Checks on Checks, or Shipping and Shipping Software

Paul Graham points out that big company checks on purchasing usually have costs, such as purchasing checks increase the costs of purchased items because the vendors have to factor in their costs of passing the checks.

Such things happen constantly to the biggest organizations of all, governments. But checks instituted by governments can cause much worse problems than merely overpaying. Checks instituted by governments can cripple a country's whole economy. Up till about 1400, China was richer and more technologically advanced than Europe. One reason Europe pulled ahead was that the Chinese government restricted long trading voyages. So it was left to the Europeans to explore and eventually to dominate the rest of the world, including China.

— The Other Half of "Artists Ship", by Paul Graham, November 2008

I would say western governments (especially the U.S.) subsidizing petroleum production and not renewable energy is one of the biggest source of current world economic, political, and military problems. Of course, lack of checks can also have adverse effects as we've just seen with the fancy derivatives the shadow banking system sold in a pyramid scheme throughout the world. It's like there should be a balance on checks. Which I suppose is Graham's point: without taking into account the costs of checks (and I would argue also the risks of not having checks), how can you strike such a balance?

He doesn't neglect to apply his hypothesis to SOX:

Publicity about Internal Fraud: Still an Issue after 30 Years

Adam quotes a 30 year old book about computer security and notes that the IRS then and now doesn't adequately protect taxpayers' information and promises to do better. His quote that I like best, though is:

Top management people in large corporations fear that publicity about internal fraud could well affect their companies' trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil... (Computer Capers, page 72)

— Computer Capers: Tales of electronic thievery, embezzlement, and fraud, by Thomas Whiteside, Ty Crowell Co., 1978

That's why corporations fear a breach reporting reputation system. That's also why we need one.

-jsq ~

Mastery and Secure Coding

Brooks extended:

Each thing we are trying to push for in secure coding these days requires mastery, Cardspace, static analysis, threat modeling, web service security, and friends are very deep individual domains, and when applied to an enterprise they get wide as well. Let me underline that - to deploy any of the current cutting edge stuff in software security at scale, requires technical depth and deployment width. This automatically limits your resource pool of who can deliver this stuff.

So what I have seen work well is using a decentralized, specialist team approach with a very specific agenda and goals. Note the team can be very small, 2 or 3 people even if they are empowered.

— Go Wide and Deep, Incrementally, Gunnar Peterson, 1 Raindrop, 10 JJan 2008

Not only can't you make a late project on time by throwing people at it, you can't really make a project secure by throwing people at it.

-jsq

Cisco Open IOS

In quite a change from 2.5 years ago, when Cisco went to great lengths to try to prevent Michael Lynn from revealing details of Cisco's code, Cisco is opening its software:

Since its debut more than 20 years ago, IOS has largely been a closed, proprietary, tightly guarded jewel in Cisco's lockbox. But the company's ambitions to make the network the platform for all IT operations and become a software force are in turn forcing Cisco to give up a little in return – like making IOS more than just a platform for Cisco-developed services.

"It's a significant step forward for us," said Don Proctor, senior vice president of Cisco's newly formed Software Group, at last week's C-Scape 2007 analyst conference. "Software turns out to be a key way that we can do what [we've] been talking about for some time, which is link business architecture to technology architecture in a meaningful way."

— Cisco opening up IOS, Looks to make software third-party friendly, Network World, 12/12/07

Wow, who could have imagined that technology architecture could be related to business architecture?

SCO Delisted

Suing your customers could be a risk of getting your stock delisted:

The SCO Group, Inc. ("SCO") (Nasdaq: SCOX - News), a leading provider of UNIX® software technology and mobile services, today announced that it received a Nasdaq Staff Determination letter on December 21, 2007 indicating that as a result of having filed for protection under Chapter 11 of the U.S. Bankruptcy Code, the Nasdaq Listing Qualifications Panel has determined to delist the company's securities from the Nasdaq Stock Market and will suspend trading of the securities effective at the open of business on Thursday, December 27, 2007.

— SCO Receives Nasdaq Notice Letter, Yahoo! Finance, Thursday December 27, 1:24 am ET

This is not unexpected after SCO's recent layoffs. The trouble started much farther back, when SCO decided to sue for intellectual property infringement instead of producing a product people wanted to buy.

-jsq

Disruptive Innovation Viewed as Good Risk Management

As expected, the FCC approved more media consolidation, this time of newspapers and TV stations. That's one approach to disruptions in a market: game the regulatory apparatus to permit consolidation of two failing industries (even though one of them, the one being bought, newspapers, is still hugely profitable).

