Economists have long understood the corollary concept of Coase's ceiling, a point above which organizations collapse under their own weight -- where hiring someone, however competent, means more work for everyone else than the new hire contributes. Software projects often bump their heads against Coase's ceiling: recall Frederick P. Brooks Jr.'s seminal study, The Mythical Man-Month (Addison-Wesley, 1975), which showed how adding another person onto a project can slow progress and increase errors.

What's new is something consultant and social technologist Clay Shirky calls "Coase's Floor," below which we find projects and activities that aren't worth their organizational costs -- things so esoteric, so frivolous, so nonsensical, or just so thoroughly unimportant that no organization, large or small, would ever bother with them. Things that you shake your head at when you see them and think, "That's ridiculous."

Sounds a lot like the Internet, doesn't it? And that's precisely Shirky's point. His new book, Here Comes Everybody: The Power of Organizing Without Organizations, explores a world where organizational costs are close to zero and where ad hoc, loosely connected groups of unpaid amateurs can create an encyclopedia larger than the Britannica and a computer operating system to challenge Microsoft's.

Shirky teaches at New York University's Interactive Telecommunications Program, but this is no academic book. Sacrificing rigor for readability, Here Comes Everybody is an entertaining as well as informative romp through some of the Internet's signal moments -- the Howard Dean phenomenon, Belarusian protests organized on LiveJournal, the lost cellphone of a woman named Ivanna, Meetup.com, flash mobs, Twitter, and more -- which Shirky uses to illustrate his points.

The book is filled with bits of insight and common sense, explaining why young people take better advantage of social tools, how the Internet affects social change, and how most Internet discourse falls somewhere between dinnertime conversation and publishing.

Shirky notes that "most user-generated content isn't 'content' at all, in the sense of being created for general consumption, any more than a phone call between you and a sibling is 'family-generated content.' Most of what gets created on any given day is just the ordinary stuff of life -- gossip, little updates, thinking out loud -- but now it's done in the same medium as professionally produced material. Unlike professionally produced material, however, Internet content can be organized after the fact."

No one coordinates Flickr's 6 million to 8 million users. Yet Flickr had the first photos from the 2005 London Transport bombings, beating the traditional news media. Why? People with cellphone cameras uploaded their photos to Flickr. They coordinated themselves using tools that Flickr provides. This is the sort of impromptu organization the Internet is ideally suited for. Shirky explains how these moments are harbingers of a future that can self-organize without formal hierarchies.

These nonorganizations allow for contributions from a wider group of people. A newspaper has to pay someone to take photos; it can't be bothered to hire someone to stand around London underground stations waiting for a major event. Similarly, Microsoft has to pay a programmer full time, and Encyclopedia Britannica has to pay someone to write articles. But Flickr can make use of a person with just one photo to contribute, Linux can harness the work of a programmer with little time, and Wikipedia benefits if someone corrects just a single typo. These aggregations of millions of actions that were previously below the Coasean floor have enormous potential.

But a flash mob is still a mob. In a world where the Coasean floor is at ground level, all sorts of organizations appear, including ones you might not like: violent political organizations, hate groups, Holocaust deniers, and so on. (Shirky's discussion of teen anorexia support groups makes for very disturbing reading.) This has considerable implications for security, both online and off.

We never realized how much our security could be attributed to distance and inconvenience -- how difficult it is to recruit, organize, coordinate, and communicate without formal organizations. That inadvertent measure of security is now gone. Bad guys, from hacker groups to terrorist groups, will use the same ad hoc organizational technologies that the rest of us do. And while there has been some success in closing down individual Web pages, discussion groups, and blogs, these are just stopgap measures.

In the end, a virtual community is still a community, and it needs to be treated as such. And just as the best way to keep a neighborhood safe is for a policeman to walk around it, the best way to keep a virtual community safe is to have a virtual police presence.

Crime isn't the only danger; there is also isolation. If people can segregate themselves in ever-increasingly specialized groups, then they're less likely to be exposed to alternative ideas. We see a mild form of this in the current political trend of rival political parties having their own news sources, their own narratives, and their own facts. Increased radicalization is another danger lurking below the Coasean floor.

There's no going back, though. We've all figured out that the Internet makes freedom of speech a much harder right to take away. As Shirky demonstrates, Web 2.0 is having the same effect on freedom of assembly. The consequences of this won't be fully seen for years.

