Thursday, February 17, 2011

Economic benefit: Build vs Break

I have one friend who, I swear, is trying to inflame me with my whole build vs break rhetoric. He knows who he is, so this post is for him.

Recent events in the news, finishing economics, and some other personal events have fired me up enough to forgo my original post on WAFs (for now) and discuss some economic basics again. Mostly these are random ideas I have been toying with, applying some economic theory to common problems. I don't know if this will solve anything - some of these ideas are very much in their infancy - but perhaps by putting it out there, someone else might take the ball and run with it.

Basically, the economics of security are stuffed. I don't mean just "slightly broken" - I mean completely, utterly and, currently, irrevocably stuffed. To try and phrase it as an economist might, the marginal cost of fixing software exceeds the marginal benefit - no matter which way you slice it or dice it. I know this isn't revolutionary - David Rice in his book "Geekonomics" covered it pretty well (apparently - I haven't read it in its entirety yet). But from what I can tell, "building" (as I refer to it) is dead.

Yes that's right. Building is dying.

I've been asked (as recently as today even) whether I think it's dying. I always say the same - no, it never will. I have always maintained that. But I guess I've been a lot more critical of my work lately and of what I can do to improve what I do.
I think it has been for a long, long time but none of us really paid any attention.

I'll try to illustrate with some examples:

On one side of the fence, black hats make uber money and get off with a slap on the wrist:

This is one fraudster who perpetrated a $10 million USD heist, on a scale unprecedented in human history - 280 cities, 2,100 ATMs, all within 12 hours. His punishment? A 2 year suspended sentence.

Entire towns loaded with cyber criminals driving Mercs:
The cops themselves acknowledge:
  “You arrest two of them and 20 new ones take their place,” he said. “We are two police officers, and they are 2,000.”
Of course, it doesn't stop there. It's now being reported that fake AV companies can make more profit than legitimate ones.

If you don't want to move into fraud - no problem. There's a huge black market for vulnerabilities, databases, malware, botnets, pwn3d hosts, etc. You name it. Just leave the moral conundrum at home, do your work, enjoy the craft and don't ask questions about who pays for your warez.

On the other, we have conference after conference after conference celebrating security researchers whose primary objective is to break all security that is created. It used to be that the idea of breaking stuff was to find ways to innovate and make it better. Somewhere along the way that all got lost. How many good conferences are there that feature interesting ideas about building and creating? I can think of only one, and it's largely unsung to the best of my knowledge (yet looking at the lineup of some of the speakers you know there are some legends in attendance). Is it any wonder we are making no progress?

If you want to make money building, your options are to open it to the public (Open Source) and be a pauper but get some recognition. Unless you are willing to build a product and sell it, commoditise it (WAFs, firewalls, etc), it just becomes Yet Another Product, which creates its own issues. If you want to make money breaking, however, there's plenty to be made. Just look at Mozilla, ZDI, IDefence, and so on. They'll all pay you to find the holes.

But you know what - let's assume that you dismiss all that, and you decide to build stuff just for the love of it all. Really, what's the point? Take a look at the tragedy that is the NSW Privacy Commissioner's findings into Vodafone. They don't even really take action, even when it's proven that a company acted negligently. Economically, you can applaud Vodafone's actions. They took the cheapest, lamest, most pathetic way out (changing passwords every 24 hours). Forget VPNs, forget two factor authentication. They did it El Cheapo and the Privacy Commissioner said "yep, good enough." As security professionals this is an utter disgrace, and our own efforts as an industry are actively undermined by government.

Unless the incentives are reversed - unless companies are fined for insecure software, and vulnerability researchers are then actively rewarded for finding bugs using the taxes collected from vendors - the driver to innovate, improve and truly create will never really emerge. This would disincentivise firms from producing bug-ridden software, entice legitimate security research and spur more spending in areas where it is truly needed - better APIs, better education, better business practices and processes, etc.

