Felix Stalder on Thu, 2 Sep 1999 20:25:28 +0200 (CEST)



<nettime> Turning Tides: Reading the Hotmail Hack


Turning Tides: Reading the Hotmail Hack

Two stories landed at the top of the technology news the same day. One was
the massive security breach at Hotmail, the other was Sun Microsystems'
acquisition of Star Division, a small developer of office software. Both
events are deeply connected, though this escaped the editors who put them
on the same page (if there are indeed still human editors for
webpages...).

Sun has long been pushing the "network computer". According to this
vision, applications which right now reside on our PCs, e.g. word
processors, will be located remotely on powerful network servers and
accessed (and paid for?) on demand. Not coincidentally, Sun produces
powerful network servers. This shift from the PC to the network is often
portrayed as the logical next step after the shift from the mainframe to
the PC. However, it's a shift which makes the tide flow in exactly the
opposite direction. PCs, which function by and large as autonomous units,
brought a decentralization of computing power and arguably an empowerment
of the average user. The move to the network reverses this trend. The term
"network" sounds innocent enough, though in the context of Sun's
initiative it in fact means a few central computers that distribute
applications to relatively dumb peripheral network computers, glorified
monitors. Which sounds almost like mainframes all over!

Acquiring Star, Sun plans to release its office suite as a network
application to be accessed over the web whenever needed. While this
cosmological drama is directed against Microsoft's dominance over the
desktop, it's ironically Microsoft itself that owns the only net-based
application that really holds mass appeal: Hotmail's web-based e-mail. 40
million people (give or take a few million) are using Hotmail. This is an
unprecedented centralization of the most important Internet application in
one system.

And why does that matter? 

All systems are vulnerable to attacks; the Internet is not built to be a
high security network. In a huge centralized system the effects of such
attacks are greatly magnified because one single line of code can suddenly
open millions of mailboxes. Furthermore, along with such a centralization
comes a shift in the power balance between the provider and user of the
service. Contrary to what many of the optimistic net futurists predict, the
power shifts, at least in this case, towards the provider and away from the
user. Virtually all analysts agreed in their seemingly paradoxical
assessment of the Hotmail hack. It is the most significant security breach
on the web so far and, at the same time, it does not matter for Microsoft.
The balance between the behemoth corporation and potentially damaged users
is just too skewed for Microsoft to care. Yes, it's a bit of an
embarrassing itch, but as one analyst put it aptly "There are many fleas in
a 500 pound gorilla."  Unfortunately, the flea is you! Or as the service
agreement states: "the service is provided without warranty of any kind."
There are commitments, to be sure, expressed in all kinds of privacy
statements, but these are very different from obligations, as one can see
now that something went wrong. In effect, this means that by using the
system, you not only sign off all rights, but, given the imbalance between
the two parties, protest is almost useless.

But the imbalance runs deeper: it's not only in numbers but also in
knowledge. The classic argument goes that if the service is too bad, then
the users will go somewhere else. Unfortunately, given the nature of
computing problems, it's pretty difficult to even find out when the service
is bad. You have no way of knowing if someone read your e-mail. And the
Microsoft statement posted after the incident is more opaque than a
Kremlin release in the early 1980s. You have to be an insider to
understand it.

However, to expect that every user is highly "computer literate," and thus
the informed consumer of neo-liberal theory, is a) unrealistic and b) not
desirable. We shouldn't be forced to become nerds just to use computers,
just as we do not have to become mechanics to drive cars.

What the Hotmail hack shows is that the Internet's self-regulation
doesn't work anymore because it relies on the assumption of more or less
equal participants. This is clearly no longer the case. There is not much
guessing about what happens when you and Microsoft (or Sun, for that
matter) regulate one another. You invariably end up with no rights
whatsoever, and you are likely not even to know it because you would have
to be a computer scientist and a lawyer at the same time. Both of which are
in ample supply on the side of Microsoft. What the Sun acquisition shows is
that the trend which causes this imbalance is only getting stronger.

But there are ways to reverse this trend. One is to develop and spread
technologies which put control back into the hands of individual users.
The open source movement is doing a lot in this direction. Cryptography is
on top of the list. Free, easy-to-use, public-domain cryptographic tools
are a necessity. And with a few targeted public research grants they could
become a reality sooner rather than later. But cryptography is not a
magic bullet. We also need to create mechanisms of accountability which
replace fancy-worded "commitments" with "binding obligations" so that
screwing up really hurts. Like in most other areas of life.

[first published in Telepolis - Magazine of NetCulture
http://www.heise.de/tp]

  -----|||||---||||----|||||--------||||-----
  Les faits sont faits.
  http://www.fis.utoronto.ca/~stalder



#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net