The Internet is a Slum
Some folks like slums. They think they are gritty, colorful and interesting. They are confident in their abilities to survive rough neighborhoods, and believe that any kind of regulation or controls are unnecessary interference.
I'm not into gritty. I don't find spam, botnets, denial-of-service attacks, rootkits, infected Web pages, phishes, brute-force password attacks, Trojan horses, viruses, worms or non-stop automated attacks to be any more colorful or interesting than constant threats to my physical health and safety.
The Costs of Malice
Depending on whose numbers you believe, only 12 to 20 percent of all email traffic is non-spam. My own estimate is that over 90 percent of spam is for criminal purposes: identity theft, fraud, spyware, and botnets to spew forth more spam and spyware. Another sizable chunk of Internet traffic is devoted to extortion (give us money or we DDoS your site into oblivion), and just plain random malice, because it's so easy to download an automated crack written by someone else, turn it loose, and never face the consequences. Rather like dropping dung in the punchbowl, only the perpetrators don't need to leave home or ever face their victims.
Every network and system administrator is forced to spend way too much time and resources on security. How many border defenses do you have? What about subnet firewalls? Host firewalls? Intrusion detection? Content filtering? Adding insult to injury, you and I are paying for all that wasted bandwidth and all the abuse management forced on our service providers. Some estimates are $5 to $10 per month per user account. And they're not really dealing with it, are they? It's still there, and it's worse than ever. If we secured our homes the way we secure our computers, they would be concrete bunkers.
We Need Gates, No Not Bill
Since cleaning up the public Internet is futile, I propose a gated Internet community, a PrivateNet with fences and moat monsters and gun towers to keep the riff-raff out, with no connection to the public Internet. Sure, it will cost money. But spam and malware cost users billions of dollars per year; how many billions depends on who you believe. But it's still a pile of money. So why not build a nice PrivateNet that is clean, and fast, and free of garbage? Then we can go about our business and do actual useful things.
The first step is all members of the PrivateNet must prove their identities. This won't eliminate anonymous surfing and postings, it just ensures that your service provider knows who you really are.
These days the delivery vectors of choice for spam and malware are botnets. Open proxies and open relays are time-honored old favorites still in use, but botnets are the biggies now. So we need to take a hard look at allowing Windows PCs on our PrivateNet, since these comprise the overwhelming majority of infected machines on the Internet. Microsoft is not displaying any indication that it knows how to build a secure operating system, which is quite remarkable for the richest software company on the planet. Also remarkable is that crackers do not have access to the source code, and yet have created thousands of successful exploits. So how do we handle this problem? Perhaps we should err on the side of generosity, and deal with problems as they arise with a universal policy of cutting off anyone who becomes a source of contagion, and not allowing them back on until they have had a complete security audit and repair at their own expense, including paying for cleaning up all collateral damage. Sure, it's a harsh policy, but it ought to get the attention of the I-don't-need-to-care crowd. And it is not as harsh as my first choice, which is banning all Windows PCs and servers.
Since all users on the PrivateNet are known and traceable, the sources of attacks will be easy to find and deal with. So it's not just blaming the victims, but also providing recourse against the people responsible.
Eliminating spam eliminates a majority of all malware. So no spammers are allowed to enter the PrivateNet. Any that do succeed in sneaking in will be mercilessly ejected with no second chances. Most spammers are already known, so they don't get to enter our nice clean playground at all.
The PrivateNet will have multiple service providers who must obey a strict, customer-friendly TOS. So no more playing games with spammers, like shuffling them around different IP blocks, no more ignoring abuse reports, and no more opt-out, because the PrivateNet's overriding rule is opt-in. If you don't opt-in in a verifiable, proven way it's spam.
We cannot count on the law or the big security vendors like Symantec, McAfee, and so on to protect us from corporate malware, as the Sony rootkit fiasco proved. Absolutely no corporate spyware, rootkits, or malware of any kind will be allowed, and it doesn't mat ter how the malware is delivered, whether it's online or from a disk. First offense is the last offense, and the offender is kicked off the PrivateNet. If they are not a member they will be posted on a public Wall of Shame as a warning to other users.
Imagine an online world where you can put up a Wiki that is not vandalized; a public forum that is not spammed; visit a Web site and not risk infection; where you can post your email address publicly and not get instantly deluged with garbage. Doubtless there are flaws in my ideas, so I'm open to better ideas; contact email@example.com. I just know that I am sick and tired of subsidizing criminals and having to build ever-stronger fortresses, and if it means building a snooty private Internet, I'm all for it.