Who did you talk to?

[This was originally published in Capital of Nasty Volume IV Issue 17 and mirrored on attrition.org.]

I forget if it was a bank or Credit Card Company or the phone company that I was ‘talking’ with. I think anyone nearby would have classified it as an argument from the tone and volume of my voice. Until this phone call it never really hit me how often this happened, and how much anger it brought out of me. The snotty ‘service agent’ on the other side had asked me a single question, designed exclusively to give them a reason not to help you. “Do you remember who you talked to?

Of course I didn’t. Whatever agent I had spoken to three months ago might as well have been a conversation seventeen years ago. The conversation today reminded me that during the previous conversation, the other agent had explicitly told me of a policy or something else they were able to do for me. The agent today said otherwise. At this point I stopped my sarcastic replies and realized that this question was asked of me more and more.

It’s amazing that despite the incredible technology we have, large companies still do little tracking in regards to customer interaction. When you call in to make a change in your account or ask about one thing or another, the company will often log it. Unfortunately, few will log who you talked to. This is absurd since they will dutifully quiz you on just that during subsequent calls. If you make a call in January and talk to Sue, she may tell you that the bank will credit your account or that the car rental place will let a 24-year-old rent a car. When you check your statement or try to rent the following month, problems arise.

Now you find yourself talking to Bob who shows no record of any such credit, or any such exception to policy. It’s a matter of minutes before Bob will ask the loaded question: “Do you remember who you spoke to“? This is done under some stupid pretense that the given name of who you previously spoke with will magically resolve the situation. Bob acts like this name can be put into the computer and results will pour forth.

When the question is asked, you really have three options in answering this believe it or not. Each has its own merit:

  1. If the person is reasonable, you can try the logic approach. “Bob, there are over ten thousand employees in your organization right now. Do you really know them all by first name? Will me giving you some arbitrary name really resolve my problem?” The downside to this approach is that you are admitting you don’t remember whom you spoke with.
  2. Turn the question back on Bob. “Gee Bob, your customer tracking system should show who I spoke with since she failed to give her name.” I would hazard a guess that often times they DO know who you spoke with, they just don’t want to volunteer that name since it does nothing to resolve the current problem.
  3. “I talked to Jane.” Of course Bob knows Jane right? And no, you didn’t get her last name. Let Bob figure that part out. When Bob comes back to you with continued failure to resolve the issue, you can explicitly say that customer satisfaction will only come if you can talk to Jane or if Bob can honor Jane’s promises.

Each answer’s mileage will vary based on who you are speaking to. The fundamental thing to remember here is that question is designed to give the company an ‘out’ for providing customer service. Don’t let this tactic throw you off or weaken your argument. Be prepared to fire back with your own shots. Manage their expectations and customer service is still attainable.

So if these companies start to stick you with the blame simply because you were so irresponsible and forgot a name, take a deep breath and continue. Put sarcasm aside (as tempting as it may be to flame the ever loving hell out of them) and play the part of the innocent customer.

A customer that is very sure of himself and remembers with 100% certainty that he spoke with ‘Jane’ so long ago. Let them figure the rest out.


Byline: cult hero looks like an ordinary, over worked, computer genius know-how. However, deep undercover, he and the followers of his cult, spread fear and terror in the hearts of spammers.

Is it worth it?

[This was originally published on Hacker News Network (HNN) and mirrored on attrition.org.]

Is it worth it?
Dispelling the myths of law enforcement and hacking

A recent chat with an active web page defacer made me realize just how naïve some crackers can be about law enforcement (LE). Despite a large amount of cases being brought against crackers in the past, there is still an air of uncertainty and a handful of myths lingering in their minds. The problem can be tracked back to two types of individuals that contribute to the problem. I will touch a bit on the problem and spend the rest of this piece trying to clear up some of the myths, as well as bring to light new developments in law enforcement’s handling of computer crime.

