Economists have long understood the corollary concept of Coase's ceiling, a point above which organizations collapse under their own weight -- where hiring someone, however competent, means more work for everyone else than the new hire contributes. Software projects often bump their heads against Coase's ceiling: recall Frederick P. Brooks Jr.'s seminal study, The Mythical Man-Month (Addison-Wesley, 1975), which showed how adding another person onto a project can slow progress and increase errors.

What's new is something consultant and social technologist Clay Shirky calls "Coase's Floor," below which we find projects and activities that aren't worth their organizational costs -- things so esoteric, so frivolous, so nonsensical, or just so thoroughly unimportant that no organization, large or small, would ever bother with them. Things that you shake your head at when you see them and think, "That's ridiculous."

Sounds a lot like the Internet, doesn't it? And that's precisely Shirky's point. His new book, Here Comes Everybody: The Power of Organizing Without Organizations, explores a world where organizational costs are close to zero and where ad hoc, loosely connected groups of unpaid amateurs can create an encyclopedia larger than the Britannica and a computer operating system to challenge Microsoft's.

Shirky teaches at New York University's Interactive Telecommunications Program, but this is no academic book. Sacrificing rigor for readability, Here Comes Everybody is an entertaining as well as informative romp through some of the Internet's signal moments -- the Howard Dean phenomenon, Belarusian protests organized on LiveJournal, the lost cellphone of a woman named Ivanna, Meetup.com, flash mobs, Twitter, and more -- which Shirky uses to illustrate his points.

The book is filled with bits of insight and common sense, explaining why young people take better advantage of social tools, how the Internet affects social change, and how most Internet discourse falls somewhere between dinnertime conversation and publishing.

Shirky notes that "most user-generated content isn't 'content' at all, in the sense of being created for general consumption, any more than a phone call between you and a sibling is 'family-generated content.' Most of what gets created on any given day is just the ordinary stuff of life -- gossip, little updates, thinking out loud -- but now it's done in the same medium as professionally produced material. Unlike professionally produced material, however, Internet content can be organized after the fact."

No one coordinates Flickr's 6 million to 8 million users. Yet Flickr had the first photos from the 2005 London Transport bombings, beating the traditional news media. Why? People with cellphone cameras uploaded their photos to Flickr. They coordinated themselves using tools that Flickr provides. This is the sort of impromptu organization the Internet is ideally suited for. Shirky explains how these moments are harbingers of a future that can self-organize without formal hierarchies.

These nonorganizations allow for contributions from a wider group of people. A newspaper has to pay someone to take photos; it can't be bothered to hire someone to stand around London underground stations waiting for a major event. Similarly, Microsoft has to pay a programmer full time, and Encyclopedia Britannica has to pay someone to write articles. But Flickr can make use of a person with just one photo to contribute, Linux can harness the work of a programmer with little time, and Wikipedia benefits if someone corrects just a single typo. These aggregations of millions of actions that were previously below the Coasean floor have enormous potential.

But a flash mob is still a mob. In a world where the Coasean floor is at ground level, all sorts of organizations appear, including ones you might not like: violent political organizations, hate groups, Holocaust deniers, and so on. (Shirky's discussion of teen anorexia support groups makes for very disturbing reading.) This has considerable implications for security, both online and off.

We never realized how much our security could be attributed to distance and inconvenience -- how difficult it is to recruit, organize, coordinate, and communicate without formal organizations. That inadvertent measure of security is now gone. Bad guys, from hacker groups to terrorist groups, will use the same ad hoc organizational technologies that the rest of us do. And while there has been some success in closing down individual Web pages, discussion groups, and blogs, these are just stopgap measures.

In the end, a virtual community is still a community, and it needs to be treated as such. And just as the best way to keep a neighborhood safe is for a policeman to walk around it, the best way to keep a virtual community safe is to have a virtual police presence.

Crime isn't the only danger; there is also isolation. If people can segregate themselves in ever-increasingly specialized groups, then they're less likely to be exposed to alternative ideas. We see a mild form of this in the current political trend of rival political parties having their own news sources, their own narratives, and their own facts. Increased radicalization is another danger lurking below the Coasean floor.

There's no going back, though. We've all figured out that the Internet makes freedom of speech a much harder right to take away. As Shirky demonstrates, Web 2.0 is having the same effect on freedom of assembly. The consequences of this won't be fully seen for years.

Here Comes Everybody covers some of the same ground as Yochai Benkler's Wealth of Networks. But when I had to explain to one of my corporate attorneys how the Internet has changed the nature of public discourse, Shirky's book is the one I recommended.

This essay previously appeared in IEEE Spectrum.

