Category Archives: Insurance

Transparency in Rome

Here’s my presentation, Transparency as Incentive for Internet Security: Organizational Layers for Reputation, from RIPE 61 in Rome. This presentation summarizes the two previous RIPE Labs papers about proposed new organizational layers and outbound spam ranking experiments.

RIPE-NCC is the oldest of the Regional Internet Registries (RIRs), and RIPE is the deliberately unorganized association of interested parties that meets twice a year and holds discussions online in between. It’s a mix of operations, research, and socializing. Topics range from obscure details of deploying IPv6 to organizational proposals such as what I was talking about. 430 people attended the meeting in Rome, which was quite a few more than the dozen or two of the first RIPE meeting I went to many years ago.

Interesting questions were asked. I may blog some of them.


Outbound Spam Ranking Experiments

Should Uganda Telecom be counted as a Belgian ISP for outbound spam rankings?

Which matters most: history, topology, business headquarters location, or some other criterion?

These are some questions that come up in designing experiments in rolling out a reputation system for outbound spam. More on this in the RIPE Labs article (8 Nov 2010), Internet Reputation Experiments for Better Security.

Such experiments can draw on fifty years of social science research and literature, first crystalized as Social Comparison Theory by Leon Festinger in 1954, that indicate that making personal reputation transparent changes personal behavior. More recent research indicates that the same applies to organizations. Using anti-spam blocklist data, it is possible to make E-Mail Service Provider (ESP) behavior (banks, stores, universities, etc., not just ISPs) in preventing or stopping outbound spam transparent, and this paper is about experiments to see how the resulting reputation actually changes ESP behavior.


Organizing the Cloud Against Spam

In RIPE Labs, here’s a paper on Internet Cloud Layers for Economic Incentives for Internet Security by the IIAR Project (I’m the lead author). Anti-spam blocklists and law enforcement are some Internet organizational layers attempting to deal with the plague of spam, so far reaching a standoff where most users don’t see most spam, yet service providers spend large amounts of computing and people resources blocking it.
The root of the ecrime problem is not technology: it is money.
Continue reading

Data, Reputation, and Certification Against Spam

I’m giving a talk today at the Internet2 workshop on Collaborative Data-Driven Security for High Performance Networks at WUSTL, St. Louis, MO. You can follow along with the PDF.

There may be some twittering on #DDCSW.


ResNet for the Home: Why Don’t Last-Mile ISPs Detect, Clean, and Insure Home Machines?

resnet.jpg Colleges and universities often provide residential networks (resnets) for their students. There are companies that do that, such as Apogee Networks, plus value added services such as patching, installing, and configuring secure and virus-free software. Last-mile ISPs could do that too. They could go farther: they could detect, clean, and insure home machines.

Now they may not want to do this because they might incur legal liability. But that’s what insurance is for. And they might not want to do it because it’s not their core competence. But they could offer such services through a third party. Why don’t they?


Boutique Wildfire Insurance

aigtrucks.jpg Of course it’s AIG offering this:

In 2005 the loss prevention experts at AIG Private Client Group created the first-ever personal wildfire protection program. This groundbreaking service is available exclusively to AIG Private Client Group policyholders who reside in designated response zones in the western U.S.

Wildfire Protection Unit®, Exclusively for AIG Private Client Group Policyholders, AIG Private Client Group, accessed 9 October 2007

If you guessed that Aspen and Vail were among the designated response zones, you guessed correctly! And Los Altos and Beverly Hills. Good old AIG: charge what the traffic will bear and see if there’s a market.

They have a similar hurricane protection unit.

Continue reading

Common Sense Lacking for Big Perils such as Georgia Hurricane or WorstCase Worm

KClark.jpg Why it’s not good to depend on common sense for really big perils:
The models these companies created differed from peril to peril, but they all had one thing in common: they accepted that the past was an imperfect guide to the future. No hurricane has hit the coast of Georgia, for instance, since detailed records have been kept. And so if you relied solely on the past, you would predict that no hurricane ever will hit the Georgia coast. But that makes no sense: the coastline above, in South Carolina, and below, in Florida, has been ravaged by storms. You are dealing with a physical process, says Robert Muir-Wood, the chief scientist for R.M.S. There is no physical reason why Georgia has not been hit. Georgias just been lucky. To evaluate the threat to a Georgia beach house, you need to see through Georgias luck. To do this, the R.M.S. modeler creates a history that never happened: he uses what he knows about actual hurricanes, plus what he knows about the forces that create and fuel hurricanes, to invent a 100,000-year history of hurricanes. Real history serves as a guide it enables him to see, for instance, that the odds of big hurricanes making landfall north of Cape Hatteras are far below the odds of them striking south of Cape Hatteras. It allows him to assign different odds to different stretches of coastline without making the random distinctions that actual hurricanes have made in the last 100 years. Generate a few hundred thousand hurricanes, and you generate not only dozens of massive hurricanes that hit Georgia but also a few that hit, say, Rhode Island.

