Survey: 63% don't change passwords very often

March 27, 2010

Security firm Symantec on Friday released results of a survey on password management that showed 63 percent of respondents don't change their passwords very often, 45 percent use a few passwords that they alternate for all accounts, and some 10 percent don't change their passwords at all.

A not so far-fetched analogy of the password by the University of Wyoming

These are startling numbers, since, according to the survey, 44 percent of respondents said they have more than 20 accounts that require a password.

Worst of all, the survey also found that about 10 percent of respondents have used their pet's name as a password. This is as bad as using words that can be easily guessed, such as your name, your significant other's name, or your birthday.

The survey was done online at the Symantec Security Response blog over the course of a few days with some 400 responses from readers.

Symantec says that organizations as well as consumers can take precautions to lower their security risk and the first step is by using effective passwords.

An effective password is one that's hard to guess and yet at the same time easy for the owner to remember.

Here are some tips for choosing a strong password:

  • Use a mix of numbers, letters, punctuation, and symbols.

  • Take a word or phrase that's meaningful to you and alter it.

  • Replace the first few characters in your password with numbers or symbols.

  • The longer, the better.

  • Avoid personal information, repetition, sequences, and dictionary words.

For example, you can think of a meaningful sentence such as "Let the sun shine" and then alter it, replacing "e" with "3" and "s" with "$", into "L3tTh3$un$hin3" to use as a password. Of course, you need to make up your own sentence.
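Here is how those five tips can be turned into an automated check (an added example in Python, not the article's or Symantec's code; the 12-character floor, the small word list and the sample passwords are constructed assumptions). Run against the article's own "L3tTh3$un$hin3", it passes every test except the last: undoing the e->3 and s->$ swaps leaves four dictionary words, a reminder that character substitution alone does little to hide a phrase.

```python
# Checker for the five tips above. Added example, not from the article or
# Symantec; the 12-character floor, the mini word list and the sample
# passwords are constructed here.
import re
import string

# Constructed mini dictionary; a real checker loads a full wordlist.
DICTIONARY = {"let", "the", "sun", "shine", "password", "fluffy", "rex"}
# Common symbol substitutions, undone before the dictionary check so a
# phrase that was only "altered" by swapping e->3 and s->$ is still spotted.
LEET = str.maketrans("013457$@!", "oleastsai")

def char_classes(pw):
    """How many of digits, lowercase, uppercase, punctuation/symbols appear."""
    groups = (string.digits, string.ascii_lowercase,
              string.ascii_uppercase, string.punctuation)
    return sum(any(c in g for c in pw) for g in groups)

def has_repetition(pw, run=3):
    """Same character `run` or more times in a row, e.g. 'aaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def has_sequence(pw, run=4):
    """`run` characters stepping by +1 or -1, e.g. 'abcd' or '4321'."""
    for i in range(len(pw) - run + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False

def dictionary_words(pw):
    """Dictionary words found in pw after undoing simple substitutions."""
    plain = pw.lower().translate(LEET)
    return sorted(w for w in DICTIONARY if w in plain)

def check_password(pw, personal=()):
    """Return the tips pw violates; an empty list means it passes them all."""
    problems = []
    if len(pw) < 12:
        problems.append("too short")
    if char_classes(pw) < 3:
        problems.append("needs a mix of letters, numbers and symbols")
    if has_repetition(pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("sequence")
    if any(p and p.lower() in pw.lower() for p in personal):
        problems.append("contains personal information")
    words = dictionary_words(pw)
    if words:
        problems.append("dictionary words: " + ", ".join(words))
    return problems
```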

As cumbersome as it is, having a strong password really goes a long way in protecting your personal information. For more information on consumers' general state of mind in regard to passwords, you can see the full Symantec survey results here.

 

When malware strikes via bad ads on good sites

March 16, 2010

Matt Drudge and Michael Arrington found themselves this week in an unpleasant position when visitors to their respective Drudge Report and TechCrunch sites were targeted by malware that appeared to have come from ads.

While Drudge vehemently denied it and accused his accusers of playing politics, Arrington acknowledged on Thursday that there had been malware-laden ads on TechCrunch on Wednesday. It's unclear which ad network served up the malware and what type of malware it was, although it was determined to be an ad running JavaScript, he said.

A browser warning that popped up for a blogger at Phat1.com on Wednesday said the TechCrunch ad contained elements from a site that appeared to be hosting malware. A Web search on the name of that site produced a result that said the site was associated with a virus, according to a post on Phat1.com.

A blogger at Phat1.com reports that this warning appeared when a visit to TechCrunch was attempted earlier this week.

(Credit: Phat1.com)

"We suspended a bunch of (ad) campaigns in the meantime. We're only running ads with static images right now," Arrington said in a telephone interview. "This happens and it sucks and I don't know what we can do except for what we've done--just serve static images."

Web sites whose ads are served via ad networks would seem to be at the mercy of those networks. Last year, Drudge Report and a host of other sites were found to have ads distributing malware.

"You kind of open the doors to networks and there is supposedly a trust relationship," Arrington said. "Anytime someone puts a third-party widget on your site...theoretically that stuff can exploit weaknesses in a browser and install malware on a computer. Generally we look to the networks to be clean and they have the incentive to be clean."

Ad networks, the middlemen who connect advertisers with Web sites that have ad space to sell, often serve the ads from a centralized server with no ability for Web site owners to preview the content. Ads also can be served from third-party ad delivery firms.

Even though Web site owners usually don't have a chance to vet the ads or the advertiser, they have an obligation to protect their visitors from malware, said Bennie Smith, a vice president of exchange policy at Yahoo's Right Media.

"Partnering with a third-party ad network is a good thing, but you can't remove all the risk and shift all the responsibility to the ad network," he said. "The user is coming to your site, not to the ad network. The primary responsibility still resides with you."

Before signing up with an ad network, Web site owners need to find out how well the network knows its advertisers and what it does on its own end to monitor for malware, Smith said.

For example, Web site owners need to ask: Does the ad network look for red flags such as advertisers that are willing to pre-pay and require a tax ID number? Does the business name match the e-mail address? If the ad network is not using software tools to check the content for malware, is it at least reviewing the ads manually before they run?

Malware, regardless of how it is delivered from a site, can tarnish a Web site's reputation and keep visitors from returning, according to Smith.

"It's important because it erodes a user's confidence in the particular publisher or publisher's Web site in general," he said. "That has the potential to affect the size and quality of the audience, and that's an important component to the online ad model."

Who's responsible?
But who is legally liable?

"Under a negligence theory, one could argue that the Web site is liable," said Ben Edelman, an assistant professor at the Harvard Business School and a specialist in Internet security related to online advertising.

"The easier argument would be that the ad network is liable," he added. "Even then I see arguments on both sides. The ad net could certainly claim that this is a hard problem and that they did everything they ought to be expected to do."

Web site owners have a lot to lose if their customers don't come back. "Web sites have strong incentive to choose their ad networks carefully," Edelman said.

What can Web surfers do to stay safe?

"In general if you properly secure your PC you should be protected against the bulk of these types of attacks," said Joris Evers, a spokesman for McAfee.

"But there's also a responsibility on the (part of the) ad networks to vet the ads that they put through," Evers said, weighing in on the debate over responsibility. "The ad networks should ensure that they aren't serving up rigged images, iFrames, or links to malicious Web sites."

 

Want really secure Gmail? Try GPG encryption

January 14, 2010

Perhaps Google's announcement that Chinese cyber attackers went after human rights activists' Gmail accounts has made you skittish about just how private your own messages are on the Google e-mail service.

Well, if you want to take a significant step in keeping prying eyes away from your electronic correspondence, one good encryption technology that predates Google altogether is worth looking at. It's called public key encryption, and I'm sharing some instructions on how to get it working if you want to try it.

Unfortunately, better security typically goes hand in hand with increased inconvenience. But some human rights activists who use Gmail probably now wish they'd put up with a little hardship to help keep hackers at bay. I'm not going so far as to recommend you use e-mail encryption, but I think this is a good time to take a close look at it.

Specifically, I'll show here how to use a collection of free or open-source software packages: GPG, or GNU Privacy Guard, Mozilla Messaging's Thunderbird e-mail software, and its Enigmail plug-in.

But first, some background about how it works.

Public key cryptography
Encryption scrambles messages so that only someone with a key (or a tremendous amount of computing horsepower, or knowledge of how to exploit an encryption weakness) can decode them. One form is called, curiously, public key encryption, and this is what GPG and Enigmail use.

Here's the quick version of how it works. You get a private key known only to yourself and a public key that's available for anyone else to use. The person you're corresponding with also has such a pair of keys. Although the public and private keys are mathematically related, you can't derive one from the other.

To send a private message, someone encrypts it with your public key; you then decrypt it with your private key. When it's time to reply, you encrypt your message with the recipient's public key and the recipient decodes it with his or her private key.

Messages in transit from one machine to another are a bunch of textual gobbledygook until decoded. If you're being cautious enough to encrypt your e-mail, you should be aware that there's still some information that leaks out to the outside world. The subject line isn't encrypted, and somebody might take interest in the identity of your active e-mail contacts and the timing and frequency of communications.

So how do you find out what your correspondent's public key is? You can either fetch the key firsthand from the correspondent, or you search for it on public computers on the Net called key servers--mine is stored at pool.sks-keyservers.net.

This form of encryption has another advantage: you can sign your e-mail electronically so the recipient knows it really is from you. This time the process works in reverse: you sign your e-mail with your private key, then your recipient verifies it's from you using your public key.
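The two exchanges just described, encrypt with the public key and decrypt with the private one, then sign with the private key and verify with the public one, as an added toy RSA example in Python (not GPG's code: GPG uses 2048-bit keys, padding and a wrapped session key, while this uses small keys and a Fermat primality test so the arithmetic stays readable).

```python
# Toy RSA for following the steps above by hand. Added example, not GPG's
# code: GPG uses 2048-bit keys, padding, and wraps a symmetric session key;
# here the numbers are small and the message is encrypted directly.
import hashlib
import random

def is_probable_prime(n, rounds=20):
    """Fermat test, adequate for a toy; real libraries use Miller-Rabin."""
    return n > 3 and all(
        pow(random.randrange(2, n - 1), n - 1, n) == 1 for _ in range(rounds))

def random_prime(bits):
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=256):
    """Return (public, private): (n, e) is published, (n, d) stays secret."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(message, n):
    """SHA-256 of the message, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def encrypt(public, message):
    """Sender's step: anyone holding the recipient's public key can do it."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(private, ciphertext):
    """Recipient's step: needs the private key matching the public one used."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(private, message):
    """Signer's step: the hash is transformed with the *private* key."""
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(public, message, signature):
    """Verifier's step: the signer's *public* key undoes the transform."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)
```

Generate one keypair per correspondent, encrypt to the recipient's public key and sign with your own private key; the recipient decrypts with their private key and verifies with your public key.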

Drawbacks aplenty
Weighed against the encryption advantages of privacy and message signing is the fact that you'll lose access to services you may like or depend on.

When you see an encrypted e-mail in the Web-based Gmail, it's gibberish. Google doesn't index it, so Gmail search doesn't work. And the strong points of cloud computing--reading your e-mail from your mobile phone, your friend's computer, a computer kiosk at the airport--aren't possible. You're once again anchored to your PC with the encryption software installed.

Gmail won't be able to make heads or tails of your encrypted e-mail.

(Credit: Screenshot by Stephen Shankland/CNET)

Another doozy is that the technology, while conceptually manageable in my opinion, quickly gets complicated. It's the kind of thing where you benefit from some hand-holding from your technologically sophisticated pal. Encryption is chiefly used by the expert crowd, so the documentation quickly gets technical, the options quickly go beyond most people's comprehension, and the help quickly can shift from Spartan manuals to grasping at straws on a search engine results page.

Given time and experience, intractable technology can be beaten into submission, though. The bigger problem with encrypted mail is convincing others to install the software and use it. Until then, you'll be like the proverbial owner of the world's single fax machine: nice technology, but there's nothing you can do with it until someone else gets one.

My personal hope is that encrypted e-mail will become more common and that wider use will encourage some flavor of it that will work more transparently with existing systems, perhaps through local plug-ins on a computer such as FireGPG, though there appear to be challenges getting it to work with Gmail.

Meanwhile, here's one collection of software that's available today for public key e-mail encryption.

Install the software
First, install Thunderbird e-mail software, if you haven't already. I recommend the new version 3.0, which is available for Windows, Mac OS X, and Linux. One particularly nice feature is that the software will ask you for your e-mail address and password on its first launch, and Gmail users will find the software automatically handles the tangle of configuration details that previously had to be manually set.

Next up is GPG, the command-line software that handles the actual encryption, decryption, and key management behind the scenes. Fetch the appropriate copy for your operating system from the "binaries" links at the GPG downloads page. Technophiles will like using this actual software from the command line, but don't worry--you don't have to.

Last is installing the Enigmail plug-in for Thunderbird. Fetch the appropriate version from the Enigmail download site and make a note of where you save the file.

Enigmail isn't the kind of file you double-click to install. Instead, go to Thunderbird, open the Tools menu and click Add-ons. In the lower-left corner of the dialog box that appears, click "Install..." When prompted for a location, point to where you saved the plug-in; the filename should be "enigmail-1.0-tb-win.xpi" or some other operating system-appropriate variation.

Set up the software
Next, it's time to get started. Enigmail offers useful instructions that generally are up to date, though they don't mention Thunderbird 3.0 and some other matters.

You'll likely get a setup wizard from Enigmail, which is fine. My advice: set it to sign encrypted messages by default but not to encrypt messages by default unless you're confident you're going to use it a lot.

The first task is to generate your public and private keys--your "keypair." Enigmail can handle this chore. In Thunderbird, click the OpenPGP menu, then the "Key Management" option. A new window will pop up with its own set of menus. Click the rightmost one, "Generate."

The default options are pretty good, though setting the key not to expire might be preferable for some people. That can be changed later, if you have second thoughts. For your passphrase, the usual password rules apply: the longer it is and the farther away from anything in a dictionary it is, the harder it is to crack.

Now comes the best part of the whole thing: helping out the random number generator while the keys are being generated. It doesn't take long, but doing something else while it happens--browsing a Web page or loading a word processing file, for example--creates events that actually inject a little helpful unpredictability into the algorithm. It's one of those wacky computer science moments.

Once the keys are generated, upload yours to a key server so your pals can find your key. It's easy: click the "Keyserver" menu, "Upload Public Keys," and go with the default pool.sks-keyservers.net server.

Try it out
Now it's time to get viral. You have to find somebody to experiment on. Go through your list of nerdy, security-minded, perhaps somewhat paranoid friends and start recruiting. A tinfoil hat isn't a prerequisite for using e-mail encryption, but there's a connection.

Once you've got a companion--or set up a second keypair with another e-mail account--start a new e-mail message and type in a subject line and some text. In the OpenPGP menu, select "sign message," "encrypt message," and if your message recipient is using Enigmail, "Use PGP/MIME for this message." (The latter option has some advantages, but isn't supported universally.)

When you send the message, you'll need to use your recipient's public key to encrypt the message and your own passphrase to sign the message with your private key.

When it's time to read, you'll need the public key of your correspondent to verify the signature and your own passphrase to decrypt it.

Sending and receiving is where those public key servers come in handy. Seek, and if ye don't find, ask your friend to e-mail you the public key.

There's a whole new world of encryption out there--the web of trust, key signing, fingerprints and such--that I won't get into here. I recommend a look at the Enigmail configuration manual and the Enigmail Handbook.

If you're a command-line nut, I recommend Brendan Kidwell's practical introduction and, with my usual reservations about the utter lack of informative examples, the GPG man page. History buffs can check the Wikipedia pages (the saga of Phil Zimmermann vs. the U.S. government concerning GPG's precursor, PGP, or Pretty Good Privacy, is particularly notable), and one 10th-anniversary GPG retrospective from founder Werner Koch.

In closing: back up your key
There is one last task you should attend to: export your keypair. Enigmail can handle this fine: In the search field, type your name until your key appears, click it to select it, then click "File" and "Export Keys to File."

This backup will be useful for decrypting your mail on a new computer, installing software from scratch, or otherwise managing the inevitable digital transitions in your life. But be warned: that private key is what somebody needs to crack your encryption, so don't leave it where somebody can find it.

I'm not convinced that GPG will rule the world. Indeed, I'm concerned that so much documentation I encountered for this article was written before Windows Vista arrived.

But I am convinced there are serious holes with our current security and privacy arrangements. A 2,048-bit encryption key won't thwart phishing scams or other social engineering attacks that appear to have been employed in the Google-China case, but it's a good place to start.

And using encryption sends a message to the technology world: perhaps it's time to start taking our security more seriously. Google opted for encrypted Gmail network connections, even though it will tax their servers with more processing, which is a good start. Better security can be inconvenient and expensive, but don't forget to consider the drawbacks of poor security.
