《电子与通信工程专业英语》课件第15章

Unit15NetworkSecurityBasicsNEWWORDSANDPHRASES

NOTES EXERCISES

参考译文

EXTENSIVETEXT

Thefirstquestiontoaddressiswhatwemeanby“networksecurity”.Severalpossiblefieldsofendeavorcometomindwithinthisbroadtopic,andeachisworthyofalengthyarticle.Tobegin,virtuallyallthesecuritypolicyissuesraisedinMattBishop’sbook,ComputerSecurityArtandScience,applytonetworkaswellasgeneralcomputersecurityconsiderations.Infact,viewedfromthisperspective,networksecurityisasubsetofcomputersecurity.Theartandscienceofcryptographyanditsroleinprovidingconfidentiality,integrity,andauthenticationrepresentsanotherdistinctfocuseventhoughit’sanintegralfeatureofnetworksecuritypolicy[1].Readerslookingforagoodintroduction(andmore)tothisareashouldconsiderPracticalCryptographybyNielsFergusonandBruceSchneier.

Thetopicalsoincludesdesignandconfigurationissuesforbothnetwork-perimeterandcomputersystemsecurity.ReferencesinthisareaincludeStephenNorthcuttandcolleagues’InsideNetworkPerimeterSecurity,theclassicFirewallsandNetworkSecuritybyStevenBellovinandWilliamCheswick,andtoomanyspecificsystemconfigurationtextstolist.Thesearemerelystartingpointsfortheinterestednovice.

Thepracticalnetworkingaspectsofsecurityincludecomputerintrusiondetection,trafficanalysis,andnetworkmonitoring.Thisarticlefocusesontheseaspectsbecausetheyprincipallyentailanetworkingperspective.

1．Networktraffic

Toanalyzenetworktraffic,weneedabasicunderstandingofitscomposition.Inthisregard,networkingpeopleoftenspeakofflowsandformats.Flowisalaconicreferencetonetworkingprotocolsandthemessagesthattravelbackandforthbetweentheirendpoints.Formatreferstothestructureofthecells,frames,packets,datagrams,andsegments(theawkwardgenerictermisprotocoldataunits)thatcomprisetheflow.ThevastmajorityofnetworktraffictodayusestheInternetProtocol(IP)asitsnetwork-layerprotocol.IPaddressesrepresentsourcesanddestinations,andIProutersworktogethertoforwardtrafficbetweenthem.Link-layerprotocolssuchasEthernet(IEEE802.3),tokenring,framerelay,andasynchronoustransfermode(ATM)forwardIPpackets,calleddatagrams,acrossmanytypesoflinks.

Networkscanbeattackedatmultiplelayers;here,Ifocusonthenetworklayerandthelayeraboveit(thetransportlayer).TheInternetnetworklayeris“unreliable”,meaningitdoesn’tguaranteeend-to-enddatadelivery.Togetreliableend-to-endservice,auserinvokestheTransportControlProtocol(TCP).Fig15.1showstheformatforanIPdatagram;Fig15.2showstheformatforaTCPsegment,whichistheprotocoldataunitassociatedwiththeTCPprotocol.Theseformatsareessentialforunderstandingnetworktrafficcompositionandsomethingofthemethodsthatcanbeusedtocorruptthem.TCP/IPtrafficaccountsformuchofthetrafficontheInternet(althoughTCPisn’ttypicallyusedforvoiceorvideotraffic).

Fig15.1Internetdatagramheaderformat

Fig15.2TransportControlProtocolheaderformat

WenowhaveafairlyrepresentativepictureofthetrafficflowingacrosstheInternet.ItconsistsofIPdatagrams(whichcanbecarriedinsidelink-layerframes,forexample)carryinghigher-layerinformation,oftenincludingTCPsegments.

ThosewithmaliciousintentcouldmisuseanyofthefieldsshowninFig15.1andFig15.2.Theattackerswouldknowtheprotocol’sintentandtherulestousetointerprettheassociatedformatsandflows.Theycancreateanetworkingattackbychangingvaluesinanyofthefields—anyensuingproblemsconstituteattacksonthenetwork.Spoofing,orchangingthesourceaddress,letsanattackerdisguisemalicioustraffic’sorigin.

