and M. Holdrege.
IP network address translator (NAT) terminology and considerations, August 1999.
RFC 2663.

22

P. Srisuresh, J. Kuthan, J. Rosenberg, A. Molitor, and A. Rayhan.
Middlebox communication architecture and framework, August 2002.
RFC 3303.

23

Transmission control protocol, September 1981.
RFC 793.

24

G. Tsirtsis and P. Srisuresh.
Network address translation - protocol translation (NAT-PT), February 2000.
RFC 2766.

25

Justin Uberti.
E-mail on IETF MIDCOM mailing list, February 2004.
Message-ID: <402CEB11.1060906@aol.com>.

26

UPnP Forum.
Internet gateway device (IGD) standardized device control protocol, November 2001.
http://www.upnp.org/.

27

Michael Walfish, Jeremy Stribling, Maxwell Krohn, Hari Balakrishnan, Robert Morris, and Scott Shenker.
Middleboxes no longer considered harmful.
In USENIX Symposium on Operating Systems Design and Implementation, San Francisco, CA, December 2004.

The core of our offering is a discrete sensor that leverages multiple inputs (primarily an imaging sensor + PIR-based motion sensing), which feed into a neural network model that executes inference directly on the device. This allows us to do powerful processing on inexpensive hardware.

Our machine-learning stack is built around Tensorflow, which we use in two ways: 1) for inference (we embed Tensorflow directly on a Raspberry Pi), and 2) training new models in the cloud. New models can be pushed remotely to the devices over-the-air to make the sensors “smarter”.

While our sensors are currently trained to count people, our vision is to evolve into a 100% passive "super-sensor" that can be configured to detect thousands of different types of events. Examples that we've explored include things like detecting falls (e.g. during an emergency), counting assets (equipment, furniture, cars), and monitoring equipment usage (for preventative maintenance).

We're happy to chat and would love to hear your thoughts. Some things we've worked on that might be interesting to discuss: rapid-prototyping for hardware (Raspberry Pis +ESP8266), machine-learning, computer-vision, building automation, BLE, B2B sales, keeping sane while drawing bounding boxes, or anything else that comes to mind!

We look forward to your feedback!

Dan + Kelby

A hacker going by the handle xerub has just released what he claims to be a full decryption key for Apple's Secure Enclave Processor (SEP) firmware.

This could be a major blow for iOS security because of the importance of the SEP: It handles Touch ID transactions and is completely isolated from the rest of its host device. Your iPhone, iPad, or iPod has no idea what's going on in the SEP, and that means no one else does either—at least until today.

Now that its firmware code is exposed it's open season on SEP vulnerabilities.

What the Secure Enclave Processor is

Ever since Touch ID came out with the iPhone 5S, there has been a tiny coprocessor embedded in the main S-series, and now A-series, processor chip. That tiny coprocessor runs completely on its own—it has a separate OS, updates separately, and nothing it does is known to the rest of the device.

One of the key points of the SEP is its generation of the device's Unique ID (UID). That UID is further secured by tangling it up with an ephemeral key that changes every time the device is rebooted.

SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)

Protecting the UID is why the SEP exists, and why all Touch ID actions, password verification, and other security processes happen inside it. .

Why the SEP's decryption is a big deal

The SEP's firmware code is now open to the world, thanks to xerub's efforts. The key is published here, this GitHub repository contains what you need to decrypt it, and this one has the tools to process it.

"The fact that [the SEP] was hidden behind a key worries me," said xerub. "Is Apple not confident enough to push SEP decrypted as they did with kernels past iOS 10?" He added that while SEP is amazing tech the fact that it's a "black box" adds very little, if anything to security. "Obscurity helps security—I'm not denying that," he said, but added that relying on it for security isn't a good idea.

Expert hackers, he added, won't be stopped by black boxes. Just slowed down.

"I think public scrutiny will add to the security of SEP in the long run," xerub said, noting that was also his intention with releasing the key. It's another act in the arms race between tech companies and hackers, who poke and prod software in a way that ultimately can make users safer.

"Apple's job is to make [SEP] as secure as possible," xerub said. "It's a continuous process ... there's no actual point at which you can say 'right now it's 100% secure.'"

