Amateurs study cryptography; professionals study economics.

Ian has a fine post over at financial cryptography:

The only thing I’m unsure of is whether it should be economics or risk. But as I roll it around my mind, I keep coming back to the conclusion that in the public’s mind, the popular definition of economics is closer to the image that we are trying to convey. Which is to say, when we say economics, people think of something close to risk.

Economics. There’s more to our dismal work than risk management: There’s the study of signaling, investment choices, and a host of issues which are broader than just risks.

Worms swamp security

Security experts take it as a truism that you can’t defend everything. So you have to make choices about which attacks to worry about, and which ones to ignore. A study released today claims that unprotected hosts are attacked once per second. (USA Today reports on the study, and avantgarde.com is utterly swamped, so I have not read the study as I write this.) From their news page:

Working with Kevin Mitnick and USAToday, Avantgarde released a study on November 29th that showed that automated ‘bots,’ worms and other threats pummeled six computer platforms over a two-week period with 305,955 total attacks. Results also revealed that an inadequately protected computer fell victim to an actual compromise within four minutes of first plugging into the Internet.

The results are not particularly surprising. Attack frequency has been on the rise for quite some time, and attacks encoded in worms don’t need to sleep. One thing this means is that a prime goal of security management is to prioritize response by predicting, and responding to, those issues which are likely to become worms. Given that worms are now actively spreading to PCs when people visit web sites, a good firewall and a quarantine system are not enough. (Telling people to only visit ‘trusted’ websites isn’t enough. Even the most trusted web sites are vulnerable to compromise. If you’re a home user, install Firefox. Firefox is not vulnerable to the same set of issues as IE is.)

From the security research perspective, I think there are more interesting questions. There are more vulnerabilities discovered than are turned into worms. Some issues are harder than others to exploit. Some issues exist in a broader set of targets than others. Some issues have exploit code published sooner than others. Which of these factors is predictive as to how worms spread?

Lycos’ attack spammers@home

I’d like to add one bit about Lycos’ new attack spammers screensaver. Ed Felten writes most of what needs to be said about it:

This is a serious lapse of judgment by Lycos. For one thing, this kind of vigilante attack erodes the line between the good guys and the bad guys. Spammers are bad because they use resources and keep people from getting to the messages they want to read. If you respond by wasting resources and keeping people from getting to the websites they want to read, it’s hard to see what separates you from the spammers.

This kind of attack can be misdirected at innocent parties. The article says that Lycos is attacking sites on the SpamCop blocklist. That doesn’t fill me with confidence — this site has been on the SpamCop blocklist at least once, despite having nothing at all to do with spam. (The cause was an erroneous complaint, coupled with a hair-trigger policy by SpamCop.)

I’d like to add that the screensaver might somewhat usefully do nothing, while promising to strike at spammers. This gives its users the satisfaction of thinking they’re fixing the problem, without actually doing any harm. It’s better to get that result by folding them into a network that applies human discrimination to the spam problem, such as the one made by Cloudmark. (Cloudmark uses a cool reputation and voting system that’s much like Google’s PageRank: spam is what the accurate voters say spam is. Shades of the beauty contest problem, but that’s ok here.)

Anyway, Jordan Ritter, who’s one of the founders of Cloudmark, pointed out that people love to feel they’re involved. Lycos’ screensaver could usefully do nothing, while pretending to attack spammers. Of course, it would be far more useful to spend that CPU on evolving new anti-spam algorithms, or weather prediction, or something else.

Paralyzed woman walks again

A South Korean woman paralysed for 20 years is walking again after scientists say they repaired her damaged spine using stem cells derived from umbilical cord blood.

Hwang Mi-Soon, 37, had been bedridden since damaging her back in an accident two decades ago.

Last week her eyes glistened with tears as she walked again with the help of a walking frame at a press conference where South Korea researchers went public for the first time with the results of their stem-cell therapy.

(From the Herald Sun.)

Wikinews

SteveC, whose comments are broken, says:

“wikinews is demoing here. When you have a hammer, everything looks like a nail. I can’t wait for wiki… wiki… wikigovernment. Or something. We could all edit the laws. yay!”

Me, I want WikiAirlineSchedules.

CIA funded overthrows?

Cryptome points to a fascinating article in The Guardian about how the US is training young activists to undermine corrupt regimes:

Funded and organised by the US government, deploying US consultancies, pollsters, diplomats, the two big American parties and US non-government organisations, the campaign was first used in Europe in Belgrade in 2000 to beat Slobodan Milosevic at the ballot box.

In the centre of Belgrade, there is a dingy office staffed by computer-literate youngsters who call themselves the Centre for Non-violent Resistance. If you want to know how to beat a regime that controls the mass media, the judges, the courts, the security apparatus and the voting stations, the young Belgrade activists are for hire.

The usually fractious oppositions have to be united behind a single candidate if there is to be any chance of unseating the regime. That leader is selected on pragmatic and objective grounds, even if he or she is anti-American.

