dotCrime Manifesto: How to Stop Internet Crime, (paperback), The - Softcover

Dr. Phillip Hallam-Baker has been at the center of the development of the World Wide Web, electronic commerce, and Internet security for more than a decade. A member of the CERN team that created the original Web specifications, his list of design credits has few rivals and includes substantial contributions to the design of HTTP, the core protocol of the World Wide Web.

A frequent speaker at international conferences with more than 100 appearances over the past four years and numerous media interviews, Hallam-Baker is known for his passionate advocacy of what he calls technology for real people. His mission is to democratize technology, making technology serve the needs of the ordinary person rather than interest technologists or an artificial business model. The dotCrime Manifesto serves this mission by reaching out beyond the field of network security specialists to provide a firsthand, accessible account of the measures needed to control Internet crime.

Dr. Hallam-Baker was also responsible for setting up the first-ever political Web site on the World Wide Web and worked with the Clinton-Gore ’92 Internet campaign, correctly predicting that the Web would change the future of political communication, a prediction that led to the creation of the Clinton Presidential Web site, whitehouse.gov. While at the MIT Laboratory for Artificial Intelligence, Dr. Hallam-Baker worked on developing a security plan to allow deployment of the groundbreaking Internet publications system at the executive office of the president.

VeriSign Inc. was founded in 1995 to provide a trust infrastructure for the Internet that would allow people to buy and sell over the Web without worrying that a criminal might be able to steal their credit card number. This trust infrastructure was the key technology that allowed the development of online retail stores and banks. Dr. Hallam-Baker joined VeriSign in 1998 and became its first principal scientist in 2000. His first commission as principal scientist was to design a second-generation trust infrastructure for the Internet. This research work led to the design of XML Key Management Specification (XKMS), a protocol that reduces the number of lines of code necessary to connect to a trust infrastructure from more than a quarter of a million to less than two thousand. This research was also a major influence on the development of the Security Assertion Markup Language (SAML) protocol, which Dr. Hallam-Baker also edited. Both XKMS and SAML have been adopted as industry standards, and SAML was chosen by the Liberty Alliance as its key infrastructure protocol.

Since 2002, Dr. Hallam-Baker has increasingly focused on the problem of how to stop Internet crime. He played a leading role in the fight against spam and was one of the first researchers to argue for the authentication-based approach to spam control that has since become the Industry standard. In 2004, Dr. Hallam-Baker testified at the Federal Trade Commission workshop on authentication-based approaches to stopping spam.

Dr. Hallam-Baker holds a degree in electronic engineering from Southampton University and a doctorate in computer science from the Nuclear Physics Lab at Oxford University. He has worked at internationally respected research institutions such as DESY, CERN (as a European Union Fellow), and MIT. He is a member of the Oxford Union Society and a Fellow of the British Computer Society.

Preface

For more than a decade, surveys of Internet users, administrators, and developers have consistently ranked "security" as the top concern. Despite the advances in Internet security technology, the problem of criminal activity on the Internet has only become worse.

As Nicholas Negroponte, founder of the MIT Media Lab and the One Laptop Per Child association observed: bits not atoms. As the world goes digital, so does crime. Only the venue is new in Internet crime. Every one of the crimes described in this book is a new twist on an ancient story. Willie Horton robbed banks because, "That's where the money is." Today, the money is on the Internet, and so are the criminals trying to steal it.

People not bits: Internet crime is about people. Money is the means; technology is merely an end. Some Internet criminals are world-class technology experts, but rather fewer than you might expect. Most Internet criminals are experts in manipulating and exploiting the behavior of people rather than machines.

Internet crime is caused by the criminals, but certain limitations of the original design of the Internet and the Web have encouraged its growth. To change the behavior of people, we must change the environment in which they interact. Understanding the problem of Internet crime as a social process paradoxically leads us to solutions that are primarily expressed as technical proposals.

If we are going to beat the Internet criminals, we are going to need both strategy and tactics. In the short term, we must respond tacticallymdfoiling attacks in progress even if doing so costs more than accepting the loss. In the longer term, we must change the infrastructure of the Internet so that it is no longer a lawless frontier but do this in a way that does not compromise the privacy and liberties that have attracted people to the Internet in the first place.

We must pursue both courses. Unless we can bring Internet crime under short-term control through a tactical response, it will be too late for strategy. If we don't use the time bought by the tactical approach to advance a long-term strategy, we will eventually run out of tactical options.

