I was idly trolling around the press releases on Microsoft's site when I came across this one: Industry, Law Enforcement Team to Launch Digital PhishNet. The bottom line is that Microsoft, AOL, Digital River, EarthLink, Lycos, Network Solutions and VeriSign are getting together with a batch of law enforcement people to form Digital PhishNet (catchy, no?) - an organization designed "to identify, arrest and hold accountable, those that are involved in all levels of phishing attacks to include spammers, phishers, credit card peddlers, re-shippers and anyone involved in the further abuse of consumers’ personal information."

Well, certainly phishing (gathering personal financial information from unsuspecting Internet users through forged e-mails and Web sites) has become a major problem. It's easy to deduce that from the sheer flood of phishing e-mail that comes into my inbox: they wouldn't send so much if people didn't fall for it. But, you know, the blame doesn't rest solely with those Evil Hackera and the Innocent Consumers that they exploit.

From my perspective, one of the big sources of fuel for the growth of phishing has been the continued stream of security bugs in Internet Explorer (and therefore in Outlook, which uses the same HTML rendering engine). It's one thing to send someone an e-mail that purports to be from CitiBank with a link to www.BadThingsWillHappen.example.org. It's quite another to have that link show up with the real CitiBank URL, thanks to a spoofing bug in IE, and to have the nasty Web site able to fake the address bar, status bar, and other portions of the browser. As far as I'm concerned, Microsoft gets the blame for the ability of sophisticated phishing attacks to be technically indistinguishable from real e-mail and Web sites from financial institutions.

Think of is this way: if you run a company that manufactures cigarette lighters that can easily be turned into nuclear bombs, it's not enough to go after the bombers who start taking advantage of this fact. You also have to clean up your own house by making sure the darned lighters can't be turned into nukes any more: even if that means completely retooling your production line. While Microsoft has been pretty responsive the last couple of years about patching browser issues, the plain fact is that this has not worked to stop people from finding more exploitable vulnerabilities. The patch-on-a-patch-on-a-patch strategy has failed, and it's time to try something else - like rewriting the browser from scratch and decoupling it from the operating system.

Don't get me wrong: I do hope Digital PhishNet is more than a bit of feel-good PR, and I hope it helps put some of the e-scum out there behind bars. But while that's going on, let's remember that we as developers all have a responsibility to write secure code, and to take responsibility for the code that we write.

Upcoming Events