Disruptive Innovation Viewed as Good Risk Management

As expected, the FCC approved more media consolidation, this time of newspapers and TV stations. That's one approach to disruptions in a market: game the regulatory apparatus to permit consolidation of two failing industries (even though one of them, the one being bought, newspapers, is still hugely profitable).

There's another approach, from the wilds of south Georgia:

The statewide papers from Atlanta and Jacksonville have pulled out of this market back to their own communities leaving a void of state and national news from a print media. When I was growing up, The Atlanta Journal “covered Dixie like the dew” and the Atlanta Constitution covered Atlanta. Today the “dew” stops in Macon and the Journal is now just the Constitution. The Florida Times-Union several years ago started the Georgia Times-Union with distribution across the bottom third of our state. Now, with the pullback coming soon, their distribution will be limited to Southeast Georgia or east of Waycross.

— From the publisher: Disruptions are opportunities, By Sandy Sanders, Valdosta Daily Times, Published December 09, 2007 01:28 am -

So what does this small city newspaper do? Run to Congress or the state legislature to let it merge with a TV station? Nope:

ResNet for the Home: Why Don't Last-Mile ISPs Detect, Clean, and Insure Home Machines?

Colleges and universities often provide residential networks (resnets) for their students. There are companies that do that, such as Apogee Networks, plus value added services such as patching, installing, and configuring secure and virus-free software. Last-mile ISPs could do that too. They could go farther: they could detect, clean, and insure home machines.

Now they may not want to do this because they might incur legal liability. But that's what insurance is for. And they might not want to do it because it's not their core competence. But they could offer such services through a third party. Why don't they?

-jsq

Medical Object Panopticon: Hospital Real-Time Location System (RTLS)

Mostly increased monitoring provokes privacy concerns. But what if it's objects that are being monitored?

Carolinas HealthCare System (CHS), the third-largest public healthcare system in the US, has completed the first phase of an asset tracking program that is believed to be one of the largest healthcare real-time location system (RTLS) deployments in the US. Currently about 5,000 assets are being tracked over 1.4 million square feet at five facilities.

CHS plans to extend the WiFi-based RTLS system throughout its network, which includes 15 hospitals and medical centers in the Carolinas. Additional facilities totaling about 3 million square feet are scheduled to go live by the end of the quarter.

"As a healthcare organization, we're required to upgrade or perform preventive maintenance regularly on medical equipment," Clay Fisher, director of information service at Carolinas HealthSystem, told RFID Update. "Imagine trying to find one specific IV pump when you have thousands of them across multiple facilities. We have reduced our 'time-to-find' for individual pieces of equipment from hours to less than ten minutes."

— Carolinas HealthCare Launches Huge RTLS System, RFID Update, Tuesday October 9th, 2007

One odd side effect is that CHS says if your wireless network isn't configured for VoIP, you should add that, because then it will have enough coverage to do RTLS.

Now if they can find a way to track patient orders between nursing shifts, and which doctors sign off on drugs without seeing their patients....

-jsq

Myanmar Destablized by Chinese Imports

Well, not quite yet, but this could be the start:

"It is learnt that taking advantage of the inability of the Myanmar military junta to provide satisfactory and affordable mobile phone services in the Shan State and the Kachin State areas of North Myanmar, Chinese companies have been operating mobile phone services in Yunnan for the benefit of the people of North Myanmar."

— Chinese Mobile Phone Services in North Myanmar, By B. Raman, Paper no. 2470, South Asia Analysis Group, 21-Nov.-2007, quoted in Lots More Reasons Why China is the New America, By Bruce Sterling, Beyond the Beyond, Wired Blogs, November 23, 2007 | 8:35:27 AM

This bears watching, also because while I've been predicting the U.S. may end up buying fast Internet access from Japanese companies, just like cars, actually it could be Chinese companies.

-jsq

Wealth of Internet Miscreants: Beyond Law Enforcement to Disrupting the Criminal Economy

How to get rich quick through ecrime:

This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from "hacking for fun" to "hacking for profit" has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.

— An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage. Proc. ACM CCS, October 2007.

How to stop it? Law enforcement is good, but insufficient. Ditto traditional technological Internet security methods. We already knew that. What now?

Real progress will be made by disrupting the criminal economy by poisoning trust. Read the paper for the authors' suggestions of Sybil attacks and slander attacks. Make the criminals' identities unreliable and poison their reputations.

This is considered the paper of the year by some prominent computer security professionals, and for good reason.

-jsq

Better Products Bootstrap

Gunnnar notes the formation of a software vendor security best practices consortium and asks:

Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products, services and share best practices in the software security space?

— Secure Coding Advocacy Group, Gunnar Peterson, 1 Raindrop, 23 October 2007

Yes, if the customers demanded it, that might make some difference, and the vendors do pay the most attention to the biggest customers. Of course the biggest customer is the U.S. government, and they seem more interested in CYA than in actual security. And I'm a bit jaded on "best practices" due to reading Black Swans. But regardless of the specific form of better such a group demanded, demanding better security might make some difference.

