Why the Internet is Terrible
Saturday, the sixteenth of November, A.D. 2024
I just got done deleting ~30 bogus user accounts from my personal Gitea insteance. They all had reasonable-ish-sounding names, one empty repository, and profiles that looked like this. Note the exceedingly spammy link to a real site (still up as of writing) and the ad-copy bio.
Obviously this is just SEO spam. My Gitea instance got found by some automated system that noticed it had open registration,
This particular problem was easy enough to deal with: Just remove the offending users, and all their works, and all their empty promises. But it got me thinking about the general online dynamic that everybody online is out to get you.
The Internet is terrible, and everyone knows it
This isn’t a news, of course. People go around saying things like:
Here are the secret rules of the internet: five minutes after you open a web browser for the first time, a kid in Russia has your social security number. Did you sign up for something? A computer at the NSA now automatically tracks your physical location for the rest of your life. Sent an email? Your email address just went up on a billboard in Nigeria.
and everyone just smiles and nods, because that’s what they’ve experienced. I’ve encountered people who are highly reluctant to pay for anything online via credit card—they would much rather use the phone and give their credit card number to a real person who is presumably capable of stealing it, should they so desire—because the general terribleness of the internet has become so ingrained into their psyche that this feels like the better option, and you know what? I can’t even blame them.
Anyone who works on web applications for a living (or a hobby) is especially aware of this, because odds are that they’ve been burned by it already or at least are familiar with any number of existing examples. The very existence of sites like Have I Been Pwned is predicated on the inescapable terribleness the permeates every nook and cranny of the Internet.
Of course, people trying to take advantage of the careless and clueless isn’t a new phenomenon. The term “snake oil salesman” dates back to the 18th century and refers people who would go around selling literal snake oil
But something about the Internet makes it much more present, more in your face, than old-timey snake-oil salesmen. I’ve seen no hard numbers on this, and I don’t know how you would even begin to estimate it, but but I would guess that the incidence rate of this sort of thing is vastly higher online than it’s ever been in meatspace.
So what is it about the Internet that makes deception so much more prevalent? Ultimately, I think it boils down to three things: availability, automation, and anonymity. The Three A’s of Awfulness, if you will.
You’re in the bad part of town
Have you ever wondered why physical locks are so easy to pick? It takes some know-how, but from what I can tell, most commonly-sold locks can be bypassed within a minute. I’m just going to say it right here, and I don’t think this is a controversial take: For a web application that would be an unacceptably low level of security. If it took an attacker less than a minute to, say, gain administrative access to a web application, I’d consider it just this side of “completely unsecured”.
But! Meatspace is not the internet. The constraints are different. Over the lifetime of a given lock, the number of people who will ever be in a position to attempt to pick it is usually quite low, compared to the number of people who exist in the world. Of course, the circumstances matter a lot too: A lock in a big city is within striking distance of many more potential lock-pickers than the lock on a farm out in corn country somewhere, which is part of why people in cities are frequently much more concerned about keeping their doors locked than people in rural areas. And within a single city, people who live in the bad parts of town tend to worry more than people who don’t, etc.
But on the Internet, everyone is in the bad part of town all the time! That’s right, there’s nothing separating your podunk website from every aspiring journeyman member of Evil Inc. except a few keystrokes and a click or two. It doesn’t take Sir Scams-A-Lot any longer to send an email to you than to your less-fortunate neighbors in the housing projects, and so on.
In other words, the size of the “target pool” for someone who has a) an Internet connection and b) no conscience is literally everyone else with an internet connection. At last count, that number was in the billions and rising. This alone would make “online scurrilousness” a far more attractive career choice than “cat thief”, but don’t worry, it gets even worse!
Their strength is as the strength of ten
You might be tempted to think something like “Sure, being online gives the seamier sort of people immediate access to basically everyone in the world. But that shouldn’t really change the overall incidence of these sorts of things, because after all, there are only so many hours in the day. A hard-working evildoer can still only affect a certain number of people per unit time, right? right?” But alas, even this limitation pales before the awesome might of modern communications infrastructure.