The first and foremost problem is uninformed individuals that propagate (or make up) supposed facts about law enforcement procedure. Rather than using common sense to dispel the rumor or taking a little time to research what they say, they blindly pass on errata and treat it as gospel. A good example of this can be found in “Inside Happy Hacker, Jan. 19, 1999”, where Carolyn Meinel asserts “They have *not* sent me (Carolyn) a “target letter.” This is a letter that formally tells someone that he or she is a suspect.” There is absolutely no foundation for this outlandish rumor. Anyone under FBI investigation should know this. Meinel was questioned extensively about her involvement in the defacing of the New York Times web site. Despite this questioning and obvious investigation, she still made this ridiculous claim. The FBI investigation went so far as to ask her to take a polygraph test! Going against track record, Meinel did the right thing and refused to. More on polygraphs later.

The second problem arises from those close to, or involved in an FBI raid and investigation. After waking to gunpoint and watching agents harass family and sometimes neighbors, they see all of their equipment carted out the door. Inevitably, the first thing they do is call their friends and warn them about what happened. Adrenaline still pumping, they tend to exaggerate the events that just occurred. A question about another cracker may lead to “Dood, Joe.. they are coming to raid you next!” One thing often doesn’t mean another.

So, let’s set some minds at ease and answer questions about how law enforcement works. Disclaimer: If anything in this article is incorrect, please e-mail me and let me know! The information presented here is accurate to the best of my knowledge. I have consulted with one FBI agent and two DCIS agents to verify as much as I could.

        Sections:

        1. Who's investigating you?
        2. LE Resources
        3. The Raid
        4. What are they charging me with?
        5. The Polygraph
        6. Copping a plea
        7. Punishment
        8. Why haven't they busted me yet?


Who’s investigating you?

There are at least five agencies that investigate computer crime in the United States. For computer crimes that do not involve crossing state lines (PBX hacking, local dialins, etc), many state or city LE agencies are equipped to investigate. Some state LE offices have a dedicated officer with adequate resources to investigate with no external help. Computer crimes that involve crossing state lines brings two more agencies to bear.

The Federal Bureau of Investigation (FBI) is the primary agency chartered to handle domestic interstate computer hacking. In the late 80’s and early 90’s, these investigations were handled by the Secret Service (SS). With a few rare exceptions, the Secret Service no longer handles computer crime investigation. Some of these exceptions are the hacking of White House machines (unconfirmed rumor) and hacking that involves threats to the President or other specific individuals.

The third agency that comes into play is the Defense Criminal Investigative Service (DCIS). When hacks occur that involve military machines (.mil), DCIS is brought in to investigate. These agents often work closely with the FBI and have liaison agents that spends most of their time working side by side with the FBI. DCIS agents are gun toting, badge carrying, door kicking agents just like the FBI. When not investigating computer crime, they are responsible for most criminal investigations that occur on US Military bases.

The fourth agency is the Air Force Office of Special Investigations (AFOSI). Any computer intrusion into a United States Air Force machine falls into their domain. They operate primarily out of a Washington field office, and work with DCIS when needed.

What NASA lacks in security, they make up for in the investigative department. National Aeronautics and Space Administration, Office of Inspector General (NASA OIG) is a highly regarded branch of NASA that investigates intrusions into their networks. Considered by some investigators to be the top of the food chain, they certainly have a large quantity of work.

If you deface a web site, any one of these (or all of them) may be investigating you. Like many government agencies, the FBI is not well known for inter office communication skills. There have been times when multiple agents investigated the same individual without knowledge of the other. This communication problem extends to DCIS despite their liaison agents to the FBI. Rest assured, at least one of the three does have an investigation into the defacement.

In the past few months I have been told by several defacers “Dood, the NSA is investigating me!” Hate to burst your bubble, but I seriously doubt it. The National Security Agency (NSA) does not even have the power to arrest. With a few exceptions (I imagine), they do not carry guns and they do not spy on you every second. I will not debate what power they do have, but those things I am pretty sure of. Suffice it to say, even if they were keeping tabs on you and your actions, it is the least of your worries. Any evidence they collect is not shared with the FBI, and would have to be explained in court how it was obtained. Do you think the NSA will admit to monitoring domestic communication over a few web page defacements? 😉

For active defacers and crackers in the United Kingdom, you will be investigated by the Computer Crime Unit (CCU) at Scotland Yard.


