Category Archives: Culture

John Quarterman on Mapping Spam and Politics (audio)

At a meeting on a completely different subject, I was interviewed about Here's the audio, and here's the blurb they supplied:

John S. Quarterman, long time Internet denizen, wrote one of the seminal books about networking prior to the commercialization of the Internet. He co-founded the first Internet consulting firm in Texas (TIC) in 1986, and co-founded one of the first ISPs in Austin (Zilker Internet Park, since sold to Jump Point). He was a founder of TISPA, the Texas ISP Association. Quarterman was born and raised in Lowndes County, where he married his wife Gretchen. They live on the same land where he grew up, and participate in local community and government.

Quarterman took some time during Georgia River Network's Weekend for Rivers to speak with the Nonprofit Snapshot about spam-mapping and small town politics.

More about Elinor Ostrom's Nobel-prize-winning work on organizing the commons, and how that applies to

The water organization has since been incorporated as the Georgia non-profit WWALS Watershed Coalition:

WWALS is an advocacy organization working for watershed conservation of the Willacoochee, Withlacoochee, Alapaha, and Little River Systems watershed in south Georgia and north Florida through awareness, environmental monitoring, and citizen advocacy.


Cultural Risk

Arkush.jpg Or risk as culture. Malcolm Gladwell writes in his book, Outliers:
The historian David Arkush once compared Russian and Chinese peasant proverbs, and the differences are striking. “If God does not bring it, the earth will not give it” is a typical Russian proverb. That’s the kind of fatalism and pessimism typical of a repressive feudal system, where peasants have no reason to believe in the efficacy of their own work. On the other hand, Arkush writes, Chinese proverbs are striking in their belief that “hard work, shrewd planning and self-reliance or cooperation with a small group will in time bring recompense.”

Here are some of the things that penniless peasants would say to one another as they worked three thousand hours a year in the baking heat and humidity of the Chinese rice paddies (which, by the way, are filled with leeches):

“No food without blood and sweat.”

“Farmers are busy; farmers are busy; if farmers weren’t busy, where would grain to get through the winter come from?”

“In winter, the lazy man freezes to death.”

“Don’t depend on heaven for food, but on your own two hands for carrying the load.”

“Useless to ask about the crops, it all depends on hard work and fertlizer.”

“If a man works hard, the land will not be lazy.”

And, most telling of all, “No one who can rise before dawn three hundred sixty days a year fails to make his family rich.”
As Gladwell points out, this is a bit of a different attitude to those of the nut-gathering !Kung or the medieval French peasant. Or, for that matter to the 40-hour-week office dweller. Any of them would consider working 360 days a year, which at even 8 hours a day is 2880 hours a year, to be hazardous to their health. But if you’re hand cultivating rice paddies, with your family, it’s a bigger risk not to work that hard.

Further Hardin Debunking

yacouba.jpg Regarding Perry’s comment to the previous post, the point is that the specific example on which Hardin based his thesis, the one everyone cites in support of it, is not borne out by the evidence, not that he presented any evidence for it in the first place.

Further, that it’s not a tragedy in the sense Hardin meant: that of a Greek tragedy in which a flaw of character inevitably leads to the demise of the protagonist. Individuals are not inevitably disposed to claw out their own at the expense of everyone else. Sometimes people realize that there really is such a thing as the common good; that benefiting everyone benefits themselves.

Yes, I know about the Sahara and the Sahel; I’ve been there; I’ve seen the goats gnawing away at everything.

The solution is not state central planning: you cite Chinese lakes; I’ll cite the Aral Sea.

The solution is also not privatization of the commons: look at the wildfires in the U.S. west exacerbated by subdivisions built in forests.

Solutions that work seem to involve combinations of innovation, education, and especially cooperation. Like this one:

In the late 1970s, when the problems of desertification, combined with population growth, drought and grinding poverty in West Africa first began to get sustained global attention, the prognosis was mostly gloom and doom. And as has been well documented, foreign aid has been less than successful in improving matters. In Yahenga, Reij and Fabore note, efforts to modernize agriculture through large-scale mechanized operations usually failed, for a variety of reasons. The spread of zai hole planting spearheaded by Sawadogo was mostly carried out by the local farmers themselves, with limited support from the government or foreign donors. Those with access to labor dug the holes, and used local sources of organic manure to fill them.