In Nature’s Casino, By Michael Lewis, New York Times, August 26, 2007

And of course a hurricane did hit the Georgia coast before detailed records were kept, in 1898. The article notes that before Hurricane Andrew, insurers believed that a Florida hurricane would cost max a few billion. The actual cost was more like $15.5 billion, predicted only by one woman: Karen Clark, founder of A.I.R.

Sure, the Georgia coast doesn’t have any single concentration of wealth like Miami. But it does have a swath of wealth that could be taken down by a single storm. And complacent owners who think it can’t ever happen, just like people in Thailand didn’t believe Smith Dharmasaroja before the 2004 Tsunami.

Meanwhile, on the Internet, the few insurers of Internet business continuity are winging it and most companies have no insurance at all, despite online crime becoming increasingly sophisticated, leveraging the global reach of the Internet, and the possibility of a global worm that could cause $100 billion damage still being out there.

-jsq .

To Insure or Not to Insure?

firewallmovie.jpg Iang reminds me that it was on his blog, Financial Cryptography, that I saw the rough estimate of how much an identity theft costs, that is, about $1,000.

He follows up on my post of yesterday about LifeLock, discussing a company called Integrity which insures identities in Second Life. Or, actually, insures any lawsuits resulting from "inappropriate content", whatever that is.

Then he gets to the real quesion:

How viable is this model? The first thing would be to ask: can’t we fix the underlying problem? For identity theft, apparently not, Americans want their identity system because it gives them their credit system, and there aren’t too many Americans out there that would give up the right to drive their latest SUV out of the forecourt.

On the other hand, a potential liability issue within a game would seem to be something that could be solved. After all, the game operator has all the control, and all the players are within their reach. Tonight’s pop-quiz: Any suggestions on how to solve the potential for large/class-action suits circling around dodgy characters and identity?

If Insurance is the Answer to Identity, what’s the Question?, Iang, Financial Cryptography, September 11, 2007

This wraps right around to the original reaction of the person from whom I heard it (hi, Anne Marie) on a list that is silent.

I have several thoughts about this:

Continue reading

Identity Theft as Marketing Opportunity

Since identity thieves are making many people worried about losing control of their identities, of course somebody has found a way to cash in on all that free publicity:
By now you’ve heard the stories about Americans whose identities have been stolen. They’re not pretty…people working for hundreds of hours over many years to get their lives back in order, kids not getting student loans because someone has already ruined their credit, people losing homes because thieves placed mortgages they never knew existed, even innocent individuals ending up in jail.

LifeLock can keep this from happening to you and we guarantee our service up to $1,000,000.


I seem to recall reading that the typical identity theft is only worth $1,000, but nevermind that.

Look who recommends it:

You’ve heard Rush Limbaugh, Paul Harvey, Dr. Laura, Sean Hannity, Howard Stern, Dr. Joy and others endorse us.
Well! None of those people would ever sell pure fear, would they?

I have to give them credit for honesty, though: LifeLock admits right out that the main four preventive things they do you could do for yourself. Beyond that, the main substance they seem to offer is essentially an insurance package:

If your Identity is stolen while you are our client, we’re going to do whatever it takes to recover your good name. If you need lawyers, we’re going to hire the best we can find. If you need investigators, accountants, case managers, whatever, they’re yours. If you lose money as a result of the theft, we’re going to give it back to you.
For $110/year or $10/month, is such an insurance policy overpriced, underpriced, or what?


Brooklyn Tornado


How soon they forget:

It wasn’t just the tornado in Brooklyn — the first in recorded history in the borough — it was the huge quantities of rain that flooded basements and stranded rail and road commuters from Mineola to Midtown.

End of the world as we know it? By Carl Macgowan, Newsday, 10:51 PM EDT, August 8, 2007

Sounds kind of like "who could have predicted it?"

Continue reading