Economists have long understood the corollary concept of Coase's ceiling, a point above which organizations collapse under their own weight -- where hiring someone, however competent, means more work for everyone else than the new hire contributes. Software projects often bump their heads against Coase's ceiling: recall Frederick P. Brooks Jr.'s seminal study, The Mythical Man-Month (Addison-Wesley, 1975), which showed how adding another person onto a project can slow progress and increase errors.

What's new is something consultant and social technologist Clay Shirky calls "Coase's Floor," below which we find projects and activities that aren't worth their organizational costs -- things so esoteric, so frivolous, so nonsensical, or just so thoroughly unimportant that no organization, large or small, would ever bother with them. Things that you shake your head at when you see them and think, "That's ridiculous."

Sounds a lot like the Internet, doesn't it? And that's precisely Shirky's point. His new book, Here Comes Everybody: The Power of Organizing Without Organizations, explores a world where organizational costs are close to zero and where ad hoc, loosely connected groups of unpaid amateurs can create an encyclopedia larger than the Britannica and a computer operating system to challenge Microsoft's.

Shirky teaches at New York University's Interactive Telecommunications Program, but this is no academic book. Sacrificing rigor for readability, Here Comes Everybody is an entertaining as well as informative romp through some of the Internet's signal moments -- the Howard Dean phenomenon, Belarusian protests organized on LiveJournal, the lost cellphone of a woman named Ivanna, Meetup.com, flash mobs, Twitter, and more -- which Shirky uses to illustrate his points.

The book is filled with bits of insight and common sense, explaining why young people take better advantage of social tools, how the Internet affects social change, and how most Internet discourse falls somewhere between dinnertime conversation and publishing.

Shirky notes that "most user-generated content isn't 'content' at all, in the sense of being created for general consumption, any more than a phone call between you and a sibling is 'family-generated content.' Most of what gets created on any given day is just the ordinary stuff of life -- gossip, little updates, thinking out loud -- but now it's done in the same medium as professionally produced material. Unlike professionally produced material, however, Internet content can be organized after the fact."

No one coordinates Flickr's 6 million to 8 million users. Yet Flickr had the first photos from the 2005 London Transport bombings, beating the traditional news media. Why? People with cellphone cameras uploaded their photos to Flickr. They coordinated themselves using tools that Flickr provides. This is the sort of impromptu organization the Internet is ideally suited for. Shirky explains how these moments are harbingers of a future that can self-organize without formal hierarchies.

These nonorganizations allow for contributions from a wider group of people. A newspaper has to pay someone to take photos; it can't be bothered to hire someone to stand around London underground stations waiting for a major event. Similarly, Microsoft has to pay a programmer full time, and Encyclopedia Britannica has to pay someone to write articles. But Flickr can make use of a person with just one photo to contribute, Linux can harness the work of a programmer with little time, and Wikipedia benefits if someone corrects just a single typo. These aggregations of millions of actions that were previously below the Coasean floor have enormous potential.

But a flash mob is still a mob. In a world where the Coasean floor is at ground level, all sorts of organizations appear, including ones you might not like: violent political organizations, hate groups, Holocaust deniers, and so on. (Shirky's discussion of teen anorexia support groups makes for very disturbing reading.) This has considerable implications for security, both online and off.

We never realized how much our security could be attributed to distance and inconvenience -- how difficult it is to recruit, organize, coordinate, and communicate without formal organizations. That inadvertent measure of security is now gone. Bad guys, from hacker groups to terrorist groups, will use the same ad hoc organizational technologies that the rest of us do. And while there has been some success in closing down individual Web pages, discussion groups, and blogs, these are just stopgap measures.

In the end, a virtual community is still a community, and it needs to be treated as such. And just as the best way to keep a neighborhood safe is for a policeman to walk around it, the best way to keep a virtual community safe is to have a virtual police presence.

Crime isn't the only danger; there is also isolation. If people can segregate themselves in ever-increasingly specialized groups, then they're less likely to be exposed to alternative ideas. We see a mild form of this in the current political trend of rival political parties having their own news sources, their own narratives, and their own facts. Increased radicalization is another danger lurking below the Coasean floor.

There's no going back, though. We've all figured out that the Internet makes freedom of speech a much harder right to take away. As Shirky demonstrates, Web 2.0 is having the same effect on freedom of assembly. The consequences of this won't be fully seen for years.

Here Comes Everybody covers some of the same ground as Yochai Benkler's Wealth of Networks. But when I had to explain to one of my corporate attorneys how the Internet has changed the nature of public discourse, Shirky's book is the one I recommended.

This essay previously appeared in IEEE Spectrum.

The 32nd episode of The Silver Bullet Security Podcast features founder and Chief Technology Officer of WhiteHat Security, Jeremiah Grossman. Gary and Jeremiah discuss clickjacking, cross-site request forgery, why 50% of web problems can’t be discovered reliably automatically, and which conferences Jeremiah most enjoyed on his 2008 world tour.