2．Networkintrusions

TypicalnetworktrafficconsistsofmillionsofpacketspersecondbeingexchangedamonghostsonaLANandbetweenhostsontheLANandotherhostsontheInternetthatcanbereachedviarouters.Networkintrusionsconsistofpacketsthatareintroducedspecificallytocauseproblemsforanyofthefollowingreasons[2]:

toconsumeresourcesuselessly,

tointerferewithanysystemresource’sintendedfunction,or

togainsystemknowledgethatcanbeexploitedinlaterattacks.

Thesimplestexampleofanetworkintrusionisprobablythelandattack.SomeearlyIPimplementationsfailedtotakeintoaccountthatadatagrammightbegeneratedwithidenticalsourceanddestinationIPaddresses.Someolderoperatingsystems(andperhapsunpatchedones)simplycrashediftheyreceivedsuchdatagrams.

Somewhatmorecomplicatedoneisthesmurfattackinwhichanattackerspoofsthesourceaddressandsetsitequaltothetargetedmachine’saddress.Theattackerthenbroadcastsanechorequesttoperhapshundredsofmachinesondistantnetworks—acapabilityprovidedbytheInternetControlMessageProtocol(ICMP).EachdistantmachinerespondstothereceivedechorequestwithanechoresponsemessagetothetargetedIPaddress,thusoverwhelmingthetargetedmachine’sresources.

TheteardropattackissomewhatmoresophisticatedinitsuseoftheheaderfieldsshowninFig15.1.IPversion4(IPv4)canbreaklargedatagramsintosequencesofsmallerIPdatagramsthroughaprocessreferredtoasfragmentation.Itusescertainbitflagsandthefragmentoffsetfieldtoensurethatthefragmentscanbereassembledatthedestination(seeFig15.1).Inateardropattack,anattackersendsfragmentsthatarepurposelymadetooverlapsothattheydon’tfittogetherproperlyatthedestination.Again,older(orunpatched)operatingsystemscouldhavesevereproblemswithsuchfragments.

3．DDoSattacks

InFebruary2000,hackersattackedseveralhigh-profileWebsites,includingA,B,CNNInteractive,andeBay,bysendinglargenumbersofboguspacketswiththeintentofslowingorinterruptingofferedservices.Manyarticleshavesinceexaminedtheseattacksandpotentialdefenses,andseveralWebsitesofferoverviews,casehistories,suggesteddefenses,andotherresources.Inspiteofalltheworkdoneinthisarea,thethreatofDoSattacksremains,ashigh-profileattacksdescribedperiodicallyinthenetworkingtradepresswillattest.Typically,ahackerlaunchesadistributeddenial-of-service(DDoS)attackbyissuingcommandsto“attackzombie”computerprogramsthathavepenetratedunsuspectingusers’machinesviatheInternet—perhapspropagatedbyvirusesorworms,forexample.Oncepresent,thezombiesallowhackerstoleverageusermachinesaspartofanattackagainstagiventarget.NotethatthegeneratedtrafficmightseemtobenormalWebbrowserrequestsandotherinnocent-lookingtrafficthat,infact,differsfromvalidtrafficprincipallyinitsintent.Thismakesidentifyingsuchattacksextremelydifficult.

4．Intrusiondetectionsystems

Nosingletechniqueislikelytodetectallpossibletypesofnetworkintrusions—especiallybecausenewintrusiontypesarestillwaitingtobeexploited.Reviewingtheattacksdescribedhere,it’sclearthatlandattackscanbediscoveredbylookingforarrivingpacketsinwhichthesourceanddestinationIPaddressesareidentical.Smurfattackscan’tbedetectedonthebasisofcontentfromsinglepackets;onlythearrivalofanunusuallylargenumberofICMPechorequestsandresponseswouldsignalsuchanattack’spresence.Wecouldrespondbykillingallechorequestsatagatewayrouter,butdoingsowouldinterferewithothernetworkfunctionsthatmightbevitaltotheorganizationbeingprotected.Wemightdiscovertheteardropattackbylookingforillegalfragmentationinarrivingpackettrains,buttherouter(orfirewall)wouldhavetomaintainasignificantamountofstateinformation.

Intrusiondetectionsystems(IDSs)useparticularcollectionsofanalyticaltechniquestodetectattacks,identifytheirsources,alertnetworkadministrators,andpossiblymitigateanattack’seffects.AnIDSusesoneorbothofthefollowingtechniquestodetectintrusions:

(1)

Signaturedetection—theIDSscanspacketsorauditlogstolookforspecificsignatures(sequencesofcommandsorevents)thatwerepreviouslydeterminedtoindicateagivenattack’spresence.

