The dotCrime Manifesto

Book Description

Internet crime keeps getting worse, but it doesn't have to be that way. In this book, Internet security pioneer Phillip Hallam-Baker shows how we can make the Internet far friendlier for honest people, and far less friendly to criminals.

The dotCrime Manifesto begins with a revealing new look at the challenge of Internet crime, and a surprising look at today's Internet criminals. You'll discover why the Internet's lack of accountability makes it so vulnerable, and how this can be fixed: technically, politically, and culturally.

Hallam-Baker introduces tactical, short-term measures for countering phishing, botnets, spam, and other forms of Internet crime. Even more important, he presents a comprehensive plan for implementing accountability-driven security infrastructure: a plan that draws on tools that are already available, and rapidly emerging standards and products. The result: a safer Internet that doesn’t sacrifice what people value most: power, ubiquity, simplicity, flexibility, or privacy.

Tactics and strategy: protecting Internet infrastructure from top to bottom

Building more secure transport, messaging, identities, networks, platforms, and more

Gaining safety without sacrificing the Internet’s unique power and value

Making the Internet safer for honest people without sacrificing ubiquity, simplicity, or privacy

Spam: draining the swamp, once and for all

Why spam contributes to virtually every form of Internet crime, and what we can do about it

Design for deployment: how to really make it happen

Defining security objectives, architecture, strategy, and design, and evangelizing them

How to Build a Safer, Better Internet

You’ll find yourself deeply concerned, then fascinated, then hopeful as you read about

• Building an Internet that resists online crime

• Phishing, botnets, and spam: tactical, workable, immediate countermeasures

• Establishing the "Accountable Web": a strategic, long-term solution to Internet crime

• Improving security without sacrificing what people love about the Internet

The Internet is today’s Wild West: too much lawlessness, too little accountability. Now, one of the Internet’s leading pioneers shows how we can build a more trustworthy Internet: one that resists crime without frustrating honest people or compromising privacy and civil liberties. Drawing on years at the cutting edge of Internet and security research, Phillip Hallam-Baker offers a complete plan for reinventing the Internet: a plan that addresses everything from technology to politics and culture. Whether you’re a technology professional, policymaker, or citizen, this book will show you how we can make the Internet better, smarter, and above all, safer.

