The Broken Windows Economics of IT Security

To economists, the term “Broken Windows” refers to the question that if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society? Many people would say yes, because it generates demand for glass and work for the glazier.

Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?

Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” By Frederic Bastiat Continue reading

Fear and Loathing in Davos


Few things can evoke more uncertainty and doubt than fear (here)…

The threat of cybercrime is rising sharply, experts have warned at the World Economic Forum in Davos.

Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.

On-line theft costs $1 trillion US dollars a year?  We have certainly come a long way since the Dark Avenger first crafted his polymorphic virus in the late 80’s but a $1 trillion a year? Seriously? Where the hell did the figure come from? To give you some perspective of size the total US GDP is about 14 trillion and that includes EVERYTHING.

But it gets worse…

“2008 was the year when cyber warfare began.. it showed that you can bring down a country within minutes,” one panelist said.

Cyber warfare began in 2008 – between which countries? It showed you can bring down a country within minutes? Seriously, bring down a country, really, are you kidding? Is this some kind of sick world economic forum humor or just sheer ignorance?

So people are unable to browse to youtube or update facebook, or download Goth porn, or make their way over to my blog and up my readership – these things are all terrible, no question, but bring down a country? I can hear the threats now “Either your country surrenders or we will DoS you back to 1995”, just doesn’t have the same kick as “bomb you back to the stone age” does it.

There is no question that we have a problem, the increased reliance on technology, the ubiquitous nature of broadband connectivity and more digital commerce all create an environment that will breed crime. I believe that awareness is important, people should understand the dynamics and risks inherent in this new digital environment, but FUD doesn’t work, it drives up hysteria and then it crashes into ambivalence, FUD is the drug of the security industry and apparently many are addicted.

Cloud Computing – The Good, The Bad, and the Cloudy

And on the second day God said “let there be computing – in the cloud” and he gave unto man cloud computing…on the seventh day man said “hey, uhmm, dude where’s my data?”

There has been much talk lately about the “Cloud“. The promise of information stored in massive virtual data centers that exist in the ethereal world of the Internet, then delivered as data or services to any computing device with connectivity to the “Cloud“. Hoff recently ranted poetic on the “Cloud” (here) and asked the question “How does one patch the Cloud” (here)

So what the hell is the cloud anyway and how is it different from ASPs (application service providers) and MSPs (managed service providers) of yesteryear, the SaaS/PaaS/CaaS (crap as a Service) “vendors” of today and the telepathic, quantum, metaphysical, neural nets of tomorrow?

I am not going to spend any time distinguishing between services offered by, or including the participation of, a 3rd party whether they take the name ASP, SOA, Web services, Web 2.0, SaaS/PaaS, or cloud-computing. For whatever label the ‘topic du jour’ is given, and regardless of the stark differences or subtle nuances between them, the result is the same – an organization acquiesces almost complete visibility and control over some aspect of their information and/or IT infrastructure.

There should be no doubt that the confluence of greater computing standardization, an increasing need for service orientation, advances in virtualization technology, and nearly ubiquitous broad-band connectivity enable radical forms of content and service delivery. The benefits could be revolutionary, the fail could be Biblical.

Most organizations today can barely answer simple questions, such as how many assets do we own? How many do we actively manage and of these how many adhere to corporate policy? So of course it makes sense to look to a 3rd party to assist in creating a foundation for operational maturity and it is assumed that once we turn over accountability to a 3rd party that we significantly reduce cost, improve service levels and experience wildly efficient processes – this is rarely the case, in fact most organizations will find that the lack of transparency creates more questions than they answer and instill a level of mistrust and resentment within the IT team as they have to ask whether the company has performed something as simple as applying a security patch. The “Cloud” isn’t magic, it isn’t built on advanced alien technology or forged in the fires of Mount Doom in Mordor, no it is built on the same crappy stuff that delivers lolcats (here) and The Official Webpage of the Democratic Peoples Republic of Korea (here), that’s right the same DNS, BGP, click-jacking and Microsoft security badness that plague most everybody – well plague most everybody – so how does an IT organization reliably and repeatably gain visibility into a 3rd parties operational processes and current security state? More importantly when we allow services to be delivered by a third party we lose all control over how they secure and maintain the health of their environment and you simply can’t enforce what you can’t control.