Maybe they could also demand risk management, which would including having watchers watching ipsos custodes. Not just in the circular never-ending hamster wheel of death style, but for actual improvemment.

-jsq

Chinese Firewall Viewed as Vacuum

In addition to the Chinese national firewall being used as a Panopticon that encourages self-censorship, other uses are now emerging:

Further to our earlier story on visitors to Google Blogsearch being redirected to Baidu in China, new reports have surfaced that would indicate that China has unilaterally blocked all three major search engines in China and is redirecting all requests to Baidu.

— Cyberwar: China Declares War On Western Search Sites, by Duncan Riley, TechCrunch, 18 October 2007

Sort of an involuntary proxy, going somewhere other than where you thought.

Note the distinction between censorship and this new action:

...the redirect to Baidu would indicate an economic motive; if the Chinese Government were serious about censorship alone we would have reports of page not found/ blocked messages, not redirects to Baidu. The Chinese Government is clearly using its censorship regime to the economic benefit of a Chinese owned (but NASDAQ listed) company.

And also remember that there are U.S. government sponsored web panopticon projects. Research so far, or so far as we know.

-jsq

PS: Seen on Dancho Danchev's blog.

Silver Bullet Security Considered Harmful

In the comment discussion about Linus's schedulers vs. security polemic, Iang mentioned a paper he's writing:

We hypothesize that security is a good with insufficient information, and reject the assumption that security fits in the market for goods with asymmetric information. Security can be viewed as in a market where neither buyer nor seller has sufficient information to be able to make a rational buying decision. These characteristics lead to the arisal of a market in silver bullets as participants herd in search of best practices, a common set of goods that arises more to reduce the costs of externalities rather than achieve benefits in security itself.

— The Market for Silver Bullets, by Ian Grigg, Systemics, Inc. $Revision: 1.27 $ $Date: 2005/11/05 18:25:54 $

Evidently security needs to find another precious metal for its bullets, given that the Storm Botnet is still out there after months, phishing becomes more expensive all the time, spam has killed electronic mail for a whole generation of users, and the best the monoculture OS vendor can come up with is a new release that attempts to push responsibility for all its bugs and design flaws back on the user.

What to do?

What It Will Take to Win

IT and Internet security people and companies act mostly as an aftermarket. Meanwhile, the black hats are a well-integrated economy of coders, bot herders, and entrepeneurs. This is what it will take for the white hats to win:

It can seem overwhelming for security people who are typically housed in a separate organization, to begin to engage with software developers and architects to implement secure coding practices in an enterprise. While the security team may know that there are security vulnerabilities in the systems, they have to be able to articulate the specific issues and communicate some ideas on resolutions. This can be a daunting task especially if the security team does not have a prior workign relationship with the development staff, and understand their environment.

...

The task seems daunting also because there are so many developers compared to security people. I am here to tell you though that you don't have to win over every last developer to make some major improvements. In my experience a small percentage of developers write the majority of code that actually goes live. The lead developers (who may be buried deep in the org charts) are the ones you need to engage, in many cases they really don't want to write insecure code, they just lack the knowledge of how to build better. Once you have a relationship (i.e. that you are not just there to audit and report on them, but are there to help *build* more secure code) it is surprisingly easy to get security improvements into a system, especially if the design is well thought and clearly articulated. You don't have get the proverbial stardotstar, each and every developer on board to make positive improvements, it can be incremental. See some more specific ideas on phasing security in the SD! LC here. In meantime, with security budgets increasing 20% a year, use some of that money to take your top developers out to lunch.

— Secure Coding - Getting Buy In, Gunnar Peterson, 1Raindrop, 17 Sep 2007

The start of what it will take.

-jsq

Online Crime Pays

Why Internet security professionals are losing:

Today, few malware developers use their own code. They write it for the same reason commercial software developers do: to sell it for a healthy profit. If you've ever bought anything online, buying from them may be disconcertingly familiar. If you want to break into a computer or steal credit card numbers, you can buy the necessary software online, just like almost anything else. More than that, you can find user friendly, point-and-click attack applications that have been pre-tested and reviewed by experts, and read through customer feedback before making your purchase.

You might even be able to buy technical support or get a money back guarantee. Some developers offer their malware through a software-as-a-service model. If you prefer an even more hands-off approach, you can simply buy pre-screened credit card numbers and identity information itself, or sign a services agreement with someone who will do the dirty work for you. As in many other industries, money has given rise to professionalism.

Online crime and malware development has become a full-blown and extremely profitable commercial enterprise that in many ways mirrors the legitimate software market. "We're in a world where these guys might as well just incorporate," says David Parry, Trend Micro's Global Director of Security Education. "There's certainly more money in the cybercrime market than the antivirus market. The internet security industry is a drop in the bucket; we're talking about hundreds of billions of dollars."

— Computer crime is slicker than you think, By David Raikow, CRN, 16 August 2007 08:04AM

Makes you wonder how long until traditional security companies get bought out by newly-IPOed offshore malware corps.

-jsq