CrankySec

Fungible Tokens

A token is a symbol. Something that exists to represent something else. When we say "here's something as a token of our appreciation", we are saying "since appreciation is not tangible, here's something that is." A token at the arcade is a representation of your permission to play a game: it's a way to tell the machine that you've paid, and you're allowed to play. Fungibility is the property of something being exactly the same as another unit of the same something. One dollar is one dollar. My $1 bill has the exact same purchasing power as your $1 bill. We can swap bills and we'll have exactly $1 at the end. That banknote is a token, and it's a fungible one: it's a physical representation of a social construct (money), and, all things being equal, one banknote is the same as the next.

The important thing here is that tokens are symbols, and we're seeing the transformation of our profession from necessary to symbolic.

Back in the late 1990s and early 2000s, computer fuckery was afoot. Computers were being connected to this global network, people noticed that a lot of the vibes, aesthetics, techniques, and ethos of phreakers were transferable to this new reality, shenanigans research was being done, tools were being developed, conferences were being organized, hacker supergroups were a thing, and some enterprising folks realized that there was money to be made from companies that were scared of this new landscape.

All the horror stories involving viruses, worms, Back Orifices, SQL injections, MitMs, buffer overflows, and whatnot led to a knee-jerk reaction that created a whole new market. This new market made a bunch of the first movers very rich, and created a massive demand for skilled labor. The confluence of every business needing to "get on this internet thing" and the unknown risks of doing so changed the course of many careers: your system admins now need to know how to protect your systems on top of knowing how to run your systems. This, of course, was too much. Specialization was needed, and specialize we did. Security operations centers emerged. The need for penetration testers, researchers, malware analysts, security architects, digital forensics and incident response people skyrocketed, and, a little bit later, the need for GRC people, threat modeling folks, threat intel peeps, cybersecurity auditors, et cetera, exploded as well. Professional prospects were good if you were into that sort of thing.

Those were the mobilization days of the war against the unknown enemies of "dIgItAl TrAnSfOrMaTiOn": McDonald's wants to offer you the option to order your Filet-o-Fish over the internet, but McDonald's doesn't want people fucking with the online ordering application and getting 100 happy meals for -$500. Those holes needed to be patched, and no one even knew what and where these holes were. An army of professionals was needed, and the corporate world started drafting recruiting anyone with a pulse.

It goes without saying that plucking people with no experience right out of school and/or help desk was not going to work on a large scale, mainly because there was no experience to be had in the first place. Everything was brand new, everyone was kinda figuring it out as they went. Again, some enterprising people looked at the landscape and thought: "Well, shit. Let's start training people on how to do this job! Everyone's digging for gold, let's sell shovels type of deal!" The cybersecurity certification racket industry was born.

Pay was good, jobs aplenty. Unfortunately, "good pay" and "jobs aplenty" are anathema to our current model of capitalism. Once again, there was money to be made by removing the "inefficiencies", "streamlining processes", looking for "economies of scale", and shit like that. That gave birth to managed security services companies, vCISOs, bug bounties, and every other kind of tactic that can be employed to make people do more while paying less. Why the hell would I pay $300k for a CISO if I can have a virtual one for $30k? vCISOs are a win-win: cheaper than an actual CISO, and someone from the outside I can throw under the bus and still sleep at night. Worst thing that can happen is us having to move to a different MSS. Some regulation says that we must have a CISO? We do have one. They just happen to be the CISO of 10 other companies. If, for regulatory purposes, all you need is a CISO, it doesn't matter who they are. They're fungible. But, most importantly, they're tokens.

With many of the low hanging fruits of cybersecurity somewhat solved, and the things we didn't manage to solve rendered inconsequential (to the businesses), it's time to demobilize. The market doesn't need this many people not because the threats are no longer there or because we have great cybersecurity. The market doesn't need this many people because the market does not give a fuck about cybersecurity. Companies have learned that they don't need to be proactive and prevent cybersecurity incidents from happening: they just need to say "sowie UwU", send you some code to an identity monitoring service, sit back a couple of weeks and see their stock price bounce right back. The only remedy for the people who are affected by shit like this is the cumbersome process of going to court or joining a class-action suit to maybe get a $4 check 10 years from now.

In other words, companies realized that cybersecurity failures can be added to the externalities heap: they get to enjoy the benefits of monetizing our data while letting us handle the fallout of their negligence. Same as always.

Little aside: What is "funny" to me is that this doesn't work on a smaller scale: imagine you're at a bar with a bunch of people. One asshole drinks the bar dry and vomits all over the place. He then says: "Well? Aren't you guys going to clean up this mess?" The check comes, and said asshole says "Well? Aren't you guys going to pick up the tab?" I'm sure you wouldn't extend another invitation to the aforementioned asshole. We don't act the same way when it comes to subsidizing the consequences of bad cybersecurity.

I don't think you have to wonder why a software "engineer" for a decaying company with very little societal value like Meta makes $500k/year to invent new ways to show you ads, while the people who are trying to make sure your granny's SSN doesn't leak so she won't get her identity stolen, or the people who are trying to prevent your computer from joining a DDoS machine or becoming part of a cryptocurrency mining operation behind your back are making $75k.

That's a very clear message: preventing bad cybersecurity outcomes isn't worth anything near the ability to make you click on an ad. Helping secure our very infrastructure is not worth the same as spying on your every move and selling your data to the highest bidder. Doing collective good seems to be bad for business. But businesses cannot openly say that. AT&T can't go and send you an email saying "LOL. We lost your data, and there's nothing you can do about it. Get fucked!" They need to put on a show and say that they care very much about cybersecurity and privacy. "We take security very seriously! We even have a cybersecurity team!" That's your token right there. A lot of us are employed today as tokens, not as people who are expected to do something. Symbols that exist to show the world that our employers "take security very seriously!"

Where does that leave us, then? Fuck if I know. But, if I had to venture a guess, I'd say the only way out of this mess is through collective action. And that's also a hard thing to do, but we're trying. Clearly, I need to acknowledge that this is not exclusively a cybersecurity issue: you can s/cybersecurity/anything and this should read about the same because with very few exceptions, we're all fungible tokens.

P.S. We are raising funds to try and get some sort of formal entity off the ground that would serve to address at least some of these problems. We have a store, and you can also buy me a coffee. But do join us on Discord so we can put our heads together and see what we can accomplish.