March 2015

Can we extend trust-based collaboration beyond handshakes and face-to-face?

I had the opportunity to participate in a panel at Suits and Spooks, Washington DC 2015 last month. The panelists shared their perspectives on the perceived post-Snowden "breakdown of trust, and shared how they work on restoring trust from the ground up, one handshake at a time."

I struggled when preparing for this panel. While I agree that we've had communications breakdowns (bows to Led Zeppelin), I'm not certain that Snowden's leaks constituted a breakdown of trust among US allies or their citizenry. Rather, I think the disclosures revealed erosion of trust over time, misplaced trust, or even naiveté (i.e., confusing trust with trusting). Whichever of these cases applies, each demonstrates a misconception of the nature of a trust relationship, the commitments individuals or organizations make when entering into trust relationships, and the need for reinforcement to sustain trust.

Bases for Trust Among Individuals

Vetting criteria for cybercrime investigations collaboration communities may serve as criteria or bases for formal trust relationships among private and public sector actors. In these trust circles, the individuals must be known by other community members to exhibit these personal characteristics:

  • behaves ethically, does not lie.
  • respects confidences, keeps secrets.
  • distinguishes fact from opinion.
  • is prepared to share data to corroborate what is claimed to be fact.
  • is willing to admit error or fault and be held accountable.
  • is willing to course correct.

By exhibiting these characteristics to other community members, individuals earn membership. By reinforcing these, individuals sustain membership. Most importantly, mutual trust comes from insisting these are characteristic of the community.

I have the good fortune to work in several trust-based collaborative communities where criteria such as these are formulated into a vetting process. They work, and work well. 

Bases for Public-Private Trust Partnerships

At Suits and Spooks, I attempted to identify analogous criteria for public or private sector actors that might serve as the bases for public-private trust partnerships.


Many of these are serious challenges for actors who seek public-private partnerships. But absent trust frameworks that exhibit trust characteristics that are successful among ad hoc collaborative communities, governments and private organizations will continue to struggle to combat cybercrime, subdue terrorism, or contend with espionage.

Is it spam? This season in IRS tax scams

It's tax season in the US. This week's "Is it spam?" features spampaigns that attempt to lure mail recipients into revealing personal information, including Social Security numbers or electronic filing PINs. These are only a few of the scams that the US Internal Revenue Service (IRS) identifies annually in its Dirty Dozen tax scams list. Some of these emails may contain Word documents that masquerade as official tax forms but contain malicious macros.

This season's scams contain Subject: lines such as:

  • [Issue #:IRS099283746] For Your Record
  • New Message from
  • Your IRS Online Services Update
  • Your 2015 Electronic IP Pin!
  • View Your Tax Return Status
  • Tax Exemption Notification
  • Identity Verification

As you can tell from this sample of Subject lines, tax fraudsters use several methods to hook victims. The most common are fear or uncertainty (tax error or delinquency) and greed (exemption notices). Tax fraudsters also play on taxpayer impatience (check tax return status) or appeal to tax filers who are always looking for ways to save on taxes.

Tax fraudsters treat the IRS as a "brand". They will use the IRS logo. They'll replicate official-looking forms. In short, they use conventional phishing techniques, so please follow the "how to avoid being phished" recommendations I and others publish. However, be particularly suspicious of the following:

  • links that take you to sites containing official-looking submission forms like those I show here,
  • promises of larger or extraordinary refunds,
  • offers to help you hide income or that will reveal hidden deductions for fees in advance.

The IRS offers other specific advice for taxpayers to avoid becoming a tax fraud victim. You may also want to check out IRS social media channels, including YouTube videos and IRS on Tumblr (search “scam” to find scam-related posts).

If you do receive an IRS phishing email, please report it to the IRS and the AntiPhishing Working Group (APWG). You can also join the user campaign against phishing: add your phish to PhishTank.
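
For mail administrators who want to flag these messages before a recipient sees them, the following added example (not code from the original post) checks a raw message for the signals described above: IRS branding from a non-IRS sender, the fear, greed and impatience lures in the Subject line, and a macro-capable Word attachment. The keyword patterns, the `triage` and `sample` helper names, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure categories come from the post; the keyword patterns are assumptions.
LURES = {
    "fear": re.compile(r"error|delinquen|issue #|verification", re.I),
    "greed": re.compile(r"exemption|refund", re.I),
    "impatience": re.compile(r"return status", re.I),
}
IRS_BRAND = re.compile(r"\bIRS\b|Internal Revenue", re.I)
MACRO_CAPABLE = (".doc", ".docm", ".dotm")  # Word formats that can hold macros


def triage(raw):
    """Return the reasons a raw message looks like an IRS-themed phish."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Brand claimed in display name or subject, but sender domain is not irs.gov.
    # A matching From domain proves nothing by itself: the header is forgeable.
    if IRS_BRAND.search(f"{display} {subject}") and not (
        domain == "irs.gov" or domain.endswith(".irs.gov")
    ):
        findings.append("brand-mismatch")
    findings += [f"lure:{name}" for name, rx in LURES.items() if rx.search(subject)]
    if any((p.get_filename() or "").lower().endswith(MACRO_CAPABLE)
           for p in msg.walk()):
        findings.append("macro-capable-attachment")
    return findings


def sample(sender, subject, attachment=None):
    """Build a constructed test message; no real mail is used."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "filer@example.org", subject
    m.set_content("Constructed body text.")
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


PHISH = sample('"IRS Online Services" <notice@tax-refunds.example>',
               "Tax Exemption Notification", "Form-1040.doc")
BENIGN = sample("Newsletter <news@example.org>", "Spring gardening tips")
```

An empty result does not mean a message is legitimate; sender authentication results (SPF, DKIM, DMARC) and attachment scanning should be evaluated alongside these heuristics.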