(2)

Anomalydetection—theIDSusesitsknowledgeofbehaviorpatternsthatmightindicatemaliciousactivityandanalyzespastactivitiestodeterminewhetherobservedbehaviorsarenormal.

It’sfairlyeasytounderstandhowsignaturedetectioncanhelpfindidentifyingcharacteristicsinpreviouslyobservedattacks.Thisisfarfromsimpletoaccomplish,however,becauseattackerscanchangesomeidentifier(aportnumber,aparticularsequencenumber,aparticularprotocolindicator)thataltersthesignaturewithoutaffectingtheattack’sfundamentalnature.Moreover,someoneconstructinganalertbasedonsignaturedetectionmustbemindfulthatnormaltrafficcouldhavethesamecharacteristics.

Ausefulsignaturemustreflectareliableattackidentifierthatdoesn’tgeneratemanyalertsonnonmalicioustraffic.Withthehugenumberofpacketsarrivingatmostmodernsubnets,evenaminisculeerrorratecouldgeneratetensofthousandsoffalsealarmswithinafewminutes.

NEWWORDSANDPHRASES

endeavor n. 努力，尽力

cryptography n.密码术；密码系统，密码使用法

confidentiality n.机密性

authentication n.证明，鉴定

perimeter n. 周边，周长；边缘

novice n. 新手，初学者

intrusion vt. 入侵，闯入

laconic adj. 简洁的，简明的

awkward adj. 难使用的，笨拙的

invoke vt. 调用

malicious adj. 怀恶意的，恶毒的

spoof vt. 哄骗

disguise vt. 假装，伪装，掩饰

fragmentation n. 分段，

bogus adj. <美>假的,伪造的

attest vt. 证明

zombie n. 巫毒崇拜，蛇神，生性怪僻的人

NOTES

[1]Theartandscienceofcryptographyanditsroleinprovidingconfidentiality,integrity,andauthenticationrepresentsanotherdistinctfocuseventhoughit’sanintegralfeatureofnetworksecuritypolicy.

本句可译为：尽管密码技术是网络安全策略的一个不可分割的特征，但在提供机密性、完整性和认证方面它代表了另一个截然不同的观点。

[2]Networkintrusionsconsistofpacketsthatareintroducedspecificallytocauseproblemsforanyofthefollowingreasons:

“thatareintroducedspecificallytocauseproblemsforanyofthefollowingreasons:”是修饰前面的“packets”的后置定语从句；“tocauseproblems”是不定式短语，作目的状语。

本句可译为：网络入侵包括了一些特别导入的分组，它们可由于以下任何原因而导致问题。

EXERCISES

Ⅰ.

Translatethefollowingwordsorphrases.

networksecuritypolicy computerintrusiondetection trafficanalysis

networkmonitoring networkadministrator DDoS

ICMP false-alarm 敏感数据

恶意代码行为模式分析信号检测

Ⅱ.TranslatethefollowingparagraphsintoChinese.

(1)

Inthisregard,networkingpeopleoftenspeakofflowsandformats.Flowisalaconicreferencetonetworkingprotocolsandthemessagesthattravelbackandforthbetweentheirendpoints.Formatreferstothestructureofthecells,frames,packets,datagrams,andsegments(theawkwardgenerictermisprotocoldataunits)thatcomprisetheflow.ThevastmajorityofnetworktraffictodayusestheInternetProtocol(IP)asitsnetwork-layerprotocol.IPaddressesrepresentsourcesanddestinations,andIProutersworktogethertoforwardtrafficbetweenthem.Link-layerprotocolssuchasEthernet(IEEE802.3),tokenring,framerelay,andasynchronoustransfermode(ATM)forwardIPpackets,calleddatagrams,acrossmanytypesoflinks.

(2)

Inspiteofalltheworkdoneinthisarea,thethreatofDoSattacksremains,ashigh-profileattacksdescribedperiodicallyinthenetworkingtradepresswillattest.Typically,ahackerlaunchesadistributeddenial-of-service(DDoS)attackbyissuingcommandsto“attackzombie”computerprogramsthathavepenetratedunsuspectingusers’machinesviatheInternet—perhapspropagatedbyvirusesorworms,forexample.Oncepresent,thezombiesallowhackerstoleverageusermachinesaspartofanattackagainstagiventarget.Notethatthegeneratedtrafficmightseemtobenormal.

