Bad Security Driving Out the Good
Bruce Schneier has up at Wired a typically thoughtful piece on how, in the security market as in others, the lemons are winning out over the good products. Schneier harks back to "The Market For Lemons," the 1970s work of economist George Akerlof, to explain why the market's invisible hand pushes most of the best products into the abyss: "With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death."
Marketing and persuasion always wins out in the end. How many tech guys have tried to convince a boss that whatever solution they are going with is not in the interest of the company? Even if you make an objective flow-chart/business impact plan... their mind is made up. Dick from marketing has personality-brainwashed him. He took him to lunch; he couldn't possibly be like the other salesmen... nice chap.
"I am not bound to please thee with my answers" [William Shakespeare]
Anyone else got a hankerin' for some lemonade after all this talk of lemons?
It really boils down to marketing, IMHO. And laziness. The average person doesn't want to have to learn about something and investigate its merits. By and large they're much happier being told that Item A does XYZ, while Item B does XYZ *and* W, all while being easier to use than Item A. Despite W being a useless feature, and the "easier to use" claim being baseless, Item B will win out due to how it's been marketed.
This guy's the limit!
As TFA states, it's easy for someone to create a security product which they themselves cannot break. Hiring external testers can be a huge expense if done right, and when companies rely more on hype than on technical brilliance, they end up getting screwed. SecuStick is rare only in that its crappy security made headlines.
When you are sure of something, you probably are wrong (search for "Unskilled and Unaware of It").
Well... that explains why Vista is selling.
(Yeah I know... flamebait. But it had to be said.)
than any other IT sector: marketing trumps all. You can have a mediocre product that has a good marketing campaign and you will move product. Moving product begets market penetration.**
-tp
** I set someone up GOOD for a comment....
If you look at technology, the winners are never the best. Because the best costs too much, and people (including us, the more technically informed) rarely get enough information to make informed decisions. There are only very limited industries that are regulated enough to give people information to make the best purchasing decisions. Like fine jewelry: they are required to state what quality the product is. Diamonds have the 4 Cs (Karat (it sounds like a C), Cut, Color, Clarity) and they are very regulated when they tell you what the quality is. The same is with gold; I know my wedding ring is 14 karat gold. Now this is not saying we can't be ripped off, but it at least has a recognized source that tells us what the quality is and we can make informed decisions. Technology is different: there is no clear way that we can know if the Sun Enterprise server is better quality than the Dell server. All we know is that the Dell server is cheaper.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Socrates in the 400s BC was already complaining about how sophistry is winning over logic and reason. The world will never change.
Fundamentally people claim they want security, but are often not willing to pay for it. The business that spends the market driven required amount of time on security (even if it's not enough) wins out.
If on the other hand you spend the proper amount of time on security, and position yourself outside the market by the delay in time and additional cost, you lose.
Which is pretty much why OSS rules in terms of security. In the OSS world, we can afford to spend an extra month or two per release to make sure everyone is in order and decent procedures are followed. Which isn't to say it's always the case [most GAIM plugins are horribly written] but usually more often than not it is with things like GPG, OpenSSL, OpenSSH, etc...
Tom
Someday, I'll have a real sig.
I find the people in Marketing are terrible not only when you're buying a product, but also when you're the company making the product. Sometimes people in marketing make stuff up just to get a sale. I think it's in their blood. It hurts both sides because the customer is expecting to get something that doesn't exist, and the development team now has to build this thing that never existed. So often it gets cobbled together really fast, just so the customer thinks it works, but in reality it's only a half-working solution.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
A Porsche 911 but... Well... You know the rest.
I'm a $600/hr security consultant - you'd know my name, I used to work at - well I probably shouldn't say. I've FORGOTTEN more than Bruce Schneier knows about crypto, and I think the Secustick is a VERY secure product.
Part of the problem here is the market allows itself to be conned. We want to believe that the Securestick works, we don't want to spend the time or pay an extra added expense to have the claims of the marketers actually tested. If users made choices based on objective facts and called for warranties or 3rd party confirmation of marketing claims as part of the base product the lemons would start working their way out of the system. Costs would go up though and so the market is willing to absorb bad products and the risk associated with them for lower immediate prices.
Most people will focus in on cheap, worthless crap because they don't want to spend the money, or expensive over-hyped crap because they believe the four-color glossies. This is true for almost every item on the shelf, not just security items.
With security products, things become harder because there's no easy way to tell if it is working. If there's never an attempt to steal the data or hack the server, or if the attempt goes unnoticed, then it appears everything is working great.
