Hacker News new | ask | show | jobs
by tptacek 3548 days ago
As regards software security vulnerabilities, defensive spending in the USG utterly and completely dwarfs offensive spending.

The median venture capitalist in the valley could outspend the US --- actually, probably the world --- on vulnerability acquisition. But there probably isn't an investor and there may not be a single tech company that outspends the USG on defensive security acquisitions.
1 comments
woodman 3548 days ago
I'd really love to know how you know this. I can think of a handful of very public DARPA, NIST, USN and NSA programs that are dedicated to hardening (most are little more than academic curiosities, measured in millions) - whereas the NSA's black budget (measured in billions) easily dwarfs those. Are you saying that the NSA is secretly spending large sums of money on hardening software outside of their black cube?

I don't disagree on the lack of private hardening spending, which is really beside the point, because obviously there is very little incentive for a company when all they have to do is budget for useless CYA lifelock service.

link
tptacek 3548 days ago
And? What do you think they're spending those billions on? Giant computing centers in Utah and all the signals intelligence the entire country does --- all the satellites, all the underseas cable taps, all the deployments of hardware implants on Chinese military computers.

Exploit development is a rounding error in that budget.

link
woodman 3548 days ago
Satellites and undersea cable taps fall to the NRO and the USN, though I'm sure the NSA pays for some of it. That is beside the point though, the issue is exploit to hardening ratio - not exploit to everything-else ratio.
link
tptacek 3548 days ago
Yes, and the USG (and DOD) spend vastly more on hardening than on offensive security. By orders of magnitude; note plural. Both in opex and (particularly) capex.

Is the money being spent wisely? Different question. But: nobody really knows how to effectively spend 100MM on hardening (a nice round number I picked at random).

link
woodman 3548 days ago
Nothing would make me happier than to be able to take your word for it, but I think your definition of "hardening" might be incredibly broad. DoD funding Ada development, SELinux, rainbow series, cyber grand challenge - hardening. DoD buying firewalls and maintaining Oracle licenses isn't hardening.
link
tptacek 3548 days ago
Yes, it is.

You're redefining "hardening" to "hardening I agree with".

link