Why aren't there more hacks?

Web security is terrible. It's extremely hard to secure computers from motivated and competent adversaries.

So why aren't there more hacks? I look out in the world and there are tons of people and websites that seem trivial to hack, and in an efficient market of hackers you'd expect the hackers to be exploiting these insecurities.

This is both on the organizational level - many companies are incompetent at security - and the individual level - the most commonly used password is still 123456.

Security Stance

• It's gotten much easier to catch hackers, such that even if security as a whole is weak, prosecution and punishment are trivial.
  • If this were true I'd expect to see a large increase in the number of prosecutions. Ironically, the BJS.gov website was unavailable because of an invalid SSL certificate on their cybercrime stats page, so I wasn't able to check, but my guess is that this hasn't gone up proportionately. [info-request]
• Security is actually strong and/or strong in the areas where it matters (e.g. banks), and so for anything you'd want to hack it's actually quite hard to do so.
• Security through obscurity actually does work - there are so many more internet connected devices, people, and orgs, that it's hard to detect the vulnerable and valuable ones.

Demand side

• There's little to no demand to hack most individuals/organizations, because it's too hard to turn specific hacks into money. Banks and credit card companies have too many ways to reverse transactions.
  • Seems plausible, though maybe that speaks to the lack of creativity in turning digital goods into cash among the criminal element?
• Other motivations for hacking (personal, non-monetary) aren't compelling for competent hackers - at least at scale.

Other

• There actually are a huge number of hacks happening/ongoing, but I'm not aware of them because they're never reported (e.g. the graveyard evidence problem).
• A secondary indicator of hacks would be cyber-insurance prices, whether or not they've gone up over time [info-request]