Jonathan Zittrain is correct. Internet security is fundamentally flawed, and radical, community-based intervention is vital to mitigating the ubiquitous, hostile elements that threaten the Web. However, his article is problematic, lacking a clear objective, and marred by several fallacies. More importantly, his computer security ideas do not address the core, causative factors of insecurity and other significant categories of Internet maliciousness that would easily circumvent his proposed solutions.
First, the small problems. Zittrain begins with a multi-page, historic overview of some well-known Internet malware events. Unfortunately, Zittrain incorrectly mixes the descriptive labels of virus, worm, and Trojan. Although casual readers might not notice the inaccurate usage, it will undermine his proposed solutions among anti-malware experts.
Zittrain also frequently undercuts his own predictions. For example, he writes that computers, are becoming—and will continue to become—increasingly less open and innovative, citing the examples of Microsoft’s Xbox 360 and Apple’s iPhone. But he also champions the innovative wiki, Skype, and Google’s Android, a revolutionary, ultra-open cell phone. It’s hard to say that closed systems are taking a more prominent role when open examples abound. Even the “closed” systems he mentions are becoming more open thanks to competition and customer demand.
The larger problems with the essay are two-fold. First, Zittrain’s proposals do not address many classes of malicious Internet behavior, including password guessing, remote buffer overflows, spam, phishing emails, network eavesdropping, malformed data, physical attacks, mis-configurations, and social engineering—whereby users are induced to divulge information they otherwise would not. The author focuses on preventing end-users from intentionally running malicious executable code. This is a needed, laudable goal. But he ignores the significant threats posed by the other classes of malware.
And, the core security problem of the Internet—pervasive anonymity and lack of accountability—isn’t even addressed. The key issue, the one that if solved would make the Internet a safer place to compute, isn’t even considered. It is like a car mechanic confirming an oil leak and then recommending higher viscosity oil.
The article’s second major failing is that the interim solutions Zittrain offers have already been considered and found to be lacking. One, “Generative PCs with easy reversion,” covers easily reversible computers and secondary virtual environments. Yet all of these types of environments contain innate connections to their underlying host computer, which can be exploited by malware. To date, not a single virtual environment has been created that does not allow unexpected host interaction.
The idea of encouraging more easily reversible computer environments also fails because it relies on the end-user to determine when to reverse the environment. If average end-users knew when they had been maliciously manipulated, we wouldn’t need the reversible environment in the first place. The truth is that the vast majority of end-users don’t know that they have been infected by malware or exploited. Much of the malware on a given PC originates in programs that a user intentionally installs or legitimate, trusted Web sites that are maliciously modified without the user’s knowledge.
But let us unrealistically suppose that the average end-user could notice a malware infection 60 minutes after it happened (the real timeline could probably be measured in weeks or months). Malware working at machine language speeds can easily do what it needs to (e.g. steal passwords, re-direct the user to a Trojan Internet location, send spam, attack another computer, etc.) within the shortened time frame. Today’s botnet-inspired malware is intentionally coded to be mobile and efficient. By the time the average user recognizes that his or her computer is infected, and attempts to reverse the environment, the damage is done.
Zittrain’s essay uses Wikipedia as a positive comparative example for computer security. Wikipedia’s community nature allows it to self-heal and correct errors‚ maliciously posted or not. I love Wikipedia and use it nearly every day. But its entries can remain inaccurate for weeks, and some are never corrected. The billions of commercial dollars crossing the Internet every day cannot abide reactive, slow to fix, corrections. The caring community of the Wikipedia does not scale into the business world.
But one should not take my criticisms to suggest that I do not agree with the author’s project. It is easier to tear down a barn than to build one. The heart of the article is in the right place: it will take a community to raise a child-like Internet to adulthood. I am sure, though, that Zittrain’s plan is not the complete care and feeding instructions.