• Jeremiah Grossman
• Clickjacking
• Adobe 0-day Browser Exploit
• Cross-Site Request Forgeries: Exploitation and Prevention [PDF]
• Web Spoofing: An Internet Con Game by Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach.
• Web application scan-o-meter
• The “Wall of Fame”

Barracuda continues their poker game with Sourcefire today raising their $7.50 all cash bid to $8.25.  Are Dean and company just bluffing for publicity or are they willing to keep playing and stay in this game until all the cards are on the table?  I don't know for sure, but find it interesting that Barracuda did say to Sourcefire that they would be willing to explore ways that would show Sourcefire's increased value to Barracuda and based upon that increase their offer.  Of course $8.25 is still to low, but it is getting closer.  If the offer gets near 10 bucks, Sourcefire has some serious decisions to make.  In the meantime, Barracuda will again reap the PR bounty from having a seat at the hottest poker game in security.

Barracuda continues their poker game with Sourcefire today raising their $7.50 all cash bid to $8.25.  Are Dean and company just bluffing for publicity or are they willing to keep playing and stay in this game until all the cards are on the table?  I don't know for sure, but find it interesting that Barracuda did say to Sourcefire that they would be willing to explore ways that would show Sourcefire's increased value to Barracuda and based upon that increase their offer.  Of course $8.25 is still to low, but it is getting closer.  If the offer gets near 10 bucks, Sourcefire has some serious decisions to make.  In the meantime, Barracuda will again reap the PR bounty from having a seat at the hottest poker game in security.

It’s a huge undertaking with 10 domains chock full of every security topic you can imagine, 20 contributing SMEs from all over the worls, a handful of editors and 1 man to bring it all together. Our team leader, Dean Bushmiller has been the Project Manager for both versions 8 and 9 of the CISSP courseware and does an amazing job.

Each of the SMEs and editors have put a lot of thought and time into the materials, in an effort to create the best and most relevant content, topic arrangement and flow possible. You’ve seen how big these books are- that’s a lotta’ stuff to pull together and I admire the group, especially the domain wranglers and Dean, for keeping it all on track.

It’s a strange and exciting project. I can’t say it’s completely foreign to me, many years ago I created content for advanced Microsoft Office courses and developed official Computer Competency Training for K-12s for use in schools here. However, a project with this much mass is definitely unique.

So, that’s another little project I’ve been working on for the past several months… and will be continuing for several more. On those occasions I drop off the face of Blog World, it’s sometimes because I’m using every free moment to try and keep up with these types of projects and deadlines.

# # #

Interesting interview with the CEO of Trend, Eva Chen at PC World on the Barracuda patent infringement suit that Trend has brought. A couple of things are pretty clear reading Chen's responses to the questions:

1. This law suit is being fought as much in the court of public opinion as it is in the courts of law.  For that Dean and the Barracuda crew deserve credit. They have done a good job of making this a Trend versus open source community suit.  From Chen's answer it seems Trend was taken totally by surprise by Barracuda's aggressive PR and their ability to turn elements of the open source community against Trend.  The pity for Trend is that Chen actually does make clear the difference between just Clam AV being a virus scanner and the way Barracuda uses Clam AV as part of the gateway. If they would stick to that and not about who makes money from it, they might be able to get the open source community to leave this one alone.

2. In Trend's view this is not about open source  but about money.  I think Chen shoots Trend in the foot with this argument.  She seems to say that because Barracuda is a for profit company that is why they are suing them. If ClamAV was making money, they would sue them too is dangling metaphor there. Here is what Chen says, "But we were not suing ClamAV. Barracuda is a for-profit company. They are taking ClamAV, putting it on their gateway and making money out of it. It's not free software that we are suing, it's Barracuda." So it is all about the money than. If ClamAV was making money Trend would sue them too?

3. After already suing and winning against IBM, McAfee and most of all Fortinet, Trend is very confident that their patent is the real deal in a court of law. If the Xie brothers couldn't find anything to throw this out, they are not worried about the likes of Dean Drako.  But as I said, while litigating this Trend is taking black eyes and body shots in the public opinion arena every day.

4. The last thing they want is to get Sourcefire involved in this suit.  You can't tell me that at this stage of the game Chen would not know if they have cut a deal with Sourcefire or not, the owners of ClamAV. Yet she plays as if she never even heard of them and would have to ask her lawyers. I suspect this is because they think that Sourcefire has more open source "chops" than Barracuda and this would turn this thing into a PR disaster for Trend.  It could be this same reason that played apart (I think is the big reason) in Barracuda bidding for Sourcefire.

In any event it will be interesting to see how PR and public opinion play in the eventual outcome of this suit.

Interesting interview with the CEO of Trend, Eva Chen at PC World on the Barracuda patent infringement suit that Trend has brought. A couple of things are pretty clear reading Chen's responses to the questions:

1. This law suit is being fought as much in the court of public opinion as it is in the courts of law.  For that Dean and the Barracuda crew deserve credit. They have done a good job of making this a Trend versus open source community suit.  From Chen's answer it seems Trend was taken totally by surprise by Barracuda's aggressive PR and their ability to turn elements of the open source community against Trend.  The pity for Trend is that Chen actually does make clear the difference between just Clam AV being a virus scanner and the way Barracuda uses Clam AV as part of the gateway. If they would stick to that and not about who makes money from it, they might be able to get the open source community to leave this one alone.

