Tuesday, June 7, 2016

Is there really a market if no one is buying?

Apparently, there is a massive cyber-security market waiting just 'round the corner this year. Or was it last year? Or was it the year before that? The perennial theory is that the cyber-security market is on the verge of blowing up due to consumer demand. I have a much more dire synopsis. What the market currently is, is what we will always have, relatively speaking.

I know this is a fairly bold assertion. I say "relatively speaking" because general marketplaces have the tendency to grow as population and wealth grow. Specific marketplaces, such as the one from the old buggy whip story in "Other People's Money", can shrink or expand depending on current technology and desires. Danny DeVito used the "buggy whip" parable to illustrate obsolescence destroying the company he was brought in to liquidate, à la Bain Capital. If you haven't seen his speech to the stockholders from that movie, go watch it now. I'll wait. Okay, are you back? Good. Moving on then.

While I was doing a podcast, SAHASays, I stammered into an analogy about starting a business for the homes in my neighborhood that I thought neatly explained the current cyber-security market. When I grew up, all of the houses I saw had some sort of screen door. However, my current house does not have one. The last one I lived in was also absent a screen door. Then, I looked around at the houses near mine. Surprise, surprise - they had no screen doors either! My first thought, being the Devil's advocate that I am, was, "My God, the screen door market here must be huge since there are none on these homes!" Immediately I suggested we change gears from cyber-security to screen door sales. The homes would clearly benefit from the addition of such a door. It allows for a breeze through the house. You can have the paperboy put your dailies between the two doors. Oh, the possibilities!

Sad to say, this venture failed from the start. Even though there are benefits to having a screen door on their houses, no one wants one. Barring the aesthetic reasons, my neighbors simply don't think they need one. Any perks they receive are not worth the cost of the purchase. It didn't matter how many marketing slicks I had. No sale. I tried showing them my shiniest doors with all sorts of bells and whistles. No interest. I even tried to bundle every door sale with maintenance and training on how to use said door. No takers. Then, I went on the speaking circuit, touting the overall necessity of screen doors. Still, no phone calls. Finally, I phoned my congressman, demanding screen door mandates. The chortles on the other end of the line suggested my demands wouldn't make it onto the agenda.

My screen door fallacy is actually a very apt way of explaining how the cyber-security market has evolved over time. We started by seeing an obvious issue: everyone needs some level of our service. We tried to explain to them how much they needed it. After the explanations failed, we moved on to jazzing up the offering with items like "we'll do it for you". Then comes the lecture circuit, where we all slap one another on the back over our own technical prowess and chat about how bright the future looks. Those clouds forming on the horizon? Don't worry about those. They'll break up before they hit us.

My belief is that we have an imbalance of capital in the cyber-security field. The accessible money is heavily on the company and product creation side instead of the direct consumer side. Due to the complexity and relative newness of the field, it is easy to pair an engineer with a technical sales person with the goal of pitching a novel idea or platform. The sales person gives a beautiful overview. They make the potential investor feel comfortable in the room. Once the talk turns to "how does your product work?", the engineer is there to plow enough facts down their throat to halt any further doubts. Both engineer and sales assure the investor that this is a growing market. They pull out reports stating "Cyber-security market to grow by infinity billion dollars by year 2XXX". The investor hears a good pitch, sees an incredibly technical solution, and decides to plow their money from selling .com domains in 1999 into this new market.

The imbalance noted above explains the hiring free-for-all for security engineers. All of these new companies need labor, as do existing companies when pushing a new product. What happens when the promises of an expanding market never come to fruition? Security engineers are expensive. Maintaining a team of good security product developers is an even greater cost. When the invoices don't come in, and the investor needs to do a cost-benefit analysis, they are going to correct that mistake. No one wants to lose all of their money. Most hate losing even the first dollar.

The key to success in any venture is a consistent separation of a consumer from their money. As it has been in the past, it is very difficult to get a client to make room in their budget for your new security product or service. Currently, we have the additional over-investment driver that comes along with being the "best option available". Out of all the options for investment returns right now, funding a new product line or startup looks better to a large swath of investors than the alternatives. Get the company, sell the company. Does anyone remember the game of hot potato we played with the subprime mortgage market? The first groups in line were able to pass along bad paper to the next groups. The last firm in line bore the cost of not having any value in their investment. This is the same in the cyber-security market.