The Internet has more than a billion users. It is a complex and expensive infrastructure. Changing the Internet is difficult, particularly when success requires many changes to be made at the same time and the people who must bear the cost are not always the ones who will see the benefit.

I am currently a participant in six different working groups tasked with changing a small part of the Internet. I have interactions with and occasionally appear at 20 more. Taken individually, none of the groups are likely to have a significant effect on the level of Internet crime. The best that can be hoped for is to move the problem from one place to another. Secure the e-mail system, and the criminals will start infiltrating Instant Messaging; secure Instant Messaging, and they will attack blogs or voice communications.

Taken together, the groups are working toward something that is much larger: a new Internet infrastructure that is a friendlier place for the honest person and a less advantageous environment for criminals.

The purpose of this book is to show how these pieces come together. In particular, it is an argument for a particular approach to Internet security based on accountability.

This book is arranged in four sections providing a rough narrative from problem to solution and from people issues to technology issues.

Section One: People Not Bits

Before we start to look at solutions, we need to understand both the problem we want to solve and the reasons it has not been solved before. What might surprise some readers is the fact that technology plays only a minor role. Money is the motive; people are the cause. You don't need to be a technology expert to understand how these crimes work; the typical Internet criminal is not a technology expert.

The first two chapters deal with the problem. Chapter 1, "Money Is the Motive," looks at the crimes themselves, every one a new twist on an ages-old scam, and Chapter 2, "Famous for Fifteen Mouse Clicks," looks at the criminals behind the scams. The common theme running through both chapters is that these crimes are due to the lack of accountability in the design of the Internet and the Web. To combat Internet crime, we must establish an accountable Web.

The next three chapters consider the problem of changing the Internet infrastructure to make it a less crime-friendly environment, how to make the changes necessary to establish accountability. Chapter 3, "Learning from Mistakes," looks back at the reasons that the Internet is the way that it is. Chapter 4, "Making Change Happen," looks forward and sets out a strategy for changing the Internet that is driven by pain and opportunity. Chapter 5, "Design for Deployment," describes an engineering approach based on that strategy: design for deployment.

Section Two: Stopping the Cycle

Having looked at the problem, we can begin to look at solutions to specific types of Internet crime, such as phishing and measures to limit the use of the criminal infrastructures that support them.

At this point, we are looking at measures that can be deployed in the short term with minimal changes to the existing Internet infrastructure. As a result, the measures tend to offer tactical rather than strategic advantage. Although tactical measures are valuable in the short run, we must accept that the respite they offer is temporary and use the time that they provide to deploy strategic changes to the Internet infrastructure that bring lasting benefits that the criminals find much harder to circumvent and make a profit from their activities.

Chapter 6, "Spam Whack-a-Mole," looks at previous efforts to control spam and the reasons that they have failed. Chapter 7, "Stopping Spam," describes more recent efforts to control spam by establishing an accountability infrastructure for e-mail use.

Chapter 8, "Stopping Phishing," examines the problem of phishing. Although phishing is not the only form of bank fraud on the Internet, it is currently the one that causes the most widespread concern.

Spam is one of the two principle engines of Internet crime. Chapter 9, "Stopping the Botnets," looks at ways to disrupt the use of the other principle engine of Internet crime: networks of captured computers known as botnets.

Section Three: Tools of the Trade

Before looking at how to change the Internet infrastructure to make strategic changes, it is necessary to describe the technical tools available, in particular the use of cryptography.

Chapter 10, "Cryptography," presents a brief introduction to modern cryptography. Cryptography is a powerful tool but must be used with care. Security is a property of a system. A program can employ the most advanced cryptographic techniques known and still fail to control real risks and thus provide security in the real world.

Chapter 11, "Establishing Trust," describes mechanisms that are used to establish trust in the online world today and some of the recent developments in the state of the art that will help us to establish the infrastructure we need to meet our future needs.

Section Four: The Accountable Web

The final section of this book presents the actual technical architecture of the accountable Web. Each chapter focuses on a particular layer of security infrastructure, beginning with those where work is already well advanced.

Chapters 12, "Secure Transport," and 13, "Secure Messaging," describe work that is currently underway to create the next-generation transport and messaging layer security infrastructures. In particular, the design of Extended Validation certificates and Secure Internet Letterhead are examined.

Chapters 14, "Secure Identity," and 15, "Secure Names," address the issues identity and nam...