(3)

SeveralcommercialandafewpublicIDSsareavailable.Thetradepressfrequentlyevaluatesthem,butresearchjournalsgenerallydonot.EarlyIDSslargelyusedsignaturedetection.Generallyspeaking,theydetectedalltheattackscapturedintheirsignaturedatabases,buttheysufferedfromunacceptablyhighfalse-alarmrates.

参考译文

第十五单元网络安全基础

要解决的第一个问题是“网络安全”的含义。脑海里想到的几个领域都处在这个宽泛的主题下，而每个领域都值得长篇大论。事实上，MattBishop的著作《网络安全技术和科学》中提出的安全策略既可以应用到网络中，也可以应用到计算机安全中。从这个角度上说网络安全实际上是计算机安全的一个子集。尽管密码技术是网络安全策略的一个不可分割的特征，但在提供机密性、完整性和认证方面，它代表了另一个截然不同的观点。对此领域期望更多了解的读者可以阅读NielsFerguson和BruceSchneier所著的《实践密码学》一书。

主题也包括了网络边缘和计算机系统的设计和配置问题。这方面的参考资料包括StephenNorthcutt及其同事所编写的《网络边缘安全内幕》、StevenBellovin和WilliamCheswick的经典著作《防火墙和网络安全》，其中列出了许多的特定系统设置。这些仅仅是对此有兴趣的初学者的启蒙书籍。

实际的网络安全包括计算机入侵检测、业务分析和网络监控。由于它们体现了网络的各个方面，因此本文集中讨论这几个问题。

1．网络业务量

为了分析网络业务量，我们需要对它的组成有一个基本的了解。在此方面，网民们常常提到流量和格式。流量是对端点间传输组网协议和信息的简称。格式指的是组成数据流的信元、帧、分组、数据报和分段(难懂的专业术语是协议数据单元)的结构。今天，大多数的网络流量使用IP协议作为网络层协议。IP地址描述了源和目的地址，IP路由器在它们之间转发业务数据。链路层协议穿过多种类型的链路转发称为数据报的IP分组，这些链路层协议包括以太网(IEEE802.3)、令牌环、帧中继和异步传输模式。网络可能在很多层上遭到攻击，这里集中(讨论)网络层和它的上层(传输层)。互联网层是“不可靠的”，这意味着它不能保证端到端的数据传递。为了确保端到端的数据的可靠传递，使用者调用了传输控制协议(TCP)。图15.1所示为IP数据报的格式，图15.2所示为TCP分段的格式，这是与TCP协议相关的协议数据单元。这些格式对于了解网络业务组成是重要的，并且也是攻击它们的方法(出处)。TCP/IP业务占据了大部分的互联网的流量(尽管TCP通常不用于话音和视频业务)。

图15.1互联网数据报头部格式

图15.2传输控制协议头部格式

我们现在对Internet内的业务量给出相当有代表性的描述。它包含了传送高层信息的IP数据报(比如，数据报可被链路层帧传送)，这些高层信息通常包含了TCP分段。

那些带有恶意的人可以滥用图15.1和图15.2中所示的任何字段。攻击者知道协议的意图和相关格式的解释及业务流的规则。他们通过改变(格式中)任何字段的值来创造一个网络攻击——所有相继发生的问题构成了网络攻击。哄骗或改变业务源的地址可让攻击者掩盖恶意业务的来源。

2．网络入侵

典型的网络业务包括了一个LAN内的主机间、LAN内的主机和互联网内的主机(通过路由器可到达)间每秒交换的成千上万的分组。网络入侵包括了一些特别导入的分组，它们可由于以下任何原因而导致问题：

无谓的消耗网络资源；

妨碍任何系统资源的既定功能；

获取可用于以后攻击的系统知识。最简单的网络入侵例子可能是登录攻击。一些早期的IP实现未能考虑到可能产生相同源和目的IP地址的数据报。如果一些旧的操作系统(以及可能未打补丁的操作系统)接收这样的数据报，它们很快就会崩溃。

稍微更复杂的是smurf攻击，在这种攻击中攻击者哄骗源地址，并把源地址设为与目标机地址相同。然后，攻击者会把echo请求广播到远方网络中的成百上千台主机中——这是ICMP协议提供的功能。每台远方主机都以echo信息回复给目标IP地址，因此远远超过了目标主机(所能接受)的资源能力。

teardrop攻击利用图15.1所示的字段头部，这种攻击更复杂。IP版本4(IPv4)能把大的数据报通过一个称为分段的过程分割成一系列小的IP数据报。它利用某些标记比特和分段偏移字段来保证分段能在目的端被重新组合在一起(如图15.1所示)。在teardrop攻击中，攻击者故意传送重复的分段，这样在目的端它们就不能被正确地组合在一起。此外，使用这样的分段，较旧(或未打补丁的)的操作系统可能会有更严重的问题。

