Skip to content
Home ยป legislation


IT security vs. the construction industry

On the Risky Business podcast last week, Andrew Wilson, the CEO of Australian cryptography gear maker Senetas, stated that many businesses see the bad things that happen from poor IT security as just a cost of doing business.

Nothing revolutionary there. We’ve all seen it. Target is paying a steep price right now, but what about Michaels and Nieman Marcus? They got breached at the same time as Target, and nobody’s talking about them. Maybe Target thinks the cost of doing business got too high, and they’ve hired a CISO and I hear they’re hiring lots of new security personnel–I have coworkers and former coworkers in the Minneapolis area who tell me as much–but for Michaels and Nieman Marcus, the cost, at least so far, appears to have been manageable.

But Wilson added something that I hadn’t heard anywhere else before. Fifty years ago, he said, construction workers dying while building a large building was considered a cost of doing business. Fifty years ago that was normal. Today it’s unacceptable.

Read More »IT security vs. the construction industry

CISPA is trying to solve a legitimate problem

I read yet another anti-CISPA piece today. I’m not comfortable trying to read it and decide whether it’s a good or bad piece of legislation, but I do understand the problem it’s trying to solve.

Those who have tried to paint CISPA as the new SOPA or PIPA are misunderstanding the problem CISPA is trying to solve. CISPA isn’t supposed to be about stopping the scourge of teenaged boys using the Internet to copy music and movies. It’s actually chasing something nefarious.

Let me give you an example.
Read More »CISPA is trying to solve a legitimate problem

Digital distribution, not SOPA and PIPA, is the best long-term solution for the MPAA declared victory yesterday, saying that SOPA and PIPA have been dropped. Their e-mail said some other important and interesting things, but most importantly, it made some references to China. Communist China. Totalitarian Communist China.

The distinction is important.
Read More »Digital distribution, not SOPA and PIPA, is the best long-term solution for the MPAA

And it seems that today things worked how they’re supposed to

Today, the Web protested SOPA and PIPA in various ways. And though momentum seemed to start shifting as long as a week ago, the protest went on, and some Washington politicians started changing sides, suggesting that maybe, just maybe, sometimes representative government can’t be bought.

I even saw a quote somewhere–I wish I’d written down where–that attributed one side-changer as saying it’s more important to get this legislation done right than to get it done fast.Read More »And it seems that today things worked how they’re supposed to

Fighting spam two ways

I read a statement in a very right-leaning publication not long ago that made me really mad. It made the statement that government regulation is never the solution to a problem, and the problem of spam should be dealt with through software, not legislation.
This is a statement from a very clueless knee-jerk conservative. Don’t get me wrong; I’m conservative too, but I have a brain and I’m going to use it, even when I’m not towing the party line. Software does absolutely nothing to solve the problem of spam taking up 50% of the SMTP traffic coming in through my employer’s T1 line. That problem probably isn’t big enough to cost anyone a job yet. But is spam costing some people their annual keep-up-with-inflation raises? I think it could be.

Missouri has an anti-spam law. I think that’s a very good thing. Spam that doesn’t have a subject line that begins with the four-letter string adv: is illegal in Missouri. Spam with adult content that doesn’t begin with the eight-character string adv:adlt is illegal in Missouri. There are a few other regulations as well. The punishment? A $5,000 fine per message, not to exceed $25,000 per day.

I hope that amount is high enough to fund a decent-sized army of spam hunters in Jefferson City.

So if you live in Missouri, or work in Missouri, or there’s a decent chance that your mail server is in Missouri, or you can get your mail server moved to Missouri, or can determine that your spam originated from Missouri (you must be really

The problem with spam is that it costs next to nothing to do it. But if a spammer gets five complaints a day from Missourians, that amounts to over $9 million a year. Even the Alan Ralskys of this world may have difficulty with that bill. Spam has made some people multi-millionaires, but it’s hard to imagine Ralsky being able to foot that bill.

There’s a precedent in Missouri. Missouri had a no-call list before the embattled federal no-call list came into existence. There was a body shop not far from me that was literally sued out of business due to this law. A couple of poor-little-small-business-being-picked-on-by-the-government stories predictably showed up in the local press, but I’m still trying to figure out why he was picked on. He broke the law and couldn’t afford the consequences.

And that’s what we need to do with spammers. I won’t shed a tear, but I might throw a party.

In the meantime while I wait for Jay Nixon to sue some spammers out of business, I need a technical solution. Mozilla provides a mail client with built-in Bayesian spam filtering. It works pretty well. But there are situations where you may be pretty much forced to use Outlook in an Exchange environment, or some other product that doesn’t have built-in spam filtering. For those situations there’s POPFile, and if you need POPFile to work with Outlook in Corporate Workgroup mode, there’s Outclass. They work pretty well once trained. I’ve been using Outclass and POPFile for a number of months, and since I get between 30-50 spam messages per day, intermixed with legit stuff (of which I get several hundred a day), it probably saves me an hour or two a day, even when it classifies stuff wrong. But the latest Outclass has whitelisting, which will help that. (For some reason earlier versions of Outclass always classified mail from my boss as spam. I whitelisted him after I upgraded.)

The ultimate solution is 50 different states with 50 incompatible sets of regulations (such as some states requiring the exact string “[adv]” and others requiring “adv:”), making it virtually impossible to comply and still make a profit. Those who do manage will be so small as to probably not be bothersome. I’m not so eager for the Feds to step in simply because then it would be easier to be universally legal.