National Security Risks of Late-Stage Capitalism

Early in 2020, cyberspace attackers apparently working for the Russian government compromised a piece of widely used network management software made by a company called SolarWinds. The hack gave the attackers access to the computer networks of some 18,000 of SolarWinds’s customers, including US government agencies such as the Homeland Security Department and State Department, American nuclear research labs, government contractors, IT companies and nongovernmental agencies around the world.

It was a huge attack, with major implications for US national security. The Senate Intelligence Committee is scheduled to hold a hearing on the breach on Tuesday. Who is at fault?

The US government deserves considerable blame, of course, for its inadequate cyberdefense. But to see the problem only as a technical shortcoming is to miss the bigger picture. The modern market economy, which aggressively rewards corporations for short-term profits and aggressive cost-cutting, is also part of the problem: Its incentive structure all but ensures that successful tech companies will end up selling insecure products and services.

Like all for-profit corporations, SolarWinds aims to increase shareholder value by minimizing costs and maximizing profit. The company is owned in large part by Silver Lake and Thoma Bravo, private-equity firms known for extreme cost-cutting.

SolarWinds certainly seems to have underspent on security. The company outsourced much of its software engineering to cheaper programmers overseas, even though that typically increases the risk of security vulnerabilities. For a while, in 2019, the update server’s password for SolarWinds’s network management software was reported to be “solarwinds123.” Russian hackers were able to breach SolarWinds’s own email system and lurk there for months. Chinese hackers appear to have exploited a separate vulnerability in the company’s products to break into US government computers. A cybersecurity adviser for the company said that he quit after his recommendations to strengthen security were ignored.

There is no good reason to underspend on security other than to save money—especially when your clients include government agencies around the world and when the technology experts that you pay to advise you are telling you to do more.

As the economics writer Matt Stoller has suggested, cybersecurity is a natural area for a technology company to cut costs because its customers won’t notice unless they are hacked ­—and if they are, they will have already paid for the product. In other words, the risk of a cyberattack can be transferred to the customers. Doesn’t this strategy jeopardize the possibility of long-term, repeat customers? Sure, there’s a danger there—­ but investors are so focused on short-term gains that they’re too often willing to take that risk.

The market loves to reward corporations for risk-taking when those risks are largely borne by other parties, like taxpayers. This is known as “privatizing profits and socializing losses.” Standard examples include companies that are deemed “too big to fail,” which means that society as a whole pays for their bad luck or poor business decisions. When national security is compromised by high-flying technology companies that fob off cybersecurity risks onto their customers, something similar is at work.

Similar misaligned incentives affect your everyday cybersecurity, too. Your smartphone is vulnerable to something called SIM-swap fraud because phone companies want to make it easy for you to frequently get a new phone—and they know that the cost of fraud is largely borne by customers. Data brokers and credit bureaus that collect, use, and sell your personal data don’t spend a lot of money securing it because it’s your problem if someone hacks them and steals it. Social media companies too easily let hate speech and misinformation flourish on their platforms because it’s expensive and complicated to remove it, and they don’t suffer the immediate costs ­—indeed, they tend to profit from user engagement regardless of its nature.

There are two problems to solve. The first is information asymmetry: buyers can’t adequately judge the security of software products or company practices. The second is a perverse incentive structure: the market encourages companies to make decisions in their private interest, even if that imperils the broader interests of society. Together these two problems result in companies that save money by taking on greater risk and then pass off that risk to the rest of us, as individuals and as a nation.

The only way to force companies to provide safety and security features for customers and users is with government intervention. Companies need to pay the true costs of their insecurities, through a combination of laws, regulations, and legal liability. Governments routinely legislate safety—pollution standards, automobile seat belts, lead-free gasoline, food service regulations. We need to do the same with cybersecurity: the federal government should set minimum security standards for software and software development.

In today’s underregulated markets, it’s just too easy for software companies like SolarWinds to save money by skimping on security and to hope for the best. That’s a rational decision in today’s free-market world, and the only way to change that is to change the economic incentives.

This essay previously appeared in the New York Times.

Posted on March 1, 2021 at 6:12 AM49 Comments


Winter March 1, 2021 6:57 AM

Similar misaligned incentives affect your everyday cybersecurity, too. Your smartphone is vulnerable to something called SIM-swap fraud because phone companies want to make it easy for you to frequently get a new phone — and they know that the cost of fraud is largely borne by customers.

A similar problem plagued banks over here where customers could lose money due to malfunctioning ATMs with money stuck in the machine, only to be paid out at the next customer. Customers could not prove they did not receive the money and were out of luck.

Then the rules were changed. Now it was the bank that had to prove that the money was paid out. The problem was solved very quickly.

Here too. When the phone companies have to pay up for all losses of fraudulent IM-swaps, they will:
1) Ensure only the right person gets the new SIM
2) Make clear unambiguously that a Text Message is not a good authentication, and provide a more secure alternative.

insecureArAnyClockSpeed March 1, 2021 7:01 AM

Yes, yes, and yes. Thank you for sharing this nessage – please keep telling it.

It is possible to do so much more but it is generally seen as too costly in time, money, or effort to do so; especially in the context of lost opportunity when not focusing on delivering (non-security) ‘value’ or reducing costs.

Even if most people wanted ‘better security’ or ‘better privacy’ – it would be difficult for some to measure and assess. The small and unclear differences in these factors between products today means it is unlikely ‘voting with our dollars’ is impactful or that there is any incentive to differentiate in the security dimension. It seems like the information asymmetry you discuss has created a market of lemoms.

What can we as somewhat informed citizens proactively do about it?

What can we as engineers, architects, and front-line managers in these companies making these trade-offs do? Our livelihoods are often tied up in delivering quarterly growth to shareholders. “Slow down and deliver security” is job stagnating, if not career threatening — even in “top” cybersecurity and government/defense focused companies.

How do we make this better?

jbmartin6 March 1, 2021 7:43 AM

Doesn’t this strategy jeopardize the possibility of long-term, repeat customers?

