I’m giving a talk today at the Internet2 workshop on
Collaborative Data-Driven Security for High Performance Networks
at WUSTL, St. Louis, MO.
You can follow along
with the PDF.
There may be some twittering on #DDCSW.
-jsq
Aldo Cortesi channels Elinor Ostrom and summarizes what we need to fix Internet security by enticing the providers and users of the Internet to manage it as a commons. But first, some background.BN > BE + C
Since at least 1997 (“Is the Internet a Commons?” Matrix News, November 1997) I’ve been going on about how Garrett Hardin’s idea of the tragedy of the commons doesn’t have to apply to the Internet, because: Continue reading
Five years of the Anti-Phishing Working Group! Dave Jevans gave a retrospective, followed by country reports:
Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.
Russia: Second biggest global source of spam. Ecrime economy is ten times the si ze of the anti-ecrime industry, and that’s a problem.
Brazil: Most phishing is done locally. Is all organized crime.
I don’t want to go into too much detail, even though the bad guys don’t seem to need any help. APWG continues to climb the ecrimeware curve, catching up with th e miscreants.
Regarding
Perry’s comment to the previous post,
the point is that the specific example on which Hardin based his thesis,
the one everyone cites in support of it, is not borne out by the evidence,
not that he presented any evidence for it in the first place.
Further, that it’s not a tragedy in the sense Hardin meant: that of a Greek tragedy in which a flaw of character inevitably leads to the demise of the protagonist. Individuals are not inevitably disposed to claw out their own at the expense of everyone else. Sometimes people realize that there really is such a thing as the common good; that benefiting everyone benefits themselves.
Yes, I know about the Sahara and the Sahel; I’ve been there; I’ve seen the goats gnawing away at everything.
The solution is not state central planning: you cite Chinese lakes; I’ll cite the Aral Sea.
The solution is also not privatization of the commons: look at the wildfires in the U.S. west exacerbated by subdivisions built in forests.
Solutions that work seem to involve combinations of innovation, education, and especially cooperation. Like this one:
In the late 1970s, when the problems of desertification, combined with population growth, drought and grinding poverty in West Africa first began to get sustained global attention, the prognosis was mostly gloom and doom. And as has been well documented, foreign aid has been less than successful in improving matters. In Yahenga, Reij and Fabore note, efforts to modernize agriculture through large-scale mechanized operations usually failed, for a variety of reasons. The spread of zai hole planting spearheaded by Sawadogo was mostly carried out by the local farmers themselves, with limited support from the government or foreign donors. Those with access to labor dug the holes, and used local sources of organic manure to fill them.A tree grows in the Sahel, Andrew Leonard, How the World Works, Wednesday, Oct. 4, 2006 11:22 PDT
The “free market” isn’t enough. Cooperation on scales from local to global is also needed. And it does happen, despite Garrett Hardin’s myth that it can’t.
-jsq
Interesting article here making a point that should have been obvious for
forty years.
When Garrett Hardin published his famous article about the
“tragedy of the commons”
in Science in December 1968,
he cited no evidence whatsoever for his assertion that a commons
would always be overgrazed; that community-owned resources would always
be mismanaged.
Quite a bit of evidence was already available, but he ignored it,
because it said quite the opposite:
villagers would band together to manage their commons,
including setting limits (stints) on how many animals any villager could
graze, and they would enforce those limits.
Finding evidence for Hardin’s thesis is much harder:
The only significant cases of overstocking found by the leading modern expert on the English commons involved wealthy landowners who deliberately put too many animals onto the pasture in order to weaken their much poorer neighbours’ position in disputes over the enclosure (privatisation) of common lands (Neeson 1993: 156).So privatization is not, as so many disciples of Hardin have argued, the cure for the non-existant tragedy of the commons. Rather, privatization can be the enemy of the common management of common resources.Hardin assumed that peasant farmers are unable to change their behaviour in the face of certain disaster. But in the real world, small farmers, fishers and others have created their own institutions and rules for preserving resources and ensuring that the commons community survived through good years and bad.
Debunking the `Tragedy of the Commons’, By Ian Angus, Links, International Journal of Socialist Renewal, August 24, 2008
What does this have to do with risk management? Well, insurance is the creation of a managed commons by pooling resources. Catastrophe bonds are another form of pooled resources, that is, a form of a commons.