2. In Trend's view this is not about open source  but about money.  I think Chen shoots Trend in the foot with this argument.  She seems to say that because Barracuda is a for profit company that is why they are suing them. If ClamAV was making money, they would sue them too is dangling metaphor there. Here is what Chen says, "But we were not suing ClamAV. Barracuda is a for-profit company. They are taking ClamAV, putting it on their gateway and making money out of it. It's not free software that we are suing, it's Barracuda." So it is all about the money than. If ClamAV was making money Trend would sue them too?

3. After already suing and winning against IBM, McAfee and most of all Fortinet, Trend is very confident that their patent is the real deal in a court of law. If the Xie brothers couldn't find anything to throw this out, they are not worried about the likes of Dean Drako.  But as I said, while litigating this Trend is taking black eyes and body shots in the public opinion arena every day.

4. The last thing they want is to get Sourcefire involved in this suit.  You can't tell me that at this stage of the game Chen would not know if they have cut a deal with Sourcefire or not, the owners of ClamAV. Yet she plays as if she never even heard of them and would have to ask her lawyers. I suspect this is because they think that Sourcefire has more open source "chops" than Barracuda and this would turn this thing into a PR disaster for Trend.  It could be this same reason that played apart (I think is the big reason) in Barracuda bidding for Sourcefire.

In any event it will be interesting to see how PR and public opinion play in the eventual outcome of this suit.

Synopsis:  Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 32-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on March 27, 2008. Yes, that was over two months ago... we know...

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• MANY thanks for all the offers of audio production assistance


• Dan met with Craig Bowser down at VoiceCon, also David Endler, Mark Collier, etc.


• Jonathan met with Dean Elwood, Martyn Davies, etc.


• Four Asterisk vulnerabilities


• The Economist: Bugging The Cloud


• Forbes: How to Make Your Phone Untappable


• VoIP News: VoIP: Who Might Be Spying on Your Communications? (Hint – It’s Not Just the NSA


• VoIP News: Listen Up: 17 Signs That You Are Being Wiretapped


• eChannelLine: Businesses lagging in securing VoIP (also ComputerWeekly.com and news release )


• eChannelLine: Ingate launches enhanced security for VoIP and SIP (also Enterprise VoIPPlanet )


• Voice of VOIPSA: Hacking Zyxel Gateways


• Voice of VOIPSA: Vishing Attacks


• Voice of VOIPSA: FBI VoIP Surveillance Requirements Leaked (also in FierceVoIP and Slashdot )


• Voice of VOIPSA: Hackers Send Thousands of Fake Calls to Deaf People


• SnapVoIP: Unified Communications in Virtual Worlds to Solve ‘Tower of Babel’ for Intelligence Agencies


• Israeli-made Cryptophone attracts world spy agencies pointing to product site


• BlogInfoSec.com: Save The Whales (about a new form of phishing)


• Network Computing: Your Data and the P2P Peril


• NetQoS: VoIP Monitor 1.1 released


• PC World: FaceTime Security Product Scans Skype’s Encrypted IM and news release


• Sipera IPCS Solution for Teleworkers Rated ‘Avaya Compliant’


• Extreme Networks Boosts Security for Converged Voice and Data Networks with New Tools
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 32:27 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:  Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 32-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on March 27, 2008. Yes, that was over two months ago... we know...

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• MANY thanks for all the offers of audio production assistance


• Dan met with Craig Bowser down at VoiceCon, also David Endler, Mark Collier, etc.


• Jonathan met with Dean Elwood, Martyn Davies, etc.


• Four Asterisk vulnerabilities


• The Economist: Bugging The Cloud


• Forbes: How to Make Your Phone Untappable


• VoIP News: VoIP: Who Might Be Spying on Your Communications? (Hint – It’s Not Just the NSA


• VoIP News: Listen Up: 17 Signs That You Are Being Wiretapped


• eChannelLine: Businesses lagging in securing VoIP (also ComputerWeekly.com and news release )


• eChannelLine: Ingate launches enhanced security for VoIP and SIP (also Enterprise VoIPPlanet )


• Voice of VOIPSA: Hacking Zyxel Gateways


• Voice of VOIPSA: Vishing Attacks


• Voice of VOIPSA: FBI VoIP Surveillance Requirements Leaked (also in FierceVoIP and Slashdot )


• Voice of VOIPSA: Hackers Send Thousands of Fake Calls to Deaf People


• SnapVoIP: Unified Communications in Virtual Worlds to Solve ‘Tower of Babel’ for Intelligence Agencies


• Israeli-made Cryptophone attracts world spy agencies pointing to product site


• BlogInfoSec.com: Save The Whales (about a new form of phishing)


• Network Computing: Your Data and the P2P Peril


• NetQoS: VoIP Monitor 1.1 released


• PC World: FaceTime Security Product Scans Skype’s Encrypted IM and news release


• Sipera IPCS Solution for Teleworkers Rated ‘Avaya Compliant’


• Extreme Networks Boosts Security for Converged Voice and Data Networks with New Tools
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 32:27 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.