Monthly Archives: September 2012

Terms of Service rankings

Here’s another reputational rankings initiative, about something we all encounter whenever we use a new service on the web.

According to Terms of Service; Didn’t Read (TOS;DR),

“I have read and agree to the Terms” is the biggest lie on the web. We aim to fix that.

We are a user rights initiative to rate and label website terms & privacy policies, from very good Class A to very bad Class E.

They’ve got a bit of press, such as on Lifehacker Australia and this piece by Jason Gilbert on Huffington Post, 10 August 2012, ToS;DR Explains Those Ridiculous Terms Of Service You Agreed To:

Quick: If the government asks Facebook for information from your account, does Facebook have to inform you of the request? If you delete your Twitter account, does Twitter still own the content of your tweets? Can Google appropriate your content for use on its other services without notifying you or asking your permission?

You probably don’t know the answer to these three questions off the top of your head, but you did claim to know the answers when you agreed to the respective Terms of Service (ToS) agreements upon signing up for these three popular websites. Facebook doesn’t have to inform you of government requests; Twitter will own your tweets after you deactivate; Google can use any of your content; and you signed off on all three by consenting to the ToS.

The article also gets to the main point:


Reputation as Public Policy for Internet Security @ TPRC 2012

Saturday I presented Reputation as Public Policy for Internet Security at the 40th Telecommunications Policy Research Conference (TPRC), hosted by George Mason University School of Law, Arlington, VA. Attendees seemed to appreciate our efforts to deal with heteroskedasticity with a wild cluster bootstrap-t procedure. The presentation, along with the abstract and the paper, is available from the website.

Blog readers will notice the TPRC presentation excerpted Grum botnet is staging a comeback and extended Festi botnet infesting the world, July 2012, as well as making use of the numerous medical posts, while attempting to pull that and other material together to motivate and describe the intended field experiments and their potential policy implications. As Prof. Andrew B. Whinston said to Network World a couple of months ago:

We’re not trying to solve the spam issue. We’re trying to deal with the broader issue of whether companies should publicly report security issues.


Festi in the rest of the top Turkish 7 2012-08 CBL data

We’ve already looked at TTNET, which pushed Turkey to the top of the spamming world in July 2012, and KOCNET, ditto in August. What about other Turkish ASNs? The next five are AS 12735 ASTURKNET, AS 12978 DOGAN-ONLINE, AS 16135 TURKCELL, AS 29179 KIBRISONLINE-AS, and AS 8517 ULAKNET, in the August rankings from both CBL and PSBL data. You guessed it: they’re all infested with Festi botnet, too.

[Figure: Festi Turkish top 7-2 June-August 2012 CBL data. Graph by John S. Quarterman for]


Spam externality cost ratio higher than stealing cars: what to do about that?

Spammers only make about $200 million a year, yet they cost everybody else around $20 billion a year, for an externality cost 100 times spam income. That turns out to be higher externality than stealing cars. What can we do about that?

Alexis C. Madrigal wrote for The Atlantic 7 August 2012, All the Spammers in the World May Only Make $200 Million a Year

Now, in a new paper in the Journal of Economic Perspectives, Justin Rao of Microsoft and David Reiley of Google (who met working at Yahoo) have teamed up to estimate the cost of spam to society relative to its worldwide revenues. The societal price tag comes to $20 billion. The revenue? A mere $200 million. As they note, that means that the “‘externality ratio’ of external costs to internal benefits for spam is around 100:1. Spammers are dumping a lot on society and reaping fairly little in return.” In case it’s not clear, this is a suboptimal situation.

Many activities impose costs on society that are not “internalized” by the firms or individuals. Air and water pollution are the paradigmatic examples. You get to drive your car around emitting particulates and various other smog-causing molecules that increase the cost of treating asthma and other illnesses for other people by a tiny bit.

