The broken Windows fallacy

The idea that malicious security crackers serve a greater good is an example of the broken window fallacy. Chad Perrin addresses the idea that the industry "needs" these miscreants for certain IT jobs to survive.

Frédéric Bastiat illustrated the broken window fallacy in an essay entitled That Which Is Seen and That Which Is Unseen. When someone claims that a destructive event creates opportunity and productivity benefits that outweigh the detrimental effects, that person (almost always) engages in fallacious thinking.

The term "broken window fallacy" arises from Bastiat's parable of the broken window, in which the following argument is made:

It is an ill wind that blows nobody good. Everybody must live, and what would become of the glaziers if panes of glass were never broken?

The assumption there is that, if windows didn't break, the glaziers' industry would be gutted. As a result, though the shopkeeper whose window was broken is at least momentarily inconvenienced, it seems this event may actually be a blessing in disguise, contributing to the prosperity of an entire industry. The vandal who breaks the window may even be regarded as a hero for setting such benefits in motion!

Bastiat, however, has other ideas:

It is not seen that as our shopkeeper has spent six francs upon one thing, he cannot spend them upon another. It is not seen that if he had not had a window to replace, he would, perhaps, have replaced his old shoes, or added another book to his library. In short, he would have employed his six francs in some way, which this accident has prevented.

The resources that were expended fixing the damage of the broken window were diverted from other uses. One might argue that the end result, then, is neutral -- because there's nothing saying that the book binder who would otherwise have received that money is more deserving of it than the glazier who did receive the money.

This all ignores the quality of life of the shopkeeper whose window was broken, however. His money was essentially spent double-paying for something he already owned. If the window had not been broken, he might have actually improved quality of life for himself and his family by purchasing something new. Alternatively, such incidents of misfortune might prompt him to raise prices on his goods, thus impacting the lives of his customers. Given enough such incidents, he may even be forced to eventually close up his shop entirely.

The broken window fallacy is that of the person who ignores lost opportunities, some of which we may never even be able to identify because they did not arise in the first place. The cost may be, literally, immeasurable.

Compare this to statements to the effect that we "need" malicious security crackers. Apparently, these people induce software developers and vendors to make their software better. They ensure that more software developers and security professionals are employed. They, more so than vandals throwing rocks at shop windows, essentially create an entire industry! In some respects, they are surely heroes.

Similarly, when debates arise over the suitability of given pieces of software for security or stability purposes, some wit may point out that without the failures of that piece of software he or she may not even have a job:

"I'm glad Windows breaks down from time to time. It keeps me employed."

I've seen that at least half a dozen times in the last few years at TechRepublic alone.

I made a living almost exclusively at fixing broken Windows for a while. I was technically an IT consultant, working for a consultancy in Florida, but I might as well have called myself a glazier at the time. When I find upwards of 17,000 separate virus, worm, and other malware infections on a single machine, I'd say that Windows install was definitely broken. Now, I'm writing about security for TechRepublic, a job that probably wouldn't even be necessary at all if not for the activities of malicious security crackers, the vulnerabilities of poorly designed software, and the behavior of security-unconscious users.

That doesn't mean I want, or ever wanted, these problems to exist so that I could make a buck. If I could make a choice to either increase the frequency and severity of IT security problems (thus increasing my services' market value) or decrease them to the extent that I have to find a new line of work -- all else being equal -- I would select the latter without hesitation. I can find another line of work, if necessary; I cannot, however, magically make the money spent on my services appear out of thin air, allowing the people paying me to contribute more effectively to the production of wealth in the economic environment we both share.

The next time any of you feel tempted to defend malicious security crackers or developers of low-quality software, I hope you'll recognize that argument for what it is: an example of the broken Windows fallacy.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

34 comments
BEMarshall

He has much useful to say to us today. I had not expected to see him cited in this context, but it fits. Good article!

stu.field

I used to work in an autobody shop and while no one wants to see mangled cars with often mangled people, we did occasionally pray for rain and the wrecks it brought. However there is a big difference between accidents and vandalism and theft. What seems to happen most to computers is nothing more than vandalism or theft by another name. It is wrong and should be punished. Everything breaks down. A lot of what passes for work is fixing broken stuff, medical - bodies, mechanics - cars, and techs - computers and electronics. Unless you are making or building something or growing food, that is what we do. It would be nice to remove those intentionally breaking stuff from the equation but I don't think it's likely to happen.

