<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>economics of security &#8211; Noise</title>
	<atom:link href="https://noise.getoto.net/tag/economics-of-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://noise.getoto.net</link>
	<description>The collective thoughts of the interwebz</description>
	<lastBuildDate>Fri, 02 Aug 2024 23:00:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.2</generator>
	<item>
		<title>The CrowdStrike Outage and Market-Driven Brittleness</title>
		<link>https://noise.getoto.net/2024/07/25/the-crowdstrike-outage-and-market-driven-brittleness/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 25 Jul 2024 18:37:40 +0000</pubDate>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[externalities]]></category>
		<category><![CDATA[incentives]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=69194</guid>

					<description><![CDATA[<p>Friday’s massive internet outage, caused by a mid-sized tech company called CrowdStrike, disrupted major airlines, hospitals, and banks. Nearly <a href="https://www.independent.co.uk/tech/microsoft-outage-crowdstrike-global-it-flights-banks-windows-b2582964.html">7,000 flights were canceled</a>. It took down 911 systems and factories, courthouses, and television stations. Tallying the total cost will take time. The outage affected more than 8.5 million Windows computers, and the cost will surely be in the <a href="https://www.theguardian.com/technology/article/2024/jul/24/crowdstrike-outage-companies-cost">billions of dollars</a>­—easily matching the most costly previous cyberattacks, such as <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">NotPetya</a>.</p>
<p>The catastrophe is yet another reminder of how brittle global internet infrastructure is. It’s complex, deeply interconnected, and filled with single points of failure. As we experienced last week, a single problem in a small piece of software can take large swaths of the internet and global economy offline...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Backdoor in XZ Utils That Almost Happened</title>
		<link>https://noise.getoto.net/2024/04/11/backdoor-in-xz-utils-that-almost-happened/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 11 Apr 2024 11:01:51 +0000</pubDate>
				<category><![CDATA[backdoors]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[essays]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[national security policy]]></category>
		<category><![CDATA[open source]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[ssh]]></category>
		<category><![CDATA[supply chain]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=68771</guid>

					<description><![CDATA[<p>Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the <a href="https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/">story of the attack</a> and its <a href="https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html">discovery</a>: The security of the global Internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>In Memoriam: Ross Anderson, 1956–2024</title>
		<link>https://noise.getoto.net/2024/04/10/in-memoriam-ross-anderson-1956-2024/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Wed, 10 Apr 2024 11:08:10 +0000</pubDate>
				<category><![CDATA[cryptanalysis]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[security conferences]]></category>
		<category><![CDATA[security engineering]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=68760</guid>

					<description><![CDATA[Last week, I posted a short memorial of Ross Anderson. The Communications of the ACM asked me to expand it. Here&#8217;s the longer version.
EDITED TO ADD (4/11): Two weeks before he passed away, Ross gave an 80-minute interview where he told his life ...]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Ross Anderson</title>
		<link>https://noise.getoto.net/2024/04/01/ross-anderson/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Mon, 01 Apr 2024 00:21:09 +0000</pubDate>
				<category><![CDATA[cryptanalysis]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[security conferences]]></category>
		<category><![CDATA[security engineering]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=68683</guid>

					<description><![CDATA[<p><a href="https://www.cl.cam.ac.uk/~rja14/">Ross Anderson</a> unexpectedly passed away <a href="https://www.lightbluetouchpaper.org/2024/03/29/rip-ross-anderson/">Thursday night</a> in, I believe, his home in Cambridge.</p>
<p>I can’t remember when I first met Ross. Of course it was before 2008, when we created the <a href="https://www.schneier.com/blog/archives/2023/06/security-and-human-behavior-shb-2023.html">Security and Human Behavior</a> workshop. It was well before 2001, when we created the <a href="https://econinfosec.org/">Workshop on Economics and Information Security</a>. (Okay, he created both—I helped.) It was before 1998, when we <a href="https://www.schneier.com/academic/archives/1997/04/the_risks_of_key_rec.html">wrote about</a> the problems with key escrow systems. I was one of the people he brought to the Newton Institute, at Cambridge University, for the six-month cryptography residency program he ran (I mistakenly didn’t stay the whole time)—that was in 1996...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Google Pays $10M in Bug Bounties in 2023</title>
		<link>https://noise.getoto.net/2024/03/22/google-pays-10m-in-bug-bounties-in-2023/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 22 Mar 2024 11:01:39 +0000</pubDate>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=68644</guid>

					<description><![CDATA[<p>BleepingComputer has the <a href="https://www.bleepingcomputer.com/news/google/google-paid-10-million-in-bug-bounty-rewards-last-year/">details</a>. It’s $2M less than in 2022, but it’s still a lot.</p>
<blockquote><p>The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million.</p>
<p>For Android, the world’s most popular and widely used mobile operating system, the program awarded over $3.4 million.</p>
<p>Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports.</p>
<p>During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Drones and the US Air Force</title>
		<link>https://noise.getoto.net/2024/03/18/drones-and-the-us-air-force/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Mon, 18 Mar 2024 11:03:14 +0000</pubDate>
				<category><![CDATA[defense]]></category>
		<category><![CDATA[Department of Defense]]></category>
		<category><![CDATA[drones]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[war]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=68618</guid>