While we have several good companies and products in our field, those items need clients willing to fork over their hard-earned dollars. If no one is buying the peace of mind we are selling, it's the same outcome as owning portions of worthless mortgages. Sure, there are different reasons that the investment is worthless, but the result is the same.

I'm not trying to assail my entire industry with accusations of malfeasance. The only thing I am outlining is an increased need for business discipline. The traditional investment model incorporating whether or not the company you wish to buy has the correct formula for separating customer from cash needs to remain the largest factor in your decision. If you are not tech-savvy, make sure you have access to a good technical adviser who specializes in cyber-security. They will be able to tell you if what you just heard had merit and marketability. Getting such an adviser who also has a bit of business and sales background is even better.

Wednesday, April 20, 2016

Holding Down Startup Security Costs

So you're part of a fancy new startup. You have fancy new equipment, and fancy new friends. There's a fancy office with other startups who also have varying degrees of fanciness. What is this new thing you have to be concerned with again? You know, that thing hovering over your head like a drone with low batteries about to swan dive through your cranium? Yes, it's the potential money pit known as security.

Capital is scarce in the startup environment, especially for security due to the emphasis being on getting a product to market. Lately, I've seen a larger push from early investors for their startups to keep more equity in the pool. This takes one of the juicier reasons for a good security person to work with you, for lower-than-normal pay, off of the table. Some of the savvier investors are even requiring *ahem* security reviews of the companies/products they bankroll. Perish the thought.

Here are some suggestions that can help you balance your scant budget with your security needs.

#1 Put the cost of security up front

Try to have someone on retainer instead of a full hire. Do an initial session for a pre-negotiated rate where you lay out everything your product or business does. A good security veteran should be able to put together a notional outline of all the policies and procedures you will need to stay out of trouble. Barring that, they can probably point you to someone who can. Once you are comfortable with the information gathered via Googling or further consultation, you have a couple of options. Either pay your existing contractor to flesh out the documentation and stand up some basic infrastructure, or shop around for a better deal. Putting the policies and procedures for the security of your business/product up front allows your developers and early administrative hires to know what is expected of them. Speaking of developers knowing what is expected of them...

#2 Always separate testing from production.

Do not let your devs operate on the production systems. You don't need to spin up costly AWS instances to create a bastion on which to test. Use lower cost solutions where up-time isn't five nines, or cobble together some refurbished workstations to get the job done. If you have to cram all of your creative needs into one small group of downtrodden individuals, make sure their eventual screw-ups don't take down the production servers. It's probably a good idea to have stricter control over the credentials to all things production as well. Some of those you hire may not be as keen on later decisions you have to make. Use your own imagination on what could happen there. Development costs mad loot, but losing investment capital on a bungled push or vengeful colleague costs crazy mad loot. Crazy mad loot being equal to the entire balance of your credit cards, mortgage, grocery money and corporate account - mathematically speaking. Not only is this division good development practice overall, it leads ever so gently into...

#3 Tackle the low hanging fruit with a bug bounty program.

If you have exposed web services, or a downloadable app, put some bounties on those puppies. Dedicate a few grand to standing up a bug bounty program. It's cheaper to 1099 a security guru to outline a bug bounty program than it is to have a full-time reverse-engineer or seasoned code-reviewer. Pay a small retainer to someone experienced who can assign which class of vulns qualify for what level of payout. Have them write down specific guidelines for when you get multiple submissions for the same bug. Ask them to break down the payouts by how helpful the researcher who found the bug was. If they give you a full PoC with a patch, give them the max. If you find someone who reports a flaw, but gives no assistance in reproducing it or a fix, give them considerably less. Depending on the complexity of your system/app, five grand worth of bounty funds could be well worth six figures of full-time expertise. You'll never catch everything, but at least this way you can catch the obvious. Bugcrowd and ExploitHub exist for a reason. Use them to lower your vuln discovery costs.

