There’s been a certain amount of research into the value of security holes in the past few years (for a starter bibliography see the “Economics of vulnerabilities” section on Ross Anderson’s “Economics and Security Resource Page”).

Both TippingPoint and iDefense who currently run vulnerability markets for zero day exploits are somewhat coy about saying what they currently pay (and they both have frequent contributor programmes to try and persuade people not to stick with one buyer, which will distort the market).

The idea is that the firms will bid for the vulnerability, pay the finder (who will keep it quiet) and then work with the vendor to get the hole fixed. In the meantime the firm’s customers will get protection (maybe by a firewall rule) for the new threat — which should attract more customers, and will hopefully pay for buying the vulnerabilities in the first place. The rest of the world gets to hear about it when the vendor finally ships a fix in the form of patches.

It was reported that when TippingPoint came in (giving the impression that they’d be paying out various multiples of $1000) iDefense promptly indicated they’d be doubling what they paid… which one source indicated was usually around $300 to $1000. So competition seems to have affected the market; but the prices paid are still quite low.

However, last December eWEEK reported that some enterprising Russians were offering a 0-day exploit for the Microsoft WMF vulnerability for $4,000 (and it might not have been exclusive, they might sell it to several people).

And now — until the end of March — iDefense are offering an extra $10,000 on top of what they’d normally pay if when Microsoft eventually issue a patch they label a vulnerability as “critical” (viz: you could use it to construct a worm that ran without user interaction).

eWEEK have an interesting article on this, the quotes in which deserve some attention for the (non)grasp of economics that appears to be involved. First off they quote Microsoft as saying “We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers”. That’s an interesting viewpoint — perhap’s they will be submitting a paper to support their view to WEIS 2006?

eWEEK say (they don’t have an exact quote) that Michael Sutton of iDefense “dismissed the notion that paying for vulnerabilities helps to push up the price for hackers who sell flaws on the illegal underground markets”. That suggests either a market in which communication of pricing information is extremely poor; or that Sutton has a new economic theory that will influence the Nobel committee!

In the same article, Peter Mell from NIST is quoted as saying it was “unfair” to concentrate on a single vendor (though I expect iDefense chose Microsoft for their market share and not by tossing a coin!). He was also apparently concerned about the influence on Bill Gates’ fortune, “A third party with a lot of money could cause stock price shifts if they want to”. That’s just “Stock Exchange Operations 101” so I think we can discount that as a specific worry (though WEIS 2005 attendees will of course recall that security holes do affect share prices).

I went to the Institute of Criminology yesterday afternoon. Prof Martin Gill of Leicester University gave a brilliant talk on their extensive study on assessing the effectiveness of CCTV in reducing crime.

This was a proper, scientifically-conducted study with plenty of field work and “user studies”—including fascinating simulations with cooperative shoplifters rigged up with hidden cameras and microphones, as well as interviews with convicted murderers.

The speaker had wonderful war stories on people protecting the wrong things, or the right things in the wrong ways, and generally failing to understand how criminals actually operate. He clearly speaks the same language as us and I told him I’d like to invite him to give a seminar here.

One gem among many was the shop that believed itself ultra-secure because it had a giant, scary-looking, 130-kg-of-muscle security guard at the exit; to which the expert shoplifter commented “I’ll have an easy time here! Their only protection is that enormous bloke over there that I can easily outrun!”. The chest size of the guard is only scary if you’re planning to pick a fight with him.

Another good point was that several of the murderers had acted on impulse (alcohol, jealousy, rage) and were not planning to kill anyone when they got up that morning. At the time of killing their victim they were not acting exactly rationally and even the presence of a machine-gun-armed guard wouldn’t have deterred them, let alone a camera.

Anyway, one of the interesting high level messages, and the reason why I file this under “Security economics”, is that the ubiquity of CCTV cameras in the UK is apparently a straightforward consequence of the plentiful availability of government money for CCTV. This created pressure to bid for CCTV installation grants regardless of their actual effectiveness, as an easy way to get at the allocated grant funds.

Obvious meta-questions would then be: why was CCTV so over-funded in the first place? who are the CCTV suppliers that made all the money? and is anyone in a position to reassure us that, as we’d like to believe, there were no links?

EarthLink, the US ISP, provides its users with a number of spam blocking and filtering systems. One of these systems, deployed since 2003 or so, is called “Suspect Email Blocking” and is one of those tedious and ineffective “Challenge-Response” systems. They might have made sense once, but now they just send out their challenges to the third parties whose identity has been stolen by the spammers.

Since the spammers have been stealing my identity a LOT recently — and since Earthlink is failing to detect their emails as spam — I have received several hundred of these Challenge-Response emails 🙁 Effectively, EarthLink customers are dumping their spam filtering costs onto me.

Well I’m now mad as hell and not going to take it any more. So I’ve been responding to these challenges, and whenever possible I’ve been sending along a message that indicates the practical effect of the system. Of course this will mean that the spam will be delivered (and the forged email address will be whitelisted in future) which is hardly what is desired! Since this should be quite noticeable, if everyone was to spend a few minutes each day responding to the challenges then Challenge-Response systems would die out overnight! So please join in!!

Howver, responding is rather tedious (the idea, after all, is that the spammers won’t be able to afford to do it — though in practice they would be able to keep sending their more profitable spam by using labour from the Third World). To avoid this tedium I’ve been working on the automation of my responses. However, the EarthLink web page on which you respond contains a visual CAPTCHA — specifically so as to prevent automatic responses to the challenges. Nevertheless, I got a lot slicker at answering the questions when I wrote some Perl and put up a little Tk widget to collect the answer to the CAPTCHAs.

The idea was to move on to some fancy image processing since there’s been a lot of success at this (see here and here for starters)… However, that won’t be necessary. It turns out, nearly 300 challenges later, that EarthLink only have 31 CAPTCHAs in total… although since some turn up a great deal more more rarely than others, it may be that there’s a few more to be collected!

01	02	03
04	05	06
07	08	09
10	11	12
13	14	15
16	17	18
19	20	21
22	23	24
25	26	27
28	29	30
31

For rather more detail, and the current totals for each CAPTCHA (some have turned up nearly 30 times, some just once) please see the detailed account which I’ve placed on my own webspace.

By the way: If you’re an EarthLink user reading this — then please turn OFF “Suspect Email Blocking”! You’re just annoying everyone else 🙁