Spoutin' Off: We're responsible for our computer use, security
By Michael E. Rau
August 8, 2005
Well, I'd really hoped to be able to share some amazing new insights into malware to come out of the two big hacker conventions, which just wrapped up in Las Vegas and the Netherlands.
Alas, it's not to be...
As it turns out, except for a couple of relatively interesting keynotes, both conventions deteriorated into a series of rather puerile "my hack is better than your hack" competitions. Sure, it's kinda fun to watch someone crack a supposedly uncrackable security protocol. But except for pointing out to the creator of the protocol that their system isn't really all that secure, what good have they done?
I had hoped that some sort of resolution would emerge from the hacker community condemning the criminalization of the World Wide Web. But instead, as usual, they thought only of themselves and their own edification.
Hackers create the problems which online criminals in turn exploit. Their self-absorption forces the rest of us to continue to try to contain the damage wrought by their activities.
So as promised in my last column, we're going to start considering some possible long-term methods for dealing with criminal malware, as well as less malicious but invasive and exploitative Web instruments such as tracking cookies. Let's begin with this:
First, as mentioned before, I believe the key to making this work is the creation and maintenance of a dynamic database which documents the exact elements of spyware utilized by any given URL.
As I foresee it, the database itself would be created and maintained by an existing neutral consortium, such as ICANN or W3C. This is also a task which could be ceded to a non-profit organization such as SpamHaus.
It would be maintained through voluntary disclosure by sites seeking credibility, and by an effort which would use a pool of volunteers (or perhaps convicted hackers) to extract the information from non-compliant Websites and publish their dirty little secrets for all the world to see.
Let's use Yahoo as an example of how this database might be used. Yahoo is a company which I would describe as highly legitimate, but which uses spyware extensively to gather information about its users.
Assuming that Yahoo, being a legitimate company which isn't trying to engage in deceptive practices, is willing to disclose its practices up front, they would send the databasing organization a list of the tracking cookies and web beacons which they utilize, including a description of exactly what information each cookie or beacon collects.
Once satisfied that the information is accurate, the databasers would then issue Yahoo a registration code, which Yahoo would in turn insert in its metatags. The encrypted code would contain information regarding the number and type of spyware which is utilized within the structure of that URL.
I believe any existing browser could be configured in subsequent versions to look for this registration code, and then determine whether or not to open the site based on your predetermined security settings, based on what level of personal information you're comfortable with releasing online.
Let's look at Yahoo again. As I said when I wrote about their use of web beacons, I don't believe that Yahoo is collecting data which I would find objectionable to provide to them (I'm still a registered user), only that I resent the fact that I'm not told before I visit so I can choose for myself whether or not to provide that information.
With a newly configured browser using the malware database registration code, I would navigate to Yahoo's URL, my browser would read the registration code, determine if the data sought by their spyware is information which I don't mind sharing, and then either open the home page, or tell me why it didn't.
The browser could be set to reject such URLs as those without a registration code, those which attempt to install adware or other spyware such as keystroke loggers, those whose spyware seeks data which I'm not willing to provide, those which the databasing consortium determines have falsified data, or those which have inherent security flaws (watch out, ActiveX users).
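A sketch of the browser-side check described above, added here as an illustration and not taken from the column or from any real registry. It assumes the registration code is a registry-signed (Ed25519) JSON disclosure rather than an encrypted one, carried in a hypothetical `tracking-registration` meta tag; the field names, hosts and policy values are constructed, and it runs under Node.js.

```javascript
// Added illustration: the tag name, code format and field names are all assumptions.
const crypto = require('node:crypto');

// Stand-in registry key pair, generated here so the example runs offline.
const registry = crypto.generateKeyPairSync('ed25519');

// Registry side: sign a site's disclosure; the result goes in the site's meta tag.
function issueCode(disclosure) {
  const payload = Buffer.from(JSON.stringify(disclosure));
  const sig = crypto.sign(null, payload, registry.privateKey);
  return `${payload.toString('base64url')}.${sig.toString('base64url')}`;
}

// Constructed sample page carrying a code in a hypothetical meta tag.
function samplePage(code) {
  return `<html><head><meta name="tracking-registration" content="${code}"></head></html>`;
}

// Browser side: open the page only if a valid code discloses nothing the user refuses.
function decide(html, host, policy) {
  const m = /<meta\s+name="tracking-registration"\s+content="([^"]+)"/i.exec(html);
  if (!m) return { open: false, reason: 'no registration code' };
  const [body, sig] = m[1].split('.');
  if (!body || !sig) return { open: false, reason: 'malformed registration code' };
  const payload = Buffer.from(body, 'base64url');
  if (!crypto.verify(null, payload, registry.publicKey, Buffer.from(sig, 'base64url'))) {
    return { open: false, reason: 'invalid registration code' };
  }
  const disclosure = JSON.parse(payload.toString('utf8'));
  if (disclosure.host !== host) return { open: false, reason: 'code issued for another site' };
  if (policy.falsified.includes(host)) return { open: false, reason: 'registry reports falsified data' };
  for (const t of disclosure.trackers) {
    if (policy.blockedTypes.includes(t.type)) {
      return { open: false, reason: `blocked tracker type: ${t.type}` };
    }
    const refused = t.collects.find((field) => !policy.allowedData.includes(field));
    if (refused) return { open: false, reason: `${t.type} collects ${refused}` };
  }
  return { open: true, reason: 'disclosure within policy' };
}

// Constructed user settings and site disclosure.
const policy = { blockedTypes: ['keystroke_logger', 'adware'],
  allowedData: ['pages_viewed', 'ip_address'], falsified: [] };
const portal = { host: 'portal.example', trackers: [
  { type: 'cookie', collects: ['pages_viewed'] },
  { type: 'web_beacon', collects: ['ip_address'] } ] };
console.log(decide(samplePage(issueCode(portal)), 'portal.example', policy));
```

Signing stands in for the column's "encrypted code" because the browser has to read the disclosure and confirm the registry issued it; a code copied to another host or edited after issuance fails the check.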
You may notice that nothing here sounds like a particularly original idea, and there's a reason: all the technology to accomplish this already exists. The online world isn't already moving in this direction only due to lack of public demand. This idea, as well as many others out there, means nothing if existing apathy persists.
You, as a consumer, whether for personal or professional purposes, have to exercise control over your online experience. You have to use the security tools available to protect yourself. You have to refuse, no matter how tempting, to visit unsecured sites or open unknown applications.
It's all about choices, folks. You have to choose to protect yourself and, by extension, be part of the solution instead of a contributor to the problem.
Michael E. Rau is a communications consultant in Virginia Beach. To send comments to Mike or view past columns, visit http://dailypress.asoundidea.com/.
Copyright © 2005, Daily Press