It seems to me that email woes like spam, viruses and phishing1 arrived when businesses left their expensive private networks and exploited our free and open email world. The Internet has a proud tradition of being free, open and unfettered without the encumbrances of businesses and government regulations. Heck, without such systems, it would be impossible for people in oppressed countries to easily get information in and out of the borders. A "liberalizing" China is a perfect example of a nation that watches every Internet transaction and demands it's people provide real names and phone numbers to engage in various group coversations. The Internet is all about freedom, not about control.
As a techie, I don't recall any of these email problems back in 1992 before big business had transitioned to the Internet. Email is like CB radios, free and wild. Only a fool would trust an unsolicited message if they didn't know who they were dealing with, but businesses rushed to adopt free email and helped confuse regular people into believing that such significant communications could be delivered using such an insecure technology.
If you found a package on your doorstep with a hand-drawn "stamp" addressed to "Friend of Citibank," would you open it? Of course not. But people open and respond to emails like this all the time, and they do so because they were not properly trained or alerted.
New computers users should have been told that all email is completely insecure and that you cannot verify the identity of people who send them. They should have been told it's easy to copy logos and other things that look valid, but are easily faked. They should have been told that they should never open an attachment sent by anybody unless they were expecting it and believed they could trust the content.
Unfortunately, they weren't told despite trillions of dollars being made selling them hardware and software and Internet bandwidth. Apparently, corporate America didn't care at all about you, as they certainly didn't mention that your new email account was more closely aligned with CB radios and bulletin boards than postal service mail, despite the "e-mail" moniker.
With all of the proposals2 out there to "fix" email, you'd think the problem lay within and not with businesses abusing our free and open technology. An employee at AOL was arrested for selling their client list to gambling spammers, yet AOL leads the charge for fixing email to solve the spam problem! They want us to pay for each email we send, or identify ourselves to their satisfaction before we can send out an email. Such systems already block many legitimate people from sending business-related or "personal domain" email while at home or on the road since their ISPs won't let them send email using any of their valid email addresses besides the one the ISP assigned.
Why is it we all need to "fix" our email systems to suit business? Businesses created these problems! AOL, Yahoo!, Earthlink and MSN are all working together to create systems that will cost regular email users dearly, disrupting regular email because people will assume regular email is spam if it doesn't comply with their new rules on our Internet.
Email works fine when you understand it's not a replacement for the post office or FedEx. Email discussions lists, forwarding services, web-based groupware and even limited anonymity (this is particularly important for sensitive topics or when under dictatorial regimes) are all threatened by corporations that demand we identify ourselves and pay to send even though we didn't create the mess, they did.
Next they're planning to require our computers be certified and biometrically activated - for our protection -- and our hobby and political web sites will require expensive hardened web servers and digital certificates that prove our identities to work. Palladium and "Trusted Computing" are already under development because businesses, especially software and media companies, fear we'll run unapproved software or listen to songs or watch movies we didn't buy using our very own computers, yet all of the viruses and security issues related to computers came from commercial software companies in the first place.
Microsoft is now planning to enter the anti-virus software game, apparently figuring you'll give them more protection money so that their flawed programs won't harm you further. So each piece of their bad programming can be fixed if you buy a never-ending subscription to a service that disables the flaw. And if you don't, well you'll suffer the consequences.
Previous failures by Microsoft include sloppy programming and buffer overruns or null bytes embedded in URLs, but it also includes outright bad ideas that just about anybody would have detected on a moment's reflection.
For example, the default folder and file view on Windows suppresses "known file extensions," so potentially harmful .EXE, .COM, .SCR and .PIF file attacks (these are all executable content on Windows) are easily hidden using names like "application.html.exe," in which Windows helpfully removes that known extension so you see just an innocuous-looking "application.html" file instead.
Another example is how reading an email can cause new emails to be sent without your authorization, usually to everyone in your address book to help increase the likelihood others will be infected. I don't know about you, but an email is supposed to be a message, just data, not something that starts to execute just because it was read. I've never seen a letter jump out, copy itself thousands of times and then mail itself out without my consent, so why would Microsoft think an email should be able to execute instead of just being read?
Similar helpful scripting was added to Internet Explorer, Excel and Word, to name a few, so instead of having a simple document that reflects a contract or letter, or a web page that gives us information, we now have a potential executable when visiting a web site or opening a document, and we suffer with pop-ups and window resizing and viruses being installed.
Would viruses even be a problem today if such email exploits hadn't been enabled by Microsoft? First, viruses wouldn't have propagated so easily. Second, the virus payloads wouldn't have allowed spammers to install email zombies3 that cause more spam and viruses to go out. Third, real web links (URLs) wouldn't be hidden behind links that look like they'll take you to one place when they really take you elsewhere.