3．DDoS(拒绝服务)攻击

2000年2月，黑客通过发送大量的伪造分组攻击了几个引人注目的网站，包括A、B、CNN交互频道和eBay，目的是减慢、妨碍它们提供的服务。自此，许多文章仔细研究了这些攻击和潜在的防御手段，一些站点提供了观察项、病例、建议的防御措施和其他资源。尽管人们在这个领域做的工作不少，但是DoS攻击仍然保持着引人注目的状态，(攻击事实)被周期性地刊登在网络商业新闻上就是证明。典型地，黑客通过发布命令给“攻击怪人”计算机程序来发动分布式拒绝服务攻击(DDoS)，这些程序能通过互联网渗透到信任者的机器中——例如，可能通过病毒或蠕虫传播。一旦确定目标，“怪人”允许黑客利用用户机作为攻击特定目标的一部分。注意：产生的业务量要看起来(像)正常的网络浏览器请求和其他看起来正常的数据流。事实上，它们主要在目的上与正常的业务不同，这也使得要鉴别这些攻击特别困难。

4．入侵检测系统

没有单个技术能够检测到所有可能的网络入侵类型——主要因为仍有新的入侵类型等待检测出来。回顾前面提到的攻击，很明显，登录攻击可通过查找具有相同源和目的IP地址的到达分组来发现。基于单个分组的内容检测不出smurf攻击；只有不正常的大量ICMPecho请求和回复的到达能给出这种攻击来到的信号。我们的反应是：在网关路由器处杀死所有的echo请求，但是这样做可能干扰网络的其他功能，而这些功能对于被保护的组织也许是至关重要的。我们可以通过在到达的分组队列中查找非正常的分段来发现teardrop攻击，但是路由器(或防火墙)可能必须维护数量惊人的状态信息。

入侵检测系统(IDS)利用特殊的分析技术来检测攻击、识别攻击来源、向网络管理员发出警报，这样才有可能减轻(被攻击)后果。入侵检测系统采用以下一种或两种技术来检测入侵：

(1)签名检测——入侵检测系统通过扫描数据包或审计日志来寻找特殊的签名(命令或事件序列)，而这些签名可预先暗示特定攻击的存在。

(2)异常检测——入侵检测系统运用行为模式知识来分析过往行为，进而确定观察到的行为是否正常。签名检测能够帮助识别过往攻击中的一些特征，理解这些是相当容易的。但是，完成签名检测远不止如此简单。因为攻击者可能会改变某一标识符(端口号、特别的序列号、特别的协议指示器)，但是某些标识符的改变并不影响攻击的基本特征。此外，有人基于签名检测构建了报警系统，但是(在使用时)必须谨慎，因为正常的业务可能也具有相同的特征。

一个有用的签名检测必须能够可靠地识别攻击，(此处)可靠的识别攻击指的是对非恶意业务不能产生大量虚警。在大部分的现代子网中，短短几分钟内可能就会接收到海量数据分组，(所以)即使一个小小的错误也可能导致产生好几万个虚警。

EXTENSIVETEXT

TakeThisBlogandShoveIt!

Inthehistoryofweb,lastspringmayfigureasatippingpoint.That’swhenWikipedia,“thefreeencyclopediathatanyonecanedit”—asitethatgrewfrom100,000articlesin2003tomorethan15milliontoday—begantofalterasasocialmovement.Thousandsofvolunteereditors,theloyalWikipedianswhoactuallywrite,fact-check,andupdateallthosearticles,loggedoff-manyforgood.Forthefirsttime,morecontributorsappearedtobedroppingoutthanjoiningup,activityonthesitehasremainedstagnant,accordingtoaspokespersonfortheWikimediaFoundation,thenonprofitbehindthesite,andit’sbecome“areallyseriousissue”.Soserious,infact,thatthisfallWikipediawillturntosomethingithasneverneededbefore:recruiters.

