Turning Tides: Reading the Hotmail Hack

Two stories landed at the top of the technology news the same day. One was the massive security breach at Hotmail, the other was Sun Microsystems' acquisition of Star Division, a small developer of office software. Both events are deeply connected, though this escaped the editors who put them on the same page (if there are indeed still human editors for webpages...).

Sun has long been pushing the "network computer". According to this vision, applications which right now reside on our PCs, e.g. word processors, will be located remotely on powerful network servers and accessed (and paid for?) on demand. Not coincidentally, Sun produces powerful network servers.

This shift from the PC to the network is often portrayed as the logical next step after the shift from the mainframe to the PC. However, it's a shift which makes the tide flow in exactly the opposite direction. PCs, which function by and large as autonomous units, brought a decentralization of computing power and arguably an empowerment of the average user. The move to the network reverses this trend. The term "network" sounds innocent enough, though in the context of Sun's initiative it in fact means a few central computers that distribute applications to relatively dumb peripheral network computers, glorified monitors. Which sounds almost like mainframes all over!

Having acquired Star, Sun plans to release its office suite as a network application to be accessed over the web whenever needed. While this cosmological drama is directed against Microsoft's dominance over the desktop, it's ironically Microsoft itself that owns the only net-based application that really holds mass appeal: Hotmail's web-based e-mail. 40 million people (give or take a few million) are using Hotmail. This is an unprecedented centralization of the most important Internet application in one system.

And why does that matter? All systems are vulnerable to attacks; the Internet is not built to be a high-security network. In a huge centralized system the effects of such attacks are greatly magnified because one single line of code can suddenly open millions of mailboxes. Furthermore, along with such a centralization comes a shift in the power balance between the provider and the user of the service. Contrary to what many of the optimistic net futurists predict, the power shifts, at least in this case, towards the provider and away from the user.

Virtually all analysts agreed in their seemingly paradoxical assessment of the Hotmail hack. It is the most significant security breach on the web so far and, at the same time, it does not matter for Microsoft. The balance between the behemoth corporation and potentially damaged users is just too skewed for Microsoft to care. Yes, it's a bit of an embarrassing itch, but as one analyst put it aptly, "There are many fleas in a 500 pound gorilla." Unfortunately, the flea is you! Or as the service agreement states: "the services is provided without warranty of any kind." There are commitments, to be sure, expressed in all kinds of privacy statements, but these are very different from obligations, as one can see now that something went wrong. In effect, this means that by using the system you not only sign off all rights but, given the imbalance between the two parties, protest is almost useless.

But the imbalance runs deeper: it's not only in numbers but also in knowledge. The classic argument goes that if the service is too bad, then the users will go somewhere else. Unfortunately, given the nature of computing problems, it's pretty difficult to even find out when the service is bad. You have no way of knowing if someone read your e-mail. And the Microsoft statement posted after the incident is more opaque than a Kremlin release in the early 1980s. You have to be an insider to understand it.
However, to expect that every user is highly "computer literate," and thus the informed consumer of neo-liberal theory, is a) unrealistic and b) not desirable. We shouldn't be forced to become nerds just to use computers, just as we do not have to become mechanics to drive cars.

What the Hotmail hack shows is that the Internet's self-regulation doesn't work anymore because it relies on the assumption of more or less equal participants. This is clearly no longer the case. There is not much guessing about what happens when you and Microsoft (or Sun, for that matter) regulate one another. You invariably end up with no rights whatsoever, and you are likely not even to know it because you would have to be a computer scientist and a lawyer at the same time. Both of which are in ample supply on the side of Microsoft. What the Sun acquisition shows is that the trend which causes this imbalance is only getting stronger.

But there are ways to reverse this trend. One is to develop and spread technologies which put control back into the hands of individual users. The open source movement is doing a lot in this direction. Cryptography is on top of the list. Free, easy-to-use, public-domain cryptographic tools are a necessity. And with a few targeted public research grants they could become a reality sooner rather than later. But cryptography is not a magic bullet. We also need to create mechanisms of accountability which replace fancily worded "commitments" with "binding obligations" so that screwing up really hurts. Like in most other areas of life.

[first published in Telepolis - Magazine of NetCulture http://www.heise.de/tp]

Facts are made.
http://www.fis.utoronto.ca/~stalder