Monthly Archives: March 2005

Stopping Phishing

Banks are tired of phishers fooling their customers into revealing information so the phishers can mimic identities and steal money. Last year banks and other financial institutions banded together to do something about phishing. The first phase of this initiative involved

“… educating customers, outfitting customer desktop PCs with anti-spam-protection software, and working with law-enforcement authorities and Internet service providers to identify and stop phishing attacks while they’re in progress.”
Phishing Expedition Set To Enter Second Phase, Oct. 29, 2004, By Steven Marlin, InformationWeek

There’s a report out now on Phase I, Financial Services Technology Consortium Counter-Phishing Initiative: Phase I. Several reports, actually, ranging from definitions of terms (it wasn’t even clear before what phishing was) to categorizing vendors’ solutions according to an FSTC Phishing Attack Lifecycle and Solutions Categorization.

Many of the FSTC recommendations sound like good risk management in general, for example:

“Ensure that phishing preparedness plans (staff responsibilities, incident response plans, procedures, etc.) are appropriate, frequently reviewed, and updated as necessary. FSTC’s Phishing Life Cycle Model and Attack Taxonomy can be used to structure concrete planning activities and assess adequacy.”

The first of the next steps FSTC will be investigating illustrates a basic feature of this work:

“Investigate and adopt better mutual authentication practices.”

Although the FSTC report says that institutions acting alone can do these things, it’s not clear that that is possible for something that is mutual. As the report also says, the industry acting as a whole can do these things.

In other words, collective action is needed for an aggregate threat.


Gift culture considered beneficial

I posted the text below on Dave Farber’s Interesting People list and am now blogging it here. The specific subject of the thread was an article in the Boston Globe about Harvard Business School (HBS) rejecting 119 applicants because they viewed their admission status before they were supposed to: “Harvard rejects 119 accused of hacking” By Robert Weisman, Globe Staff | March 8, 2005. Farber particularly liked the starred paragraph, which was pointed out to me by Peggy Weil, a Harvard graduate who is an adjunct professor at USC; she heard it from one of her students. If it’s not obvious what this post has to do with Internet business risk management, I can explain further.


Tim Finan’s message is the first I’ve seen in this thread that referred to the original meaning of the word hacker: someone who enjoys stretching the capabilities of a system and solving hard problems.

It’s true that many people who pick up scripts and use them to attack systems (script kiddies) and others who do nothing but try to break systems (crackers) and others who systematically exploit system weaknesses for financial gain (organized crime) may call themselves hackers, but they’re flattering themselves.

Eric Raymond’s article about “The Hacker Milieu as Gift Culture” makes clear the difference.

Real hackers have given us Unix and Emacs and the Macintosh and apache and BSD and Linux and sendmail and numerous other high quality gifts, because that’s what they enjoy and that’s how they build their reputations.

Given the results, it’s useful to distinguish between real hackers (whom I’d think Harvard Business School would want to encourage, considering their activities benefit the economy) and crackers.

******* Also, as an admissions consultant noted in the original article:

"Kreisberg said some applicants may have inadvertently tried to access the files, without realizing they were looking for confidential information, after they were e-mailed directions from other students who had copied them from the BusinessWeek message board."

If that actually happened, some of the applicants may have simply thought they were participating in the gift culture when they and Harvard Business School (HBS) were actually victims of a rogue patch, resulting in reputation damage to them and HBS of the sort described in Eric Raymond’s paper.

Maybe HBS should spend a bit more resources increasing value offered to students by getting up to speed on present-day online culture rather than pursuing cost-cutting too far by outsourcing critical functions such as applications to a company that failed to keep them secure. The former might result in better improvements to the bottom line.


esr @ UT B School

Eric Raymond is back in Austin, this time for a talk at the University of Texas Business School, CBA, 3rd floor, Classroom 3.2000, 3:30 PM Tuesday March 8th, 2005.

I haven’t heard a specific topic, but given that it’s esr, we can assume open source, and given that the talk is being organized by Prof. Andy Whinston, whose research is in pricing of networks and services, we can assume some intersection of those two things. Quantified diversity, if you will. It should be good for risk management.