On the Internet, the big problem with fighting risks like phishing, pharming, spam, and DDoS attacks is that the victims will fail if they go it alone. The Internet is a commons, and pretending that it isn’t is the problem. Most people and companies don’t abuse the Internet. But a few, such as spam herders and some extremist copyright holders (MPAA, RIAA), do. They need to be given stints by the village.
-jsq
As
expected,
the
FCC approved more media consolidation, this time of newspapers and TV stations.
That’s one approach to disruptions in a market:
game the regulatory apparatus to permit consolidation of two failing industries
(even though one of them, the one being bought, newspapers,
is still hugely profitable).
There’s another approach, from the wilds of south Georgia:
The statewide papers from Atlanta and Jacksonville have pulled out of this market back to their own communities leaving a void of state and national news from a print media. When I was growing up, The Atlanta Journal “covered Dixie like the dew” and the Atlanta Constitution covered Atlanta. Today the “dew” stops in Macon and the Journal is now just the Constitution. The Florida Times-Union several years ago started the Georgia Times-Union with distribution across the bottom third of our state. Now, with the pullback coming soon, their distribution will be limited to Southeast Georgia or east of Waycross.So what does this small city newspaper do? Run to Congress or the state legislature to let it merge with a TV station? Nope: Continue reading— From the publisher: Disruptions are opportunities, By Sandy Sanders, Valdosta Daily Times, Published December 09, 2007 01:28 am –
Colleges and universities often provide residential networks (resnets)
for their students.
There are companies that do that,
such as
Apogee Networks,
plus value added services such as patching, installing, and configuring
secure and virus-free software.
Last-mile ISPs could do that too.
They could go farther: they could detect, clean, and insure home machines.
Now they may not want to do this because they might incur legal liability. But that’s what insurance is for. And they might not want to do it because it’s not their core competence. But they could offer such services through a third party. Why don’t they?
-jsq
Mostly increased monitoring provokes privacy concerns.
But what if it’s objects that are being monitored?
Carolinas HealthCare System (CHS), the third-largest public healthcare system in the US, has completed the first phase of an asset tracking program that is believed to be one of the largest healthcare real-time location system (RTLS) deployments in the US. Currently about 5,000 assets are being tracked over 1.4 million square feet at five facilities.
CHS plans to extend the WiFi-based RTLS system throughout its network, which includes 15 hospitals and medical centers in the Carolinas. Additional facilities totaling about 3 million square feet are scheduled to go live by the end of the quarter.
"As a healthcare organization, we’re required to upgrade or perform preventive maintenance regularly on medical equipment," Clay Fisher, director of information service at Carolinas HealthSystem, told RFID Update. "Imagine trying to find one specific IV pump when you have thousands of them across multiple facilities. We have reduced our ‘time-to-find’ for individual pieces of equipment from hours to less than ten minutes."
— Carolinas HealthCare Launches Huge RTLS System, RFID Update, Tuesday October 9th, 2007
One odd side effect is that CHS says if your wireless network isn’t configured for VoIP, you should add that, because then it will have enough coverage to do RTLS.
Now if they can find a way to track patient orders between nursing shifts, and which doctors sign off on drugs without seeing their patients….
-jsq
Well, not quite yet, but this could be the start:
“It is learnt that taking advantage of the inability of the Myanmar military junta to provide satisfactory and affordable mobile phone services in the Shan State and the Kachin State areas of North Myanmar, Chinese companies have been operating mobile phone services in Yunnan for the benefit of the people of North Myanmar.”This bears watching, also because while I’ve been predicting the U.S. may end up buying fast Internet access from Japanese companies, just like cars, actually it could be Chinese companies.— Chinese Mobile Phone Services in North Myanmar, By B. Raman, Paper no. 2470, South Asia Analysis Group, 21-Nov.-2007, quoted in Lots More Reasons Why China is the New America, By Bruce Sterling, Beyond the Beyond, Wired Blogs, November 23, 2007 | 8:35:27 AM
-jsq
How to get rich quick through ecrime:
This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from "hacking for fun" to "hacking for profit" has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.
— An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage. Proc. ACM CCS, October 2007.
How to stop it? Law enforcement is good, but insufficient. Ditto traditional technological Internet security methods. We already knew that. What now?
Real progress will be made by disrupting the criminal economy by poisoning trust. Read the paper for the authors’ suggestions of Sybil attacks and slander attacks. Make the criminals’ identities unreliable and poison their reputations.
This is considered the paper of the year by some prominent computer security professionals, and for good reason.
-jsq