LE Resources

On top of entire labs dedicated to investigating computer crime, most law enforcement uses an entirely different set of resources for the initial investigation. Unbeknownst to many active crackers, it is their own words and actions that lead to trouble. Rather than admit they were careless, conspiracy theory and games of “who’s the narc” come up.

Law Enforcement uses the same resources you do. They view web sites that mirror defacements. They read Bugtraq and other sites that talk about new vulnerabilities. They read hacker social lists like dc-stuff and web based BBSs. They IRC quite frequently, and do so under fairly innocent names. Certainly nothing that screams their real identity. Add all of that up, and they can typically build a good profile of any given cracker with little to no effort.


The Raid

There is nothing quite like waking up to the unfriendly barrel of a 9mm and large armored man pointing it at you. Equally disturbing is watching them parade your roommate or family half naked out to a central room or front porch while the agents secure the residence. LE raids are pretty straight forward. They come in with a Search and Seizure warrant that gives them the right to confiscate anything pertaining to the investigation. This includes everything from computers, to books, to ANY media including tapes, CDROMs, console cartridges and more. During this process you are questioned by several agents. This is where you invoke your right to have a lawyer present during questioning. Do not be hostile or insulting to the agents, just give them relevant information like name, birthdate and vital information. Before they begin the search, you should do two things. First, ask to see their identification and verify who they are. Second, ask to see a copy of the warrant. Some agents will not comply with either demand. Deal with it, they have guns and bad attitudes. You cannot reason with them.

During the questioning take notes. You have the right to have pencil and paper there, but you may not record the conversation or have a witness present. Assume that they are recording the conversation despite what they say. When they ask if you have any traps set to destroy computer equipment if tampered with, tell the truth. If you do not divulge that type of information and it results in an agent getting hurt, your life will not be pleasant and Title 18 will be the least of your concerns.

During the raid they will use all sorts of tactics during questioning. The familiar good cop/bad cop routine, the “let’s be friends after this“, harsh and accusing, and the all time favorite, outright lying. Yes, those oh-so-noble agents will lie to you, all the while bantering about how important honesty is. They are not required to tell you the truth, so don’t think otherwise.

At the conclusion of the raid, you should be left with a copy of the warrant, contact information for at least one agent, and a receipt for all material confiscated. If you are not left with those three items, immediately contact a lawyer and get advice on how to proceed. Despite there being rights and laws to protect you, FBI agents often overlook them.


What are they charging me with?

As many people know, computer crime falls under US Title 18 code. For each system you intrude on, LE can charge you with at least one (usually more) count of violating Title 18. There are adequate papers and web pages that cover this, so I won’t go into much detail. Instead, there are two other aspects which many people aren’t aware of that are worse than Title 18. These are the laws you should truly fear.

The first is Conspiracy. If your friend defaces a web site, you could go to jail as scary as it may sound. Having prior knowledge of, or being an accessory to the crime makes you guilty of Conspiracy. As a responsible law abiding citizen, if you have knowledge of a crime that is about to be, or has been committed, you must report it to the proper authorities. If you make no effort to stop the crime and at the very least report it before it occurs, you are just as guilty as the perpetrator of the crime. What makes this worse than Title 18 violation is the proof. A court of law only has to establish that you knew about the crime and did not act accordingly in order to convict you of it. One IRC chat log, one piece of mail confiscated from a machine, or one recorded phone call (or conference call) is all it takes.

The second set of laws you could conceivably be charged with is much more sinister. They apply to any hacking or defacing of government or military servers. From what I understand, DCIS agents are using this effectively to guarantee prosecution and encourage plea bargains. Rather than charge the cracker with US Title 18, Chapter 47, 1030, they revert to US Title 18, Chapter 119, 2511, which covers disruption and/or interception of communication of US Government and Military computers. By denying service or intercepting communications to or from a government system, you are committing a different crime than those covered under Chapter 47. DCIS was quite clever in using this one as it is apparently easier to prove in court.


