Category Archives: Business

ResNet for the Home: Why Don’t Last-Mile ISPs Detect, Clean, and Insure Home Machines?

Colleges and universities often provide residential networks (resnets) for their students. There are companies that do that, such as Apogee Networks, offering value-added services such as patching, installing, and configuring secure and virus-free software. Last-mile ISPs could do that too. They could go farther: they could detect, clean, and insure home machines.

Now they may not want to do this because they might incur legal liability. But that’s what insurance is for. And they might not want to do it because it’s not their core competence. But they could offer such services through a third party. Why don’t they?

-jsq

Bot Buyin

Bruce, seeing that the Storm Worm has sprouted stock tout popups on its own bots:
(((I’m guessing the next step is to contact Storm bot victims directly and ask them to join the Storm Network voluntarily. After all, if you obeyed that Storm spam pop-up, you cashed in; and this would be a valuable opportunity to become a foot-soldier in the biggest online organized-crime outfit ever.)))

Storm Worm spams its own bots, By Bruce Sterling, Beyond the Beyond, November 15, 2007 | 11:34:00 AM

Having proved that it can infect much of the Internet and the alleged security professionals can do nothing about it, Storm now bids to get its victims to join it?

-jsq

Privacy and Breach Reporting

Why do corporations and the government think we should trust them with everything, yet they shouldn’t even have to report security breaches?

Adam notes that the Commission on Cyber Security is currently meeting “to provide advice about cyber-security policy to the next presidential administration.” Adam has a recommendation:

Many of our fears about what happens after a company is breached have turned out to be false. This is the first key lesson. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)

The second lesson comes from studying the data. The dataloss list contains less selection bias about a broader set of incidents than any other public data I’ve ever seen.

So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.

How Government Can Improve Cyber-Security, by Adam Shostack, Emergent Chaos, 12 Nov 2007

This would be a big improvement.

-jsq

Wealth of Internet Miscreants: Beyond Law Enforcement to Disrupting the Criminal Economy

How to get rich quick through ecrime:

This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from "hacking for fun" to "hacking for profit" has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage. Proc. ACM CCS, October 2007.

How to stop it? Law enforcement is good, but insufficient. Ditto traditional technological Internet security methods. We already knew that. What now?

Real progress will be made by disrupting the criminal economy by poisoning trust. Read the paper for the authors’ suggestions of Sybil attacks and slander attacks. Make the criminals’ identities unreliable and poison their reputations.

This is considered the paper of the year by some prominent computer security professionals, and for good reason.

-jsq

Antitrust and Microsoft: Still on the Table?

More time to determine whether Microsoft has a monopoly?

Microsoft, state prosecutors, and the U.S. Department of Justice on Tuesday said a federal judge needs more time to weigh whether Redmond should be subjected to a lengthier period of antitrust policing.

In a joint filing with U.S. District Judge Colleen Kollar-Kotelly, who has been overseeing Microsoft’s antitrust compliance, they asked for a soon-to-expire oversight period to be temporarily extended until at latest January 31, 2008. That way, the judge will have more time to weigh the merits of last-minute pleas from a number of state prosecutors to add another five years to the oversight regime.

Right now, most of Microsoft’s 2002 consent decree with the Bush administration is set to expire November 12. One small portion, related to a communications protocol licensing program that has encountered numerous delays since its inception, has already been extended through November 2009.

U.S.-Microsoft antitrust deal to get temporary extension, by Anne Broache, C|Net News.com News blog, October 30, 2007 2:24 PM PDT

The story says the judge and Microsoft are expected to agree to the extension. Not surprisingly, there’s an objection from a different quarter:

The Justice Department has already said it doesn’t believe there’s any need to extend the oversight period and that the agreement with Redmond has been working as designed.

It’s state prosecutors from 10 states who are driving this extension.

These days we don’t have Teddy Roosevelt to bust trusts, nor even William Howard Taft, whose Department of Justice started 80 antitrust lawsuits. Maybe the states can do it.

-jsq

Better Products Bootstrap

Gunnar notes the formation of a software vendor security best practices consortium and asks:
Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products, services and share best practices in the software security space?

Secure Coding Advocacy Group, Gunnar Peterson, 1 Raindrop, 23 October 2007

Yes, if the customers demanded it, that might make some difference, and the vendors do pay the most attention to the biggest customers. Of course the biggest customer is the U.S. government, and they seem more interested in CYA than in actual security. And I’m a bit jaded on “best practices” due to reading Black Swans. But regardless of the specific form of better such a group demanded, demanding better security might make some difference.

Maybe they could also demand risk management, which would include having watchers watching ipsos custodes. Not just in the circular never-ending hamster wheel of death style, but for actual improvement.

