Hot news: the Internet is as insecure as ever

I’ve been writing about the Internet for years, and some of my earliest articles were about security problems. I’ve written about why anti-virus software is ineffective, how application insecurities leave web servers open to attack, and why we need authenticated email combined with collective whitelisting in order to solve the problem of spam and virus-laden emails.

What depresses me is that we have made little if any progress over the last decade. Email is broken, but I have to use it for my work. Recently I’ve been bombarded with PDF spam and ecard viruses, which for some reason seem to slip past my junk mail filter. Said filter does a reasonable job and I could not manage without it, but I still get false positives from time to time – genuine messages that get junked and might or might not be spotted when I glance through them. The continuing flow of garbage tells me that anti-virus software is still failing, because it comes from other machines that are already infected.

And what about comment spam? Akismet is fantastic; it claims to have caught 43,000 spam comments to this blog since I installed it in October last year. In the early days I used to glance through all of them and occasionally I did find a comment that was incorrectly classified. Now, the volume of spam comments makes that unfeasible, so no doubt there are some being needlessly junked.

Security is a huge and costly problem. Even when everything is running sweetly, anti-virus and anti-spam software consumes a significant portion of computing resources. Recently I investigated why an older machine with Windows XP was running slowly. It did not take long: Norton anti-virus was grabbing up to 60% of the CPU time. Disabling NAV made the machine responsive again. Nevertheless, the user decided to keep it running. What is the cost to all of us of that accumulated wasted time?

We have become desensitized to security problems because they are so common. I come across people who know they have viruses on their PCs, but continue to run them, because they have stuff to do and would rather put up with a “slow” machine than try to fix it. Other machines are compromised without the awareness of their owners. Those PCs are pumping out viruses and spam for the rest of us, or are part of the vast botnet army which is now an everyday part of the criminal tool chest.

I actually write less about security than I used to, not because the issue is of any less importance, but because it becomes boringly repetitive. Desensitized.

The frustration is that there are things we could do. Email, as I noted above, could be made much better, but it requires collective willpower that we seem to lack. A while back I started authenticating my emails, but ran into problems because some email clients did not like them. Users saw attachments and thought it might be a virus, or could not reply to the email. I had to remember to remove the authentication for certain recipients, and it became too difficult to manage, so I abandoned the experiment. That’s really a shame. Authentication in itself does not prevent spam, but it is an essential starting point.

Do we have to live with this mess for ever? If not, how long will it take until we begin to see improvement?

4 thoughts on “Hot news: the Internet is as insecure as ever”

  1. Has anybody done any kind of assessment of what proportion of Internet traffic is garbage? And what the trend has been of late? It would be interesting to see what effect punitive legal sanctions are having.

  2. No, neither do I. I suppose I was wondering (perhaps naively) if the amount of junk traffic being originated was inversely related to initiatives to stamp it out.

  3. It is one of those paradoxes in life – we all know Internet security is flawed and yet we continue to behave as though everything is just fine.

    I like to think it is not the will we lack – but the focus of resources to address the problem. The email security is a case in point. Authenticating email is hard even though Comodo offers free email certificates because email authentication is a multi-vendor platform and most other vendors are not interested in “giving it away”. Or take firewalls. It is astonishing that here in the US we assume we are protected because we may pay for a firewall. What about all the bot PCs out there infecting our PCs because people in these often poorer countries can’t afford to pay for a firewall? Again, Comodo gives away an award-winning firewall for everyone. But we don’t get a lot of coverage because we don’t spend oodles on advertising for our free products hence we get little coverage.

    Here’s a challenge. Go to CNET and try and find a review of the Comodo Firewall product (I promise – CNET did one very recently and it was great). You won’t find it in a logical place. If you really are determined you will find it – but that’s not reality (btw – here is the CNET link; http://www.download.com/8301-2007_4-9792351-12.html?tag=head).

    So I hope that all industry stakeholders begin to change their model. A safer internet means that some basic stuff should be available to all for free (sorta like universal health coverage). Then the eCommerce engine of the Internet can lift all boats.

    That’s something we at Comodo are trying to do. But today, we are largely battling this alone.
