APWG London

This week I went to London to speak at the Anti-Phishing Working Group meeting. I can’t tell you who else presented or what they said, but I can say I spoke about Visualization for Data Sharing, or, Seeing the Undead. Botnets, that is: zombie PCs, especially as used for phishing. If we can visualize them, we can see patterns that can help catch the perpetrators.

In the travel section of the Guardian, on the same page as a story about Fiji, was a writeup about Austin. It seems the Guardian sends a correspondent to Austin every year for the SXSW conference, and he thinks Austin is the kind of place that Britain wants to be. I never knew I lived in such an exotic locale. When I explained about the bats, the expressions people got convinced me that maybe I do. But it seems the problems of the Internet are the same everywhere.

-jsq

Examining Presuppositions

Jared Diamond has written a new book, Collapse: How Societies Choose to Fail or Succeed. The author examines societies from the smallest (Tikopia) to the largest (China) and why they have succeeded or failed, where failure has included warfare, poverty, depopulation, and complete extinction. He thought he could do this purely through examining how societies damaged their environments, but discovered he also had to consider climate change, hostile neighbors, trading partners, and reactions of the society to all of those, including re-evaluating how the society’s basic suppositions affect survival in changed conditions.

For example, medieval Norse Greenlanders insisted on remaining Europeans to the extent of valuing the same food animals and plants in the same order, even though the local climate was not propitious for hogs and cows and grain crops, and the sea nearby was full of fish and seals. When the climate became colder, their marginal way of life became even more so. Meanwhile, colder weather led the Inuit to move southwards until they contacted the Norse, who reacted adversely, producing hostile relations. And cold weather stopped the trading ships from Norway. The Greenland Norse never learned to use kayaks, harpoons, ice spears, or dogs. In the end, they all died.

Europeans are capable of learning all these things, as the Danes who rediscovered Greenland several hundred years later demonstrated. The medieval Norse Greenlanders stuck so slavishly to their presuppositions that they doomed themselves. It’s true that they survived for more than four hundred years, which is a long time as civilizations go, but they didn’t have to die; all they had to do was to become a bit more flexible.

Many corporations are larger than the tiny island nation of Tikopia, where the inhabitants are almost always in sight of the sea. Many have more people than the entire population of Norse Greenland. And many corporations operate in cultural strait-jackets as severe as that of the Norse Greenlanders: stovepiped departments, top-down command-and-control hierarchy, and fast profit instead of long-term investment, to name a few.

To get a bit more concrete, let’s look at a few of the one-liner objections Diamond says he encounters to the importance of environmental concerns.

“The environment has to be balanced against the economy.”
Or risk management has to be balanced against near-term profit. Indeed, no corporation can spend all its profit on risk management, but if it doesn’t spend enough on risk management, it risks there being no profit because there may be no corporation. Plus, risk management can be a competitive advantage. With the London Stock Exchange requiring corporations to have risk management plans to be listed, and the U.S. SEC considering the same thing, at the least, risk management is becoming a requirement to play capitalism. The first corporations to have good plans can also gain marketing advantages. In addition, the kinds of information a corporation needs to make a good plan can also be used to improve connectivity, lessen risk, and improve customer satisfaction, all of which should have some positive effect on the bottom line.

“Technology will solve all our problems.”
This is what corporations have been assuming: buying more Internet security technical solutions will solve Internet security problems. Recent history indicates otherwise. Every corporation needs some forms of technical security, just like every building needs fire control mechanisms, but a building can still burn down and Internet connections can still fail.

“If we exhaust one resource, we can always switch to some other resource meeting the same need.”
This is the attitude I’ve seen with people who think that if the U.S. is attacked via the Internet, we’ll just cut off Internet connectivity at the edges of CONUS (continental United States). Such an attitude ignores the basic fact that there is no way to do that successfully, because there are always more ways in or out than you were keeping track of, not to mention that a great deal of U.S. commerce and even emergency communication measures would suffer. It’s also the attitude of corporate executives who think they’ll find something to replace the Internet so they don’t have to deal with Internet problems; for example, they’ll put up private communication links to their business partners, or they’ll build perfect virtual private networks on top of the Internet. Both of these approaches have certain applications, but neither of them can replace the Internet as a globally accessible communications medium.

Not all of the one-liners Diamond lists are so obviously parallel with Internet problems and denials, but these three may be sufficient to illustrate the point. The point is that business as usual isn’t enough for Internet business risk management planning. Traditions need to be re-examined in order to construct and implement new strategies that will work.

