Wired on Friday:The internet, one might surmise from reading the headlines, has become a dangerous place, writes Danny O'Brien.
Viruses, phishing, spam, fraudsters, identity theft and hacking are all out there, somewhere. But could the regulatory fixes we might hurl at the problem be worse than the disease itself?
Many of these plagues have their origins, not just in the iniquity of man, but in the insecurity of our software.
Everyone knows by now that Windows is notoriously full of hooks and holes for criminals to catch on to.
Vint Cerf, the father of the internet, estimates that 150 million online machines are compromised: in the control, not just of their owners, but of criminal third parties, using them in blackmail attempts, illegal spamming and other fraud.
These are the PCs that make up the "botnets". They are infected with alien code which, like a parasite, make its host do whatever it wants, often without the owner of the machine knowing what's going on.
To you, your internet-connected computer just appears to be running a little slow. But in the background, it could be emitting pornographic spam or sending a blast of data which, when combined with the output of thousands of other zombie machines, could take down a legitimate commercial website.
That is, unless the owners of the website pay protection money to the controllers of the botnet: controllers that are often involved in organised crime, hiring the machines from hackers for a rental fee.
What's the solution? Well, the solution seems straightforward: make those computers more secure.
And yet, that seems to be a task that is not only nigh impossible, but difficult to get anyone to take seriously enough to attempt.
Companies like Microsoft pay lip service to security, but aren't willing to sacrifice other priorities to attain it.
Microsoft works hard at improving security in its latest operating systems, but will not maintain updates for older versions. Security, it will point out, doesn't sell: features do.
It has been suggested that the best way to incentivise software companies is to make them liable for the damage their programs cause. A Microsoft that was liable for the chaos, fraud and spam spewed out by zombie PCs whose Windows software has left them vulnerable to attack, would be a far more cautious corporation. Security would certainly be at the very top of every technology provider's requirements.
But it would also freeze the rapid pace of innovation. It would give companies an excuse not to interoperate with other third-party software ("why should we expose ourselves to their vulnerabilities and perhaps mutual liability?", their lawyers would say, quavering).
It would also spell a death blow for open-source software. Liability law is meant to deal with corporations which have something to lose from being sued, and something to gain from being able to trade their software.
Open-source software is the product of a loose confederation of developers, creating cathedrals of code like Linux, and code that drives the infrastructure of the net with very little formal organisation or support. Who would be liable? No one? Everyone?
Ironically, open-source software has a reputation for good security because of the transparency of how it is designed. Anyone can spot a problem, and anyone can submit a fix. A liability regime would encourage commercial and hobbyist developers to conceal their flaws, for fear they would be exposed by hackers or those looking for a quick class-action settlement.
Open source's transparency may provide the hint to solving the security incentive problem. By far the hardest incentive to change is that of end users. They don't care about security, because in large part their own security isn't threatened by the weakness of their software. When your computer is zombified by a criminal, it's not you who suffers - it's those who are the target of the criminal's plans.
The best way to encourage users to care about security is to keep them informed. Allow internet service providers a conduit to tell users when they are receiving complaints about their machine; provide software that tells the end user when its computer is sending information to the outside world without their knowledge.
And give ordinary computer owners the same sort of notifications of security flaws that governments and national infrastructure services give to large computer installations.
A nation of zombie-controlled home PCs is as much a threat to the national infrastructure as any other, so the authorities should take a lead in warning us all of the consequences of our unsecure machines.
Government and regulation do have a part to play: the police could be given resources and incentives to fight crime that is perpetrated online. Proposals are always being made to have specialist computer crime departments, but cyber crimes are no different from ordinary crimes: it's just the tools that have changed.
Defending ourselves against criminals is a solved problem - or at least, a managed one. We just need to be aware of the dangers, given the tools to inform and defend ourselves against them, and confident that if we report a crime, the authorities will pursue it.
The internet isn't any more dangerous than the real world, and we've been coping with the dangers of the real world for a lot longer - and with less fear mongering - than the internet has suffered in its short life.
