The Internet Endangered: Enter At Your Own Risk

No official announcement yet, but the Internet is broken and it can't be repaired. Oh, it's still there. You can still use it. Then again, if you went hiking and came across an old, broken-down mine shaft, you could still use that, too.

Sometimes reporters come to this kind of broad, presumptuous conclusion when a collection of otherwise unrelated reporting starts to form its own narrative. That is precisely what happened here. The idea that the Internet now suffers an incurable malignancy started its mitosis during my reporting on a feature on Internet vulnerability disclosure (The Chilling Effect, CSO, January, 2007). The picture that emerged from the interviews I conducted was one of an impossible-to-secure Internet overrun by vulnerabilities and legal quagmires.

At a conference a few months later, a security executive in the financial industry was reliving some phishing scams, conveying how hard they are to contain and how hopeless they are to prosecute. With a wave of his drink and a grin he said, "It's not going to get better. The Internet wasn't built for this, was it? It was built for a bunch of academics to share data, not online banking."

The same week, a forensics expert was asked what the good guys can do to counter the growing technical and legal threat of antiforensics. "There's not a hell of a lot they can do," he said. Meanwhile, on an online forum, a botnet expert analyzed the state of security for critical DNS infrastructure. "There are operational issues of the highest importance that are not being addressed," he wrote. "The current situation can not go on."

All the while, stories accumulated, thick and steady like a wet spring snow. And this is just what's publicly known. Sources tell reporters you-didn't-hear-it from- me stories all the time, like the one an investigator told me about the credit card processing service that exposed 130 merchants' card transactions.

The sheer volume of serious security events doesn't blow your mind, it numbs it. And then comes something like Gozi.

Gozi is a bot that steals sensitive data off PCs. It can install itself without user intervention - all you do is visit a website. It's a significant bot, but not because it's a technical marvel. Gozi is significant because despite the fact that it has mostly disappeared from public consciousness, it still severely threatens the public. Despite the fact that banks have barely acknowledged it, their customers are the primary targets.

The Gozi Threat

The Gozi Threat

Despite the fact that online banking uses SSL, Gozi gets around it. Multi-factor authentication? Some variants are working out ways to defeat it. Despite the fact that researchers and law enforcement know precisely how Gozi works, it still works. It has not been contained. As this is being written, personal data culled with Gozi variants is being peddled on the black market, and despite an ongoing investigation, no one is stopping it. Few are even talking about it. They are numb to it.

Don Jackson, the researcher who discovered Gozi, is not numb, he's alarmed. He wants to talk about Gozi and its implications. He works for a company that provides security services and he says, "I have a very pessimistic outlook on the question of what are we going to do. I think it's inevitable. Anything you do online, there will be a run on that information. Gozi uses reasonably simple exploits. If someone knows what they're after and can target their attack, there's really no defense against it."

There it was. No defense at all. A strand that entwined itself with all of the other strands of reporting that had been piling up over the past six months. No hope. Not a hell of a lot they can do. No choice. The current situation can not go on. It's not going to get better. They wove and they wound until the thread thickened into this solid idea: the Internet is broken.

And it can't be fixed. How long before the toxic environment collapses like the veins of an old mine shaft? How long will consumers tolerate the unstable, ungovernable place the Internet is becoming? At what point do the risks that they've borne to date in order to explore the mine become too dangerous to dare? Where are the big thinkers, the big idea for a public works project that will rebuild the mine shaft into something useful, or seal it up for good and start over? Who are the visionaries that can devise a stable, secure public network?

The canary has stopped singing. What do you see coming next? CIO