Not quite, there is no such thing as ‘repeat customer.’ You buy it once as a ‘capital expenditure’ and then pay ridiculous annual license renewals which are auto-approved as maintenance costs in the budget. If the team using the product wants to switch, they have to go through a laborious process of justifying a new ‘capital expense’ to senior management. ‘We want to switch because the product has poor security.’ isn’t worth bringing up. It is the difference of $200k in the budget versus $20k renewal. The software vendors know full well that this model greatly increases switching costs and makes it extremely difficult for the users of the product to switch to another one, especially if it isn’t “revenue generating”. This is also why support for such products is generally horrible, they know perfectly well that investing in tech support analysts isn’t worth the money, management won’t approve a new purchase because ‘their support sucks.’

René Bastien March 1, 2021 7:50 AM

I like your approach. It should be noted, however, that the underlying issue is one of externality, an economics term. It is like the carbon economy, where the carbon producers never bear the direct cost of polluting. The cost of carbon capture is always borne by an external party, hence the term. As long as the consequences of insecure products are not borne by the producer, there is no interest in making the product secure in the first place.

Clive Robinson March 1, 2021 9:19 AM

@ Bruce, ALL,

The hack gave the attackers access to the computer networks of some 18,000 of SolarWinds’s customers, including US government agencies

First of SolarWinds had around 300,000 customers world wide if what has been previously said is true.

Of this 18,000 potentially compromised, it’s never been made clear how many were “US” sites.

Other data puts the number of sites actually compromised down around 1,200 and again it’s not been said how many of these were US Government sites.

We also know that various US Gov entities made unsuportable claims “It wos Russia wot dunit” the evidence was not there then and from what people are saying it’s still not there now.

As has been pointed out before the US Gov has the bad habit of not just “jumping the gun” and getting it wrong, but geberally lying about cybersecurity for political reasons in a kind of Orwellian 1984 style.

Whilst previously private security organisations went along wirh such claims, this time they are pretty much distancing themselves from it. In fact at one point the only commercial organisation supporting the US political line of “It wos Russia wot dunnit” was a Russian AV company…

Since then there has been some very odd foot shufling from one or two US Corps, that very definately are making people think they have not just something, but a lot to hide, and are at best being very economical with the truth.

Thus questions have arisen, such as was the ability to plant this exploit actually a prepland “bug-door” and if so on who’s behalf it was put there…

The overiding impression left by those investigating currently is that those doing it were taking Operational Security to an almost extream level.

Thus the question has to come up,

“Was part of that extream operational security, a false flag misdirector?”

If the answer to that is “yes” then they have done fairly well at it…

But if that is the case it brings up the question of “Who?”. Well several State / Level III attackers come to mind most of which are Extended Five-Eyes and one in particular the US Gov entity we call the NSA…

Which begs a further question, which is “Was this bug-door discovered by others and exploited?”. If it was than the high levels of opsec could be down to not wanting to loose the attack vector..

I guess we are going to have to wait a while on this, but based on the later “loose lips” on Stuxnet, the chances are some one in the US will leak it within three years or so if for no other reason “political advantage”…

Untill we have actual testable evidence that would be not just presentavle but survive in a criminal trial I’d advise caution.

There is a reason the commercial companies are not falling in line with the US Gov political lie of “It wos Russia wot dunnit”… We do not yet know why and that alone I suspect is going to prove to be a very interesting story.

AlanS March 1, 2021 10:10 AM

Did the NYT come up with the “Late-Stage Capitalism” in the headline? What makes it late-stage? Aside from looming catastrophic global environmental failure, is late-stage any different from early- or mid-stage capitalism? Surely, without regulation–and the people who are supposed to be regulating are nearly always bought–it has always been about extracting maximum profit by transferring risks and costs to others. That’s the way it works and has always worked.

Michele March 1, 2021 10:30 AM

Thoma Bravo bought Barracuda back in 2017, and Barracuda never published another Security bulletin, and ultimately removed the Security Bulletin page entirely.

When I see Thoma Bravo involved in a company/product, I assume security is no longer a priority.

I thought it was interesting when they bought Sophos in March last year. I hoped they might be trying to turn the reputation around. But it appears not.

Petre Peter March 1, 2021 10:49 AM

Governments don’t have to wait until people start dying. They have to propose legislation before something tragic happens.

Otto March 1, 2021 11:18 AM

@AlanS, while capitalism’s world view and objectives have always been the same, the worse of its consequences become apparent only in its late stages. Late as in “before collapse”. There’s a nice (if brief) discussion about the term in Wikipedia (under “Late capitalism”). Important to point out, this is not the first time that capitalism has been declared doomed and/or near complete collapse, but that’s what people mean by “late stage”.

xcv March 1, 2021 11:19 AM

@ O.P.

“privatizing profits and socializing losses.” Standard examples include companies that are deemed “too big to fail,” which means that society as a whole pays for their bad luck or poor business decisions.

There’s plenty of that, you’re calling it “late stage capitalism,” that is to say you’re essentially forecasting a terrible economic crash, as not since 1929.

The privatization of profits and socialization of losses sounds like a lot of greed at the top together with an excessive tax burden on consumers and average working class people who have to pay for the adverse societal decisions imposed and enforced by a great and high ruling class of magistrates, lawyers, business executives, and law enforcement officers.

There’s a lot of money in various public-private partnerships with taxpayer-finance crony capitalism where the companies deemed “too-big-to-fail” as you mention have essentially become what are known as “State Owned Enterprises” or “Government Run Businesses.”

Clive Robinson March 1, 2021 11:41 AM

@ Petre Peter,

They have to propose legislation before something tragic happens.

I have a lovely bridge in London if you want to buy it…

Governments work on the same sort of mechanism as those suspect business.

In short,

1, Proactive to bringing money and power in,

2, Reactive to handing money and power out.

When it looks like they are being proactive with handing out money and power, you can be assured that the real reason is they expect it to get them reelected or big kick backs off of it.

Yes it sounds cynical but a life time of observing and looking at many generations of history tells me the same thing. Powervand money accumulstes to the center, and power is only devolved outwards when it saves the center spending money or will divert dislike to other people.