Decrypting the SEP's firmware is huge for both security analysts and hackers. It could be possible, though xerub says it's very hard, to watch the SEP do its work and reverse engineer its process, gain access to passwords and fingerprint data, and go even further toward rendering any security relying on the SEP completely ineffective.

"Decrypting the firmware itself does not equate to decrypting user data," xerub said. There's a lot of additional work that would need to go into exploiting decrypted firmware—in short it's probably not going to have a massive impact.

SEE: Every iOS user should update to 10.3.3 now to avoid this Wi-Fi hack (TechRepublic)

There's no telling when any potential effects of the SEP's decryption could start being felt, or in what way. Ideally, Apple will release a fix as soon as possible, but failing that be on the lookout for Touch ID hacks, password harvesting scams, or other attacks that could take advantage of the decryption.

We reached out to Apple and xerub for comments. This article will be updated with any response.

Update 8/17: Added information from a conversation with xerub.

Top three takeaways for TechRepublic readers:

1. A hacker has released what they claim to be a decryption key for the Apple Secure Enclave Processor (SEP) firmware. The SEP handles password and Touch ID encryption, and decrypting it could have serious security consequences.
2. It's still too early to know what the full fallout from the SEP's decryption will be, but it could open the door for password harvesting, spoofing, and other security-compromising attacks.
3. Decryption of firmware doesn't equate to decryption of personal data. While SEP's firmware may have been opened up your personal data isn't necessarily at risk.

Also see:

Victor Fraile/Corbis/Getty

China’s move to a two-child policy has been a boon for fertility clinics.

Getting time with Qiao Jie is not easy. At 7:30 a.m., the line coming out of the fertility centre that she runs blocks the doorway and extends some 80 metres down the street. Inside, about 50 physicians on her team are discussing recent findings, but Qiao, a fertility specialist and president of Peking University Third Hospital in Beijing, is still in an early-morning consult.

When she finally emerges, she jumps to the topic at hand: spreading awareness of preimplantation genetic diagnosis (PGD), a procedure that helps couples undergoing in vitro fertilization (IVF) to avoid passing on genetic mutations that could cause disease or disability in their children. Qiao typically refuses interview requests, but she’s concerned that people aren’t getting the message about PGD fast enough. “Now, more and more diseases can be stopped — if not immediately, in the generation after next,” she says. 

Early experiments are beginning to show how genome-editing technologies such as CRISPR might one day fix disease-causing mutations before embryos are implanted. But refining the techniques and getting regulatory approval will take years. PGD has already helped thousands of couples. And whereas the expansion of PGD around the world has generally been slow, in China, it is starting to explode.

The conditions there are ripe: genetic diseases carry heavy stigma, people with disabilities get very little support and religious and ethical push-back against PGD is almost non-existent. China has also lifted some restrictions on family size and seen a subsequent rise in fertility treatments among older couples. Genetic screening during pregnancy for chromosomal abnormalities linked to maternal age has taken off throughout the country, and many see this as a precursor to wider adoption of PGD.

Although Chinese fertility doctors were late to the game in adopting the procedure, they have been pursuing a more aggressive, comprehensive and systematic path towards its use there than anywhere else. The country’s central government, known for its long-term thinking, has over the past decade stepped up efforts to bring high-quality health care to the people, and its current 5-year plan has made reproductive medicine, including PGD, a priority, an effort that Qiao is leading. Researchers are hunting down various mutations in the Chinese population that might be screened for in PGD. And well-equipped and powerful clinical-research groups, including Qiao’s, are stepping up efforts to improve the technology, increase awareness and bring down costs. 

Comprehensive figures are difficult to come by, but estimates from leading PGD providers show that China’s use of the technique already outpaces that in the United States, and it is growing up to five times faster. Qiao’s clinic alone now performs more procedures with PGD each year than all of the United Kingdom. 

“Looking over the development in China over the past 10 years, they might start to think it’s possible to get rid of these diseases,” says Kangpu Xu, a Chinese-born reproductive biologist at Weill Cornell Medical College in New York City.

