What Not To Insure

The $7 million settlement Microsoft won against spammer Scott Richter is all over the news, as it should be. Microsoft says it will dedicate $5 million of that to further spam fighting. Go Microsoft!

One story says that the spammer’s insurance company will help pay. If there were ever anything that should be excepted from insurance coverage, deliberate spamming (as opposed to your computers being used without permission by somebody else) should be it.


Good Intentions Are Not Security

Cringely has a PBS column of 4 August 2005 about The New Robber Barons that revolves around the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX) and other recent legislation. The key to his argument is that:

These laws, especially the Gramm-Leach-Bliley Act of 1999 (GLBA), now make the victim of cyber theft into a criminal. And under Sarbanes Oxley, directors are held liable and can be sent to jail.
So suppose you’re a small financial institution, such as a credit union. It’s hard to keep track of everything, and eventually you’re likely to have some information stolen. You can try to keep it from the public, but you can’t keep it from your accounting firm.

Vulnerability Bounties

TippingPoint (owned by 3Com) and iDefense (owned by Verisign) are both offering bounties for disclosure of vulnerabilities. Both firms apparently intend to reveal the disclosures to the affected vendors, rather than to the public. Mozilla has for some time been paying $500 per bug found.

And of course there are numerous other organizations looking for flaws in everyone’s code; many of these organizations won’t tell the vendor first.

Maybe it’s better to encourage as many friendly eyes as possible to look at your code, so they’ll tell you about a vulnerability before somebody else exploits it, or tells the public before telling you. Hm, this sounds a lot like open software.

-jsq

Vulnerability Restraints or Reputation Suicide?

Doubtless anyone who follows Internet security has heard by now of the case of Michael Lynn, currently under a restraining order by Cisco and Internet Security Systems (ISS). While working for ISS, Lynn discovered a vulnerability in Cisco router code and told Cisco about it in April. Apparently the flaw was fixed shortly afterwards. Lynn was scheduled to give a presentation on the flaw at the Black Hat Conference in Las Vegas this week, with the cooperation of Cisco and ISS. However, Cisco decided not to permit that, and went so far as to have its employees physically remove the ten-page presentation from the already-printed conference proceedings.

Nonetheless, within two hours of the scheduled presentation time, Lynn quit his job with ISS and proceeded to give the presentation anyway, wearing a white hat labelled Good. Shortly afterwards, Cisco and ISS slapped a restraining order on Lynn and the conference to stop them from distributing the presentation or discussing it.

The rest of the chattering classes were not under restraining order, however, and within two days of the presentation a PDF of Michael Lynn’s slides was available on the Internet, and discussions were rampant everywhere from security professionals such as Bruce Schneier, who could be expected to defend Lynn, to the Wall Street Journal (WSJ).

Update: that link now displays a cease-and-desist letter and a copy of the injunction; a copy of the slides has turned up in Germany.


Duopoly Is Not Security

Interesting article in the Inquirer in the U.K.: Intel to cut Linux out of the content market by Charlie Demerjian, 15 July 2005. It says Intel is preparing to release, with a third-of-a-billion-dollar ad campaign, a digital media platform called East Fork. And East Fork won’t support Linux; it will, of course, support Microsoft, specifically Microsoft Media Center 2006 (MCE 2006).

“I say captive because although it will support other shells that are not MCE 2006, it will only support other shells, but not programs. This is not the same as being open in any way shape or form, you are locked in, period. That’s not to say that there will not be choices. There have to be at least two providers in each country where it launches to provide the content, but the blessed ones are the only ones.”

Two providers are not different enough from a monopoly. Especially when both providers are subject to the same content restrictions, i.e., they’re basically mandated to supply the same thing.

Why would Intel want to lock down a music and movie player? Because it implements Digital Rights Management (DRM) that limits what you can do with the content. If you could run Linux on it, doubtless somebody would try to come up with a way around the DRM.

So why not just use Linux on another platform? It’s not clear that doing so will remain legal, considering all the legislation passed or pending about DRM. If DRM is so good, why does it need legislation to prevent people from circumventing it?

The bigger question is still why the music and motion picture industries can’t

a. produce more content people actually want to buy

b. come up with a business model that incorporates digital distribution via the Internet and other media instead of trying to legislate it out of existence; Steve Jobs has proved it’s possible with the iPod; is he really the only content mogul who can do it?

In any case, it’s not clear to me how DRM brings anybody security. A few companies will profit from it in the near term. After that, either it will die because people find a way to circumvent it anyway, though some people will go to jail along the way, and legal and legislative resources will be wasted on such cases that could have been spent on dealing with real security issues; or DRM will become the standard, which will make it one of the biggest targets for crackers. Think of all the bots they could make out of networked media players….

-jsq

Even Minimal Diversity Accrues Benefits

Here’s an interesting paper arguing that while diversification as in portfolio management or pooling as in insurance does not usually reduce the expected loss, only its variance, diversification in information systems is different.

“Exploiting externalities unique to information systems, we show that diversification can not only reduce loss variance but also minimize expected loss.”
Software Diversity for Information Security, by Chen, Kataria and Krishnan, Fourth Workshop on the Economics of Information Security, Kennedy School of Government, Harvard University, 2 – 3 June 2005.

The paper takes into account both the positive effect of fewer exploits and the negative effect of reduced ease of use because of less uniformity. It accounts for benefits both to the firm that implements diversity and to society.

The paper concludes that the benefits of diversity accrue even if a firm adds only one piece of software alongside its incumbent monoculture software, and even if the new software is less secure than the incumbent software.

Of course, if we’re talking operating systems, any of the alternatives to the incumbent OS have greater security, as the paper demonstrates.

So software diversity in information systems would be good even in a world of worse alternatives to incumbent software, and is even better in our actual world.

-jsq

Thanks to Dan Geer for pointing out this paper.

Simulated Asymmetric Cyberwarfare

The first question that occurred to me when I read this story, “CIA Overseeing Three-Day War Game To Mimic Response To Crippling Internet Attack” by Ted Bridis, May 26, 2005, was why Homeland Security wasn’t doing this instead of the CIA.

Then I remembered the Homeland Security Partnering Conference of last month, in which I was reminded that a bit more than one percent of DHS’s funding goes to Cyber Security, and about the same amount to Critical Infrastructure Protection; if you rummage about on DHS’s web pages, you’ll find pie charts about this. The conference attendance reflected DHS’s real priorities. The attendees were heavily from national laboratories and large research universities. The talks were mostly about nuclear, chemical, and biological threats. All real concerns, and ones DHS should be dealing with.

Still, I was troubled by a question from a law enforcement attendee at lunch, which was more or less: why is there anything here at all about the Internet? You can’t do terrorism through the Internet!

It’s true it’s hard to kill people directly through the Internet, and I’m glad of that. However, it’s not so hard to disrupt systems through the Internet, as phishers are demonstrating. A well-timed pharming attack on financial services DNS servers could create quite a bit of disruption.

Plus increasing amounts of the electrical power grid’s SCADA (Supervisory Control and Data Acquisition) system runs on top of the Internet, and from what I’ve heard with minimal security. We saw only a couple of years ago the kind of cascade failure a single accidental malfunction caused in the Northeast power outage.

Sceptics will note that few people died in the northeast power outage, and indeed we were fortunate. But terrorism isn’t really about killing: it is about achieving political ends. It’s worth reading what John Robb has been writing about petroleum pipeline and electrical outages related to the Chechen situation. If Robb is right, a few carefully placed explosions that killed nobody are near accomplishing what many years of bloody warfare did not.

Back to the article about war games:

“‘Livewire,’ an earlier cyberterrorism exercise for the Homeland Security Department and other federal agencies, concluded there were serious questions about government’s role during a cyberattack, depending on who was identified as the culprit — terrorists, a foreign government or bored teenagers.

“It also questioned whether the U.S. government would be able to detect the early stages of such an attack without significant help from private technology companies.”

Private companies are already having to deal with systems disruption such as phishing and pharming and spam and DDoS attacks. More robust and diverse private methods and players dealing with such problems would make government’s job a lot easier, by doing a lot of it already.

One could well argue that government will never be able to do the job alone, because of the worldwide, distributed, open source nature of the perpetrators. Only a similar array of worldwide, distributed, and diverse countermeasures can succeed. Private industry is already having to produce such countermeasures for problems such as phishing, where law enforcement, much less homeland security or intelligence agencies or military, have not yet become engaged.

The catch is that nobody wants to pay for such a large set of projects. Government can play a role by seed funding innovation; after all, that’s how the Internet got started. Then the trick is to make the new projects pay for themselves. Private industry is already working on that, too.

-jsq 

Tailored Long Tail

I happened to run across two articles yesterday that mesh in an odd sort of way.

Chris Anderson writes in his blog: Is the Long Tail Full of Crap? Chris has for a while now been writing about the long tail of distribution. Take movies, for example. Traditionally, there are only so many movie screens and so much shelf space in video stores. Movies that are popular enough to draw a mass audience get on the screens and on the shelves. A movie doesn’t have to be as popular to get on the shelves as on the screen, but the idea is the same: beyond the fat head of distributed movies there’s a long tail of movies that fewer people want to see and that don’t get on the shelves. Yet many movies in the back catalog are high quality, and some people would want to see them if they could get them, as for example Netflix has demonstrated. The total value of the long tail is probably as high as that of the short head. Chris’s current post is largely about filters to pick out of the long tail what a given potential audience would consider quality.

Meanwhile, Clay Shirky in his blog writes about Situated Software. He gives examples of how throwing away the Web School virtues of scalability, generality, and completeness lets Internet product designers take advantage of small groups as testers, customers, and reputation systems, thus building small products fast that make their small group customers very happy.

It seems to me that Clay Shirky is talking about building quality products for the long tail; quality products that are already filtered for their target customers.

What does all this have to do with Internet business risk management? Maybe one way of dealing with risks outside the firewall is to tailor an enterprise’s (or customer’s) Internet connection for maximal utility and least risk for that particular customer, maybe by selecting the best-fitting connection, and maybe by constructing an insurance policy to cover problems that are likely to occur, especially where it doesn’t fit so well. Maybe the best way to build Internet insurance isn’t to make a few big policies; maybe it’s better to tailor a policy for each customer’s Internet situation.

Now tailoring has connotations of handmade, and there probably would be a professional services aspect to this. But what if that aspect consisted largely of presenting a few automatically-generated tailored policies for the customer to choose from?

-jsq

Phish Zoom

Phishing is a big problem these days: those annoying messages in your electronic inbox that say your eBay or PayPal account or your online bank login needs updating, but which actually direct you to a fake web page that steals your identity, either to steal your money right away or to keep your identity for later use.

Visualizing the topological and performance relations of phishing servers, and zooming in on each one, permits discovering patterns such as several servers in the same hosting center, or servers pretending to be in one country when they are actually in another.
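As an added illustration of those two patterns, not code from the original post or from any visualization tool, here is a small Python script that works on a constructed table of phishing server records and pulls out exactly what the zoomed-in view is meant to reveal: servers that share a hosting block or an AS number, and servers whose country-code domain claims one country while the address is actually hosted in another. The URLs, addresses and AS numbers are placeholders from the documentation and private ranges, not real sites, and the DNS resolution and hosting (ASN, country) lookup are assumed to have been done already, with their results stored in each record.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records: one per phishing server, as they would come out of
# URL collection followed by DNS resolution and a hosting (ASN, country) lookup.
# Addresses are from the documentation ranges and AS numbers from the private
# range; none of these are real phishing sites.
SAMPLE_SERVERS = [
    {"url": "http://secure-login.examplebank.co.uk/update/", "ip": "203.0.113.17", "asn": 64500, "country": "RO"},
    {"url": "http://paypa1-verify.example.com/cgi/",         "ip": "203.0.113.42", "asn": 64500, "country": "RO"},
    {"url": "http://ebay-account.example.de/login/",        "ip": "203.0.113.91", "asn": 64500, "country": "RO"},
    {"url": "http://onlinebanking.example.fr/",             "ip": "198.51.100.7", "asn": 64501, "country": "FR"},
    {"url": "http://account-check.example.org/",            "ip": "192.0.2.200",  "asn": 64502, "country": "US"},
]

# ccTLD -> country the hostname implicitly claims to belong to (small constructed table).
CCTLD_COUNTRY = {"uk": "GB", "de": "DE", "fr": "FR", "us": "US"}


def claimed_country(url):
    """Country suggested by the hostname's ccTLD, or None for generic TLDs like .com."""
    host = urlsplit(url).hostname or ""
    tld = host.rsplit(".", 1)[-1].lower()
    return CCTLD_COUNTRY.get(tld)


def prefix_of(ip, bits=24):
    """Collapse an address to its /bits network, a crude proxy for 'same hosting block'."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def cluster_by(servers, key):
    """Group server URLs by an arbitrary key function (address prefix, ASN, ...)."""
    clusters = defaultdict(list)
    for s in servers:
        clusters[key(s)].append(s["url"])
    return dict(clusters)


def shared_hosting(servers, bits=24, min_size=2):
    """Address blocks hosting at least min_size distinct phishing servers."""
    clusters = cluster_by(servers, lambda s: prefix_of(s["ip"], bits))
    return {p: urls for p, urls in clusters.items() if len(urls) >= min_size}


def shared_asn(servers, min_size=2):
    """AS numbers announcing at least min_size distinct phishing servers."""
    clusters = cluster_by(servers, lambda s: s["asn"])
    return {a: urls for a, urls in clusters.items() if len(urls) >= min_size}


def location_mismatches(servers):
    """Servers whose ccTLD claims one country while the address is hosted in another."""
    out = []
    for s in servers:
        claimed = claimed_country(s["url"])
        if claimed is not None and claimed != s["country"]:
            out.append((s["url"], claimed, s["country"]))
    return out


if __name__ == "__main__":
    for prefix, urls in shared_hosting(SAMPLE_SERVERS).items():
        print(f"{prefix}: {len(urls)} phishing servers in one block")
    for asn, urls in shared_asn(SAMPLE_SERVERS).items():
        print(f"AS{asn}: {len(urls)} phishing servers")
    for url, claimed, actual in location_mismatches(SAMPLE_SERVERS):
        print(f"{url} claims {claimed} but is hosted in {actual}")
```

On the constructed data the three servers in 203.0.113.0/24 (all in AS64500) show up as one hosting cluster, and the .co.uk and .de hostnames are flagged because their addresses resolve to Romania. A /24 is a crude stand-in for “same hosting centre”; with real data one would also group on the AS number, as the second function does, and on the shared routers seen in traceroutes, which is the topological relation the visualization draws.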

-jsq

Network Science?

Passing by Telcordia last Monday, I learned from Will Leland (who discovered the self-similarity of network traffic) about a committee on network science that includes several people I may have mentioned in this blog before, such as Albert L. Barabasi, author of Linked, and Thomas W. Malone, author of The Future of Work. The committee has members from many fields, ranging from biochemistry to sociology. The subject matter is network science that applies to all those fields.

The committee has a questionnaire to see if respondents think there is a network science, and, if so, what it is.

-jsq