In the UK for instance when Tony Blair was the Prome Minister in power the government “devolved power”, for many things including large parts of social welfare. What he realy did was give others responsability for what were no win situations and absolutly no resources to even have the slightest chance of resolving them or even make them safe…

Thus when the inevitable happened, central government had washed their hands of responsability so could make their own noise on TV and in MSM about how iresponsible people that had had responsability pushed onto them but neither authority or resources to resolve the develooing crisis…

You have to look behind the curtain to see what is realy going on. And trust me when I say the Government is every bit as much your enemy, as they appear to think you the voters are. The difference is they have the power and the Guard Labour and you have everything to loose and no chance of winning…

Impossibly Stupid March 1, 2021 11:53 AM


Aside from looming catastrophic global environmental failure, is late-stage any different from early- or mid-stage capitalism?

Yes. Even though Bruce says “Like all for-profit corporations, SolarWinds aims to increase shareholder value by minimizing costs and maximizing profit.”, that is itself a marker for late-stage capitalism. It isn’t necessary to run a business that way, and indeed wasn’t the modus operandi for American capitalism in the 1950s, and isn’t how capitalism is currently practiced in places like China. The key difference is in who the company is set up to serve: the community/society, the customers, or the shareholders.

And while Bruce also says “The only way to force companies to provide safety and security features for customers and users is with government intervention.”, I would argue that other mechanisms could be brought to bear. The problem, though, is that businesses have let things go too far. They’ve become downright unprofessional. So, yeah, sadly, we’re at the stage where the government must step in, because it still remains accountable to The People in a way that corporations no longer feel obligated to be.

insecureAtAnyClockSpeed March 1, 2021 11:56 AM

Petre Peter – “Governments don’t have to wait until people start dying. They have to propose legislation before something tragic happens.”

Haven’t deaths been occuring for some time already, be it bugs in medical equipment (Therac), flight control software, or due to ransomware attacks on hospitals or other infrastructure?

I think your sentiment is sound and also that ship seems to have sailed.

jones March 1, 2021 12:24 PM

Part of the problem has to be the defacto non-existence of product liability in software.

The status of software is ambiguous under the Uniform Commercial Code, and the end-user agreements eliminate a lot of liability because they act as contracts, which causes the law to regard software as a service.

Further, if you need certain pieces of software for work — Photoshop or Word, for example — that contract is coerced.

Software needs explicit liability laws that cannot be erased through coerced contracts.

Clive Robinson March 1, 2021 12:57 PM

@ xcv,

you’re calling it “late stage capitalism,” that is to say you’re essentially forecasting a terrible economic crash, as not since 1929.

It very nearly happened with the banking crisis…

Apparently the only thing keeping some liquidity in the US economy was “drugs money” being “laundered”…

So I would say “worse than 1929 is easily possible if not probable”

The problem is the US Gov combined with the FED are printing money so fast the printing presses are not keping up…

The result is a hugh Tsunami of bad financial news staved off only because the US is still for now the world trading currancy. If it looks like the Dollar might get replaced then the US goes to war.

Hence the invasion of Iraq, and the deliberate policy of destabalising the middle east to create waves of refugees to destabalise Europe.

And why Trumps European Ambassador told EU Ambassadors he was there to destroy Europe.

The target was actually the Euro which Iraq the then second largest producer of oil in the world had gone to the EU to effrctivrly say “I’ll only sell oil in Euro’s if you get the US neo-cons economic sanctions of my back”.

This “trade war” with China has been an attempt to again protect the Dollar from another Currancy.

If you want to know where the US is most likely to start a war just look for any country or region that threatens either the Dollar or the cheap access to oil for the US.

As long as the world has to be paid in Dollars the US can not go bankrupt it just prints the money to pay. If however the world says “enough” and stops accepting dollars, then the US effectively goes into hyper inflation selling off real assets to buy foreign currency to pay for food and energy…

You only have to look at several nations that were infact quite wealthy mismsnage things slightly, others to lose faith in their currency, cause a run on it and inflation goes up fast.

If you want an example look back to when the UK tried to join the Euro via the ERM in the earky 1890’s.

German reunification caused significant currancy upset in Europe and they had to rescue their economy and did so at the price of most other EU nations. The currancy traders decided they were going to profit, they short sold sterling like crazy. The UK had almost instant inflation going up by 5% in half a day on “Black Wednesday”. It could have been worse… The UK ended up getting an opt-out from joining the Euro, and almost immediately gained economic improvments.

Other European nations in the South who stayed in via financial trickery just built up financial tsunami and are now suffering the very significant consequences. But for George Soros and other currency traders it had been a good pay day, he personally was atleast a billion better off (around 8billion in todays money).

The fact that the UK had entered the ERM as part of the European Treaty deal was a bad thing to do, as it forced financial mismanagement on an otherwise functioning economy which down turned for more than two years, finally being nearly catastrophic. Which is why on leaving the ERM things almost immediately improved with the result the UK economy improved to near what it should have been within a relatively short time, not that the pokiticians survived, there was too much distrust, and their then pro EU stance counted against them, during two terms out of power a significant part of the party flipped over to being anti-EU. Whilst they managed to keep the stress lines hidden and got reelected, the party had fractured and the split became obvious mistakes were made to try to buy unity the result was it in effect destroyed first one party then the other and Brexit happened.

What is going to happen in the EU now is rather open to debate… Some thibk the Southern EU nations that are visably fed up with Germany, and Mummy Merkel retiring this year may will cause a political blood bath. That will then spread and soak the North, East and South Europe, with the North West of Europe possibly fracturing off to form their own economic block much as the EEC was supposed to be nearly four decades ago.

Joe K March 1, 2021 1:09 PM

“This machine rewards failure” is an motto that suits a depressingly broad range of institutions.

OS March 1, 2021 1:23 PM

Well . . . while the issue of misaligned incentives is definitely true, there’s a problem with the proposed solution regarding liability: what about open source software? Wouldn’t your proposal force everyone to install (inefficient) and badly designed propiertary software? Would a “open source exemption” open some loopholes?

I don’t have an answer, but I personally can live with the current situation as long as I can install my own software stack that enables me to work efficiently (and avoid Word etc.).

Robert D Keeney March 1, 2021 1:28 PM

The market isn’t under regulated. We have nothing remotely like a free market. All of these problems are directly attributable to government protecting corporations from the consequences of their actions, crony capitalism.

James March 1, 2021 2:15 PM

“the federal government should set minimum security standards for software and software development.”

