Got ... Net ... Clue?
Today Olympia Snowe, Bill Nelson, the most conservative Democrat in the Senate, and Ted Stevens, the guy who made "intertubes" famous, introduced a bill "aimed at ending the deceptive practice known as phishing".
The dumb way to proceed is to attach some liability to the actual practice of phishing, from the banal stuff like putting "looks similar" characters in a domain name, like the famous Cyrillic "a", so that URLs that look like "paypal.com" go to someplace novel, where credit cards are harvested, to the slightly less banal stuff like putting HTML glop into "HTML enhanced email" so that URLs that look like "paypal.com" also go to someplace novel, where credit cards are also harvested, and lots more variations on the theme of misdirection.
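Spotting the look-alike trick just described from the defender's side, as an added example that is not part of the original post: it IDNA-decodes a hostname so punycode labels show their real letters, flags labels that mix scripts, and folds a small constructed table of Cyrillic and Greek confusables back to Latin to see whether the result spells a name on a protected list. The CONFUSABLES table and the PROTECTED set are constructed assumptions, not anything from the post.

```python
import unicodedata

# Constructed, deliberately partial table of Cyrillic and Greek letters that
# render like Latin ones; a real tool would load the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",
}

# Constructed list of names this deployment wants to protect (brands, own domains).
PROTECTED = {"paypal.com", "example-bank.com"}


def to_unicode(hostname):
    """Lower-case and IDNA-decode a hostname so xn-- labels show their real letters."""
    hostname = hostname.strip().rstrip(".").lower()
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or malformed punycode: inspect as given
        return hostname


def scripts_in(label):
    """Set of script names (first word of the Unicode char name) used by a label's letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host):
    """Fold confusable letters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def inspect_hostname(hostname):
    """Return findings for one hostname: mixed-script labels and brand impersonation."""
    host = to_unicode(hostname)
    mixed = any(len(scripts_in(label)) > 1 for label in host.split("."))
    folded = skeleton(host)
    # An all-Cyrillic label mixes nothing, yet can still spell a protected name.
    impersonates = folded if folded in PROTECTED and folded != host else None
    return {"host": host, "mixed_script": mixed, "impersonates": impersonates}


if __name__ == "__main__":
    for name in ("paypal.com", "xn--pypal-4ve.com", "p\u0430ypal.com"):
        print(inspect_hostname(name))
```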
The better way to proceed is to reduce the time each phish pitch can work from the weeks-to-days, which is the present operational art, to minutes, which is both technically possible, and administratively possible. In fact, it is something I've been working towards for several years (phish is only a recent use of domain names and network addresses for black-hat fun and profit), and encouraging the institutional framework that can cause such a reduction in the time-to-live for crap that drops into your inbox or otherwise arrives at your mouse's nibbly nose via one of a number of behavior profiling applications (aren't ads kwel?) would be wicked useful.
The interesting challenges are things like double-fast-flux, where the name servers for the urls used by the thousands of attack assets for "where the money goes" are rotated across many name servers and many, many more hosts and ... all wicked quick. We can effectively engage that too, and with relatively thick fingered and clumsy policy tools, as simple as putting a fee on name server changes, a fee as small as a penny, in addition to the smarter bits we use to measure it.
Registrars sell domain names. Registries publish domain names. We operate on a time-scale of seconds to minutes, and we can, if ICANN (our regulator, your incorporated-in-California 501(c)(3) successor-in-interest to DARPA, ARPA, the NSF and the Department of Commerce) assists us, do to the use of domain names for spam, phish and lots of other applications of idle hands and criminal minds what the simple application of a 20 cent fee did to the domain tasting sub-industry (another industrial strength scam, on trademarks and typos generally, all fueled by Google Ads (aren't ads kwel?)).
My point here is the same point I made over a decade ago to the then Chief Scientist at the NSA: geeks beat heat. He took my point, which is why there is a Computer Emergency Response Team, to ask us what to do when something really awkward happens. Phish isn't really awkward, it's just a big heap of small robberies.
We know (a) that what was unorganized crime using computers, aka "cyber-crime", is now organized. In fact, there is a market for attack assets, just like there is a market for AK-47s and RPGs. We know (b) that gaming the system can be fixed. We know (c) that very, very few computer scientists want to work with or for John Ashcroft or Alberto Gonzales or Michael Mukasey, that the "other side of the shop" went non-linear under Donald Rumsfeld et seq., and that everything under DNI Mike McConnell is "complicated" by pervasive wiretap, about which we have spoken authoritatively in RFC 2804, IETF Policy on Wiretapping.
But it takes non-dumb on the public policy side of the table. That was the most attractive bit about the idea of Larry Lessig running for the seat vacated by Tom Lantos' death. Someone in the lower body who actually has clue, not about real estate or used cars or banks or big law, but about the anomaly we call the net.
I can't help but think of the anti-internet-gaming bill introduced by the GOP member from the IA 2nd. Null content but lots of happy applause. Punished credit card companies for doing what credit card companies weren't doing anyway. Bag of hammers dumb.
Here's the link to Olympia's technology staffer's latest PR gimmick.