Yes, other operating systems have flaws, but Microsoft has certainly won the prize in damage and losses incurred despite being the richest, most profitable software company ever, creating the wealthiest people in the world, yet providing shoddy products without any commercial liability protections that would be commonplace in any other product market. You mean you didn't know that they only "license" the software to you, effectively giving you permission to run their software, not yours, as long as you do so following their rules? You mean you didn't know that their licenses disclaim all warranties and liabilities and specifically deny that the software you paid them money for will do anything of value for you? You can't buy anything else like this; heck, you can't even buy the software!
Why is it that businesses are switching from paid telephone service to VoIP4 and then complaining web surfing or email is slowing down their calls. They already switched from sending postage-paid letters and expensive glossy brochures to email and web sites, but now they grumble that we need to pay and change and undergo losses in privacy because of their mess and excesses.
Do we really need businesses doing the dirty work of Big Brother, providing us software that monitors our every action, only runs what they want our computers to run, and can be used for various investigations without your knowledge? With the Patriot Act's changes in search warrant requirements, the government can demand these records without informing you and without getting a traditional search warrant that used to protect your rights against unreasonable searches and violate your privacy. It's no longer required that they go to a judge with reasonable evidence you've committed a crime before they can begin these investigations, and all these helpful software changes include additional tracking, monitoring and logging capabilities.
So, what's the solution, you ask?
Well, for starters, businesses shouldn't be using a CB radio-type technology to run their important business communications. Email was never secure. Email has never been encrypted, so your messages can be read as it hops through the various servers and routers and networks. Email has always been easily forged, so phishing attacks and spam are simply the logical result of businesses foolishly using a low-end, free system without any consideration for your security or privacy. Spam ads wouldn't have any relevance if people knew that reputable businesses didn't send marketing material through such a low quality system any more than they stick paper ads on your front door handle.
Then, law enforcement should work harder to curb spammers at the source by purchasing their products and then following the money until they reach the spamming business for an arrest. A few high profile convictions will help dissuade smaller businesses who buy into spam marketers, and a few more will jail the big time spammers.
Couple the legal attack on the production of spam with an education campaign on the target of spamming, and we might reduce the effectiveness of spam. Computer sellers and ISPs should include a pamphlet to all new customers informing of the following issues related to spam:
Next, Microsoft should send a free fix to all users of Outlook and Outlook Express users so that it is impossible to open an email and have it execute anything on your computer. The idea that email text should be allowed to contain executable content is silly and has resulted in most of the virus and spyware problems we've experienced to date.
Businesses routinely use postal mail and FedEx; telephone calls; TV, radio, newspaper and magazine advertising, and offices or storefronts to communicate with its customers. Why this mad rush to use insecure email, saving a few pennies at the expense of all Internet users? And now they claim it's such a problem that they want us to give up our privacy and pay for each message sent in order to fix their mess.
There already are services available for businesses that want senders identified, paid messaging, and an assurance that content is secure and is unlikely to contain spam or viruses (who'd pay to send such things when they are fully identified when they send it out?).
Well, businesses shouldn't destroy our perfectly fine email system just because it doesn't meet their needs. It never did. Businesses, long ago, should have realized that you get what you pay for. That's as American as you get!
Leave our free, open and unfettered email alone. It was just fine before businesses crashed our party. It's time they used secure, private, commercial systems to delivery trusted content in a trustworthy way and not make us pay to clean up their mess. If they leave, email will return to being what it was best for: simple, free, world-wide messaging between friends and colleagues.
1 Phishing is a fake email that looks like it's from a reputable company, but it's really designed to trick you into providing sensitive information. This is a classic "social engineering" exploit because most people are trusting. Classic examples of phishing include Citibank and PayPal email spoofs that ask you to login to your account. Of course, by doing so, you'd just give your account information and password to a thief. Another is the "Microsoft update" that asks you to install a security patch to protect your system, though the "update" is just a virus, and may contain spy-ware.
Spy-ware is software that watches what you do and sends it to others without your permission. It often includes a "keyboard sniffer" that records every keystroke looking for accounts and passwords.
2 Proposed solutions include identifying the sender using Sender Policy Framework (SPF), which is favored by spam and CD distribution king AOL. Yahoo! supports DomainKeys, another proposal that requires you be fully identified before sending an email. Bill Gates, the richest man in the world, thinks we need to make him richer each time an email is sent out.
3 Email zombies are a form of virus that sends out emails from an infected computer at the request of an outside party. Those who favor email identification and pay-per-send haven't specified what a poor sap who is victimized will do since every email sent will look perfectly fine, but it will cost him dearly and may even cause him to end up in jail for being a spammer.
4 VoIP means Voice Over IP or the ability to place a telephone call over your Internet connection rather than over a standard telephone line.