In the military they teach that there are two ways to defeat an enemy: take its ability or take its will. This means you can take away someone’s ability to harm you, or you can take away their will to do so. Why can’t this apply in the world of anti-abuse? Good news…it can!
We already use the term “attack” to describe abusive activity on a platform, and in many ways preventing abuse is like fighting a war. While we would always prefer to take away someone’s ability to abuse the system, in many cases it is not possible, generally because of either time constraints or usability constraints. Let us then understand the will of the enemy to abuse the system.
The vast majority of abuse is, at its core, a business. Therefore, our leading principle in fighting this kind of abuse is to increase the price of abuse and in turn reduce its profitability. Without profitability, we have destroyed the will of the enemy to even start trying to abuse a platform.
Let's illustrate this with an example. Yelp has a lot of restaurants and points of interest available online. They probably have tens or hundreds of millions of records. We can imagine multiple products that can be built on top of those records, from a Yelp competitor to an analytics company that sells other insights from that data. But first we need to have it all available in some sort of database we have easy access to.
If Yelp has 200 million records like this, it becomes a non-trivial task to copy them all. Ignoring any legal or moral aspect of doing this, let’s look at the monetary cost of such a project. We will need a software engineer to write a simple program. Almost any engineer will do at this point, so we might find one to do this for only $5,000 on Upwork or another site. Now we need a server and database. We can use Azure or AWS and get one IP and DB for $1,000 for the duration of such a short project. That puts us at $6,000 / 200,000,000 records = 0.003 cents per record, basically free. This is the cost we need to increase. This cost will grow rapidly as even simple defenses require more expensive engineers working for a longer time, using more expensive infrastructure.
There is another aspect of cost here: how long does it take to grab it all?
If we request 100 records every second (this rate is known as queries per second, or QPS), we will copy 8.64 million records a day: 200,000,000 / 8,640,000 = 23 days. This is another way to increase the cost of abuse: if it takes 20 years to get all the records, it will delay any possible profits so far into the future that it will effectively kill any venture based on Yelp’s data.
It is not hard to see that we will very quickly require a couple of million dollars if every record costs anywhere close to a cent. This would be in addition to the investment in a product based on data copied from Yelp, which might have legal issues and is definitely a weak point for any startup pitching to venture capital for funding. When we get to this point, as Yelp, we reduce the number of potential abusive adversaries, building up deterrence and lowering overall abuse.
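The arithmetic above, carried through as a small defender-side model (an added example, not part of the original post): it reproduces the 23 days and 0.003 cents per record, then shows how a per-client rate limit changes both figures. The $50 cost per extra client identity and the 30-day deadline are constructed assumptions, as are all names in the code.

```python
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400

@dataclass
class ScrapeModel:
    records: int             # records the platform is protecting
    fixed_cost_usd: float    # engineer + one server/IP/DB (the post's $6,000)
    per_client_qps: float    # rate the defender allows a single client
    client_cost_usd: float   # ASSUMED cost of each extra client identity

    def days_to_copy(self, clients: int = 1) -> float:
        """Days to fetch every record with `clients` clients at the cap."""
        return self.records / (self.per_client_qps * clients * SECONDS_PER_DAY)

    def clients_needed(self, deadline_days: float) -> int:
        """Clients required to finish inside the deadline under the cap."""
        return max(1, math.ceil(self.days_to_copy(1) / deadline_days))

    def cents_per_record(self, clients: int = 1) -> float:
        """Total spend per record; the first client is in the fixed cost."""
        total = self.fixed_cost_usd + self.client_cost_usd * (clients - 1)
        return 100 * total / self.records


def qps_cap_for_delay(records: int, years: float) -> float:
    """Per-client cap at which one client needs `years` to copy everything."""
    return records / (years * 365 * SECONDS_PER_DAY)


if __name__ == "__main__":
    # From the post: 200M records, $6,000, 100 QPS. Everything else is constructed.
    for cap in (100, 1, 0.1):
        m = ScrapeModel(200_000_000, 6_000, cap, client_cost_usd=50)
        n = m.clients_needed(deadline_days=30)
        print(f"cap={cap:>5} QPS  one client: {m.days_to_copy():>8.0f} days  "
              f"clients for 30 days: {n:>4}  "
              f"cents/record: {m.cents_per_record(n):.4f}")
    print(f"cap for a 20-year copy: {qps_cap_for_delay(200_000_000, 20):.3f} QPS")
```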
This philosophy will help us stay on the right track with our mind on the goal: reducing overall abuse and protecting the service, its users and its data.
In the next post, I’ll be talking about the methodology we can use to implement the points made here. We will dive into how we can even know we are under attack and how to increase the cost of abuse in more detail.
- Abuse is a business; increase the cost of abuse.
- We can look at cost as a monetary cost.
- We can look at cost as time-based.
- Our goal is to reduce overall abuse and protect the service.