1 2 3 4 5 6 7 8

and social integrity of the international community. Nations whose life-line becomes increasingly dependent on information networks should realize that there is no sanctuary from information-based assaults. Commercial organizations, especially in telecommunications, finance, transportation, and power generation offer choice targets to massive disruption."[18] In the light of the GAO report's comments on security, this is a disturbing scenario. Strassman and Marlow go on to argue that anonymous remailers are a dangerous "pathology" requiring public- health style measures of inoculation and quarantine.

Europe, too, contemplates requiring traceability as the price of allowing the use of anonymity, and it became plain in late 1996 when the Church of Scientology won its court order against Helsingius how much pressure any anonymous remailer operator who functions within the borders of a single country may face from his or her national authorities. The CoS was alleging yet another set of copyright violations, a civil matter. Helsingius had believed that Finnish law would place privacy above civil--though not criminal--violations. But changes to Finnish telecommunications law earlier that summer had removed this privacy protection, and although Helsingius expected it to be restored in new laws, there was a gap during which his users weren't covered.

"We need to work out the rules for who's responsible for what and when you can actually get access to that information," Helsingius said shortly after the server's closure. "I feel that working with the authorities and within the law is the only way you can do something like this in the long run."[19]

One big issue that faces us is distinguishing the areas where passing laws makes sense from those where it's better to use a technological fix--the same kind of balance that privacy advocates are trying to find between data protection legislation and spreading the use of encryption. It's stupid, for example, to outlaw the use of a readily available item like a radio scanner to eavesdrop on a mobile phone conversation if you can deploy encryption to garble the conversation so that even if anyone hears it they can't understand what's being said. On the other hand, it's wasteful to deploy an expensive technological fix if it's not needed. One thing is for sure, especially in view of the GAO report's conclusions: we should not be designing systems on the presumption that we can make them so perfect that they will never fail; we should be designing systems that incorporate elements that minimize the damage when they do fail. Because fail they will, somehow, sometime, whether rats chew through a vital cable or someone forgets to disable the default accounts supplied on a new system (a common point of entry for hackers). Or, in the words of the WELL's press release after Mitnick's arrest: "Public computer systems, by their very nature, are impossible to entirely secure." The argument that we should design systems to minimize the damage of failure was persuasively made about software design in the 1995 book Fatal Defect,[20] and it applies even more to computer networks; it was, in fact, precisely the principle on which the Internet was built.

This is particularly true because the insane pace of technological development means that new technology is deployed before anyone can consider the consequences. That twelve-year-old's Java script was relatively harmless, but why should we assume all such things will be? In December 1996, Edward Felton, head of Princeton University's Safe Programming Team, announced he had discovered major flaws in the design of the World-Wide Web that could allow a spoof server to insert itself between a Web site and a visiting user and intercept (and potentially alter) traffic passing between them.[21] A different risk was found in early 1997, when in a twist on 800-number scams a sex-oriented site required users to download a viewer to access its pornographic pictures; when they did and ran the software, it silently disconnected their modem and redialed long distance to Moldova, racking up huge phone bills whose profits went to the site itself (and the relevant phone companies). Around the same time, a team of German hackers announced that they had been able to write a script to use Microsoft's Active-X controls (a system for producing small programs to run animations and manage interactive features) to access information stored on a user's hard disk in the personal finance software Quicken and transfer funds from the user's bank account. Microsoft's answer was to recommend allowing your Web browser to run