OK - but from a CIO's perspective, any security risk is too much both from the bad guys getting in and creating mischief, and proprietary data getting out (in my business, more the latter). Until innovations stabilize, I would think that every CIO will choose isolation. Unfortunately, once there it's hard to get them back out. How do you get the CIOs to either wait or to adopt temporary solutions?
Absolutely. Part of the problem is that everyone is being rational here! For CIOs I can understand the desire to bolt everything down. But I guess I'd say that bolting down too much can be like stripping a screw... employees will end up creating their own shadow IT if the official systems are too locked down. I'd ask CIOs to be willing to participate in some of the "digital nervous system" apps that we're developing (we're = Oxford/Harvard) to allow PCs to anonymously broadcast their basic vital signs (not the company documents), especially because then mainstream Internet users could ask the system things like, "How many expert/corporate machines have this software installed, vs. the AOL-types?" (apologies to AOL types)
You write glowingly of the open, collaborative process used to create Wikipedia. How can a process like that be used to solve today's worst cybersecurity problems, which are criminal in nature?
I'm eager to see us develop the kinds of technical tools that Wikipedia has -- think quick revert -- so that harmful stuff isn't a catastrophe. And tools that let people collaborate to give early warning of bad or unfamiliar code. Right now surfing the Web is designed to be an autistic experience.
Do you use an iPhone, BlackBerry or other PDA? How do you square that with your views of how tethered Internet appliances are hampering innovation on the Internet?
I actually don't use any of those devices -- I find that email is fun when it comes in, but a burden once it's stale, which is in about five seconds. So I like to deal with email from a PC, when I'm devoted to truly processing it. But I'm not too doctrinaire about it -- I don't think the iPhone is evil, just that (1) it and platforms like it may well crowd out the PC and (2) if that happens, we'll lose much of the ability to innovate that we've enjoyed for the past thirty years. And we'll gain new vectors of government/regulatory surveillance and control. Facebook can be told to kill Scrabulous in a way that Bill Gates was never told to kill Grokster or BitTorrent.
Are there many open/closed mixed products and are we heading back to the "old days" in some sense?
I think the iPhone w/SDK is a good example of a mixed product -- a "contingently generative" technology. I worry it's the worst of both worlds rather than the best - and I see Facebook and Google apps the same way. I like 'em both, but they both reserve the right to kill any app at any time - so it's the old days of appliances, but still the new days of networked: with the vendor having a privileged role in reprogramming the users' experiences.
One of the big security risks we see today is not necessarily the open net but these little high-capacity memory drives that can contain all your source code and walk out the door in one's pocket. So the bad guys will find every seam in the fabric and use whatever tools are available to enter. Not sure which is worse....
Agreed. I think the overall challenge is best put as how to operate successfully in an open environment. What if you couldn't keep secrets? What is the minimum number of secrets to be kept? (SSNs, merger proposals, etc.)
You favor the Internet Engineering Task Force, the Internet's premier standards body which operates via rough consensus and running code. Here's something you didn't mention: It takes a long time for IETF working groups to finish standards, and sometimes (as in the case of instant messaging) they fail to get standards to market in time to stop proprietary solutions from taking over. What are your thoughts on that?
Yes, I think the IETF may be dead. (Sigh, I probably shouldn't have said that.) What I mean more directly is that the IETF functioned best in a backwater, when people were basically having fun, not taking themselves too seriously. As soon as people with coats and ties (Vint Cerf excluded, of course) started showing up, "rough consensus and running code" became harder to achieve. The story of ICANN is this story in a nutshell, how something -- the top level of the domain name system -- run by one guy with sandals, could become a $30 million+ / year operation and everyone still hating it and little getting done. I even see it reflected in the troubles of going from IPv4 to IPv6.