There's another approach, from the wilds of south Georgia:

The statewide papers from Atlanta and Jacksonville have pulled out of this market back to their own communities leaving a void of state and national news from a print media. When I was growing up, The Atlanta Journal “covered Dixie like the dew” and the Atlanta Constitution covered Atlanta. Today the “dew” stops in Macon and the Journal is now just the Constitution. The Florida Times-Union several years ago started the Georgia Times-Union with distribution across the bottom third of our state. Now, with the pullback coming soon, their distribution will be limited to Southeast Georgia or east of Waycross.

— From the publisher: Disruptions are opportunities, By Sandy Sanders, Valdosta Daily Times, Published December 09, 2007 01:28 am -

So what does this small city newspaper do? Run to Congress or the state legislature to let it merge with a TV station? Nope:

Traffic Control Viewed as ISP Risk

Certain ISPs plan to spend a lot of money throttling, stifling, policing copyrights, campaigning and lobbying to control content of information flow through their networks. They might want to look at what's happening in China:

Beijing has recently added a new weapon to its arsenal of surveillance technologies, a system it believes to be a modern marvel: the Golden Shield. It took eight years and $700 million to build, and its mission is to "purify" the Internet — an apparently urgent task. "Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information, and the stability of the state," President Hu Jintao said in January.

The Golden Shield — the latest addition to what is widely referred to as the Great Firewall of China — was supposed to monitor, filter, and block sensitive online content. But only a year after completion, it already looks doomed to fail. True, surveillance remains widespread, and outspoken dissidents are punished harshly. But my experience as a correspondent in China for seven years suggests that the country's stranglehold on the communications of its citizens is slipping: Bloggers and other Web sources are rapidly supplanting Communist-controlled news outlets. Cyberprotests have managed to bring about an important constitutional change. And ordinary Chinese citizens can circumvent the Great Firewall and evade other forms of police observation with surprising ease. If they know how.

— The Great Firewall: China's Misguided — and Futile — Attempt to Control What Happens Online, By Oliver August, WIRED MAGAZINE: ISSUE 15.11, 10.23.07 | 12:00 AM

And if they don't know how, that article provides tips.

Sony Rootkitting: How It Happened

Here's a paper about Sony and the Rootkit:

While Sony BMG's customers first became aware of the dangers posed by the rootkit through media reports following Russinovich's October 31 announcement, the company was on notice that its product contained a rootkit, at the very least, four weeks earlier.12 Finnish anti-virus software developer F-Secure contacted Sony BMG on October 4, 2005, alerting it to the presence of the rootkit.13 Of course, First4Internet, as the developer that chose to incorporate the rootkit into its design, necessarily knew of its presence from the outset.

— THE MAGNIFICENCE OF THE DISASTER: RECONSTRUCTING THE SONY BMG ROOTKIT INCIDENT, By Deirdre K. Mulligan & Aaron K. Perzanowski

Yet Sony apparently thought that they could still sneak a rootkit onto CDs its customers paid for. The customers knew better, because Amazon reviews told them, and sales CDs plumetted as soon as rootkit-infested versions were issued.

This maybe illustrates three points:

Firing Range or Virus Aquarium?

DARPA wants to build cyber firing ranges:

DARPA is interested in the full spectrum of network range capabilities, from network simulations and virtual test ranges that simulate future range architectures and protocols, to physical implementation of networks. Additionally, DARPA is interested in the full spectrum of testing environments – from individual hosts, to single enclaves and local area networks, to world-wide Wide Area Networks (WAN).

— DARPA seeks network firing ranges for cyber weaponry, Keep out, war-warez test in progress, By Lewis Page, The Register, Published Tuesday 4th December 2007 13:50 GMT

Hey, looks like Randall Munro already proposed the single enclave part of this in his comic, xkcd. Somebody's going to make a bundle selling cyber ant farms and leasing DARPA the rights to shoot cyber bullets at them.

-jsq

ResNet for the Home: Why Don't Last-Mile ISPs Detect, Clean, and Insure Home Machines?

Colleges and universities often provide residential networks (resnets) for their students. There are companies that do that, such as Apogee Networks, plus value added services such as patching, installing, and configuring secure and virus-free software. Last-mile ISPs could do that too. They could go farther: they could detect, clean, and insure home machines.

Now they may not want to do this because they might incur legal liability. But that's what insurance is for. And they might not want to do it because it's not their core competence. But they could offer such services through a third party. Why don't they?

-jsq