Tuesday, January 12, 2016

Powerball lessons for infosec

"Powerball" is a 44-state lottery whose prize now exceeds $1 billion, so there is much attention on it. I thought I'd draw some lessons for infosec.

The odds of a ticket winning the top prize is 1 in 292-million. However, last week 440-million tickets were purchased. Why did nobody win?

Because most people choose their own numbers. Humans choose numbers that are meaningful and lucky to them, such as birthdays, while avoiding meaningless or unlucky numbers, like 13. Such numbers clump. Thus, while theory tells us there should've been at least one winner if everyone chose their number randomly, in practice a large percentage of possible numbers go unchosen. (Letting the computer choose random numbers doesn't increase your odds of winning, but does decrease the odds of having to sharing the prize).

The same applies to passwords. The reason we can crack passwords, even the tough ones using salted hashes, is because we rely upon the fact that humans choose passwords themselves. This makes password guessing a tractable human problem, rather than an intractable mathematical problem.

The average adult in lottery states spends $300 a year on the lottery. The amount spent on lotteries is more than sports, movies, music, and books combined. Buying a single lottery ticket can be justified on the argument that it's entertainment, but the vast spending (primarily by the poor) points to a much graver problem, such as gambling addiction and bad planning.

Organizations have much the same bad planning. The decision makers at the top, those with the least cybersecurity knowledge, convince themselves about what they want to believe. Corporate executives live a fantasy world where they won't get hacked, or they won't pay the consequences, similar to the fantasies of lottery players.

Even at the bottom of the organization, among techies, planning is often no better. They have a passion for infosec that leads to emotional decisions, rather than a dispassionate view of risk. They'll often treat it as binary, something is either secure or insecure, much like the lottery player's view of their own chances of winning ("you can't win if you don't play"). We need to become more dispassionate and less prejudicial about our own risk analysis.

States justify lotteries by claiming the profits go to worthwhile causes, like schools. In practice, every time lotteries fund schools, states reduce school funding to compensate, spending the money on other things. Thus, no matter how much you try to earmark lottery funds, they really become just another tax. That's a good thing because this tax is voluntary, though also a bad thing because more than half of all tickets are purchased by those in the lower third of income levels ("a tax on the poor").

Something similar happens in security. The security team will spend a lot of money upgrading the network with better firewalls and intrusion prevention, but that just means everyone else will just take more risks. They'll stop doing code audits for SQL injection because the WAF handles it, or they'll allow executable attachments because the email antivirus will catch it. Thus, the money spent on cybersecurity is more fungible than you realize. It may mean saving even more money somewhere else, or get defeated by insecure practices somewhere else.

The lottery is big business, not only for the huge companies that run the lottery, but also throughout the retailers who sell tickets. Many local shops are otherwise merely "break even" except for the money they earn from the lottery. These companies spend a huge amount of money lobbying government, which is why it won't be made illegal, and why other forms of gambling ("competition") remain illegal. Despite all the ills of corrupt state-run gambling, there is simply no way to dislodge it.

The same thing is true in infosec. We don't have an independent infosec community, but instead one that is wholly dominated by vendors of security products and services. You see that as the posh sales rep from Big Firm gives the manager in charge two box seat tickets to the next local sports game. You see that in phrases like "defense in depth", which you think is a technical concept, but which is really how every vendor talks about their product: you never have enough layers, but could always use one more, such as this fancy product I'm selling you. You'd think that analysts like Gartner would be independent, but they have been wholly corrupted by the system, and perpetuate the problem. Vendors never call out Gartner's "Magic Quadrant" for the snake oil that it is because they are all still hoping that Gartner will put them in that quadrant.

Finally, there is this last bit, where I get all judgey on you for buying that ticket. People play the lottery because they fantasize about being ultra rich -- but without having to earn it. Teenage hackers have the same dream, wanting to be elite hackers that can walk ninja-like through computer systems -- but without having to learn all those unnecessary technical details. I think this is a horrible view on life. It's grand achievements we should work toward. And we can achieve grand things. I look throughout the landscape of infosec and see it on a daily basis. I go to conferences, not for the talks (which are boring), but for "bar-con" and "hallway-con", where I get one-on-one discussion of people doing great things that makes me feel really jealous. Yes, we see young kids get lucky with that really cool thing they didn't put much work into, but the  majority of cool things happen by people who put in the long slog to get there.

So yea, that billion dollar cash prize is out there, waiting to be claimed by somebody. But you've got twenty times more chance of getting eaten by a shark or becoming president, so don't go for it. Instead, spend the time and effort becoming better at infosec, and fantasize how you are going to take down ISIS by hacking the shit out of them.

5 comments:

Ben Karel said...

FWIW USA Today quoted the MSLA as saying that 75% of tickets are computer-picked, and 75% of winners are computer-picked tickets.

Ericlaw said...

Great post, but I'm curious about the data backing your claim that lottery sales cash is why most shops aren't just "break even"?

Jeff said...

"But you've got twenty times more chance of getting eaten by a shark or becoming president, so don't go for it."

Perhaps it's a bit pedantic, but I have a 0% chance of getting eaten by a shark and a near-zero percent chance of becoming president. The shark bite won't happen because I've never been a part of the population exposed to that risk (ocean swimming, aquarium employee, etc). I can't claim with 100% certainty that I won't be president because even though I'm not part of the population of people _running_ for the office, there is a snowballs chance in hell that one year, everyone can put me down as a write-in. It would still be legit. Therefore I'm still a participant in the group of people with the potential to become president.

The lottery is more like the shark example. Buying a lottery ticket makes me a part of people with possible exposure to winning. Not buying a ticket guarantees that I'm definitely not a part of the group who can become a winner. It's analogous to your shark example - surfers, people on boats, swimmers, oceanographers, aquarium employees, etc have some tiny risk of getting bit by a shark. All things equal however, there is a zero percent chance of a shark walking to my *very* land locked house in MN to bite me and run away.

I get the other points your making though. I just think it's entertaining to read all of these "you chances are better at 'X' than winning" stats in the MSM when not all of their analogies hold up. Thought I'd throw this out there as food for thought. In reality I also do have some exposure to risk of getting a sharkbite since I fly in planes over the ocean, etc. :-)

Unknown said...

Because of this huge jackpot, I even changed to my favorite lottery! Tomorrow, instead of checking Wednesday Lotto results I'll wait for the results of Powerball!

Georgie Lynton said...

All in all, no matter how slim the chances are, there were three ticket matching the required numbers. They state they there were 1.5 billion tickets sold ( thelotter review). Supposed that each player bought one ticket than it accounted for one forth of the Earth population.