Neon Samurai

.. is the willingness to work one's self out of a job because it's no longer needed. I think most of us would like to discover that the office is secured and responding to future threats without our ongoing labour. I did have a boss back in my days of working a Windows shop though. "If not for Microsoft, we wouldn't get to visit our customers weekly on billable time."

CharlieSpencer

I recall the term used in economics is "opportunity cost". Every time someone spends money, they choose to sacrifice the opportunity to spend that money on everything else available at that price. Money spent on windows is money not spent on books or shoes. Time spent fighting malware is time not spent on more interesting, more productive work. People often complain here about the liability of software and OS developers not properly securing their code, while usually neglecting to assign any responsibility to the malware developers.

HAL 9000

But no matter how much anyone improves the Hardness of Windows the day isn't going to come soon that I will not have a job. Personally though I would prefer not to be doing this work as there is much more productive work I could be doing improving the whole Computer Experience and not wasting my time by running around fixing things that others have deliberately broken. Col

Tony Hopkinson

against code rot there.... There are always other broken windows to replace. Far too many people living in greenhouses and throwing bricks about. Oops...

Sterling chip Camden

People are often afraid to work themselves out of a job by providing a solution that renders what they're doing unnecessary. I've always felt that if you're able to create a comprehensive solution, there will be plenty of other opportunities to follow.

Neon Samurai

The farmers are out of work for a few months but that cold could be gravy time for the autobody folks.

jmgarvin

Our software is pretty darn good at what it does. However, the bugs we encounter, for the most part are due to Windows or some freaky stupidity in a MS API we are using. The prime example of kludge is how Windows deals with services. WTF is wrong with Windows and why can a service get "stuck" in the starting state? Why do I have to reboot to REALLY restart my services?

apotheon

I recall the term used in economics is "opportunity cost". Yep, that's the term. I didn't feel a particular need to use it in the article to get my point across, though. People often complain here about the liability of software and OS developers not properly securing their code, while usually neglecting to assign any responsibility to the malware developers. I don't think that's really how it tends to play out. I think what usually happens is that people blame the malware developer for screwing with us and the software developer if he or she (or it, in the case of an organization) hasn't done everything reasonably possible to ensure these problems are fixed quickly or never arise in the first place. Other people then raise a stink about how it's not the software's fault, or the software vendor's fault, because of absurd arguments like "It's only vulnerable because it's more popular!" and of course a huge debate springs into being. Because the debate isn't about the malware writers, they appear to get less attention from those assigning blame, but the only reason for that is in fact the apologists for commercial vendors that do a terrible job of protecting the interest of their customers. . . . or, in your eyes, is suggesting improved security the same as blaming the victim?

Neon Samurai

.. it becomes very much their responsibility. In development methods where others are allowed to suggest patches, the software developer has help and historically corrects the flaw faster. If a flaw is known for a long time but repeatedly not corrected then that is very much the developer's fault. Discovering the flaw is of benefit and reporting that flaw as researchers do is how things should happen. This doesn't absolve criminals who exploit rather than report such flaws. Since those criminals are not easily found and tried, the only response is to continue improving the software which leaves the reactionary responsibility on the shoulders of the software developers. Unfortunately, my own views on what should be done to exploitative criminals would probably cause more martyrs than deterrents.

apotheon

That was an interesting twist as I expected something else What did you expect?

apotheon

I've long been of the opinion that the mark of the true, respectable professional is that he or she honestly works toward the day his or her current services are no longer needed.

Jaqui

Winter is the major maintenance time for the machinery, if not a livestock farm. If the farmer is doing the animal products, then they are year round working on their production. Feeding, watering, cleaning, health checks... The extra bodies for the busier season, the growing season and harvest time, they don't have much work in winter.