Here Comes Everybody covers some of the same ground as Yochai Benkler's Wealth of Networks. But when I had to explain to one of my corporate attorneys how the Internet has changed the nature of public discourse, Shirky's book is the one I recommended.

This essay previously appeared in IEEE Spectrum.

The latest Microsoft patch MS08-68 is a great example. It is a problem with NTLM authentication where the attacker can force a client to authenticate to him and the credentials, while not exposed in cleartext, can be relayed to another server or brute forced to obtain the cleartext. This is a very classic crypto protocol vulnerability. It’s not the crypto algorithms that are the problem, but the protocol implementation.

Microsoft recently fixed the problem, perhaps due to the availability of exploit code, the availability of an easy to use Metasploit implementation, or perhaps Microsoft’s changed tolerance for vulnerabilities. We can sum it up as a change in the threat space that made it worth fixing. But make no mistake, this is a very old problem.

News reports have been citing Sir Dystic’s SMBrelay tool, which was published in March, 2001, as the first knowledge of this vulnerability. Eric Shultze who worked at MSRC in 2001 just yesterday is quoted as saying, “I have been holding my breath since 2001 for this patch.” Obviously it is a long time coming. But this wasn’t the first publication of the problem. In 2000, one of my collegues on the research team at @stake, Christian Rioux (aka Dildog) published the telnet NTLM authentication vulnerability.

Rioux’s advisory has a great description of the credential relay and cracking weaknesses. I have talked to him and he says he discovered these problems independently, but he didn’t find them first. Dominique Brezinski published exactly these NTLM vulnerabilities in the SMB protocol in 1996 in a paper titled, “A Weakness in CIFS Authentication”. The earliest reference I can find on the paper on the net is here where it is included in another paper published in 1997. Such is the ad-hoc world of independent security research of 12 years ago which still continues today.

It seems ridiculous that a field like security research, which is so important to the running of modern society is so ad-hoc. Shouldn’t we know who discovered a vulnerability? Shouldn’t all researchers and engineers know about it? More importantly if someone implements a tool that takes advantage of a vulnerability shouldn’t they credit the discoverer? Don’t get me wrong. Implementation takes a lot of work and sometimes makes all the difference in makeing people aware of a security problem. After all when I was at the L0pht our slogan was, “Making the theoretical, practical”. I still think researchers should get credit when credit is due.

The security community has gotten better at documentating our research but I still see instances of independent discovery, misplaced credit, and tools giving no credit to researchers. I hate to say it but getting a bit more academic is in order. Credit is the currency of a researcher and placing it well will reward the right people and we will all benefit.

This is just ridiculous. Of course the bad guys will use all the communications tools available to the rest of us. They have to communicate, after all. They'll also use cars, water faucets, and all-you-can-eat buffet lunches. So what?

This commentary is dead on:

Steven Aftergood, a veteran intelligence analyst at the Federation of the American Scientists, doesn't dismiss the Army presentation out of hand. But nor does he think it's tackling a terribly seriously threat. "Red-teaming exercises to anticipate adversary operations are fundamental. But they need to be informed by a sense of what's realistic and important and what's not," he tells Danger Room. "If we have time to worry about 'Twitter threats' then we're in good shape. I mean, it's important to keep some sense of proportion."

A similar arrogance is happening in CEP-land, where, it seems, each and every financial services event processing application is now a “CEP application” just because someone in capital markets puts “CEP” in the same paragraph. I find it ridiculous that the same market of folks who have helped destroy the global economy are now the world’s self-proclaimed authorities on complex event processing. Amazing, if you really think about it, isn’t it?

I read many posts these days by folks in the capital markets trading world, claiming their message routing application is “CEP,” or their algo trading application is “CEP,” - feeds and speed, typical of what “turns on” the financial services folks. As an editorial note: I recall when I worked for a software company, folks on the same team who worked on Wall Street would look down on folks with many years of IT experience outside of financial services. Some would say “he is only a security guy” in their attempt to put down anyone who does not have trading floor IT experience on their resume. I found it all quite ridiculous and foolish.

My resume, for what it is worth, has a number of financial services companies, including either assessing, architecting or building large scale security systems for S.W.I.F.T, Chase or SBC. This experience does not seem to “count” with the trading floor folks, since security is more about getting things right, not just supporting a form of gaming or gambling with other peoples money, with more feeds and speeds the better.

