We have been incredibly lucky. Despite the numerous businesses, government organizations, and individuals that have found danger lurking on the Web, there have been remarkably few large-scale electronic attacks on the systems that make up the Web. Despite the fact that credit card numbers are not properly protected, there is surprisingly little traffic in stolen financial information. We are vulnerable, yet the sky hasn't fallen.
Today most Net-based attackers seem to be satisfied with the publicity that their assaults generate. Although there have been online criminal heists, there are so few that they still make the news. Security is weak, but the vast majority of Internet users still play by the rules.
Likewise, attackers have been quite limited in their aims. To the best of our knowledge, there have been no large-scale attempts to permanently crash the Internet or to undermine fundamental trust in society, the Internet, or specific corporations. The New York Times had its web site hacked, but the attackers didn't plant false stories into the newspaper's web pages. Millions of credit card numbers have been stolen by hackers, but there are few cases in which these numbers have been directly used to commit large-scale credit fraud.
Indeed, despite the public humiliation resulting from the well-publicized Internet break-ins, none of the victimized organizations have suffered lasting harm. The Central Intelligence Agency, the U.S. Air Force, and UNICEF all still operate web servers, even though all of these organizations have suffered embarrassing break-ins. Even better, none of these organizations actually lost sensitive information as a result of the break-ins, because that information was stored on different machines. A few days after each organization's incident, their servers were up and running again—this time, we hope, with the security problems fixed.
The same can be said of the dozens of security holes and design flaws that have been reported with Microsoft's Internet Explorer and Netscape Navigator. Despite attacks that could have allowed the operator of some "rogue web site" to read any file from some victim's computer—or even worse, to execute arbitrary code on that machine—surprisingly few scams or attacks make use of these failings. This is true despite the fact that the majority of Internet users do not download the security patches and fixes that vendors make available.