Neon Samurai

System shutdown is a function of the kernel. Send the kill signal to the processes then cut power once they all get out of the way. It's not the user space process decision to remain active. This is what happens though. Why is a user space process allowed to hang the kernel's shutdown job? Worse still, it's not a Windows program causing the hang so I can't even claim it's simply IE's deep hooks or similar. I can't blame Windows only for this though as my Mandriva 2008.1 hangs on shutdown when trying to halt the resolver process. Frustrating but by that time the user data seems to be flushed back to the drive already. Windows is hanging within the user's desktop session so I stand a greater chance of data corruption. I know developers who have issues with the .Net versions also. What works on one version breaks with the next. Lack of migration path for those left out in the cold by the latest Studio DE are another one. "Windows has detected mouse movement; rebooting." I wish there was less basis for that joke also. Why must most updates require a reboot before implementing changes; does this all need to be that tightly bound into the kernel? As you point out, why must a full system reboot be performed to refresh services? This was one of the hardest things to understand when I started with Linux based OS actually; "you mean I don't have to reboot? I just restart the daemon? That can't possibly work, doesn't it leave crap in memory?"

HAL 9000

That is a Rhetorical Question right. :^0 Col

CharlieSpencer

Yep, I spotted the post, although I didn't open it up to see what (potentially hypocritical) content I submitted. Lunchtime, you know.

pgit

A fellow I work with occasionally holds the premise that his goal is to put himself out of work, meaning that he has succeeded in getting everyone to operate 110% on best practices. (or on a Mac, he says) He's been very gracious in letting me move some of his clients into Linux, something I did for him a while back (5 years?) This fellow is one serious power user, too. It's amazing what he's done with kontact, for instance. There's no better way to convince someone to try Linux than having this fellow show you around his systems; automated triple back ups, access to his core data from anywhere in the building (and even some of it across the internet) and of course the fact that he can do anything a typical office would require, for free and without bulky anti virus/malware software gunking the works. But I digress. The point being he openly states what you posit as the sign of a 'true professional.' On the other end, when teaching an A+ class I would always show weaknesses in windows design and coding and make somewhat snide comments about Microsoft, until one day an older gentleman apparently had enough and yelled "shut up! Bill Gates is going to guarantee me a job!! He's responsible for your job, too, so shut the up!!!" Some others in the class chimed in, though with less emotion, "...yeah, good or bad it doesn't matter, can we just stick to the curriculum?"

Jaqui

agree with that, mostly. There are some services that it isn't possible in, like Policing. ;) I strongly endorse the concept of having your employees / co-workers taught how to do as many of the jobs as possible. I have seen this find a diamond hidden in the staff, someone hired for one position who excelled in another one when given the opportunity. This also has the benefit of improving the morale for everyone, since they see people being "promoted from within" instead of hired from outside when possible. It also means that in an unexpected staffing shortage [ motor vehicle accident etc. ] your staff can share the workload out without it being a major issue.

Neon Samurai

I'll have a go at it though. I don't think justifying your ongoing expense to accounting by repeating the same fixes over and over is right though. This is like intentionally selling broken or counterfeit products to protect your higher profit margin. Consider a blacksmith that intentionally includes flaws so he can sell the same iron work to the same customer over and over. I'd much rather the underlying flaws that enable my repeat visits for virus infection or data leakage be fixed so I can justify my salary through improving rather than maintaining the information systems. Ideally, I'd like to harden a company once and move on to improving security for the next; each network as a new world to explore. Consider the areas where you are the customer rather than service provider. Do you prefer high quality products you can rely on for years or do you prefer to replace products repeatedly by continually spending money on it? I'd much rather buy once and put the next chunk of money towards something different. For me it's computers. Would one rather buy a computer mouse then replace it several times a year or buy a high quality mouse once? If constantly spending money on replacement mice, one doesn't have that money available for future major upgrades when technology improvements truly justify purchasing new hardware. I'm not going to afford a new GPU in the future if I'm spending all my money on keyboards and mice now. Also, if one is skilled enough to work themselves out of a job in one company, that experience and resume should easily attract the next company. "I worked at XYZ company for six months during which time I implemented self maintaining security policy and automated information systems that will keep them running efficiently and safely for the next decade." - 'Can you start tomorrow?'

micky.parker

We strive to do the best job possible, where things that do go wrong don't happen again. This, generally, is the meaning of professionalism. HOWEVER, when your accountant-led company - as many are - see I.T. in terms of a 'cost centre' & would dearly love to be able to dispense with your services, it is difficult to maintain such an approach.