The Polygraph

The Polygraph test analyzes various physiological reactions to questions asked of you. Based on these reactions, they try to determine if you are lying. Sounds like the ultimate law enforcement tool right? Wrong. The courts have ruled that polygraph test results are inadmissible in court. The FBI and other LEs use the poly as a guideline to help steer their investigation. Asking someone to take one is one of many ways LE forces people into a Catch-22 of sorts. If you take it, you can’t lie about anything. Worse, you can’t get nervous as that could affect the results. If you decline the polygraph, the LE agency will imply or outright accuse you of declining because of guilt. Regardless of their request, decline all polygraph requests! A polygraph can rarely help you. Even if you did not commit a crime and say so under poly, it will never see a court. If the LE chooses to bring a case against you anyway, taking the test will not have helped.


Copping a plea

If the investigation progresses to the point of them pressing charges against you, the prosecuting attorney and agent may approach you to cut a deal. First and most important warning! LE Agents do NOT have the ability to cut deals! They can recommend certain actions to the prosecution, but have no power to cut a deal themselves.

There are two points in the investigation that LE agents may approach you to cut a deal: before and/or after pressing charges. If an agent comes to you promising a sweet deal without pressing charges, smile to yourself. No charges, no reason to cut a deal. This is another ploy used to encourage you to admit to a crime.

Once the prosecuting attorney presses charges, they may come to you looking for you to cut a deal. One thing this will entail is admitting to some or all of the crimes you stand accused of. Some of the other things they may look for:

  • 1. Admission of other crimes you haven’t been accused of.
  • 2. A list of additional systems you have or can access.
  • 3. Cooperation in busting other individuals.
  • –a. Current information you possess on other cracker activity (aka narc)
  • –b. Gaining additional information via logged chat or recorded calls. (aka informant)

Punishment

It is very difficult to guess what type of punishment you can expect to get if caught and convicted. Relevant factors that affect this are your age, level of crime, whether you are a repeat offender, if you cut a deal and more. Because most cracker cases never reach trial, there is little case history to draw off and try to isolate any trends. For the most part, cases end in a deal that involves little jail time, long probation, community service and fines. If convicted, you can expect all of the above.


Why haven’t they busted me yet?

One of the most often asked questions by young hackers is, “Why haven’t they raided me yet?” Seemingly the best evidence to support the theory that they are not being investigated, it is a lack of understanding on how the feds work, nothing more. Once an investigation begins, federal agents will do as much work on the case as humanly possible without running the chance of alerting the individual. This means that subpoenas or anything else that could get back to the target comes when all other resources have been exhausted. Once all of the evidence is processed and the case formed, agents will make sure they have a case.

Case information in hand, they take it to a judge to get a search and seizure warrant in order to accumulate more information. Once the judge issues this warrant, it is sometimes a matter of hours before they execute it and knock on the door. Because of the order of events and the way they work, it is quite likely you will not know of an investigation until you are looking down the barrel of a gun.

“But, it’s been six months since I did anything!” Another good observation, but still naïve. While the federal agents are investigating you, they are also investigating dozens, maybe hundreds of other people. Each agent works day to day with several cases open, contributing to several as they make phone calls and do research. It is not uncommon that with the amount of cases, they become backlogged. Six months? You aren’t in the clear.


In Conclusion

Defacing a web page, especially one run by the government, is a serious crime. With the recent rash of government/military defacements, one has to wonder if the defacers are aware of the potential repercussions of their actions. Is replacing a web page with a hastily written one or two line text message worth going to jail for? No justification of ‘hacktivism’, free security audit, or any other shallow attempt to justify defacing holds up. No court will buy it, no agent will go easy on you for it.

        "0wn3d by h4ckerX, fuk da gov. greetz to bob"

        "hacked for my true love Meg!$!$@$"

Are either of those messages really worth rotting in jail for a year? At the end of which you are not allowed to touch a computer or cell phone? Did you really accomplish anything or get a message across?

I certainly think not.

