SC Magazine
The SC Magazine Newsteam Blog

Back to the future past

Posted November 20, 2008

The web, you see, is connectionless at bottom. I’m not referring to protocols, for those of you technically bent.

What I mean, in a non-engineering way, is that in the old days (say about the time of Alexander Graham Bell), to have your device connect to another person’s, you had to physically hook wires to it, generally by way of young women sitting at a wall of jack fields. That, by the way, led to a prediction that eventually we would run out of people to sit in central offices and shove plugs into jacks.

That notion evolved – I’m skipping forward rapidly – to massive computers in central offices doing the plug shoving (at least virtually). That era was called the circuit-switched era (I just coined an era!).

Then, of course, we entered the era of packet switching (skipping even more). In this era, the destination device is connected (virtually) not by wires and plugs, but by way of little packets that contain destination addresses. All these little packets find their own way to their destination. They are trusted to get there safely and without modification.

Which leads to my latest theory (file this under Harebrained, Latest): Packet switching causes the security problems inherent with the internet.

I know, I know — nothing is that simple. But when you have a system that can be used to intercept, modify, or connive readily, you will find people who intercept, modify and connive. If you can anonymously change, or spoof, a few packets instead of running drugs, heisting banks, or doping horses, crime will pay.

When the internet first started to actually work, it worked because the people building it trusted one another. That is, when you sent your personal information, Social Security number, bank account numbers, and children’s ages, the guy at the other end just figured it was test data, or that you were terribly confused, or both. They typically did not use the info to open bogus credit cards, drain your bank account, or kidnap your kids.

How things change!

Maybe a circuit-switched network was no safer, and there may be no causal link between an open, trusted model of networking and cybercrime, but it would likely be safer to run transactions on the Graham Bell, “Watson, come here” model.

Of course, it would be inefficient, expensive, and very near impossible to maintain. And life would be dull without what the internet has evolved to.

But the idea of talking to someone and otherwise exchanging information without worrying about devastating financial loss lurking behind every link is blissful.

When that universe opens up, let me know.

Filed under: Opinion

Forget what you think about hackers

Posted October 15, 2008

H4ck3rs Are People Too is a recently released documentary that gives an enlightening and comical glimpse into the hacker community. Hackers are not just cybercriminals launching attacks from the dark shadows of their basements; the film proves that they are fun, passionate, beer-drinking, normal people.

The film dispels the notion that all hackers are out to steal your credit card info and replaces it with the reality that many hackers are IT security professionals, computer analysts and researchers. The message that comes through, for me, is that a lot of hackers are just normal people trying to break things to make them better.

The film was edited and directed by Ashley Schwartau, a 23-year-old University of Central Florida digital media student. The daughter of Winn Schwartau, CEO of The Security Awareness Company, Schwartau has been going to hacker conventions since the age of 16. The documentary was shot at a recent Defcon conference, where Schwartau interviewed some prominent names in the IT security community.

Filed under: Opinion

Computer security legal parallels

Posted September 11, 2008

To believe the data, the trends, the analysts and the other interested observers, lawlessness is the status quo in computer security.

I’m just talking here. And as a colleague of mine used to grumble, I know nothing…

But what happened to the implied social contract of the internet?

In society, the theory goes, people go about living without fear because of protection afforded by the policing function of government. In fact, the need for effective protection arose from an inability of ordinary individuals to curb lawlessness.

And where does lawlessness stem from? Criminal minds, of course. That is the purview of criminologists, right? Criminology theoretically draws on the study of multiple disciplines from biology to anthropology. Crime relates to a multiplicity of conflicting and convergent influences, so any understanding of causality remains hard to pin down.

In general, however, security implies prevention – preventative measures and investigation of incidents after the fact (in theory to prevent future incidents and discourage wrongdoers). Most organizations are on their own in terms of prevention; and investigating is the last measure one would engage in if it involves outside help and notoriety.

Even if outside help were relied on, the nature of computer offenses is not something that lends itself to everyday recourses. In this country, there is a very disjointed system of governmental administration, including thousands of disparate municipal and county law-enforcement agencies and even more federal, state and local agencies with specialized jurisdictions.

Whether or not you agree that computer security is a law-enforcement problem, the enforcers cannot be expected to create order from whole cloth; we’re talking about a criminal behavior quite different from the usual street crime.

That is, though crimes are considered injurious to society, the onus of cybercrime is addressed mainly by commercial products aimed at prevention of overt acts in private organizations.

People engaged in business should be able to go about being productive without concern that assets they create and work with will be drained and sold in cyberspace. This freedom of action has to be protected, and it is now only through a strange amalgam of government and private efforts.

Where does one begin and the other end?

Filed under: Opinion

Bring the hacker here

Posted August 28, 2008

The news: Gary McKinnon, the alleged NASA hacker, has failed in his last ditch appeal to the European Court of Human Rights to have his extradition to the United States quashed.

Here’s the background: In 2002, McKinnon, also known as Solo, left this message on a computer belonging to the U.S. Army:

“US foreign policy is akin to government-sponsored terrorism these days… It was not a mistake that there was a huge security stand-down on September 11 … I am SOLO. I will continue to disrupt at the highest levels.”

As a result of this action, and a few others, he was indicted in 2002 by a federal grand jury on seven counts of computer fraud and related activity, and faces on each count a maximum sentence of 10 years in prison and a $250,000 fine.