Such systematic efforts raise thorny questions for bioethicists. Some worry that pushes to eliminate disabilities devalue the lives of those who already have them. The cost and accessibility of the procedure raises concerns about genetic traits further widening the divide between rich and poor people. Then there are concerns about the push to select for non-disease-related traits, such as intelligence or athletic ability. The ever-present spectre of eugenics lurks in the shadows. But in China, although these concerns are considered, most thoughts are focused on the benefits of the procedures. “There are ethical problems, but if you bring an end to the disease, I think it’s good for society,” says Qiao. 

Heyday for PGD

Physicians in the United Kingdom pioneered PGD in humans about 30 years ago, initially to help genetic carriers of a disorder that affects mainly boys. Thanks to the procedure, the parents were able to select for girls. Generally, the process involves removing one or a few cells from an embryo created during IVF and then using various techniques to test the structure and number of chromosomes and even the sequence of individual genes. Physicians typically discard embryos that don’t pass the tests.

Uncertain about the procedure’s safety, and wary of its potential for abuse (selecting for males in China is illegal, for example), the Chinese government restricted the practice to hospitals with a licence. By the end of 2004, only four centres in the entire country had such a licence. By 2016, the number had risen to 40. 

The clinics are huge and growing. Qiao’s centre carried out 18,000 IVF procedures in 2016. The biggest clinic, the Reproductive and Genetic Hospital CITIC-Xiangya in Changsha, recorded 41,000 IVF procedures in the same year. That’s roughly one-quarter of the annual number for the entire United States. One reason for the dramatic rise is China’s policy change last year that now allows families to have two children. This has led to a huge number of older women seeking fertility treatment. Another factor is the changing culture in China. Ten years ago, people who couldn’t conceive would take traditional Chinese medicine, or they might adopt a child. “Now they know assisted reproductive technologies can help,” says Qiao. 

And the centres with licences to do PGD have created a buzz in their race to claim firsts with the technology. In 2015, CITIC-Xiangya boasted China’s first “cancer-free baby”. The boy’s parents had terminated a prior pregnancy after genetic testing showed the presence of retinoblastoma, a cancer that forms in the eyes during early development and often leads to blindness. In their next try, the couple used PGD to ensure that the gene variant that causes retinoblastoma wasn’t present. Other groups have helped couples to avoid passing on a slew of conditions: short-rib-polydactyly syndrome, Brittle-bone disease, Huntington’s disease, polycystic kidney disease and deafness, among others. Qiao, working with biochemist Sunney Xie at Harvard University in Cambridge, Massachusetts, has also introduced a method that can do both chromosomal analyses and next-generation genetic analyses on a single cell. China might have got a slow start, but it is now overtaking Western nations in its use of PGD.

Andy Wong/AP/REX/Shutterstock

Chinese clinics are pioneering new methods for embryo testing.

Qiao’s clinic screened embryos for individual disease-causing genes about 100 times last year. It screened for abnormal chromosome counts, such as that associated with Down’s syndrome, in another 670 cases. For comparison, 578 such procedures were done in the entire United Kingdom in 2014, the latest year for which numbers are available. And China’s uptake is growing fast. At CITIC-Xiangya, the number of preimplantation testing procedures rose by 277% over just 2 years, from 876 in 2014 to 2,429 in 2016, and 700 of these were for single-gene disorders.  

What’s more, many fertility centres in China have the capacity for high-quality research. Qiao is interested in safety and is studying whether extracting the cells for PGD causes subtle damage to the embryo. She is in the middle of compiling data from all IVF clinics in China for a 10-year study on such effects. 

Qiao is also working with Xie and Sijia Lu, the chief technology officer of Shanghai-based Yikon Genomics, to develop a technique to do all the necessary sequencing without removing cells, by sampling free-floating DNA in the media the embryos are cultured in. Such an advance could make PGD safer and easier to do.

Joe Leigh Simpson, a medical geneticist at Florida International University in Miami, and former president of the Preimplantation Genetic Diagnosis International Society, is impressed by the quality and size of the Chinese fertility clinics. They “are superb and have gigantic units. They came out of nowhere in just 2 or 3 years,” he says. 