In Response To: Computer Crime-Abetting Sites…

[This was originally published on Aviary Magazine and mirrored on attrition.org.]

Original Article:
        http://biz.yahoo.com/bw/991018/ca_compute_1.html
        (Company Press Release)
        Computer Crime-Abetting Sites Will Dramatically Increase
        Costs for Businesses and Consumers
        Business Wire -- Oct. 18, 1999

When it Rains it Pours

It was only weeks ago that I wrote an article on inflated damage figures. After reading several pieces on supposed damage figures for various computer crimes, a pattern began to form that did not sit easy with me. As luck would have it, another damage figure jumped out that topped the previous record of the early 298 million amount set early on the Kevin Mitnick case. Do we hear half a billion? A billion? Nope, lets jump up one more notch and hit the TRILLION figure. No, I wish I were kidding too.

Because of the nature of this article (company press release) and the abundance of shady points, I will resort to the age old method of Usenet/e-mail style reply. Text from the company press release will be in italics while my reply will be in regular text. You’ll have to excuse me as I will have fun with this one!

My Response, Point by Point

> Hacking and computer-crime-abetting Web sites are supplying
> Web surfers with tools and instructions that could cost
> consumers and businesses worldwide over a trillion dollars this year.

Wow! What a dramatic and shocking intro to a company press release. Unfortunately for them, it did not have the desired affect like they had planned I am guessing. Rather than think “This is a serious problem!”, many colleagues and myself said very little because of the laughter that ensued.

The first problem is defining “computer-crime-abetting Web sites”. There are two basic things that could possibly brand a site with this label. Intent and Information. Did the we site knowingly and intentionally distribute information with the intent to encourage computer crime? Proving intent in such a fashion is very difficult and often falls as a debate among scholars. How can you positively say the site wasn’t distributing the information with the intent to help people by making them aware of the problem?

Second, the information itself. Does posting information regarding activity that is illegal constitute ‘abetting’ criminals? Of course not. If it did, then sites like CERTSecurity Focus, and Happy Hacker would all be guilty of this crime. I think it is safe to say at least two of those sites have good intentions. The only way to combat security problems and protect sites is knowing the details about attacks. Without these details, site administrators can not make the determination to shut a service down, upgrade their Operating System, apply new patches, or ignore it as it does not affect them.

Of particular interest is this ‘trillion’ dollar claim. Throughout the short press release, Computer Economics gives no support to this damage figure. They give no insight as to how they reached this number, who they surveyed, or anything else remotely insightful. Isn’t this one of the signs of snake oil?! **link snake oil faq** Isn’t one trillion dollars one quarter of the national deficit?!

> Computer Economics research shows that hacking and computer crime
> will experience a dramatic increase in the next few years due to
> the abundance of Web sites devoted to these topics. Also factoring
> into the growth of computer crime is the low cost of the tools and
> instructions that these sites sell, and the rise of the wireless
> Internet.

I can’t help but wonder why they use the word ‘sell’ in relation to computer crime information. Why they would refer to a handful of distributers that pawn off half a CD-ROM of outdated text files while ignoring the sites that give away up-to-date information for free. Perhaps this falls into the picture of nefarious activity and helps sell their cause? And where in the world did the wireless aspect come in?

> "The Internet has always been a haven for computer criminals,"
> said Computer Economics research analyst Adam Harriss. "The
> technologically savvy hackers have been online swapping tips
> and programming for decades, but now the information is being
> posted and sold at low cost in a form that even the techno-illiterate
> can understand. Causing damage to machines and infiltrating systems
> has become as easy as putting together a child's Christmas toy."

I would be willing to bet a couple dollars that Adam Harriss has been on the Internet for less than two years. I certainly hope I am correct as the above quote should only come from a complete neophyte that has little to no clue about the history of the Internet. Founded on open resources and sharing of knowledge, the Internet was a research and development network designed to facilitate the advancement of technology and all scientific ideas. For the first decade or two, there were no laws governing it. There was no ‘computer crime’, no laws against hacking or intrusion. To make such absurd and un-intelligent claims as Harriss does is an outright insult to the founders of the Net.

