Monthly Archives: June 2006

Telco Double Dipping

Here’s a useful analogy for thinking about net neutrality:
On today’s Internet, sending and receiving data has already been paid for and what the ISPs that are resisting net neutrality are calling for is the ability to charge content providers a second time for access to their customers. An apt analogy would be the phone company attempting to take a percentage of any transaction that was done over the phone. The calling party has already paid for the phone call, the receiving party has either paid for the phone call (metered services or cell phone) or has paid for unlimited inbound calling through a subscription. However, the phone company sees that there is money being made by others transacting business over their phone lines and decides they deserve a cut.

Network neutrality is about control, Gaige Paulsen, Monday, June 26, 2006 @ 10:34 am EDT

If telcos want to provide their own value added services, as they have long done, that’s one thing. If they want to charge somebody else for providing value added services on top of the telco’s carriage, that’s another thing entirely. Gaige also addresses consumer control, content delivery networks, differential utilization, and why net neutrality is a regulatory issue; well worth a read.


Framing Net Neutrality

Interesting bit of political framing here:
Put another way, if net neutrality passes, the AT&Ts of the world will be forced to pay for all of their equipment upgrades themselves and could not subsidize that effort by imposing premium fees for premium services. If net neutrality fails, they will be able to recoup more of those costs than they can now from the likes of Google Inc., Microsoft Corp. and other major users of the World Wide Web.

At its heart, then, the battle is commercial — over who pays how much for improvements to the Internet that we all use and sometimes love.

No Neutral Ground in This Internet Battle, by Jeffrey H. Birnbaum, Washington Post, Monday, June 26, 2006; Page D01

I’d be more willing to believe that if the various incumbent carriers or their predecessors hadn’t already been promising us fast broadband for everyone for many years now, and if Japan and Korea hadn’t already managed it without this kind of finagle. Continue reading

21st Century Risk Management

Have I mentioned I wrote a book?
John Quarterman’s book Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance is unique, as far as I know, as a very timely analysis on technical issues and their impact on risk management. The combined forces of technology, increased integration, business reliance on networks and systems, and the market/legal/regulatory forces set the context for this book.

All About Early 21st Century Risk, Gunnar Peterson, 1 Raindrop, 22 June 2006

Gunnar mentions much of the content, and a useful context point: Continue reading

Leaves of FBI

Brian Krebs has an interesting post about the Leaves worm of 2001, which masqueraded as a Microsoft update and used the legion of zombies thus recruited to run up click counts on ads, thus generating revenue for its perpetrator. A perpetrator who has never been identified. Which leads to Krebs’s most interesting point:

Still, I have to wonder whether the case didn’t sour the FBI on investigating these types of crimes, given the resources they piled into an ultimately futile effort. Today, there are hundreds of guys around the world making money just like Mr. Leaves — with far more victim computers at their disposal — except that many of them operate out of countries which have far less cozy legal and diplomatic relations with the United States.

Lessons Learned from the ‘Leaves’ Worm? Brian Krebs on Computer Security, 22 June 2006

We need to find ways for law enforcement to gather evidence that cost far less than this case did, yet hold up better when it comes time to prosecute.


A Muslim Seminary Has How Many Divisions?

Two American sheiks have formed a Muslim seminary:

Sheik Hamza Yusuf, in a groomed goatee and sports jacket, looked more like a hip white college professor than a Middle Eastern sheik. Imam Zaid Shakir, a lanky African-American in a long brown tunic, looked as if he would fit in just fine on the streets of Damascus.

U.S. Muslim Clerics Seek a Modern Middle Ground, by Laurie Goodstein, New York Times, Published: June 18, 2006

The story goes on about how the two each understand both Islam and U.S. popular culture. Judging by the examples, they also understand both Islamic and Christian religious history. It continues:

Mr. Yusuf told the audience in Houston to beware of "fanatics" who pluck Islamic scripture out of context and say, "We’re going to tell you what God says on every single issue."

"That’s not Islam," Mr. Yusuf said. "That’s psychopathy."

Continue reading

Theft Fear

According to a recent opinion survey by the International Telecommunication Union (ITU), the biggest online fear is of stolen personal information:
These concerns over privacy were reflected in users’ fears while surfing, with theft of personal information the most commonly cited concern by over one quarter of respondents. Another quarter feared viruses and worms. Nearly one fifth were worried about spyware, while scams and fraud ranked slightly lower (13 per cent). Only 8 per cent found spam something to be afraid of, rather than just a nuisance (Figure 1, left chart), perhaps reflecting a grudging acceptance of spam or improvements in filtering.

Promoting Global Cybersecurity: ITU announces results of global survey and launches cybersecurity gateway on World Telecommunication Day 2006, ITU Press Release, Geneva, 17 May 2006

Such fears cause 64% of respondents to avoid some online activities altogether. Continue reading

Local IPTV

Cringely harps on something I’ve been saying for a while, too:
The Internet television story, even as written here in columns going back as far as the late 1990s, pushed the idea of enabling the aggregation of widely-dispersed viewing audiences, allowing programming to thrive that might not be successful on any local station, much less on the national network. A good example is NerdTV, which wouldn’t attract enough viewers on most PBS stations to even generate a rating, yet when offered as an Internet download, drawing from a global population, makes some pretty good numbers. But there is no concept called “local” in this aggregation model, so stations tend to feel threatened by it; if the network can reach local viewers directly, what need is there for a local station?

But it doesn’t have to be that way, because the supposed strengths of centralization aren’t really strengths at all when viewed in terms of the much more imposing issue of bandwidth costs, where all the advantages are local.

Local Heroes: Could the Key to Successful Internet Television Be…PBS?, by Robert X. Cringely, PBS, June 8, 2006

What about the opposite of NerdTV? Local football! Continue reading

Proactive Honeypotting

OK, here’s something I don’t do often: praise Microsoft.
Strider HoneyMonkey is a Microsoft Research project to detect and analyze Web sites hosting malicious code. The intent is to help stop attacks that use Web servers to exploit unpatched browser vulnerabilities and install malware on the PCs of unsuspecting users. Such attacks have become one of the most vexing issues confronting Internet security experts. Strider HoneyMonkey is a project of the Cybersecurity and Systems Management group in Microsoft Research.

Strider HoneyMonkey Exploit Detection, Microsoft Research

Instead of waiting around for attacks to happen, this project drives browsers through web sites the way an average user would, and catches the spyware installs and exploits that occur as a result. Sort of a proactive honeypot: a client honeypot, rather than a server waiting to be probed. Clever.

This goes beyond traditional Internet security, which normally builds forts and waits for the enemy to attack. This project sends out multiple scouts to lure the enemy into ambushes. This is real intelligence gathering, and it moves security into risk management.
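The detection rule that makes such a client honeypot work can be shown in a few lines. The following is an added illustration, not Microsoft’s Strider HoneyMonkey code: it snapshots a scratch “VM” (here just a temporary directory), lets a simulated browser visit run, snapshots again, and treats any new or changed file outside the browser cache as evidence of an exploit. The directory names, the “no clicking, so nothing legitimate lands outside the cache” verdict rule, and the two constructed sites are all assumptions made for the example.

```python
"""State-diff client honeypot sketch (added example; not HoneyMonkey's code)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Assumed disk layout inside the throwaway VM the monkey browses from.
BROWSER_CACHE = "Temporary Internet Files"   # the only place a hands-off visit may write

Visit = Callable[[Path], None]


def _digest(path: Path) -> str:
    """Content hash so a modified file counts as a change, not just a new one."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (relative, POSIX-style) to its content hash."""
    return {p.relative_to(root).as_posix(): _digest(p)
            for p in root.rglob("*") if p.is_file()}


def classify_visit(root: Path, visit: Visit) -> Tuple[str, List[str]]:
    """Snapshot, run the visit, snapshot again, and diff the two.

    Verdict rule (assumption, in the HoneyMonkey spirit): the monkey never
    clicks through a download prompt, so any write outside the browser cache
    could only have been produced by an exploit of the browser itself.
    """
    before = snapshot(root)
    visit(root)
    after = snapshot(root)
    changed = [f for f, h in after.items() if before.get(f) != h]
    unexpected = [f for f in changed if not f.startswith(BROWSER_CACHE + "/")]
    return ("exploit" if unexpected else "clean"), unexpected


# --- constructed "sites": each models what a browser visit does to the disk ---
def benign_site(root: Path) -> None:
    """A normal page: only the browser cache is touched."""
    cache = root / BROWSER_CACHE
    cache.mkdir(parents=True, exist_ok=True)
    (cache / "index.html").write_text("<h1>hello</h1>")


def drive_by_site(root: Path) -> None:
    """Looks like a normal page, but also drops a binary into a startup folder."""
    benign_site(root)
    startup = root / "Startup"
    startup.mkdir(parents=True, exist_ok=True)
    (startup / "update.exe").write_bytes(b"MZ\x90\x00")  # fake PE header, constructed


def run_monkey(sites: Dict[str, Visit]) -> Dict[str, Tuple[str, List[str]]]:
    """Visit each site from a fresh scratch VM and collect verdict plus evidence."""
    results = {}
    for name, visit in sites.items():
        with tempfile.TemporaryDirectory() as vm:   # fresh disk per visit
            results[name] = classify_visit(Path(vm), visit)
    return results


if __name__ == "__main__":
    for site, (verdict, evidence) in run_monkey(
            {"benign.example": benign_site, "drive-by.example": drive_by_site}).items():
        print(f"{site}: {verdict} {evidence}")
```

A real deployment also has to watch registry writes and new processes, restore the VM image between visits rather than reuse a directory, and run the same URL through browsers at several patch levels so that the zero-day cases stand out from the ones a current patch already stops.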


PS: Thanks, Chez, for the pointer.

USB Social Engineering

Why bother with traditional social engineering, when you can let a USB drive do it for you?

It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him.

Social Engineering, the USB Way, Steve Stasiukonis, darkreading, 7 June 2006

So much for the traditional network perimeter.


PS: Thanks, Johnny.

VoIP CALEA Considered Risky

The FCC has required extension of CALEA to VoIP. An all-star cast of Internet security and protocol people beg to differ:
In order to extend authorized interception much beyond the easy scenario, it is necessary either to eliminate the flexibility that Internet communications allow, or else introduce serious security risks to domestic VoIP implementations. The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous. The current FBI and FCC direction on CALEA applied to VoIP carries great risks.

Security Implications of Applying the Communications Assistance for Law Enforcement Act to Voice over IP, by Steve Bellovin, Matt Blaze, Ernie Brickell, Clint Brooks, Vint Cerf, Whit Diffie, Susan Landau, Jon Peterson, John Treichler.

Which is more valuable? A free, extensible, and relatively secure Internet, or one controlled by a state? Continue reading