
Shady Illuminations

The Phish Cheer

by John Shade

Phishing has John feeling like he’s living in a dream world—only it’s not his dream.

This is apparently not a new Google feature introduced at Google I/O:

“Proof of concept phishing attack with a fake browser window created with HTML/CSS/Javascript.”

Hurray. Research continues to advance the state of stealing your passwords.

Wikipedia tells us that phishing is “the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”

The people who track this sort of thing tell us that phishing is on the rise. And not just because of the tour.

Phishing is the only truly unsolvable problem in computer security. It exploits what will always be the weak link in electronic communication: humans.

OK, that’s not entirely true. It’s true enough that people are the weak link. But it’s not true that this weak link can’t be eliminated. True computer security can be achieved by eliminating the middle (man). Machine-to-machine communication eliminates sluggishness, ambiguity, and a host of other problems in eliminating the human element. Some problems just go away entirely when you take humans out of the equation. You don’t need laws against drunk driving or other unsafe driving practices, or traffic cops to enforce those laws or traffic court to decide cases, if cars drive themselves.

But as exciting as the prospect of phasing out humans is, it only goes so far. You probably can’t entirely remove the human from commerce or politics. There will continue to be some humans in cyberspace for the foreseeable future.

And if you’re human, you can be phished.

Once you know you’ve been phished, though, the forensic phase begins. Or phorensic phase. And that’s a different game. Now the predator-prey relationship is flipped. Phlipped. It’s now about phinding the phisherman. And here we have decades of relevant data drawn from police procedurals. We know how conventional police find conventional crooks: the crooks brag to their friends. Or phriends. Who aren’t such good phriends. Because, duh, they are friends with crooks.

So the crooks have an equally unsolvable problem of security. Unsolvable for exactly the same reason, because they have to depend on exactly the same weak link: humans.

And we can see a familiar meta-game here. Each new advance on one side leads to advances on the other, in an ever-escalating cat-and-mouse game that produces ever more complex and clever cats and mice. (If you build a better mouse will the world beat a path to your door?) For the mouse, the goal is to keep from being noticed as long as possible. Because as long as the victim doesn’t know she’s a victim, the vicious meta-game of cat and mouse hasn’t even begun.

We begin to see where this is heading. In the Wikipedia phrase “masquerading as a trustworthy entity,” the word “entity” is a free variable. Really, phishing makes you think you’re somewhere you aren’t by faking an environment. Clearly, the phishing operations of the future will create ever-more complex and persistent fake, or phake, environments, keeping the victim in phishspace as long as possible, postponing the inevitable moment when the fakery is exposed and the hunt begins.

But does the fakery ever have to end? The internet is already being balkanized. Might it not come to include one or more phish domains, imitating the rest of the internet, bounded by invisible walls, keeping the victim inside?

Imagine a virtual world, created just for you, your own private and thoroughly convincing phishspace. If it never gave you reason to doubt it, you would move about in it as obliviously as you do in the “real” online world.

Thin tendrils could reach out to capture your email and facebook traffic, or, alternatively, any email or other connection could result in your contact being absorbed into the phishspace you’re in.

The difficulty (for the phisher) would come when your bank account became empty. If the phisher is doing all this to grab your money, then the game will end as soon as the bank in the real world notifies you that you’re broke.

So the phisher doesn’t make you broke. If he just siphons off a fraction of a cent here and there, like a bank cyber-embezzler, he ought to be able to keep the game going indefinitely, especially if he absorbs all your connections and all their connections, and taps all their bank accounts....

Eventually this would reach some sort of Borgesian superposition of inevitability and impossibility. Eventually, one of these phish worlds would succeed in swallowing the real world, and we’d find ourselves—without knowing it—living in a phuture where everything would be exactly as it is now except that some kajillionaire or group of kajillionaires would be sucking the blood of the world unnoticed.

And we wouldn’t be able to distinguish that world from the world we currently live in.

Crazy idea, I know.

John Shade was born under a cloud in Montreux, Switzerland, in 1962. Subsequent internment in a series of obscure institutions of ostensibly higher learning did nothing to brighten his outlook. Vide supra. Follow John on Twitter, send him your feedback, or discuss the article in the magazine forum.