Neon Samurai

I was thinking of animal farmers as I was hitting send but was more focused on the auto body shops. The winter weather always brings in work for them. Crop farmers get a chance for major maintenance over the winter but it's still down time with the fields frozen over. The harvest is sold and they are left to coast through until the cycle starts in the spring.

Neon Samurai

With the Mandriva shutdown thing it's not consistently hanging and only one machine shows the issue so I can't call it consistent across the distribution or related distributions. I'm organizing my home directory on that for a wipe and 2009.1 install anyhow. It's good to have some ideas to consider with it though. For whatever reason, it's just the Resolver process or if it's shutting down then the process that gets the kill signal after. Windows is more frequent though XP has been better than older versions; most of the time it will eventually shutdown. This is more consistent though as it's not just one machine that presents near hang states during shutdown. In the case of my gaming install at home, the major offenders are two system monitor utilities. The second displays the BIOS AI's processor overclock status which has hung once or twice where the other flakey utility that came with the board I just shutdown by hand before going into my gaming session. I suspected it was either resources or process entanglement though as I can consistently crash out the memory management for IE or Excel thanks to much experience (and lost work) in a previous job. The maximum specs listed in Excel's help are higher than the true maximums it can manage for any reasonable period of time. My Debian boxes have been rock solid except for an Etch to Lenny upgrade that seems to now have syslogd fighting with rsyslogd. Backtrack box hasn't had any issues either though it more often just gets the power button held down (liveCD) unless I'm rebooting into one of the other two OS on that machine.

apotheon

There are three reasons for one of your points that spring immediately to my mind: I can't blame Windows only for this though as my Mandriva 2008.1 hangs on shutdown when trying to halt the resolver process. There are three reasons that a process might reasonably hang the system during shutdown that come immediately to mind. One is that the process might have had itself some kind of fit and started consuming 100% of CPU, thus not leaving any for the kernel processes to use to terminate processes on the system. Another is that the process might have priority access to some resource and simply not be relinquishing it -- and that resource might be considered sacrosanct by the kernel because barging in and taking over could cause data corruption or similar issues, depending on the reason the resource is being monopolized. Finally, it's possible that whatever process is hanging simply is a kernel process. Of course, in the case of MS Windows, there are myriad other reasons that something might hang the shutdown, because its kernel and applications have a very difficult time playing nice with each other sometimes. It's possible some penny-ante desktop widget has spawned a race condition that the kernel processes can't resolve without hosing itself as well. This sort of problem arises because of a number of issues with how the system architecture was designed, such as lack of effective privilege separation. There's one reason that comes immediately to mind for another one of your points: This was one of the hardest things to understand when I started with Linux based OS actually; "you mean I don't have to reboot? I just restart the daemon? That can't possibly work, doesn't it leave crap in memory?" Maybe it (the application) does leave crap in memory, but Unix-like systems tend to have much better process management capabilities, actually cleaning up after memory leaks rather than just leaving it there until the next time the system is restarted. I guess that means the application can leave crap in memory, but the OS eventually cleans up after the application -- whereas in MS Windows, it generally doesn't. Last I checked (on XP), WordPad still had a memory leak that it had inherited from Windows Write back in '93 or '94, and MS Windows still hadn't learned to clean up after it.

CharlieSpencer

If anyone at TR could answer that one, she'd be making enough money in Redmond to have better things to do with her spare time than hang out here.

Neon Samurai

Being available as a liveCD was a big benefit but I've not had the time to properly test it yet either. I need to get some sort of imaging in place though so it's time to go back to the software lists and see what else is available. How is G4U not providing more connectivity options? I'd probably post that as a bug on the tracker list these days. You do have it mitigated as much as possible from the sounds of it though.

pgit

Every test I've done with clonezilla has been an abysmal failure, and I've tried well over a dozen times. Funny you bring it up, I just tried 2 more times yesterday on a 20GB HD w/Mandriva 09.1 yesterday. Both were no go, the first one said the image may be corrupt. We alias the user (proftp) so no actual machine user account info is used to log in to the ftp, and the user account that is on the server that's aliased but used for access is pretty much sand boxed to have access to ftp and little else. There's a fairly stingy smoothwall firewall on the perimeter. (On my own personal setup there's two, with the LAN behind the second and a honey pot occasionally between the two) BTW demonstrating a restore with a G4U image at the moment. I'm going to give clonezilla another try sometime today, too.