When you buy a car, it's an expensive personal purchase. When it fails, it's immediately obvious and you may have legal avenues to investigate to mitigate the issue.
When you make a security decision, it's usually a low-cost personal purchase. When it fails (say your identity gets stolen), the losses you might incur can greatly outweigh the initial investment in the technology, and you will have little legal recourse against the vendor to make things right.
This is why I don't trust any commercial security product that isn't merely selling support or management tools. Because they've nothing to lose except my business.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
If you build it, THEY WON'T COME, unless you practically shove it down their throat, with associated information, pricing, positioning, comparisons and timing. Got that, Commodore?
Microsoft sells technology like Procter and Gamble sells soap, and that is no accident.
Companies with better technology sit and fume, with never a thought to learning about how to market their products in a competitive marketplace, especially when presented with the fact that marketing AIN'T CHEAP, even if it sucks.
It will never change, because technologists are too in love with their products to ever consider that somebody else won't be without persuasion.
norton/symantec , bought out sygate :(
I keep worrying they'll pounce on nod32 next.
As Microsoft Windows and the design of the optic nerve shows, it's not the best that succeeds, but the thing that's good enough.
I'm in the hole of the broadband donut.
There is an invisible line between being good (as in above average) and good enough (as in gets the job done).
All things being equal, people will choose good over good enough; however, all things are not equal. Better products tend to cost more; better service costs more. Cheap products that do a mostly marginal job win the price war and hence win the market.
There are always going to be niche markets that serve people who KNOW quality and service; most people don't care enough. They'll just choose whatever is cheapest at the moment from brands that they know (even if cheap), as long as (and this is key) the quality is "good enough".
Which is why, if I were making a product line, I'd make two different and distinct products, one "good enough" and one with better, higher quality/service. I'd even go so far as to make sure by brand distinction that people would know "cheap, but good enough" from "good" by using strong branding.
Take McDonalds vs any higher quality hamburger shop (Red Robin, White Castle etc), which one is "good enough" vs good. Why don't more people choose the better burger?? It is because McDonalds is "good enough". And in spite of everyone complaining about McDonalds employee quality of service, it is "good enough" to keep going back.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I know it sounds dirty. But most technical problems that people have are more emotional and less technical. If IT pushed hard enough to get the best software and the people don't feel good about the software, they will pressure you and bug you about every little problem to prove to you and themselves that they should have gone with the other product. Having the business case helps when all things are equal, but as the people who need to support the product, we need to step up to the plate: invite or bring your boss to lunch, do the marketing for the better product. Try to get people to feel emotionally good about the product. If they are not emotionally OK with the project they will have problems with it. But if they are emotionally OK with a bad product they will overlook its problems and spend their own time to find workarounds.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
We have a Market Failure here. Ergo, we need computer security controlled by the government — let's expand the Department of Homeland Security's duties one more time... Or, because we, the critics of the free market, hate the DHS (mostly because it was not us introducing it), let's create an entirely different entity instead.
Pre-emptive flamebaiting...
Yes, there is a government agency looking into computer security, but their role, so far, has been advisory. An alleged "market failure" is usually interpreted into need for more regulation by short-minded illiberals...
In Soviet Washington the swamp drains you.
The problem is that in order to have good security your product has to make a user or system do less, or have more of a management overhead. People don't like that, they'd rather have less trouble. Successful products MAKE you think they are providing security while bothering you as little as possible.
while you're probably just trolling, wouldn't want anyone to believe otherwise so: secustick is horribly insecure
I don't know if they planned it that way, but someone at Kingston Technology is happy. By sending their encrypted USB memory stick to Bruce, who then links to it from both his blog and the Wired article, which then gets linked from Slashdot, they have somehow achieved the best exposure for their product ever!
My business: Farstrider Studios.
I feel there is a basic problem when we consider computer security for the average user (not people who have professional or legal obligations to protect their data). There are now two types of average users, those who are so dumb they don't have any security at all (no firewall, no anti-virus, open Wi-Fi etc). These people need to be educated. On the other hand, there is an increasing population of average users who have been turned into paranoid security freaks.
Most people have no need of a USB key that self-destructs. They don't need to encrypt their hard drives, on which they probably store nothing more sensitive than their really bad first novel draft. They don't need a 26 character hex password on their operating system. I suspect that a much higher percentage of these normal people lose their data because they can't remember the password to access the data than lose it due to not having tight enough encryption protection. They are out there having to reformat their drive because they can't remember their login password, or having their laptop explode because they installed the new "Explodo-Crypt" device and then accidentally had the caps lock key on when they tried to access it.
