Dailydave mailing list archives
Re: 0x43434343 - talking of money...
From: "Kurt Seifried" <listuser () seifried org>
Date: Sat, 22 Nov 2003 15:34:18 -0700
Once upon a time... I did some consulting work. Through a company, with a second guy. We were helping a shipping company verify the design of their authentication system for a web based system that provided information/etc to their employees. We did the work remotely, via email and over the phone. Simply put we read their design docs, spoke to them on the phone a few times, and had a few email exchanges. The contract took around 30 hours including writing the final report. We billed them $6,000 USD (as agreed) for it, that's $200 an hour per person for us to read your docs, talk to you and essentially say "this is correct".

Was it worth $6,000 to the company? Heck yes. The cost of one intrusion into the system (did I mention this had to be used via public web terminals like in airports?) would easily cost more than verifying the design. The cost of fixing a mistake in implementation would easily cost more than $6,000. Essentially it was a case of "measure twice, cut once".

We need to remember that often times what we provide to a business, even if it seems to be at a rather high price, is well worth it to them. I used to feel guilty making as much money as "professionals" until I realized that it was worth it. I pay my accountant a hundred bucks an hour, and I smile when I write him the check for my year end. One year I tried to do my own book-keeping, it took me 80 hours all told (that's two weeks of lost billing time basically, OUCH), my accountant took me aside after that year end day and said politely "Kurt... we think it's best if from now on we do your book-keeping for you, it's going to cost a little extra". At which point I interrupted him and said something to the effect of "Oh god yes, please, please please please do my book-keeping. I don't care what it costs as long as I don't have to do it".
I suspect he was prepared to make the case for it, but I already knew the most important thing, it was cheaper to pay my accountant $X to do it right than to lose $Y (where Y is a sum larger than X) in billable hours doing it myself. This is true of many specialized tasks, especially in computer security.

Although yes, once you're earning 6 digits I think it's time to start thinking about why you really need much more. Personally I'm a big believer in quality of life, and money, beyond a sane level, doesn't really help much there.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "Daniele Muscetta" <daniele () muscetta com>
To: <dailydave () lists immunitysec com>
Sent: Saturday, November 22, 2003 7:30 AM
Subject: Re: [Dailydave] 0x43434343 - talking of money...
You guys wrote (sorry for mixing different threads and people together):

there is a definite desire to have a way for vulnerability researchers to make money purely off vulnerability research, rather than signing NDA's to Microsoft and going and sitting in a cube in Seattle for 80K a year plus health insurance and a couple free copies of Word.

And:

As far as 5k for my 0day...I would laugh, I make far more doing pentesting with it than 5k would cover.

Well... what does it make me think: What kind of living standard do you guys have? Or would like to have? Even those 80K are NOT that bad.... I live with just more than 30K with my wife and two kids! And trust me that we manage, we don't miss anything seriously!! Do you ever think how a lot of FAMILIES actually live with much less? HOW MUCH money do you think is really needed to live in this world? Do you EVER think of third world countries where 300 bucks a month is a RICH salary? ...and there are families actually carrying on with that... Do you ever even feel a tiny bit guilty or greedy for desiring so much?

You might dismiss me as being a bigot... but there's a limit.... I just don't care what you will think of this rant of mine. I am just disgusted by your being greedy and just trying to get rich with your research. If you do research for the sake of research.... you should be happy to do it, and that's it! You should not be claiming for money so much! You get compensation already. Those 5K is my wage of TWO months!

Well, I am all in favour of knowing how things can be made more secure, but your research is mainly about how to break them, most of the times.... and you even fight with each other about who was able to break it first... Have you ever tried to BUILD something instead?

I don't mean to raise a flame. I just hope to make someone think with his heart instead of with his wallet for a minute.
With Best Regards,
Daniele Muscetta

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave