Monthly Archives: August 2008

How to lose 25,000 customers

There is an old joke in software:

If it wasn’t for those pesky customers, this job would be easy!

Now the UK entertainment industry intends to make that joke a reality by suing 25,000 alleged file sharers:

A government-backed deal was struck last month between Britain’s six biggest Internet service providers and the entertainment industry under which file-sharers would be sent warning letters.

Taking direct action against file-sharers will become an “important and effective” weapon to tackle online piracy, Gore added.

The number of people prosecuted by Davenport Lyons for sharing games could reach 25,000, according to a report in the Times on Wednesday. They would be offered the chance to pay 300 pounds each to settle out of court, the report added.

The first 500 who ignored the letters would face immediate legal action brought on behalf of five games developers, including Atari, Techland and Codemasters, it said.

They must be inspired by how well this strategy is working in the US. Which is to say, not very well at all.

Anytime your business strategy depends on suing your customers en masse, your business is not long for this world. I would suggest they invest that 300 pounds per customer wisely. It may have to last for a while.


When obscurity fails

Frank Pasquale has this interesting take on what happens when security through obscurity fails (hat tip to Instapundit):

Two recent stories illustrate the web’s disruptive potential. Farhad Manjoo of Slate covers the recent uptick in lockpicking fan sites, and Jeffrey R. Young of the Chron describes a new test clearinghouse. Both raise tough questions about what happens when “security via obscurity” starts breaking down.

With the internet, when security through obscurity fails, it fails in a big, noisy way. In a way, these two examples (locks and tests) are areas where obscurity failed in small ways many years ago, but are now failing in a much larger fashion because of the information amplification of the internet.

Thinking the unthinkable

I thought my latest unthinkable thought recently when reading this in an article about what the law demands on IT security:

For most IT organizations, securing corporate data against compromise is priority No. 1. Girding the enterprise against breaches is a constant, thankless task requiring foresight, vigilance, and much in the way of IT expenditures. Keep up with the latest threats, or find your company in the headlines — and your job on the line.

Such is the shift in attitude toward security in IT. In the Wild West, when Jesse James and Butch Cassidy robbed banks, we felt sorry for the banks and hunted down the outlaws. Today, when someone breaks into a company’s computer system, our response is totally different: We blame the company for failing to provide adequate security.

It does seem strange. While it’s reasonable to hold companies responsible for failing to provide adequate security, there seems to be an attitude that nothing can be done against the criminals themselves. If the attacks originate (as most seem to) from a handful of countries run by kleptocratic governments, the criminals are viewed as untouchable. It’s as if the money was stolen by Martians.

But this is nothing but a failure of will on the part of the civilized world.

So here is my unthinkable thought for the day: How much less security risk would there be worldwide if Russia was given a year to crack down on the cyber criminals there or be disconnected from the internet at large?

Kind of like a reverse firewall. The point is not to prevent the crimes themselves but to establish a penalty against the countries that provide safe harbor to the criminals.

I only point out Russia because they are one of the worst offenders and their recent behavior in Georgia calls into question their willingness to be a civil part of the global community. But there are other countries that could likewise be sanctioned with the Internet Death Penalty.

Unthinkable? Perhaps. Impossible? No. All it takes is the will to do something about it.

Me and Fay

If you don’t hear from me in the next couple of days, it’s probably Fay’s fault.

The Laws of Identity, Cliff Notes Version

Kim Cameron has published a shortened, simpler version of his Laws of Identity here.

Great stuff. Hopefully this will make these laws more accessible to those outside of the identity community.

A strange lesson in security

XKCD has this very funny bit on the security of electronic voting machines. There is a very interesting lesson here, but probably not the one you think. Think about these questions:

Why is there such a hyper-focus and concern about the security of the electronic voting machines when most states don’t even require an ID to vote? Why are we concerned about someone hacking a voting machine when states accept absentee ballots with absolutely no verification of the sender? And has anyone looked into the software that is used to tally and report votes after Election Day?

The point is that security must be about the total life-cycle of the process, not just a specific point in the process. The security of the electronic voting machine is important. But without a reliable way to scrub the voting rolls of those no longer eligible to vote, to identify the physical person casting the vote or submitting an absentee ballot, and to tally and report the vote after Election Day, you won’t have a secure process.

I don’t believe that there has ever been a documented case of electronic vote tampering. That doesn’t mean that it hasn’t happened or won’t happen. But if you are looking for the most likely place for voting fraud, the inside of the machine is not it.

Close elections have been decided by the cemetery vote long before electronic voting.

AFCYBER put on ice

It looks like the recently created AFCYBER command may become a victim of inter-service rivalry:

The Air Force Cyber Command (AFCYBER) is a provisional unit that was being developed to take on the challenge of finding ways to use and safeguard Internet infrastructure during military conflicts. AFCYBER was announced in 2006 and the unit, after some delays, was expected to stand up in October of this year. That launch has now been put on hold while the Air Force’s new leadership reviews the plans. Some analysts speculate that the program may be embroiled in a dispute over which branch of the military should have authority over cyberspace.

Which probably means that the brass in the other services have started to believe that this is serious business.