Category Archives: Internet risk management strategies

Duopoly Is Not Security

Interesting article in the Inquirer in the U.K.: Intel to cut Linux out of the content market by Charlie Demerjian, 15 July 2005. It says Intel is preparing to release, with a third of a billion dollar ad campaign, a digital media platform called East Fork. And that East Fork won’t support Linux; it will, of course, support Microsoft, specifically Microsoft Media Center 2006 (MCE 2006).

“I say captive because although it will support other shells that are not MCE 2006, it will only support other shells, but not programs. This is not the same as being open in any way shape or form, you are locked in, period. That’s not to say that there will not be choices. There have to be at least two providers in each country where it launches to provide the content, but the blessed ones are the only ones.”

Two providers aren’t different enough from a monopoly. Especially when both providers are subject to the same content restrictions, i.e., they’re basically mandated to supply the same thing.

Why would Intel want to lock down a music and movie player? Because it implements Digital Rights Management (DRM) that limits what you can do with the content. If you could run Linux on it, doubtless somebody would try to come up with a way around the DRM.

So why not just use Linux on another platform? It’s not clear that is still legal, considering all the legislation passed or pending about DRM. If DRM is so good, why does it need legislation to prevent people from circumventing it?

The bigger question is still why the music and motion picture industries can’t

a. produce more content people actually want to buy

b. come up with a business model that incorporates digital distribution via the Internet and other media instead of trying to legislate it out of existence; Steve Jobs has proved it’s possible with the iPod; is he really the only content mogul who can do it?

In any case, it’s not clear to me how DRM brings anybody security. A few companies will profit off it in the near term, after which either it will die because people will find a way to circumvent it anyway, even though some people will go to jail and legal and legislative resources will be wasted on such cases that could have been spent on dealing with real security issues. Or DRM will become the standard, which will mean that it will become one of the biggest targets for crackers; think of all the bots they could make out of networked media players….

-jsq

Even Minimal Diversity Accrues Benefits

Here’s an interesting paper that says that while diversification as in portfolio management or pooling as in insurance does not usually reverse the expected risk, diversification in information systems is different.

“Exploiting externalities unique to information systems, we show that diversification can not only reduce loss variance but also minimize expected loss.”
Software Diversity for Information Security, by Chen, Kataria and Krishnan, Fourth Workshop on the Economics of Information Security, Kennedy School of Government, Harvard University, 2 – 3 June 2005.

The paper takes into account both positive effects of fewer exploits and negative effects of less ease of use because of less uniformity. It takes into account benefits to the firm that implements diversity, and benefits to society.

The paper concludes that benefits of diversity accrue even if a firm adds only one piece of software to its incumbent monoculture software, and even if the new software is not as secure as the incumbent software.

Of course, if we’re talking operating systems, any of the alternatives to the incumbent OS have greater security, as the paper demonstrates.

So software diversity in information systems would be good even in a world of worse alternatives to incumbent software, and is even better in our actual world.

-jsq

Thanks to Dan Geer for pointing out this paper.

Simulated Asymmetric Cyberwarfare

The first question that occurred to me when I read this story, “CIA Overseeing Three-Day War Game To Mimic Response To Crippling Internet Attack” By Ted Bridis May 26, 2005, was why wasn’t Homeland Security doing this, instead of the CIA?

Then I remembered the Homeland Security Partnering Conference of last month, in which I was reminded that a bit more than one percent of DHS’s funding goes to Cyber Security, and about the same amount to Critical Infrastructure Protection; if you rummage about on DHS’s web pages, you’ll find pie charts about this. The conference attendance reflected DHS’s real priorities. The attendees were heavily from national laboratories and large research universities. The talks were mostly about nuclear, chemical, and biological threats. All real concerns, and ones DHS should be dealing with.

Still, I was troubled by a question from a law enforcement attendee at lunch, which was more or less why is there anything here at all about the Internet; you can’t do terrorism through the Internet!

It’s true it’s hard to kill people directly through the Internet, and I’m glad of that. However, it’s not so hard to disrupt systems through the Internet, as phishers are demonstrating. A well-timed pharming attack on financial services DNS servers could create quite a bit of disruption.

Plus increasing amounts of the electrical power grid’s SCADA (Supervisory Control and Data Acquisition) system runs on top of the Internet, and from what I’ve heard with minimal security. We saw only a couple of years ago the kind of cascade failure a single accidental malfunction caused in the Northeast power outage.

Sceptics will note that few people died in the northeast power outage, and indeed we were fortunate. But terrorism isn’t really about killing: it is about achieving political ends. It’s worth reading what John Robb has been writing about petroleum pipeline and electrical outages related to the Chechen situation. If Robb is right, a few carefully placed explosions that killed nobody are near accomplishing what many years of bloody warfare did not.

