Slashdot Mirror


[H|Cr]acker Insurance

Spellbinder writes "Yahoo has an article on hacker insurance. Also known as 'network risk insurance,' it has been on the market for about three years, but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005, according to insurance industry projections."

175 comments

  1. Wow by Anonymous Coward · Score: 5, Insightful

    If they'll pay that much for insurance, I wonder how much they'd pay for a SysAdmin that secures things properly.

    1. Re:Wow by Anonymous Coward · Score: 0

      Nothing! Linux developers work for free. That is the beauty of Open Source. All the wasted monies and a free solution is there; it will solve our economy.

    2. Re:Wow by Anonymous Coward · Score: 0

      Why is Microsoft advertising on Slashdot?

    3. Re:Wow by WPIDalamar · Score: 3, Insightful

      I bet not as much... These companies are looking for financial stability. So they make X number of dollars no matter what.

      When a company buys insurance they are 100% guaranteed to recover losses from a crack.

      When a company spends that money on an admin, the chance of being broken into goes down, but will never be 0%.

      Disclaimer: This assumes the company negotiates a "good" insurance contract, and fulfills all of their requirements.

    4. Re:Wow by error0x100 · Score: 5, Insightful

      When a company buys insurance they are 100% guaranteed to recover losses from a crack.

      When a company spends that money on an admin, the chance of being broken into goes down, but will never be 0%.

      Taking out h/crack insurance, then, lowers the incentive for additionally investing in proper network security (e.g. a decent sysadmin). The companies, if the insurance leaves them feeling "financially safe" from an attack, will be even less inclined than they are now to implement proper security. In "normal" insurance, this sort of thing amounts to negligent/deliberate behaviour that in some cases will make the insurer decide not to pay. If enough people leave their networks vulnerable, and the insurers are struggling to stay afloat as a result, then they are going to start getting more strict about the conditions of the insurance vs. premiums (as happens in auto insurance: more security features on a car imply generally lower risk and thus lower premiums). I don't see why it should be any different here. If companies are making almost no effort whatsoever to secure their networks (as many companies do now), then the insurer either should refuse to cover them, or they should have to pay much larger premiums. (Although then it starts to look like the old "then what's the point of insurance" argument; disability insurance providers in my country routinely refuse to even consider covering people with a medical past that includes things like even very minor back problems. In other words, they will only cover people who do not represent much of a risk at all.) However, in the case of 'network insurance', it's deliberately irresponsible behaviour that places one in a high risk group (e.g. like smoking).

    5. Re:Wow by Tackhead · Score: 2, Insightful
      > If they'll pay that much for insurance, I wonder how much they'd pay for a SysAdmin that secures things properly.

      These are PHBs we're talking about.

      The answer is "$35,000, and $36,000 if he has an MCSE".

    6. Re:Wow by pmz · Score: 1

      When a company buys insurance they are 100% guaranteed to recover losses from a crack.

      What is the value of a lost reputation? What is the value of a system administrator that built that reputation?

      Insurance is for the short-sighted.

    7. Re:Wow by rgmoore · Score: 4, Insightful
      I bet not as much...

      You are most likely wrong. Insurance companies aren't stupid, and they're not going to charge everyone the same rate any more than auto insurance companies charge everyone the same rate regardless of their driving record. They'll give better rates to companies that have good security practices and good track records than ones with bad practices and records. They may even refuse to offer insurance unless the companies follow specified practices; I'd guess that hiring certified administrators would be one required practice. This is similar to the way that insurance companies won't sell you auto insurance if you don't have a driver's license, or some homeowners insurance companies won't sell burglary insurance unless you have a home security system. I'd also expect that a well run insurance company would not offer 100% coverage. They'll probably only offer 80-90% coverage, so that companies still have a strong incentive to protect themselves.

      FWIW, there was some discussion of these insurance policies on /. in the past. One article pointed out that insurance companies were charging more if a company used Windows than if it ran Linux or a Unix variant because of Windows's inferior security track record. If they're already smart enough to do that, you can bet that they'll be smart enough not to let companies slack off in their efforts to secure their computers after they've bought the insurance.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    8. Re:Wow by patter · Score: 3, Insightful

      The companies, if the insurance leaves them feeling "financially safe" from an attack, will be even less inclined than they are now to implement proper security

      Nope. You don't understand much about insurance if you think that :).

      I worked in that industry for 5+ years, this is a second/third career for me.

      Insurance companies are above all else cautious. They make money by not paying claims. That is not to say they do not pay legitimate ones, they do do that, contrary to popular opinion.

      They do, however, analyse risk, and charge money to their customers to offset the potential payout that risk represents.

      I would be willing to bet that a prerequisite for obtaining said 'crack' insurance would be passing an audit by one of their security folks, particularly when obtaining big policies with large potential payouts.

      It's no different than fire insurance, if you want a million dollars of fire insurance, they're going to come down, and make sure you're not running an explosives factory in which everyone smokes at their 'station'.

      Insurance doesn't encourage sloppiness, in fact, in North America, many of the early fire brigades were sponsored by and run by insurance companies themselves.

      Insurers don't want to pay those claims any more than you want to be put out of business by a cracker. They'll ensure you've got an adequate plan, and they'll ease the financial blow, but believe me, what they won't do is let you drop all pretense of security, just because you're insured.

      In fact, just before Y2K, the entire industry rushed to put in 'exclusions' -- i.e. they wouldn't pay a penny for Y2K related catastrophes, unless you paid HUGE dollars to them (because they hadn't had the benefit of collecting money for that specific risk).

      This is just a sign of the times, Insurance companies are getting more in tune with technology, and likely have a panel of experts they can call on for inspecting/auditing, and assessing claims against that kind of risk.

      --
      -- If at first you do succeed, try to hide your astonishment. -- Harry F. Banks
    9. Re:Wow by salemnic · Score: 1

      I'm not really sure that it's 100% recovery - since there will always be an adjuster that comes in to determine how much you should be compensated by the insurance company for the loss.

      I think a big question is how are "losses" tallied? How much is your web site/IT infrastructure really worth for a day? How much should your techs be paid to put the whole thing back together?

      Cheers,

      S

    10. Re:Wow by ChrisTaylor2904 · Score: 2, Informative
      I'm an actuary by training, and we call this issue "moral hazard".

      One of the best ways to reduce the risk to the insurance company is to introduce "self-insurance", where the customer has to bear some of the cost of any claim - like the excess on your car insurance policy. For these policies, the customer's probably liable for something like the first $5 or $10 million of any claim.

      I'd also expect the insurance company to follow up any large claims with another audit, to see if any of the security controls and procedures had become lax since the time the policy was taken out, and there'll be a standard clause to reduce/invalidate the claim if anything's found in this audit.

  2. Risks... by Corporate+Troll · Score: 2, Funny

    If running Microsoft SQL Server 2000 or IIS.... augment risk with 1000%.

    1. Re:Risks... by Greedo · Score: 0, Offtopic

      A nerd without Karma is like a pretty girl without breasts.

      That would make you ... Kate Moss?

      --
      Tuus crepidae innexilis sunt.
    2. Re:Risks... by capt.Hij · Score: 2, Funny

      Running Redhat without advanced server: augment risk 500% unless you upgrade more than once a year and drive your sysadmins nuts.

    3. Re:Risks... by Anonymous Coward · Score: 2, Insightful

      *cough* He said *pretty*, not *coked-out*. That being said, this looks as though it is still fairly half-baked at this stage, considering how the article states first the client needs to pony up for an independent security probe (read: bend over and take it to the tune of $50,000), and the payouts are only about 25 to 1.... Christ, I can get car liability insurance of a quarter million for just over a grand annually.... in New Jersey! And finally, apparently all of that cash seems to be used for throwing into the mouth of a hungry fire, considering how often certain attacks will be deemed uninsurable. I repeat: not yet ready for prime time.

    4. Re:Risks... by godzilla808 · Score: 1

      ACTUALLY... you might want to mod the above informative. I have seen quotes that are more expensive for businesses running Windows Servers.

      --
      ...///...
    5. Re:Risks... by berzerke · Score: 1

      ...I have seen quotes that are more expensive for businesses running Windows Servers...

      The one thing the article doesn't mention, but I (at least) would find interesting, is how the rates vary by OS (and distribution). Anyone have any info?

  3. First lame insurance post. by Anonymous Coward · Score: 1, Funny

    How about claiming millions of dollars in damage just because the CEO got a virus? Sounds like a good business model to me.

    1. Re:First lame insurance post. by macdaddy357 · Score: 1
      Hacker insurance. What a scam. Just like paying protection to the mob.

      So, did the insurance industry unleash the Slapper worm on companies that would not buy "network risk insurance?" It would not surprise me at all.

      Imagine what we as a society could do with the billions and billions we piss away on vapor products like insurance if we spent it on something that benefits society in a tangible way like health care, or replacing our crumbling infrastructure.

      --
      How ya like dat?
    2. Re:First lame insurance post. by Tackhead · Score: 3, Interesting
      > Imagine what we as a society could do with the billions and billions we piss away on vapor products like insurance if we spent it on something that benefits society in a tangible way like health care, or replacing our crumbling infrastructure.

      Imagine the billions and billions we wouldn't have to piss away on insurance if we clamped down on the trial lawyers.

      When a medical malpractice suit can cost $100M, a doctor can't afford to diagnose a common cold without malpractice insurance.

      And when that lawsuit can cost his malpractice insurance company $100M, no insurance company is going to write a policy unless your doctor pays $100K/year in premiums.

      And when your doctor's paying $100K/year in premiums, is it any wonder that he charges you $100 to diagnose a common cold?

      Gee, when it costs you $100 to get a common cold diagnosed, anyone with sprog can't afford to get medical care... without insurance. (Gee, what a coincidence :)

      We need to break the trial lawyers by putting caps on the Landshark Lottery.

    3. Re:First lame insurance post. by Anonymous Coward · Score: 0

      Yes, high insurance premiums are caused by lawyers suing on behalf of sick people.

      The price collusion in the insurance industry and their exemptions from anti-trust law have NOTHING to do with it.

    4. Re:First lame insurance post. by goldspider · Score: 1

      I wonder if hacker/cracker insurance is anything like robot insurance.

      --
      "Ask not what your country can do for you." --John F. Kennedy
    5. Re:First lame insurance post. by macdaddy357 · Score: 1
      Lawyer bashing is very easy to do; that is why the insurance industry is doing it. This tactic is what magicians call misdirection. Insurance companies nearly went broke gambling on stocks like Enron and Worldcom, and are now gouging policyholders to recover their losses.

      Malpractice insurance is something no competent health care provider needs anyway; only the quacks need it, and it gives them a license to be careless. Tort is the only recourse the public has for medical malpractice, dangerous products, negligence, and many other things with no criminal penalties. Tort reform could give the incompetent and unscrupulous a license to do vast harm to an even greater degree than the insurance industry does. It is not the solution the corporate media, who are strongly tied to insurance companies, make it out to be.

      By the way, lawyers aren't the ones who decide how much in compensatory damages should be given to victims, or how much in punitive damages should be charged to perpetrators. Juries do that.

      Abolishing lawyers is not the answer. Abolishing punitive damages is not the answer unless criminal penalties will be substituted for them. Strict regulation of the insurance industry, including bans on shakedowns like malpractice insurance and hacker insurance, however, would be a great idea.

      --
      How ya like dat?
    6. Re:First lame insurance post. by uncoveror · Score: 1

      Lawyers and insurance companies have set a bad example that has inspired organized crime to create a whole new racket, Prepaid Illegal Services. Check it out!

      --
      The Uncoveror: It's the real news.
    7. Re:First lame insurance post. by danoatvulaw · Score: 1
      Imagine the billions and billions we wouldn't have to piss away on insurance if we clamped down on the trial lawyers. When a medical malpractice suit can cost $100M, a doctor can't afford to diagnose a common cold without malpractice insurance.

      This is complete garbage. There is no need to crack down on anyone but bad doctors, not the lawyers. People who have injuries should be compensated for the wrongdoings of the actor who caused it, plain and simple. All this talk about capping "non-economic" damages at 250k is likewise garbage. Do me a favor - think about how much your legs are worth to you. Now think about if the doctor mistakenly diagnosed something, say an infection, causing you to lose both of them. Or if that infection caused you to go into cardiac arrest, go blind, or become paralyzed on 50% of your body. That and similar things happen more frequently than you would like to believe.

      Tell me again why that doctor should not pay for his mistake? We take medicine as an exact science in today's world, and there's absolutely nothing wrong with that. Doctors hold themselves out as trained professionals, able to diagnose your health related issues and make judgments that will directly affect your well being. Doctors can and should be made to compensate those that they undertake to care for. If your skills are not up to par, don't become a doctor.

      Now I will concede that there are frivolous lawsuits, and those attorneys should be reprimanded themselves. And it is also true that jury awards will be excessive sometimes. However, everyone tends to lose sight of the fact that awards are made by juries, composed of regular people. THEY decide how much to award in pain and suffering, not the attorneys. And more often than not, when you see a verdict for 10 Mil, that is significantly reduced on appeal, because juries cannot make grossly excessive awards, nor can they award based on emotion.

      Now that I've ranted enough, I'm done.
  4. But how would they cover the debt.... by Anonymous Coward · Score: 5, Interesting

    If everyone's site went down - as it almost did with the latest vuln in MSSQL - how would anyone ever cover the losses?

    fp

    1. Re:But how would they cover the debt.... by PhxBlue · Score: 5, Insightful

      Better yet, how do you even determine the losses? The only science I've seen of it to date is: Company A says, "We lost $x amount when we lost our connection for 2 hours because of this attack," with nothing to back up the dollar figure.

      This insurance idea could be a good one, simply because it might force businesses to justify their losses when network attacks occur. I'm not going to hold my breath, though.

      --
      !#@%*)anks for hanging up the phone, dear.
    2. Re:But how would they cover the debt.... by bleckywelcky · Score: 2, Insightful

      Although I do agree with you that whenever someone's systems or networks go down they start throwing around random numbers indicating their losses, it would be pretty easy to calculate the loss to a relative accuracy. Just get all the numbers for the amount of business done during that period using the systems that are down and average to the time period that the systems were down. Say company XYZ does business through a phone system and a website. Say they make $730 a year and that $365 of that comes from the phone system and $365 of that comes from the website. Now, say the website goes down for a single normal business day (not some holiday or otherwise, just a random normal day) and that normally their website is up 24/7/365.

      Loss = ($365/year)*(1 year/365 days) = $1/day on average. So, they lost $1 for that single day.

      Now, for example, let's say that this is the company Dell. From Aug 2, 2001 to Aug 2, 2002 Dell took in revenues equalling $32.054 Billion. So, they bring in ($32.054)/(365) = $0.087819 Billion per day, or $87.819 Million in one day. Now, let's approximate that 50% of that is from various computer networks (kiosks at office stores, home users online, business users online, etc) and 50% is from their phone systems (I really have no idea as I could not find any actual percentages). That means that if Dell's networks all went down for a single day, they would lose $43.910 Million in sales.

      The really hard part is estimating how network slowdowns affect the business. But then again you could just see what the average expected sales for that day were and then what the actual sales for that day were and find the difference. If you have some data, statistics can handle the rest. But it sure does seem like some of these CEOs pull numbers out of their arses and throw them around to get sympathy or something. :\

    3. Re:But how would they cover the debt.... by bmajik · Score: 2, Insightful

      Good question.

      This is what actuaries do. They determine how to make money off of policies, they determine risk exposure and how to mitigate that risk, etc etc.

      To have an actuary that could successfully do a plausible job at this, you'd need one that was a computer security and loss expert.

      My father was the youngest person to become an FSA (Fellow of the Society of Actuaries) and last year was the Computer Science chairperson for the SOA (Society of Actuaries).

      As both an accomplished actuary (to say the least) and an accomplished computerphile (are you fluent in 360 assembler?) I feel like he's pretty well versed to speak on this matter.

      I can tell you quite confidently that the cross section of actuaries and people who are computer security experts in the United States is roughly:

      0 persons.

      When the "hacker insurance costs more for IIS" article came out a year ago I talked it over with my dad. He said it was "bullshit", and went into a small rant about how ridiculous and sensationalist it was.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    4. Re:But how would they cover the debt.... by matth2 · Score: 1

      This is too high. You are assuming that everyone who tries to buy a Dell computer from their website on a day that it is down decides not to buy a computer or goes to a competitor. Chances are the customer tries to place his order later.

      I think that Dell would find their sales figures higher than average on the days following an outage. So their loss would be less than $43.910M.

    5. Re:But how would they cover the debt.... by ChrisTaylor2904 · Score: 1
      There's a cap on the cost of the claim in any individual company's case - the company chooses how much cover it wants (see article - you get $25m of cover for $1m premium, and there's probably also a limit to x% of the company's annual profits).

      The insurance company will itself be insured against very big losses from a single event (although that's really just passing some of the buck, to mangle a metaphor, as SOMEONE's got to pay eventually - several reinsurance companies posted huge losses due to 11th September claims).

      I would expect that there would be some clause to limit the amount of a claim in the event of a domino effect like this, in the same way as "regular" policies don't cover nuclear war - which is what something like this would amount to in terms of effect on the Net.

    6. Re:But how would they cover the debt.... by bleckywelcky · Score: 1

      Yeah, but I'm sure Dell wouldn't pay me a 6-figure salary to do the calculations I just did. Their financial people should be able to handle the numbers and make those sorts of corrections. The only question then is whether or not they will, or if Dell will simply find the way to report the largest loss figure (for whatever reason).

  5. Product liability instead by azoidx · Score: 5, Insightful

    What about product liability? Automakers, drug manufacturers and every other manufacturer is liable for their products in some way. How come software companies are exempt from this?

    1. Re:Product liability instead by Anonymous Coward · Score: 5, Insightful

      How come software companies are exempt from this?

      Because you clicked "Yes, I agree".

    2. Re:Product liability instead by phorm · Score: 2, Informative

      Automotive: Your car crashes due to a defect, you die
      Drugs (medical): Your pharmacist doesn't check to find that the drug prescribed is something you're listed as being highly allergic to, you die.

      SQL Server crashes: You lose money, you require stress leave, but in most cases it isn't life or death.

    3. Re:Product liability instead by Anonymous Coward · Score: 2, Insightful

      If someone steals an F-150 and runs over a person, is Ford liable? If someone takes 50 Valium, can the drug company be sued? People are taking an existing product, and vandalizing it to cause damage to someone else. The person who should be sued is the perp, not the OEM.

    4. Re:Product liability instead by ramas · Score: 2, Interesting

      I am just curious here, and therefore my question here must be seen in that context. In the case of the Slammer worm and with various other virus related incidents, the victim has almost always been shrink wrapped, standard off-the-shelf products (even if one includes operating systems in this league). So the argument could go that product liability is inappropriate because here you were given a tool, if you like, and it's up to you to do what you wanted with it. Yes, I admit that fundamental flaws should not be present, but I am not sure if I am on terra firma on that ground alone.

      Anyway, now what about bespoke software of the kind that runs banking systems? Surely there is a leap of faith here. When a company commissions software from another firm, apart from contractual agreements are there any standard practices that one can quote here to say this is how the industry handles the risk arising out of product defects that could potentially knock the person out of business or worse liable for external damages too?

      --
      - ramas opines !!
    5. Re:Product liability instead by TheTomcat · Score: 4, Insightful

      1) End-User License Agreements (EULAs)
      2) We don't REALLY want this. It's incredibly expensive to have crash-tests / drug-tests done; Open Source software would suffer greatly if it was "controlled" in this way.

      S

    6. Re:Product liability instead by Anonymous Coward · Score: 0

      3) Profit!!!

    7. Re:Product liability instead by Anonymous Coward · Score: 0

      If someone gets a gun and shoots someone, is the gun maker liable? (Maybe not, but it doesn't prevent the family of the shootee from suing the gun maker...)

    8. Re:Product liability instead by jackdoodle · Score: 2, Informative

      I completely agree...and insurance is likely one of the best ways to force this sort of responsibility. Bruce Schneier (quoted in the article) has been talking about this for a long time; his monthly newsletter addresses the subject at reasonable length, in the section "Liability and Security", from his April CryptoGram. http://www.counterpane.com/crypto-gram-0204.html

    9. Re:Product liability instead by QuantumRiff · Score: 1
      Take a look at This article

      If my local 911 was drastically slowed down like this, and a family member died because info didn't get to the right people fast enough, I'd be pretty ticked. Especially if it was because of yet another bug in a supposedly "commercial grade" database.

      --

      What are we going to do tonight Brain?
    10. Re:Product liability instead by workindev · Score: 1

      Why would a software company be liable for the illegal actions of hackers?

    11. Re:Product liability instead by Anonymous Coward · Score: 0
      Why would a safe-maker be liable for the illegal actions of safecrackers? Because the customer should have a reasonable expectation of security, since that's part of what the product is for.

      If someone picks your lock, then maybe the lockmaker ripped you off.

    12. Re:Product liability instead by epyT-R · Score: 1

      Liability would work for proprietary software vendors since there is someone for the insurance companies to extract money from, but how would one hold an open source project responsible? After all, OSS is usually provided 'as-is' and 'without warranty expressed or implied.'

      My guess is that the responsibility would fall back on the company in question, thereby making OSS uninsurable. This might have a negative impact on OSS adoption by IT depts if this 'hacker insurance' idea takes off. This also might add another bullet point on Microsoft's I-hate-OSS-and-you-should-too campaign flyer.

      I guess my opinion is that people need to take responsibility for their problems. There seems to be an increasing need for people to blame someone else instead. It's why the lawyers and insurance companies are making a killing right now.

    13. Re:Product liability instead by Fulcrum+of+Evil · Score: 1

      If SQL Server ships with severe security flaws that enable a worm to lay waste to the internet for a couple of days and, furthermore, fails to release reliable* patches that don't down the server, is Microsoft liable?

      * for values of reliable including not breaking anything else nor removing fixes to previous vulnerabilities.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  6. duh! by MissMyNewton · Score: 5, Insightful

    the *best* insurance is a competent admin...

    nothing else will do!

    --

    Information wants...you to shut your pie hole.

    1. Re:duh! by the_olo · Score: 1

      The *best* car insurance is to drive slowly...

    2. Re:duh! by B3ryllium · Score: 4, Funny

      The "best" car insurance is a Hum-Vee.

    3. Re:duh! by B3ryllium · Score: 2, Funny

    4. Re:duh! by berzerke · Score: 4, Interesting

      ... the *best* insurance is a competent admin...

      No, the best insurance is a competent admin and management that gives him the support he needs and listens to him (or her).

      I speak from experience. At a company I used to work for, the "business manager" decided that connecting a server (administered by another company; I couldn't legally touch it) with NO root password (AIX, BTW) to a modem anyone could dial into (no logging either) was a good idea. I objected, in writing, but was overruled.

      It was about a week before the hard drive suddenly went blank. The company administering it said it was a bad hard drive. I disagreed, and said someone had broken into it. Again, I was overruled, and they replaced the hard drive and restored the system from the last system backup (charging about $800 for this service). They put the modem back online.

      Exactly a month later, same thing. This time the company says it's a bad controller card (and again won't listen to me). The company claimed it would take a very sophisticated attack to do what was happening. Apparently, they never heard of cron and "rm -rf /*"! Anyway, again they restored the last system backup (not checking anything either; I watched). Another bill (unknown amount).

      Month 3, same time, same blank hard drive. Now they believed me and did an install off known good media. They refused to scan the data backups for leftovers though. Fortunately, it doesn't appear like the visitor left anything there. The business manager also finally gave the OK to disconnect the modem.

      They eventually did reimburse for some of the bills for non-faulty equipment, but the billing department (it was "their" server) was down for about 7 days. I have no idea how much that cost.

      The best admin in the world can't protect squat if management ties his (or her) hands.

    5. Re:duh! by sean23007 · Score: 2, Funny

      Well, you could have logged in and changed the root password...

      --

      Lack of eloquence does not denote lack of intelligence, though they often coincide.
    6. Re:duh! by berzerke · Score: 1

      I was sorely tempted. But then I would be doing something illegal. I already had my butt covered (my boss even co-signed my written objections). Looking back, I'm glad I didn't. It was fun to watch both the admin company and the business manager squirm.

      Too bad it didn't lead to real changes.

    7. Re:duh! by Zachary+Kessin · Score: 1

      A competent admin is a good place to start. But if my company was riding on the servers, I would invest in an insurance policy too. I assume my bank has a big strong safe and lots of other security features. But they also have some insurance against bank robbery.

      The problem is that the tighter you make your security, the harder the system will be to use. So you have to find some form of a midpoint. Plus, even if the systems are good, it does not prevent someone from hacking the people.

      After all, airlines have insurance and they train their people very well.

      --
      Erlang Developer and podcaster
  7. Hacker vs. Cracker by GuyMannDude · Score: 5, Insightful

    I can see it now: company tries to claim a loss due to having their network compromised.

    Insurer: I'm sorry but we have rejected your claim.

    Insured: What the hell do you mean? This is why we bought hacker insurance!!

    Insurer: Yes, but you bought "hacker" insurance. If you wanted to be reimbursed for a loss like this, you should have bought our "cracker" insurance! But you're in luck! We've got a special offer now! If you buy cracker insurance and already have purchased hacker insurance from us, you will save 10%! I guess today is your lucky day after all!

    Insured: You insurance companies are vultures! Profiting off our loss! Well, okay, I don't want to think any more about it. Just sell me whatever insurance you think is best for me.

    Insurer: Just what I was hoping you'd say! Sign here, here, and here, please! No, don't bother reading that. It's just a bunch of legal jargon...

    GMD

    1. Re:Hacker vs. Cracker by Tacomanator · · Score: 1

      Insured: You insurance companies are vultures! Profiting off our loss! Well, okay, I don't want to think any more about it. Just sell me whatever insurance you think is best for me.

      Let's get something straight, I hate insurance companies as much as the next joe, but you're missing a step. Commercial Insurance is very different from commercial lines in this respect. I work at a commercial lines brokerage (meaning that the clients are our principals and we work for them, not the insurance company) who deals with this every day. Many 'wise' business-owners choose to leave their insurance needs in our hands because we will actually analyze what exposures they face and tell them what type of insurance they need, why they need it, and how much it will cost.

      If the insured has a loss, it is OUR job to see that not only the claim is paid in a timely manner, as well as helping our insured solve a problem such as a fraudulent workers compensation claim (which happens far too often).

      Furthermore, it is our job to analyze the policy that we are taking out for an insured and look for the holes in the coverage that would result in something like the above.

      The point is that typically a business owner can avoid those types of problems by not being cheap and enlisting the help of a professional, which, as I said, many 'wise' business owners do.

    2. Re:Hacker vs. Cracker by Tacomanator · · Score: 1

      whoops, s/commercial lines/personal lines/

  8. curious ... by Anonymous Coward · · Score: 2, Insightful

    Would there be a higher premium for those running a Microsoft OS vs. oBSD?

    1. Re:curious ... by Anonymous Coward · · Score: 0

      I doubt anyone smart enough to run oBSD would bother buying the insurance to begin with... so probably no.

    2. Re:curious ... by Anonymous Coward · · Score: 0

      "Only one remote hole in the default install, in more than 7 years!"

      This used to say "No remote holes..."

      Nobody's perfect. :)

  9. Insurance HA by BJZQ8 · · Score: 3, Insightful

    Anybody that would willingly buy insurance is at least half-nuts. If you DO buy insurance and DO get broken into they will send out swarms of "adjusters" and question how this could have happened, and how lax your security must be. Then they will proceed to up your premiums to make back what they paid you for the "damage." So they will end up getting THEIR money anyway. So my advice would be to take that money you would have spent on insurance, and buy a firewall and a decent admin to run it.

    1. Re:Insurance HA by Patrick13 · · Score: 1

      Anybody that would willingly buy insurance is at least half-nuts. If you DO buy insurance and DO get broken into they will send out swarms of "adjusters" and question how this could have happened, and how lax your security must be.

      I agree. In the article it says that you have to pay $50,000 to have an outside consultant assess your security. Then of course there are the insurance premiums...

      That kind of $$$ would go a long ways toward paying a security admin and internal security awareness training for your staff.

      --
      ::.. check out some Cell Phone Reviews
    2. Re:Insurance HA by freeweed · · Score: 1

      Anybody that would willingly buy insurance is at least half-nuts.

      Yeah, next time my house burns down I'll keep that in mind.

      Remember, insurance isn't about protecting the stupid. It's about protecting you in case of ACCIDENTS. And yes, they do happen, even to the best of us.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    3. Re:Insurance HA by BJZQ8 · · Score: 1

      Most "Hacker" incidents probably aren't going to be about your computer infrastructure completely melting down into an agglutinated mass of 0's and 1's. They are going to be about temporary disruptions and defacings, or perhaps data loss. That is where the insurance companies will always stick it to you. I would agree that insurance for a massive catastrophe would be wise...but even then the insurance companies will hasten to raise your premiums if "you allowed" something of this scale to happen. I still think this money is best spent on prevention...and perhaps the money you spent on fire insurance would be best spent on a halon fire-suppression system. Sure that doesn't cover earthquakes and rabid raccoons, but I'm sure neither does "h/cracker insurance."

  10. Do they cover your bandwidth bill too? by Stephenmg · · Score: 5, Interesting

    Do they cover your bandwidth bill when some random infected virus sends packets to your secured site even if you don't get infected?

    1. Re:Do they cover your bandwidth bill too? by Anonymous Coward · · Score: 0

      The article sounded like they'd only cover you if you use approved software, and should an attack occur, they'll hire a PR firm for you so they can convince the public your company isn't incompetent, until the next time it happens because your admin still doesn't know how to patch machines.

  11. Cracker insurance by Anonymous Coward · · Score: 0

    What's the cracker equivalent of negroes and fried chicken?

    1. Re:Cracker insurance by B3ryllium · · Score: 0, Offtopic

      Hot grits and natalie portman, right?

  12. problem by io333 · · Score: 2, Funny

    [I] [T]hink [Y]ou [M]ay [H]ave [A] [C]opyright [V]iolation [I]n [T]he [F]irst [L]ine [O]f [T]he [S]tory?

  13. The obligatory scheme by Anonymous Coward · · Score: 0

    1: Sign a Hacker Insurance contract.
    2: Install insecure systems (e.g. Windows) company-wide
    3: Put some "0wn3d by" or other h4x0r-style files randomly in the filesystems.
    4: Wait for the first data loss.
    5: Jump around like a chimp screaming Hackers! Hackers! Hackers!
    6: Profit!

  14. An analogy by thesilverbail · · Score: 5, Funny

    That's like the story of NASA inventing this hyper-super-duper centrifugally balanced gravity boosting ballpoint pen for their astronauts and the Soviets bringing along a pencil.

    --
    I have found a truly wonderful proof of Fermat's Last Theorem, but unfortunately this sig is too small to contain it.
    1. Re:An analogy by ajakk · · Score: 4, Informative

      The important word there is story, considering this is false. Snopes

    2. Re:An analogy by treat · · Score: 3, Insightful
      That's like the story of NASA inventing this hyper-super-duper centrifugally balanced gravity boosting ballpoint pen for their astronauts and the Soviets bringing along a pencil.

      I don't know about you, but I wouldn't want bits of (conductive) graphite floating around if *I* were in a space ship.

    3. Re:An analogy by Anonymous Coward · · Score: 0

      Why the fuck not, NASA did it. That pencil vs pen thing is a Space Myth... some company spent X million developing the pen and NASA said 'sure we use it', but on their first flights they did use pencils.

  15. Hackers Need Insurance by briggsb · · Score: 1

    Sure companies need insurance against hrackers but many hackers spend so much time on the websites they crack that they should get insurance too.

  16. You know how they will cover the losses by Anonymous+Coward++1 · · Score: 1

    Call up Greenspan and crank up the printing press - we've got an insurance bailout on our hands!

    --
    Karma: Bad (mostly affected by being such an asshole)
  17. Hartford Steam Boiler Insurance covers this by Animats · · Score: 4, Interesting
    The Hartford Steam Boiler Insurance Company offers insurance against computer breakdowns for a wide variety of reasons. Their business is insuring companies against mechanical failures. They started out with steam engines (hence the name) but the business has grown.

    Hartford Steam Boiler offers good rates, but requires intrusive inspections. Before they insure something, they inspect and provide a list of things they want fixed. Then they inspect again, after the problems are fixed. Only then will they provide insurance coverage. They then have the right to inspect at any time, and they use it.

    This works great for steam boilers (where they have great expertise) but they haven't tried to expand much out of their niche. Even though they do cover some computers, they're still mostly focused on boilers. It's good that others are now moving in that direction.

    This is the right approach. When Hartford Steam Boiler started in 1866, steam boilers blew up regularly. Within a few years, boilers insured by Hartford Steam Boiler weren't blowing up. A similar approach may eliminate computer crashes as a major problem. The day may well come when you can't buy insurance because you have an insecure OS on the premises.

    1. Re:Hartford Steam Boiler Insurance covers this by zby · · Score: 1

      The problem is that Microsoft can just buy Hartford Steam Boiler.

    2. Re:Hartford Steam Boiler Insurance covers this by Anonymous Coward · · Score: 0

      The day may well come when you can't buy insurance because you have an insecure OS on the premises.

      Even worse, the day may well come when you cannot hire uncertified admins regardless of experience.

    3. Re:Hartford Steam Boiler Insurance covers this by Black+Parrot · · Score: 1


      > The Hartford Steam Boiler Insurance Company offers insurance against computer breakdowns for a wide variety of reasons.

      Do they cover the Steam Boiler of Death [SBOD]?

      --
      Sheesh, evil *and* a jerk. -- Jade
  18. mitigating risk by Anonymous Coward · · Score: 4, Insightful

    This makes a whole lot of sense, because it allows companies to spread the cost of computer crime over time.

    Every company expects numerous break-ins, vandalism, data theft, etc. The problem is that it is hard to budget for this because the value of the damage is different in every case.

    Buying insurance for the attacks allows shortfalls in the data crime budget to be covered, and provides benefits for budgeting and tax purposes by increasing stability in the face of constant inevitable loss.

  19. "network risk insurance" by Anonymous Coward · · Score: 0

    If it's an insurance against network risks, shouldn't it be dubbed a "Microsoft Insurance?"

    I can see the conversation now, "Oooh, you're running MS Servers? Your premiums just went way up..."

  20. What a great idea. I can see it now. by Kenja · · Score: 4, Funny

    Guido: Nice network you gots here, it would be a shame if something were to happen to it.
    Customer: What do you mean?
    Nunzio: You know, accidents, like your customer records being posted on slashdot. Accidents happen you know.
    Guido: But you're in luck, my brother and me can, for a small fee, guarantee your network won't be hacked by disreputable people like us. Think of it as "insurance".

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:What a great idea. I can see it now. by Skevin · · Score: 4, Funny

      Wouldn't their names actually be Gu1d0 and Nunzzz10?

      Solomon

      --
      "Twice half-assed makes an ass whole." --Solomon K. Chang
    2. Re:What a great idea. I can see it now. by rk · · Score: 1

      Would Guido make me use Python?

    3. Re:What a great idea. I can see it now. by Xerithane · · Score: 1, Funny

      I was thinking something more like this:

      Luigi: How many servers you got here, Colonel?
      Colonel: Oh, er ... seven hundred workstations, two hundred Linux servers, and er, two dozen Sun servers.
      Luigi: Sun servers, Dino.
      Dino: Be a shame if someone was to set fire to them.
      Colonel: Set fire to them?
      Luigi: Fires happen, Colonel.
      Dino: Things burn.

      --
      Dacels Jewelers can't be trusted.
    4. Re:What a great idea. I can see it now. by Anonymous Coward · · Score: 0

      Colonel: Now, I've noticed a tendency for these posts to get rather silly. Now I do my best to keep things moving along, but I'm not having things getting silly. Those last two posts got very silly indeed. Now, nobody likes a good laugh more than I do, except perhaps my wife and some of her friends. Oh yes, and Captain Johnson. Come to think of it, most people like a good laugh more than I do, but that's beside the point. Now, let's have a good, clean, healthy troll post.

    5. Re:What a great idea. I can see it now. by Anonymous Coward · · Score: 0

      Actually, what's funny is that, had you written it with but a few changes, it would have been moderated as "Flamebait" with great gnashings of teeth:

      Jamaal: Yo, nice network you gots here, it would be a shame if something were to happen to it.
      Customer: What do you mean?
      Muhammed: You know, man, accidents, like your customer records being posted on slashdot. Accidents happen you know.
      Jamaal: But you're in luck, my brother and me can, for a small fee, guarantee your network won't be hacked by disreputable people like us. Think of it as "insurance".

  21. Not a bad idea by Anonymous Coward · · Score: 5, Interesting

    Car insurance is cheaper if you have an ignition disabler, and other anti-theft features.

    If companies actually buy cracking insurance, they will want to get it at a low price.

    The insurance industry, by charging high premiums for bad IT management, bad security, bad policy, and bad software, could force companies to improve themselves.

    How high are the premiums on MS SQL 2000?

    You could clearly point to the insurance premiums and show how much bad security is costing the company.

    1. Re:Not a bad idea by pmz · · Score: 3, Insightful

      The insurance industry, by charging high premiums for bad IT management, bad security, bad policy, and bad software, could force companies to improve themselves.

      This is how insurance companies can actually act on behalf of the consumers. While personal injury lawyers make insurance companies out to be money-grubbing scum-sucking urine-soaked bug feces, we can't forget that those same insurance companies finance car crash testing and safety reporting for their own and the public's benefit. We also can't forget it is the insurance companies who can actually challenge runaway medical costs for their own and the public's benefit. The same goes for construction (flood plains, building codes, etc.), too.

      Insurance companies could be Microsoft's worst nightmare.

  22. Will this make better security? by WPIDalamar · · Score: 4, Insightful

    The article went on to talk about some "hoops" companies must go through to get insured. Some of these hoops included external audits, and assurances that security is important. Perhaps this kind of thing can actually increase security since it gets people higher up (and not the techies) thinking about it.

    If your board of directors tries to get cracker insurance, and the insurance company fails you as being too big of a risk .... I bet that board will step up to the plate for security funding!

    1. Re:Will this make better security? by Anonymous Coward · · Score: 0

      Schneier has been talking about this for years. See: Secrets & Lies

  23. Might actually help by AppHack · · Score: 5, Insightful

    The interesting thing is that if companies followed the requirements of the insurance company to get the hacker insurance, their security would improve tremendously. Many companies don't even perform the simple tasks the insurance companies will require. That alone would help tremendously.

    Ironically, if more companies would conduct assessments, patch vulnerable systems, set up security policies, etc., the demand for this type of insurance might actually diminish. Little chance of that. :-)

    1. Re:Might actually help by marko123 · · Score: 2, Insightful

      Excellent point. Home contents insurance is a good example of this. Minimum requirements in Australia are proper locks on doors and windows (hint, hint, MS). They expect you to deter the basic burglar attacks by doing things that you might not if you didn't care about insurance. You also get a discount with some brokers if you have an alarm system installed. This analogy applies well to networks.

      --
      http://pcblues.com - Digits and Wood
    2. Re:Might actually help by B3ryllium · · Score: 1

      While I would never use it on my server (I choose YOU, FreeBSD!), Windows XP does have a built-in firewall. I think 2K might, as well, but I'm not sure.

      It works well enough to annoy the crap out of me after installing a third-party firewall AND a hardware firewall, and wondering why I can't get a server to work, without realizing that the built-in firewall was enabled ... :)

      Not to mention that XP seems to have the Guest account disabled (or at least, tells you to disable it) by default, and only lets users with accounts log in ... It's my favourite Windows to date! A bit expensive though.

      *cough, cough*
      <slashdot_mode>
      Windows sucks! Microsoft is horrible! I want to use UNIX and BeOS, dangit!
      </slashdot_mode>

    3. Re:Might actually help by sunwukong · · Score: 2, Interesting

      Speaking of home insurance, I just received my annual assessment and the new clauses explicitly exclude any damages due to "cyber attacks", i.e., hacking or net downtime, etc.

  24. More info by jhouserizer · · Score: 3, Insightful

    Does anybody know where documentation can be found on how "risk assessment" is done for this type of insurance?

    This would be a very interesting way to gauge what software and network hardware an establishment should/should not be using.

    It would be very interesting to see where Microsoft products fall in the mix.

    1. Re:More info by Anonymous Coward · · Score: 4, Informative

      SANS Institute lists those providing such insurance, so you could contact the companies directly, but one arrangement with Lloyd's of London makes it cheaper for Counterpane Security customers, see link at the bottom. Here's the Sans info:

      http://www.sans.org/rr/casestudies/insurance.php

      Who Provides Hacker's Insurance

      Providing insurance for cyber loss is a new industry. Most insurance carriers do not have the necessary expertise or tools to adequately assess the needed coverage. As a result, there are currently only a few companies offering hacker's insurance. However, with the financial losses continuing to escalate, the demand for this protection will also increase.

      Lloyd's of London has created an insurance product that incorporates elements of crime coverage and property coverage, addressing specific exposures faced in our computer age.

      The product, Computer Information & Data Security Insurance (CIDSI), combines theft and malicious damage protection coupled with business interruption coverage. CIDSI further provides expert computer security surveying and loss control services to mitigate exposures and losses. The product is a comprehensive program that can help address significant exposures.

      Other vendors of computer crime insurance include:

      * Internet Security Systems (www.iss.net)
      * Counterpane (www.counterpane.com)
      * J.S. Wurzler Website Insurance & Security (www.jswum.com)
      * Axent Technologies (www.axent.com)
      * Insuretrust.com LLC (www.insuretrust.com)
      * Ace Ltd. (www.acelimited.com)

      Cost

      Liability is still difficult to calculate. An example of one method for calculations is to average a Web site's revenue over several months and divide for an estimate of the hourly cost of downtime. However, this calculation doesn't consider account traffic and potential customers lost as the result of service interruption.

      Insurers typically determine policy costs according to the company's size, the volume of business a company conducts on the Web, and the effectiveness of the company's security policy. Some insurers offer a discount if you have an affiliation with certified information security experts.

      Policies can carry premiums starting at $7,000 all the way to $3 million dollars. Lloyd's of London has recently announced a policy to cover up to $100 million dollars but the price of the premium has to be negotiated specifically with Lloyd's.
      What to look for in a policy is addressed here:
      http://216.239.53.100/search?q=cache:nLr6A8 YsCgcC: practice.findlaw.com/
      worldbeat-1202.html+%22hack er+insurance%22&hl=en&i e=UTF-8

      Counterpane customers can get it cheaper through an arrangement with Lloyd's of London because they are their customers:

      http://www.counterpane.com/pr-lloydsqa.html

    2. Re:More info by paranoic · · Score: 1
      So you might think they would require some sort of security audit?

      Maybe as part of whatever the requirements are for getting a Systems Admin license?

      Maybe as part of suspending your Systems Admin license if you fail?

      All of the above are good things.

  25. What to expect by Anonymous Coward · · Score: 0

    Insurance companies are largely responsible for your loss of rights while driving. They'll do the same for the internet. They'll lobby hard for wiretaps and whatever else it takes to create a closer 'relationship' between computer users and police agencies.

  26. Let me guess.. by nortcele · · Score: 1, Funny

    and the main investor in these insurance companies would be...
    Microsoft perhaps?

  27. Force majeure? by GQuon · · Score: 2, Insightful

    One solution could be to declare it a result of force majeure: "An act of God", an event that could never be anticipated. Somehow I don't believe that would hold up in court.
    The good thing about cracker insurance, is that the insurance companies will impose terms that the insured parties have to comply with. And they can give discounts on premiums if some measures are taken by the insured. How about a 10% discount for switching from Windows to a secure system ;-)

    --
    Irene KHAAAAAAN!
  28. How do they pro-rate it? by grub · · Score: 2, Interesting


    Would a firm get a break on their insurance if they ran 100 OpenBSD servers rather than 100 Windows servers or do they view a box as a box as a box?

    --
    Trolling is a art,
  29. There is an easier way by mao+che+minh · · Score: 2, Interesting
    Companies seem to be using this insurance option partly for peace of mind. Peace of mind, to me, would be more easily obtained (and for far less money) by simply dumping your insecure operating systems and services in favor of more flexible systems which are not commonly targeted and easier to secure.

    This reduces total overhead by removing the license fees associated with Windows, SQL, and Exchange, and eliminates the need for expensive insurance options. The money saved could be used to hire a qualified network security person in-house.

  30. Insurance? by chunkwhite86 · · Score: 3, Insightful

    I see some posts here about insurance cost of Windoze vs. oBSD. oBSD is about as secure as it gets - certainly it's several orders of magnitude stronger than the toys from Redmond. A logical human would conclude that it should be much cheaper to insure oBSD than Windoze. Not necessarily so...

    The problem here, is that Microsoft has already admitted that their products have crap security. What's preventing M$ from opening their own (or buying out another) hacker insurance co. and giving large discounts to Windoze based corporations? Would other corporations stick with a non-M$ operating system if they had to pay double the insurance premium and/or accept reduced coverage?

    There is definite potential for abuse here.

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.
    1. Re:Insurance? by WPIDalamar · · Score: 4, Informative

      well.. duh... someone has to pay the claims

      If MS offers huge discounts for windows insurance, then they would lose GOBS of money when it comes time to pay out those insurance claims. I'm guessing the profit margin on insurance generally isn't as big as it is on software! They would essentially have to pay for their own bugs.

    2. Re:Insurance? by Anonymous Coward · · Score: 0

      "Only one remote hole in the default install, in more than 7 years!"

      This used to say "No remote holes..."

      Nobody's perfect. :D

    3. Re:Insurance? by chunkwhite86 · · Score: 1

      well.. duh... someone has to pay the claims

      If MS offers huge discounts for windows insurance, then they would lose GOBS of money when it comes time to pay out those insurance claims. I'm guessing the profit margin on insurance generally isn't as big as it is on software! They would essentially have to pay for their own bugs.


      Of course they would lose gobs of money on the claims. But gobs of money is exactly what Microsoft has! Look at the Xbox. It's losing millions and millions of dollars for MS. Do they care? No! It's all about market share.

      Remember, although MS has 90% market share on the desktop, they have a far lower percentage of the server market. And the server market is where the big profit margins are.

      What's a few million here and there (in claim payouts) if they can flex their "insurance muscle" and "force" all large corporations to switch to Windows on the servers.

      Remember - it's usually not the techies in the server room making these decisions. Mr. Big Boss sees that it's just a nickel and a dime to insure his Windows servers with Microsoft Insurance Co. while it costs him an arm and a leg to insure oBSD, Linux, etc. It doesn't take Einstein to do the math and watch the non M$ platforms disappear.

      Scary.

      --
      I'd rather be a conservative nutjob than a liberal with no nuts and no job.
  31. More insurance. by eniu!uine · · Score: 2, Funny

    How about slashdot insurance?

    1. Re:More insurance. by Anonymous Coward · · Score: 0

      Yes, but the cooler your site the higher the premium.

  32. Stock-buying time. by _RidG_ · · Score: 2, Interesting

    "...but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005..."

    Even taking these predictions with a rather large grain of salt, this is still fairly impressive. Might be a good time to look into putting your money into (gasp!) the stock market?

    --


    "The power of accurate observation is frequently called cynicism by those who don't have it." - G.B. Shaw
  33. How do you judge a products security. by Neophytus · · Score: 2, Interesting

    'Mainstream' servers like IIS and Apache will have their flaws documented within days, perhaps hours, of being discovered. This will make insurance on servers like this easier to judge. What about a home-brew image server? Or an obscure small scale database from sourceforge?
    Auditing and insuring as appropriate for these applications would be a slow and tricky process (the cynic in me says it is yet another business opportunity) as many thousands of apps would have to be tested and rated on an insurance-risk-table - if you do want to be insured from this so called 'h/cracker threat' it isn't going to come cheap.

  34. [H|Cr]acker? by cheesyfru · · Score: 4, Funny

    I know what a hacker is, but what is a "cacker" or a "racker"?

    (simple regular expression bugs in article titles explain a lot about why Slash is the way it is)

    1. Re:[H|Cr]acker? by WPIDalamar · · Score: 1

      And what the hell is a |acker !!!

    2. Re:[H|Cr]acker? by B3ryllium · · Score: 1

      You mean "Cacker", don't you?

    3. Re:[H|Cr]acker? by Anonymous Coward · · Score: 0


      The title is supposed to denote either Hacker or Cracker. A cracker is a toasted piece of processed dough on which cheese or caviar is placed.
      Seriously though, a cracker is someone who breaks into networks for malicious purposes, whereas a hacker does it for nonmalicious purposes, i.e. for the challenge.

    4. Re:[H|Cr]acker? by sakeneko · · Score: 1
      [H|Cr]acker?
      I know what a hacker is, but what is a "cacker" or a "racker"?
      (simple regular expression bugs in article titles explain a lot about why Slash is the way it is)

      Nah.... Posting flames on regular expression bugs in article titles explain a lot about why Slashdot is the way it is....

  35. *nix flavors are vulnerable too by mmuskratt · · Score: 4, Interesting

    OK M$ bashies, enough. One word, "bugtraq."

    The issue here is really interesting. Do you think that by patching systems, and by going through security testing, the premiums for this type of insurance will go down? How do you determine a financial settlement (Kevin Mitnick allegedly cost several companies billions of dollars in damage, blah blah blah)? Will this make security teams wealthy and sysadmins better?

    Furthermore, the article says that this type of insurance has been around for 3 years now, but I didn't get a hit when I typed in "network risk insurance" into Google...who is providing this?

    Sounds like a scam I'd like to be a part of...

    --
    man rtfm
  36. Microsoft by Anonymous Coward · · Score: 0

    Microsoft can make their software bugs profitable. More bugs: more risks: higher insurance costs. Just imagine what deals they could make with those insurance companies. B.G.: "I'll give you three MS SQL bugs for 100.000 a year, or else we will release a patch for it" Insurance: "Sounds like a good deal, but I want one which can be remotely exploited anonymously to insure results" B.G.: "of course".
    And the more bugs get exploited, the more people will get these policies instead of hiring a good admin that will secure their computers and is up-to-date with bug announcements. Spending money on "what could be" isn't the solution to a faulty network/system.

  37. What, are Forrester consultants on deep discount? by sulli · · Score: 1

    I thought the "$2.5 billion by 200[0,2,4,6]" claims went out with Aeron chairs and the Segway. Does anyone take that shit seriously?

    --

    sulli
    RTFJ.
  38. fuel the fires by gkbarr · · Score: 1, Flamebait

    of the world's biggest evil empire - the insurance industry. WTF is wrong with people? Hacker insurance? How the hell do people expect to be able to prove they were hacked when most companies don't even know how to check the logs on their "firewall"? More money wasted that should be creating actual jobs for people who need them. /rant

    --
    Sapere Aude - Homer
  39. YES! STEP 2 IS REALIZED! by Eric_Cartman_South_P · · Score: 3, Funny
    1) Collect Insurance Policies

    2) H@x0r 127.0.0.1

    3) Profit!

  40. Is this really a surprise? by Anonymous Coward · · Score: 0
    ...explode from a $100 million sideshow into a $2.5 billion behemoth by 2005...

    Mitnick is back on the scene, after all...

  41. Bean counters can understand now! by Eric_Cartman_South_P · · Score: 3, Insightful
    When the insurance rates for Linux and BSD are less than Windows (surely this will become the case), even managers and bean counters will see which is better. This is good news.

    SURELY I would pay less insurance if I'm using all FreeBSD 5.0 boxes vs. Windows NT 4.0 SP1 boxes! Let's see what the rates turn out to be. Again... very good news!

    1. Re:Bean counters can understand now! by bmajik · · Score: 1

      this is ridiculous.

      Nobody that is experienced enough to make an objective computer security threat analysis works in the insurance industry.

      Insurance underwriters aren't fantastically bright, and the actuaries that keep insurance companies running don't have computer security expertise.

      Just running FreeBSD vs NT4.0 SP1 isn't enough to make any kind of a policy decision.

      If all aspects of network, administration, training, etc were identical, then, perhaps, a premium for a policy might be different based on OS choice.

      But, if you know anything at all, the choice of technology has a lot less to do with computer security than the choice of humans and procedures.

      Furthermore, the number of variables involved in something like writing an anti-hacker policy is so large that many of them will be ignored, as the models that the actuaries use to do their risk analysis work on terms of masses of people, and all of the variables in those models are not exposed to the underwriters.

      Here's an example -- for an auto insurance policy, they ask you what kind of car it is, how often you get a traffic violation, how old you are, and how far you drive in an average day.

      Wouldn't you say there are more variables that are statistically significant than that ? The underwriters don't care that you drink, own a cell phone, etc etc (although they may start on the cell phone matter). Yet those are things that may be modelled by the actuaries, on broad terms to set the safety margins in the premiums.

      Similarly, there are all kinds of factors that relate to insuring some kind of computer operation. First off, if you're talking about a computer network, then the OS on a specific host doesn't seem relevant (or were you envisioning that each host would be a multi-valued line item on the policy, just like each car is a line item on an insurance policy ?)

      --
      My opinions are my own, and do not necessarily represent those of my employer.
  42. Kevin Freed.... by Anonymous Coward · · Score: 0

    has been on the market for about three years, but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005

    odd this would coincide with Kevin M finally free

    -uglyman

  43. INSURANCE DENIED by Anonymous Coward · · Score: 2, Funny

    you are running M$ software so there is a pre-existing condition.

    sorry.

  44. a115tat3 by floppy+ears · · Score: 2, Funny

    Ah, maybe that explains why I keep getting hacked by some l33t dude called a115tat3.

    --

    "If I could live to be several hundred
    I could take a walk and really wander, really wonder."
  45. DDOS Flood insurance by bareman · · Score: 2, Interesting

    and don't forget to get your DDOS flood insurance coverage too.

  46. wtf? by Anonymous Coward · · Score: 0

    Oh that's just fucking perfect.. we went from "Big Tobacco" to "Big Oil" to "Big Fast-food", and now we're at "Big Insurance"?!

    feh, you psychosocialists are really starting to piss me off

  47. Not to be anal, but... by mikecarrmikecarr · · Score: 4, Interesting

    The article title reads [H|Cr]acker Insurance

    This regex works but I don't think it works for the reasons that the author intended. For example,

    The [H|Cr] is a character class matching the single character H, C, r or |.

    So this regex will match Hacker Insurance, and Cracker Insurance (bolding indicates what part of the word matches)... it will also match |acker Insurance

    I wouldn't normally be so anal but the title involves hackers/crackers... you'd think you'd get the logic right, no?

    I would humbly suggest the regex (H|Cr)acker Insurance

    If the author was intending some weird regex syntax where [] indicates something other than a character class then I apologize in advance,

    --

    ID-10-T is a way of life

    1. Re:Not to be anal, but... by The+Masked+Fruitcake · · Score: 1

      It has already been pointed out that the author is not using regex rules. :)

      --
      Sola Scriptura * Sola Gratia * Sola Fide * Solus Christus * Soli Deo Gloria
  48. How 'bout "slashdot effect" insurance? by Idou · · Score: 1

    I am sure that does much more damage than some little ol' virus.

    --
    Sdelat' Ameriku velikoy Snova!
    1. Re:How 'bout "slashdot effect" insurance? by Stephenmg · · Score: 1

      I was also thinking about DoS too. Slashdot effect might look like a DoS on port 80.

  49. Insurance Insurance by Betelgeuse · · Score: 1

    is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005, according to insurance industry projections.

    So, do the companies buy insurance to guard against the chance that their predictions are wrong?

    --
    I couldn't tell if you were experimenting with poor-man's cryogenics or looking for the orange sherbet.
    1. Re:Insurance Insurance by Anonymous Coward · · Score: 0

      Well..... yes, they do. It's called "reinsurance", where an insurance company will write a large policy, and then sell off parts of it to other companies, to spread the risk around. General Re (owned by Warren Buffett) makes quite a bit of money this way.

    2. Re:Insurance Insurance by freeweed · · Score: 1

      So, do the companies buy insurance to guard against the chance that their predictions are wrong?

      Actually, yes. Insurance is essentially a business based on probability, and there are many examples of this:

      On the smaller end of the scale are things like Hole-in-One insurance - basically, an insurance company will pay, say, $20,000, if someone gets a hole-in-one during your corporate golf tournament, but you only pay $500 for this coverage. Odds of someone getting a hole-in-one = just slightly less than $500/$20,000, so the insurance company makes a small profit overall, and you get a really neat prize if you're lucky enough.

      Numbers completely contrived, it's been a couple of years since I sold insurance.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  50. insurance company charges more for MS-Win by natmakarvitch · · Score: 1

    here is an excerpt from an old press article: "one of the first companies to offer hacker insurance, has begun charging its clients 5 percent to 15 percent more if they use Microsoft's Windows NT software ... has been selling hacker insurance since 1998, based his decision on more than 400 security analyses [ ... ] system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows" read on: short (long)

  51. Hmm, systems improve if they are open to scrutiny? by Idou · · Score: 1

    Problem is, the clients that need software insurance the most run software that forbids you to check out code, and the software that lets you check out the code doesn't need insurance.

    This fact may prevent the kind of scenario your post describes from occurring in the computer industry.

    --
    Sdelat' Ameriku velikoy Snova!
  52. I can see their logic: by Anonymous Coward · · Score: 0

    # Perl reading of the posted pseudocode, with the same joke logic
    foreach my $attempt (@hack_attempts) {
        $rates += $rates * 0.1;        # every attempt bumps the premium 10%
    }

    if ($provider eq 'Microsoft') {
        $rates *= 1000;
    } else {
        $rates = $normal_rate;
    }

  53. This Has To Be A HUGE Scam by SirCodeAlot · · Score: 2, Interesting

    I predict every claim will be turned down, under the guise of a preexisting condition. If the admin can't secure the system, they certainly won't be able to prove the system was clean before purchasing insurance.

    1. Re:This Has To Be A HUGE Scam by Anonymous Coward · · Score: 0

      I agree. Insurance companies are in the business to rip people off^H^H^H^H^H^H^H^H^H^H^H^H^H^Hmake money to enable their employees to make a living. I wouldn't buy hacker insurance any more than I would buy flight insurance.

  54. No, it's correct by metalhed77 · · Score: 1

    He's not following regex rules! If he wanted a regex it'd use parentheses instead of brackets. He's following the formatting conventions you often see in gnu utils when you execute them with --help.
    So [H|Cr] is correct.

    For instance, part of man --help is

    man [-c|-f|-k|-w|-tZT device] ..

    If it were a regex it'd look like H|(Cr)acker. But we're not doing pattern matching, substitution, or even transliteration; we're defining options.

    Did I just spend 2 minutes writing this? I have no life.

    --
    Photos.
    1. Re:No, it's correct by Xepherys2 · · Score: 1

      Hmmm, well, that's not right. Typically, brackets are used to define switches that are optional. Switches defined outside of brackets are usually mandatory, or necessary for proper use of the command. Hence, with this logic, the author is actually speaking of an "acker", with possible indications of a "Hacker" or "Cracker" as an option.

      *shrug*

      -Xeph
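    The two threads above (comments 47 and 54) disagree about what `[H|Cr]acker` means. As an added example that is not part of any post here, the Python below reads the title as a regular expression, as the first commenter does, and shows concretely which strings the character-class form `[H|Cr]acker Insurance` accepts versus the alternation `(H|Cr)acker Insurance`. The candidate strings other than the two intended titles are constructed for the demonstration. The same confusion between a character class and a group is a classic input-validation bug, which is why it is worth seeing the accepted set enumerated rather than guessed.

    ```python
    import re
    import string

    # The title as written on the page, read as a regex: [H|Cr] is a character
    # class, so it accepts exactly one of the characters H, |, C, r.
    CLASS_PATTERN = r"[H|Cr]acker Insurance"
    # The alternation the commenter suggests instead: "H" or "Cr", then "acker".
    GROUP_PATTERN = r"(H|Cr)acker Insurance"

    # Constructed candidates: the two intended titles plus strings that probe
    # the difference between the two patterns.
    CANDIDATES = [
        "Hacker Insurance",
        "Cracker Insurance",
        "|acker Insurance",
        "Cacker Insurance",
        "racker Insurance",
        "acker Insurance",
    ]


    def class_members(char_class):
        """Enumerate the printable ASCII characters a one-character class accepts.

        Spelling out the accepted set is the quickest way to see that the '|'
        inside brackets is a literal bar, not an alternation operator.
        """
        compiled = re.compile(char_class)
        return sorted(c for c in string.printable if compiled.fullmatch(c))


    def matches(pattern, candidates=CANDIDATES):
        """Return the candidates the pattern accepts as a whole (anchored match).

        fullmatch is used on purpose: a validation regex that is not anchored
        would accept even more than shown here.
        """
        compiled = re.compile(pattern)
        return [s for s in candidates if compiled.fullmatch(s)]


    if __name__ == "__main__":
        print("[H|Cr] accepts the characters:", class_members("[H|Cr]"))
        print("character class accepts:", matches(CLASS_PATTERN))
        print("group alternation accepts:", matches(GROUP_PATTERN))
    ```

    Running it shows the class form accepting "|acker", "Cacker" and "racker" while rejecting "Cracker", and the group form accepting exactly the two intended titles. In a usage synopsis (the second thread's reading) the brackets mean "optional" and the bar separates alternatives, so the same text is unambiguous there; the example only settles what a regex engine does with it.
    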

  55. My favorite part of the article is.. by z_gringo · · Score: 2, Interesting

    Where the CTO for Counterpane Internet Security says:
    "I believe that within a few years hacking insurance will be ubiquitous," Schneier said. "The notion that you must rely on prevention is just as stupid as building a brick wall around your house. That notion is just wrong."

    Uh, my house has brick walls on all sides for that very purpose..

    I guess he is saying that now we should all just forget about applying patches, and installing firewalls. We should just buy insurance for when we get hacked.

    --
    -- -- Warning. Do not stare directly at the sun.
    1. Re:My favorite part of the article is.. by MaestroSartori · · Score: 1

      So when someone walks up to the open window in your brick wall, or picks the lock in your front door and steals all your belongings, you'll wish you had home contents insurance.

      See why this is useful now?

  56. Actually... by kentyman · · Score: 1

    Don't you mean (H|Cr)acker?

    --
    You know where you are? You're in the $PATH, baby. You're gonna get executed!
  57. parent +5! Infinite wisdom! by Anonymous Coward · · Score: 0

    Thou art wise.

  58. One ins. co distinguishes operating systems by Anonymous Coward · · Score: 0

    J. S. Wurzler charged more for Windows NT users, compared with Linux or Unix. This from the CNET news article:

    Okemos, Mich.-based J.S. Wurzler Underwriting Managers, one of the earliest agencies to offer hacker insurance, has begun charging its clients anywhere from 5 to 15 percent more if they use Microsoft's Windows NT software instead of Unix or Linux for their Internet operations.

    "We have always felt that there is a high risk with the Windows NT system," said Walter Kopf, senior vice president of underwriting at Wurzler. "We have found out that the possibility for loss is greater using the NT system. Where there is a greater loss, there tends to be an increase in the premium."
    http://news.com.com/2100-1001-258392.html?legacy=cnet

    And here's an article on whether your company could be sued for unwittingly sending on viruses:
    http://www.gigalaw.com/articles/2001/hollander-2001-11.html

  59. Just call them Attackers by Effugas · · Score: 1

    I've just taken to abandoning both Hackers and Crackers and using Attackers. It works just fine in everyday conversation and nobody misunderstands you. "NAT can prevent attackers from breaking into your network, by removing global incoming addressability." "The web site was attacked, but survived." "Somebody is attacking my server."

    Say what you mean, mean what you say.

    --Dan

  60. Hm. by grub · · Score: 1


    I just called my insurance company:

    me: g1bb0r m3 h4x0r 1n5ur4nc3.
    insurance co.: Pardon me?
    me: g1bb0r... m3... h4x0r... 1n5ur4nc3...
    insurance co.: Sir, this is an insurance company.
    m3: 3y3 gn0 j00 l4m3x0r! G1BB0R M3 H4X0R 1N5UR4NC3!
    -- click --

    Some people have no sense of humour.

    --
    Trolling is a art,
  61. The new fraud... by Cruciform · · Score: 1

    Instead of having Vito and Tony torch the warehouse, you just give the kid down the street the passwords to the router and the server farm :)

  62. Hmmmm.. by Restil · · Score: 1

    Compare your average internet connected server to a more real world scenario, and compare your "cracker" to your "thief".

    Imagine a thief wants to steal my TV set and no law or threat of force is going to stop him. If I were to "store" my TV set out on the sidewalk in front of my house, it WILL disappear. It's only a matter of time. Likewise, if I keep an insecure server wide open on the internet, with known exploits, it WILL get cracked, it's only a matter of time.

    Now consider that I store my TV set inside my house, like most people do, and keep the doors locked, like most people do. The cracker still knows where the TV is, but he'll first need to get inside to take it. However, if he is undeterred, he can break a window and get in. This compares to your average insecure system behind a firewall. Good protection, to be sure, but if there is a flaw in the system, and an insecure system behind a firewall is still a major flaw, someone can still get in. The options are just limited.

    Now say I bolt down the TV set. Removing it will require an extensive amount of time. A dedicated thief can still get it if he wants to, but there's almost a 100% chance that he'll get caught in the process. A well patched, up to date system with no known vulnerabilities is safe. Certainly, some blackhat might have a way in that nobody has ever heard of before, but it's highly unlikely. And likewise, they can track down the physical location of the machine, and hit it manually, but by that time you have bigger problems.

    How does this relate to insurance? Imagine an insurance company willing to insure a TV set you store on your sidewalk. It's not going to happen.
    So will an insurance company choose to cover a network that has any known vulnerabilities on it? Or are they going to do a risk assessment based on a company's ability to keep their machines secured? And do they plan to keep track of these things? Simple fact is, a well secured network probably won't need the insurance. And good administrators will know this.

    This means, that anyone who really needs the insurance will have to pay a TON of money for it, otherwise the insurance companies will go broke handling all the claims, for if someone is well insured, they're likely to be more sloppy. This means the insurance company is going to have to take a somewhat proactive stance to insure (no pun intended) that the customer's network is secured.

    And just think of the possibilities for fraud...

    -Restil

    --
    Play with my webcams and lights here
    1. Re:Hmmmm.. by smash · · Score: 1
      How does this relate to insurance? Imagine an insurance company willing to insure a TV set you store on your sidewalk. It's not going to happen. So will an insurance company choose to cover a network that has any known vulnerabilities on it? Or are they going to do a risk assessment based on a company's ability to keep their machines secured? And do they plan to keep track of these things? Simple fact is, a well secured network probably won't need the insurance. And good administrators will know this.
      Nope, they'll just refuse to pay out, due to fine print that disclaims responsibility if "due care" is not taken, if I know my insurance company practices :P

      smash.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  63. Your fault by gnarled · · Score: 1

    If you are a bad driver and get into a car crash that was your fault, the automaker is definitely not responsible. If you overdose on medicine, the drug company is not responsible.

    If you are inept and don't keep your system up to date, the software company is not liable.

    --
    I'm a firm believer in the philosophy of a ruling class. Especially since I rule. -Randal, Clerks
  64. Loss Aggregation problems by scottwimer · · Score: 1

    Cyber-risk insurance is a neat idea. There is one major problem with treating it like other sorts of risk that insurance companies write policies for -- the constant and easy loss aggregation potential.

    Loss aggregation is the insurance industry's term for the ability of a single incident to cause multiple claims across their policy book. The Sept 11 attacks are one example of the type of loss aggregation problem that really frightens them.

    Cyber-risk policies present similar situations. As long as computer security is driven by the absence or presence of vulnerabilities, individual exploits can result in thousands of claims.

    I spent some time discussing this in my session on preventative security for vulnerable software at LinuxWorld last week. As I said then, the insurance companies will be our strongest ally in the security space, but only if we can make computer security a solvable problem.

    Don't be fooled into thinking that security problems will go away if only we can get patches for vulnerabilities applied just as soon as they are available. The recent Sapphire/Slammer mess should be sufficient to indicate that businesses aren't ever going to be consistently up-to-date with the latest patches. Thinking otherwise is just silly. Security this way is the functional equivalent of taking care of a 3 month old child: feed, burp, change diaper, repeat. Worse, it's a 3 month old that never grows up.

    Anyway, back to work.

    --
    -- Intrusion prevention for Linux servers. www.cylant.com
  65. I wonder if www.hollywoodreporter was insured :) by nutznboltz · · Score: 1

    $ whois www.hollywoodreporter.com

    No match for "WWW.HOLLYWOODREPORTER.COM".

    Wayback machine

    Some quick notes: www.hollywoodreporter.com recently posted an article about RIAA web site being hacked and then suddenly it disappeared from Internet DNS.

  66. Cracker insurance is YAFOWT by nutznboltz · · Score: 1

    Yet Another Form of Windows Tax.

  67. The difference... by Eric_Cartman_South_P · · Score: 1
    ... is big enough that I believe it WILL be accounted for. Insurance rates are a lot more calculated than you portrayed, I believe. I do tons of tech work exclusively for Financial Planners and companies (New York Life, Guardian, etc) so I know a thing or two about insurance. Keeping things simple, an example might better portray my thoughts:

    All other things being equal, you pay less car insurance when you have airbags vs. none. Or when you have an alarm vs. none. It's a slight reduction on the comprehensive part of the insurance. I think running BSD instead of Windoze is a big enough difference that there, on whatever level large or small, should be a change in premiums paid. It should be interesting!

  68. H-1B Insurance by Baldrson · · Score: 0, Troll

    One of the tricks used by Israeli nationals in the US is to have "students" running around doing stuff that skirts on the illegal -- and then sending them back to Israel when things get hot. I wonder how many H-1Bs from, say, India you can have in a software shop before the carrier starts to jack up the insurance rates. There's always more where they came from you know ... lots more than Israelis.

  69. Schneier is WRONG by Anonymous Coward · · Score: 0

    Two years ago I heard Bruce Schneier at DefCon saying that "intrusion detection is more important than intrusion prevention". And now he's touting the purchase of insurance over focusing on attack prevention. While Schneier knows more about cryptography than most people on this planet, he doesn't know sh*t about real-world corporate security. I've been doing InfoSec for over 13 years, and I would much rather put my resources into hardening my systems/databases/applications than into monitoring and reacting to intrusions. I've seen a couple prior responses here that seem to be along the same lines.

    Also, being that Schneier's company is partnered with Lloyds of London (who provides such insurance) and can provide the necessary assessment services, perhaps his "expert opinions" on the subject show just how far his professional integrity goes. Hmmmm!!!!

    Vic

  70. Last Post! by alpg · · Score: 0

    Fortunately, the responsibility for providing evidence is on the part of the person making the claim, not the critic. It is not the responsibility of UFO skeptics to prove that a UFO has never existed, nor is it the responsibility of paranormal-health-claims skeptics to prove that crystals or colored lights never healed anyone. The skeptic's role is to point out claims that are not adequately supported by acceptable evidence and to provide plausible alternative explanations that are more in keeping with the accepted body of scientific evidence.
    -- Thomas L. Creed, The Skeptical Inquirer, Vol. XII, No. 2, pg. 215

    - this post brought to you by the Automated Last Post Generator...