Dailydave mailing list archives

Re: 0x43434343 - talking of money...


From: "Kurt Seifried" <listuser () seifried org>
Date: Sat, 22 Nov 2003 15:34:18 -0700

Once upon a time...

I did some consulting work. Through a company, with a second guy. We were
helping a shipping company verify the design of their authentication system
for a web based system that provided information/etc to their employees. We
did the work remotely, via email and over the phone. Simply put we read
their design docs, spoke to them on the phone a few times, and had a few
email exchanges. The contract took around 30 hours including writing the
final report. We billed them $6,000 USD (as agreed) for it, that's $200 an
hour per person for us to read your docs, talk to you and essentially say
"this is correct".

Was it worth $6,000 to the company? Heck yes. The cost of one intrusion into
the system (did I mention this had to be used via public web terminals like
in airports?) would easily cost more than verifying the design. The cost of
fixing a mistake in implementation would easily cost more than $6,000.
Essentially it was a case of "measure twice, cut once".

We need to remember that often times what we provide to a business, even if
it seems to be at a rather high price, is well worth it to them. I used to
feel guilty making as much money as "professionals" until I realized that it
was worth it. I pay my accountant a hundred bucks an hour, and I smile when
I write him the check for my year end. One year I tried to do my own
book-keeping, it took me 80 hours all told (that's two weeks of lost billing
time basically, OUCH), my accountant took me aside after that year end day
and said politely "Kurt... we think it's best if from now on we do your
book-keeping for you, it's going to cost a little extra". At which point I
interrupted him and said something to the effect of "Oh god yes, please,
please please please do my book-keeping. I don't care what it costs as long
as I don't have to do it". I suspect he was prepared to make the case for
it, but I already knew the most important thing, it was cheaper to pay my
accountant $X to do it right than to lose $Y (where Y is a sum larger than X)
in billable hours doing it myself.

This is true of many specialized tasks, especially in computer security.

Although yes, once you're earning 6 digits I think it's time to start
thinking about why you really need much more. Personally I'm a big believer
in quality of life, and money, beyond a sane level, doesn't really help much
there.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


----- Original Message ----- 
From: "Daniele Muscetta" <daniele () muscetta com>
To: <dailydave () lists immunitysec com>
Sent: Saturday, November 22, 2003 7:30 AM
Subject: Re: [Dailydave] 0x43434343 - talking of money...


You guys wrote (sorry for mixing different threads and people together):

there is a definite desire to have a way for vulnerability researchers
to make money purely off vulnerability research, rather than signing
NDA's to Microsoft and going and sitting in a cube in Seattle for 80K
a year plus health insurance and a couple free copies of Word.

And:

As far as 5k for my 0day...I would laugh, I make far more doing
pentesting with it that 5k would cover.


Well... what does it make me think:


What kind of living standard do you guys have? Or would like to have?
Even those 80K are NOT that bad.... I live with just more than 30K with
my wife and two kids!
And trust me that we manage, we don't miss anything seriously!!

Do you ever think how a lot of FAMILIES actually live with much less?
HOW MUCH money do you think is really needed to live in this world?

Do you EVER think of third world countries where 300 bucks a month is a
RICH salary? ...and there are families actually carrying on with that...
Do you ever even feel a tiny bit guilty or greedy for desiring so much?


You might dismiss me as being a bigot... but there's a limit....
I just don't care what you will think of this rant of mine.

I am just disgusted by your being greedy and just trying to get rich
with your research.
If you do research for the sake of research.... you should be happy to
do it, and that's it!
You should not be claiming for money so much!
You get compensation already. Those 5K are my wage for TWO months!

Well, I am all in favour of knowing how things can be made more secure,
but your research is mainly about how to break them, most of the
times.... and you even fight with each other about who was able to break
it first...
Have you ever tried to BUILD something instead?

I don't mean to raise a flame.
I just hope to make someone think with his heart instead of with his
wallet for a minute.


With Best Regards,

Daniele Muscetta



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave



