Everything I needed to know about game theory, I learned from Italian publishers

There is an Italian version of More Than Two. Or rather, there is, in an alternate universe in which the Italian publisher who published the Italian-language edition of More Than Two was honest and abided by its agreements, an Italian version of More Than Two. Alas, that universe is not this universe.

In the universe we live in, the publisher signed an agreement, but then never made the payment that would have activated the rights transfer. They also added a foreword without consulting with us first, something explicitly forbidden in the agreement.

Okay, so that’s shitty and all, but the place where things get especially weird is that so far, every Italian person we’ve talked to about this has nodded sagely and said, “Well, yes. That’s Italy.”

Since things have gone sideways with the Italian publisher, I’ve heard a number of stories of commiseration from Italians. This is, it seems, about par for the course when one sets out to do business in Italy.

Which is really weird, when you think about it.

But I didn’t come here to complain about the Italian publisher of More Than Two. I came here to talk about game theory.


Say you’re a businessperson who deals with a certain…unsavory element buying and selling products you legally oughtn’t. Say that, for your security and that of your clients, you always do business anonymously. You don’t know who your clients are, they don’t know who you are, and never the two of you shall meet. You do business indirectly: you leave a suitcase full of money under the tree stump at the old Dearborn farm, and your client leaves a sack with the shady goods under a trestle out by the abandoned railroad bridge.

This is a variant on the Prisoner’s Dilemma problem, which I’ve touched on before in the context of polyamory. This is a classic problem in game theory. You have a choice: leave your money or leave an empty suitcase. Your mystery client has a choice: leave the goods or leave an empty sack. If you both leave what you’re supposed to leave, you both benefit. If one of you leaves what you’re supposed to leave and the other leaves nothing, then whoever left nothing makes out double–he gets the money and the goods. And if you both leave nothing, neither of you loses but neither of you gains, either.

In game theory terms, you each have a choice: cooperate (C) or defect (D). Each of you chooses C or D. If you both choose C, you both benefit a little; if you both choose D, neither of you benefits but you also don’t lose; if one chooses C and one chooses D, the person who chooses C loses and the person who chooses D gains.

The temptation, then, is very strong to defect.

Ah, but what if you don’t have just a single exchange? What if you have a standing arrangement where you do the transaction every Friday night at midnight? If your mystery partner defects, you will naturally lose trust, and you’ll have no reason to cooperate. But if both of you defect all the time, neither of you is getting what you want! Presumably you want the goods more than you want the money, and presumably they want the money more than they want the goods, or else you’d never agree to the exchange. So what benefit is there in both of you practicing an all-defect strategy?

So the calculation is a bit different in one-off exchanges (where there’s strong incentive to defect) vs. an ongoing relationship (where there’s incentive to cooperate).


These situations play out all the time in real life. Every day, we have choices to cooperate or defect, where defecting might give us short-term gain, but at the cost of long-term success. Some of those choices are made in situations where there won’t be an ongoing relationship, and some in situations where there will.

Most of the time, we know the other player in these games; it’s rare the other side is totally anonymous. It’s also rare each side is powerless to seek redress if one party defects. In fact, you could make a case for the notion that’s what civilization is: a system designed to prevent people from practicing an all-defect strategy without consequence.

We are a social species. Social entities have to work together. If everyone defects all the time, social structures break down. This is, in fact, hypothesized as the root of altruism: for social species, altruism has positive survival value. Working together, we can accomplish more, and survive challenges we can’t survive apart. (There’s a book about this, in fact; it’s called The Evolution of Cooperation.)

But there’s no getting around the fact that defecting does offer a short-term payoff, especially if you do it and your partner doesn’t. And there’s a huge penalty for cooperating if your partner defects. Them’s the facts.

In most human societies, most people cooperate most of the time. In some societies, however, it seems people are more prone to defect.

The Italian publisher applied an all-defect strategy with us. They defected when they didn’t pay us, and defected again when they added a foreword. When we complained, they said they’d stop selling the book until we resolved our differences; and while we were in the process of negotiating with them to do so, they defected yet again, continuing to sell and advertise the book when they’d said they’d stop. And then, when we complained again, they said, “Ok, sue us, Italian courts are so slow it’ll never go to trial–and even if it does, we don’t have any money anyway.”

So finally, we stopped trying to negotiate, issued a statement, and started filing takedown requests. From the publisher’s perspective, this probably felt like a defection. And neither we nor the publisher got what we wanted. And everyone shrugged and said, “Yeah, that’s Italy for you.”

Worse, the fact that we pulled the plug probably validated the publisher’s idea. “See,” they might say, “this is why we behave the way we do–because, look, people are always screwing us!” When you practice an all-D strategy, your partners are going to defect too. Which means you should defect, because they’re going to defect, so why should you be the only chump cooperating?


But here’s the thing: Since we are, arguably, evolved to be cooperative; since most of the encounters we have are not one-off exchanges (and even if they are, word gets around–if you screwed your last ten customers, the eleventh might not want to deal with you); and since societies need some minimum level of cooperating in order to function…why do we occasionally see places where people appear to play an all-D strategy?

One person Eve and I have spoken to has suggested that Italy has such a long history of corrupt, dysfunctional politics and essentially broken legal systems that people have developed a habit of breaking rules, simply because in a corrupt society, you must break rules simply to get anything done. This pattern has played out in Russia as well, another place where, it seems, all-D strategies are common. If that’s true, it would seem to create a perfect storm of positive feedback: people begin to defect routinely, as a matter of course, because the social systems have become dysfunctional. This causes the social systems to become more dysfunctional, because societies in which many people tend to defect are intrinsically dysfunctional. That increased dysfunction causes more people to defect more often in their exchanges with others, which leads to greater dysfunction, and so it goes.

Which, if that’s true, bodes ill.

There is, right now, in the US White House, a person who has made a career of defecting. The Cheeto-in-Chief is notorious for screwing his contractors, his vendors, and his financial backers; that’s why he ended up in bed with Russian banks–American banks refuse to do business with him. His Orangeness has surrounded himself with people who also tend to practice all-D strategies; indeed, one could argue that the Tea Party was virtually built on a foundation of all-D behavior.

I fear that, if this idea becomes entrenched enough in US society, it will become normalized to defect as a matter of course, in all kinds of business and social interactions. Once that positive feedback loop sets in, I’m not sure how, or if, it can be reversed.

And people will sigh, and nod, and say, “You got screwed by an American company? Yeah, that’s the Americans for you.”

A society that works this way will never remain a world power. (Russia, I’m looking at you here.)

The Return of the Spam Tsunami

As regular readers of this blog know, I am an amateur infosec researcher, and I track spam and malware as a hobby. And, as many of you know, there are certain names–ISPs, people, affiliate networks, content delivery networks–that tend to come up again and again whenever you do a deep dive into the seedy, twisted world of spam and malware.

A while back, I wrote a blog post about a prolific spammer named Mike Boehm, who makes money sending spam emails that advertise affiliate links on affiliate Web sites. Every time someone clicks a link in one of his spam emails, they’re redirected through a network of computers, all designed to put distance between the spam email and the final site, until eventually arriving at an affiliate Web site, which pays Mr. Boehm for the referral.

Lately, I’ve found myself buried under a blizzard–nay, dare I say, a tsunami–of spam emails that all have very similar characteristics. They advertise a site, usually with a cheap top level domain that nobody wants such as .stream or .science or .faith. Visiting the site shows a plain white page with an animated “Loading” graphic. Then, after a few seconds, you end up on a completely different site, the one actually advertised in the spam.

These spam emails have some but not all of the characteristics of Mike Boehm spam. It’s been hard to track them, because they use complex JavaScript to attempt to hide how the redirection works, what affiliate network they’re using, and where they redirect to. I’ve been collecting examples, and as the number of these spam emails arriving in my inbox has risen, so too has my blood pressure.

Today, it finally reached the point where I sat down and did the work to take apart the tricky JavaScript redirectors and figure out what’s happening.

Lo and behold, the JavaScript is used to redirect visitors through Clickbank, a favored affiliate network used by Mike Boehm in the past.

The system works like this:

Basically, the spamvertised site contains hidden iframes and/or hidden divs that carry a redirection JavaScript. The redirection JavaScript attempts to conceal where the page is redirecting to. The code on the spamvertised pages looks like this:

<script type="text/javascript" src="hxxp://[spamvertised domain]/ajax/get_js/main/"></script>
<title>Loading…</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
</head>
<body>
<div style="position:absolute;top:-1000px;left:-1000px;height:0px;width:0px;"><a href="hxxp://www.buzsounds.faith/tr11/6/685/416/510/81/26391725/index.htm" style="border=0;"><div></div></a></div>
<div id="show_loading">
  <center><br /><br /><img src='hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/' /></center>
</div>
<div id="content" style="display:none;">
  <iframe id="content_window">
    <html>
    <body>
    <center><br /><br /><img src='hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/' /></center>
    </body>
    </html>
  </iframe>
</div>
<script type="text/javascript">
$(document).ready(
  function() {
    if (ajax._loaded == false) {
      var _doc = ajax.getIframeCW(document.getElementById('content_window'));
      _doc.body.innerHTML = '<html><body><center><br /><br /><img src=\'hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/\' /></center></body></html>';
    }
  }
);
ajax.getMainPage(
  param1,
  param2,
  param3,
  param4,
  param5,
  param6,
  param7,
  qs
);
</script>

The JavaScript loaded from the script tag assembles a URL from the parameters, then loads the content of that URL.

getMainPage : function(m,l,li,s,u,o,c) {
  var _u = "";

  if (u == '') {
    if (o == '' && c == '') {
      _u = host_name+'ajax_m/get_main_page/'+m+'/'+l+'/'+li+'/'+s+'/';
    }else{
      _u = host_name+'ajax_m/get_main_page/'+m+'/'+l+'/'+li+'/'+s+'/'+o+'/'+c+'/';
    }
  }else {
    if (o == '' && c == '') {
      _u = host_name+'ajax_m/get_main_page/'+m+'/'+l+'/'+li+'/'+s+'/'+u+'/';
    }else{
      _u = host_name+'ajax_m/get_main_page/'+m+'/'+l+'/'+li+'/'+s+'/'+u+'/'+o+'/'+c+'/';
    }

  }

  if(qs != '') {
    _u = _u+"qs/?"+qs;
  }

  $.ajax({
    url: _u,
    success: function(data) {

      if (pg_st == 0) {
        var _w = window;
        _w.location = data;
      }else{
        $('#show_loading').css('display','block');
        $('#content').css('display','none');
        var _doc = document.getElementById('content_window');
        _doc.src = data;
        _doc.onload = ajax.flip;
      }
    }
  });
},

The URL that’s assembled returns nothing but a text string: yet another URL. And, as it turns out, that URL belongs–surprise!–to Clickbank.
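An added example (not part of the original post, and not code from the spam pages): a Node.js triage script that checks a saved copy of a landing page for the structural markers quoted above and rebuilds the get_main_page URL with the same branch logic as getMainPage, so the next hop can be named in an abuse report without running the page's script in a browser. The host name, parameter values and sample HTML are constructed placeholders.

```javascript
'use strict';
// Added example; markers are the structural features of the quoted landing page.
const MARKERS = {
  remoteLoader: /<script[^>]+src=["'][^"']*\/ajax\/get_js\/main\/?["']/i,
  offscreenLink: /<div[^>]+style=["'][^"']*(?:top|left)\s*:\s*-\d+px[^"']*["'][^>]*>\s*<a\s/i,
  hiddenFrame: /<iframe[^>]+id=["']content_window["']/i,
  getMainPageCall: /ajax\.getMainPage\s*\(/,
};

// Returns the names of the markers present in a saved copy of the page.
function findRedirectorMarkers(html) {
  return Object.keys(MARKERS).filter((name) => MARKERS[name].test(html));
}

// Same branch logic as the quoted getMainPage(): u is skipped when empty,
// o and c are appended together unless both are empty, qs goes last.
// Assumption: all parameters are strings, as in the page's script.
function buildMainPageUrl(hostName, p, qs = '') {
  const parts = [p.m, p.l, p.li, p.s];
  if (p.u !== '') parts.push(p.u);
  if (!(p.o === '' && p.c === '')) parts.push(p.o, p.c);
  let url = hostName + 'ajax_m/get_main_page/' + parts.join('/') + '/';
  if (qs !== '') url += 'qs/?' + qs;
  return url;
}

// Constructed sample: a stripped-down page with the same structure.
const SAMPLE_HTML = [
  '<script type="text/javascript" src="http://spam.example.invalid/ajax/get_js/main/"></script>',
  '<div style="position:absolute;top:-1000px;left:-1000px;height:0px;width:0px;"><a href="#"><div></div></a></div>',
  '<div id="content" style="display:none;"><iframe id="content_window"></iframe></div>',
  '<script type="text/javascript">ajax.getMainPage("11", "22", "33", "44", "", "", "", "");</script>',
].join('\n');

function triage(html, hostName, params, qs) {
  const markers = findRedirectorMarkers(html);
  return {
    markers,
    likelyRedirector: markers.length >= 3, // threshold is an assumption
    // Endpoint whose response body is the next-hop URL.
    endpoint: buildMainPageUrl(hostName, params, qs),
  };
}

console.log(triage(SAMPLE_HTML, 'http://spam.example.invalid/',
  { m: '11', l: '22', li: '33', s: '44', u: '', o: '', c: '' }, ''));
```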

In the past, Clickbank has been reasonably responsive to spam complaints. I won’t say they’re great (they’re slow and often don’t take action until I’ve complained multiple times), but they do eventually shut down spamming affiliates.

They shut Mike Boehm down multiple times, and for a while, I was seeing very little spam from him.

This new tsunami of spam, accompanied by the sneaky attempts to conceal the Clickbank redirects, suggests that he’s back to his old tricks, but this time trying to prevent anyone from complaining and having him shut down again.

I’ve managed to find the affiliate IDs he’s using and file complaints with Clickbank. I hope they shut him down again.

There’s a degree of entitlement among spammers I rarely see outside abusers.