> While some hacker sites warn that the products they sell are to be
> used for informational purposes only, other sites pander to malicious
> users, and are growing a future generation of hackers by targeting
> children. The proprietors of some hacking manuals tout them as guides
> that help users "search for company secrets." Vendors of hacking
> hardware often boast that their goods "screw up all types of computer
> disks." Software that could be used to pirate other programs is
> sometimes said to be "a must for anyone who doesn't want to pay full
> price for software."

I will send mail to the contact for this article as well, but let this be an open challenge for Computer Economics to quote where any “Vendor of hacking hardware” boasts that their goods “screw up all types of computer disks.” It amazes me that industry charlatans get away with spewing loads of false claims without ever backing them in any fashion. That a single person gets taken in by such unfounded and wild claims still amazes me.

> Not only are these hacking tools priced very low, but many of the most
> popular hacking tools, such as L0phtCrack, AntiSniff, nmap, and netcat
> are free shareware. Manuals and software about hacking and computer
> crime interests such as viruses, counterfeiting, piracy, and various
> types of fraud typically run from $8 to $60.

Interesting that Computer Economics calls L0phtCrack a ‘hacking’ tool, while agencies like the Department of Energy pay for it as an internal auditing tool. Security consultants and hackers alike use NMAP and other network scanning utilities. If a hacker uses ISS or Retina to break into an NT machine, does it automatically change their status from ‘Network Security Scanner’ to ‘hacking tool’?

I don’t know about you, but I have never paid $8 to $60 for any manual or software about hacking and computer crime. In fact, it is rare that you see any organization selling this information, and even fewer that make any form of living off it. All of the information sold by these companies is readily available on hundreds of computer security sites. Using the word ‘typically’ is flat out wrong.

> The low cost of computer crime software and hardware combined with the
> dramatic expansion of the Internet into new, lesser-developed regions
> of the world promises to exacerbate the hacking problem. There are
> roughly three times as many people using wireless phone services as
> there are people on the Internet, so there is possibility for an
> online explosion once a wireless Internet is established. With the
> expansion and proliferation of the Internet in many countries with
> loose regulation of computer crime and poorly organized law enforcement,
> hacking and computer crime will flourish in the years to come.

Blame it on third world nations, that always works! This is just about the last possible point of blame that could be drug into this article in a desperate attempt to sell that ‘trillion’ figure. We also get the second mention of the ‘wireless’ Internet that will be established. I’d hate to be the first to break this to Computer Economics, but wireless is already here, and it is in no position to challenge the hardline backbone the Internet relies on. Using this is weak justification for a completely unrelated point (that of computer crime proliferation).

> Computer Economics is an independent research firm specializing in
> helping IT decision makers plan, manage, and control IT costs through
> advisory services, analyst support, an innovative Web site, and
> printed reports. Based in Carlsbad, Calif., Computer Economics serves
> 82 percent of the Fortune 500. For further information, please visit
> the Web site at http://www.computereconomics.com.

Wow. 82 percent of Fortune 500 and I have never heard of this company. Asking around I can’t find a single colleague that has seen the name, many of which work daily for Fortune 5’s. Looking at their statement, it is interesting to note there is absolutely no mention of security services, computer forensics, computer crime control or anything remotely related to the subject of this press release.

Lucky for us, they were kind enough to include a contact address for further inquiry. In case it wasn’t apparent, I encourage all OSALL readers to take a moment and send mail to this company. Ask them some of the questions I have posed as well as anything that backs their claims. Let them know these articles will not go unchecked!

   Contact:
     Computer Economics Inc.
     Catherine Huneke, 760/438-8100, ext. 108 or 116
     chuneke@compecon.com
     http://www.computereconomics.com

Inflated damage figures. No quoted sources backing their claims. No reputation good or bad among a dozen or so security professionals. Add them up and it seems to me we have a new industry charlatan in the making.

In Response To: Bring in the Cyberpolice

[This was originally published on Aviary Magazine and mirrored on attrition.org.]