The indictment says that in one instance he obtained administrator privileges to a military computer, deleted approximately 1,300 user accounts, deleted critical system files, copied a file containing usernames and encrypted passwords for the computer, and installed tools for obtaining unauthorized access to networked peers. What’s more, he did the same thing to Army, Navy, Air Force and NASA computers from Groton, CT, to Pearl Harbor.

Specifically, the indictment charged that McKinnon scanned a large number of computers in the .mil network and was able to obtain administrative privileges to many of them. Once he was able to access the computers, McKinnon installed a number of hacker tools (one of which was “Remotely/Anywhere”), copied password files, then deleted a number of user accounts and critical system files. Eventually, he was able to scan more than 73,000 computers.

At the Naval Weapons Station Earle, on one of the computers used for monitoring the identity, location, physical condition, staffing and battle readiness of Navy ships, he deleted files that rendered the base’s entire network of over 300 computers inoperable. This was at a critical time: immediately following September 11.

The indictment goes on to say that once inside a network, McKinnon would use the hacked computers to find additional military and NASA hosts. In one attack, McKinnon caused a network in the Washington D.C. area to shut down, resulting in the total loss of internet access and email service to approximately 2,000 users for three days. The estimated loss for all of this has been put at approximately $900,000.

OK, then. Let me get this straight. Using his home computer, McKinnon, through the internet, identified networked government computers and from those extracted the identities of certain administrative accounts and associated passwords. Having gained access to those accounts he installed Remotely/Anywhere, which enabled him to access and alter data at any time. Right…

It’s hard to feel too sorry for this guy, considering the nature of the charges against him. If he didn’t do this stuff, or if he can justify his actions in some way (he claims he was looking for UFO information), he should tell it to the judge.

Filed under: Opinion

Internet icon, he cons, they will have conned

Posted August 21, 2008

“So, I have this watch I’d like to sell you. You probably don’t need a watch, and you could likely live without this one, but the nice lady you’re with would surely be impressed if you were wearing some nice new shiny man-links on your wrist. Just look at the way she’s studying your face as you examine it!

“And the price! How can you go wrong? $20 and it’s yours. You walk away a new man, your girl is bowled over, and at that price — well, you really put one over on me.”

“He’s right,” you think. “It’s flashy, I dig the design, she’s really acting as though she’s impressed. The guy looks like a good guy, and he’s talking a square deal … I think.

“What the heck? Call me a sucker, but what if this thing is legit? I may have just stepped into a bit of good luck. I’ll hand over this nice new twenty and put the glitz on…”

As you walk away, the seller disappears, the watch stops, and your girl can’t get over why in the world you would do such a thing. Her look of being impressed was really one of incredulous amazement at your stupidity.

To be human is to be weak; just read Hamlet or King Lear. And tragedy is not limited to storied interactions. It permeates all human activity, right? So it is in the modern corporation, peopled by potential tragedies sitting at every monitor and keyboard. Any user falling for a seemingly innocent ploy can bring down the whole company. Click that email attachment, download that fun game, and unknown — unseen even — a door opens to the Raiders of the Lost Bot.

The modern term of art is “social engineering,” but it may be the world’s third-oldest profession. Every generation produces people who are skilled at conning others, and a sucker is born every 60,000 milliseconds. It’s the final frontier for the current con artist, the guy who lurks around every corner of the internet stalking his next mark.

The only effective way to combat this menace, the experts agree, is end-user training, constant vigilance, and up-to-date patches. Train, watch, patch… Train, watch, patch…

Why am I reminded of a half strophe, “the day the music died” (from Don McLean’s American Pie)? The internet made the world different, but in a lot of ways the world is just the same. The criminal tragedy suffusing the internet parallels the demise of hope that the internet could be free of human malfeasance.

But, alas, poor Yorick, fellow of infinite jest, we must progress: Train, watch, patch…

Filed under: Opinion

In defense of offense

Posted June 26, 2008

Human nature can rarely change, and when it does, it is mostly a reaction to environmental variation. This is Darwinism, and was famously reflected in Lincoln’s observation about human nature: “…repeal all compromises — repeal the declaration of independence — repeal all past history, you still can not repeal human nature.”

Thus it is with security in the interconnected world. When we think of security at all, it is from a defensive standpoint. Our forebears built fences, walls, castles, forts, and each of those defensive measures waned in turn. In the great conflagrations of the 20th Century, only when strategy turned from defensive posturing to offensive maneuvering did the winning side prevail.

Could our current plight in the face of a constantly evolving threat state only be rectified with a transformation of human nature? Should we abandon all further hope of creating the decisive defensive weapon and simply go after the attackers?

It’s hard to imagine such a radical shift. The environmental variation has not sunk in – most of the industrial world seems only vaguely aware that a problem of security exists.

Thus, repealing human nature seems unlikely. The answer may be that threats must be preempted. And the only way to see that happen peacefully is through governmental cooperation, on a level that requires more than just police action.

Therein lies the rub. Governments are made up of humans, and Darwin, Lincoln, and your local DHS office are not going to repeal the defensive mood.

What am I driving at? Until everyone senses some kind of a worldwide criminal breakdown — chaos, anarchy, disorder, and monetary collapse — our defensive mentality is unlikely to change. The industry is safe for venture capitalists.

But if doomsday approaches, then survival may depend on a more proactive approach to the bad guys who thrive in the current setting. The pressure on governments, however reluctant, to cooperate in finding and eliminating cybercriminals behind their lines may push the cretins out of the picture.

But I’m not holding my breath.

Filed under: Opinion
