I was idly trolling around the press releases on Microsoft's site when I came
across this one: Industry,
Law Enforcement Team to Launch Digital PhishNet. The bottom line is that
Microsoft, AOL, Digital River, EarthLink, Lycos, Network Solutions and VeriSign
are getting together with a batch of law enforcement people to form Digital PhishNet (catchy, no?) - an
organization designed "to identify, arrest and hold accountable, those that are
involved in all levels of phishing attacks to include spammers, phishers, credit
card peddlers, re-shippers and anyone involved in the further abuse of
consumers’ personal information."
Well, certainly phishing (gathering personal financial information from
unsuspecting Internet users through forged e-mails and Web sites) has become a
major problem. It's easy to deduce that from the sheer flood of phishing e-mail
that comes into my inbox: they wouldn't send so much if people didn't fall for
it. But, you know, the blame doesn't rest solely with those Evil Hackers and the
Innocent Consumers that they exploit.
From my perspective, one of the big sources of fuel for the growth of
phishing has been the continued stream of security bugs in Internet Explorer
(and therefore in Outlook, which uses the same HTML rendering engine). It's one
thing to send someone an e-mail that purports to be from CitiBank with a link to
www.BadThingsWillHappen.example.org. It's quite another to have that link show
up with the real CitiBank URL, thanks to a spoofing bug in IE, and to have the
nasty Web site able to fake the address bar, status bar, and other portions of
the browser. As far as I'm concerned, Microsoft gets the blame for the ability
of sophisticated phishing attacks to be technically indistinguishable from real
e-mail and Web sites from financial institutions.
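The post's point is the gap between what a link appears to be and where it actually goes. As an added example (not code from the original post), here is a small Python check a mail gateway or client could run over an HTML message: it collects every anchor and flags the ones whose visible text names a host that differs from the host in the href. The sample message is constructed for this example, and the domains in it are placeholders. Note what this does and does not cover: it catches the mail-level deception of showing one URL while linking to another, but it cannot see a browser rendering bug that forges the address bar after the click.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (placeholder domains): the second link shows a
# bank URL as its text but points somewhere else entirely.
SAMPLE_EMAIL_HTML = """
<p>Please verify your account at
<a href="http://www.citibank.example/login">www.citibank.example</a> or
<a href="http://www.badthingswillhappen.example.org/x">https://www.citibank.example/secure</a>.
See also <a href="http://help.citibank.example">our help page</a>.</p>
"""

# Matches link text that looks like a URL or bare hostname and captures the
# host without any leading scheme or "www.".
HOST_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I
)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Hostname the link *text* claims to be, or None if the text is not URL-like."""
    m = HOST_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


def actual_host(href):
    """Hostname the link actually targets, normalised the same way."""
    host = urlparse(href).hostname
    if host and host.startswith("www."):
        host = host[4:]
    return host.lower() if host else None


def find_deceptive_links(html):
    """Return (href, text) pairs whose displayed host differs from the target host."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        shown = displayed_host(text)
        real = actual_host(href)
        if shown and real and shown != real:
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"suspicious: text shows {text!r} but href is {href!r}")
```

The comparison is deliberately strict (exact host equality after dropping `www.`), so a legitimate link whose text shows the apex domain while the href goes to a subdomain will also be flagged; relaxing that to a registered-domain comparison is a policy choice for whoever deploys the check, and a link whose text is plain words ("our help page") is never judged here because nothing about it claims a destination.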
Think of it this way: if you run a company that manufactures cigarette
lighters that can easily be turned into nuclear bombs, it's not enough to go
after the bombers who start taking advantage of this fact. You also have to
clean up your own house by making sure the darned lighters can't be turned into
nukes any more: even if that means completely retooling your production line.
While Microsoft has been pretty responsive the last couple of years about
patching browser issues, the plain fact is that this has not worked to stop
people from finding more exploitable vulnerabilities. The
patch-on-a-patch-on-a-patch strategy has failed, and it's time to try something
else - like rewriting the browser from scratch and decoupling it from the
operating system.
Don't get me wrong: I do hope Digital PhishNet is more than a bit of
feel-good PR, and I hope it helps put some of the e-scum out there behind bars.
But while that's going on, let's remember that we as developers all have a
responsibility to write secure code, and to take responsibility for the code
that we write.