Comments on: Non-cooperation in the fight against phishing http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/ Security Research, Computer Laboratory, University of Cambridge Fri, 10 Feb 2012 17:31:40 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Clive Robinson http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/comment-page-1/#comment-29975 Clive Robinson Sat, 25 Oct 2008 07:25:56 +0000 http://www.lightbluetouchpaper.org/?p=440#comment-29975 @ Eric Olson, "I believe their prescription is exactly the wrong one. Rather than improve protection for banks and consumers, this proposal would in fact have the opposite effect." As a first order effect I think you are probably correct on this. Also I very much agree with you on the current likley outcome, "Those with the best technology and people will simply devote their staff, budget and expertise to other products where they are not being told to give away the value they have worked so hard to create." However I would look on this as an issue that should be dealt with differently. First and formost the banks should not be alowed to externalise the risk of the services they provide onto their service users (customers and merchants). Secondly the user technology real realy must be sorted out both the browser and the service provision on the banks servers (Googles Chrome may be a step in this direction). Thirdly there is already examples from other financial services of "pooling of resources". There are various organisations like credit refrence checking services medical and other insurance claims databases that are effectivly industry funded as comercial propersitions. It would be better for both the banks and their customers if there would effectivly be one or two organistons actually doing the take down process. The economy of scale and the efficiency of dedulication of effort would provide sufficient margin to reduce costs to the banks and be profitable for independent organisations. @ Eric Olson,

“I believe their prescription is exactly the wrong one. Rather than improve protection for banks and consumers, this proposal would in fact have the opposite effect.”

As a first order effect I think you are probably correct on this.

Also I very much agree with you on the current likley outcome,

“Those with the best technology and people will simply devote their staff, budget and expertise to other products where they are not being told to give away the value they have worked so hard to create.”

However I would look on this as an issue that should be dealt with differently.

First and formost the banks should not be alowed to externalise the risk of the services they provide onto their service users (customers and merchants).

Secondly the user technology real realy must be sorted out both the browser and the service provision on the banks servers (Googles Chrome may be a step in this direction).

Thirdly there is already examples from other financial services of “pooling of resources”. There are various organisations like credit refrence checking services medical and other insurance claims databases that are effectivly industry funded as comercial propersitions.

It would be better for both the banks and their customers if there would effectivly be one or two organistons actually doing the take down process. The economy of scale and the efficiency of dedulication of effort would provide sufficient margin to reduce costs to the banks and be profitable for independent organisations.

]]> By: Eric Olson http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/comment-page-1/#comment-29948 Eric Olson Wed, 22 Oct 2008 21:05:25 +0000 http://www.lightbluetouchpaper.org/?p=440#comment-29948 I completely agree that time is the critical matter in taking down phishing sites. Unfortunately, I respectfully have to differ with your suggested method for improving those times. I believe their prescription is exactly the wrong one. Rather than improve protection for banks and consumers, this proposal would in fact have the opposite effect. Speed in detection and takedown both take technology, staff, and expertise, in other words, investment and lots of it. Mandating that the strongest players undermine their own return on that investment by giving away the data (derived at huge expense) to their feebler competitors will only incent the competent players to exit the market. Those with the best technology and people will simply devote their staff, budget and expertise to other products where they are not being told to give away the value they have worked so hard to create. he banks that rely on these providers will thus be left with only the least efficient, least competent vendors to choose from, and the performance and protection offered will suffer, not improve. For a more complete explanation of this differing opinion, including a discussion of why the A/V industry is not in fact a proper analog for this suggestion, please see <a href="http://www.cyveillanceblog.com" rel="nofollow">A Contrary Perspective --­ Forced Data Sharing Will Decrease Performance and Reduce Protection</a> Respectfully, Eric Olson - Vice President, Cyveillance, Inc. I completely agree that time is the critical matter in taking down phishing sites.

Unfortunately, I respectfully have to differ with your suggested method for improving those times. I believe their prescription is exactly the wrong one. Rather than improve protection for banks and consumers, this proposal would in fact have the opposite effect. Speed in detection and takedown both take technology, staff, and expertise, in other words, investment and lots of it. Mandating that the strongest players undermine their own return on that investment by giving away the data (derived at huge expense) to their feebler competitors will only incent the competent players to exit the market.

Those with the best technology and people will simply devote their staff, budget and expertise to other products where they are not being told to give away the value they have worked so hard to create.

he banks that rely on these providers will thus be left with only the least efficient, least competent vendors to choose from, and the performance and protection offered will suffer, not improve. For a more complete explanation of this differing opinion, including a discussion of why the A/V industry is not in fact a proper analog for this suggestion, please see

A Contrary Perspective –­ Forced Data Sharing Will Decrease Performance and Reduce Protection

Respectfully,
Eric Olson – Vice President, Cyveillance, Inc.

]]> By: Tyler Moore http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/comment-page-1/#comment-29927 Tyler Moore Mon, 20 Oct 2008 15:14:09 +0000 http://www.lightbluetouchpaper.org/?p=440#comment-29927 @Chris: Thanks for your comment. The purpose of this paper was to empirically measure the effect of not sharing phishing URLs. Modeling the trade-offs game-theoretically, as you suggest, is a natural thing to do. We chose to leave this as future work out of space considerations. @Chris: Thanks for your comment. The purpose of this paper was to empirically measure the effect of not sharing phishing URLs. Modeling the trade-offs game-theoretically, as you suggest, is a natural thing to do. We chose to leave this as future work out of space considerations.

]]> By: Chris http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/comment-page-1/#comment-29905 Chris Fri, 17 Oct 2008 17:54:08 +0000 http://www.lightbluetouchpaper.org/?p=440#comment-29905 Maybe it's me, but when I read the paper, I immediately thought of it as describing an Assurance Game. Is there a reason you didn't more formally articulate the choices facing the take-down firms game-theoretically? It seems as though you -- in stark contrast to others doing related work -- have actual data to use in constructing payoff matrices. I don't mean this to sound like a "Why didn't you write the paper I would have written?" comment. My very sincere apologies if it does. Maybe it’s me, but when I read the paper, I immediately thought of it as describing an Assurance Game. Is there a reason you didn’t more formally articulate the choices facing the take-down firms game-theoretically? It seems as though you — in stark contrast to others doing related work — have actual data to use in constructing payoff matrices.

I don’t mean this to sound like a “Why didn’t you write the paper I would have written?” comment. My very sincere apologies if it does.

]]> By: Martijn Grooten http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/comment-page-1/#comment-29901 Martijn Grooten Thu, 16 Oct 2008 16:38:53 +0000 http://www.lightbluetouchpaper.org/?p=440#comment-29901 Good work! And let's hope the take-down companies will follow your advice. I'm not sure where the anti-virus industry would have been without strong cooperation, but perhaps the virus threat would have been so immense, people would have gone back to writing important documents in longhand. Good work! And let’s hope the take-down companies will follow your advice. I’m not sure where the anti-virus industry would have been without strong cooperation, but perhaps the virus threat would have been so immense, people would have gone back to writing important documents in longhand.

]]>