Category Archives: Internet risk management strategies

Darknet v. Botnet

In Moving Ahead in the War Against Botnets, 12 Sep 2006, the blogger Darknet comments on an article reporting that Gadi Evron, manager of the Israeli CERT, had started a public mailing list back in March:
Over the last year, the group has done its work quietly on closed, invite-only mailing lists. Now, Evron has launched a public, open mailing list to enlist the general public to help report botnet C&C servers.

The new mailing list will serve as a place to discuss detection techniques, report botnets, pass information to the relevant private groups and automatically notify the relevant ISPs of command-and-control sightings.

Hunt Intensifies for Botnet Command & Controls By Ryan Naraine, EWeek March 2, 2006

This is a good example of collective action against aggregate damage.

The same article quotes Dan Hubbard about Websense’s botnet-spotting features in its products. This is a good example of how commercial products can complement free, collective activities such as mailing lists.

-jsq

PS: Thanks to Wendy Nather for this one.

Costs Less, Works Better!

Another confusopoly, the very agent of confusion used by other confusopolies, is being affected by the Internet:

What Wanamaker [the inventor of modern mass-market advertising] could not have foreseen, however, was the internet. A bevy of entrepreneurial firms—from Google, the world’s most valuable online advertising agency disguised as a web-search engine, to tiny Silicon Valley upstarts, many of them only months old—are now selling advertisers new tools to reduce waste. These come in many exotic forms, but they have one thing in common: a desire to replace the old approach to advertising, in which advertisers pay for the privilege of “exposing” a theoretical audience to their message, with one in which advertisers pay only for real and measurable actions by consumers, such as clicking on a web link, sharing a video, placing a call, printing a coupon or buying something.

Internet advertising: The ultimate marketing machine, Jul 6th 2006, from The Economist print edition

For example, Google made $6.1 billion last year on online contextual advertising, which pays Google only when the reader clicks on the ad.


Another Confusopoly Disintermediated

Adam Shostack blogs a New York Times article, The Last Stand of the 6-Percenters?, that describes how online real estate listings such as RedFin, ZipRealty, and BuySideInc.com are letting home buyers find houses without using real estate agents; needless to say, those agents are not happy about likely losing their traditional 6% commission. So yet another confusopoly bites the dust, like traditional stock trading, car sales, and, to some extent, telephone services and insurance. (A confusopoly, as Scott Adams calls it, is a set of companies that deliberately use secrecy and confusion to hide the differences among their products, so that customers have to rely on experts in order to buy.)

I predict the agents who learn how to use such listings to do more volume at lower commissions will thrive and prosper; I can think of a few specific examples. Those who stonewall against the new paradigm won’t do so well.

-jsq

Linking Brains

Valdis Krebs likes following backlinks to his work, and in doing so discovered this:

Research reveals how knowledge is accessed within organisations:

  • Employees’ brains 42 per cent
  • Paper documents 26 per cent
  • Electronic documents 20 per cent
  • Electronic knowledge bases 12 per cent

(Source: The Delphi Group)

The complex knowledge held in people’s brains is what gives an organisation its competitive advantage. It is context sensitive and cannot be codified, written down and stored.

5 Creating a knowledge-sharing culture, Government Communication Network

Well, that’s interesting. What does it mean?


Metcalfe’s Law and Net Neutrality

Metcalfe’s Law is a hot topic of discussion right now, because of a paper in IEEE Spectrum that says:
Remarkably enough, though the quaint nostrums of the dot-com era are gone, Metcalfe’s Law remains, adding a touch of scientific respectability to a new wave of investment that is being contemplated, the Bubble 2.0, which appears to be inspired by the success of Google. That’s dangerous because, as we will demonstrate, the law is wrong. If there is to be a new, broadband-inspired period of telecommunications growth, it is essential that the mistakes of the 1990s not be reprised.