-jsq 

Stopping Phishing

Banks are tired of phishers fooling their customers into revealing information so the phishers can mimic identities and steal money. Last year banks and other financial institutions banded together to do something about phishing. The first phase of this initiative involved

“… educating customers, outfitting customer desktop PCs with anti-spam-protection software, and working with law-enforcement authorities and Internet service providers to identify and stop phishing attacks while they’re in progress.”
Phishing Expedition Set To Enter Second Phase, by Steven Marlin, InformationWeek, Oct. 29, 2004

There’s a report out now on Phase I, Financial Services Technology Consortium Counter-Phishing Initiative: Phase I. Several reports, actually, ranging from definitions of terms (it wasn’t even clear before what phishing was) to categorizing vendors’ solutions according to an FSTC Phishing Attack Lifecycle and Solutions Categorization.

Many of the FSTC recommendations sound like good risk management in general, for example:

“Ensure that phishing preparedness plans (staff responsibilities, incident response plans, procedures, etc.) are appropriate, frequently reviewed, and updated as necessary. FSTC’s Phishing Life Cycle Model and Attack Taxonomy can be used to structure concrete planning activities and assess adequacy.”

The first of the next steps FSTC will be investigating illustrates a basic feature of this work:

“Investigate and adopt better mutual authentication practices.”

Although the FSTC report says that institutions acting alone can do these things, it’s not clear that that is possible for something that is mutual. As the report also says, the industry acting as a whole can do these things.

In other words, collective action is needed for an aggregate threat.

-jsq

Gift culture considered beneficial

I posted the text below on Dave Farber’s Interesting People list and am now blogging it here. The specific subject of the thread was an article in the Boston Globe about Harvard Business School (HBS) rejecting 119 applicants because they viewed their admission status before they were supposed to: “Harvard rejects 119 accused of hacking” by Robert Weisman, Globe Staff, March 8, 2005. Farber particularly liked the starred paragraph, which was pointed out to me by Peggy Weil, a Harvard graduate who is an adjunct professor at USC; she heard it from one of her students. If it’s not obvious what this post has to do with Internet business risk management, I can explain further.

Tim Finan’s message is the first I’ve seen in this thread that referred to the original meaning of the word hacker: someone who enjoys stretching the capabilities of a system and solving hard problems.

It’s true that many people who pick up scripts and use them to attack systems (script kiddies) and others who do nothing but try to break systems (crackers) and others who systematically exploit system weaknesses for financial gain (organized crime) may call themselves hackers, but they’re flattering themselves.

Eric Raymond’s article about “The Hacker Milieu as Gift Culture” makes clear the difference.

Real hackers have given us Unix and Emacs and the Macintosh and apache and BSD and Linux and sendmail and numerous other high quality gifts, because that’s what they enjoy and that’s how they build their reputations.

Given the results, it’s useful to distinguish between real hackers (whom I’d think Harvard Business School would want to encourage, considering their activities benefit the economy) and crackers.

******* Also, as an admissions consultant noted in the original article:

“Kreisberg said some applicants may have inadvertently tried to access the files, without realizing they were looking for confidential information, after they were e-mailed directions from other students who had copied them from the BusinessWeek message board.”

If that actually happened, some of the applicants may have simply thought they were participating in the gift culture when they and Harvard Business School (HBS) were actually victims of a rogue patch, resulting in reputation damage to them and HBS of the sort described in Eric Raymond’s paper.

Maybe HBS should spend a bit more resources increasing value offered to students by getting up to speed on present-day online culture rather than pursuing cost-cutting too far by outsourcing critical functions such as applications to a company that failed to keep them secure. The former might result in better improvements to the bottom line.

-jsq

esr @ UT B School

Eric Raymond is back in Austin, this time for a talk at the University of Texas Business School, CBA, 3rd floor, Classroom 3.2000, 3:30 PM Tuesday March 8th, 2005.

I haven’t heard a specific topic, but given that it’s esr, we can assume open source, and given that the talk is being organized by Prof. Andy Whinston, whose research is in pricing of networks and services, we can assume some intersection of those two things. Quantified diversity, if you will. It should be good for risk management.

-jsq

Tsunamis as Floods

A reader notes that in Tsunami Insurance I wrote that “…it appears that insurers usually exclude tsunamis from flood coverage, considering them more like earthquakes.” (Note the words “it appears that”.)

He says he has researched this issue and has found that:

In the US, the National Flood Insurance Plan (NFIP), the Insurance Services Office (ISO) and the Factory Mutual Insurance Company (FMO) consider all forms of wave damage including tsunamis and tidal waves as flood losses. These groups are not concerned with what caused the flood.

That paragraph is from a report Perspectives — Tsunami by the insurance broker Willis; look under January 28, 2005. The report has much further context, including a discussion of how nonetheless many insurers may write policies that make an excluded peril take precedence over an insured peril.

He also notes some insurers that do class tsunamis as earthquakes, as I mentioned.

Among the many possible causes of tsunamis, ranging from mudslides to meteors, it seems that people living in places that might have tsunamis (which includes the North American east coast) might do well to check their insurance policies, especially for flood insurance, to see what sort of concurrent contingent perils may be included in them.

-jsq