Back to the article about war games:

“"Livewire," an earlier cyberterrorism exercise for the Homeland Security Department and other federal agencies, concluded there were serious questions about government’s role during a cyberattack, depending on who was identified as the culprit — terrorists, a foreign government or bored teenagers.

“It also questioned whether the U.S. government would be able to detect the early stages of such an attack without significant help from private technology companies.”

Private companies are already having to deal with systems disruption such as phishing and pharming and spam and DDoS attacks. More robust and diverse private methods and players dealing with such problems would make government’s job a lot easier, by doing a lot of it already.

One could well argue that government will never be able to do the job alone, because of the worldwide, distributed, open source nature of the perpetrators. Only a similar array of worldwide, distributed, and diverse countermeasures can succeed. Private industry is already having to produce such countermeasures for problems such as phishing, where law enforcement, much less homeland security or intelligence agencies or military, have not yet become engaged.

The catch is that nobody wants to pay for such a large set of projects. Government can play a role by seed funding innovation; after all, that’s how the Internet got started. Then the trick is to make the new projects pay for themselves. Private industry is already working on that, too.

-jsq 

Phish Zoom

Phishing is a big problem these days: those annoying messages in your electronic inbox that say your eBay or PayPal account or your online bank login need updating, but which actually direct you to a fake web page that steals your identity so as to steal your money; or just to steal your identity for later use.

Visualizing the topological and performance relations of phishing servers and zooming in on each one permits discovering patterns such as several in the same hosting center or ones pretending to be in one country when they’re actually in another.

-jsq

Network Science?

Passing by Telcordia last Monday, I learned from Will Leland (who discovered the self-similarity of network performance) about a committee on network science that includes several people I may have mentioned in this blog before, such as Albert L. Barabasi, author of Linked, and Thomas W. Malone, author of The Future of Work. The committee has members from many fields, ranging from biochemistry to sociology. The subject matter is network science that applies to all those fields.

The committee has a questionnaire to see if respondents think there is a network science, and, if so, what is it?

-jsq

APWG London

This week I went to London to speak at the Anti-Phishing Working Group meeting. I can’t tell you who else presented or what they said, but I can say I spoke about Visualization for Data Sharing, or, Seeing the Undead. Botnets, that is: zombie PCs, especially as used for phishing. If we can visualize them, we can see patterns that can help catch the perpetrators.

In the travel section of the Guardian, on the same page as a story about Fiji, was a writeup about Austin. It seems the Guardian sends a correspondent to Austin every year for the SXSW conference, and he thinks Austin is the kind of place that Britain wants to be. I never knew I lived in such an exotic locale. When I explained about the bats, the expressions people got convinced me that maybe I do. But it seems the problems of the Internet are the same everywhere.

-jsq

Examining Presuppositions

Jared Diamond has written a new book, Collapse: How Societies Choose to Fail or Succeed. The author examines societies from the smallest (Tikopia) to the largest (China) and why they have succeeded or failed, where failure has included warfare, poverty, depopulation, and complete extinction. He thought he could do this purely through examining how societies damaged their environments, but discovered he also had to consider climate change, hostile neighbors, trading partners, and reactions of the society to all of those, including re-evaluating how the society’s basic suppositions affect survival in changed conditions.

For example, medieval Norse Greenlanders insisted on remaining Europeans to the extent of valuing the same food animals and plants in the same order, even though the local climate was not propitious for hogs and cows and grain crops, and the sea nearby was full of fish and seals. When the climate became colder, their marginal way of life became even more so. Meanwhile, colder weather led the Inuit to move southwards until they contacted the Norse, who reacted adversely, producing hostile relations. And cold weather stopped the trading ships from Norway. The Greenland Norse never learned to use kayaks, harpoons, ice spears, or dogs. In the end, they all died.

Europeans are capable of learning all these things, as the Danes who rediscovered Greenland several hundred years later demonstrated. The medieval Norse Greenlanders stuck so slavishly to their presuppositions that they doomed themselves. It’s true that they survived for more than four hundred years, which is a long time as civilizations go, but they didn’t have to die; all they had to do was to become a bit more flexible.

Many corporations are larger than the tiny island nation of Tikopia, where the inhabitants are almost always in sight of the sea. Many have more people than the entire population of Norse Greenland. And many corporations operate in cultural strait-jackets as severe as that of the Norse Greenlanders: stovepiped departments, top-down command-and-control hierarchy, and fast profit instead of long-term investment, to name a few.