Of late, as I have watched the CEP/EP space evolve, and unfortunately, I see a similar type of “capital markets virus” spreading into CEP-land. Folks on the trading side of financial services seem to think that whatever they say or do is right, and whatever others outside of the trading side do is wrong. These folks are quick to ridicule others who have far more experience than they do, outside of the trading floor of capital markets.

After all, mostly what they do on the trading side is route orders - and if a little old lady in a small town in Iowa loses her life savings because of a bad investment decision, it means little to the folks on the trading floor, the market folks are into feeds and speed - just keep the beast alive. Place your bet on this market or that one! Away we go, faster and faster!!!!

I am sometimes a little sad to observe the same audacity in the CEP world. Instead of focusing on the hard complex problems that require accuracy, the original set of problems defined when the phrase “complex event processing” was minted, the capital market folks have hijacked the term for their marketing purposes in algo trading and order managment systems. These same people ridicule others who are working to solve the (originally stated) complex event processing problems, problems the capital market traders seemingly cannot understand, since they have never worked on complex network or security management problems.

Nevermind, that these “ultra low latency” systems cannot accurately detect a complex money laundering scheme or an elaborate fraud. Nevermind that these “CEP engines” cannot accuracy insure that Average Joe does not lose his hard earned money in a fraud scheme.

I have no problem with folks in capital markets using the term CEP, but they should not ridicule those in technical areas that are not focused on keeping the “trading beast” alive so people can lose their life savings in a blink of an eye; but instead focused on solving complex problems such as the class of problems called out when the three letter acronym “CEP” was created.

Fourth US airline to go Wi-Fi: Aircell says they have a fourth airline--after American, Delta, and Virgin America--on board for its in-flight Wi-Fi service. The aerial broadband provider's latest partner will be announced soon. Aircell's service went live in 15 American Airlines planes two weeks ago, and there's been a surprising lack of reporting from regular travelers or journalists since the big splash at the launch.

Microsoft, two universities research methods for better Wi-Fi handoff for vehicles: The researchers developed a method they call Vi-Fi, writes the Seattle Post-Intelligencer's Todd Bishop, which allows a system to maintain connections with several base stations at once, using a primary access point for traffic until a discontinuity is predicted or encountered. This allows seamless handoffs and continuous voice conversations.

Speaking of autos and Wi-Fi, concerns raised about Chrysler's in-car Wi-Fi option: Randall Stross wrote nearly two weeks ago in The New York Times about the problem of distraction. With the Internet at your fingertips, can you restrain yourself? The only problem with the humorous and accurate analysis is that millions of business travelers have 3G access via laptop cards already, so you'd think we'd already be seeing the bad effects of automotive area networks.

A Wi-Fi booster can't post availability signs on highway: The Nebraska town of Louisville has free Wi-Fi downtown, and wanted to post "Visitor Wi-Fi" on a highway sign as another amenity. The state highway department has a policy that doesn't allow the promotion of Wi-Fi, because they believe they'd be inundated. A resident who runs a local Internet firm installed his own signs on the highway; the roads department removed them; he remounted them; they were removed again. The idea of zoning and mounting a billboard apparently hasn't come to the city officials' minds (or perhaps they're prohibited).

The folks spreading misinformation about Wi-Fi health effects cause Ulster school to disable network: I can understand why non-technical folks might think that Wi-Fi has been proven to be unsafe, given the kind of information that's available on the Internet about wireless safety. While there are ongoing studies about the safety of cellular signals--and I'm convinced at this point there's no increased risk to an adult's health by using a cell phone--there is no specific and credible research linked to Wi-Fi, which broadcasts signals at a far lower level than a cell phone, most of the time in most uses.

Washington state shuts down rest-area Wi-Fi: The $3 for 15 minutes, $7 per day, or $30 per month Wi-Fi service at 28 of Washington's 42 rest areas has been turned off after a year for lack of use. Figures. The fees charged by Parsons and Road Connect aren't unreasonable for a nationally scoped plan, but are ridiculous for limited use. States should either bite the bullet and offer these service for free, partner with national roaming operators who can resell service into large networks of business travelers, or use ads to support the service. Highways in remote areas can typically pick up cell data networks, and ongoing costs should be minimal to operate such networks.

IEEE approves fast-roaming standard, 802.11r: This new standard is designed to improve the handoff of devices between base stations. This is accomplished in part by allowing base stations to communicate security and quality of service information so that a VoIP over WLAN phone can immediately reassociate without the delay of authentication and other handshaking.