Neon Samurai

I had to learn my way around that a while back and managing it out of a database is still cumbersome without going to a more combined solution. Even if I do wire Postfix into a database userlist, it'll need to be edited and I don't see the client getting familiar with SQL from the command line. Any potential in looking at Clonezilla? I believe it does all your imaging and should do sftp. The thought of cleartext usernames and passwords on a closed network is enough to make me itch. Over a public network borders on madness. I'm actually surprised that G4U hasn't already picked up sftp support.

pgit

The ftp is there primarily for using G4U to make whole disk images. Every machine has a bare metal restore image waiting to go. He wants me to update them after he's made major changes to a system. eg he just acquired a new Vista system (for his gaming buddies apparently) so he'll load up his stuff then ask me to "G4U it." It's in part that compunction this fellow has to 'have it all.' And he won't stop asking me to show him more... so far I have successfully avoided saying "mail server." =)

Neon Samurai

Only thing I'd change would be dropping the FTP and running transfers through ssh (assuming you mean FTP not sFTP of course). It was actually your first post that had me looking at Kontact again last night. I'm looking for a way to sync more of my PDA back and forth. There is an OpenSync package for maemo so it's a matter of doing the setup and testing I think. I gave up on Palm long ago for sync to anything but Windows and a sync to my phone would be nice but not critical. Got your comment in a text on my desktop to digest in detail later though. Cheers for the overview.

pgit

I'm at the location right now. It's all pretty out of the box Mandriva setup. There's a file server that keeps everything, and any apps opened from anywhere use the data files off this server. Then there's a backup server that doubles as a print server. This has ssh keys for every other machine and scripts run by cron to go out and grab whatever is needed off the workstations, mostly just personalizations, but there's also personal data on each one (a few of the machines have email accounts for instance) so pretty much /home gets rsynced over ssh. It then pushes a copy of everything to large external HDs for the "grab and run in an earthquake" factor. And lastly it pushes a few critical items over the internet to my ftp server. I've mentioned before I'll offer this free to the good clients that really could benefit. (I really shouldn't say it or I'll jinx the place, maybe hint then: the wiring in this place isn't exactly standard, and there's a lot of stuff running on a few of the circuits...) This guy wanted his data accessed as if local to whatever workstation via sshfs. There's one workstation I set up with a wiki, which this fellow uses like nobody's business. And another has an mp3 server, this fellow listens to a lot of motivational stuff, like the other day some book commissioned by Dale Carnegie in the early 1900's. (a 'book on tape') This guy is the consummate power user, and any tool you show him, he immediately knows how to put it to good use, and of course wants one. I wish everyone were like this fellow. Only problem is the pending transition to KDE 4. We haven't jumped on any but testing machines. (he allows me to use his lab and the bazillion unused computers laying around for testing anything I want) First thing I saw in the Mandriva forums about KDEPIM was stuff like "I've lost my contacts" or "kontact failed to start." That would be a disaster. This guy runs his life out of kontact, literally. (e.g. he's set a color on the calendar for when he's on duty watching his one year old son) Lotta fun around this place. And like you mention it's "set it and forget it" for the most part. Same with a lot of other clients. They'd been seeing the geek squad or some other contractor weekly, until they gave me a shot. Now I rarely ever see the folks. Thank God a lot of people are still using windows. ;) BTW this power user does have 3-4 XP machines and one w/Vista. He's also a power gamer, I don't know where he finds all the minutes in a day...

Neon Samurai

Any chance of a high level outline of his setup being published? I'm currently looking at how to replace Outlook on my test machine. Backups done a different way are always something worth looking at. Access from anywhere on the network; ssh, I love ya! Sadly, in your second point the age old parasitic approach to IT is well demonstrated. Why provide clients with a good system when you can offer a solution that ensures you'll be back to fix it constantly? Broken window fallacy indeed.