Today at the Anti-Spyware Coalition (ASC) public workshop in DC, StopBadware, the ASC, and the National Cyber Security Alliance (NCSA) launched the "Chain of Trust" initiative. From the press release:

Developed by the Anti-Spyware Coalition (ASC), National Cyber Security Alliance (NCSA) and StopBadware.org, the Chain of Trust Initiative will link together security vendors, researchers, government agencies, Internet companies, network providers, advocacy and education groups in a systemic effort to stem the rising tide of malware.

[snip]

The first order of business in the Chain of Trust Initiative is to map the complex, interdependent network of organizations and individuals that make up the chain. Only by identifying all the vulnerable links and understanding how they connect to one another can malware fighters get a handle on the problem and begin to develop consensus solutions.

For those interested in ideas coming out of the workshop, feel free to follow the tag #asc09 on Twitter, flickr, and other tag-enabled sites.

There’s still time to register for the Anti-Spyware Coalition public workshop next week in Washington, DC. And, best of all, press, government, ASC members, educational and nonprofit attendees attend free! (Corporate attendees pay only $250 for a great all-day workshop.)

Complete details and registration links can be found here.

Register now for the Anti-Spyware Coalition public workshop on May 19 in Washington, DC. The workshop should be excellent, with keynotes from U.S. cybersecurity chief Melissa Hathaway, Consumer’s Union security specialist Jeff Fox, and Washington Post security columnist Brian Krebs. It will also feature several interesting panels, including one that I’ll be facilitating on the topic "Who owns the problem?" That panel will feature:

• Jeffrey Troy, Chief of the Cyber Criminal Section, Federal Bureau of Investigation
• Sam Fleitman, Chief Operations Officer, SoftLayer Technologies, Inc
• Bob Bruen, KnujOn
• Kevin Haley, Director of Product Management, Symantec Security Response
• Alissa Cooper, Center for Democracy and Technology
• Andy Steingrubel, Manager of Secure Development, PayPal Information Risk Management

 I hope to see you there!

The Anti-Spyware Coalition, of which StopBadware.org is a member, will host its 5th public workshop on May 19 in Washington, DC. The workshop will be focused around creating a chain of trust online, and how good actors can cooperate in order to protect users. I will be facilitating one of the panels, focused on the question "Who owns the problem?"

The agenda and registration for this event are now online at http://antispywarecoalition.org/events/may2009.php. Press, government, educational and nonprofit attendees register for free.

After interviewing a few folks, including me, last week, Mary E. Shacklett posted a nice piece at Internet Evolution about the difficult issue of how to effectively get malicious websites taken down.

As noted in the article, I’ll be moderating what promises to be a lively and fascinating panel discussion on this topic at the Anti-Spyware Coalition conference in Washington, DC on May 19. Stay tuned for details.

StopBadware.org is a member of the Anti-Spyware Coalition (ASC), and I’m currently serving on the ASC’s “global issues subgroup.” The group’s purpose is to try to understand how spyware and other malware are viewed by consumers in other countries.

We’ve put together the following survey to get people’s perspective. If you have insight into a particular country, please send your responses to the survey below to Heather West at heather@cdt.org. Please also feel free to forward the survey along to others who may be able to help.

—

Where are you located?

How big a concern is:

• spyware? malware? viruses?
• privacy of personal information?
• identity theft?
• financial fraud?
• machine slowdown?

Are people worried about doing these things online?

• online banking
• e-commerce
• web based email
• social networking
• blogging

What is the most important/valuable thing users will store on their computer?

What kind of personal information are people worried about keeping safe, in general?

What is the incidence of identity theft?

Do most users own computers?

How do users generally connect to the internet?

Who enforces against deceptive practices or takes action against spyware?

Have any spyware enforcement cases happened in this country?

What laws are in place having to do with computer fraud and cybersecurity?

What are the legal implications of calling programs spyware?

Are there legal protections in place to protect anti-spyware vendors?

Are there legal protections for watchdog groups?

The Anti-Spyware Coalition, of which StopBadware is a member, will hold its next public workshop on January 31 in Washington, DC. The theme for the day will be “Spyware: What’s Worked, What’s Left, and What’s Coming.”

The ASC’s last conference was held here at Harvard, and proved to be an excellent opportunity for a meeting of minds in the anti-spyware space. You can read StopBadware staffers’ notes from that event here.

For more info about the January event, including planned panels and registration, head to the ASC website at antispywarecoalition.org.

Debate over several proposed U.S. federal anti-spyware laws continued at the Anti-Spyware Coalition conference last week at Harvard. In a panel on public policy moderated by StopBadware’s own John Palfrey, panelists from the Center for Democracy and Technology and the Federal Trade Commission disagreed on the best way forward for legislation that combats spyware.

The three potential bills at stake are the I-Spy Act and the Spy Act, both recently passed in the House, and the Counter Spy Act, recently re-introduced in the Senate after failing to pass in previous sessions. Ari Schwartz, deputy director of the CDT, said that the CDT supports all three bills, on the principle that any further clarification of the illegality of spyware is a good thing. Tracy Shapiro, an attorney at the FTC, said that the FTC feels it already has enough legal power at its disposal and that further legislation might actually cause confusion.

InfoWorld highlights the debate in an article here. You can also read more about the I-Spy and Spy acts in earlier StopBadware blog posts here.

Recordings of sessions at the Anti-Spyware Coalition conference, which took place this past Wednesday at Harvard Law School, are now available:

Part 1
Part 2
Part 3

You will need Real 10 Player to play the recordings (free download available here).

We have one more panel’s worth of notes from our blogging of yesterday’s Anti-Spyware Coalition conference. Here, StopBadware researcher Oliver Day shares his notes on the Trends panel, which closed out the day at the conference:

Google:

• The interstitial page. Creates a way to warn users of the search engine when a website is possibly infected.
• The Ghost in the Browser paper by Niels Provos et al. Technical paper on the methodologies used by Google to determine “badness”
• Safe browsing API overview. Opening up more information to the end users
• Online security blog. Tech oriented blog that is a day to day journal of the group.

Truste:

• Program whitelists
• Affiliate networks offloading responsibility

StopBadware:

• Educating consumers
• Guideline creation and security tips for site owners
• Community building via discussion groups, etc.

Site Advisor:

• Built for consumers by MIT engineers
• Bots testing for annoying behaviors

Questions:

How do all these pieces fit together in the security ecosystem?
Orgs like Truste try to fill in particular niches like deep product reviews. Google is trying to make searching safer. Stopbadware is in a unique position as a non-profit to act as a watch dog against corporations (see AOL report).

Are we acting as arbiters of the Internet? What happens when we get something wrong? Versions change often (think updates) so how valid are product certifications?

Google claims near zero False Positives based on vetting through partners. No one should surf securely feeling that they are protected from all things. How does one “look both ways” when you are browsing web pages?

False positives can be dealt with on a programmatic level. Creating decays on bans, white lists, etc.

Will/do consumers want their computers to be like appliances?

Porn is a vehicle for a badware codec.

How do we compensate for human stupidity?

How do we evade the bad guys when they know where we are (IP address)?

Community helps develop reputation systems.

What is the opinion of these groups for certifications by other groups? Things marked bad by different orgs are likely to be bad. Things marked good should still be viewed with skepticism.