This will be a bit of a public service message with as little technical gobbledygook as possible. Computers and the Internet have become an entrenched technology. In the first world, it is prohibitively difficult to live a normal life without interacting with them. And the younger demographic has embraced the web, e-mail, and instant messaging as cultural tools. As a scientist / engineer / researcher (I've never been sure?) in the field of computing security, I am ashamed of the software ecosystem I have helped develop, one that opens us all to risk.
But first, in an effort to gather a slightly realistic perspective on the situation, I'm writing this in one of the local coffee shops. My laptop is running software to monitor all nearby Internet usage. On this average Sunday evening, there are eleven laptops split between two separate wireless connections. After ten minutes of recording, I feel better about publishing a few items:
Our web surfing is public.
The sites we visit on the web are often comical, boring and completely public. This is an issue with the two building blocks of the web: HTTP, the protocol, and HTML, the page format. Both are verbose, plain-text formats written in readable English, so anyone on the same network can read the requests and the pages without any esoteric software.
The infrastructure behind so-called secure connections is dysfunctional; in practice it gets in the way of only the rank amateur.
Our e-mail is public.
The history of e-mail is one of telecommunications' tragedies. The origins of the contemporary system are solidly rooted in a much kinder and gentler time. Spam, identity theft, and malicious entities were non-issues. But, as the times have raced ahead, e-mail has been hard pressed to keep up. Not coincidentally, the preceding segment about web surfing is applicable: most of us read our e-mail through our web browsers.
- Yahoo! Mail
Our instant messages are public.
This is odd to me because, with the exception of AOL Instant Messenger (and ICQ), the infrastructure was built after the risks were well understood.
- Yahoo! Messenger
- MSN Messenger
- AOL Instant Messenger
Our passwords are safer than our content.
With all the press about privacy, it seems the industry is failing to protect the three most commonly used Internet services. It has been eight years since TLS, a drop-in method of on-the-wire encryption, was standardized. Paradoxically, of all our information, our passwords are the best protected. Every major website and IM service encrypts them in transit, so they cannot be picked up by an eavesdropping third party; the content that follows the login is another matter. E-mail is the least protected due to its age, as every effort to add security has had to remain compatible with older programs.
This isn't to imply our passwords are safe. Studies have shown the average individual doesn't use secure passwords. Precomputation attacks such as rainbow tables (against leaked password hashes) and social engineering methods such as phishing are alarmingly effective on even the educated average individual. Put simply, passwords are a technique used inappropriately in all the right places.
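To make the two observations above concrete (a cleartext HTTP request exposes the site, the page and any session cookie to anyone on the same network, whereas the only thing an eavesdropper learns from a TLS connection is record headers and opaque bytes), here is an added example in Python. It is not from the post and not the monitoring software mentioned earlier; every address, host name and byte string in it is constructed for illustration, standing in for what a passive monitor would pull off a shared wireless network.

```python
"""Classify captured TCP payloads the way a passive coffee-shop monitor would.

Added example, not from the original post. SAMPLE_FLOWS is constructed
(client address, destination port, payload bytes); no real capture is read.
"""

# TLS record content types from the 5-byte record header (RFC 2246 section 6.2).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def parse_http_request(payload: bytes):
    """Return (method, host, path, secrets) for a cleartext HTTP request,
    or None if the payload is not one. 'secrets' holds the headers that
    carry credentials or session tokens; on port 80 they are readable text."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, path = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    secrets = {k: headers[k] for k in ("cookie", "authorization") if k in headers}
    return method, headers.get("host", "?"), path, secrets


def classify_tls(payload: bytes):
    """Identify a TLS record from its header: (content type, version, length).
    Returns None if the bytes do not look like a TLS record. The body is
    ciphertext, so nothing beyond these three facts is recoverable here."""
    if len(payload) < 5 or payload[0] not in TLS_CONTENT_TYPES:
        return None
    major, minor = payload[1], payload[2]
    if major != 3:          # SSL 3.0 and every TLS version use major version 3
        return None
    length = int.from_bytes(payload[3:5], "big")
    return TLS_CONTENT_TYPES[payload[0]], (major, minor), length


def summarize(flows):
    """flows: iterable of (client, dst_port, payload).
    Returns one line per flow stating what an eavesdropper learns from it."""
    out = []
    for client, port, payload in flows:
        http = parse_http_request(payload)
        if http:
            method, host, path, secrets = http
            leak = ", ".join(sorted(secrets)) or "none"
            out.append(f"{client} -> http://{host}{path} ({method}); "
                       f"credentials in clear: {leak}")
            continue
        tls = classify_tls(payload)
        if tls:
            rtype, (major, minor), length = tls
            out.append(f"{client} -> port {port}: TLS {rtype} record, "
                       f"{length} opaque bytes")
            continue
        out.append(f"{client} -> port {port}: {len(payload)} bytes, unrecognised")
    return out


# Constructed sample traffic: a webmail inbox fetched over plain HTTP after
# an HTTPS login (the session cookie travels in the clear), one TLS
# application-data record, and a cookie-less news page.
SAMPLE_FLOWS = [
    ("10.0.0.12", 80,
     b"GET /mail/inbox HTTP/1.1\r\nHost: webmail.example\r\n"
     b"Cookie: session=abc123\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.17", 443,
     bytes([0x17, 0x03, 0x01, 0x00, 0x2a]) + b"\x9c" * 0x2a),
    ("10.0.0.20", 80,
     b"GET /headlines HTTP/1.1\r\nHost: news.example\r\n\r\n"),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_FLOWS):
        print(line)
```

The first flow is the pattern the section describes: the password went over TLS, but the session cookie that proves the login is readable by everyone on the network and is just as useful to an attacker as the password for as long as the session lasts.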
Why are we failing?
My bad. It's the fault of every software producer. From the initial planning stages, to the creation process, and finally release to market, the software industry has well-established but faulty practices. It's both difficult and time-consuming to reeducate multiple generations of programmers. I just hope we do before our industry, as a whole, receives a deserved and painful bite of regulation from the governments of the world.
Surprisingly, I don't know of any technically inclined folk who take advantage of the current asymmetric situation. It's not unheard of - the mainstream press ensures that. But, it's also not common. Depending on your personal experiences, this anecdote may seem either incredible or understated. Drop a comment and let me know how our experiences compare.