Chinese researchers are also looking for more disease-associated gene variants, specifically to expand the impact of PGD. The most concentrated efforts are being orchestrated by He Lin, a geneticist at Shanghai Jiao Tong University. He has set out an ambitious project: to pin down all the mutations in all the genes that cause diseases and put them into a single database. “We just do them one by one until we get the whole set,” he says, referring to the roughly 6,000 known genetic diseases. As disease–gene links are verified, they could be added to the list of things that PGD can screen for. 

The first target, He says, is deafness. Wang Qiuju, a hearing-loss specialist at the Chinese PLA General Hospital in Beijing and head of the project, says that she plans to get up to 200,000 samples from 150 hospitals throughout China to identify associated mutations. 

The large numbers are needed because there are a handful of genes involved in hearing loss, and each of them have dozens, even hundreds, of mutations. “When we have big databases, we can see the contribution of each gene more clearly. Then it’s easy to do PGD,” says Wang. 

Culture clash

Such efforts, for hearing loss in particular, can seem jarring because many people in the West do not consider it a problem to be avoided. In the United States, some deaf couples have used PGD to select for congenital deafness, in an effort to preserve Deaf culture. Such sentiments wouldn’t make sense to many parents in China, says Wang, because there is little support for them: “If they have a deaf child, they feel the need to have a normal child to help them take care of the deaf child.”

People in China seem more likely to feel an obligation to bear the healthiest child possible than to protect an embryo. The Chinese appetite for using genetic technology to ensure healthy births can be seen in the rapid rise of pregnancy testing for Down’s syndrome and other chromosomal abnormalities. Since Shenzhen-based BGI introduced a test for Down’s syndrome in 2013, it has sold more than 2 million kits; half of those sales were in the past year.

Although such testing has become routine in the United Kingdom and United States, many in the West won’t terminate a pregnancy just because of Down’s syndrome. 

Jiani Chen, a genetic counsellor at the University of Oklahoma Health Sciences Center in Oklahoma City, says that this isn’t the case in China. “In China, if you want to abort a baby with Down’s syndrome, no one will scold you.” Since moving from her native Taiwan to Oklahoma, Chen herself says that she is no longer sure what she would do.

In the West, PGD still raises fears about the creation of an elite genetic class, and critics talk of a slippery slope towards eugenics, a word that elicits thoughts of Nazi Germany and racial cleansing. In China, however, PGD lacks such baggage. The Chinese word for eugenics, yousheng, is used explicitly as a positive in almost all conversations about PGD. Yousheng is about giving birth to children of better quality. Not smoking during pregnancy is also part of yousheng. 

This is not to say that the Chinese haven’t thought about abuses of the technology. The Chinese government was worried, as were many Western governments, that PGD would be used to select physical characteristics, such as height or intelligence. The clinics licensed to do PGD can use it only to avoid serious disease or assist infertility treatments. And sex selection through PGD is off the table. Yikon’s Lu says that some families ask to weed out the mutation that renders many Asians unable to process alcohol, something that could affect the ability to take part in the often alcohol-fuelled Chinese business lunches. “They want their son to be able to drink,” says Lu. “We say no.” Shanghai Jiao Tong University’s He has made training genetic counsellors — people versed in the risks, benefits and ethical issues related to PGD — a priority. Currently, they are almost non-existent in China.

The UK Human Fertilisation & Embryology Authority also tightly regulates PGD — limiting its use to 400 conditions. But in the United States, clinics have fairly free rein. Sex selection, for example, is acknowledged as controversial by the American Society for Reproductive Medicine, but its ethics committee largely leaves it to individual clinics to decide what is permissible. 

To many fertility specialists, what’s most striking about China’s adoption of PGD is the speed and organization of its uptake. China already seems to provide more procedures than the United States, and with growth estimated at 60–70% per year, is on target to catch up in per capita terms in the next few years.