There’snoshortageoftheoriesinwhyWikipediahasstalled.Oneholdsthatthesiteisvirtuallycomplete.Anothersuggeststhataggressiveeditorsandatangleofantivandalismruleshavescaredoffcasualusers.Butsuchexplanationoverlookafardeeperandenduringtruthabouthumannature:mostpeoplesimplydon’twanttoworkforfree.TheyliketheideaoftheWebasaplacewherenoonegoesunheardandthecontributionsofmillionsofamateurscanchangedtheworldandturnontheircomputer,itturnsoutmanyofthemwouldratherwatchfunnyvideosofkittensorshopforcheapairfaresthancontributetothegreatergood.EventheInternetisnomatchforsloth.

That’swhyWikipedia’snewrecruitingpushwillnotrelymerelyonhighfalutinpromisesaboutpooledgreatnessand“thesumofallhumanknowledge”.Instead,theorganizationishopingtogetstudentstowriteandeditentriesaspartofeightprofessorsatschoolsincludingGeorgeWashingtonandPrincetontointegratetheoncefrowned-uponresearchtoolintopublic-policycurricula.Aspartoftheprogram,Wikipedia’s“campusambassadors”willleadin-classtrainingsessionsonhowtoeditthesiteandhelpstartWikipediastudentgroips.

Techwriterscontinuetotoutsocialmediaasatransformativephenomenoninitsinfancy.That’scertainlytrueforsuchsiteasFacebook,whichboastsmorethan500millionactiveusers,orFlickr,whichhostssome4billionphotos.YouTubealsoshowsnosignofslowingdown.Butthosesitesofferclearbenefitstousers,indulgeinagameofMobWars,sharebabypictures,orwatchvideosoffashionmodelsfallingdown,inexchangefortheirtimeandefforts.

Manyotherelementsoftheuser-generatedrevolution,meanwhile,arebeginningtolooksluggish.Thepracticeofcrowdsourcing,inparticular,workedbecausetheearlyWebinspiredakindofcollectivefever,onethatmadetheslogofwritingencyclopediaentriesfeelnew,cool,fun.ButwiththreeoutoffourAmericanhouseholdsonline,contributionstothehivemindcanseemabitpassé,andWebparticipation,well,boring—kingoflikewritingencyclopediaentriesforfree.

Evidenceofthisennuiiseverywhere.Amateurblogs,theoriginalembodimentofWebdemocracy,areshowingsignsofdecline.Whileprofessionalbloggersare“arisingclass”,accordingtoTechnorati,hobbyistsareinretreat,andabout95percentofblogsarelaunchedandquicklyabandoned.ArecentPewstudyfoundthatblogginghaswitheredasapastime,withthenumberof18to24-year-oldswhoidentifythemselvesasbloggersdecliningbyhalfbetween2006and2009.AshifttoTwitter—ormicroblogging,asit’scalled—partlyaccountsforthesenumbers.ButwhileTwittercarriesmorethan50milliontweetsperday,itsarmyofkeystrokersmaynotbeaslargeasitseems.Asmanyas90percentoftweetscomefrom10percentofusers,accordingtoa2009Harvardstudy.Theothersareprimarily“lurkers”—peoplewhodon’tcontributebuttrackthepostingsofothers.Between60and70percentsofpeoplewhosignupforthe140-characterplatformquitwithinamonth,accordingtoarecentNielsenreport.

Citizenjournalismalsohasstabilized.Fewerthanonein10Webuserssaytheycreatedtheirownoriginalnewsoropinionpiece,accordingtoPew,andcommentsectionsonblogsormainstreammediasites,whichwheresupposedtoturntheoldone-waymediaintoatwo-waystreet,areoftentooprofane,hateful,oroff-pointtoattractpeople.OnlyoneinfourWebusersleftacomment—probablynomorethanwroteletterstotheeditorindecaderspas,saysBrianThornton,aUniversityofNorthFloridaprofessorwhohasstudiedthehistoryoftheletterspage.

Naturally,assomeenergygoesoutoftheWeb,sitethatdependonenthusiasticfreelaborarescramblingtoremainit.Thetaskismademoredifficultbythefactthattheeompetitionissteeperthanever.MichiganStateUniversityprofessorCliffLampe,whostudiesonlinecommunities,saysthatwheretherewereoncethreeorfoursitesarenowthousandsorevenmillions.“You’retakingalimitedresource—people—andspreadingitoveramuchwidersetofopportunities”,hesays.“itchangestheplayingfield.”

Thesmartplayersarechanging,too.Diggbeganas“thenewNewYorkTimes”,adigitalfrontcuratedbyuserswho“voteup”theirfavoritestories.Thesiteq