Bruce, there will be people who doubt this is workable but there is something you could do right here and now:

Start a company or a nonprofit institution that reviews software using whatever criteria you think the federal government should use. If something passes your review, the producer gets to put a label on their product that says something to the effect of

“Bruce Schneier’s organization has evaluated this product. They have no authority to ban anything but even if they did, they would not ban this product because they find it safe, secure, etc.”

At that point, the software buyers who see a benefit to your idea can self impose any ban that your organization would impose if it could.

Initially you would have to fund this on your own but since it is your idea it seems fair that you put some of your own wealth at risk. If software buyers started taking your organization seriously, you could probably get funding from some mix of fees and government grants.

Maybe you could even get the federal government to take over your organization but I would hope not. Some people (like me) doubt that some federal government could run such a program very effectively. Maybe they don’t keep current on technology or they wind up being manipulated by the companies they are supposed to regulate. Maybe they cannot even get a big tech company like Microsoft to comply. (Imagine the EULA: You may not use this software to impose legal restrictions on the company that produced it.) If the organization remained in private hands and started doing things wrong, someone else could always start a competitor. If the organization was an arm of the federal government, it would have a monopoly and it would be far more difficult to start a competing organization.

David Leppik March 1, 2021 2:53 PM


The “Late-Stage Capitalism” headline is Bruce’s. It’s his blog. NY Times had a much more mundane headline that emphasized SolarWinds. Also, the Times often changes the headline, so what you see in the paper version is less attention-grabbing than what shows up online, and the online one may get revised a few times.

SpaceLifeForm March 1, 2021 4:18 PM

@ Clive, name.withheld.for.obvious.reasons

There is a reason the commercial companies are not falling in line with the US Gov political lie of “It wos Russia wot dunnit”… We do not yet know why and that alone I suspect is going to prove to be a very interesting story.

Possible Dot: Amazon declined to appear at hearings. Suspect because they were open hearings.

SpaceLifeForm March 1, 2021 4:46 PM

@ Clive, Bruce, ALL

Old Man Yells at Cloud

(you can call me Homer)


[ see JamCovid ]

John Blommers March 1, 2021 5:02 PM

From the article we read: “The only way to force companies to provide safety and security features for customers and users is with government intervention.”

The late great Milton Friedman exlained that attitude as follows:

“Underlying most arguments against the free market is a lack of belief in freedom itself.”

Clive Robinson March 1, 2021 5:56 PM

@ SpaceLifeForm,

Suspect because they were open hearings.

That may be it in part, but Amazon are over due as good a kicking as Facebook and Alphabet/Google combined have got.

As the old saying has it “The fastest way past momma bear is the long way around”.

So I suspect not walking into the bear’s den is one way to keep your skin intact.

However at some point the old over paid duffers kept alive by the best healthcare in the US are going to do an “Uncle Sam” finger point at Amazon and the call will have to be answered, and something tells me “No comment, commercial in confidence only” is not going to sit well with such a committee who are mostly there to be “heard by their public” or other reason for grandstanding.

Clive Robinson March 1, 2021 7:24 PM

@ SpaceLifeForm,

Old Man Yells at Cloud

In the words of all the best movies,

“You are not alone.”

But when you see,

“The report’s authors and outside experts had recommendations for how to address some of these risks of cloud-based app development.

Ideally, security should be incorporated as early into the development cycle as possible, including pre-production.”


Oh brother they still do not get it and I’ve been saying it for so long it must be getting on for three decades,

Security is a Quality Process
It must be fully in place on project day -1.

That is you should have a fully in place security process just like you have a fully in place quality process. That is before you even think about a project, let alone think about drawing up a pre 20,000ft overview “wish list”.

Just as with a quality process every thing should be seen through the lens of security, if the risk is judged to be there and not subject to sufficient mitigation then it gets cut from the “wish list”, no iffs, no buts, no maybes, it’s gone as is everything dependent on it.

If you find you don’t have a viable project at this point, be thankfull you’ve not spent X weeks “coding for the garbage truck”. You realy have to be totally ruthless at this stage, otherwise you are starting a “Tsunami of security debt” that will come back and wipe you out.

When you’ve got a solid spec and you are going to start coding… What should be step 1?

Answer : you lock the target platform down so tight even a mouses fart could not get out.

As you develop and go through both quality and security process steps you will usually get to a point where you have to loosen some things up for the development to work. Such changes must be on the “minimum to work whilst still being secure” basis. That is if you find you have to change something that will stop it still being secure then either axe that aspect of the project/product or put the mitigations in first.

That way you are always keeping the RATs at bay.

Now you would have thought this was a common sense way to proceed, but if what that article says the report has found is true, then it sounds like common sense, is not comman at all in developers, or it has for some reason been over ridden by some other authority…

But that should not happen in an organisation with properly in place Quality and Security processes, because step one of those is

“Full buy in from the top C to the lowest scored on the hymn sheet every one is playing from.”

Winter March 2, 2021 12:34 AM

@ Clive Robinson, John Blommers,
““Underlying most arguments against the free market is a lack of belief in freedom itself.”
Milton Friedman”

There is not a single free market in the world, and never has been, that was not backed by a strong force. Without the armed force of a regulator, every market is captured by goons. The best illustration is the illegal drug market, which operates outside government regulations and is divided into mass-murdering cartels. They are among the most unfree markets existing.

And Milton Friedman did not believe in freedom much as he and his school backed Pinochet, a dictator who got students raped, tortured, and murdered for their opinions.

tfb March 2, 2021 3:41 AM

Several comments have suggested that one or both of ‘a proper free market’ or ‘proper product liability’ will somehow magically protect us from these problems. Neither will.

Imagine this scenario: Company A sells software whose job is to scan for security vulnerabilities, check for regulatory compliance and so on. Companies B-Z buy this software. Unfortunately the way the software works is to fetch descriptions of vulnerabilities and how to check for them from company A’s systems, and to run these checks across the estates of companies B-Z. This happens at least daily: after all it is important to know about vulnerabilities promptly. To allow this, company A recommends unconstrained privileged access to all systems of its customers.

So, the obvious happens: a bad actor gets into company A and crafts a new ‘vulnerability’. The process of checking for this ‘vulnerability’ conveniently involves compromising the system being checked. A few hours later every system of companies B-Z is compromised.

Companies B-Z invoke company A’s excellent product liability clause, claiming a huge multiple of company A’s value. Company A now immediately goes bankrupt. Company A’s insurer immediately goes bankrupt.

