Schneier on Security

bob • February 6, 2007 1:40 PM

@quincunx
“The large price spread between the legal and black market ipso facto proves that the freedom difference is quite great.”

Hogwash. It proves no such thing.

All it “proves” is that some buyers are willing to pay more for something rare with a limited lifespan, like say a Chateau Lafitte Rothschild 1957. Neither Vista bugs nor Chateau Lafitte’s are fungible commodities.

Microsoft (or anyone else in the defender’s role) may decide that $50K or $10K or even $1K is too much because they have other means. The defender can simply wait for the attack to surface in the wild (cost: $0), then respond to it at that time. If it takes a week for 5 developers to find and fix the bug, that’s still probably not $50K out of the department budget. ($10K/week would be $520K/year, a VERY lucrative development post indeed).

The defender is also in the position of having an exploit be an externality. It affects the defender’s customers, and the defender’s reputation, but it doesn’t affect the defender’s revenue stream all that much. Besides, any really serious showstopping flaw is likely to have even MORE resources into fixing it than the normal bug-response. That is, more than 5 developers and a week’s worth of time. So even really big holes can still be patched without affecting revenue.

Anyone in the attacker’s role is in a different boat.

For the attacker to receive an ROI, the bug has to be remotely exploitable (not all of them are). It also has to be sufficiently non-obvious that someone else won’t find it and sell it to the defender before your attack is ready to deploy. There’s both a time factor in that (an unfound bug might be fixed), and a complexity factor (automated bug-finding techniques like “fuzzing” can’t stumble over it).

There’s also the reputation of the target itself: Vista is supposed to be much harder to exploit. Only time will tell if that’s really true or not, but the attacker still has to assume that easily exploitable holes don’t exist. That raises the bar for skill of entrants who want to find bugs in the first place.

The attacker may also be paying a premium over and above the free-market price (all else being equal, which it isn’t). That premium is the cost of overcoming the seller’s moral misgivings, i.e. the cost of turning a non-criminal into a criminal (or at least an accessory to a criminal), which has its attendant costs and risks. If I were selling to a criminal buyer, I’d want compensation for my risk of being caught and jailed.

I think the general idea is right: it’s the economics. I just think you’ve completely missed the breadth and depth of the economic analysis here, only a modest portion of which I’ve outlined above.

bob • February 7, 2007 3:09 PM

@quincunx

Both the defender and offender wish to acquire the SAME thing – after
which, you are correct their actions will be different.

To say differently is to suggest that buying Steel for making tanks and
making bunkers would somehow lead to a unit price difference because one is
for attack and the other is for defense.

No, that’s not what I’m saying or suggesting.

You seem to be saying that the item for sale, a Vista bug, is a fungible commodity, like steel, and then doing an economic analysis based on that premise.

I’m saying that a Vista bug isn’t a commodity at all, and analyzing its economics like a commodity is completely wrong.

A Vista bug is more like a limited edition rare book or print, of which there are fewer instances than potential buyers. And unlike a book, which continues to exist after purchase, a Vista bug has a limited lifetime of usefulness because it can be patched without you doing a single thing. In other words, owning information isn’t the same as owning an artifact.

Someone else might discover the bug and report it for fixing rather than selling to the highest bidder. Or the developer could find it and fix it. In any case, after an exploit is deployed, the developer will definitely find and fix it.

To analogize these to the rare book or print example, finding the bug and reporting it is like someone else finding a crate of identical copies of the book that was thought to have only one copy left. What happens to the price of your one book? It goes down. And if Microsoft finds and fixes the bug itself, that’s like a print maker saying they’ll reprint the previous limited-run of 100, because they really saved the lithographic stone. Again, the price goes down.

So the value of that original book to someone who’s secretly sitting on a crate of them is less. Likewise, the value of a print from the original 100 to someone who has the lithographic stones is less. From an economic viewpoint, the value differs depending on who is buying and what information or artifacts they have, not on regulation of the marketplace.

