Tag Archives: Andrew B. Whinston

Reputation as Public Policy for Internet Security @ TPRC 2012

Saturday I presented Reputation as Public Policy for Internet Security Cover at the 40th Telecommunications Research Policy Conference (TPRC) hosted by George Mason University School of Law, Arlington, VA. Attendees seemed to appreciate our efforts to deal with heteroskedasticity with a wild cluster bootstrap-t procedure. The presentation, along with the abstract and the paper, are available from the SpamRankings.net website.

Blog readers will notice the TPRC presentation excerpted Festi Up Grum botnet is staging a comeback and extended Festi botnet infesting the world, July 2012 as well as making use of the numerous medical posts, while attempting to pull that and other material together in aid of motivating and describing the intended field experiments and their potential policy implications. As Prof. Andrew B. Whinston said to Network World a couple of months ago:

We’re not trying to solve the spam issue. We’re trying to deal with the broader issue of whether companies should publicly report security issues.


Krebs on SpamRankings.net

Brian Krebs wrote on his blog, Naming & Shaming Sources of Spam:
A new resource for spotlighting organizations that are unwittingly contributing to the global spam problem aims to shame junk email havens into taking more aggressive security measures.

SpamRankings.net is a project launched by the Center for Research in Electronic Commerce at the University of Texas at Austin. Its goal is to identify and call attention to organizations with networks that have been infiltrated by spammers.

Andrew Whinston, the center’s director, said the group initially is focusing on health care providers that appear to be infected with spam bots. “Nobody wants to do business with a bank or hospital or Internet hosting company that has been hijacked by spammers,” Whinston said. “It’s an environment in which user data can be stolen or compromised.”

The rest of his writeup quotes me quite a bit, and everyone knows I’m quite shy, so please go read his blog!

I will add that May data is live now on SpamRankings.net. Also, organizations that do better over time may want to brag, as has happened with a couple of U.S. organizations in May.

Here’s Krebs’ final paragraph:

I applaud this effort, and hope that it gains traction. I remain convinced that the Internet community would benefit from a more comprehensive and centralized approach to measuring badness on the Web. There are many existing efforts to measure reputation and to quantify badness online, but most of those projects seek to enumerate very specific threats (such spam or hacked Web sites) and measure the problem from a limited vantage point. What is lacking is an organization that attempts to collate data collected by these disparate efforts and to publish that information in near real-time.


Transparency in Rome

Here’s my presentation, Transparency as Incentive for Internet Security: Organizational Layers for Reputation, from RIPE 61 in Rome. This presentation summarizes the two previous RIPE Labs papers about proposed new organizational layers and outbound spam ranking experiments.

RIPE-NCC is the oldest of the Regional Internet Registries (RIRs), and RIPE is the deliberately unorganized association of interested parties that meets twice a year and holds discussions online in between. It’s a mix of operations, research, and socializing. Topics range from obscure details of deploying IPv6 to organizational proposals such as what I was talking about. 430 people attended the meeting in Rome, which was quite a few more than the dozen or two of the first RIPE meeting I went to many years ago.

Interesting questions were asked. I may blog some of them.