informit.com/aw

Preface xix

Acknowledgments xxiv

About the Author xxviii

Chapter 1: Motive 1

Chapter 2: Famous for Fifteen Minutes 37

Chapter 3: Learning from Mistakes 51

Chapter 4: Making Change Happen 81

Chapter 5: Design for Deployment 107

Chapter 6: Spam Whack-a-Mole 119

Chapter 7: Stopping Spam 135

Chapter 8: Stopping Phishing 155

Chapter 9: Stopping Botnets 175

Chapter 10: Cryptography 199

Chapter 11: Establishing Trust 215

Chapter 12: Secure Transport 227

Chapter 13: Secure Messaging 251

Chapter 14: Secure Identity 277

Chapter 15: Secure Names 311

Chapter 16: Secure Networks 323

Chapter 17: Secure Platforms 343

Chapter 18: Law 355

Chapter 19: The dotCrime Manifesto 377

Further Reading 383

References 387

Index 395

Table of Contents

  1. Copyright
    1. Dedication
  2. Preface
    1. Section One: People Not Bits
    2. Section Two: Stopping the Cycle
    3. Section Three: Tools of the Trade
    4. Section Four: The Accountable Web
    5. A Note on Jargon
  3. Acknowledgments
  4. About the Author
  5. One. People Not Bits
    1. 1. Motive
      1. The Tools of the Trade
        1. Of Bots and Botnets
        2. Spam
        3. Internet Crime Markets
      2. The Crimes
        1. Phishing
        2. Click Here for the Egress
        3. Conversion to Cash
        4. The Last Mile
        5. Pump and Dump
        6. Premium Service Fraud
        7. An Accountability Failure
        8. Extortion
        9. Advance Fee Fraud
          1. Franchising Fraud
        10. Copyright Theft
      3. Emerging Threats
        1. Spyware
        2. Terrorism
        3. Espionage and Warfare
        4. Pedophile Rings
        5. Offline Safety
      4. Key Points
    2. 2. Famous for Fifteen Minutes
      1. No Professor Moriarty
      2. The Internet Vandals Have Grown Up
      3. Emerging, Failed, and Kleptocratic States
      4. Growth
      5. Turning the Tide
      6. Key Points
    3. 3. Learning from Mistakes
      1. The Triumph of Slogans over Common Sense
      2. The World Is Waiting
      3. Security for Engineers
      4. Security Must Make Sense
      5. Political Priorities
      6. The End-to-End Principle
      7. Security through Obscurity
      8. Flawed Analogy
        1. Why Four Digits Are Not Enough
        2. Wired Equivalent Privacy
      9. False Reduction
      10. Is No Security Better Than Bad Security?
      11. Familiarity Leads to Complacency
      12. Failing to Recognize Success
      13. Key Points
    4. 4. Making Change Happen
      1. That Dizzy Dot.Com Growth
      2. Finding the Killer Application
      3. Why Standards Matter
      4. Marry in Haste, Repent at Leisure
      5. Ownership and Control
      6. Standards Organizations
      7. Inclusiveness
      8. Consistency
      9. Dependency
      10. Advocacy
      11. The Four Horsemen of Internet Change
        1. Customers
        2. Liability
        3. Audit
        4. Regulation
      12. Key Points
    5. 5. Design for Deployment
      1. Objectives
      2. Architecture
      3. Strategy
      4. Design
      5. Evangelize
      6. Key Points
  6. Two. Stopping the Cycle
    1. 6. Spam Whack-a-Mole
      1. The Green Card Spam
      2. Blacklists: Shutting Spammers Down
      3. Filters: An Effective Palliative, Not a Cure
      4. Sue and Jail Them
      5. The Longitude of the Internet Age
      6. The Worst of the Worst
      7. Out of the Ashes
      8. Key Points
    2. 7. Stopping Spam
      1. Accountability
      2. Who to Hold Accountable
      3. Authentication
      4. Accreditation
      5. Consequences
      6. Critical Mass and the Tipping Point
      7. Deploying SenderID/SPF
      8. Key Points
    3. 8. Stopping Phishing
      1. The Phishing Cycle
        1. Credentials of Any Kind
        2. Variations on the Theme
      2. Intervention
        1. Takedown
        2. Discovery
        3. Preparation
      3. Intelligence
        1. Local Intelligence
        2. External Intelligence
      4. The Carding Cycle
        1. Forged Cards
        2. Package Reshippers and Money Movers
        3. Auction Fraud
      5. Stopping Carding
      6. Conditions for Success
        1. Disrupting Attacks in Progress
        2. Preventing Theft of Credentials
        3. Preventing Use of Stolen Credentials
        4. Adapting to Survive
      7. Key Points
    4. 9. Stopping Botnets
      1. Where Biological Analogies Fail
      2. Stopping Infection
        1. Blocking Bug Exploits
        2. Firewalls
        3. E-Mail
        4. Blocking Executable Code
        5. Shared Folders
      3. Curing the Disease
        1. Crimeware Removal
      4. Stopping Transmission
        1. Reverse Firewalls
      5. Intelligence and Control
        1. INCH
        2. Pre-Emptive Data Escrow
      6. Key Points
  7. Three. Tools of the Trade
    1. 10. Cryptography
      1. Historical Use of Cryptography
      2. Machine Encryption
      3. The Keying Problem
      4. A New Direction
        1. Session Keys
      5. Digital Signatures
      6. Smartcards
      7. Equations Alone Do Not Make a Solution
      8. Key Points
    2. 11. Establishing Trust
      1. The Problem of Identity
      2. The Problem of Bits
        1. Digital Certificates
        2. Revocation
