
 
This is supplemental information to the article:

The Hidden Costs of Internet Insecurity

 

by Al Gordon
 


Former presidential terrorism advisor Richard Clarke has attracted passionate supporters and equally impassioned foes – and that’s just about the Internet.

Clarke, of course, has been making big headlines these days for his criticism of the Bush Administration’s handling of 9/11 and Iraq. But in the past he made a much smaller splash while warning about the threat of “cyberterrorism” – the possibility that terrorists or other criminals might, via the Internet, unleash viruses, hack vital computer databases, and otherwise inflict major social and economic damage.

As the critics see it, Clarke relentlessly hyped the cyberterrorism threat. Many Internet experts think hacking and virus threats generally are overblown – more annoyance than menace. While the FBI categorizes computer-related crimes as among the fastest growing criminal enterprises, the bulk of them rely on old-fashioned con artistry, not technological wizardry. As the cyberterrorism skeptics see it, if a terrorist wants to cause 9/11-type damage to the nation’s computer infrastructure, bombing a key data center will be more of a threat than Internet hacking.

Now undoubtedly Clarke does have a certain flair for the dramatic. But a lot of what he had to say was right on target: Internet security is terrible. And it is placing a huge cost on Internet users.

The Internet was never intended to be the mass medium it is today. One of the reasons it was created was to be a communications system that could survive a nuclear war. A key underpinning of Internet standards, for example, is that data, rather than moving directly from Point A to Point B like a telephone call, instead is broken up into pieces and sent out to flow along whatever path it finds available. This is great for automatically rerouting transmission around lines that have been destroyed in an atomic attack, but not so great in controlling the number of systems that potentially handle the data.

At the time a major safeguard was that only a few institutions had the capability for computer transmissions. Now Internet-enabled computers are as plentiful as toasters, and the original safeguards aren’t looking very safe. One of the most familiar consequences: no particularly rigorous standards were adopted to ensure that the name on the “from” line of an email is real and not a fake. The result is the flood of spam and the ever more elaborate “spoofs” that actually are con games.

The price users pay for this is not just in the expense of purchasing defense software such as Symantec's Norton Internet Security Professional ($55) or Zone Labs' Zone Alarm Pro ($50). It's also the productivity lost in dealing with Internet threats. Just stop and think, for instance, about how much time you spend deleting spam. Or consider the latest versions of the aforementioned products. When Internet Security 2004 or Zone Alarm 4.5 load up, you can practically sense them trying to dig a virtual moat around your computer.

Kraig Lane, Group Product Manager in charge of Internet Security Products for Consumers at Symantec, says "our goal is to make the security software's functions unnoticeable to the user." But he acknowledges that there can be performance losses, particularly in a Windows XP system that is short on memory. Plus, both his software and Zone's pop up warning notices at frequent intervals to take up more of a user's time.

Fred Feldman, Vice President of Marketing at Zone Labs, says today's "biggest threat is social engineering" -- the tech community's phrase for conning people. Both he and Lane point to the current surge in "spoofs" and "phishing attacks." A spoof is when the con artist sends you an email that appears to be from a legitimate company you do business with -- typically a bank or credit card company. The email, which often uses the company's graphical style, solicits credit card numbers and other financial information. Phishing takes this a step further by giving you a link to a web site that also appears legitimate, including a fake URL that seems to be the company's real web address.

As a result of these and other new scams, Norton Internet Security Professional and Zone Alarm Pro have added additional features -- which of course make additional demands on your system's resources.

Both the Symantec and Zone Labs solutions offer good security, but equally both had aggravating characteristics.

Zone Alarm Pro, for example, treated buttons on my personal web site as ads, which it not only blocked -- but kept blocking even though I used its controls to permit ads on the site. This inability to grant specific sites exemption from ad blocking or pop-ups is a major weakness in the program as, in the interests of privacy and security, it makes many sites unusable.

Symantec, meanwhile, refuses to let users determine which Internet Security Components to install -- even though users might want to go with Norton AntiVirus, but pass on Norton Personal Firewall or Norton AntiSpam in favor of alternate programs. Particularly annoying, even when you turn off AntiSpam, its Outlook toolbar continues to load. (Solution: rename the "MsouPlug.dll" file in your "C:\Program Files\Common Files\Symantec Shared\Antispam" folder -- do not delete it; Symantec does not have a "repair" installation option.) Nor does Norton AntiSpam allow you to designate domains for your allowed address list -- while promising, it's very much the 1.0 version it is.

The key buying decision, really, is whether you do or do not want to use Norton AntiVirus, still one of the segment leaders. If you do, then the Internet Security bundle is cost effective. If you are going elsewhere for virus protection, Zone Alarm Pro offers the most bulletproof firewall bundle. (Also, don't forget there's a free version of Zone Alarm, which is firewall only, without the ad blocking, etc.)

The fate of both packages is somewhat up in the air now with Microsoft about to add beefed up security features to Windows XP Service Pack 2. Traditionally the utilities Microsoft builds into Windows are weak versions of like standalone products, but because of mounting complaints about lax security Redmond may be more aggressive than usual. The antispam capabilities in Outlook 2003, if this is any sign, are very competent.

As for why we are in this predicament to begin with, Lane faults the limitations not only of the Internet but also most major computer operating systems. He notes that personal computing, and programming for it, started out as a hobbyist endeavor and security features were added in as an afterthought. Moreover, as the operating systems get ever more complex with armies of programmers working on them, the possibilities for vulnerabilities multiply as well.

Which brings us back to Richard Clarke. Among his cyber-causes were a number of perfectly sensible alternative ideas. One was that software companies ought to write programs that actually work and are not full of flaws that can be exploited by malicious hackers. Another is that Internet Service Providers, which usually are large corporations, ought to take on more of the responsibility for screening out intrusions rather than dump the job on their customers.

Even those who are not fond of the messenger would be hard pressed to find much wrong with that particular message.

(c) 2004 Al Gordon.

In addition to his computer interests, Al Gordon is a principal in the Boston-area strategic consulting firm, Mary Fifield Associates, www.maryfifieldassociates.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can reach Al Gordon at:

al@tnpcnewsletter.com