The reason for this disparity is that an attacker can only FIND bugs in Vista, it can’t ADD bugs. The defender, however, can find bugs and fix them (and also add them). So there’s a different relationship to the information of where and what a particular bug is. That difference in the relationship to information leads to the price disparity. Over-regulation or under-regulation has nothing at all to do with it.

That said, if Microsoft or any other defender decides to bid for bugs on the open market (i.e. includes the black market), that’s their choice. If they decide not to, that’s also their choice. But since they hold different cards than the attackers, their view of what a bug is worth differs from the attackers.

However the seller of the vulnerability is not really the criminal. It is
the one who unleashes it. Or at the least – no one cares until its
unleashed.

Agreed.

Except that sometimes one can be prosecuted for contributing to or facilitating criminal acts. In that case, knowingly selling to someone who intends to exploit the bug for criminal purposes could be considered a crime.

bob • February 15, 2007 7:05 PM

@quincunx

I will skip points that I think have been adequately addressed by Paranoid.

You are correct (which is why I reject IP),

IP is irrelevant to this question. Information possession IS relevant, crucial even, but I don’t think that’s what you mean by “IP”.

but there is still a labor scarcity.

Yes, there is a scarcity of labor skilled enough to find bugs in Vista. Duh. That’s why the price for a Vista bug is higher than for, say, W95.

There is also expected to be a large population of Vista users to exploit, hence the price for a Vista bug is higher than for, say, a Mac OS X bug.

Someone has to think it is worthwhile to pursue, and then who to sell it to.

Duh. There are always opportunities for finding bugs in software. There isn’t always the skill, nor is there necessarily a bug in the code being prospected. It’s like any prospecting venture: skill, luck, and location are all involved.

Of course someone is going to think it’s worthwhile, while someone else will not. What does that have to do with the price? A higher price attracts more prospectors, but that’s obvious. Equally obvious is that a higher price is more likely to seduce a white-hat into becoming a black-hat.

Neither of those has anything to do with the price DISPARITY between attackers and defenders, though.

Well what about bananas? They spoil too but the economic analysis works exactly the same, although the entrepreneurial procedures have changed.

Bananas and steel share one important attribute: they are physical. Information is not physical.

The only way there can be “spoilage” of bug information is if someone else finds the same bug and submits it for fixing. If no one else is looking for bugs, then the information can’t “spoil” or degrade. That’s because the software that has the bug doesn’t change or alter over time. It doesn’t spoil because it’s information, too. So until someone else finds and fixes the bug, it will remain there.

But since the price does exists we can not conclude that it is happening in sufficient quantity.

This sentence makes no sense. That WHAT is happening in sufficient quantity. I think some words are missing.

You do not get a software discount at say BestBuy if you tell them you like to hack around and you have a lot of programs installed.

I may not get a discount at BestBuy, but I DO get a hardware discount from Apple if I’m a developer enrolled in their program. Why would Apple do this? Because I write software that runs on Macs, and that helps sell Macs, so Apple is interested in helping me write software.

And maybe I WOULD get a discount at BestBuy if I wrote some database sales software for them. Or I might not get a hardware discount at BestBuy, but I certainly know some system builders who are more than happy to give discounts if I write or modify some software for them. I don’t consider this strange; it’s just barter.

None of this has anything to do with the price disparity, though.

What you’ve got is irrelevant to a sale. The only thing that matters is what you are offering and whether the other party agrees.

Dead wrong, and almost certainly a fundamental flaw in your reasoning. It matters VERY MUCH what I’ve already got. “Who pays for services they can do without?”

Indeed, who pays for ANYTHING they can do without?

Microsoft has the source for Vista, so their view of what they can do without, or how much to pay if they do want it, is quite different from someone who doesn’t have Vista’s source.