But in fact none of this happens, because companies B-Z are the entire banking system of the west. What happens instead is what didn’t happen, quite, in 2008: the zombie apocalypse.

Company A exists. I don’t know how many financial institutions use its product, but some do.

What will protect us from this is what protects us from cars which explode or from lead and worse in our drinking water: regulation. Company A are doing something which should be illegal.

Ollie Jones March 2, 2021 5:59 AM

Underspending on security by private-sector companies is certainly part of the picture, and short-term incentives to save money are indeed a problem.

But what about supposedly white-hat quasi-military government-sponsored organizations? Outfits like the National Security Agency gather up big pools of dangerous secrets (day-zero exploits and so forth) to bolster their offensive capabilities. But even they can’t keep those secrets forever, because they make decisions based on convenience. Example: hiring contractors like Booz Allen to do system administration, and granting root access to contract admins in places like Hawaii (Snowden).

And hoarding exploits like Eternal Blue.

I’d like to see governments and politicians shoulder more of the blame for this information security mess. Maybe government infosec should spend more and do more on defensive security.

Oh, and lest we forget, it’s dmr’s (Dennis Ritchie’s) language, C, that came into being with the null-terminated text strings that made most of this hackery possible.

Clive Robinson March 2, 2021 8:13 AM

@ Ollie Jones,

Oh, and lest we forget, it’s dmr’s (Dennis Ritchie’s) language, C, that came into being with the null-terminated text strings that made most of this hackery possible.

No it was not the null-terminated or any other “in band signalling” “that made most of this hackery possible”.

That is like saying “people get shot brcause lead is an element”.

The real reason and I realy wish people would get this through their heads was and nearly always still is,

“Due to a limited resource issue”.

To see why you could hack executables from Wirth’s Pascal which did not have null terminated strings or inband signalling as easily.

Also the type of hack that takes advantage of the code libraries that have not been “defensively written” was known about before Multic’s got going, it was known in Algol 68 and various computers were designed with hardware locks so that such exploits would not happen.

The downside of such hardware changes were that you could not easily develop “evolving during execution” code. Yes it upset the Hard AI guys. But the real problem that upset people was the 2^16 memory limit. Which ment you had to do the likes of paging in software which ment you could not have the hardware locks.

I could go on but each time you find at the bottom of it a “resource issue” that gets mitigated in an insecure fashion.

Back in the 1950’s through 1980’s and still in the early 90’s engineers kept hitting resource issues one way or another, and their options were almost always resource bound (hence the insecure library code etc). The choice was stark and the price difference between secure and not secure was about a quater of a million dollars…

Thus security got mitigated other ways by things like “Air Gaps” and similar issolation techniques. Which “gets in the way of business” not just these days but back into the late 1980’s when LAN’s started poping up in accounts and HR Departments. In part it’s also why we still are overly reliant on the very crappy “perimeter defence” notion for security and the four decades of problems that has given.

So you can see why bad code in libraries hung around for so long, and likewise why memory protection by hardware was not really used untill well into this century, just over a decade ago.

I realy do not expect security to improve for another half century unless something overwhellmingly forces us to drop all legacy code and go to a properly designed Bastion Host model. Till then “business as usual” for attackers as they slowly munch their way through the low hanging fruit…

Oh and with regards Snowden, bad example to pick, try all those seniors and politicians that do a lot worse than “whistle blow” and just walk away or get given a pardon… At the very least they were the primary cause why the NSA and other Intel / Mil / Diplomatic orgs are so insecure that a “kiddy with a can opener can walk right through”…

Winter March 2, 2021 8:51 AM

“Due to a limited resource issue”.

Bounds checks are still a drain on resources. The security of Rust comes with a peformance cost:

However, many of the bounds checks cannot be elided like one of the two in the above example. To measure their effect, we made a macro fast!((array)[index]) to toggle between the safe operator[] on slices or else the unsafe get_unchecked() method, depending on whether a –features=unsafe flag was passed to the rust-brotli build. Activating unsafe mode results in another gain, bringing the total speed up to 249MB/s, bringing Brotli to within 82% of the C code.

AlanS March 2, 2021 9:45 AM

@Otto, Impossibly Stupid, David Leppik

Finally catching up on my post yesterday:

I took a look at Wikipedia:

Late capitalism, or late-stage capitalism, is a term first used in print by German economist Werner Sombart around the turn of the 20th century. Since 2016, the term has been used in the United States and Canada to refer to perceived absurdities, contradictions, crises, injustices, and inequality created by modern business development.

Extracting value for shareholders at the wider expense of the community is old. And most modern corporations are fairly tame compared to companies such as the East India Company, famous in America for having their tea dumped in Boston harbor but infamous elsewhere for looting India (as some wit pointed out, they even looted the word loot), causing numerous famines in which millions died, and forcing opium on the Chinese. the EIC pre-dates the term capitalism, which didn’t come into general use until the 1840s, would have been known as a mercantilist company. But as William Dalrymple writes it’s the model for what followed:

The East India Company no longer exists, and it has, thankfully, no exact modern equivalent. Walmart, which is the world’s largest corporation in revenue terms, does not number among its assets a fleet of nuclear submarines; neither Facebook nor Shell possesses regiments of infantry. Yet the East India Company – the first great multinational corporation, and the first to run amok – was the ultimate model for many of today’s joint-stock corporations. The most powerful among them do not need their own armies: they can rely on governments to protect their interests and bail them out. The East India Company remains history’s most terrifying warning about the potential for the abuse of corporate power – and the insidious means by which the interests of shareholders become those of the state. Three hundred and fifteen years after its founding, its story has never been more current.

For a critique of the “absurdities, contradictions, crises, injustices, and inequality” of mercantilism see Adam Smith’s Wealth of Nations. One can talk about getting the incentive structure correct but how do you do that? You have to do it through regulation and creating institutional structures but as Smith observed it only works in degrees as legislators and others are often bought. A large number of British MPs held shares in the EIC and if they didn’t have an ownership interest in it directly, the company was lobbying them and stuffing money in their pockets. Plus ça change, plus c’est la même chose.