In meatspace, you can only be in one place at a time. If you’re over on Maple Street burglarizing Mr. and Mrs. Holyoke’s home, you can’t also be selling fake stock certificates on Jefferson Ave, or running a crooked blackjack game in the abandoned warehouse off Stilton. But we aren’t in meatspace any more, Toto. We’re online, where everything is done with computers. You know what computers really love doing? Endlessly repeating the same boring repetitive task forever. The Internet is a medium uniquely suited to automated consumption. In fact, approximately 30% of all internet traffic comes from automated systems, according to Clouflare, and they should know.
So what does a clever-but-unscrupulous technologist do? That’s right, he goes looking for vulnerabilities in widely-used platforms like Wordpress, finds one, then sets up an automated system to identify and exploit vulnerable Wordpress installs. Or he uses an open-source large language model like Llama to send phishing emails to every email address he can get his hands on, and maybe even correspond with susceptible people across multiple messages,
Interestingly, the automate-ability of anything that happens over the Internet seems to have leaked back into the phone system as well. I don’t think anybody would disagree that scam phone calls are far more common than they used to be.
One might ask why this wasn’t the case before the Internet, since auto-dialing phone systems certainly predate the widespread use of the Internet,
The scammer with no name
There’s a third contrast with meatspace that makes life easier for people whose moral compass has been replaced by, say, an avocado: Nobody knows who you are online. In real life, being physically present at the scene of a crime exposes you to some degree of risk. There might be witnesses or security cameras, your coat might snag on a door and leave some fibers behind for the forensic team to examine, you might drop some sweat somewhere and leave DNA lying around, and of course there are always good ol’ fingerprints.
All of this is much less of an issue online. In fact, one of the loudest and most attention-seeking hacking groups literally just called themselves Anonymous. Of course, then a bunch of them got arrested, so maybe they weren’t quite as anonymous as they seemed to think they were. Still, I think it’s safe to say that it’s a lot easier to stay anonymous when you’re committing crimes online vs. in person. Or from another angle, it takes (on average) significantly more law-enforcement effort to de-anonymize a criminal online than in person.
I’m pointing out the downsides here, of course, but it’s worth noting that online anonymity is a coin with two faces. It’s fundamental to the question of privacy, especially from governments who would love nothing better than to know every sordid detail of their citizens’ lives forever.
The economics of evil
In the end, you can think of this all as a question of economics.
Will it ever change?
The Internet has often reminded me, alternately, of a) the Industrial Revolution and b) the Wild West. It reminds me of the Industrial Revolution because there are great examples of unscrupulous people taking advantage of a new set of economic realities to make tons of money at the expense of poor everyday folk who are just trying to live their lives. And not just straight-up criminals like we’ve been discussing, but also exploitative businesses and corporations (adtech, anybody?) that hearken back to the days of e.g. factory owners profiting from the slow destruction of their workers’ lives. But the Internet also calls to mind the Wild West of the mid-to-late 1800s. Like the Wild West, it’s a huge new swathe of unexplored territory rich with opportunity, if a little uncivilized.
But eventually, both the Industrial Revolution and the Wild West settled down and got a little more civilized. Eventually people developed things like labor unions and OSHA regulations,
Will the same thing happen to the Internet? I don’t know. It might! Already you can start to see a sort of social “immune system” developing with regard to things like phishing emails and calls. For instance, I know plenty of people who have a policy of never answering their phone at all if the call is from a number they don’t recognize.
Ultimately the only workable solutions will have to a) increase the cost of carrying out these attacks, or b) reduce (on average) the reward. In the end it probably won’t be solved completely, much like crime isn’t solved today. But I’m hopeful that, much like today’s Texans don’t have to worry much about their stagecoach being waylaid by bandits, we’ll see less and less of it as time goes on.