The dotCrime Manifesto: How to Stop Internet Crime
by Philip Hallam-Baker
ISBN 978-0321503589, amazon.com USD21.89 bookpool.com USD19.95
Reviewed by Richard Austin March 10, 2008
The Internet is a crime-friendly place: SPAM clogs our EMAIL infrastructure, phishing EMAILs seem to arrive every other day or so, viruses and Trojans lurk at every corner to entrap the unwary, and organized crime seems to see the Internet as the successor to the drug trade. It's a pretty depressing picture but one that Hallam-Baker believes can be changed.
The book is divided into four sections that form a logical progression toward Hallam-Baker's vision of taking the Internet back. The first section is entitled "People not Bits" and focuses on the human element of the problem of Internet crime, both perpetrators and victims. Motives are considered to reveal that, like many other crimes, it really is all about the money. The "Hollywood stereotype" of the socially-challenged teenager has been replaced by the skilled criminal whose objective is not "15 minutes of fame" in an Internet chatroom but a steady stream of income. Weaknesses in many countermeasures are traced to a lack of concern for usability and deployment - that bears repeating, in order for our countermeasures to be effective, they must actually be usable by the target population and relatively easy to put into effect.
The second section focuses on "Stopping the Cycle" and begins with a charming analogy of "SPAM Whack-a-Mole" where one SPAM source is shut down to only pop up in another place. The point is made that a significant contributor to the frequency of SPAM is the underlying lack of accountability in the core messaging protocols and the key mantra of "authentication, accreditation and consequences" is introduced as an outline for guiding a solution. SPAM's ugly twin, the phishing EMAIL, is reviewed and found to flourish in the same ground of a lack of accountability. To complete the section, the botnets that play a major role in generating SPAM are examined. The point is made that many individual "bots" are created with the help of a SPAM/phishing EMAIL that lures the user into executing a malicious attachment or visiting a malicious website for a "drive by download".
The third section, "Tools of the Trade" focuses on some of the tools that will play a part in creating accountability on the Internet. A relatively painless introduction to cryptography is followed by a good discussion of what "trust" is and how it can be established and verified.
The final and longest section, "The Accountable Web", introduces Hallam-Barker's vision of the future and the tools that will help us get there. The section describes a mix of techniques that are available "off the shelf" such as SSL/TLS and others that are under active development (e.g., "Secure Internet Letterhead"). Chapter 14, "Secure Identity" is particularly recommended as a clear and cogent discussion of what "identity" really means and what it required to establish and use one. Other chapters cover secure transport, secure messaging, secure names (identities), secure networks, secure platforms (such as the Trusted Platform Module from the Trusted Computing Group), and law. The final chapter, "The dotCrime Manifesto", is hopeful in noting that while the issue of Internet crime is both huge and difficult, there are ways to address the underlying problems.
Some of the ideas are controversial - for example, the idea of accountability for EMAIL will chill some human rights activists with the thought of a totalitarian regime being able to reliably trace a dissident's messages, but Hallam-Barker provides good advice - accountability should be only sufficient for its intended use. A dissident's EMAIL should have a much lower accountability standard than a physician's EMAIL communicating a patient's diagnosis.
This book will serve a number of audiences particularly the interested general reader who wants to go beyond the media reports of SPAM incidence, fresh phish, etc. As Hallam-Barker points out, if we are going to "take a bite out of Internet crime", we have to pay attention to securing the last two feet (the separation between the user and the keyboard) and most of the people on the other side of that last two feet are not security professionals. The book also provides a good overview on accountability for security professionals both to shape the solutions we pursue and provide context for evaluating the roles of different technologies.
Before retiring, Richard Austin was the storage network security architect at a Fortune 25 company and currently earns his bread and cheese as an iterant university instructor and security consultant. He welcomes your thoughts and comments at email@example.com