Category Archives: Security

Harsh Words for White House IP Czar

The Computer and Communications Industry Association (CCIA), which represents many of the largest technology companies, has posted a scathing retort to the White House:

The White House’s IP czar Victoria Espinel is calling on Congress to further expand and toughen U.S. intellectual property law, which is already among the most sweeping and strictest in the world.

[…]

The legitimate desire to address some serious counterfeiting abuses – such as medications or industrial components used in defense products – has been hijacked to create draconian proposals to alleviate the content industry of the burden of protecting its own interest using its own extensive resources. The government’s role in protecting the public’s right to safe medicine and component parts should not be allowed to morph into supplanting the responsibility of private companies to use existing legal remedies to remove possibly infringing content online and bring legal action against those involved.

“The government has shown how its zeal leads to carelessness in its unprecedented efforts to widely seize domain names for IP enforcement, which ICE undertook this year. Sites were wrongfully shut down based on allegations the user was engaged in criminal conduct deemed lawful by their courts. We are concerned the same low threshold will be used in making decisions to spy on U.S. citizens.

“Some in Congress and the White House have apparently decided that no price is too high to pay to kowtow to Big Content’s every desire, including curtailing civil liberties by expanding wiretapping of electronic communications. Even the controversial USA PATRIOT Act exists because of extraordinary national security circumstances involving an attack on our country. Does Hollywood deserve its own PATRIOT Act?

[…]

“This is the latest indication of the extent to which the content industry has infiltrated this administration and managed to turn the Administration’s IP agenda into a policy which protects old business models at the expense of consumers, citizens’ rights and our most innovative job creating industries.”

Wham. Blam. Zowie.

Espinel’s post was created by the Prioritizing Resources and Organization for Intellectual Property (PRO-IP) Act of 2008, signed into law by President Bush.

The legislation was vigorously opposed by the Department of Justice; the EFF has posted the DOJ’s position. The main objection was that the DOJ would gain the power to bring civil actions yet be forced to turn the proceeds over to private industry, essentially turning what is now a private system of enforcing copyright and trademark law into a government function. The DOJ also felt that appointing an IP Czar with the duties described in the legislation would violate the separation of powers between the Executive and Legislative branches of government.

The Justice Department mandate was removed to ease their objections. The IP Czar post remained and Espinel was appointed in 2009; the CCIA is clearly not impressed with her direction.

I can’t say I’m impressed either. Hard to believe she studied at the LSE — first they are caught red-handed on Libya, now this? I would caution the White House not only on grounds of questionable justification (who really believes IP alone has the same risk calculation as terrorism or assassination?) but on the fact that broadening the wiretap for vague commercial interests will seriously weaken national security.

The Underground Spam Economy

Interesting paper from IsecLab (Institute Eurécom, University of California Santa Barbara, Ruhr University Bochum, Northeastern University): “The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns”.

Based on the value of the products and services that we previously described, we can estimate on a high level the cost of operating Cutwail’s spam campaigns, and approximate the transaction volume related to such an operation. As we discussed in Section 3, there were an average of 121,336 unique IPs online per day. Thus, the Cutwail operators may have paid between $1,500 and $15,000 on a recurring basis to grow and maintain their botnet (assuming they did not develop their own loads system). If we estimate the value of the largest email address list (containing over 1,596,093,833 unique records) from advertised prices, it is worth approximately $10,000–$20,000. Finally, we estimate the Cutwail gang’s profit for providing spam services at roughly $1.7 million to $4.2 million since June 2009 (contingent on whether bulk discounts were provided to customers).

How to Detect Fraud In-Person

Unfortunately this Infographic, called “How to Spot a Liar”, would not be very useful against online scams such as 419 fraud. The references hint that technology was left out of focus; do people really lie more often on the telephone than over email or IM?

Spoiler alert, this is their list:

  1. Listen to how they say what they say
  2. Watch their body language
  3. Detect irregular emotional patterns
  4. Recognize awkward interactions
  5. Study subtle facial expressions
  6. Understand eye movements

First, although this Infographic says it will help you spot a liar, the list is nearly impossible to use against online fraud, as I pointed out above. That seems to me a strange oversight, and it is why I titled this post “How to Detect Fraud In-Person”: the list still seems useful in that regard.

Second, however, it does not bridge cultural differences, which are the very foundation of 419 fraud: attackers use those differences to exploit victims through social engineering. If you expect an African to have funny body language because you don’t know much about Africa or Africans, then you will be unable to apply recommendation #2. In fact, you might be more likely to become a victim: you believe #2 is a good test, yet you suspend it because you are convinced that the funny body language is simply how Africans behave.

Third, the list draws its examples from a baseline that may not fit your situation; it comes from a particular viewpoint that does not suit every environment. It suggests watching for people who repeat what you say, for example, yet I have found this to be common in some rural communities. As an outsider from the city I may find it unusual, but I am not about to suggest that rural inhabitants should be trusted less because they behave differently from me. I see a tendency in the Infographic to assume that time in a zone is the same thing as time.

Overall it’s a good presentation of specific fraud vectors and specific detection methods. It would be easy to add the above points to the Infographic and make it more flexible, as we have described in our paper and presentations.

Attacks by scammers appear to make sophisticated use of language ideology to abuse trust relationships. Language that indexes Africans allows perceived ‘authenticity’ to be constructed in a way that breaks down a victim’s defenses — a variety of linguistic devices are used as attack tools.

In the meantime it serves as a good illustration of how a fraud detection system can backfire, or fail outright, under a simple change of environment.

Confidentiality Versus Availability

Calculating availability is a fairly well-worn path. It is a matter of dividing up time (how much of a day, a month or a year an uptime target allows the service to be down; the table below uses a 30-day month and a 365.25-day year) and then applying cost values to that downtime.

Percent Uptime   Downtime/day    Downtime/month   Downtime/year
95               72.00 minutes   36 hours         18.26 days
99               14.40 minutes   7 hours          3.65 days
99.9             86.40 seconds   43 minutes       8.77 hours
99.99            8.64 seconds    4 minutes        52.60 minutes
99.999           0.86 seconds    26 seconds       5.26 minutes

I often hear large enterprise architects argue that building to three nines (99.9% uptime) is a necessity to avoid the high cost of outages. However, the cost of building highly available infrastructure must also be weighed against the risk of confidentiality loss. In other words, how much will they increase the risk of sensitive data exposure in order to get from 99.5% to 99.9%? Redundant nodes, replicated data stores and failover paths each add copies of sensitive data and more places where access controls can be misconfigured. Regulations should help companies weigh the options more clearly (e.g. a $250,000 minimum fine for each incident in California is higher than a $100,000 outage).
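
The following Python is an added example (mine, not code from the original post). It reproduces the arithmetic behind the downtime table above, then puts numbers on the trade-off described in the previous paragraph: a baseline architecture at 99.5% against a replicated one at 99.9%, where the extra copies of sensitive data are modelled as a higher annual breach probability. The two scenarios, their build costs, the $5,000/hour outage cost and the breach probabilities are constructed assumptions for illustration; the $250,000 per-incident breach cost is the figure cited in the paragraph above.

```python
"""Availability budgets and the confidentiality trade-off.

Added example for this post, not code from the original page. The downtime
budget reproduces the post's table (30-day month, 365.25-day year). All dollar
figures and probabilities in the two scenarios are constructed assumptions.
"""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60
HOURS_PER_MONTH = 30 * 24       # the post's table uses a 30-day month ...
HOURS_PER_YEAR = 365.25 * 24    # ... and a 365.25-day year (8766 h)


def downtime_budget(uptime_pct: float) -> dict:
    """Slice of each period an uptime target permits to be down, unrounded.

    95% -> 72 min/day, 36 h/month and 438.3 h/year (18.26 days), as in the table.
    """
    down = 1.0 - uptime_pct / 100.0
    return {
        "minutes_per_day": down * MINUTES_PER_DAY,
        "hours_per_month": down * HOURS_PER_MONTH,
        "hours_per_year": down * HOURS_PER_YEAR,
    }


@dataclass(frozen=True)
class Scenario:
    """One candidate architecture and the risk figures assumed for it."""
    name: str
    uptime_pct: float
    build_cost_per_year: float          # what running the architecture costs
    outage_cost_per_hour: float         # loss while the service is down
    breach_probability_per_year: float  # chance of a confidentiality incident
    breach_cost: float                  # fine plus response cost per incident


def expected_annual_cost(s: Scenario) -> float:
    """Build cost + outage loss at the full downtime budget + expected breach loss.

    Charging the whole budget is the worst case that still meets the SLA; a
    measured outage figure can be substituted for it.
    """
    outage_loss = downtime_budget(s.uptime_pct)["hours_per_year"] * s.outage_cost_per_hour
    breach_loss = s.breach_probability_per_year * s.breach_cost
    return s.build_cost_per_year + outage_loss + breach_loss


def breakeven_breach_probability(baseline: Scenario, candidate: Scenario) -> float:
    """Annual breach probability at which the candidate stops beating the baseline.

    Solves  baseline_total == candidate_build + candidate_outage + p * breach_cost
    for p. Negative: the candidate cannot pay off even with zero breach risk.
    Above 1: it pays off whatever the breach risk.
    """
    candidate_fixed = (candidate.build_cost_per_year
                       + downtime_budget(candidate.uptime_pct)["hours_per_year"]
                       * candidate.outage_cost_per_hour)
    return (expected_annual_cost(baseline) - candidate_fixed) / candidate.breach_cost


def cheaper(a: Scenario, b: Scenario) -> str:
    """Name of the scenario with the lower expected annual cost."""
    return a.name if expected_annual_cost(a) <= expected_annual_cost(b) else b.name


# Constructed scenarios (assumed figures, not from the post). The replicated
# design spreads sensitive data over more nodes and admin paths, so it is
# given double the breach probability; $250,000 is the per-incident fine the
# post cites for California.
BASELINE = Scenario("single site, 99.5%", 99.5, 200_000, 5_000, 0.05, 250_000)
HA_CANDIDATE = Scenario("replicated, 99.9%", 99.9, 300_000, 5_000, 0.10, 250_000)


if __name__ == "__main__":
    for pct in (95, 99, 99.9, 99.99, 99.999):
        b = downtime_budget(pct)
        print(f"{pct:>7}%  {b['minutes_per_day']:8.2f} min/day  "
              f"{b['hours_per_month']:7.2f} h/month  {b['hours_per_year']:8.2f} h/year")
    for s in (BASELINE, HA_CANDIDATE):
        print(f"{s.name}: expected annual cost ${expected_annual_cost(s):,.0f}")
    print("cheaper:", cheaper(BASELINE, HA_CANDIDATE))
    print("replicated design breaks even at a breach probability of "
          f"{breakeven_breach_probability(BASELINE, HA_CANDIDATE):.1%} per year")
```

With these assumed numbers the replicated design wins ($368,830 against $431,650 expected per year) and keeps winning until the added exposure pushes its annual breach probability past about 35%. The useful output is that break-even figure: it states, in the post’s terms, exactly how much confidentiality risk an architect is implicitly accepting to buy the extra nine, and it is the number to revisit when the fine or the outage cost changes.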

This is not to suggest that confidentiality is more valuable than availability but rather, confidentiality should not be sacrificed for a particular architecture to achieve availability. The best solution is one that provides high confidentiality and availability, but it is likely to cost more than a solution that sacrifices one to achieve the other.