Tag Archives: cooperation

Detection is much more important than prevention –Bruce Schneier

Reviewing Bruce Schneier’s 2004 book Secrets and Lies, much of which was written in 2000, reminds us of something really basic. You can’t just fix security. Security is a process, most of which is about knowing what’s going on. Detection is more important than prevention. To which I add that for detection we need comparable Internet-wide metrics on security performance so every organization can see what’s going on and will have incentive to do something about it because its customers and competitors can see, too. Sound familiar? That’s what SpamRankings.net is about.

Joe Zack posted in Joezack.com on Bastille Day, 14 July 2013, Secrets and Lies: Nine Years Later,

2. “Detection is much more important than prevention”

Schneier keeps coming back to this point. He had this epiphany in 1999 that “it is fundamentally impossible to prevent attacks” and “preventative countermeasures fail all the time.” Security is “about risk management, that the process of security was paramount, that detection and response was the real way to improve security.” (emphasis mine)

I had formerly thought of security as largely being about prevention. A year ago, if you have asked me about “InfoSec” I might have prattled on about firewalls, injection attacks, encryption and good passwords. That’s still important, but now I know that there’s a lot more to it.

Zack says he thinks Schneier was like Nostradamus for having such insight before NSA PRISM and even before Facebook. Sure, Bruce has always been ahead of his time. But that basic insight was not unique to him, and Continue reading

Davos discovers cyber attacks

Cyber attacks made the Davos Top 5 Global Risks in Terms of Likelihood. Davos, the annual conclave of the hyper-rich and famously elected, has also discovered Severe income disparity and Water supply crisis, so maybe they’re becoming more realistic.

However, in Figure 17 on page 25 they’ve got Cyber attacks as an origin risk, along with Massive incident of data fraud or theft and Massive digital misinformation. I think they’re missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.

Interesting comment on page 26: Continue reading

You can help Stop-eCrime

Stop-eCrime aims to reduce electronic crime by increasing transparency of information and communications technologies.

Born out of 2010 meetings organized by the Anti-Phishing Working Group and the IEEE Standards Association, Stop-eCrime has already been working on ecrime event data exchange standards and protocols, as well as operational protocols for dealing with computers compromised by ecrime.

Now Stop-eCrime wants you to help tie these technical and operational levels together into an ecrime detection and response system coordinated among the public, business, academia, and government. There’s plenty of work to be done on technical standards and operational protocols (such as glossaries, metrics, and monetary effects), plus Stop-eCrime needs educational materials and marketing to explain incentives for everyone to participate in reducing ecrime.

Here are the details.

If you want to help, or if you have questions, contact:

Chair: Paul Laudanski <paul@laudanski.com>


Transparency in Rome

Here’s my presentation, Transparency as Incentive for Internet Security: Organizational Layers for Reputation, from RIPE 61 in Rome. This presentation summarizes the two previous RIPE Labs papers about proposed new organizational layers and outbound spam ranking experiments.

RIPE-NCC is the oldest of the Regional Internet Registries (RIRs), and RIPE is the deliberately unorganized association of interested parties that meets twice a year and holds discussions online in between. It’s a mix of operations, research, and socializing. Topics range from obscure details of deploying IPv6 to organizational proposals such as what I was talking about. 430 people attended the meeting in Rome, which was quite a few more than the dozen or two of the first RIPE meeting I went to many years ago.

Interesting questions were asked. I may blog some of them.


Further Hardin Debunking

yacouba.jpg Regarding Perry’s comment to the previous post, the point is that the specific example on which Hardin based his thesis, the one everyone cites in support of it, is not borne out by the evidence, not that he presented any evidence for it in the first place.

Further, that it’s not a tragedy in the sense Hardin meant: that of a Greek tragedy in which a flaw of character inevitably leads to the demise of the protagonist. Individuals are not inevitably disposed to claw out their own at the expense of everyone else. Sometimes people realize that there really is such a thing as the common good; that benefiting everyone benefits themselves.

Yes, I know about the Sahara and the Sahel; I’ve been there; I’ve seen the goats gnawing away at everything.

The solution is not state central planning: you cite Chinese lakes; I’ll cite the Aral Sea.

The solution is also not privatization of the commons: look at the wildfires in the U.S. west exacerbated by subdivisions built in forests.

Solutions that work seem to involve combinations of innovation, education, and especially cooperation. Like this one:

In the late 1970s, when the problems of desertification, combined with population growth, drought and grinding poverty in West Africa first began to get sustained global attention, the prognosis was mostly gloom and doom. And as has been well documented, foreign aid has been less than successful in improving matters. In Yahenga, Reij and Fabore note, efforts to modernize agriculture through large-scale mechanized operations usually failed, for a variety of reasons. The spread of zai hole planting spearheaded by Sawadogo was mostly carried out by the local farmers themselves, with limited support from the government or foreign donors. Those with access to labor dug the holes, and used local sources of organic manure to fill them.

A tree grows in the Sahel, Andrew Leonard, How the World Works, Wednesday, Oct. 4, 2006 11:22 PDT

The “free market” isn’t enough. Cooperation on scales from local to global is also needed. And it does happen, despite Garrett Hardin’s myth that it can’t.