					<description><![CDATA[<p>Fascinating <a href="https://warontherocks.com/2024/03/drones-the-air-littoral-and-the-looming-irrelevance-of-the-u-s-air-force/">analysis</a> of the use of drones on a modern battlefield—that is, Ukraine—and the inability of the US Air Force to react to this change.</p>
<blockquote><p>The F-35A certainly remains an important platform for high-intensity conventional warfare. But the Air Force is planning to buy 1,763 of the aircraft, which will remain in service through the year 2070. These jets, which are wholly unsuited for countering proliferated low-cost enemy drones in the air littoral, present <i>enormous</i> opportunity costs for the service as a whole. In a set of comments <a href="https://www.linkedin.com/posts/kevin-murray-1507a055_deadly-cheap-and-widespread-how-iran-supplied-activity-7162108210366119938-VVMi">posted on LinkedIn...</a></p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>The Security Vulnerabilities of Message Interoperability</title>
		<link>https://noise.getoto.net/2023/03/29/the-security-vulnerabilities-of-message-interoperability/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Wed, 29 Mar 2023 11:03:27 +0000</pubDate>
				<category><![CDATA[academic papers]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[psychology of security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=67129</guid>

					<description><![CDATA[<p>Jenny Blessing and Ross Anderson have <a href="https://www.lightbluetouchpaper.org/2023/03/24/interop-one-protocol-to-rule-them-all/">evaluated</a> the security of systems designed to allow the various Internet messaging platforms to interoperate with each other:</p>
<blockquote><p>The Digital Markets Act ruled that users on different platforms should be able to exchange messages with each other. This opens up a real Pandora’s box. How will the networks manage keys, authenticate users, and moderate content? How much metadata will have to be shared, and how?</p>
<p>In our latest paper, <a href="https://arxiv.org/abs/2303.14178">One Protocol to Rule Them All? On Securing Interoperable Messaging</a>, we explore the security tensions, the conflicts of interest, the usability traps, and the likely consequences for individual and institutional behaviour...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>What Will It Take?</title>
		<link>https://noise.getoto.net/2023/02/14/what-will-it-take/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Tue, 14 Feb 2023 12:06:06 +0000</pubDate>
				<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[essays]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[laws]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=66756</guid>

					<description><![CDATA[<p>What will it take for policy makers to take cybersecurity seriously? Not minimal-change seriously. Not here-and-there seriously. But really seriously. What will it take for policy makers to take cybersecurity seriously enough to enact substantive legislative changes that would address the problems? It’s not enough for the average person to be afraid of cyberattacks. They need to know that there are engineering fixes—and that’s something we can provide.</p>
<p>For decades, I have been waiting for the “big enough” incident that would finally do it. In 2015, Chinese military hackers hacked the Office of Personal Management and made off with the highly personal information of about 22 million Americans who had security clearances. In 2016, the Mirai botnet leveraged millions of Internet-of-Things devices with default admin passwords to launch a denial-of-service attack that disabled major Internet platforms and services in both North America and Europe. In 2017, hackers—years later we learned that it was the Chinese military—hacked the credit bureau Equifax and stole the personal information of 147 million Americans. In recent years, ransomware attacks have knocked hospitals offline, and many articles have been written about Russia inside the U.S. power grid. And last year, the Russian SVR hacked thousands of sensitive networks inside civilian critical infrastructure worldwide in what we’re now calling Sunburst (and used to call SolarWinds)...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Hacking the Tax Code</title>
		<link>https://noise.getoto.net/2023/02/10/hacking-the-tax-code/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 10 Feb 2023 11:24:37 +0000</pubDate>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[laws]]></category>
		<category><![CDATA[loopholes]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=66754</guid>

					<description><![CDATA[<p>The tax code isn’t software. It doesn’t run on a computer. But it’s still code. It’s a series of algorithms that takes an input—financial information for the year—and produces an output: the amount of tax owed. It’s incredibly complex code; there are a bazillion details and exceptions and special cases. It consists of government laws, rulings from the tax authorities, judicial decisions, and legal opinions.</p>
<p>Like computer code, the tax code has bugs. They might be mistakes in how the tax laws were written. They might be mistakes in how the tax code is interpreted, oversights in how parts of the law were conceived, or unintended omissions of some sort or another. They might arise from the exponentially huge number of ways different parts of the tax code interact...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>SolarWinds and Market Incentives</title>
		<link>https://noise.getoto.net/2023/02/08/solarwinds-and-market-incentives/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Wed, 08 Feb 2023 11:46:43 +0000</pubDate>
				<category><![CDATA[breaches]]></category>
		<category><![CDATA[Data Breaches]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[essays]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=66762</guid>