This could be a boon for the country, given the economic arguments for PGD. For instance, one study has compared the average costs of the PGD procedure needed to avoid cystic fibrosis — US$57,500 — with the medical costs incurred in a lifetime by an average patient, which amounted to $2.3 million (I. Tur-Kaspa et al. Reprod. Biomed. Online 21, 186–195; 2010). The authors calculated net savings on health care of all patients born in a year over the average patient’s lifespan of 37 years to be $33.3 billion. That is just for one of hundreds of diseases that can be avoided with PGD. 

But PGD has not been an easy sell in the West. The Catholic Church, for example, opposes embryo manipulation, including the removal of cells for testing, as well as the destruction of embryos. “The idea that scientists are playing god is always a theme,” says Natasha Bonhomme, chief strategy officer at Genetic Alliance, a lobbying group in Washington DC that focuses on genetic diseases. 

There are also social and economic concerns. Some parents of affected children argue that reducing the number of children with those diseases would reduce government funding for research into treatments. Others object to the idea that they are being discouraged from conceiving children the usual way.

The debate has made physicians and scientists wary. “The scientific community is not interested in getting too forward out in front of public opinion,” says Simpson, even though he thinks that the evidence is on the side of employing more PGD. “With every reproductive-biology advance,” he says, “we get the same questions: ‘won’t there be a slippery slope that leads to abuse?’ But it never happens.” 

The upshot is that there has never really been advocacy organized around PGD in the United States, says Bonhomme. And without government support, it remains for many a prohibitively expensive procedure. Insurance coverage is “pitiful”, says Svetlana Rechitsky, director of the genetic-testing firm Reproductive Genetic Innovations in Northbrook, Illinois. Sitting at her desk, sorting through letters from insurers — mostly refusals to offer coverage for PGD — she says, “It’s getting worse and worse.” 

Already the procedure is much cheaper in China — about one-third of what it costs in the United States. Cheaper tests will make it more palatable for national insurance coverage, something Qiao has already started pushing for. “Before I retire, I want to get the government involved. I have 12 years,” she says.

Qualifications include: Proficiency in multiple languages, but an expert in at least one object oriented and one procedural language. Experience with HTTP/RPC/REST API development Experience with Relational databases, such as MySQL or Postgres Experience with caching mechanisms and unstructured data stores Experience with Message Queues Strong knowledge of Unix/Linux systems

Ideally, you'll: Have deployed and scaled high availability distributed services Be comfortable helping lead the direction of our core infrastructure architecture Have previous experience with Borg, Omega, Mesos or Kubernetes Golang experience

Your responsibilities will include: Work with geographically distributed backend systems Design and build core backend software components and services Instrumentation for monitoring the health and availability of services Performance management including benchmarking and monitoring of vital metrics Analyze and improve scalability and efficiency of system resources

Perks: Competitive salary Stock options Employer-paid health care Employer match of retirement contribution up to the maximum allowed by law Company credit card Multiple large monitors, Aeron chair Electronically operated sit to stand desks Free food, drinks & snacks at the office (including breakfast, lunch, and dinner prepared by our professional chef) In-office gym, weekly yoga classes and massages Fun, get-things-done work environment -- work whenever you want, take days off whenever you want, as long as you're getting things done

Company:

Weebly is a complete platform that allows anyone to start and grow an online business with curated website templates, powerful ecommerce and integrated marketing. More than 40 million entrepreneurs around the world use Weebly to grow their customer base, fuel sales and market their idea. Designed for any entrepreneur who wants to reach a global audience, Weebly gives everyone the freedom to create a high quality online presence that works brilliantly across any device. Over 325 million people a month visit a site or store made on Weebly.

The office culture at Weebly encourages new ideas and teamwork above all else. Our team is collaborative and sociable.

http://careers.weebly.com/#111159

Australian researchers have made a breakthrough in the treatment of peanut allergy in children.

A small clinical trial conducted at the Murdoch Children’s Research Institute has led to two-thirds of children treated with an experimental immunotherapy treatment being cured of their allergy. Importantly, this desensitisation to peanuts persisted for up to four years after treatment.

“These children had been eating peanut freely in their diet without having to follow any particular program of peanut intake in the years after treatment was completed,” said the lead researcher, Prof Mimi Tang.

Peanut allergy is the most common cause of anaphylaxis, a life-threatening allergic reaction, and one of the most common causes of death from food allergy.