Original Article:
        Bring in the Cyberpolice
        by Christopher Watts
        Forbes, November 1, 1999
        page 112

Warning and Disclaimer

Every once in a while a new article comes across my desk that I just have to respond to. In most cases I try to present additional ideas or a new viewpoint and often agree with the original article. This article will be different. I’d like to apologize in advance for the more insulting tone this article will take. The article I am responding to rubs every last nerve in my body and just screams “What in the hell were you thinking?”. My response will also contain more questions than usual. Questions that will not be answered by me, as I am posing them to the subject of this article in an attempt to point out how thoroughly naïve and unthoughtful he was before making his comments. For those who dig articles beset with flames, you will no doubt have fun!

Original Article Summary and Relevant Quotes

Christopher Watts devotes a couple of pages to ideas on Internet regulation and funding from Robert Cailliau, a 52-year-old Belgian native who heads Web communications at CERN and spends much of his time with the International World Wide Web Consortium (a standards-setting body). Some of the more interesting parts of the article lead to an abundance of questions.

  "We're in the middle of chaos. It may calm down. But the alternative
   is that there's a total meltodwn of the system and that it becomes
   unusable. That would be a catastrophe. We must regulate [the Web]
   if we want to have some civilization left. And it's getting urgent."
                                        - Robert Cailliau

  How would Cailliau make the Web more civil and less chaotic? His
  controversial idea is that we should find some means other than
  banner ads to finance it. "The forced influence of advertising has
  given us completely useless TV," he notes. "You don't want that on
  the Net. But most on-line information providers need to attract
  advertising - which slows downloads and clutters the screen with
  windows."

  To reduce the Web's dependence on advertising, Cailliau proposes a
  socalled micropayment system, wherein Web surfers would pay a few
  cents every time they download a page from the Web. "It would change
  the landscape completely if [Web-site owners] could live by providing
  a high-quality, responsive service," says Cailliau.

  "An article from a newspaper would [cost users] something on the
   order of a cent or less, but a really hot item could be several
   cents, depending on what the author thinks he or she can get away
   with. If you find it too expensive, you go somewhere else. The site
   that's too expensive loses clients." - Robert Cailliau

  Cailliau's other proposal to save the Web from its own success:
  License all Internet users, the way auto-mobile drivers must be
  licensed to use public streets. In defense of this controversial
  idea, Cailliau says: "To get a license, people would have to learn
  basic behaviour: choosing an Internet service provider; connecting
  to the Web; writing e-mails; problem diagnosis; censoring your own
  computer; and setting up a site. More important than that: knowing
  what dangers to expect and knowing how the Internet can influence
  others."

  "If you operate a TV or radio state, you have to have a license. It
   has nothing to do with fundamental freedom. It has to do with
   protection of the average citizen against abuses."
                                        - Robert Cailliau

  "Everybody thinks that licenses are perfectly all right on the
   roads, because of the danger to life and limb. But one can equally
   cause a lot of harm by spreading false and dangerous information.
   Sooner or later someone is going to be able to trace the death of
   a person to an Internet act. Then [the licensing question] will
   probably be taken seriously."        - Robert Cailliau

The so-called macropayment system

For avid Cyberpunk readers, you are probably already groaning about this idea, frantically waving your copy of Snow Crash around. Neal Stephenson described the macro-payment system in more detail in his 1993 book “Snow Crash”. In the novel, Hiro Protagonist uploads information to a large network like the Internet in hopes that someone will find it useful. When they do, he collects money from their use of the information. What Robert Cailliau seems to forget is the actual implementation of this. Sure, it is trivial and novel to suggest such grand ideas that will revolutionize the Internet while saving us from ourselves, but these ideas look petty and trite in their infant stages.

Taking his example, lets say the article you are reading cost three cents. We can answer my first question of “Who determines the value of each page?” with “the author does.” Imagine browsing the OSALL site and seeing an article title “In Response To: Bring in the Cyberpolice”. Would you pay three cents to read it based on that? If not, would a three line summary of the article do it? After all, it’s only three whole cents to read it. So you decide to give it a shot and click on it. Wait, pop up box asking if you are sure you want to pay three cents for the following page. Imagine that pop up box for almost every page you see. Browsing would get very annoying very fast.