Winter March 2, 2021 10:01 AM

“the EIC pre-dates the term capitalism, which didn’t come into general use until the 1840s, would have been known as a mercantilist company. ”

The British EIC was a child of the older Dutch United EIC, which was the first stockholder company traded on the first stock exchange (in Amsterdam). It was in everything the father of the EIC, including having an armed fleet and committing the worst of atrocities, including genocide.

With its pioneering institutional innovations and powerful roles in global business history, the company is often considered by many to be the forerunner of modern corporations. In many respects, modern-day corporations are all the ‘direct descendants’ of the VOC model. It was its 17th-century institutional innovations and business practices that laid the foundations for the rise of giant global corporations in subsequent centuries – as a highly significant and formidable socio-politico-economic force of the modern-day world – to become the dominant factor in almost all economic systems today. It also served as the direct model for the organisational reconstruction of the English/British East India Company in 1657. The company, for nearly 200 years of its existence (1602–1800), had effectively transformed itself from a corporate entity into a state or an empire in its own right.[i] One of the most influential and extensively researched business enterprises in history, the VOC’s world has been the subject of a vast amount of literature that includes both fiction and nonfiction works.

Impossibly Stupid March 2, 2021 11:20 AM

@Ollie Jones, Clive Robinson, Winter

I’d argue it’s not C or resource constraints that are limiting software security, but more fundamental issues in computing, like the halting problem and von Neumann architectures. The fact that data and instructions are largely interchangeable has huge security implications, and it’s largely at the root of why so many web sites using scripting languages like PHP are easily exploited.


Extracting value for shareholders at the wider expense of the community is old.

The main issue is widespread adoption, not the age. Outright theft is old, too, and it still happens, but it’s not a “late-stage” problem for a society unless everyone sees it as normal part of their daily activity. That’s where we are with corporate malfeasance in America. Long gone are the days when one person could support an entire family in a middle-class lifestyle by loyally working for one company for their entire career. The issue is not that the executives (and board members and shareholders) are compensated 10x or 20x what the average worker makes, it’s that they expect (and get!) 300x and bonus golden parachutes after intentionally bankrupting a company.

So, yeah, government (to the degree corporate influence has not fully corrupted it) has the power to regulate that. But we also have the power to not do business with companies and their executives that actively undermine the very fabric of a civil society. Of course, that’s easier said than done, and I can’t help but think that some of the fundamental choices that make security hard for software are the same mechanisms that make stability hard in a democracy.

Winter March 2, 2021 12:11 PM

@ Impossibly Stupid, Ollie Jones, Clive Robinson
“late stage capitalism”

An important aspect of this is the distribution of income and savings. All the money is in the hands of the older generation. Young people have low incomes, high student debts (or no education). Meanwhile, housing has become extremely expensive as the older generation has the money to bid high.

There is a glut of savings in the world, but little investment and little growth.

Young people with no prospects in the future, a recipe for disaster.

Another confounding factor is the Mathew effect: All the money is flowing to the higher reaches of income.

Last time we had such a horrible disequilibrium of wealth was on the eve of WW I. That did not end well.

JonKnowsNothing March 2, 2021 2:27 PM


re: All the money is in the hands of the older generation.

While this may has some truth to it there is more nuance than this statement provides.

Sources of historic wealth reside with Old Social Structures still in place around the world. This group includes Monarchs (of all types except butterflies) and date from early civilization. Plenty of this group is still about. Age is irrelevant because the Wealth is Handed Down. So King or Duke of XYZ gets their wealth from the Previous King or Previous Duke of XYZ (styled XYZ the Nth of that Name).

Modern wealth is not handed down. It hasn’t been around long enough for this to happen very much. The old Robber Barons amassed great wealth and some attempted to start dynasties, most of which failed to maintain their wealth because they did not have the same generational education on the preservation of capital of the Titled-Entitled.

Short Term wealth is currently stored in the vaults of Oligarchs both Tech and Others. This wealth does not contribute to anything. It’s like a dead weight. It does nothing for anyone. It’s stored in digital imprints or in the case of Drug Lords, they have to deal with paper fiat money in large quantities.

There is nothing “old” about these last groups. They are current and contemporary.

The only wealth the older generation has outside of the above groups is some small inheritance from the prior 2 generations. (great grandparents, grand parents) who managed to save a small amount of capital enough so that their children could buy into the Real Estate Market and purchase a single family home. This is a pretty small group but it is the target of all NeoLiberal-Libertarian-Economic Policies to strip these assets as quickly as possible. These assets will likely evaporate by the end of the COVID-19 pandemic.

(note: Focused postings on this can be found in the archives or WayBack machine on The Bank of Mom and Dad, or MSM current reports on COVID-19, debt, eviction)

What you might have meant is that a 20yo does not have the same resources as Jeff Bezos and is not likely to ever get even a fractional amount of that level of wealth in their lifetime (presuming they outlive COVID-19).

You might have also meant to include the vast majority of the world’s population that is neither wealthy nor rich. For this group, living beyond today is their focus.

Chris Rock made a very good observation about the difference between being Rich and being Wealthy.

Clive Robinson March 2, 2021 3:56 PM

@ JonKnowsNothing, ALL,

Chris Rock made a very good observation about the difference between being Rich and being Wealthy.

I used to joke when younger that I looked forward to being a millionaire, but I was never going to be rich.

It was in effect a comment on inflation and the devaluation of “money” wealth not “asset” wealth.

What many do not realise is the difference between “fiscal/money wealth” such as numbers in a computer and “real/asset wealth” such as land and other “hard assets” that hold their value against the vagaries of fiscal policies.

It also explains,

[I]t is the target of all NeoLiberal-Libertarian-Economic Policies to strip these assets as quickly as possible.

Thus move into a “rent seeking economy” where inflation and monetary policy are used to divide the population into “Barons” and “Itinerants”.

Forming a society where every whim of a Baron carries the force of law with an itinerant simply because the Baron can deny them income, thus effectively turn them into criminals to survive, thus have them hunted down and hung.

There are many economies like that which have survived in many ways into the modern age, take a look around places like India where a very high petcentage of the population only eat in the evening from what they have earned in the day. No earnings, no food, thus punishment and eventual early death.

This is the ultimate idea behind the neo-con ideas and believe it or not it has nothing what so ever to do with wealth, that is just the tool to obtain power that ultimately gives “status”.

