I, Cringely - The Survival of the Nerdiest with Robert X. Cringely
The Pulpit

Weekly Column

Internet Winter: Why Internet Security is an Oxymoron

By Robert X. Cringely
bob@cringely.com

A few days ago, the ninth Def Con hackers' conference was held in Las Vegas. I didn't go. I used to go every year, and was the only reporter at all to cover the very first Def Con — an event my paper at the time didn't think would be interesting, so I had to pay my own way. In those days, Def Con was funky and fun, and was run by guys named the Dark Tangent and Dead Addict. I have great stories. Today, those same guys have real names and the stakes have become too high for playing with data security to be fun, at least for me. Internet security used to be a headache, but it is about to become a nightmare. Systems are getting less secure, not more, and the damage bill — $10 billion plus last year — is going to get even higher.

Here is how. Sometime this year or next, a bored 14-year-old kid with a satellite connection will start an automated chain reaction from his sheep station in the Australian outback. Or maybe it will be a kid in the barrio or at a prep school in New England, I don't know. Whoever it is, his automated hacking machine, a program far more sophisticated than the kid will even know, will probe and scan to find insecure and accessible systems — hundreds or thousands of unprotected PCs — across the world. Accessible systems are safe havens. He'll lodge his software on them and use peer-to-peer techniques to automatically share the domain addresses of secure Web sites, which are targets. Then he'll start a cascade Denial of Service/FloodNet-style attack using ALL the accessed insecure systems, operating in tandem as a peer-to-peer network. As soon as a secure system goes down, his P2P net will automatically start on another server from the list they share and update. And on and on it will go. The hack will continue until the entire P2P net is, itself, taken down by the collateral damage. But leave just one system running a hack, and it will automatically migrate new viral bots to find new insecure hosts and propagate the P2P net further. It will be beautifully organic, this hacking organism that can only be stopped by being utterly destroyed. And because it can live on any insecure system anywhere on the Net, and replicate from there, the chances of taking it down are very low indeed. It can even spawn dormant cells that remain hidden unless the entire P2P net goes quiet. Then the dormant cells will wake up and restart the procedure. It will be a living electronic hack, an organism that lives on the Web.

It will be Borg code, the creation of e-life.

At this point, I'm supposed to write, "Ah, but here's what we do about it," only I can't. Our vulnerability is too great and our lack of defensive talent too profound. There are ways to protect systems and networks against these kinds of attacks, but no depth of will to really fight them. The Internet is already such an ingrained and incompetently managed part of our lives that it is already too late.

But we don't have to be totally stupid about it. The initial point of vulnerability for these types of attacks is generally through e-mail. Stop the e-mail distribution of viruses, worms, and trojans, and you'll at least slow down the overall threat. I know of only one really reliable way to do that. A British company called MessageLabs will next week roll out in the U.S. its virus scanning service. The way this service works is simply complicated. They look at your e-mail before you do, before it ever gets through your corporate firewall. Every message and attachment is run through a total of four virus scanners. Three of these scanners come from the big anti-virus companies and are updated several times per day. Despite what some people (including the scanner makers) say, three scanners are better than one. The fourth scanner is MessageLabs' own and is the only scanner that doesn't need a virus signature first in order to detect a virus. In other words, some other outfit doesn't have to be damaged before you know how to defend yourself. This very special scanner was the first to detect last year's LoveBug, an affliction that MessageLabs named before it did $10 billion in damage — none of it to MessageLabs customers.

The MessageLabs scanner works on the basis of knowing what viruses usually look like and how they usually act. If it looks like a virus, acts like a virus, heck, it just might be a virus, and often is.
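The layered pipeline described above, as an added Python illustration (not MessageLabs' code): three signature engines with constructed, partly overlapping signature sets, plus one heuristic engine that scores the traits mail-borne script worms tend to share, so an attachment nobody has a signature for yet is still stopped. Engine names, signatures, the suspicious-call list and the sample attachments are all constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Attachment:
    filename: str
    content: bytes

# Constructed signature sets for three hypothetical vendor engines. Each knows
# a different subset of patterns, which is why running all three catches more
# than any one of them would.
SIGNATURE_ENGINES = {
    "engine_a": [b"CONSTRUCTED-SIG-WORM-1"],
    "engine_b": [b"CONSTRUCTED-SIG-WORM-2"],
    "engine_c": [b"CONSTRUCTED-SIG-WORM-1", b"CONSTRUCTED-SIG-TROJAN-3"],
}

def signature_scan(engine: str, att: Attachment) -> bool:
    """Classic engine: a hit only if a known byte pattern is present."""
    return any(sig in att.content for sig in SIGNATURE_ENGINES[engine])

# Heuristic engine: needs no signature. Scores traits that mail-borne script
# worms tend to share: a script/executable extension, a second extension that
# disguises it, and script bodies that drive the mail client or the filesystem.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|exe|scr|pif|bat|cmd)$", re.I)
DOUBLE_EXT = re.compile(r"\.\w{2,4}\.\w{2,4}$")
SUSPECT_CALLS = [b'CreateObject("Outlook.Application")',
                 b"Scripting.FileSystemObject", b"RegWrite"]

def heuristic_scan(att: Attachment) -> int:
    """Return a suspicion score; 2 or more counts as a detection."""
    score = 0
    if SCRIPT_EXT.search(att.filename):
        score += 1
    if DOUBLE_EXT.search(att.filename):
        score += 1
    score += sum(1 for call in SUSPECT_CALLS if call in att.content)
    return score

def scan_message(attachments) -> tuple:
    """Run every engine over every attachment; one hit anywhere quarantines
    the whole message before it ever reaches the recipient's firewall."""
    hits = []
    for att in attachments:
        for engine in SIGNATURE_ENGINES:
            if signature_scan(engine, att):
                hits.append(f"{engine}:{att.filename}")
        if heuristic_scan(att) >= 2:
            hits.append(f"heuristic:{att.filename}")
    return ("quarantine" if hits else "deliver"), hits
```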

MessageLabs can also eliminate spam, foul language, and pornography, but viruses are what matters to me. Still, did you know that 41 percent of images attached to British business e-mail messages are pornographic? Does that say more about business or the British? MessageLabs even has an intelligent scanner that can look at an image and recognize the difference between baby pictures and Debbie doing Dallas. I wonder if it can also detect beauty?

Right now, half a million corporate users in the UK have their e-mail scanned by MessageLabs, soon to be followed by 26,000 users at their first U.S. customer, Air Products and Chemicals, Inc. The Air Products deal came about because last year, that company was talking of merging with British Oxygen, an early MessageLabs customer. The Air Products IT guy was amazed to learn that British Oxygen had not a single virus infestation in the previous year — not one. The merger fell through, but MessageLabs still found a new customer.

I have no financial interest in MessageLabs, the columnist was forced to point out. I just think their work is good and that we deserve to be protected. But even their technology won't protect against cyber vermin brought home through Web mail accounts.

Now what makes the next year especially scary for data security is the pending arrival of Windows XP, an operating system that will come loaded on millions of PCs, each one ready out-of-the-box to be a zombie machine. The problem is that for competitive reasons, the home version of Windows XP has to be able to run programs written for Windows 95, 98, and ME. Windows 2000 can't reliably do that and it has the same core as Windows XP. The only way Microsoft was able to manage this backward compatibility was by disabling a very important security feature. Windows XP will be the first home OS from Microsoft to have full raw TCP/IP socket support (just like Windows 2000), but without Win2000's root-level security. Windows XP runs EVERYTHING at root, which means every program (and even the trojans hidden within that program) has full access to all Windows services, including more advanced network services than ever before. Where Windows ME is generally limited to UDP and ICMP flooding, for example, Windows XP can jump straight to the main event — HTTP flooding at port 80. This combination of full socket support (more protocols with which to do damage) and root-level access is really, really scary.
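As an added example tied to the cascade attack described earlier and the port-80 HTTP flooding mentioned here (not the column's code), this Python log check tells a flood from one noisy host, which a single block rule handles, apart from the distributed flood of zombies the column predicts, where the number of distinct sources is itself the tell. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common log format: src ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3}')

def parse_line(line):
    """Return (source address, timestamp) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["src"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def classify_flood(lines, min_requests=50, min_sources=20):
    """Per second, decide whether volume is normal, a single-source flood (one
    address you can simply block), or a distributed flood of the kind the
    column describes, where blocking any one zombie changes nothing."""
    per_second = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, ts = parsed
            per_second[ts].append(src)
    verdicts = {}
    for ts in sorted(per_second):
        srcs = per_second[ts]
        if len(srcs) < min_requests:
            verdicts[ts.isoformat()] = "normal"
        elif len(set(srcs)) >= min_sources:
            verdicts[ts.isoformat()] = "distributed-flood"
        else:
            verdicts[ts.isoformat()] = "single-source-flood"
    return verdicts

def constructed_log():
    """Three seconds of synthetic web-server traffic (constructed, not real)."""
    def line(src, sec):
        return f'{src} - - [01/Aug/2001:12:00:{sec:02d} +0000] "GET / HTTP/1.0" 200 512'
    lines = [line(f"10.0.0.{i}", 0) for i in range(1, 6)]          # quiet second
    lines += [line("10.0.1.7", 1) for _ in range(80)]                 # one noisy host
    lines += [line(f"10.0.2.{i % 40 + 1}", 2) for i in range(80)]    # 40 hosts in tandem
    return lines
```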

I am far from the first person to write about this problem. You can find it explained in excruciating detail by my old friend Steve Gibson of Gibson Research. That link, as always, is behind the Links of the Week button on this page.

Now Microsoft is unmoved by this new vulnerability it is creating. Microsoft argues that the same vulnerability can be created on today's systems by loading third-party device drivers, so what's the big deal? I say don't do the hackers' job for them. If Windows ME is a gun, Windows XP is a loaded gun.

So it is likely to be a long fall and winter for the Internet. My advice is to get a dog.