        3. Topology of Trust
        4. Synthesis
        5. XKMS
      3. The Problem of Trust
      4. Key Points
  8. Four. The Accountable Web
    1. 12. Secure Transport
      1. How SSL Works
        1. TLS Restart
        2. Gap Analysis
        3. Secure Chrome
      2. The Problem of Trust
        1. Costs and Benefits
        2. Promiscuous Security
        3. Domain-Validated Encryption
        4. Accountability
        5. Re-Establishing Accountability
        6. Extended Validation
        7. Issuer Accountability
      3. Secure Internet Letterhead
        1. Accessibility
      4. Beyond Accountability
        1. Authenticating Assurance
        2. Certificate Issuer Liability, Warranties, and Insurance
        3. Communicating Assurance
      5. Revocation and Reputation
        1. Blacklists
        2. Trusted Agent
      6. Key Points
    2. 13. Secure Messaging
      1. Requirements
        1. Authentication
        2. The Enterprise Dimension
        3. Confidentiality
        4. Luxury
        5. Gap Analysis
      2. Designing for Deployment
        1. How E-Mail Is Different
        2. Damaged Goods
        3. Authentication
        4. Confidentiality
        5. User-Level Keying
      3. Domain Keys Identified Mail
        1. Signing E-Mails with DKIM
        2. Canonicalization
        3. Key Distribution by DNS
        4. Secure Internet Letterhead
        5. Mail Sending Policy
      4. Providing Confidentiality
        1. Mail Receipt Policy
        2. Communicating with Perimeter Security
      5. Deploying DKIM
      6. Key Points
    3. 14. Secure Identity
      1. Authentication Technologies
        1. First Contact
        2. Passwords and PINs
        3. Knowledge-Based “Authentication”
        4. Callback
        5. Machine Verification
        6. One-Time Password Tokens
        7. Smartcards and Smart Tokens
        8. Hybrid Tokens
        9. Biometrics
      2. User Experience
        1. User Centric
        2. Registration
        3. Log In
        4. Ubiquity
        5. Roaming
        6. Card Space
        7. OpenID
      3. The Architecture of Identity 2.0
        1. SAML: Access Control as Service
        2. SAML Identity Assertions
        3. Toward the Semantic Web
        4. Discovery: The Missing Piece
      4. Applied Identity
        1. Enterprise Authentication
        2. Stopping Blogspam
        3. Secure Online Banking
        4. Secure Transactions
        5. Ubiquitous Customization
        6. Protecting Children
      5. Identity 3.0
        1. Deferred Registration
        2. Attribute Only Authentication
        3. Unlinkable Identifiers
      6. Key Points
    4. 15. Secure Names
      1. Unified Communications
        1. One Address
        2. Rights
        3. Ownership
      2. Gatekeepers
        1. Levels of Contact
        2. Introductions
      3. Social Networking
        1. Friend of a Friend
        2. Scheduling a Meeting
      4. Architecture
        1. DNS Service Specification
        2. DNS Policy
        3. DNS Security
      5. Key Points
    5. 16. Secure Networks
      1. Designing for Deployment
        1. IPv6
      2. Default Deny Infrastructure
        1. Ubiquitous Authentication
          1. Device and Application Description
          2. Service and Policy Discovery
        2. Ubiquitous Policy Enforcement
          1. The Death of Broadcast
          2. Intelligence and Control
        3. Data-Level Security
      3. Network Administration
        1. Starting a Network
        2. Adding a Device to a Network
        3. Adding Wireless Devices
        4. Coffee Shop Connection
      4. Securing the Internetwork
        1. BGP Security
      5. Key Points
    6. 17. Secure Platforms
      1. Building a Secure Platform
        1. Questions of Code
        2. Least Privilege, Least Risk
        3. The Trusted Computing Base
      2. Trustworthy Computing
        1. Trustworthy Bootstrap
        2. Trustworthy Operating System
      3. Secure Code
        1. Signed Code
        2. Accreditation
        3. Secure Drivers
        4. Revocation and Patches
        5. Current Technology
      4. Key Points
    7. 18. Law
      1. Deterring Crime
        1. Setting the Agenda
        2. To Make the Punishment Fit the Crime
        3. Successful Cases
          1. Vladimir Levin
          2. The Jeremy Jaynes Gang
          3. Zachary Keith Hill
        4. The International Dimension and the Nigeria Effect
      2. Legislating Internet Crime
        1. Jurisdiction
        2. Deemed Losses
        3. Tripwire Offenses
        4. Clarification
        5. Agency
        6. Spyware
        7. Arms Suppliers
      3. Civil Law
        1. Responsibility
        2. Eliminating Perverse Liabilities
      4. Maintaining Pressure
        1. Follow the Money
        2. Internet Currencies
      5. Key Points
    8. 19. The dotCrime Manifesto
      1. Design Rules
      2. Broken Windows and the Tipping Point
  9. Further Reading
    1. On Security Principles
    2. History of Cryptography
    3. On Cryptography
    4. On Internet Safety
    5. History of Internet Crime
    6. On Security Usability
  10. References
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
    16. Chapter 16
    17. Chapter 17
    18. Chapter 18