Aug 10, 2007

Russian hackers and the cost of security

Recently I analyzed the security of a big site and found an issue that is not easy to notice, but it lets people do a bit more than they should. I did it for fun and as a "proof of concept" that I can find it, not for destruction, but it made me think.

Security is measured by the cost one has to spend to break it. Let's take a good American programmer with a $150 thousand per year salary building up the system.
Let's take a good Russian programmer who makes $1 or 2 thousand per month.
It is obvious that the Russian will be ready to spend a month to exploit the system and make $4000, while the American company spends $12 thousand for a month of work of its employee.

Why not Indians or Chinese? Well, they too, but Russians historically have solid mathematical, engineering and computing schools, and half of the major IT companies in the US have Russians among their founders and chief developers.

I don't really know a solution for the short term. In the long run, income will depend more and more on qualification rather than on geographical location, as Bill Gates wrote in his book.
But for now the only way for companies is to accept the problem and earn more than they lose.

Anyway, good programmers respect professional growth and creativity, not cash or destruction.

1 comment:

Neil Davis said...

I am a US programmer. I use your Daemon.inc class. Very nice. I'm learning to do this stuff in C and this code illustrates some of the things you need to think about.

I sort of fell into programming professionally but have been doing it since I was 13.

About Russian security breakers... people everywhere do it. The fact that you are a continent away sort of makes the US an attractive playground ROFL.

If I wanted to break things I'd probably hack at the hosts in some place where the government doesn't care or something, preferably nondestructively.

Like you however, I like to build things, not break them. I'm not bored enough to try.

-viz