[Dailydave] The monetization of information insecurity

Dennis Groves dennis.groves at gmail.com
Tue Sep 9 14:23:52 EDT 2014

With all due respect, 

> Any object of nontrivial complexity is non-optimum, in the sense that it
can be improved in some way (while still remaining non-optimum)
> -- Donald Knuth from https://www.tug.org/TUGboat/tb35-1/tb109knut.pdf

Donald Knuth states perfectly why bug bounties do not work. And our industry
is filled with security people finding clever ways to *improve* non-optimal
solutions, while they still remain non-optimum! Do nothing and profit!!! I
believe that AV has already been mentioned, however, we all know they are
not the only security vendors who make their livings this way... 

I'll give you three additional reasons why bug bounties do not work:

* It assumes all security issues are software, which is just plain false.
Have you seen how devastating bumpkeys and social engineering and PSYOPS can

* Entropy - software is of nontrivial complexity. Further it does not remain
static, but rather it is always in a state of change, features are always
being added bugs are patched, databases grow in size etc... bounded
rationality alone causes requirements to change during development! An
infinite problem space has infinite problems. (e.g. Turing completeness,
Godel, etc...) Software is used in ways the designers never imagined or
intended them to be used. There is no software utopia.

* It assumes we can patch all of the issues bug bounties identify, however
we don't control the supply chain! 
	- Systems are coming pre-manufactured with vulns by DESIGN. 
	- Systems are compromised in route to deployment so three letter
agencies can do their intelligence work.

Bug bounties are simply the latest way for multi-national corporations to
get hundreds of security researchers to do work for free. Don't confuse
economic systems with security systems, they are not the same. Bug bounties
are about reducing the cost of security, while maintaining the appearances
of doing something about it. It is the same old PR approach in new clothing.

You want to know what would work? Holding software producers legally liable
for their software bugs, because only if they have consequences for their
actions will they ever start taking things seriously!

Dennis Groves, MSc

-----Original Message-----
From: dailydave-bounces at lists.immunityinc.com
[mailto:dailydave-bounces at lists.immunityinc.com] On Behalf Of Brad Spengler
Sent: Monday, September 8, 2014 3:12 PM
To: dave aitel
Cc: dailydave at lists.immunityinc.com
Subject: Re: [Dailydave] The monetization of information insecurity

[----8<----- ]

We need to change course.  Let's resolve to put the monetary focus of the
industry to where it really belongs: bug bounties.  Let's ensure fuzzers are
employed for the next decade while we reap the bountiful rewards of their
endless trickle of bugs.  If we make sure this strategy dominates, we can be
sure we don't hamstring the industry by focusing efforts on what produces
real improvement.
We know bug bounties work because their associated monetary offerings
continue to increase -- the market has spoken.

If we take our cues from such visionaries, I think we can avoid the
parasitic growth of the infosec industry and break the chain of strategies
that haven't worked for their entire reign.

Respectfully submitted for your consideration, -Brad

On Mon, Sep 08, 2014 at 10:07:02AM -0400, dave aitel wrote:
> So I'm heading to a conference shortly and I was going to promote them 
> in this email but they're apparently not a public conference.
> I'm on a panel called "Identification of Emerging and Evolving 
> Threats" with some non-US Government people who seem pretty nice.
> Anyways, now that I've guaranteed myself an exciting visit from 
> security services, I wanted to point out the one question everyone 
> should be asking when they go to any conference and a new technology 
> of any kind is proposed as any kind of forward movement for defense.
> And that is this: "How can we avoid making the mistake of Anti-Virus" 
> ever again?
> Because much like the Internet has been hamstrung at birth by the 
> parasitic growth of the advertising industry, the information security 
> community has been devastated for almost its entire existence by the 
> dominance of anti-virus companies and products which demonstrably 
> haven't worked for almost their entire reign, and in theory never 
> could have scaled. They are broken by design. And because they sucked 
> all the money and research and people from the defensive community, no 
> actual defenses were ever created for IT that had a hope of working.
> So the only question any team of government executives working on 
> defense needs to be thinking about is "How is this different from 
> Anti-Virus in the long term? How can we avoid making that mistake ever 
> again?" Because until you know how that mistake was made, and can 
> avoid it for the next generation, "Emerging and Evolving"
> threats will always be beyond your power to stop.
> -dave
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave

This email is free from viruses and malware because avast! Antivirus protection is active.

More information about the Dailydave mailing list