Metcalfe’s Law is Wrong, Bob Briscoe, Andrew Odlyzko, and Benjamin Tilly, IEEE Spectrum, July 2006


Hammering Wasps

William Gibson nails (so to speak) the problem of using conventional warfare against asymmetrical warfare. He manages to say it all in his blog post title:
Hammer, Meet Wasp’s Nest
Then he explains why certain countries (the U.S., Israel, the U.K.) keep trying to solve a fourth-generation warfare problem with conventional Cold War solutions:
Myself, I keep going back to my no doubt sloppy and imperfect understanding of Thomas S. Kuhn’s The Structure Of Scientific Revolutions. If the theory of “fourth generation war” is viewed as a new paradigm (and it seems to me to meet the criteria) then this is more than a failure of perception on the part of neoconservatives.

HAMMER, MEET WASP’S NEST, William Gibson, Saturday, July 29, 2006

Gibson quotes Wikipedia’s writeup on Kuhn’s idea of paradigm shifts to describe how the mindsets before and after a paradigm shift are not compatible, or even commensurable. They don’t use the same metrics; they don’t even agree on what the right questions are; they can’t be translated into each other.

Why Sen. Tubes Matters

The blogosphere and even the press have made hay out of Sen. Ted Stevens’ explanation of the Internet as a system of tubes. It’s funny, but does it really matter?

Yes:

For example, a bill – the Financial Data Protection Act of 2005 (H.R. 3997) – being considered by the House of Representatives would let the breached company decide whether it should notify customers of a breach; the company would need to notify customers only if it felt the data was going to be misused to cause them financial harm, not under any other conditions. Under this proposal, we will hear less about companies that are sloppy with data. With friends like these in Congress, it might be better to let them continue to fail to deal with the issue and keep the state laws in effect.

Congress fails to grasp security risk, ’Net Insider, by Scott Bradner, Network World, 08/14/06

Millions of identities, ranging from those of credit card users to those of most active-duty U.S. military personnel, have been lost or stolen over the last few years, and the only reason we know about most of those breaches is that a California law requires the affected companies to report them to the people whose data they compromised. Yet the best Congress can propose is to let those same companies decide whether to notify.

Slade Review

Rob Slade has reviewed my book:
There are three threads that are repeated again and again in the book: diversity, insurance, and mapping of the Internet. But there is much more: Quarterman does not address the standard picture of risk management, since he is pointing out that the Internet throws our usual tools for quantified risk analysis into disarray. Instead he notes areas that have been neglected, because of the difficulty of fitting them into standard models, and proposes new, if somewhat vague, risk paradigms. This is not a text that can be used as a reference for ordinary threat analysis, but should be thoroughly studied by anyone involved with information (and particularly communications) protection for a large company, anyone involved with the Internet in a big way, and anyone responsible for business risks in a rapidly changing environment.
Who am I to argue?

-jsq

U.S. DHS Unprepared for Internet Disruption

Could what happened to New Orleans happen to the Internet? If we were expecting the U.S. DHS to prevent it, apparently so:
While the Homeland Security Department has been charged with coordinating cyberspace security and recovery, GAO found that the initiatives so far lack authority, and the relationship between the initiatives is unclear.

David Powner, GAO’s director of information technology management issues, told a Senate subcommittee during a hearing timed to coincide with the release of the report that it is unclear what government entity is in charge, what the government’s role should be and when it should jump in. “Despite federal policy requiring DHS to develop this public-private plan, today no such plan exists,” Powner said.

Report: U.S. unprepared for major Web disruption, by Heather Greenfield, National Journal’s Technology Daily, 28 July 2006


Risk-Based Funding

I see Gunnar Peterson has beaten me to posting about Bryan Ware’s decision matrix, which he uses to advise the U.S. DHS on investing in security. One axis is risk, high or low. The other axis is effectiveness, high or low, meaning the likely effectiveness of the funded organization at actually doing something about the problem. The four cells work out as follows:

  • High risk, high effectiveness: best investment.
  • High risk, low effectiveness: not so much.
  • Low risk, high effectiveness: invest some, to incentivize continued high effectiveness.
  • Low risk, low effectiveness: “Apply minimal funding.”

Bryan mentioned that they have no data as to how well this risk-based funding scheme works, but at least they’re trying.

-jsq