To combat this Tang, an immunologist and allergist, pioneered a new form of treatment that combines a probiotic with peanut oral immunotherapy, known as PPOIT. Instead of avoiding the allergen, the treatment is designed to reprogram the immune system’s response to peanuts and eventually develop a tolerance.

It’s thought that combining the probiotic with the immunotherapy gives the immune system the “nudge” it needs to do this, according to Tang.

Forty-eight children were enrolled in the PPOIT trial and were randomly given either a combination of the probiotic Lactobacillus rhamnosus with peanut protein in increasing amounts, or a placebo, once daily for 18 months.

At the end of the original trial in 2013, 82% of children who received the immunotherapy treatment were deemed tolerant to peanuts compared with just 4% in the placebo group.

Four years later, the majority of the children who gained initial tolerance were still eating peanuts as part of their normal diet and 70% passed a further challenge test to confirm long-term tolerance.

Tang said the results were exciting and had been life-changing for participants. “The way I see it is that we had children who came into the study allergic to peanuts, having to avoid peanuts in their diet, being very vigilant around that, carrying a lot of anxiety with that and, at the end of treatment and even four years later, many of these children who had benefited from our probiotic peanut therapy could now live like a child who didn’t have peanut allergy.”

The results are published in the Lancet Child & Adolescent Health.

If confirmed by larger clinical studies, the broader hope is that this treatment can have an impact on the high rates of food allergy among children.

“This is a major step forward in identifying an effective treatment to address the food allergy problem in western societies,” Tang said.

The Quantum Flow and Photon projects have exciting newsletters. The Quantum graphics project (integrating WebRender in Firefox) hasn’t provided a newsletter so far and people have asked for it, so let’s give it a try!

This newsletter will not capture everything that is happening in the project, only some highlights, and some of the terminology might be a bit hard to understand at first for someone not familiar with the internals of Gecko and WebRender. I will try to find the time to write a bit about WebRender’s internals and it will hopefully provide more keys to understanding what’s going on here.

The terms layer-full/layers-free used below refer to the way WebRender is integrated in Gecko. Our first plan was to talk to WebRender using the layers infrastructure in the short term, because it is the simplest approach. This is the “layers-full” integration. Unfortunately the cost of building many layers to transform into WebRender display items is high and we found out that we may not be able to ship WebRender using this strategy. The “layers-free” integration plan is to translate Gecko’s display items into WebRender display items directly without building layers. It is more work but we are getting some encouraging results so far.

Some notable (recent) changes in WebRender

• Glyph Cache optimizations – Glenn profiled and optimized the glyph cache and made it a lot faster.
• Texture cache rewrite (issue #1572) – The new cache use pixel buffer objects to transfer images to the GPU (previously used glTexSubImage2D), and does not suffer from fragmentation issues the way the previous one did, and has a better eviction policy.
• Other text related optimization in the display list serialization.
• Sub-pixel positioning on Linux.

Some notable (recent) changes in Gecko

• Clipping in layers free mode (Bug 1386483) – This reuses clips instead of having new ones for every display item. This will reduce the display list processing that happens on the Gecko side as well as the WebRender side. This was one of the big things missing from getting functional parity with current layers-full WebRender.
• Rounded rectangle clipping in layers free mode (Bug 1370682) – This is a noticeable difference from what we do in layer-full mode. In layer-full mode we currently use mask layers for rounded clipping. Doing this directly with WebRender gives a noticeable performance improvement.

How to get the most exciting WebRender experience today:

Go to about:config and change the following prefs:

• turn off layers.async-pan-zoom.enabled
• turn on gfx.webrender.enabled
• turn on gfx.webrendest.enabled
• turn on gfx.webrender.layers-free
• add and turn on gfx.webrender.blob-images
• if you are on Linux, turn on layers.acceleration.force-enabled

This will give you a peek at the future but beware there are lots of rough edges. Don’t expect the performance of WebRender in Gecko to be representative yet (Probably better to try Servo for that).

All of the integration work is now happening in mozilla-central and bugzilla, WebRender development happens on the servo/webrender github repository.