Shostack + Friends Blog Archive

 

The Diginotar Tautology Club

I often say that breaches don’t drive companies out of business. Some people are asking me to eat crow because Vasco is closing its subsidiary Diginotar after the subsidiary was severely breached, failed to notify their reliant parties, mislead people when they did, and then allowed perhaps hundreds of thousands of people to fall victim to a man in the middle attack. I think Diginotar was an exception that proves the rule.

Statements about Diginotar going out of business are tautological. They take a single incident, selected because the company is going out of business, and then generalize from that. Unfortunately, Diginotar is the only CA that has gone out of business, and so anyone generalizing from it is starting from a set of businesses that have gone out of business. If you’d like to make a case for taking lessons from Diginotar, you must address why Comodo hasn’t gone belly up after *4* breaches (as counted by Moxie in his BlackHat talk).

It would probably also be helpful to comment on how Diginotar’s revenue rate of 200,000 euros in 2011 might contribute to it’s corporate parent deciding that damage control is the most economical choice, and what lessons other businesses can take.

To be entirely fair, I don’t know that Diginotar’s costs were above 200,000 euros per year, but a quick LinkedIn search shows 31 results, most of whom have not yet updated their profiles.

So take what lessons you want from Diginotar, but please don’t generalize from a set of one.

I’ll suggest that “be profitable” is an excellent generalization from businesses that have been breached and survived.

[Update: @cryptoki pointed me to the acquisition press release, which indicates 45 employees, and “DigiNotar reported revenues of approximately Euro 4.5 million for the year 2009. We do not expect 2010 to be materially different from 2009. DigiNotar’s audited statutory report for 2009 showed an operating loss of approximately Euro 280.000, but an after-tax profit of approximately Euro 380.000.” I don’t know how to reconcile the press statements of January 11th and August 30th.]

3 comments on "The Diginotar Tautology Club"

  • Anonymous says:

    “I think Diginotar was an exception that proves the rule.”

    This is a stretch using the very logic you’re arguing against, though I admire your effort to spin it around. I think you as well as the people asking you to eat crow are generalizing, albeit on two different fronts. The actions taken by DigiNotar (referring to delayed response and/or suppression) are not much different than governments or companies of past following a suspected breach. DigiNotar was in a significant position of trust leading to far-reaching negative effects making this incident irreparably harmful to their business.

    While this may be the case with a trusted CA, as placed trust becomes increasingly important and visible to the people that rely on technology more every day – other companies may meet the same fate. It’s a combination of factors in both how the incident is handled, how the entity is trusted and, most importantly, the perception of the incident in the minds of the public and those in power politically.

    Trying to generalize or come up with rules that hold true as such things evolve will only lead down a path of disappointment. Many of the factors involved are difficult, if not impossible to measure. But then, many people are good at spinning anything into something else – be it positive, forgotten, or anything else.

    -.02

    • Adam says:

      I disagree quite strongly. We have lots of other incidents that have not lead to businesses shutting down. Its incumbent on others who’d like to make the case that Diginotar proves something to explain what it is and how it differs from Comodo.

  • LonerVamp says:

    With Diginotar, I really believe this is not indicative of a, “you get hacked you go out of business,” issue, except in certain cases. For Diginotar, their security broke. But that’s their line of business. When a company’s line of business breaks, no matter what it is, there’s a good chance you’re history. And not only did they make a big mistake, but it was pretty endemic, with multiple intrusions and a multitude of fundamental things that were just plain wrong.

    If your main line business fails enough that your customers shun you, you’re going to be done. Has Comodo been shunned? I’ve not had any such indications of that outside security-minded persons. For Diginotar, browsers slammed them, the media made a huge deal of it, and their own government slammed them. What’s left? From what rumors I’ve heard, this was a good chance for Vasco to deal with what was a poor investment decision in the first place…

    A single point of failure that results in a major retailer divulging CC information really still doesn’t hit their main business line in such a brilliant fashion, and certainly can be PR’ed down into an isolated issue.

    A counterpoint would probably be to bring up HBGary, though it would be better to bring up HBGary Federal, which itself may as well be gone and will likely either be sold or just abandoned.

    One might even bring up Epsilon’s recent breach and continued rumors of still being inadequate, though again I’m not sure their main line business was affected, i.e. they can still email out and fulfill their marketing contracts.

    While I don’t think any rule can be made either way, as everything is so situational, I really think you have to watch your main business line (especially if you’re in security) and watch your customer reaction.

Comments are closed.