The idea is that everything needs to be authenticated, including the hardware, operating system, application software, and anything the software creates or sends. It all starts with trusted hardware components, to prevent software from manipulating and invalidating the trust routines situated in the hardware. Currently, many hardware and CPU vendors are building TPM (trusted platform module) chips onto the motherboard. Linux and Microsoft are already starting to use the chips; enterprise versions of Windows Vista will use the TPM chips to store encryption keys that lock up the hard drive prior to booting to prevent boot-around attacks.
Once the hardware is secure, vendors can build trusted and authenticated operating systems that rely on the trusted hardware. Then application vendors can rely on the OS for trust and allow people to send trusted data content back and forth to each other.
In the future, it is highly likely that the Internet Version 2 will require default authentication on all messages, from source to destination. For example, in order for your e-mail server to send an e-mail to my e-mail server, it must authenticate to my e-mail server first. Your e-mail server will authenticate that your e-mail came from you and that you meant to send it. Your operating system will ensure that your e-mail client isn’t being controlled by a worm or spybot.
Some people say that persuasive authentication is bad, that anonymity is necessary in certain places, like AIDS testing organizations and rape recovery meeting groups. That's fine -- keep your anonymity. I’ll just not allow anything that needs anonymity to connect to my business asset, and I’ll pay extra for that protection.
Maybe there will be two Internets: one for default authentication (and encryption) and another for the untrusted world to play. IRC (Internet Relay Chat) channels have that now. Unauthenticated IRC chat channels are a dangerous place to hang out for most Internet users. The trusted and authenticated IRC chat channels are mostly free of the malicious hacking and bot wars that plague the untrusted version.
For hackers to attack the trusted Internet, they will need to compromise the persuasive authentication mechanisms. And they will, because humans will code the authentication mechanisms and we are imperfect. But we will be able to install one patch and immediately remove that attack threat -- which is the opposite of what we do now. Today, we cure one symptom while ignoring the underlying disease.
The solution to our security problems isn’t a particular product or vendor, but persuasive authentication, which will probably only happen after multiple catastrophic e-commerce events and forced government regulation. We know what the fix is, but we are reactive sheep, waiting to be forced to the real solution.