Remember that attackers cannot ADD bugs to Vista. They can only find and use the EXISTING bugs. It’s like prospecting for gold or any other rare physical commodity. All you have is your prospecting skills and some luck. You don’t decide where the gold is. Its location is determined by forces beyond your control, just as the location of Vista bugs is for attackers.

But the location of bugs and fixes is NOT beyond Microsoft’s control, so their view of what to pay differs from that of attackers. Essentially, Microsoft believes they would be paying for something they can do without.

What I’m saying is that there is a third option available: arbitration.

Huh? What does arbitration have to do with anything, if I’m trying to sell my information to maximize my profit?

If you work for a defender and receive information, you can just resell it to a higher bidder.

They could indeed. One might question their ethics, but nothing is stopping them from reselling it. They could also amortize their costs by selling a service to other customers who want to find out about bugs and fixes. Which is what Gleg and iDefense do.

Still not relevant to the price disparity, though.

That’s why it’s a problem.

That’s why WHAT is a problem? The ethics of the defender? The ethics of the seller? The ability to resell information while still retaining the original information?

Sure. They can do what they want to, but they will not clear the market.

They don’t HAVE to clear the market. Microsoft has Vista’s source: they can ELIMINATE the market for a reported bug, so in a very real and concrete sense, they CONTROL the market for Vista bugs. If you want a regulatory body for Vista bugs, at least consider what Microsoft can do.

They can apply the information from a reported bug to eliminate it, and destroy the market for that bug by making it disappear. Eliminate the bug in the product and you eliminate the entire market for exploits of that bug. You can’t exploit a bug that’s no longer present. Nothing could be more obvious.

In reality, not even Microsoft can TOTALLY eliminate the market for a given bug. There are always stragglers who don’t upgrade. But Microsoft can most definitely crash the general market price for a bug: they issue a patch.

IRS. Less money for government = higher offering price to bug hunters.

You’re making this up. In what way does the IRS regulate the price for bugs? Less money for govt in what way? Taxes on reported income?

I’ve reported many bugs over the years, some of which had monetary bounties. Some years I’d make over $1000 in bug bounties. Because I’m a mindless fool, I reported it as ordinary income and was taxed for it. If I’d sold it on the black market, I would have demanded a cash payment and NOT reported the income. There’d be no way the IRS could have caught me, so there’s no way the IRS could be said to be regulating the black market price for bugs. Anyone who reports illegal income to the IRS deserves what they get for being such an idiot.

A much more plausible explanation for the price disparity is that attackers are willing to pay more because they understand they are at a disadvantage relative to MS. That, and they also believe that Vista has fewer exploitable bugs in the first place. Therefore there is scarcity pricing (both in number of bugs and skill level needed to find them), and there is the price differential for attacker/defender information disparity.

There’s no need to conjure a regulatory boogieman out of thin air, when it can all be explained quite well with perfectly ordinary business economics.

Also, less legal assault (both in the US and Europe) would probably help too.

Duh. That’s the difference in price for risking criminal prosecution. Already mentioned in prior posts, but still not relevant to the price that Microsoft would be willing to pay.

Other defenders may well be willing to pay the offering price on the black market. They may even consider it a bargain. Presumably they can amortize the costs among their direct customers, and also report the bug to Microsoft. But if the defenders are operating legally, reporting their income and their costs, then in what way does the IRS “regulate” the price of bugs they decide to purchase?

I’m not seeing the IRS influence even for law-abiding players, because it’s just a deductable business expense for them, and they only pay taxes on the difference between income and expenses. Since players like iDefender charge their customers a lot, you’d expect any single bug to easily be amortized, and so iDefender would be willing to pay MORE for a single bug.

True, but an offer is not a sale.

Now you’re just being silly. OK, so let’s say Microsoft BOUGHT the bug at the open market selling price. What regulatory agency is involved in that transaction? Certainly not the IRS, because MS isn’t evading taxes. The seller may be evading taxes, but that’s not MS’s concern.