A tree grows in the Sahel, Andrew Leonard, How the World Works, Wednesday, Oct. 4, 2006 11:22 PDT

The “free market” isn’t enough. Cooperation on scales from local to global is also needed. And it does happen, despite Garrett Hardin’s myth that it can’t.


Silver Bullet Security Considered Harmful

Silver_Bullet.jpg In the comment discussion about Linus’s schedulers vs. security polemic, Iang mentioned a paper he’s writing:
We hypothesize that security is a good with insufficient information, and reject the assumption that security fits in the market for goods with asymmetric information. Security can be viewed as in a market where neither buyer nor seller has sufficient information to be able to make a rational buying decision. These characteristics lead to the arisal of a market in silver bullets as participants herd in search of best practices, a common set of goods that arises more to reduce the costs of externalities rather than achieve benefits in security itself.

The Market for Silver Bullets, by Ian Grigg, Systemics, Inc. $Revision: 1.27 $ $Date: 2005/11/05 18:25:54 $

Evidently security needs to find another precious metal for its bullets, given that the Storm Botnet is still out there after months, phishing becomes more expensive all the time, spam has killed electronic mail for a whole generation of users, and the best the monoculture OS vendor can come up with is a new release that attempts to push responsibility for all its bugs and design flaws back on the user.

What to do? Continue reading

Outrage at Outrage Management


So we were discussing Peter Sandman’s recommendations for outrage management, which mostly have to do with how to deal with management not doing something that you’ve given them rational reasons to do, because of some emotional resistance or other. The opposite problem also occurs: they believe you; they just don’t care. Then you could use some outrage.

Alex brings up two good points in the previous comments:

I’m afraid that outside of usefulness in those communications channels, I just would hesitate to use the term "Outrage". For example, creating "Outrage" metrics sounds like you’re working in hollywood publicity for Paris Hilton, not protecting business assets. 🙂

Yes, exactly, it’s usefulness in these communications channels, that is, with management, that emotion, up to and including outrage, has to be used and managed.

Continue reading

Non-Asymmetric Malware


Most exploits through the Internet have been relatively small guys (individuals, gangs, etc.) against big companies and governments. Yet they’re already using botnets to leverage their activity. What happens when botnets start connecting with other botnets via wireless?

Consider the following scenarios:

  • malware infected PCs actually opening a WiFi connection in a port-knocking nature to the wireless botnet master only
  • no need for wardriving, as malware authors would quickly map the entire WiFi vulnerable population around a given region in the age of malware geolocating IPs using commercial services
  • once a PC gets infected inside an organization, it can automatically turn into a wardriving zombie exposing vulnerable WiFi connections within
  • Bluetooth scanning plugins expose even more vulnerable Bluetooth-enabled devices in the range of the infected host

— Distributed WiFi Scanning Through Malware, by Dancho Danchev, @ Friday, August 24, 2007

It already wasn’t clear which side the asymmetry favored, since the bad guys use the full leverage of the Internet and the defenders mostly don’t. Now the bad guys can leverage the leverage of the Internet by also using local wireless connections to further interconnect.

Did we need more proof that there’s no such thing as a perimeter to fortify anymore?


Outrage Considered Useful

peter_sandman.jpg There’s a bit of comment discussion going on in Metricon Slides, and Viewed as PR about counting vs. selling, in which the major point of agreement seems to be that even at a metrics conference there weren’t a lot of metrics presented that were strategic and business-like.