In the best case an organization will be able to focus already taxed IT resources on solving tomorrows problems while the problems of today are outsourced, but in the worst case using SaaS or cloud-computing might end up as the digital equivalent of driving drunk through Harlem while wearing a blind fold and waving a confederate flag with $100 bills stapled to it and hoping that “nothing bad happens”. Yes cloud-computing could result in revolutionary benefits or it could result in failures of Biblical proportions, but most likely it will result in incremental improvements to IT service delivery marked by cyclical periods of confusion, pain, disillusionment, and success, just like almost everything else in IT – this is assuming that there is such a thing as the “Cloud

Update: To answer Hoff’s original question “How do we patch the cloud?” the answer is – no different than we patch anything, unfortunately the problem is in the “if and when does one patch the cloud” – which can result in mistmatched priorities between the cloud owners and the cloud users.

The Art of Security and Why Security Vendors are the Root of All Internet Evil

I was reading a book entitled “A Whole New Mind: Why Right-Brainers Will Rule the Future”, it isn’t terribly well written and has the flow of an idea that was shoe-horned into a literary context, but interesting none the less. Anyway against the backdrop of DNSgate (btw – exploit code has been posted – here – thanks guys!) and the complete and utter failure of the security industry to offer anything beyond a never-ending hamster wheel of suites, widgets, add-ons, and modules, the book gave me pause as I reflected on what, for the most part, is a feeling of defeat and despair among security professionals.

This is a feeling that ebbs and flows with the conference season and peaks generally around mid-year with the introduction of clever methods of attack and exploitation presented in the carnival like atmosphere of a Blackhat or *con.

“Come one, come all, see the bearded lady swallow a flaming sword whilst revealing the latest virtual exploit guaranteed to introduce a completely undetectable malicious hypervisor as she rides on the shoulders of the worlds strongest man, who will devastate the entire Internet infrastructure in 10 seconds with a single finger”

Undetectable hyper-visors? 10 seconds to Internet destruction? 1,001 ways to craft a nefarious browser attack? Conceptually these are pretty scary, especially if you are reading your email and Robert Graham singles you out during one of his side-jacking presentations and shows the world how easy it is to own you and how careless you are for being owned – you wall of sheep know who you are – honestly who wouldn’t want to throw in the towel and acquiesce internet dominance to a 15 year old svelte Norwegian hacker with a bad skin condition or a gang of Nigerian spammers.

It would appear that doing business on the internet is like Dom Deluise swimming naked through shark-infested waters with an open wound while wearing a necklace of dead penguins and carrying a 3 lb salami.

It has been argued time and again that the bad-guys have the advantage, that we are on the losing side of the OODA loop, that for the most part we are simply sitting ducks and the best we can do is choose to not sit so close to the gaping jaws of a large crocodile and pray that we do not become prey. I contend that feeling is misguided and incorrect.

Although it has either been lost as inconsequential or we have been so blinded by the constant carpet-bombing of FUD marketing and the ongoing orgy of disclosure that we are simply numb to it, but we have an inherent advantage in that we use the right side of our brains, whereas the bad guys really have no need to, we are clever, we use art with science, we are driven to find the edge cases, we strive to find the unique and obscure – we believe it is the other way around, but that is a result of the complete incompetence of the major security vendors, who like the Diabetes product vendors, will forever keep us in a never-ending cycle of finger-pricking and insulin injecting security practices instead of actually trying to solve problems.

Wait, what, we have the advantage? I know it sounds like security blasphemy, but don’t jump off the roller-coaster of semi-rational fun just yet, we still need to ride through the loop de loop.

  • The majority of ground breaking security research and discoveries, especially of the “holy shit” variety, come from the good guys, not the bad
  • According to the recent Verizon breach disclosure statistics 85% of attacks are opportunistic, which leads one to believe that a. there is no reason for bad guys to find unique ways to exploit and b. we are still our own worst enemy.
  • There is no end in sight for the lack of security prowess ensuring an endless supply of easy targets for the bad guys to attack – remember if we believe that attacks are becoming more financially motivated then there is a cost-benefit analysis that will drive an attacker to take the easiest, least risky path to exploit.

The internet is resilient, business is even more so, and the good guys tend to spend more time on the problem than the bad guys.