Monthly Archives: February 2007

Directed Scale-Free Networks

John Robb points out that students of terrorist networks have discovered they’re directed scale-free networks. That is, communication isn’t always two-way; often there’s much more communication in one direction between two people than in the other. In particular, one person may be a hub who talks to many people, but each of those other people may have little to say back.

This seems familiar somehow; oh, yes: it’s like USENET. Anyway, it seems good risk management to understand what sort of network you’re dealing with.


jetBlue Renewed

I have to admit I didn’t even know jetBlue had been having some problems until I got an apology from them in my electronic mail. I fly them from time to time, and apparently they sent the apology to every customer.

How would you respond to a week-long fiasco of international media scrutiny and criticism following a highly publicized episode of your intolerable treatment of customers, especially if your company was founded on a pledge of superior customer service?

Recovering from a Crisis: Jet Blue Gets It Right, Jon Harmon, Force for Good, 20 Feb 2007

I suppose they could have tried censoring and suing, as some other companies and trade organizations have done.

Phishing Report

Sure, phishing is bad, but how bad is it? The Anti-Phishing Working Group posts periodic reports, such as the one for December 2006. APWG received more than 20,000 phishing reports for at least as many phishing sites. While 146 brands were hijacked by phishers, 16 brands accounted for 80% of phishing campaigns that month. And the country doing the most phishing: the U.S.


Software Vendor Liability

Bruce Schneier calls for software vendor liability:

Fundamentally, the issue is insecure software. It is a result of bad design, poorly implemented features, inadequate testing and security vulnerabilities from software bugs. The money we spend on security is to deal with the myriad effects of insecure software. Unfortunately, the money spent does not improve the security of that software. We are paying to mitigate the risk rather than fix the problem.

The only way to fix the problem is for vendors to improve their software. They need to design security in their products from the start and not as an add-on feature. Software vendors need also to institute good security practices and improve the overall quality of their products. But they will not do this until it is in their financial best interests to do so. And so far, it is not.

Information Security and Externalities, Bruce Schneier, Schneier on Security, 18 Jan 2007

Turn an externality into a liability, and software vendors will do something about it. The usual objection is that this would do in free software. I don’t see why, since it should be easy enough to craft liability laws that factor in profit, the chronic nature of bugs, etc., so as to distinguish between big commercial vendors and free software volunteers. Meanwhile, many users and even governments are applying their own kind of software liability by moving away from the biggest commercial vendor to smaller ones or to free software.


Who’s Liable for Botnets?

Pushpa Sathish thinks end users are responsible for botnets. Referring to a recent root DNS DDoS attack, he says:

If you thought the news above was bad, brace yourself, you’re about to hear worse. YOU may have been responsible in part for the attack! Before you go all indignant on me, let me put it across differently. Your computer may have been one in the millions used by hackers to launch the disruption of service, without your knowledge, of course.

Heard of botnets? They’re the armies of zombie computers that have been taken over and are controlled by hackers to perpetrate other heinous crimes on the Internet. If you do not protect your system with adequate measures such as anti-virus software and sensible Internet usage, you leave your doors (Windows?) wide open to hackers. Your computer then becomes the next link in the chain of systems that form a botnet!

Root Cause for the Root Attack – YOU! Pushpa Sathish, Staff Writer, Network Security Journal, 7 Feb 2007

While no doubt end users should be somewhat careful about what they do, suppose we make an analogy to automobiles. If a car manufacturer sold cars that were easy for joyriders to remotely hijack out of your garage at night and drive around without you ever knowing it, who do you think would be liable? You, or the manufacturer?

Seems to me the most relevant part of the above post is the parenthetical remark:

If you do not protect your system with adequate measures such as anti-virus software and sensible Internet usage, you leave your doors (Windows?) wide open to hackers.

When will we see software vendor liability like we already see automobile manufacturer liability? That would be some good risk management.


Should a Breach be Unreported if It Wasn’t Really Lost?

Adam has some ruminations on what should happen when a data loss has been reported, and it turns out the data wasn’t really lost (the tape was found, the laptop was in the closet, etc.). While I can understand the temptation to strike out that entry wherever it was logged, I think it’s important to keep both the original report and a new report of the data being found. Why don’t we see statistics on data that wasn’t really lost, anyway? Is it because lost data is almost never found? Or has nobody thought to compile such statistics?


Known Identity Thieves?

Adam posts some interesting hypotheses about how much of identity theft is perpetrated by thieves known to the victims:

Now, if (1) is true, then for all ID theft victims, 40% should know the perpetrator. If (2) is true, then perhaps 11% of ID theft is committed by someone who the victim knows, and 90% of that is detected. Perhaps it’s 90% of ID theft is committed by someone who the victim knows, and that’s only detected 27% of the time.

Identity theft numbers: Javelin vs. FTC, Adam Shostack, 13 Feb 2007

Read his blog for the details. As he says, his hypotheses should be testable. And which (if either) hypothesis is correct should have some bearing on measures that will work to prevent identity theft.


Son of Base Rate Fallacy

Lamar Smith has proposed to wiretap everything on the Internet:


(a) Regulations- Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information.

H.R. 837, 6 Feb 2007, "SAFETY Act" (Stopping Adults Facilitating the Exploitation of Today’s Youth Act)

Once again children are used as an excuse for blanket spying.