#4 Keep the fridge stocked (bonus since it is not just related to security...maybe security-tangential)

Do you have any idea how far $500 at Costco can go production-wise? There's a reason Google has a cafeteria and places to play games. They keep the smart people at work longer. I am much more inclined to work an extra 10 hours a week if there's Monster in the fridge and Hot Pockets in the freezer. Try the following experiment sometime (not that I support human experimentation, ESPECIALLY of the developer kind). Check the commits when you've exhausted your snacking reserves versus after a post-Costco spendfest. Go ahead, do it. I won't tell if you don't. By the way, when you check the commits, do not just check the count. Not all fixes are the same. I've seen one-liners that took a week to figure out while fifty lines were shat out in one jam session. All due to the fact that one was buried beneath a million rock layers of abstraction and the other was an easy feature request.

P.S. I know #2 was hard on devs, but I'm hoping you'll read into this piece that I mean all devs, including the founders/head-honchos if they are also the ones doing the development.

Saturday, April 2, 2016

Rethink Your Business Models if Piracy is a Concern

Certain products and items are easily copied in this day and age. Instead of whining about how so and so stole my intellectual property, let's look at the list of the serially offended to see where the problem really lies.


All of the above are parts of a studio system where a few major production companies, through copyright abuse and various other IP laws, exist solely because they are protected by law. Is it really sensible that someone ought to be paid, perpetually or almost perpetually, for something that requires a team of lawyers to ensure their income stream? They should absolutely be paid for their investment in the artist, i.e. marketing and studio time, but can't they do that by just taking a percentage of the artist's earnings instead?

I apologize to the actor or artist that they may actually have to do some work post-writing through acting or performing live. I know this screws up the dynamic of being able to write a good song or create a good show, and then watch as the replays earn you money. For 99.9% of the other industries out there, we don't get paid for the work we already did. If I built a car today, I have to build another one tomorrow in order to get paid. I don't have to pay Honda every time I use their car. Nor does Honda get any revenue when I sell my car or give other people a ride in it. Jay-Z, though, wants a cut every time I play "Big Pimpin'".

The right way to do this is for the musician to show up to a venue and charge money to hear them live. Do not expect someone to pay you for something they can copy with two mouse-clicks. In the real world, I have to actually piece together a house. If I want another house, I have to piece that one together too. There was a considerable amount of real work done to recreate that house. For a house blueprint, on a computer, I simply Ctrl+C then Ctrl+V to make a copy. See how labor went into one effort, but not the other?

What would a system without any type of piracy laws look like? For starters, large studio systems would not exist. Musicians would have to actually do concerts and sell merchandise to generate serious money. I believe several friends of mine who perform professionally would acknowledge that the bulk of their revenue comes from merchandise and live performances. Software companies already go to great lengths to protect their products. There are several licensing companies who exist solely to prevent unauthorized (unpaid) use. This system prevents 99% of the market from pirating their copies.

I apologize if this means that we as individuals are going to have to be more market savvy about what people are willing to pay versus taking the easy road of DMCA take-downs and other threats. However, if you are always producing something tangible, a live concert experience, new features, etc., you will always have buyers if the price is right. Don't get swept up in Intellectual Property protectionism. It is very easy to lay back and let the lawyers do the work. Do you really want your income dependent on subpoenas? A business reliant upon laws to support its activities is a business which should never have existed.

Thursday, February 18, 2016

Old Immunity Debugger Class

Here is a deck I made years back for a quick class on debugging with Immunity.

Tuesday, February 9, 2016

Building a FreeBSD ARM Env for Shellcoding

In keeping with my fine tradition of having a ton of crap to do pre-SAHA!, I had to dust off an old presentation. There were a few decent notes here on configuring an ARM FreeBSD environment. Some of this is OBE (overtaken by events) since, when I did this, there was no ARM FreeBSD port and thus no way to generate shellcode for it. The rough Python code for shellack (a shellcoding engine) is available at the GitHub link at the end.

Sunday, January 10, 2016

KENS5 Interview

From late last year, here I am talking Anonymous and ISIS.

Friday, January 8, 2016

LinkedIn Revival (Hypocrisy Reloaded)

Yes, even after my diatribe about LinkedIn being pointless, I have accepted a new position where it is not pointless. As a developer I only really needed IRC and Twitter to keep up with everything, but my move to more of a business development role necessitated a new account. To close: yes, it is me on there, and no, my account was not hijacked.