Let’s assume for a moment that we have such metrics, and listen to Peter Sandman, whose website motto is Risk = Hazard + Outrage:

Sometimes, of course, senior management is as determined as you are to take safety seriously. And sometimes when it’s not, its reservations are sound: The risk is smaller than you’re claiming, or the evidence is weak, or the precautions are untested or too expensive. But what’s going on when a senior manager nixes your risk reduction recommendation even though you can prove that it’s cost-effective, a good business decision? Assume the boss isn’t too stupid to get it. If the evidence clearly supports the precautions you’re urging, and the boss isn’t dumb, why might the boss nonetheless have trouble assessing the evidence properly?

As a rule, when smart people act stupid, something emotional is usually getting in the way. I use the term “outrage” for the various emotion-laden factors that influence how we see risk. Whether or not a risk is actually dangerous, for example, we are all likely to react strongly if the risk is unfamiliar and unfair, and if the people behind it are untrustworthy and unresponsive. Factors like these, not the technical risk data, pretty much determine our response. Risk perception researchers can list the “outrage factors” that make people get upset about a risk even if it’s not very serious.

— The Boss’s Outrage (Part I): Talking with Top Management about Safety by Peter M. Sandman, The Peter Sandman Risk Communication Web Site, 7 January 2007

He goes on to outline several reasons management might get upset.

Continue reading

Interactive Fact

gibson.jpg William Gibson talking about a shoe that appears in his latest novel, Spook Country:
Wired: One of the details that leaped out at me was the Adidas GSG9, named for the German counterterrorism squad. I felt certain you’d invented the shoe, but then I Googled it.

Gibson: The Adidas GSG9s were the obvious choice for the thinking man’s ninja. Nothing I could make up could resonate in the same way. There’s code in name-checking the GSG9 history — esoteric meaning. Something that started with Pattern Recognition was that I†discovered I could Google the world of the novel. I began to regard it as a sort of extended text — hypertext pages hovering just outside the printed page. There have been threads on my Web site — readers Googling and finding my footprints. I still get people asking me about “the possibilities of interactive fiction,” and they seem to have no clue how we’re already so there.

Q&A: William Gibson Discusses Spook Country and Interactive Fiction, Warren Ellis, Wired, Email 07.24.07 | 2:00 AM

So true.

And not just for fiction. As blogs and the Daily Show have made clear, it’s silly for any political candidate or appointee to think any longer that they can like on video or the witness stand about documented facts, because it’s getting easier all the time to just google them. As YouTube has already demonstrated, such interactive reality can tip elections.

I wonder if this has anything to do with why some big companies are working on suppressing the Internet and Google has put its money where its mouth is in promoting open access.


Wildfire Myopia

smoke.gif It looks like technological security isn’t the only kind disorganized in government. The latest GAO report about wildfires seems like more smoke than fire:

This testimony summarizes several key actions that federal agencies need to complete or take to strengthen their management of the wildland fire program, including the need to (1) develop a long-term, cohesive strategy to reduce fuels and address wildland fire problems and (2) improve the management of their efforts to contain the costs of preparing for and responding to wildland fires.

For cost-containment efforts to be effective, the agencies need to integrate cost-containment goals with the other goals of the wildland fire program–such as protecting life, resources, and property–and to recognize that trade-offs will be needed to meet desired goals within the context of fiscal constraints.

— Wildland Fire Management: A Cohesive Strategy and Clear Cost-Containment Goals Are Needed for Federal Agencies to Manage Wildland Fire Activities Effectively, GAO-07-1017T, U.S. General Accounting Office, June 19, 2007

How about a strategy for integrating wildfire planning into subdivision planning, or cost allocations from homeowner wildfire insurance?

Continue reading

FISMA Failing

Shades of SOX complaints: the U.S. GAO reports that the Federal Information Security Management Act (FISMA) is failing:

When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect.

— Q&A: Federal info security isn’t just about FISMA compliance, auditor says, Most agencies still have security gaps, according to Gregory Wilshusen, by Jaikumar Vijayan Computerworld, June 14, 2007

Sounds like they haven’t implemented numerous simple security measures that were known before FISMA, they don’t have processes to do so, and they don’t adequately report what they’re doing, even with FISMA. What to do?

Continue reading