The struggle of fixing net crime

Originally published as a comment to Eric Sink's article, Thirteen Guitars.

The net is an anarchy - much like a city without any police. Where there is no functional real-life police, everyone has to allocate a good portion of time and resources to protect against crime, and woe to the gullible one. The net is much like that right now.

The primary reason hackers, fraudsters and spammers can elude detection is because (1) they have access to millions of zombie machines, and (2) they can log on to the internet anonymously through things like Wi-Fi hot spots.

Removing these people's ability to (1) command armies of zombies, and (2) log on to the net in anonymity would go a long way towards eliminating net crime.

The only way to solve #1 is to fix the way software is written.

1. It must be written in a language created with security in mind, so that no buffer overruns or integer overflows are possible. Java and .NET are a good step in this direction, and it is a good thing that Windows Vista is moving the focus of programming to managed code with .NET.

2. Software security must be capability-based. The platform must allow you to run your browser with only the capability to display graphics and play sound, not the ability to read or change files that are outside of its cache and settings directories. There is no mainstream platform right now that has this. There is some, but I think not enough, work going on to deal with this problem, including the Singularity project at Microsoft Research (which employs some 30 researchers, but really should employ the company as whole), as well as Combex's now less well-funded (and possibly abandoned) efforts with CapDesk, a capability-based desktop.

Without this shift in how we write software, zombies will always be readily available for exploitation.

If we are successful in drastically changing and improving programming techniques worldwide and taking other related steps to eliminate zombie machines on the net, we will reduce net evil but of course not completely eliminate it. Still, at that stage life on the net should generally be much better and safer and the risks easier to manage.

About spam - I used to receive up to 400 spam messages per day, which I had to eliminate manually. Now I bought myself an email server so that I can manage the usernames for my own domain. I create usernames for any new entities I communicate with, and I remove usernames when they start to receive spam. This eliminates near 100% of spam and has no false positive problem in the sense that even if people write to an inactivated address, they get a normal bounce message instead of their mail disappearing in a black hole.


Popular posts from this blog

"Unreachable" beauty standards

Is the internet ready for DMARC with p=reject?

When monospace fonts aren't: The Unicode character width nightmare