Domain: econinfosec.org
Stories and comments across the archive that link to econinfosec.org.
Comments · 9
-
Re:Can calculated tokens be used somehow?
There were ideas to make sending email "expensive", would it be possible to apply this here? Use a calculation that is expensive to solve but where the solution is easy to test, such as factoring a large number. The biggest problem with the scheme is that a solver has to be added to the browser somehow.
That's proof of work. Proof of work doesn't work unless you use the equivalent of price discrimination. To do price discrimination, you'll need a trust network, so proof of work may work with mail, but not with web services unless the website is very popular.
If you're going to use proof of work, use something that's memory bound instead of CPU bound - the acceleration rate (Moore's law constant) for memory access times is longer than for CPU processing speed, so you don't hurt old computers as much. -
Re:Hashcash?
That won't work, because Javascript interpreters use some processing power of their own. Say there's a 9x slowdown from native code. Then the spammer can just write a C implementation of the hashcash mechanism, and then have the effective power of nine computers. Even if, by some miracle, Javascript interpreters become as fast as compilers (but without the compilation stage), the hashcash solution has two drawbacks. First, it'll hurt ordinary users that don't upgrade their computer every Moore's law cycle (and if there was a way to signal that "I have an old computer, give me an easier problem", spammers would spoof that). Second, it wouldn't actually help, since the spammers would just use their zombie network to calculate the hashcash. See Proof of Work Proves Not To Work.
There's a way around the zombie problem: you can have a reputation network and then make known "bad apples" pay more, but that would be hard to set up for websites. For the application to mail, see Proof of Work Can Work. The Moore problem can be somewhat mitigated by using a function bound by memory access time (since that improves more slowly), but the problem will still be there. -
Re:The ratio is completely wrong for that.
In order to make it economically unsound for the spammers, you'd have to make it economically annoying for the rest of humanity. More annoying than simply putting up with the spam.
Not necessarily. If you have a trust network or database telling you which sources are more likely to spam (like RBL but with degrees instead of "either you're a spammer or you're not"), mail servers could demand more of sources that are likely to spam. Just connect this thing to another network of cryptographic time stamp servers (who, themselves, don't permit a single address to get more than a single token in a given interval), and demand that legitimate users send no more than say, 10 mails per minute and spammy users send no more than 0.1 mail messages per minute. Boom, spam zombies are slowed down by 100x.
That's an economic solution to the degree that the cryptographic timestamp servers print money and the RBL-alikes lets one adjust supply and demand. If you can't trust the timestamp servers, a poor man's approximation could be proof of work (like Hashcash, but use something memory bound since memory speed doubles more slowly than CPU power). See this paper about that strategy. -
Competition for VCP and ZDI
This will be interesting to see how it plays out. The two main legitimate vulnerability purchasers at the moment are iDefense's VCP (http://labs.idefense.com/vcp/) and Tippingpoint's ZDI (http://www.zerodayinitiative.com/). An open market place for researchers to sell their work is a good thing if implemented correctly. Previously their is little or no room to negotiate a fair price and all the information must be disclosed to the buyers first (Trust is assumed they will not use the information if they decied not to buy). Having a third party running an auction/fixed price sell will hopefully bring out the legitimate market for this kind of research. On the flip side, their is a large can of ethics laden worms being opened up and again I will be interested to see in a years time if the WabiSabiLabi marketplace is still operating successfully. Here is an interesting paper on The Legitimate Vulnerability Market : http://weis2007.econinfosec.org/papers/29.pdf
-
Re:The study's methodology seems flawed to me
Read the fucking paper before commenting on the methodology. The name "Privacy Finder" was changed to "Shopping Finder." Participants were given no information about the nature of our research (our lab is in a nondescript room, in a building occupied by multiple departments), and were certainly not told this was a privacy study. Do you honestly believe that if all the results could be attributed to the Milgram effect this paper would have been accepted into any major peer-reviewed conferences?
Here, educate yourself: http://weis2007.econinfosec.org/papers/57.pdf -
Re:Error: Subject Conformation
Actually, we embedded the purchasing tasks in a long and large series of search tasks. We also framed the study as a "Usability test of a Shopping Search Engine" so that there was not a privacy priming effect. Feel free to read the paper. All the study materials are available in the Appendices.
http://weis2007.econinfosec.org/papers/57.pdf
Janice Tsai -
Re:Shoppers *Not* Willing to Pay More for Privacy
Here's a link to the researchers' actual report. (Never trust a press account of any study of anything. Or a slashdot summary, for that matter.)
This was a controlled experiment, and I agree with your point about real-world relevance. It appears to me that the researchers are claiming that if privacy information was made more prominent and easily digestible (as it was in their experiment), people would pay more for privacy. I don't think they are claiming that privacy policies influence people in the current real world.
-
Greedy, but not necessarily stupid
There was an excellent paper at the Workshop on Economics and Information Security a few weeks ago which showed that stock pump-and-dump spam works. It was also shown that as more people are discovering this fact they are riding the band-waggon, thereby making it work even better. If you can spot the scam, perpetrated by others, early in the cycle then you can trade the stock yourself and make a profit and not actually be breaking any securities laws, since you're not the one promoting the stock.
-
Next econ & security workshop is in October
The next workshop on economics & info security will be held in October. So if you have strongly held views in this area (and who on slashdot lacks strongly held views), then think about submitting. You don't have to be an academic to submit a paper, although arguments should be carefully constructed and well organized.
The Workshop on the Economics of Securing the Information Infrastructure (WESII)- Workshop: October 23-24, 2006, Washington DC
- Papers due: August 6, 2006
Suggested topics (not intended to be comprehensive):- The economics of deploying security into:
- The Domain Name System (DNS)
- BGP & routing infrastructure
- Email & spam prevention
- Programming languages
- Legacy code bases
- User interfaces
- Operating systems
- Measuring the cost of adding security
- Models of deployment penetration
- Empirical studies of deployment
- Measuring/estimating damages
- Code origin authentication
- Establishing roots of trust
- Identity management infrastructure
- Data archival and warehousing infrastructure
- Securing open source code libraries
- Adding security to/over existing APIs
- Liability and legal issues
- Internet politics
- Antitrust Issues
- Privacy Issues