Like the Poor, Spam Is Always With Us
Network World has an interesting article called “CAN-SPAM: What Went Wrong?” This title is akin to: “Subprime Mortgages: A Bad Idea?” There are three depressing trends: spam remains a huge problem, both in IT costs and in volume; legal efforts have been mostly useless; and experts still disagree about solutions. There are two interesting ones: people are less worried about spam as a problem, and spammers have found a new way to monetize unwanted mail. The junk in your Inbox used to be about V1agra, illicit software, or get-rich-quick offers from deposed Nigerian officials. Now, spam is about malware: getting users to click links that then download programs to their computers (which then add them to botnets).
Spam’s basic problem is the same: our social norms of trust are at odds with the insecure foundations of e-mail. Put another way, both we and our e-mail systems are too trusting, and thus easily duped. Spam exploits the credulous (“If my friend forwarded this link, it must be OK!”) and the opportunistic (“Hey, free Anna Kournikova pictures!”).
I still think we should do three things. First, e-mail just doesn’t work for communications that need security and the ability to authenticate senders. I proposed “safe mail” a few years back, and as with most academic ideas, it’s garnered almost as many supporters as Blagojevich for President. But it’s still a good approach. Second, ISPs need to think about rather paternalistic approaches (=URL blocking) in some cases, with opt-out for those willing to take informed risks. Think of this as mandatory StopBadware - when you try to connect to a spoofed or phishing site, you can’t. Finally, we need better defenses on our computers. Microsoft Vista tried for this, but its constant security warnings annoyed everyone without increasing security, leading to defensive ad campaigns rather than defensive computing.
Spam will always be around. It worries me, though, that our perception of its threat seems to be inversely proportional to the harm its payload carries…