Checks on Checks, or Shipping and Shipping Software

Paul Graham points out that big-company checks on purchasing usually have costs of their own: for example, purchasing checks increase the prices of purchased items, because vendors have to factor in their own costs of passing those checks.
Such things happen constantly to the biggest organizations of all, governments. But checks instituted by governments can cause much worse problems than merely overpaying. Checks instituted by governments can cripple a country’s whole economy. Up till about 1400, China was richer and more technologically advanced than Europe. One reason Europe pulled ahead was that the Chinese government restricted long trading voyages. So it was left to the Europeans to explore and eventually to dominate the rest of the world, including China.

The Other Half of “Artists Ship”, by Paul Graham, November 2008

I would say western governments (especially the U.S.) subsidizing petroleum production and not renewable energy is one of the biggest sources of current world economic, political, and military problems. Of course, lack of checks can also have adverse effects, as we’ve just seen with the fancy derivatives the shadow banking system sold in a pyramid scheme throughout the world. It’s like there should be a balance on checks. Which I suppose is Graham’s point: without taking into account the costs of checks (and I would argue also the risks of not having checks), how can you strike such a balance?

He doesn’t neglect to apply his hypothesis to SOX.

Confusopoly, or Scott Adams, Prophet of Finance

While sitting in a small room perusing a book from the bottom of the stack, The Dilbert Future, I idly looked again at Scott Adams’s prediction #2:
In the future, all barriers to entry will go away and companies will be forced to form what I call “confusopolies”.

Confusopoly: A group of companies with similar products who intentionally confuse customers instead of competing on price.

OK, good snark. But look at the list of industries he identified as already being confusopolies:
  • Telephone service.
  • Insurance.
  • Mortgage loans.
  • Banking.
  • Financial services.
Telephone companies of course since then have gone to great lengths to try to nuke net neutrality.

And the other four are the source of the current economic meltdown, precisely because they sold products that customers couldn’t understand. Worse, they didn’t even understand them!

It gets better. What industry does he predict will become a confusopoly next? Electricity! And this was in 1998, before Enron engineered confusing California into an electricity-price budget crisis.

For risk management, perhaps it’s worth considering that simply selling something the customer can understand can rank way up there. Certainly for the customer’s risk. And given how much the FIRE companies drank their own Kool-Aid, apparently it’s good risk management for the company itself. Especially given that the Internet now gives the customer more capability to find out what’s going on behind a confusopoly and more ability to vote with their feet.

To actually make a product the customer wants, and then provide good customer service: how old-fashioned! And how less risky and more profitable in the long term.

Crossing the Street in Cyberspace: Michael Kaiser and the National Cyber Security Alliance

If you grew up in a small town, you’d likely cross the street without stopping to look each way. Try that in New York City, and you’ll end up in the hospital. Similarly, most of us grew up in meatspace and clicking on any old link in cyberspace often ends up with our bank account in the hospital.

OK, that was my mangled simile, but it illustrates what Michael Kaiser and the National Cyber Security Alliance are trying to do: educate the public about what to do and not do in cyberspace without losing their audience with technical details or lengthy pedantic instructions. In his talk at APWG he had all sorts of interesting points, such as addressing different audiences (K-12, small business, elderly, etc.) differently, and that it’s not just unlearning bad habits (including ones that would be good habits in other contexts), it’s teaching good habits. And changing habits of any kind requires repetition and persistence. As Kaiser said, look at the CDC and its ongoing campaigns of prevention of HIV, domestic violence, etc.

Personally, I think staysafeonline.org could use more graphics and less text, or, more importantly, more storyline. It seems a tad pedantic to me. More poets in prevention! Or more marketing in staying safe. Or something.

But it’s a useful site already.

Teachable Moment: APWG/CMU Phishing Education Landing Page program

Phishing? Fail!

When you take down a phishing domain or server, don’t just take it off the net: redirect it to this education page so victims of phishing can learn in the act of being suckered by a phisher that they should be more careful what they click on.

As someone in the audience pointed out, whatever you do, don’t redirect phishing pages back to the actual sites being phished, i.e., if the phisher was pretending to be a bank, don’t take down the phisher’s redirect and replace it with a redirect to the bank itself. That just teaches people the wrong thing: to follow a bad link.

Instead, link to the APWG/CMU landing page. Which could use a catchier name (how about Phishing: Fail!), but it’s already a really good service.

MySpace Anti-Phishing

Shing Yin Khor of Fox Interactive Media, which owns MySpace, gave an entertaining talk at APWG in which she gave a good case that MySpace has mostly eliminated phishing ads on MySpace and is busily suppressing other phishing.
Throwing money at the issue of phishing actually works.
MySpace’s anti-phishing forces include former law enforcement people, including a former federal and state prosecutor, a former L.A. D.A., and a former FBI agent. They have successfully sued spam king Scott “ringtones” Richter and his CPA empire.

MySpace does have an advantage in actually hosting all displays and messages. It’s good to be a many-hundred-million shopping mall. She didn’t say that; I did. She did say they use MySpace specific measures such as education via Tom’s profile. Tom was one of the founders of MySpace. Every new user gets Tom as a friend, so his online persona (pictured) has 240 million friends, so that’s a channel that reaches most of their users. She did say:

Education is just as important as technical measures.
What works on MySpace will work on other social network sites.

But Shing’s theme of pro-active measures against phishing and spam is one other organizations could take to heart. Don’t think you can do nothing: you can.

Of course, if you have fewer than 200 million users, you may want to band together with other organizations, for example by joining APWG. Even MySpace does.

APWG Atlanta Buckhead

Five years of the Anti-Phishing Working Group! Dave Jevans gave a retrospective, followed by country reports:

Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.

Russia: Second biggest global source of spam. Ecrime economy is ten times the size of the anti-ecrime industry, and that’s a problem.

Brazil: Most phishing is done locally. It’s all organized crime.

I don’t want to go into too much detail, even though the bad guys don’t seem to need any help. APWG continues to climb the ecrimeware curve, catching up with the miscreants.

Further Hardin Debunking

Regarding Perry’s comment to the previous post, the point is that the specific example on which Hardin based his thesis, the one everyone cites in support of it, is not borne out by the evidence, not that he presented any evidence for it in the first place.

Further, that it’s not a tragedy in the sense Hardin meant: that of a Greek tragedy in which a flaw of character inevitably leads to the demise of the protagonist. Individuals are not inevitably disposed to claw out their own at the expense of everyone else. Sometimes people realize that there really is such a thing as the common good; that benefiting everyone benefits themselves.

Yes, I know about the Sahara and the Sahel; I’ve been there; I’ve seen the goats gnawing away at everything.

The solution is not state central planning: you cite Chinese lakes; I’ll cite the Aral Sea.

The solution is also not privatization of the commons: look at the wildfires in the U.S. west exacerbated by subdivisions built in forests.

Solutions that work seem to involve combinations of innovation, education, and especially cooperation. Like this one:

In the late 1970s, when the problems of desertification, combined with population growth, drought and grinding poverty in West Africa first began to get sustained global attention, the prognosis was mostly gloom and doom. And as has been well documented, foreign aid has been less than successful in improving matters. In Yahenga, Reij and Fabore note, efforts to modernize agriculture through large-scale mechanized operations usually failed, for a variety of reasons. The spread of zai hole planting spearheaded by Sawadogo was mostly carried out by the local farmers themselves, with limited support from the government or foreign donors. Those with access to labor dug the holes, and used local sources of organic manure to fill them.

A tree grows in the Sahel, Andrew Leonard, How the World Works, Wednesday, Oct. 4, 2006 11:22 PDT

The “free market” isn’t enough. Cooperation on scales from local to global is also needed. And it does happen, despite Garrett Hardin’s myth that it can’t.

-jsq

Debunking the Tragedy of the Commons

Interesting article here making a point that should have been obvious for forty years. When Garrett Hardin published his famous article about the “tragedy of the commons” in Science in December 1968, he cited no evidence whatsoever for his assertion that a commons would always be overgrazed; that community-owned resources would always be mismanaged. Quite a bit of evidence was already available, but he ignored it, because it said quite the opposite: villagers would band together to manage their commons, including setting limits (stints) on how many animals any villager could graze, and they would enforce those limits.

Finding evidence for Hardin’s thesis is much harder:

The only significant cases of overstocking found by the leading modern expert on the English commons involved wealthy landowners who deliberately put too many animals onto the pasture in order to weaken their much poorer neighbours’ position in disputes over the enclosure (privatisation) of common lands (Neeson 1993: 156).

Hardin assumed that peasant farmers are unable to change their behaviour in the face of certain disaster. But in the real world, small farmers, fishers and others have created their own institutions and rules for preserving resources and ensuring that the commons community survived through good years and bad.

Debunking the ‘Tragedy of the Commons’, By Ian Angus, Links, International Journal of Socialist Renewal, August 24, 2008

So privatization is not, as so many disciples of Hardin have argued, the cure for the non-existent tragedy of the commons. Rather, privatization can be the enemy of the common management of common resources.

What does this have to do with risk management? Well, insurance is the creation of a managed commons by pooling resources. Catastrophe bonds are another form of pooled resources, that is, a form of a commons.

On the Internet, the big problem with fighting risks like phishing, pharming, spam, and DDoS attacks is that the victims will fail if they go it alone. The Internet is a commons, and pretending that it isn’t is the problem. Most people and companies don’t abuse the Internet. But a few, such as spam herders and some extremist copyright holders (MPAA, RIAA), do. They need to be given stints by the village.

-jsq

Doing It Wrong: Antivirus Software on Voting Machines

Xkcd has a point. And I like the teacher analogy.

Continuing to fiddle with models of how electronic voting might work while leaving in place demonstrably broken hardware and software produced by companies that over years have demonstrated they either don't understand the problem or have no intention of fixing it: that's fiddling while Rome burns.

-jsq

Fast Flux Mapped

Australian HoneyNet tracks Fast Flux nodes and maps them:
Below are the current locations of the Storm Fast Flux hosts. This is updated every 15 minutes from our database.

I had to change it to only show the last 6 hours of new nodes since GoogleMaps doesn't scale very well when you're reaching past a few thousand markers on a map 🙂

—Fast Flux Tracking, Australian HoneyNet Project, accessed 7 Aug 2008

Fast Flux, in case you're not familiar with it, refers to various techniques used by bot herders, spammers, phishers, and the like to evade blocking by rapidly changing which IP addresses are mapped to which domain names.

-jsq
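As an added illustration of the fast flux evasion described above (example code, not from the post or from the Australian HoneyNet Project): the churn in name-to-IP mappings is exactly what a defender can measure from resolver logs. The DNS answers below are constructed sample data, and the thresholds in `is_fast_flux` are an assumed heuristic, not a published standard.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver-log sample: (minutes since start, queried name,
# answered IPv4 address, TTL in seconds). shop.example behaves like an
# ordinary site; flux.example hops across unrelated networks every few minutes.
OBSERVATIONS = [
    (0,   "shop.example", "203.0.113.10",   3600),
    (60,  "shop.example", "203.0.113.10",   3600),
    (120, "shop.example", "203.0.113.11",   3600),
    (0,   "flux.example", "198.51.100.7",   300),
    (5,   "flux.example", "192.0.2.33",     300),
    (10,  "flux.example", "198.51.100.200", 300),
    (15,  "flux.example", "192.0.2.90",     300),
    (20,  "flux.example", "203.0.113.77",   300),
    (25,  "flux.example", "192.0.2.150",    300),
]


def prefix16(ip):
    """Coarse network locality: the /16 containing the address (stand-in for ASN)."""
    return str(ip_network(ip + "/16", strict=False))


def flux_features(observations):
    """Per-name summary of how unstable the A-record answers are."""
    by_name = defaultdict(list)
    for minute, name, ip, ttl in observations:
        by_name[name].append((minute, ip, ttl))
    features = {}
    for name, answers in by_name.items():
        answers.sort()  # chronological, so consecutive answers can be compared
        ips = {ip for _, ip, _ in answers}
        changes = sum(1 for a, b in zip(answers, answers[1:]) if a[1] != b[1])
        features[name] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len({prefix16(ip) for ip in ips}),
            "ip_changes": changes,          # how often the answer flipped
            "min_ttl": min(ttl for _, _, ttl in answers),
        }
    return features


def is_fast_flux(f, min_ips=5, min_prefixes=3, max_ttl=600):
    # Assumed heuristic: many addresses, spread over several networks, short TTL.
    return (f["distinct_ips"] >= min_ips
            and f["distinct_prefixes"] >= min_prefixes
            and f["min_ttl"] <= max_ttl)


def flag_fast_flux(observations):
    """Names whose answer history looks like fast flux, for blocking or review."""
    return sorted(n for n, f in flux_features(observations).items() if is_fast_flux(f))
```

Feed real resolver logs in the same tuple shape and tune the thresholds against known-good domains (CDNs also rotate addresses, but within few networks and usually with longer TTLs).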