Denver airport sees 7,000 connections on a single day last week due to Democratic National Convention: FreeFi released the usage figures recently to show how their service is operating. The network started with about 600 daily users when the switchover from fee to free happened 10 months ago, and now carries about 3,500 daily connections.

Coffee Bean & Tea Leaf goes free: The chain of about 700 cafes will have free Wi-Fi installed by now in all its company-owned stores (about 300).

The lawsuit claimed that the students’ planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.

“The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk,” said EFF Staff Attorney Marcia Hofmann. “A presentation at a security conference is not some sort of computer intrusion. It’s protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security — the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not.”

This sets a good precedent for future cases, and perhaps next time a similar situation arises, a judge will not be so quick to issue a gag order. It’s not a happy ending yet though, as the original lawsuit is still in effect.

As Chris Wysopal pointed out last week, the MBTA’s ire is misdirected. Rather than suing the vendor who sold them the defective system, they sued and attempted to silence the students who discovered the weakness. This is 2008, not 1988 — did they honestly think a gag order would prevent the information from reaching the general public? The DEFCON presentation was already available on the Intertubes prior to the injunction being issued, and the MBTA attorneys included a copy of the confidential whitepaper with their filing, thereby making it public.

I guess you wouldn’t expect that a transit authority would have paid any attention to theCiscogate fiasco from a few years ago. That presentation never got out either, did it? All that taxpayer money the MBTA spent on ridiculous lawsuits and restraining orders could have been put toward fixing the security flaws. What a concept.

1. DNS + Karma = Boom! Enuf said. Also, hear Pete Linstrom squeal.
2. Fun essay on "blocking" and risk. Is it our job to stop'em from using Facebook?
3. MS Exploitability Index. Smart ... or misguidedly focused on "vulnerability release" (and not creation)
4. Chip-n-PIN, a PCI killer? I don't think so!
5. Mike R revisits "good enough security" - read it, then review your IR plans (...for you will be 0wned)
6. Very fun RSA survey here; data leakage beats malware again, people still not report incidents (to whom???)
7. More and more and more people point at idiocies of academic security research... Read the whole w00t 08 thread here. Weep. Laugh.
8. Neosploit has a bad quarter... breaks support "contracts" ... shuts down? Ah, the economy :-)
9. Awesome stuff from  Richard Bejtlich: CAER.
10. "The Network Firewall is a Consensual Hallucination" :-)
11. More GRC-ball-kicking: here, here ("IT-GRC "vendors" are not IT-GRC vendors") - both are pretty insightful for GRC-lovers and GRC-haters)
12. More SIEM-ball-kicking: here ("underwhelming","ridiculous", "missing the point"), here ("dead ...unless","cripple")
13. Fun DLP portal launches.
14. Final word (?) on TerryChilds-gate here. "When management starts controlling the actions of admins, things start to fall apart." Huh? When management loses control of the business, it dies. Folks, IT vs IT security gap IS real. I never quite believed it, but this taught me a lesson. Some common security sense for a change (also here).

Enjoy.

Does this surprise anyone? This is what I wrote about electronic passports two years ago in The Washington Post:

The other security mechanisms are also vulnerable, and several security researchers have already discovered flaws. One found that he could identify individual chips via unique characteristics of the radio transmissions. Another successfully cloned a chip. The State Department called this a "meaningless stunt," pointing out that the researcher could not read or change the data. But the researcher spent only two weeks trying; the security of your passport has to be strong enough to last 10 years.

This is perhaps the greatest risk. The security mechanisms on your passport chip have to last the lifetime of your passport. It is as ridiculous to think that passport security will remain secure for that long as it would be to think that you won't see another security update for Microsoft Windows in that time. Improvements in antenna technology will certainly increase the distance at which they can be read and might even allow unauthorized readers to penetrate the shielding.

Facebook has removed the popular word game Scrabulous from its U.S. and Canadian sites after Hasbro sued the online game makers.

The social networking site said Scrabulous creators Rajat Agarwalla and Jayant Agarwalla and their company RJ Softwares made the decision after Hasbro said Scrabulous infringes on its intellectual property by copying and threatening to diminish its Scrabble brand.

This is pretty ridiculous. They may be similar games, but they’re still different experiences — I doubt having an online version would “diminish” the board game brand.