Child Pornography and Computer Hacking
This past week I was overwhelmed with responses from a number of media stories. A couple of Blackberry business articles, a couple of Facebook expert articles, an article about a Hong Kong sex scandal, as well as some TV and radio appearances, first about the bust of a child porn ring, and then about the bust of a Quebec-based hacker cell.
In general my policy is to respond to anyone who takes the time to get in touch with me. Yet I've now had to revise this policy to only reply to people who show respect rather than outright hostility. Something about the audience that reads the National Post brings all sorts of trolls out from under the bridge.
The CBC audience on the other hand is a pleasure to interact with. Even when they strongly disagree with me I find CBC viewers and listeners to be intelligent and engaging. One particularly pleasant email I received was from a "middle-aged mother" who will remain nameless, but I suspect represents a typical Canadian, from an average family. For the sake of argument, let's call her Louise.
As the mother of the family, Louise, more by default than by choice, has become the person responsible for taking care of, and more importantly securing, the family computer. While she claims she's not all that "tech savvy", her email actually demonstrates that indeed she is, or rather that her humility is what allows her to genuinely understand what's going on.
Unfortunately tech savviness is one of these myths that are more attitude than reality. I've been thinking of an article titled "The Problems with Technology Journalism" and the cultivation of perceived tech savviness is right up there as all sorts of hucksters use it to establish their illegitimate authority. A rant for another day.
Let's get back to Louise. She's smart, and she's in touch with news, and she can't help but start connecting the dots:
When I began hearing reports that thousands of computers in Ontario are carrying on-line child porn, I was incredulous that there could be so many deviants among us, and therefore began to wonder if this nefarious trafficking could be happening on hijacked computers, which I had vaguely heard about.
Indeed the distribution methods and counter-espionage techniques that child pornography rings use to evade detection and move their files around the Internet are the same models employed by the computer underground in general. Personal or home computers are the front line for cyber crime as they are the most insecure and the easiest to hijack. We're seeing the emergence of mercenary botnets that can be hired for any illicit role, from spam to child porn to whatever.
So Louise naturally wonders if her computer is at risk, and it is her role to ensure the system is properly updated and that the necessary security software is also updated, running, and not complaining. This of course can be a pain, especially when the security software starts complaining about legitimate software like mIRC, which can be and is used by botnets.
In this case a conflict starts festering between the concern of the mother in protecting the family (and the computer) and the desire of the son to be free to use the Internet as it should be used. This polarization between paranoia and security on the one hand, and complacency and freedom on the other, is not uncommon. Louise writes me in part to help clarify aspects of the debate, but also to weigh in on which side I might agree with.
Of course being the Libra that I am, I like to find balance, and I think there's truth on both sides, and the answer lies in the middle in addition to elsewhere. Louise ended her email with a list of questions, and encouraged me to answer via blog post, instead of just a reply. So here goes:
What do you think?
I think Louise is typical because many Canadians use security software and yet are still not left with a feeling that they are secure. When the software does tell them there's a problem, they do not necessarily know if it's real, a false positive, or for that matter if the action they should take is appropriate.
Louise has good reason to be paranoid. Almost all the computer security professionals I know who truly understand the state of the net are totally paranoid.
Yet on the other hand her son has good reason to dive right into the Internet and learn as much as he can, by any means. I personally use IRC all the time, and have learned a great deal over the years using this wonderful interactive medium. I personally think its power is part of why botnets use IRC as a command and control mechanism, although that's being replaced by encrypted and distributed p2p nets (also a story for another day).
Does it look like our computer could be at risk for hijackers?
As far as I'm concerned any computer is at risk of being hijacked. Factors such as running Windows increase this risk, but not to the extent that Apple, Linux, or anything else is immune. Running security software decreases the risk, but it won't eliminate it. Malware and trojans exist now that can do all sorts of nasty tricks, from turning off security software while it appears it's still running to just burrowing into the system and hiding until activated at a later date. While security software does a good job of catching these worms, they can take time, and they require regular updates and vigilance that many people just don't have.
I think we're nearing the end of personal computing, or at least in the way it has existed the last couple of decades. I myself have been operating on a network-centric computing model for some time, and am now integrating this with a broader social-centric model. I think of my personal systems as disposable, and if they were infected, I could easily wipe them clean and start again. With that in mind I pretty much do not run any security software at all, and have a firewall that is somewhat restrictive, although I've taken the time to learn how to tweak it when necessary.
How can one find out if one's computer is being used for nefarious purposes, such as child porn?
Well, if you really want to go nuts, it helps to have it behind a router/firewall such as BSD or Linux that would then allow you to sniff packets and analyze data traffic. I've done this during past infections and it can be kind of fun doing the sort of investigation into what's going on. My brother Joshua has done this many times, in one instance even going into the IRC channel of the mastermind to have a chat with him. I've saved that chat and have included it in a book I've been working on for almost a decade. :P
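An added example, not code from the original post: a sketch of the gateway traffic analysis described above, assuming the first payload of each outbound TCP connection has already been extracted from a capture taken on the router. The flow tuples, addresses and function names are constructed for illustration; it flags IRC logins by content rather than by port, and lets a machine known to run a legitimate client such as mIRC be excluded.

```python
from collections import defaultdict

# An IRC client logs in by sending both of these commands.
IRC_REGISTRATION = {"NICK", "USER"}

def irc_commands(payload: bytes) -> list[str]:
    """Return the command word of each line in a TCP payload, IRC-style."""
    commands = []
    for raw in payload.split(b"\n"):
        line = raw.strip().decode("ascii", errors="replace")
        if not line:
            continue
        parts = line.split()
        if parts[0].startswith(":"):   # optional IRC message prefix
            parts = parts[1:]
        if parts:
            commands.append(parts[0].upper())
    return commands

def looks_like_irc_login(payload: bytes) -> bool:
    """True when the payload carries both NICK and USER."""
    return IRC_REGISTRATION.issubset(irc_commands(payload))

def unexpected_irc_hosts(flows, known_irc_users=frozenset()):
    """Map each internal host seen logging in to IRC to the servers it used."""
    hits = defaultdict(set)
    for src, dst, dport, payload in flows:
        if src in known_irc_users:     # e.g. the machine running mIRC
            continue
        if looks_like_irc_login(payload):
            hits[src].add((dst, dport))
    return dict(hits)

# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5", 6667,
     b"NICK kid_pc\r\nUSER kid 0 * :mIRC user\r\n"),
    ("192.168.1.20", "198.51.100.7", 8080,      # IRC login on a web port
     b"NICK xk29dj\r\nUSER xk29dj 0 * :xk29dj\r\n"),
    ("192.168.1.20", "203.0.113.80", 80,
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.168.1.30", "203.0.113.80", 80,
     b"POST /form HTTP/1.1\r\nHost: example.com\r\n\r\nuser=nick"),
]

if __name__ == "__main__":
    print(unexpected_irc_hosts(SAMPLE_FLOWS, {"192.168.1.10"}))
```

A host that shows up here without anyone on it knowingly running an IRC client is the one worth investigating further.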
Have innocent people really been put at risk of prosecution for material they don't know about?
No, not that I'm aware of, however I think it's only a matter of time.
I raise this specter whenever I talk about the innocent bystanders who are dragged into this when their computers are compromised. It worries me that so much of computer crime exists within hijacked personal computers. While at present there's been no liability if, say, your machine becomes an accomplice in a major crime, I can't help but distrust the role of corruption. Unfortunately I read about instances in which authorities slip from the confines of the rule of law and either mistakes are made, or even worse, evidence is tampered with.
Given how crazy the climate is around child porn, my fear is that it can be used to deliberately hurt someone's reputation, liberty, time, or family. Thus I worry that the crisis of general computer insecurity will combine with the pandemic of cyber crime and be used as a political or personal weapon.
Ok, so maybe Louise and I are a little paranoid, but can you blame us given how many millions of machines have been compromised around the world? The storm worm still rages a year plus after being born. What more will we see in the year ahead?







I don't blame you for setting some boundaries around commenting. Having people denigrate either you or your readers and display open disrespect takes the fun out of this kind of forum - and there's no real excuse for it. Eventually, as bloggers, it's something we all have to think about. I had a hard time deleting offensive stuff at first, but after a few bad experiences, I don't have a problem with it now.
With regards to this particular post, though, I am going to expose the full extent of my complete un-savviness and ask two questions:
1. What is IRC and p2p?
2. I run Vista, which has a firewall, and I also apparently have a firewall on my wireless router. I have AVG that scans daily, and a Lavasoft spyware thing I do every once in a while. My brother, who is the tech guy in our family, says that's enough. What do you think? And how would I know if someone's using my computer for nefarious purposes?
Ok, that's more than two questions...Sorry.
internet relay chat
IRC stands for internet relay chat, and is basically one of the older chat protocols, that is largely used for group based chat room style discussions. Over the years however IRC has been used by computer professionals for organizational and communication needs, often with "infobots" that can be tied to a database. I've been in IRC networks for the entire time I've been on the Internet. They're great for organizing companies, projects, initiatives, or just hanging out. They're also great for command and control botnet armies. :)
P2P is just peer to peer, as in torrent files and other formats that split up communication into pieces and distribute said pieces over many users' computers. So rather than a centralized chat room, a botnet army is controlled by messages that are passed around between each bot making it harder to track down where the control or commands come from.
Re: your security setup, I'm sure it is enough, but that's not really the issue. The issue is literacy, awareness, and control. You don't control any of that software and you're not in a position to really use it the way it should be used. As you say you can also not really tell if your computer is being hijacked.
The issue is interface. Interface that restricts literacy. Restricts the user's ability to understand the system. Years of using Linux and *nix systems have helped me understand what's going on in a system, so I can diagnose. This is not to say that you need to change, but rather the industry needs to change so that it's easier for you to see what I can see.