He makes the argument that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is very much unconstitutional, in that its hefty fines for copyright infringement (misleadingly called "theft" in the title of the bill) show that the bill is effectively a criminal statute, yet for a civil crime. That's because it really focuses on punitive damages, rather than making private parties whole again. Even worse, it puts the act of enforcing the criminal statute in the hands of a private body (the RIAA) who uses it for profit motive in being able to get hefty fines.

Imagine a statute which, in the name of deterrence, provides for a $750 fine for each mile-per-hour that a driver exceeds the speed limit, with the fine escalating to $150,000 per mile over the limit if the driver knew he or she was speeding. Imagine that the fines are not publicized, and most drivers do not know they exist. Imagine that enforcement of the fines is put in the hands of a private, self-interested police force, that has no political accountability, that can pursue any defendant it chooses at its own whim, that can accept or reject payoffs in exchange for not prosecuting the tickets, and that pockets for itself all payoffs and fines. Imagine that a significant percentage of these fines were never contested, regardless of whether they had merit, because the individuals being fined have limited financial resources and little idea of whether they can prevail in front of an objective judicial body.

Another news story.

After 26 days, and almost 350 million e-mail messages, only 28 sales resulted -- a conversion rate of well under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88 -- a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network -- we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm's pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.

Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than "millions of dollars every day," but certainly a healthy enterprise.

Of course, the authors point out that it's dangerous to make these sorts of generalizations:

We would be the first to admit that these results represent a single data point and are not necessarily representative of spam as a whole. Different campaigns, using different tactics and marketing different products will undoubtedly produce different outcomes. Indeed, we caution strongly against researchers using the conversion rates we have measured for these Storm-based campaigns to justify assumptions in any other context.

Spam is all about economics. When sending junk mail costs a dollar in paper, list rental, and postage, a marketer needs a reasonable conversion rate to make the campaign worthwhile. When sending junk mail is almost free, a one in ten million conversion rate is acceptable.

News articles.

I am in Barcelona, Spain with Michael Howard and Adam Shostack at the TechEd EMEA: Developers Conference.

In addition to teaching and attending security sessions, we are in Barcelona to formally announce the launch of the SDL Optimization Model, SDL Pro Network and the Microsoft SDL Threat Modeling Tool Beta!   For those of you who are unaware of these initiatives here’s a description of each…

SDL Optimization Model: The SDL Optimization Model was created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. It allows development managers and IT policy-makers to assess the state of the security in development and create a vision and road map for reducing customer risk.

Specific objectives of the model include the following:

·         Enable organizations outside of Microsoft to create more secure and privacy-enhanced software by successfully implementing the SDL

·         Allow organizations to self-assess current software development security practices and create a strategy for gradual improvement

·         Provide SDL Pro Network service providers with a consistent and effective framework for providing SDL services

SDL Pro Network: The SDL Pro Network is a group of security service providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the Microsoft SDL. SDL Pro Network service providers will guide and support organizations in implementing the SDL into their environments.

The primary focus area for all members, both now and in the future, will be to deliver on the program’s commitment to make the SDL available outside Microsoft, specifically focusing on these issues:

·         Protecting the customer - Helping customers adopt the SDL or general secure coding practices.

·         Improving the SDL - Leveraging member knowledge to understand how the SDL is used by customers, what needs to be modified and what customer needs must be met in the future.

SDL Threat Modeling Tool Beta: The Microsoft SDL Threat Modeling Tool Beta allows for structured analysis, proactive mitigation and tracking of potential security and privacy issues in new and existing applications.  Microsoft developed the tool and we use it internally on many of our products. This tool offers a threat modeling methodology that any software architect can lead effectively — in contrast with other processes, which are more expert-dependent. A few quick notes about the features:

·         Automated guidance and feedback in drawing threat diagrams

·         Guided analysis of threats and mitigations based on the STRIDE taxonomy

·         Integration with bug-and issue-tracking systems like Visual Studio Team Foundation Server

To learn more about these, visit the SDL portal, http://www.microsoft.com/sdl.

By the way, if you are in Barcelona and want to stop by and chat, the session list is below:

SDL Theater Sessions:

·         Getting started with the new SDL Threat Modeling Tool                             

Adam Shostack, Theater 1, Tuesday, Nov. 11, 15:20 – 15:40

·         You could do that but it would be wrong – a discussion of pros/cons of threat mitigations

Michael Howard & Adam Shostack, Theater 1, Thursday, Nov. 13, 10:20 – 10:40

General Sessions:

·         DVP308  How I Learned to Stop Worrying and Love Threat Modeling      Nov. 12, 10:45 – 12:00

·         DVP309  How to Review Your Code and Test for Security Bugs                  Nov. 13, 3:15 – 4:30

·         DVP312  Top Ten Strategies to Security Your Code                                       Nov. 14, 10:45 – 12:00