-jsq

Chinese Firewall Viewed as Vacuum

In addition to the Chinese national firewall being used as a Panopticon that encourages self-censorship, other uses are now emerging:
Further to our earlier story on visitors to Google Blogsearch being redirected to Baidu in China, new reports have surfaced that would indicate that China has unilaterally blocked all three major search engines in China and is redirecting all requests to Baidu.

Cyberwar: China Declares War On Western Search Sites, by Duncan Riley, TechCrunch, 18 October 2007

Sort of an involuntary proxy, going somewhere other than where you thought.

Note the distinction between censorship and this new action:

…the redirect to Baidu would indicate an economic motive; if the Chinese Government were serious about censorship alone we would have reports of page not found/ blocked messages, not redirects to Baidu. The Chinese Government is clearly using its censorship regime to the economic benefit of a Chinese owned (but NASDAQ listed) company.

And also remember that there are U.S. government sponsored web panopticon projects. Research only so far, or so far as we know.

-jsq

PS: Seen on Dancho Danchev’s blog.

RIAA Money Pit

RIAA demonstrates how not only to alienate customers by suing them, but to lose money while doing so:

During an occasionally testy cross examination, a Sony executive said what many observers have suspected for a long time. The RIAA’s four-year-old lawsuit campaign is costing the music industry millions of dollars and is a big money-loser for the record labels. The revelation came during the first day of Capitol Records v. Jammie Thomas, the first file-sharing case to go to trial (it was formerly known as Virgin v. Thomas, but the sole Virgin Records track was stricken from the complaint, making Capitol Records the lead plaintiff).

RIAA anti-P2P campaign a real money pit, according to testimony, By Eric Bangeman, ars technica, October 02, 2007 – 11:40PM CT

I don’t quite understand how this is good for anybody, except maybe iTunes. As risk management goes, it’s about as negative as it gets.

-jsq

Silver Bullet Security Considered Harmful

In the comment discussion about Linus’s schedulers vs. security polemic, Iang mentioned a paper he’s writing:
We hypothesize that security is a good with insufficient information, and reject the assumption that security fits in the market for goods with asymmetric information. Security can be viewed as in a market where neither buyer nor seller has sufficient information to be able to make a rational buying decision. These characteristics lead to the arisal of a market in silver bullets as participants herd in search of best practices, a common set of goods that arises more to reduce the costs of externalities rather than achieve benefits in security itself.

The Market for Silver Bullets, by Ian Grigg, Systemics, Inc. $Revision: 1.27 $ $Date: 2005/11/05 18:25:54 $

Evidently security needs to find another precious metal for its bullets, given that the Storm Botnet is still out there after months, phishing becomes more expensive all the time, spam has killed electronic mail for a whole generation of users, and the best the monoculture OS vendor can come up with is a new release that attempts to push responsibility for all its bugs and design flaws back on the user.

What to do?

HelpJet: Disaster Evacuation in Style

AIG may sell boutique wildfire insurance, but that’s nothing on HelpJet:
The new service from West Palm Beach-based Galaxy Aviation guarantees its well-heeled members a seat on a chartered jet out of the hurricane zone, reserves five-star hotel rooms and limousine transfers and rolls out a red carpet — literally.

“We call it evacuation in style,” said Brian Rems, who came up with the HelpJet concept.

Hurricane Victims Can Evacuate in Style, By MATT SEDENSKY, Associated Press Writer Saturday, September 16, 2006

Naomi Klein points out the flip side:
For the people left behind, there is a different kind of privatized solution. In 2006, the Red Cross signed a new disaster-response partnership with Wal-Mart. “It’s all going to be private enterprise before it’s over,” said Billy Wagner, chief of emergency management for the Florida Keys. “They’ve got the expertise. They’ve got the resources.” He was speaking at the National Hurricane Conference in Orlando, Florida, a fast-growing annual trade show for the companies selling everything that might come in handy during the next disaster.

Disaster Capitalism: The new economy of catastrophe, By Naomi Klein, Harper’s Magazine, September 8, 2007

So what are we looking at here? Clever entrepreneurs seeing a market need and filling it? Or the calculated privatization of every government function (Klein)? More to the point, is it good risk management?

Oh, and is there really money in it? www.HelpJet.us currently is all about Galaxy Aviation, and doesn’t say Help Jet anywhere, nor does it mention the kinds of services Help Jet was selling. (I’m pretty sure that’s the right URL, since Google still shows old initial text for about.html as “Not any more with Help Jet, the world’s first hurricane escape plan that turns a hurricane evacuation into a jet-setter vacation. Here’s how Help Jet works. …”) Meanwhile, AIG has been known to start a line of insurance just to see if it will sell.

-jsq