Category Archives: Distributed Participation

APWG Atlanta Buckhead

Five years of the Anti-Phishing Working Group! Dave Jevans gave a retrospective, followed by country reports:

Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.

Russia: Second biggest global source of spam. Ecrime economy is ten times the size of the anti-ecrime industry, and that’s a problem.

Brazil: Most phishing is done locally. Is all organized crime.

I don’t want to go into too much detail, even though the bad guys don’t seem to need any help. APWG continues to climb the ecrimeware curve, catching up with the miscreants.

Further Hardin Debunking

Regarding Perry’s comment to the previous post, the point is that the specific example on which Hardin based his thesis, the one everyone cites in support of it, is not borne out by the evidence, not that he presented any evidence for it in the first place.

Further, that it’s not a tragedy in the sense Hardin meant: that of a Greek tragedy in which a flaw of character inevitably leads to the demise of the protagonist. Individuals are not inevitably disposed to claw out their own at the expense of everyone else. Sometimes people realize that there really is such a thing as the common good; that benefiting everyone benefits themselves.

Yes, I know about the Sahara and the Sahel; I’ve been there; I’ve seen the goats gnawing away at everything.

The solution is not state central planning: you cite Chinese lakes; I’ll cite the Aral Sea.

The solution is also not privatization of the commons: look at the wildfires in the U.S. west exacerbated by subdivisions built in forests.

Solutions that work seem to involve combinations of innovation, education, and especially cooperation. Like this one:

In the late 1970s, when the problems of desertification, combined with population growth, drought and grinding poverty in West Africa first began to get sustained global attention, the prognosis was mostly gloom and doom. And as has been well documented, foreign aid has been less than successful in improving matters. In Yahenga, Reij and Fabore note, efforts to modernize agriculture through large-scale mechanized operations usually failed, for a variety of reasons. The spread of zai hole planting spearheaded by Sawadogo was mostly carried out by the local farmers themselves, with limited support from the government or foreign donors. Those with access to labor dug the holes, and used local sources of organic manure to fill them.

A tree grows in the Sahel, Andrew Leonard, How the World Works, Wednesday, Oct. 4, 2006 11:22 PDT

The “free market” isn’t enough. Cooperation on scales from local to global is also needed. And it does happen, despite Garrett Hardin’s myth that it can’t.

-jsq

Debunking the Tragedy of the Commons

Interesting article here making a point that should have been obvious for forty years. When Garrett Hardin published his famous article about the “tragedy of the commons” in Science in December 1968, he cited no evidence whatsoever for his assertion that a commons would always be overgrazed; that community-owned resources would always be mismanaged. Quite a bit of evidence was already available, but he ignored it, because it said quite the opposite: villagers would band together to manage their commons, including setting limits (stints) on how many animals any villager could graze, and they would enforce those limits.

Finding evidence for Hardin’s thesis is much harder:

The only significant cases of overstocking found by the leading modern expert on the English commons involved wealthy landowners who deliberately put too many animals onto the pasture in order to weaken their much poorer neighbours’ position in disputes over the enclosure (privatisation) of common lands (Neeson 1993: 156).

Hardin assumed that peasant farmers are unable to change their behaviour in the face of certain disaster. But in the real world, small farmers, fishers and others have created their own institutions and rules for preserving resources and ensuring that the commons community survived through good years and bad.

Debunking the ‘Tragedy of the Commons’, By Ian Angus, Links, International Journal of Socialist Renewal, August 24, 2008

So privatization is not, as so many disciples of Hardin have argued, the cure for the non-existent tragedy of the commons. Rather, privatization can be the enemy of the common management of common resources.

What does this have to do with risk management? Well, insurance is the creation of a managed commons by pooling resources. Catastrophe bonds are another form of pooled resources, that is, a form of a commons.

On the Internet, the big problem with fighting risks like phishing, pharming, spam, and DDoS attacks is that the victims will fail if they go it alone. The Internet is a commons, and pretending that it isn’t is the problem. Most people and companies don’t abuse the Internet. But a few, such as spam herders and some extremist copyright holders (MPAA, RIAA), do. They need to be given stints by the village.

-jsq

Tokyo in May: CeCOS II

26-27 May 2008 in Tokyo:
The second annual Counter-eCrime Operations Summit (CeCOS II) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year’s meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.

Counter-eCrime Operations Summit II, APWG Japan, 2008

The Anti-Phishing Working Group continues to expand via national associates, and to put on good workshops.

-jsq

Media Security: Consolidation or Diversity?

Despite a unanimous vote of the Senate Commerce Committee to delay, and a direct question from one of its members (not to mention overwhelming opposition in meetings across the country), FCC Chairman Kevin Martin plans to go ahead with the media consolidation vote scheduled for tomorrow, 18 December, which, given the 3-2 Republican-Democrat makeup of the Commission, will almost certainly result in more media consolidation.
Not only John Kerry, but even Trent Lott and Ted Stevens spoke against Martin’s plan. Martin, pretending not to know that newspapers are one of the most profitable industries (and nobody on the Commerce Committee thought to ask him directly whether he knew that; they only asked him if he had seen a specific report that said that), claims that the only way to save newspapers is to let them buy television stations. The New York Times published Martin’s op-ed to this effect. (Today the Times did at least publish their own editorial criticizing his position.)

Meanwhile, three members of the House Judiciary Committee have written an op-ed calling for the impeachment of vice-president Cheney, and no major newspaper will carry it, even though one of them, Wexler of Florida, collected more than 50,000 names for it over one weekend (up to 77,000 as of this writing).

Were it left to me to decide whether we should have a government without newspapers, or newspapers without a government, I should not hesitate a moment to prefer the latter.