					<description><![CDATA[<p>In early 2021, <em>IEEE Security and Privacy</em> asked a number of board members for brief perspectives on the SolarWinds incident while it was still breaking news. This was my response.</p>
<p>The penetration of government and corporate networks worldwide is the result of inadequate cyberdefenses across the board. The lessons are many, but I want to focus on one important one we’ve learned: the software that’s managing our critical networks isn’t secure, and that’s because the market doesn’t reward that security.</p>
<p>SolarWinds is a perfect example. The company was the initial infection vector for much of the operation. Its trusted position inside so many critical networks made it a perfect target for a supply-chain attack, and its shoddy security practices made it an easy target...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Insurance Coverage for NotPetya Losses</title>
		<link>https://noise.getoto.net/2022/02/28/insurance-coverage-for-notpetya-losses/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Mon, 28 Feb 2022 12:26:10 +0000</pubDate>
				<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[russia]]></category>
		<category><![CDATA[Ukraine]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=65171</guid>

					<description><![CDATA[Tarah Wheeler and Josephine Wolff analyze a recent court decision that the NotPetya attacks are not considered an act of war under the wording of Merck&#8217;s insurance policy, and that the insurers must pay the $1B+ claim. Wheeler and Wolff argue tha...]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>An Examination of the Bug Bounty Marketplace</title>
		<link>https://noise.getoto.net/2022/01/17/an-examination-of-the-bug-bounty-marketplace/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Mon, 17 Jan 2022 12:16:18 +0000</pubDate>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[reports]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=64907</guid>

					<description><![CDATA[<p>Here’s a fascinating report: “<a href="https://datasociety.net/wp-content/uploads/2022/01/BountyEverythingFinal01052022.pdf">Bounty Everything: Hackers and the Making of the Global Bug Marketplace</a>.” From a <a href="https://datasociety.net/library/bounty-everything-hackers-and-the-making-of-the-global-bug-marketplace/">summary</a>:</p>
<blockquote><p>…researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in “bug bounty” programs­ — programs that hire hackers to discover and report bugs or other vulnerabilities in their systems. This report illuminates the risks and insecurities for hackers as gig workers, and how bounty programs rely on vulnerable workers to fix their vulnerable systems.</p>
<p>Ellis and Stevens’s research offers a historical overview of bounty programs and an analysis of contemporary bug bounty ...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>WEIS 2021 Call for Papers</title>
		<link>https://noise.getoto.net/2021/02/18/weis-2021-call-for-papers/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 18 Feb 2021 20:14:51 +0000</pubDate>
				<category><![CDATA[conferences]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=61950</guid>

					<description><![CDATA[The 20th Annual Workshop on the Economics of Information Security (WEIS 2021) will be held online in June. We just published the call for papers.
]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Should There Be Limits on Persuasive Technologies?</title>
		<link>https://noise.getoto.net/2020/12/14/should-there-be-limits-on-persuasive-technologies/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Mon, 14 Dec 2020 20:03:03 +0000</pubDate>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[essays]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[national security policy]]></category>
		<category><![CDATA[propaganda]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=60589</guid>

					<description><![CDATA[<p>Persuasion is as old as our species. Both democracy and the market economy depend on it. Politicians persuade citizens to vote for them, or to support different policy positions. Businesses persuade consumers to buy their products or services. We all persuade our friends to accept our choice of restaurant, movie, and so on. It&#8217;s essential to society; we couldn&#8217;t get large groups of people to work together without it. But as with many things, technology is fundamentally changing the nature of persuasion. And society needs to adapt its rules of persuasion or suffer the consequences...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>The 2020 Workshop on Economics and Information Security (WEIS)</title>
		<link>https://noise.getoto.net/2020/12/04/the-2020-workshop-on-economics-and-information-security-weis/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 04 Dec 2020 20:21:47 +0000</pubDate>
				<category><![CDATA[conferences]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=60480</guid>

					<description><![CDATA[The workshop on Economics and Information Security is always an interesting conference. This year, it will be online. Here&#8217;s the program. Registration is free.
]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>2020 Workshop on Economics of Information Security</title>
		<link>https://noise.getoto.net/2020/10/14/2020-workshop-on-economics-of-information-security/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Wed, 14 Oct 2020 11:09:54 +0000</pubDate>
				<category><![CDATA[conferences]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=60319</guid>

					<description><![CDATA[The Workshop on Economics of Information Security will be online this year. Register here.
]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
	</channel>
</rss>

<!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/

Object Caching 40/264 objects using Memcached
Page Caching using Disk: Enhanced 
Lazy Loading (feed)
Database Caching using Memcached

Served from: noise.getoto.net @ 2025-12-11 08:14:09 by W3 Total Cache
-->