Spam has a remarkably high externality ratio, not just relative to driving an automobile, but stealing one, too. Here’s a chart that Rao and Reiley include in their paper, which just looks at the direct costs of spam to end users (which they estimate at $14-$18 billion):

The article examines those costs more, and then gets to the point:

So what’s the way forward? The researchers gloss a variety of techniques like “attention bonds,” in which you’d be paid some tiny amount (say, $0.05) for reading unsolicited emails, and government interventions. But their preferred solution is to find ways to raise the cost of business for spammers, so that their campaigns become unprofitable.

“We advocate supplementing current technological anti-spam efforts with lower-level economic interventions at key choke points in the spam supply chain, such as legal intervention in payment processing, or even spam-the-spammers tactics,” they conclude. “By raising spam merchants’ operating costs, such countermeasures could cause many campaigns no longer to be profitable at the current marginal price of $20-50 per million emails.”

Interesting ideas, but legal intervention requires dealing with multiple legal regimes throughout the world, while spammers can shift from a botnet in one regime to another elsewhere. The Grum botnet takedown just demonstrated this: it was followed by a huge surge in spam from Festi botnet, including from Turkey, where even when one infested organization (TTNET) ejected Festi, spammers just moved to another (KOCNET). Oh, and Grum botnet is staging a comeback.

I would argue the first thing to do is to make it more obvious which organizations are infested by what, when, and where, as in, for example, the spam rankings in these posts. Reputation alone may then cause the infested organizations themselves to take action. At the least, long experience indicates that if nobody knows about such infestations, the infested organizations will not try to stop outbound spam, which they also consider an externality.


Festi pushes KOCNET to #1 in Turkey and #3 in the world

Festi botnet spam made KOCNET beat TTNET to #1 in Turkey for the first time ever in August 2012, in rankings from both CBL and PSBL data. While TTNET managed to stop most spam from Festi botnet, Festi spam from KOCNET massively ramped up.

[Figure: KOCNET July-August 2012. Graph by John S. Quarterman for]

Both ISPs hit a Festi low on 21 July, which raises the speculation that that low had nothing to do with infosec efforts by the ISPs, and more to do with something going on inside Festi. After that low, TTNET briefly started back up with Festi, but then dropped down. KOCNET just kept going up. Up so far that KOCNET made #3 in the world in rankings from CBL data and #4 in the world in rankings from PSBL data, pushing Turkey itself up to #4 (CBL) and #5 (PSBL).

TTNET had already pushed Turkey last month to #4 (CBL) and #6 (PSBL). It was Festi then, and it’s Festi now, but the lead Turkish ISP has changed: last month it was TTNET, this month it’s KOCNET. It’s a problem when a botnet parasite can just move on to a new host like that. Do TTNET and KOCNET even know this is happening?


Grum botnet is staging a comeback

Remember the apparently successful Grum botnet takedown? Well, Grum is staging a comeback. Sure, a few tens of thousands of spam messages in August 2012 doesn’t seem like much compared to the millions in Grum’s heyday in July 2012, yet those new numbers are clearly increasing.

[Figure: July, August 2012 Grum botnet top 10 ASNs]

Let’s compare the July 2012 Grum botnet top 10 ASNs to the August 2012 top 10. Still spewing spam from Grum in August were India’s AS 9829 BSNL-NIB (National Internet Backbone), Korea’s AS 4766 KIXS-AS-KR (Korea Telecom), and Vietnam’s AS 7643 VNPT-AS-VN (Vietnam Posts and Telecommunications, VNPT). Is there a pattern there? National government-sponsored Internet backbones don’t clean up their spam-spewing botnet act well?

Congratulations to those ASNs missing from the new top 10, which are


TTNET ejected Festi but still infested with Lethic and other botnets 2012-07,2012-08

Congratulations to Turkey's TTNET's AS 9121 for getting Festi botnet spam down from more than a million messages a day to less than 100,000!


However, Festi is still in there, and TTNET has other problems, as well, including Lethic, Cutwail, Waledac, Maazben, and even Grum(!) botnets, plus Sendsafe.