Ultimately those that follow the “espoused neo-con” thinking would happily vote to make their assets worth only half what they are today if at the same time they make yours became worth only a quater. Simply because it magnifies “The Status Gap”.

People think I am mad when they first here this but if they think about it they realise the truth of it. Those status seekers would give up all the benifits of modern life if it would gain them what they see as the power and status of Barrons and Monarchs. But there is a problem with their dreams.

What most of them fail to see through their misty eyed romanticism of past glories is that you had to be a certain type of person to maintain such a position. With such romanticism almost automaticaly making then the “Useful fools” of those who are realy that type of person.

Worse the misty eyed romantic status seekers fail to realise that the first target that, that type of person will go after, is them and all their assets including their lives.

Those that exploit them call it “Eminent Domain” on the excuse of “Divine Right”. Or in modern parlance, of the street thug and drug gang lord “I want it, you’ve got it, your dead, now I’ve got it”.

There is no dealing no negotiating with people of that type other than by “accidents” and “high velocity lead poisoning” or similar. All of which they expect so guard against in one way or another usually by aranging an accident or similar for others first.

The difference between tyrants and despots is often small and it is their ability to project superficial charm for the gullible, romantic and misty eyed… Those nearer the bottom tend to see the brut reality.

Clive Robinson March 2, 2021 5:55 PM

@ Impossibly Stupid, ALL,

I’d argue it’s not C or resource constraints that are limiting software security, but more fundamental issues in computing, like the halting problem and von Neumann architectures.

The halting problem is one visable asspect of a more fundemental problem that applies to many many systems that the Cantor’s Diagonal Argument[1] gets closer to. Like the laws of physics it’s something we have to live with and mitigate where we can.

However the von Neumann -v- Harvard and other architectures realy was decided on “resource issues”, and it can be shown that even seperate code and data stores are not sufficient for security. That is if the code implements some kind of interpreter or even statemachine the functioning of which is data dependent, then the data in the data store becomes code…

The real problem is, trying to write code the execution of which is not controled by data, is actually a lot harder than many think, a lot lot harder.

What you mostly end up with is “filters” not “programs” the most common examples around us are to be found in Digital Signal Processing(DSP) which isvbecoming ubiquitous. Where data in the, frequency, sequency or complex planes (z and s planes[2]) are manipulated for what is essentially complex filtering,
Which has all sorts of hidden complexity issues[3] making the development of such filters temptingly “data dependent”… Thus bringing the “data as code” issue back in again…

[1] Cantor’s Diagonal Argument is usually talked about with regards to infinite sets and infinite infinities, however it’s a bit more general than that and can be used for rather more down to earth arguments. It was used by both Alan Turing and Kurt Gödel in the 1930’s with both of their works being quite fundemental and pthus placing limits on the capabilities of the yet to be invented electronic computers. There are also ways you can use the diagonal argumrnt to show why the likes of AI is NOT going to deliver on a number of it’s supposed promises, and also indicate a whole bunch of other limitations in many apparently unrelated systems.

[2] Brief overview of s-plane versus z-plane with respect to audio signals etc,

For various reasons the s-plane is not as favoured as it once was, and real world usage of the z-plane has zoomed ahead, which has effected engineering teaching. Admittedly for some of what I do, I find the z-plane way more useful and intuative, even though exponentials are the very nature of life through growth.

[3] Where strange things can happen… Take an input waveform such as a squarewave that is limited at the “end stops” ie to the maximum range expressable by the range of a signed integer. Most should know from high school science and mathmatics that a square wave is actually an infinite sum of sinewaves added together. What most do not remember is that “added” has both positive and negative implications, sine waves added together at a phase shift of pi radians add together “destructively” not “constructively” thus can cancel out compleatly. Well if you filter all the harmonics of a squarewave the resulting sinewave has a higher amplitude than the squarewave even though in real terms it has less energy. Well that excess amplitude has to go somewhere, and if your algorithm does not have “the head room” then it will get truncated as a sort of squarewave which has harmonics across the frequency spectrum which in real terms puts energy across the spectrum that relates to how much of the sinewave got clipped off. Other strange effects are “amplitude modulation” in effect becomes “phase modulation” under similar circumstances. Which is kind of important when the amplitude modulating signal is noise, as this results in increased phase noise which critically effects the ability to recover digital signals.

Winter March 3, 2021 2:45 AM

“Ultimately those that follow the “espoused neo-con” thinking would happily vote to make their assets worth only half what they are today if at the same time they make yours became worth only a quater. Simply because it magnifies “The Status Gap”.”

An advise to become wealthy and happy that has been floating around is to move to a neighborhood where everyone is poorer than you.

I you want to really feel miserable, move to a neighborhood where everyone is richer than you.

Another truism that most people never really get is that money follows power, not the other way around. You get rich when you wield power, your money will be taken from you when you are powerless.

Clive Robinson March 3, 2021 7:15 AM

@ Winter,

I you want to really feel miserable, move to a neighborhood where everyone is richer than you.

Perversely that has always made me happy for two reasons,

The first as a much wealther snd more titled friend observed with a big grin o n his face on helping me move all my antennas and such “Hear goes the neighbourhood”. But I used to get on realy well with the neighbours by taking time to say hello and be helpfull when they needed a hand. A friendly smile a cheerful nod usually melts the hardest of frosts, especially when you have the reputation of getting on well with the “grumpy old git” (which unfortunatly now appears to be roll in life 😉

Secondly looking like the poorest house in the road I never got burgled…

Conversly tidying things up puting a bit of brass on the door and generally looking wealthier or atleast spend more money on the property got me not just burgled but stabbed in the head by a couple of them with the result I have a scar on my scalp and another on my ear.

Oddly I’ve been in some of the most dangerous places in the world when they were at there most dangerous and have had shrapnel and bullets flying around and apart from the odd graze from hitting the dirt by jumping out of second floor windows and the like I’ve not got a scratch… Almost always when I’ve been attacked and hurt occasionaly very badly it’s been within walking distance of my front door…

Now my beard is catching up with Bruce’s in the “grey stakes” race, at least I now can say “Ah you don’t want me to tell you about that… It’ll turn your hair whiter than my old grey beard” in a slightly piratical voice for the last bit followed by a large enough grin and twinkle in the eye. But even though I have the crutches, I don’t do the “Oh arghhh…” because that would be over doing it 😉

Winter March 3, 2021 1:57 PM

“Perversely that has always made me happy for two reasons,”

If you do not care whether people think you can not keep up with the Joneses, you will be fine among the wealthy, like you tell.