Officially, the US government spent $41m (£21.7m) organising and funding the year-long operation to get rid of Milosevic from October 1999. In Ukraine, the figure is said to be around $14m.

Apart from the student movement and the united opposition, the other key element in the democracy template is what is known as the “parallel vote tabulation”, a counter to the election-rigging tricks beloved of disreputable regimes.

Maybe there’ll be blowback, and these folks will come monitor the next US elections? Read the whole thing.

Music economics

Naxos is a classical music company. They bill themselves as the world’s leading classical label. They have a fascinating business model, which is that they find great ensembles, often in eastern Europe, have them record interesting music, and then sell it cheaply.

I’ll often buy 2 or 3 Naxos CDs as experimentation. When they’re 7 bucks a pop, three costs about the same as the new U2 CD. There’s an interesting article about them commissioning new music from a British composer in the New York Times:

What’s really remarkable, however, is the involvement of a record company in commissioning new music. The conventional wisdom at most major labels is that it’s hard enough to sell new music. Going out and helping it come into being is virtually unprecedented.

“Like all recordings of contemporary music,” said Klaus Heymann, Naxos’s founder and chief executive, “this is a not-for-profit project.”

Naxos specializes in bucking conventional wisdom – and is now widely acknowledged as a rare success story in a struggling industry. A budget label – its CD’s retail for about $7 in the United States – it works with a cadre of less-known (but often first-rate) artists like the Maggini Quartet and concentrates on familiar and unusual repertory, with surprising results. A disk of Walter Piston’s violin concertos has sold 12,000 copies in the United States alone, and William Bolcom’s “Songs of Innocence and Experience,” a three-CD set released in October, made it to the Billboard classical budget chart.

Containment?

America’s Secret War, by George Friedman, is reviewed in the Australian:

The Americans had established and then strengthened a military presence in countries surrounding Saudi Arabia – Yemen, Oman, Qatar, Bahrain and Kuwait. Invasion of Iraq would complete the encirclement.

“From a purely military view,” Friedman adds, “Iraq is the most strategic single country in the Middle East, [bordering] six other countries: Kuwait, Saudi Arabia, Jordan, Syria, Turkey and Iran.”

Professor Bainbridge comments:

I would really like to believe US policy is this well thought out. At the moment, I’m intrigued but skeptical. Nothing to do, I guess, but buy the book and find out. And, while you’re waiting for Friedman’s book to arrive, be sure to go read Devine’s whole column – it’s quite stimulating.

Now, I like what I’ve read of Stratfor (which George Friedman founded), but this makes no sense. If our goal is to address the problem of Saudi Arabia, why not invade…Saudi Arabia? The reason for containment as a policy was that a war-weary world didn’t want a war with the Soviet Union in the aftermath of the Second World War. There’s an argument that the Arab street would rise up if their holy places were taken over, but the US could have used a mercenary army, a siege, or accepted that problem. Invading Iraq has seemingly drawn out those who think fighting the US is a fine idea. Iraq is providing them with a training ground, much the way the Soviet invasion of Afghanistan brought today’s generation of jihadis together.

There’s a sentence in the review:

An invasion of Saudi Arabia presented the tactical problem of waging war against a country of vast area and the strategic one of disrupting the world’s oil supplies.

But Iraq has these same problems, plus the minor difficulty that they were already effectively contained. (Yes, they were straining against that, but Iraq had failed to rebuild its weapons programs, and was effectively unable to field an army when the US invaded.)

Eaglespeak offers the more convincing explanation that we’re containing Iran, not Saudi Arabia. That makes more sense. The Iranians have been exporting terror against the US for 25 years. They had direct contact with Al Qaeda going back to the Afghan war against the Soviets. They provided Bin Laden with support and training. But again the question: why not invade Iran? There’s going to be a good answer soon, which is that they will be a nuclear power, and that’s very scary. It’s scary because the Iranian regime, from its takeover of the US embassy, through the bombing of the US Marines in Beirut, to its support of Hizbollah and Al Qaeda, has always acted on its stated policy of exporting the Islamic revolution.

There’s also the argument, not addressed in the review, that we should have remained focused on Afghanistan and possibly Pakistan until we captured or killed Bin Laden and his close aides.

US Electronic Passports

The CBC reports on documents that the US tried to bury by releasing the day after Thanksgiving, admitting that “…Canada, Germany, the Netherlands and Britain share the suspicion that the international standard set for the electronic passports inadequately protects privacy and security.”

These chips can be read from 30 feet away, today. That’s the opinion of experts inside the US Government. (Phil Libin quotes from a NIST report.) The only reason to support these things is if you want to read out who’s in a crowd at a distance.

The documents go on to say that “We are still hard at work at ensuring the security and integrity of the data on the chip,” [Frank] Moss [deputy assistant secretary of state for passport services] said. However, we plan to start issuing these passports before that’s done, and then backward-compatibility issues will prevent any security at all.

The right security measure is contact. If passports need chips, and I’ve yet to see anyone explain why they do, require that the chip be in contact with the reader. Simple, cheap, easy.