Why it’s not good to depend on common sense for really big perils:
The models these companies created differed from peril to peril, but they
all had one thing in common: they accepted that the past was an imperfect
guide to the future. No hurricane has hit the coast of Georgia, for
instance, since detailed records have been kept. And so if you relied
solely on the past, you would predict that no hurricane ever will hit the
Georgia coast. But that makes no sense: the coastline above, in South
Carolina, and below, in Florida, has been ravaged by storms. "You are
dealing with a physical process," says Robert Muir-Wood, the chief
scientist for R.M.S. "There is no physical reason why Georgia has not been
hit. Georgia's just been lucky." To evaluate the threat to a Georgia beach
house, you need to see through Georgia's luck. To do this, the R.M.S.
modeler creates a history that never happened: he uses what he knows about
actual hurricanes, plus what he knows about the forces that create and
fuel hurricanes, to invent a 100,000-year history of hurricanes. Real
history serves as a guide; it enables him to see, for instance, that the
odds of big hurricanes making landfall north of Cape Hatteras are far
below the odds of them striking south of Cape Hatteras. It allows him to
assign different odds to different stretches of coastline without making
the random distinctions that actual hurricanes have made in the last 100
years. Generate a few hundred thousand hurricanes, and you generate not
only dozens of massive hurricanes that hit Georgia but also a few that
hit, say, Rhode Island.
Sure, the Georgia coast doesn't have any single concentration of wealth.
But it does have a swath of wealth that could be taken down by a single storm.
And complacent owners who think it can't ever happen? People in Thailand
didn't believe Smith Dharmasaroja before the 2004 tsunami, either.
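The passage above describes the modeling move in words; the following is an added toy version of it, written for this page and not code from R.M.S. or from the article. It compares a purely empirical model (landfall probability = hits / total hits over a short record) with a model that treats landfall as a physical process, spreading each observed hit to neighbouring stretches of coast with a kernel, and then generates a 100,000-year synthetic history from the second model. The coastline segments, the 100-year hit counts (with Georgia and Rhode Island at zero) and the storm rate are all constructed for illustration and are not real hurricane statistics.

```python
"""Added example: a toy catastrophe model in the spirit of the R.M.S. passage.

An empirical model built from a 100-year record gives Georgia zero risk.
A model that treats landfall as a physical process spreads risk along the
coast; a 100,000-year Monte Carlo run then shows how many Georgia (and
Rhode Island) hits that implies.  Every number here is constructed for
illustration, not a real hurricane statistic.
"""
import random
from math import exp

# Coastline segments, south to north (constructed ordering, not a real dataset).
SEGMENTS = ["FL-south", "FL-north", "GA", "SC", "NC-below-Hatteras",
            "NC-above-Hatteras", "VA", "NJ", "NY", "RI"]

# Constructed 100-year landfall counts: GA and RI have never been hit.
OBSERVED = {"FL-south": 40, "FL-north": 22, "GA": 0, "SC": 18,
            "NC-below-Hatteras": 20, "NC-above-Hatteras": 6, "VA": 2,
            "NJ": 1, "NY": 1, "RI": 0}


def empirical_probabilities(observed):
    """Relying solely on the past: P(segment) = hits / total hits."""
    total = sum(observed.values())
    return {s: observed[s] / total for s in SEGMENTS}


def smoothed_probabilities(observed, bandwidth=1.0):
    """Treat landfall as a physical process: a hit on one segment is
    evidence of risk on its neighbours too.  Gaussian kernel smoothing over
    segment position keeps the real north/south gradient (far fewer hits
    above Cape Hatteras) but removes the accidental zeros a short record
    produces."""
    weights = []
    for i, _ in enumerate(SEGMENTS):
        w = 0.0
        for j, other in enumerate(SEGMENTS):
            w += observed[other] * exp(-((i - j) ** 2) / (2 * bandwidth ** 2))
        weights.append(w)
    total = sum(weights)
    return {s: w / total for s, w in zip(SEGMENTS, weights)}


def poisson(rng, lam):
    """Knuth's algorithm: number of landfalling storms in one year."""
    threshold = exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate(probabilities, years=100_000, storms_per_year=1.1, seed=42):
    """Generate `years` of synthetic history and count hits per segment."""
    rng = random.Random(seed)
    weights = [probabilities[s] for s in SEGMENTS]
    hits = {s: 0 for s in SEGMENTS}
    for _ in range(years):
        n = poisson(rng, storms_per_year)
        for segment in rng.choices(SEGMENTS, weights=weights, k=n):
            hits[segment] += 1
    return hits


def return_period(hits, years):
    """Years per hit for each segment (None where the model never hits)."""
    return {s: (years / n if n else None) for s, n in hits.items()}


if __name__ == "__main__":
    years = 100_000
    emp = empirical_probabilities(OBSERVED)
    phys = smoothed_probabilities(OBSERVED)
    print(f"Empirical P(GA) = {emp['GA']:.4f}, physical-model P(GA) = {phys['GA']:.4f}")
    sim = simulate(phys, years=years)
    for s, rp in return_period(sim, years).items():
        shown = "never" if rp is None else f"{rp:.0f} years"
        print(f"{s:>18}: {sim[s]:6d} hits, return period {shown}")
```

The empirical model's zero for Georgia is an artefact of the record length; the smoothed model gives Georgia roughly a tenth of landfalls, and the synthetic history contains thousands of Georgia hits and a few hundred for Rhode Island. The same reasoning applies to any rare-event risk estimate built only from an organisation's own incident history.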
SmartHippo today launched the public beta version of the first ever web
site that allows individuals to use the power of a community to save
money and make better decisions when shopping for rates on financial
products and services.
“The lending industry is in a state of transformation,” said George
Favvas, President of SmartHippo, “and consumers are demanding more control
and transparency in their dealings with banks and mortgage companies.”
SmartHippo allows any individual to post information and feedback on
the rate they received, and to compare rates with other members of the
community with similar profiles. This lessens the chance of consumers
with the same lending and risk profile getting different rates on the
same loan, which can happen currently.
This is different from companies like LendingTree, which already
facilitate getting multiple bids for mortgages, in that SmartHippo lets
mortgage customers comment on their experiences. Participatory, if you will.
It’s great for email, but it can never work for movies, TV shows or music, because in the case of “copy protection” the receiver is also the person that the system is meant to guard itself against.
Say I sell you an encrypted DVD: the encryption on the DVD is supposed to stop you (the DVD’s owner) from copying it. In order to do that, it tries to stop you from decrypting the DVD.
Except it has to let you decrypt the DVD some of the time. If you can’t decrypt the DVD, you can’t watch it. If you can’t watch it, you won’t buy it. So your DVD player is entrusted with the keys necessary to decrypt the DVD, and the film’s creator must trust that your DVD player is so well-designed that no one will ever be able to work out the key.
Fergie points out
a university project investigating censorship:
The "Great Firewall of China," used by the government of the People’s
Republic of China to block users from reaching content it finds
objectionable, is actually a "panopticon" that encourages self-censorship
through the perception that users are being watched, rather than a true
firewall, according to researchers at UC Davis and the University of
The researchers are developing an automated tool, called ConceptDoppler,
to act as a weather report on changes in Internet censorship in
China. ConceptDoppler uses mathematical techniques to cluster words by
meaning and identify keywords that are likely to be blacklisted.
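The press release says ConceptDoppler clusters words by meaning to find keywords likely to be blacklisted. The block below is an added illustration of that first step, written for this page and not the researchers' code: it uses word co-occurrence vectors and cosine similarity as a simple stand-in for the semantic clustering the page describes, ranks every word in a small constructed corpus by closeness to a seed set of words assumed already known to be filtered, and returns the words worth probing next. The corpus and the seed set are constructed; the actual probing of the filter is not shown.

```python
"""Added example: rank candidate keywords by semantic closeness to words
already known to be filtered, the first step of a ConceptDoppler-style probe.

Simplified stand-in for the semantic clustering the page describes: word
co-occurrence vectors plus cosine similarity over a tiny constructed corpus.
A real run would use a large text collection and then test each top-ranked
word against the filter.
"""
from collections import defaultdict
from itertools import combinations
from math import sqrt

# Constructed mini-corpus; each string is one short "document".
CORPUS = [
    "protest march democracy activists rally square",
    "activists protest reform election democracy vote",
    "parliament election vote ballot reform debate",
    "football match score goal league season",
    "goal league season football coach team",
    "recipe kitchen flour sugar oven bake",
    "bake oven sugar recipe cake kitchen",
    "censorship firewall protest blocked activists",
]

# Assumed seed set: words already observed to trigger the filter.
SEED_BLOCKED = {"protest", "democracy"}


def cooccurrence_vectors(corpus):
    """word -> {other word: number of documents in which both appear}."""
    vectors = defaultdict(lambda: defaultdict(int))
    for doc in corpus:
        for a, b in combinations(sorted(set(doc.split())), 2):
            vectors[a][b] += 1
            vectors[b][a] += 1
    return vectors


def cosine(u, v):
    """Cosine similarity of two sparse vectors held as dicts."""
    dot = sum(c * v.get(w, 0) for w, c in u.items())
    nu = sqrt(sum(c * c for c in u.values()))
    nv = sqrt(sum(c * c for c in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def candidate_scores(corpus, seeds):
    """Score every non-seed word by similarity to the seeds' combined context."""
    vectors = cooccurrence_vectors(corpus)
    concept = defaultdict(int)
    for seed in seeds:
        for word, count in vectors[seed].items():
            concept[word] += count
    return {w: cosine(vectors[w], concept) for w in vectors if w not in seeds}


def rank_candidates(corpus, seeds, top=5):
    """Highest-scoring words first; these are the ones worth probing next."""
    scores = candidate_scores(corpus, seeds)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    for word, score in rank_candidates(CORPUS, SEED_BLOCKED):
        print(f"{word:12s} {score:.3f}")
```

Words from the sports and cooking documents score zero and never reach the probe list; words that share context with the seeds (activists, election, march) rank at the top. The point of the ranking is economy: a filter can only be probed so many times before the probing itself becomes conspicuous, so the candidates are ordered by how likely they are to be on the list.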
IT and Internet security people and companies act mostly as an aftermarket.
Meanwhile, the black hats are a well-integrated economy of coders,
bot herders, and entrepreneurs.
This is what it will take for the white hats to win:
It can seem overwhelming for security people who are typically housed in
a separate organization, to begin to engage with software developers and
architects to implement secure coding practices in an enterprise. While
the security team may know that there are security vulnerabilities in
the systems, they have to be able to articulate the specific issues
and communicate some ideas on resolutions. This can be a daunting task
especially if the security team does not have a prior working relationship
with the development staff and does not understand their environment.
The task seems daunting also because there are so many developers compared
to security people. I am here to tell you though that you don’t have
to win over every last developer to make some major improvements. In my
experience a small percentage of developers write the majority of code
that actually goes live. The lead developers (who may be buried deep
in the org charts) are the ones you need to engage, in many cases they
really don’t want to write insecure code, they just lack the knowledge
of how to build better. Once you have a relationship (i.e. that you are
not just there to audit and report on them, but are there to help *build*
more secure code) it is surprisingly easy to get security improvements
into a system, especially if the design is well thought out and clearly
articulated. You don't have to get the proverbial star-dot-star, each and
every developer, on board to make positive improvements; it can be
incremental. See some more specific ideas on phasing security into the
SDLC here. In the meantime, with security budgets increasing 20% a year,
use some of that money to take your top developers out to lunch.
Today, few malware developers use their own code. They write it for the
same reason commercial software developers do: to sell it for a healthy
profit. If you’ve ever bought anything online, buying from them may be
disconcertingly familiar. If you want to break into a computer or steal
credit card numbers, you can buy the necessary software online, just
like almost anything else. More than that, you can find user-friendly,
point-and-click attack applications that have been pre-tested and
reviewed by experts, and read through customer feedback before making
You might even be able to buy technical support or get a money
back guarantee. Some developers offer their malware through a
software-as-a-service model. If you prefer an even more hands-off
approach, you can simply buy pre-screened credit card numbers and identity
information itself, or sign a services agreement with someone who will
do the dirty work for you. As in many other industries, money has given
rise to professionalism.
Online crime and malware development have become a full-blown and extremely
profitable commercial enterprise that in many ways mirrors the legitimate
software market. "We’re in a world where these guys might as well just
incorporate," says David Parry, Trend Micro’s Global Director of Security
Education. "There’s certainly more money in the cybercrime market than
the antivirus market. The internet security industry is a drop in the
bucket; we’re talking about hundreds of billions of dollars."
There is still plenty of room for qualitative decision-making in arenas
where there aren't enough facts, or the facts haven't been quantified,
or there's no baseline, or there's no mechanical method yet.
But where those things are available, it's better to use them.
You'll still need qualitative judgement for cases where
the algorithm is right but didn't take into account
unfortunate side effects, for instance.
Even then, you've got a better chance of knowing what you're doing.
He follows up on my post of yesterday about LifeLock, discussing
a company called Integrity which insures identities in Second Life.
Or, actually, insures any lawsuits resulting from "inappropriate content",
whatever that is.
Then he gets to the real question:
How viable is this model? The first thing would be to ask: can't we fix
the underlying problem? For identity theft, apparently not: Americans
want their identity system because it gives them their credit system,
and there aren't too many Americans out there who would give up the
right to drive their latest SUV out of the forecourt.
On the other hand, a potential liability issue within a game would seem
to be something that could be solved. After all, the game operator has
all the control, and all the players are within their reach. Tonight’s
pop-quiz: Any suggestions on how to solve the potential for
large/class-action suits circling around dodgy characters and identity?
Since identity thieves are making many people worried
about losing control of their identities, of course
somebody has found a way to cash in on all that free publicity:
By now you’ve heard the stories about Americans whose identities have
been stolen. They’re not pretty…people working for hundreds of hours
over many years to get their lives back in order, kids not getting student loans because someone has already ruined their credit, people losing homes because thieves placed mortgages they never knew existed,
even innocent individuals ending up in jail.
LifeLock can keep this from happening to you and we guarantee our service up to $1,000,000.
I seem to recall reading that the typical identity theft is only
worth $1,000, but never mind that.
Look who recommends it:
You’ve heard Rush Limbaugh, Paul Harvey, Dr. Laura, Sean Hannity, Howard Stern, Dr. Joy and others endorse us.
Well! None of those people would ever sell pure fear, would they?
I have to give them credit for honesty, though: LifeLock admits right up
front that the four main preventive things they do, you could do for yourself.
Beyond that, the main substance they seem to offer is essentially
an insurance package:
If your Identity is stolen while you are our client, we’re going to
do whatever it takes to recover your good name. If you need lawyers,
we’re going to hire the best we can find. If you need investigators,
accountants, case managers, whatever, they’re yours. If you lose money
as a result of the theft, we’re going to give it back to you.
For $110/year or $10/month, is such an insurance policy overpriced,
underpriced, or what?