Future of the Internet Symposium: Do We Know the Future of the Internet?

You may also like...

4 Responses

  1. Steven Bellovin says:

    Orin, I think that the absence of global worms like Melissa and I Love You is in fact a bad sign. People have stopped writing them because they’re bad for business. The bad guys have learned that they can make money from malware, by stealing bank account credentials, sending spam, and engaging in extortion. There is now profit from hacking, and the market has worked its magic: we’re seeing very sophisticated, high-quality worms, worms that don’t call attention to themselves, but instead quietly go about their business. Shut down the Internet? No, of course not; if you can’t deliver the spam, you won’t get paid.

    I hadn’t noticed the drop in the CSI/FBI numbers, but I’ve always felt they were quite suspect. The methodology in their surveys is extremely suspect; they rely on self-reporting. Besides, companies can only report attacks that they notice; most attacks are never noticed.

  2. Orin Kerr says:

    Thanks for the interesting response, Steve.

    Two thoughts. First, I’m curious how you draw the comparison. The I Love You virus caused an estimated $5 billion to $10 billion in losses: It shut down offices around the world. All things considered, isn’t it better to have more spam than that kind of loss?

    Second, I’m not sure if your argument cuts in favor of Zittrain’s argument or against it. I believe Zittrain’s argument is that security is getting so bad that users will eventually demand a closed network: Users will give up and reject the open Internet because they’re fed up with the security threat. To the extent the security threat has thrived by becoming invisible to the user, doesn’t that make it unlikely that users will respond by demanding a switch to a more closed system?

  3. Steven Bellovin says:

    I’m not arguing about the total world-wide economic loss; if the numbers you cite are accurate (and I have considerable doubts, but that’s another matter), we had serious problems, but they reflect the overall insecurity of the net against a more or less random attack. What we have now are targeted attacks. These are much harder to defend against, because they can be arbitrarily clever — the profit motive (and yes, the national security motive, for other people’s nations) has led to some very sophisticated attacks. It’s easy to defend against email that says “click here to see naked pictures of Britney Spears” when that’s really pointing to a well-known exploit for which a patch exists and which anti-virus software will pick up in any event. It’s a lot harder if you receive a PDF that is apparently from a colleague, asking you to comment on a draft of her latest paper — but the PDF really has a so-called “0-day exploit”, one never seen before, and the email is really a forged note from a foreign intelligence agency. The societal and legal responses (to say nothing of the technical responses) have to be different; the former is more or less a statistical phenomenon, while the latter is someone out to get you.

    An interesting case is the so-called Stuxnet worm, which received far too little attention outside of the security communit. I wrote about it (http://www.cs.columbia.edu/~smb/blog/2010-07/2010-07-16.html); briefly, it was a very sophisticated attack aimed at critical infrastructure systems.

    I’m not arguing for or against Zittrain’s proposition right now, though I do think that the demand for closed systems will come more from the server side than from consumer demand. If nothing else, current laws and policies have largely shielded consumers from losses. At most, it will make consumers more willing to accept such systems, but only if they aren’t inconvenienced too much. The first bank to mandate an appliance runs a serious risk of losing customers, I suspect.

  4. Daithi Mac Sithigh says:

    Orin, some very interesting points above. I too find it difficult to figure out precise criteria for judging the benefits of openness – and I’m struck by how we can see different social networking sites, to take one example, doing well in one part of the world but not another. Certainly, there can be differences in the basic model behind Facebook as opposed to MySpace (choose your own examples), but it’s very hard to figure out why X does well in one place and Y in another. But it could mean that you have ‘open’ in one nation and ‘closed’ in another, even though they share fundamental features of culture or government. (There’s even the class-based argument that danah boyd and others have made about SNS use within the US). This strikes me as an experiment waiting to happen, if one could control for the appropriate variables. The problem with comparing an open and a closed system within a single environment is – taking social networking again – is the lack of ‘real choice’ when one site is already dominant – can a user really opt for a more open place if the people they want to talk to are happy in closed-world?