Monday, November 3, 2008

A Security Market for Lemons

Prelude...
Today, I attended a talk by Dr. Prabhakar Raghavan, the head of Yahoo Research. It was quite interesting, and a main takeaway for me was that we, as scientists/engineers, need to seriously consider economic aspects (mainly monetization) along with technical details (correctness, scalability, responsiveness, security, etc.) when designing/developing systems. He nicely explained how Yahoo was losing money 2 years ago because it did not consider other factors (such as click rate) along with bid prices when ordering the list of ads shown to users. (Companies are charged only when users click on their ads, not for showing them. Companies can bid high for their ads and have a top spot in the ads bar even though the ads may not be very relevant to users' intent. They continue to enjoy the top spot (as users hardly click on irrelevant links) at the cost of more relevant ones not getting their due attention. However, such top ads get the unfair attention of users over others, as conveying their brand plays a big part in the initial selection of products by users. To prevent such an unfair or kind of lemon market for ads, you need to consider other factors in addition to the bid they make.) Now they have corrected this. Here's how Google ranks ads.

Now to the $subject...
I was curious to find out what a lemon market is all about - especially how it affects security. I must admit that my knowledge of economic concepts is very limited. However, I found some good references about it on the web [1, 2, 3]. Let me try to explain the core:

The concept of lemon markets was introduced by George Akerlof, the joint Nobel Prize winner in Economics in 2001, in his 1970 paper "The Market for Lemons: Quality Uncertainty and the Market Mechanism" (it has about 5000 citations and counting in Google Scholar).

What is a lemon market? How do they get formed?
The basic idea is that in a market where sellers have more information than buyers about the product (in the author's terminology, a market with asymmetric information) and no buyer can accurately assess the quality of the product, bad products can drive good products out of the market, creating a market for lemons (low-quality products). This happens because buyers get some kind of incentive (e.g. a lower price) in exchange for lemons. You can find the detailed requirements for its formation in the paper.

Akerlof uses the used car market as an example to explain this concept. There are good used cars and defective used cars (lemons). Sellers know which is which, but buyers don't know, at least until they purchase them. Sparing the technical details mentioned in the paper, buyers position their perceived price for a good car a little over the price of an average used car in the hope that they will trade for a good used car. Since good used cars are priced higher than what buyers may be willing to pay, good used cars do not get sold and the lemons (the crappy ones) take over the market.

I think the key reason for such formation of lemon markets is the lack of credible disclosure of the quality of the products being sold. If we have a trusted independent party to assert the quality, we may prevent lemon markets. For example, we have KBB here in the USA to check prices for used cars; it gives a trustworthy measure of how much a used car is actually worth. Even though it has some subjective components in its evaluation, it is better to have something like that than nothing.

Does marketing create lemon markets? I think it contributes towards that; with competition, marketing companies may bend the facts to get a more favorable perception among buyers for certain products. However, it is not certain whether they will survive in the long run. You can find a detailed treatment of it here. With many major online companies providing customer reviews/ratings for products, I think people become more informed about lemons. When I buy from Amazon or other sites, the first thing I do is go through customer reviews to see their experience with the product - so far it has been quite a reliable way of avoiding lemons.

What are the implications of lemon markets for security? I found this interesting post regarding this. In it, Schneier points out some good examples. The bottom line is that there is no market for good security (since mediocre security is cheaper and companies base their decisions mainly on price) unless there is some sort of "signal" (for example, a warranty, a third-party verification, etc.) that informs buyers about differences in the same product in the market. Of course, the "signal" should be trustworthy in order for it to work.

From the lemon paper - the cost of lemon markets:
"The cost of dishonesty, therefore, lies not only in the amount by which the purchaser is cheated; the cost also must include the loss incurred from driving legitimate business out of existence".
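The unravelling described in this post, and the effect of a trustworthy versus an untrustworthy "signal", can be reproduced with a small model. This is an added example, not code from the post or from Akerlof's paper; the quality scores, the 1.5x buyer premium, the audit threshold of 70 and all function names are assumptions chosen for illustration.

```python
from fractions import Fraction

# Assumption: buyers value any product at 1.5x what its seller would accept.
PREMIUM = Fraction(3, 2)

# Constructed sample: hidden quality scores of ten competing security products.
PRODUCTS = [10, 20, 30, 40, 50, 60, 70, 80, 90, 100]


def surviving_offers(qualities, premium=PREMIUM):
    """Return the qualities still on sale once the price settles.

    A seller knows the quality q and withdraws when the price drops below q.
    Buyers cannot see q, so they bid premium * (average quality on offer).
    """
    offered = sorted(qualities)
    while offered:
        price = premium * Fraction(sum(offered), len(offered))
        staying = [q for q in offered if q <= price]
        if staying == offered:
            break  # nobody else withdraws: the market has settled
        offered = staying
    return offered


def surviving_with_signal(qualities, certified):
    """Settle two pools separately: products with and without a visible label."""
    labelled = [q for q in qualities if certified(q)]
    unlabelled = [q for q in qualities if not certified(q)]
    return sorted(surviving_offers(labelled) + surviving_offers(unlabelled))


def trusted_audit(q):
    """Hypothetical third-party verification that only quality >= 70 passes."""
    return q >= 70


def purchasable_badge(q):
    """Hypothetical label every vendor can obtain, whatever the quality."""
    return True


if __name__ == "__main__":
    print("no signal:        ", surviving_offers(PRODUCTS))
    print("trusted audit:    ", surviving_with_signal(PRODUCTS, trusted_audit))
    print("purchasable badge:", surviving_with_signal(PRODUCTS, purchasable_badge))
```

Without a signal only the three weakest products remain on sale; the audit brings the top four back, while a badge that every vendor can obtain leaves the market exactly as it was without one.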

Sunday, November 2, 2008

Slideshare: Efficient Filtering in Pub-Sub Systems using BDD

The presentation was prepared for a security seminar on logic. It is based on the paper Efficient Filtering in Pub-Sub Systems using Binary Decision Diagrams by Campailla et al. 2001. As the title suggests, as far as I know, this paper is the first of its kind to introduce OBDDs (Ordered BDDs) to represent and manipulate subscriptions in content-based pub-sub systems.

Update: Removed the embedded code from the Slideshare as it brings my blog to its knees. (Slideshare does not seem to scale well and it sucks for large presentations.)

Slideshare: Pub-Sub Systems and Confidentiality/Privacy

The presentation was prepared for a group meeting in the last semester to give an introduction to pub-sub systems with an emphasis on security issues.

Update: Removed the embedded code from Slideshare.

Saturday, November 1, 2008

The SQ3R Method

The following was extracted from the Web. It seems to be an interesting, methodical way to improve the effectiveness of learning. But still, I think the nitty-gritty details of how you actually follow this SQ3R method are highly subjective and may vary from person to person.

Here's the extract:

The SQ3R method has been a proven way to sharpen study skills. SQ3R stands for Survey, Question, Read, Recite, Review. Take a moment now and write SQ3R down. It is a good slogan to commit to memory in order to carry out an effective study strategy.

Survey - get the best overall picture of what you're going to study BEFORE you study it in any detail. It's like looking at a road map before going on a trip.

If you don't know the territory, studying a map is the best way to begin.

Question - ask questions for learning. The important things to learn are usually answers to questions. Questions should lead to emphasis on the what, why, how, when, who and where of study content. Ask yourself questions as you read or study. As you answer them, you will help to make sense of the material and remember it more easily because the process will make an impression on you. Those things that make impressions are more meaningful, and therefore more easily remembered.

Don't be afraid to write your questions in the margins of textbooks, on lecture notes, or wherever it makes sense.

Read - Reading is NOT running your eyes over a textbook. When you read, read actively. Read to answer questions you have asked yourself or questions the instructor or author has asked. Always be alert to bold or italicized print. The authors intend that this material receive special emphasis. Also, when you read, be sure to read everything, including tables, graphs and illustrations. Oftentimes tables, graphs and illustrations can convey an idea more powerfully than a written text.

Recite - When you recite, you stop reading periodically to recall what you have read. Try to recall main headings, important ideas or concepts presented in bold or italicized type, and what graphs, charts or illustrations indicate. Try to develop an overall concept of what you have read in your own words and thoughts. Try to connect things you have just read to things you already know. When you do this periodically, the chances are that you will remember much more and be able to recall material for papers, essays and objective tests.

Review - A review is a survey of what you have covered. It is a review of what you are supposed to accomplish, not what you are going to do. Rereading is an important part of the review process. Reread with the idea that you are measuring what you have gained from the process. During review, it's a good time to go over notes you have taken to help clarify points you may have missed or don't understand.

The best time to review is when you have just finished studying something. Don't wait until just before an examination to begin the review process. Before an examination, do a final review. If you manage your time, the final review can be thought of as a "fine-tuning" of your knowledge of the material. Thousands of high school and college students have followed the SQ3R steps to achieve higher grades with less stress.

Slideshare: A Structure Preserving Approach to Secure XML Documents

I've just created an account at Slideshare. I'm going to upload some of the presentations I've prepared here.

The following is from the talk I did at the TrustCol 2007 workshop in NY, USA. It is based on our paper "A Structure Preserving Approach to Secure XML Documents". It proposes a new approach to encrypt and sign XML documents without destroying their structure.