So now you’ve clicked on this article and read it. How do you pay for it? You have an outstanding debt of $0.03 to pay to OSALL and believe me, Mike wants to collect! What kind of payment system would have to be in place for this to work? Would you pay your ISP who would in turn pay OSALL? Wouldn’t paying two hundred sites a month become more tedious and annoying? I don’t know about you, but my bank charges me for wiring funds to other account holders, cutting cashiers checks and more. Imagine the fees associated with paying hundreds of people. In today’s world, I have a feeling the fees would outweigh the browsing costs.

When you reload the page, is there a second charge? What if the article is updated with more information or corrects errors? How about sites that mislabel the cost of their articles? Or sites that overbill you by ten cents? Are you really going to take fifteen minutes out of your day to complain about each site that does this? All of which is adding up creating a bill three times what you expect? What if you aren’t satisfied with the content you read, who do you get a refund from? What is the process for doing so?

There are so many questions and so few answers, this system seems doomed to failure before it leaves Cailliau’s mouth. Does he have answers to any of these questions? Or does the W3C have ideas on how to implement this in a fashion that is standard? I don’t think so.

License and Registration please!

Can you imagine the dialog box that would pop up when you violated an Internet regulation? I sure can’t. Cailliau’s idea that we should “license all internet users the way automobile drivers must be licensed to use public streets.” is another beautify of an idea. Let’s give this one some more thought.

Licenses are designed to show you are familiar with the laws and regulations that govern a particular aspect of society. Your driver’s license is more than a picture that gets you into bars, it shows you have fundamental operating knowledge of automobiles, and the regulations that dictate driving them on public streets. Well, what laws are there that govern Internet usage? A handful of laws about cyber stalking, computer hacking and the like. Cailliau’s idea that Internet Licenses would cover everything down to netiquette suggests more laws would need to be created. Do we really need laws and regulations dictating that quoted material in a Usenet post should not exceed the reply? That flames should be taken to e-mail after x amount in a public forum? That emoticon abuse consists of using x emoticons in a given message? While some of this is actually appealing because of the rampant stupidity displayed by many net users, do we really need laws governing it all?

Now the tough questions. Who would set all of this up? Would you be granted a country based license? International license? Who would make the regulations that dictate Internet use? Who would issue these licenses? Would they be a software token that interfaces with your dialup software? Who would police violations of regulations? If you violate a law, what would the punishment be? What would the penalty of ‘surfing without a license’ be? Would there be a charge associated with the license? Renewal? Revocation?

What next? A license to walk down the street? Makes as much sense as any Internet license. Both allow you to interact with other people, view businesses and web sites, put up your own message and more. Yet we need a license for one and not the other? It seems to me this idea was born out of the media hype and hysteria surrounding “all the bad things” found on the Internet.

Perhaps a more practical solution would be increased attention to abusive individuals. When i report a spammer or flooder, it the foreign system will take the steps necessary to document the incident and terminate the net access of the offending individual, wouldn’t that work just as well? If the person keeps doing it, they will eventually run out of ISPs in their area. If ISPs shared files on these abusive individuals, it would make it even more difficult. While my idea is not much better than Cailliau’s, it is already there and works sometimes.

My turn for a great idea

The notion of macropayment is very appealing, especially to me. I help run and maintain a web site that gets more than five million hits a month, without making a penny for my efforts. If I could get one penny per hit, or even ten cents per person that visited the site, life would be good. I for one would love to see some kind of system set up to pay for content, but my practical and logical side kicks in every time.

In keeping with Cailliau’s naïve and primitive ideas, I would like to suggest that in the future we travel via Star Trek teleporters. They are faster and more efficient, and are much more practical. Rather than spend all of that time and hassle on airplanes, boats, trains and cars, we can beam straight to where we want. Of course, like Cailliau’s ideas, I may need to actually think about how it would be implemented first. Damn, I knew it sounded too good to be true!