But, until that day comes, you are economically better off breaking. That's just a fact. You will probably have more fun. You will make more money. You'll get more recognition, if that's what you want, and in the worst case scenario, if you find yourself lining up for unemployment, you know that you'll never go hungry. Ever. Unless an asteroid hits earth, destroys the Internet and sends us all hurtling back to the Dark Ages, but if that happens we have bigger fish to fry.

- J.

EDIT: As a postscript to this, I remember when I used to work in Network Abuse, there was a story from one of my teammates who was chatting with one of the big time spammers at the time, as they had infiltrated some of their private forums. My teammate asked the spammer over chat one time, "aren't you afraid of going to jail?" The guy replied, "I am 21 years old, I have $2 million in cash, in garbage bags, buried where no-one will find it. Even if I go to jail, I'll serve a minimum of two years in jail in a white collar resort. I'll then get out maybe in 6 months with good behaviour, move to Mexico and retire." This is stretching back a bit now, but the principle still applies.

His (the spammer's) point was that the laws were not sufficiently harsh in punishing his crimes, so it was worth the time to do the crime. Comparing it to modern day fraudsters, we're at the same point. If you get caught in a Western country, you'll do big time. But move to some country in the Balkans, Russia or Romania and chances are, given the levels of corruption and organised crime, you'll probably be fine.


Drazen Drazic said...

You can't go wrong reading David Rice's book! He doesn't really need to update it and sadly, we'll probably be saying the same thing in a few years (albeit with a few new case studies he can add).

There are a few generalisations in your post I don't disagree with, but I don't necessarily see this as a complete picture upon which to base an argument in the broad scope you have. It makes a counter-argument or even a comment somewhat difficult to start unless you go into an essay-length response.

Case may not be as relevant in a more regulated environment. (One area where @sergicles and I seem to agree).

Plenty of well rewarded people in high CSO positions in this country who are worth zip in terms of their benefit to their organisations - in fact, a big negative.

Lack of effective regulation and law enforcement allowing new markets to exist. etc etc etc etc...

Thanks for the dedication. :) The Builder v Breaker term annoys me, as you know. Needed to add that. It's not reflective of our business, our people and our approach to the industry, and that's why it cops such a response from us.

Love your work J. You put it out there!


Andrew Jamieson said...

Interesting post.

I will (briefly) touch on this subject during my talk at AusCert this year - how the economics of build are >> those for break, and how this needs to be built into your business case from day 1.

The problem is that quantification of risk for infosec is hard. Motivations for the attackers are often not financially based, which makes an already skewed equation even worse.

Anonymous said...

I would take slight, casual exception to some of your post.

1. In security, if you don't have breaks, you don't need anything built. This is arguable, and I personally wouldn't pursue it, but does warrant some thinking.

2. I think you may need to make a distinction between leading a productive life and being a rock-star in the industry. There are plenty of "builders" in every-day roles in organizations doing security-related tasks for at least part of their days. They often are well-paid and probably don't have to look over their shoulders very often, like a "breaker" may. Also, I'd suggest you define "breaker" a bit better...I'm not sure if you're talking black hat criminal or "security researcher" who develops exploits. While the "breakers" may gain more renown and in small instances become B-list rock stars, I think the average "breaker" is a flash-in-the-pan kiddie who, if he's lucky, has a day job as a builder.

Likewise, all us builders don't want to hear more about building when off on a break at a conference (how often are these conferences "work" and how often are they vacation?!); by nature of security (I think), breaking things is far more entertaining and, in our direct relationship to one another, in our best interests.

3. That spammer being a data point is a bit misleading. I would be more interested in the mean/average take for a spammer, including all the little ones who have a toe in the water and nothing much else. I would contend that sure, a regular joe builder may not make nearly as much as one of the top spammers, but joe may make more than most spammers and not have to worry about the law.


(BTW, it might sound like I'm being argumentative, but really, I like the post and think the discussion is valid!)