To get a bit more concrete, let’s look at a few of the one-liner objections Diamond says he encounters to the importance of environmental concerns.

“The environment has to be balanced against the economy.”
Or risk management has to be balanced against near-term profit. Indeed, no corporation can spend all its profit on risk management, but if it doesn’t spend enough on risk management, it risks there being no profit because there may be no corporation. Plus, risk management can be a competitive advantage. With the London Stock Exchange requiring corporations to have risk management plans to be listed, and the U.S. SEC considering the same thing, at the least risk management is becoming a requirement to play capitalism. The first corporations to have good plans can also gain marketing advantages. In addition, the kinds of information a corporation needs to make a good plan can also be used to improve connectivity, lessen risk, and improve customer satisfaction, all of which should have some positive benefit on the bottom line.

“Technology will solve all our problems.”
This is what corporations have been assuming: buying more Internet security technical solutions will solve Internet security problems. Recent history indicates otherwise. Every corporation needs some forms of technical security, just like every building needs fire control mechanisms, but a building can still burn down and Internet connections can still fail.

“If we exhaust one resource, we can always switch to some other resource meeting the same need.”
This is the attitude I’ve seen with people who think that if the U.S. is attacked via the Internet, we’ll just cut off Internet connectivity at the edges of CONUS (continental United States). Such an attitude ignores the basic fact that there is no way to do that successfully, because there are always more ways in or out than you were keeping track of, not to mention that a great deal of U.S. commerce and even emergency communication measures would suffer. It’s also the attitude of corporate executives who think they’ll find something to replace the Internet so they don’t have to deal with Internet problems; for example, they’ll put up private communication links to their business partners, or they’ll build perfect virtual private networks on top of the Internet. Both of these approaches have certain applications, but neither of them can replace the Internet as a globally accessible communications medium.

Not all of the one-liners Diamond lists are so obviously parallel with Internet problems and denials, but these three may be sufficient to illustrate the point. The point is that business as usual isn’t enough for Internet business risk management planning. Traditions need to be re-examined in order to construct and implement new strategies that will work.

-jsq 

Gift culture considered beneficial

I posted the text below on Dave Farber’s Interesting People list and am now blogging it here. The specific subject of the thread was an article in the Boston Globe about Harvard Business School (HBS) rejecting 119 applicants because they viewed their admission status before they were supposed to: “Harvard rejects 119 accused of hacking” By Robert Weisman, Globe Staff | March 8, 2005. Farber particularly liked the starred paragraph, which was pointed out to me by Peggy Weil, a Harvard graduate who is an adjunct professor at USC; she heard it from one of her students. If it’s not obvious what this post has to do with Internet business risk management, I can explain further.

 


Tim Finan’s message is the first I’ve seen in this thread that referred to the original meaning of the word hacker: someone who enjoys stretching the capabilities of a system and solving hard problems.

It’s true that many people who pick up scripts and use them to attack systems (script kiddies) and others who do nothing but try to break systems (crackers) and others who systematically exploit system weaknesses for financial gain (organized crime) may call themselves hackers, but they’re flattering themselves.

Eric Raymond’s article about “The Hacker Milieu as Gift Culture” makes clear the difference.

Real hackers have given us Unix and Emacs and the Macintosh and Apache and BSD and Linux and sendmail and numerous other high quality gifts, because that’s what they enjoy and that’s how they build their reputations.

Given the results, it’s useful to distinguish between real hackers (whom I’d think Harvard Business School would want to encourage, considering their activities benefit the economy) and crackers.

******* Also, as an admissions consultant noted in the original article:

"Kreisberg said some applicants may have inadvertently tried to access the files, without realizing they were looking for confidential information, after they were e-mailed directions from other students who had copied them from the BusinessWeek message board."

If that actually happened, some of the applicants may have simply thought they were participating in the gift culture when they and Harvard Business School (HBS) were actually victims of a rogue patch, resulting in reputation damage to them and HBS of the sort described in Eric Raymond’s paper.

Maybe HBS should spend a bit more resources increasing value offered to students by getting up to speed on present-day online culture rather than pursuing cost-cutting too far by outsourcing critical functions such as applications to a company that failed to keep them secure. The former might result in better improvements to the bottom line.

-jsq

esr @ UT B School

Eric Raymond is back in Austin, this time for a talk at the University of Texas Business School, CBA, 3rd floor, Classroom 3.2000, 3:30 PM Tuesday March 8th, 2005.

I haven’t heard a specific topic, but given that it’s esr, we can assume open source, and given that the talk is being organized by Prof. Andy Whinston, whose research is in pricing of networks and services, we can assume some intersection of those two things. Quantified diversity, if you will. It should be good for risk management.

-jsq