Letter to Nathaniel Macon, Thomas Jefferson, January 12, 1819

What would Jefferson have thought about newspapers that wouldn’t publish a call for impeachment by members of the committee that is supposed to bring such charges? And why, given such a press, is anyone even considering more media consolidation? Which is better for the security of the Republic: more media consolidation or less?

-jsq

Chinese Honeynet Project: Botnets Are Sneaky and Evolving; Need Adaptive Distributed Counter

The subject is my interpretation of a sixteen page paper by a joint Chinese-German project to examine botnets in China.
Botnets have become the first-choice attack platform for network-based attacks during the last few years. These networks pose a severe threat to normal operations of the public Internet and affect many Internet users. With the help of a distributed and fully-automated botnet measurement system, we were able to discover and track 3,290 botnets during a period of almost twelve months.

Characterizing the IRC-based Botnet Phenomenon, Jianwei Zhuge, Thorsten Holz, Xinhui Han, Jinpeng Guo, and Wei Zou; Peking University Institute of Computer Science and Technology, Beijing, China, and University of Mannheim Laboratory for Dependable Distributed Systems, Mannheim, Germany; Reihe Informatik TR-2007-010

The paper provides many interesting statistics, such as only a small percent of botnets are detected by the usual Internet security companies. But the main point is exactly that a distributed and adaptive honeypot botnet detection network was able to detect and observe botnets in action and to get data for all those statistics. Trying to deal with an international adaptive botnet threat via static software or occasional centralized patches isn’t going to work.

Some readers conclude that this paper shows that reputation services don’t work, because they don’t show most botnets. I conclude that current reputation services don’t work because they aren’t using an adaptive distributed honeypot network to get their information, and because their published reputation information isn’t tied to economic incentives for the affected ISPs and software vendors, such as higher insurance rates.

-jsq

Bot Buyin

Bruce, seeing that the Storm Worm has sprouted stock tout popups on its own bots:
I’m guessing the next step is to contact Storm bot victims directly and ask them to join the Storm Network voluntarily. After all, if you obeyed that Storm spam pop-up, you cashed in; and this would be a valuable opportunity to become a foot-soldier in the biggest online organized-crime outfit ever.

Storm Worm spams its own bots, By Bruce Sterling, Beyond the Beyond, November 15, 2007 | 11:34:00 AM

Having proved that it can infect much of the Internet and the alleged security professionals can do nothing about it, Storm now bids to get its victims to join it?

-jsq

Free Burma!

Well, I hadn’t been planning on posting more on the Myanmar or Burma situation, but within minutes of my posting yesterday, the Free Burma folks found my post and commented on it with a link back to their site.

I’ve got to admire their quick use of the Internet to amplify their activism. Their web pages say they only started Sunday. Looks like some of their supporters are actually astroturf web sites, but that just goes with the territory. Also, a lot of people can’t type in their own web addresses correctly. However, they’ve collected a dozen more supporters while I’ve been typing this.

So, how could I refuse to post again on their requested date, which happened to be today?

-jsq

Simply Switched Off the Internet: Myanmar Junta v. Bloggers

When blogging is a revolutionary act:
Internet geeks share a common style, and Ko Latt and his four friends would not be out of place in cyber cafés across the world. They have the skinny arms and the long hair, the dark T-shirts and the jokey nicknames. But few such figures have ever taken the risks that they have in the past few weeks, or achieved so much in a noble and dangerous cause.

Since last month Ko Latt, 28, his friends Arca, Eye, Sun and Superman, and scores of others like them have been the third pillar of Burma’s Saffron Revolution. While the veteran democracy activists, and then the Buddhist monks, marched in their tens of thousands against the military regime, it is the country’s amateur bloggers and internet enthusiasts who have brought the images to the outside world.

Armed with small digital cameras, they have documented the spectacular growth of the demonstrations from crowds of a few hundred to as many as 100,000. On weblogs they have recorded in words and pictures the regime’s bloody crackdown, in a city where only a handful of foreign journalists work undercover. With downloaded software, they have dodged and weaved around the regime’s increasingly desperate attempts to thwart their work. Now the bloggers, too, have been crushed. Having failed to stop the cyber-dissidents broadcasting to the world, the authorities have simply switched off the internet.

Bloggers who risked all to reveal the junta’s brutal crackdown in Burma, by Kenneth Denby, The Times, 1 October 2007

Unfortunately for the bloggers, they all had to register with the government to be allowed to blog in the first place. If the junta falls, they’ll be heroes. If it survives, they’ll probably be dead.

This is not the first time.

Mortgage Confusopoly Disintermediated

Adam Shostack finds a company disintermediating the other half of the house buying confusopoly, mortgages:
SmartHippo today launched the public beta version of the first ever web site that allows individuals to use the power of a community to save money and make better decisions when shopping for rates on financial products and services.

“The lending industry is in a state of transformation,” said George Favvas, President of SmartHippo, “and consumers are demanding more control and transparency in their dealings with banks and mortgage companies.”

SmartHippo allows any individual to post information and feedback on the rate they received, and to compare rates with other members of the community with similar profiles. This lessens the chance of consumers with the same lending and risk profile getting different rates on the same loan, which can happen currently.

SmartHippo.com Launches World’s First Community Comparison Shopping Site for Financial Services at TechCrunch40 Event; Founding Participating Banks Include QuickenLoans and Bank of Internet, PRWeb, 17 Sept 2007

This is different from companies like LendingTree that already facilitate getting multiple bids for mortgages in that SmartHippo lets mortgage customers comment on their experiences. Participatory, if you will.

-jsq