Phishing John Malkovich
One of the most intriguing movies I’ve ever seen is Being John Malkovich. My favorite scene is the one where John Malkovich is in a room full of variously guised John Malkoviches speaking a vocabulary of exactly one word: Malkovich. Malkovich Malkovich Malkovich. Malkovich.
Anyway, as I was saying - I hate phishing at least as much as you do (assuming you’re not a phisher). But I also love what it has to teach us. I find that phishing phenomena epitomize how many security problems are incepted, exploited, and dealt with. I sure wish we’d pay more attention to it.
I’ve no idea how much the world spent on phishing in 2006. If you have a good estimate please tell me. But judging by the curves reported at the Anti-Phishing Working Group, it was a lot more than we spent in 2005. Whatever it was, I’m certain we squandered at least 90% of it.
Some say phishing is a technology problem stemming from a universal lack of authenticated email. Others say it’s a social problem stemming from universal lack of public education. Having watched my security team struggle with it at Amazon.com, I’m not convinced either is right.
Like a majority of security problems, we’ve invited phishing upon ourselves through an astounding lack of imagination, foresight and insight. Imagination, because those who first thought it was a good idea to use HTML for email message bodies obviously didn’t take five to consider its abuse potential. Foresight, because many e-companies who stand to legitimately profit from HTML email continue to put all their eggs into that one basket. Insight, because we’re all wringing our hands and throwing money at a problem with nothing but lost ground to show for it.
Enter John Malkovich. My plan is simple: Everyone puts their entire 2007, 2008, and 2009 phishing budget into a big pot; takes back 90% of what they put in (that’s the “Security ROI” your Finance department keeps asking about); and leaves the remaining 10% for John Malkovich and the major media outlets. In return John Malkovich makes a commercial that’s aired with mind-numbing frequency on television and YouTube. Here’s the script:
John Malkovich enters a room full of John Malkoviches holding an open wallet overstuffed with hundred dollar bills. He wanders aimlessly about the room saying “Phishing Phishing Phishing.” The other John Malkoviches grab bills from the wallet saying “Phishing Phishing Phishing.” Then John Malkovich looks squarely at the camera and says:
Give John Malkovich a phish, he’ll take some of your money. (Tosses one bill into the John Malkovich crowd, who all jump to get it)
Teach John Malkovich to phish, he’ll take all of your money. (Tosses the whole wallet into the John Malkovich crowd, who all fight to get it)
Or, keep your money. Stop using HTML email today.
If you think I’m kidding, do the math. Be sure to factor in all the time we spend wringing our hands. And don’t forget Net Present Value.
John Malkovich: You’re the only one who can save us from ourselves. Please, let’s talk…just not via email.