As much as I would love to get rich quick, increase my stamina,
and receive that pesky degree that I never got (I dropped out of four universities in two years), I have never bought a single item as a result of an
unsolicited e-mail. Have you? Fact is, most spam is inherently fraudulent. It pretends to be from your friends or bank, and it peddles goods that are either illegal or rip-offs, like quack pharmaceuticals. So why can´t we prosecute the people responsible for it?
Because, it turns out, today´s overtaxed cybercops and district attorneys are ill-equipped to chase down and identify spammers, who work very hard to hide themselves online. In the grand scheme of things, the problem just doesn´t command a lot of law-enforcement mind-share. This is terribly frustrating for the legions of amateur volunteer spam-
fighters who devote endless hours to tracking down creep spammers.
Lawrence Lessig, a Stanford professor and author of such landmark books as Free Culture and Code and Other Laws of Cyberspace, has proposed a solution: Offer part of the money seized from a spammer to the vigilante geeks who build a case against him. â€There is energy and talent enough in the community of the Net to root out those who would destroy that community,â€ Lessig says. Representative Zoe Lofgren of California has introduced a bill supporting Lessig´s plan, but it´s slow work convincing Congress that effective, community-based spam solutions are needed. There´s little pork or glory in cleaning up your inbox.
That´s a shame, because the mission is critical. Stopping spam isn´t just about sparing you the fake-Viagra pitches. Much of the crud filling up your Junk box is the output of worms, viruses and trojans, malicious software that spreads by hitching a ride on innocent-looking
e-mail. This â€malwareâ€ typically exploits vulnerabilities in Windows, Internet Explorer and Outlook to secretly install itself and then attack other PCs, steal your sensitive data, or use your machine to send the next round of spam (which is another reason tracking down the source is difficult; 50 percent of all spam is
routed through so-called zombie PCs).
A decade ago, Microsoft made a
critical flaw in its technology design by allowing its products to read executable instructions (the code that makes up applications and viruses) hidden within documents that should contain only data (say, text documents or photos)-something practically every security expert agrees is a bad idea. The effect is that viruses and other malware can run when you open that seemingly harmless WMA audio or PowerPoint file you just got.
When there is a rigid separation of executable code and data, computers need only scan programs for potential danger and can handle plain old documents without any special precaution. Because they lack that separation, Microsoft operating systems and applications are practically impossible to secure. â€Microsoft has two problems,â€ says cybersecurity expert Bruce Schneier, whose Applied Cryptography is the bible of the tech-security field. “One, the company has consistently designed its products to put features ahead of security. And two, its monopolistic position makes it the most attractive target out there. If I were a criminal or a hacker,
I would target Outlook.â€
So until we get all the spammers behind bars, the best thing you can do to protect yourself from this scourge is to just get away from Microsoft products. The safest route is to switch to a Mac or GNU/Linux OS, but if that´s too drastic, at least stop using Outlook and Explorer with Windows. Instead try Thunderbird and Firefox, an e-mail client and browser from the nonprofit Mozilla Foundation (mozilla.org), which exists solely to oversee the production and distribution of these free and rock-solid programs. Both are safe against virtually all cyber attacks, are updated almost immediately when new threats are discovered, and are available for Windows, Linux and Mac OS X.
These apps not only correct Microsoft´s tactical error of commingling data and code, but because they´re â€free softwareâ€-also called â€open sourceâ€-
anyone can examine and improve them. As experts like Schneier will tell you, the best methodology for testing a product´s security is to disclose its inner workings to the largest possible pool of experts to see what fresh eyes can detect and fix. We´re not likely to ever get that kind of disclosure from Microsoft, which, protecting its profit first, is ideologically committed to keeping its code secret.
Every complex ecosystem has its parasites, but they don´t have to rule the land. With the right combination of tools, laws and homebrew ingenuity-even in the face of a monopoly-I´m
confident that we can create an e-mail system wherein the worst thing in your inbox is a bad joke.