It is worse when you have kids though. They tend to be very sensitive to that kind of differences.

tfb March 3, 2021 5:06 PM

And, entertainingly, Company A has just had a breach. It looks as if it may only be into the admin parts of it, so far.

Patricia March 4, 2021 3:43 PM

Of course we’re in late-stage capitalism. We’re in late-stage global civilization, in fact! Most mineral resources (metals – even common ones, high-net-yield energy sources, waste-sinks, biosphere, scientific advances, climate stability, etc.) have basically peaked within the last decade or two. It’s generally agreed that civilization has overgrown the planet’s resources by at least 50%. We’re seeing formerly powerful nations struggling. China has two dust bowls each bigger than the US Dustbowl of a few generations ago, and they can’t seem get them under control. So food-grabs (aka, land-grabs) are the order-of-the-day.

But, of course, most IT/techie/managerial/banking/political folks are utterly unaware of the physical facts. The scientists I worked with at USAF/SMC were all living in a fantasy world as the Holocene falls apart. (The only reason civilization happened was due to the Holocene.) I can understand the denial – Only someone who has struggled to get funding would know how hard it would be to get funding if the facts were said out loud. And, of course, capitalism is doing nothing substantive about these problems, and they won’t go away on their own. So, ya, late stage capitalism.

Clive Robinson March 5, 2021 3:08 AM

@ Patricia,

So, ya, late stage capitalism.

Would you prefere “Last Gasp Capitalism”?

Or “Swan Song Capitalism”?

I’ve got others but yes some economies do burn brigh by burning through their continental resources in less than three centuries, then go to war looking to get more, rather than live within their rapidly diminishing means…

rts March 7, 2021 12:09 PM

Whether the targets are private or public does not matter anymore at this level: computer security has become a national defense matter. Even the most extreme ideologists don’t expect so-called “free markets” to address national defense entirely on their own.

In the “real” world every country has some Department of Defense but in the computer world the military seems to only care about offense. I suspect that’s because when you pay for military assets to defend yourself in the “real” world: 1. your enemies don’t gain anything from them, they’re only yours 2. these assets can be used for offense to. So the lack of public regulation and investment in computer defense is understandable but it’s very short-sighted because richer and more democratic nations have the most to lose – and they already lost A LOT.

Mr. Anon March 8, 2021 6:01 PM

Regarding cell providers and SIM swaps: Be sure to use a provider that makes it easy to place a SIM lock on your account. Even more important: It should be difficult to remove the SIM lock. Being able to call the provider and unlock the account makes it much too easy for “social engineering” exploits.

Consumer Cellular is an example of SIM locks done right. Customers can lock an account over the phone. An added bonus: You can use any passphrase you want, not just a simple PIN.

Once the customer support rep locks the SIM, the only way to unlock it or change the passphrase is to contact a specific Consumer Cellular customer security department by mail and providing certain information. I don’t recall the details but it includes things like a photocopy of a current driver’s license.

I know from personal experience that the customer support rep will not unlock a SIM. After I had supplied a PIN and immediately after the account had been locked, the rep informed me that I could have used a passphrase instead. I have no idea whey she did not tell me that earlier. . . So It Goes in the world of telephone customer support.

I asked if I could change the PIN to a passphrase. “No Way” she said. . . Her computer will not allow it, period. That’s when I found out about how the SIM lock can be changed/removed.

Anonymous March 16, 2021 10:28 PM

There is a basic need to make all forms of legal shield subject to good faith. Corporations, public officials, police, corporate employees and especially executives are all protected to one degree or other because they need to be able to do their jobs. But if, for example, a politician introduces or signs a bill that is blatantly unconstitutional they are acting outside the scope of their oath of office and should be personally liable for their actions. If an executive makes a decision to make money at the cost of lives they should be liable, and possibly those responsible for them. In some cases they are. But what if they just make, say technology that hurts some people? Maybe causing widespread moderate stress by privatizing a police state?
It comes with a lot of problems, most difficult where to draw the line. Not only do we often not have a good idea of where to draw the line, substituting emotion for logic (“I know pornography when I see it”), but our, that is to say us as a society and possibly a species if not sentience in general, have a habit of doing everything up to the line. It’s how this happens in the first place.
We could use a “neutral-zone,” an area where a person is no longer guaranteed safe, but is not automatically at fault, but it overrides the concept of basic legal fictions, like stare decisis. It simply makes decisions more complex, but not much more in the long run. And it hurts those without the power to effectively evaluate or compete in such decision making. (The same way corporate “political free speech” hurts those without the money and power to compete at that level, i.e., citizens–sentient beings who can take personal responsiblity.)
We could lengthen liability so that corporate employees are responsible for the long term effects of their actions, both criminally but for bonuses too. No more multi-million dollar bonuses for actions with long-term losses.
The only real benefit is in the extension of externality tracking. A company polluting the air or drilling for oil is not responsible for large parts of their actions financially or legally because there is no measure of a child’s health (for example) and what legal amounts are supposed are woefully inadequate. But such activities have a cost to society in the form of say research for pandemic vaccines, programs for asthma sufferers in inner cities, and lost GNP from people who can’t work, do inadequate work, or just have a lowered quality of life because they have to go to work sick and risk others.
Of course such things are also open to abuse as individuals argue that certain majors weaken the overall potential profitability of the state in that pseudo-communist way we’ve all come to know and roll our eyes at.
All we can really do is intentionally leave it vague, but work to balance the cost so anyone can complain or defend themselves against fraudulent complaints, but real issues are costly to defenders. There is no silver bullet or best way. Human civilization is the story of people making it up as they go along because like the uncertainty principle, by the time we figure something out we’ve already changed it.

Dave March 30, 2021 7:04 AM

Ok, it’s an interesting thought, but I think we shouldn’t forget that the level of national security is the government’s responsibility. There are so many situations that show the inability to provide a sufficient level of security not only in the virtual world but also in the real. I’ve found this article which seems to be interesting. Some serial killer stories contain information on how to protect yourself. Maybe the same situation is with cybersecurity.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.