People need to get effective security solutions for their REALISTIC needs.
Life needs more saving throws.
It was usually a joke on at least either computer or physical grounds. Most of the time, the idea behind everything was "if it drives the user crazy, it must be good", sometimes to the point of making the bypass non-detectable and easier than the normal process. For example, the need to swipe badges 3 times to get into the building, but no name or photo on the badge, or FTP blocked for "safety reasons" while all the webmails were allowed.
Maybe if the people in charge of it weren't there as a punishment...
Endless promotion, Endless recruitment, Constant attack on competition.
Persuasive spokespersons, constant reminders of what you WON'T get if you don't buy, and buy NOW.
An answer to every question or challenge about your product, and when that won't work, promote FAITH in the organization, and patience in the receipt of what you really wanted.
Unashamed, unabashed belief in your product as THE ONLY real solution.
This is Evangelism, and it works better than anything else, regardless of whether you really have the goods or not.
It isn't actually about high quality at all. Come on, people are always dumb. The marketing technique is to make it look like everyone already has it, or everyone is going to get it, or everyone has already done it, or everyone will help you to get it, and this technique ALWAYS works, unless it turns out that they LOOK LIKE they were betrayed afterwards.
So, make it look like that. Come on, how many so-called freaking not-so-good GNU projects look like everyone wants to have them, or everyone already has them, or everyone will help you to get them? Every truly good, successful GNU project has at least one of these, but even though it has ONE it doesn't have everything, and that's why they still can't beat Windows.
Not everyone already had a Mac or iPod when it first came out, but it looked like everyone already had it; that's how they are almost always successful. Come the facking on, how many matha fackers know about the quality of a Mac? It's the look. It's everything that makes it look like everyone already has it and everyone is going to get it and everyone has already done it and everyone will help you to get it.
It doesn't really matter if everyone ACTUALLY already has it, or everyone is ACTUALLY going to get it, or everyone has already DONE it, or everyone will help you to get it. Truth is, it's the facking opposite.
Well, if we look at the open source world, many people actually have it and many people are actually going to get it and many people have actually done something with it and many people will help you to get it, but it doesn't look like it, and that's the ultimate problem with its POPULARITY. Popularity isn't everything but it helps, a lot. So its LOOK is part of its quality. And many open source projects have low quality if you consider that.
-p
The problem is The Press. Particularly publications like InfoWorld who just regurgitate press releases. Many reporters don't even install the product or try to look under the hood, and even when they do find an issue, they let the product manager off the hook when they hear "it will be fixed in the final release".
;)
When you combine the Culture of Fear that came with 9/11 and the Bush administration with the technology void left after the Dot COM bust, we got a lot of "security" lemons. The security market was in the Zone before Web 2.0 took off.
Check out that personal firewall on your desktop. My Point is, the reporter was more interested in the wine at dinner than the security product he wasn't reviewing in the Labs. Sorry, we had to make the revenue target for quarter. Hope it didn't cause you any issues.
A very good friend of mine has done some high end encryption coding for some major tech companies over the last few years, and has become somewhat in demand for his work. He was recently approached by a major computer manufacturer (let's call them Nell), and asked to create a security method to prevent counterfeit laptop batteries from being used in their laptops (perhaps due to recent bad press about batteries catching on fire). They also told him that it had to be very inexpensive, as they did not want to raise their cost for laptop batteries above the level it was now. He then asked them if they wanted it to be secure or cheap, and told them that truly secure was not going to be cheap. They then repeated what they had told him. This went back and forth for a while until he told them that what they really wanted was for my friend to sign off on his "secure" method, regardless of whether it was secure or not, so they could redirect blame to his organization when the cheap security method was easily defeated, and give the appearance that "Nell" cares about security. This lost him the bid. True it is...the saying that I saw on a bridge once, which read "Remember, this bridge was built by the lowest bidder." Sadly, chances are that the most popular security method is actually even less secure than none at all, since a false sense of security makes people do stupid things. I once told an associate to stop storing sensitive financial information on spreadsheets on his home PC. He said he was not concerned because he used Zone Alarm. He then had his finances compromised...through a phishing scam.
Congratulations, as you have now joined the stupid statement hall of fame, with that one.
Then, you go on to mention that people don't know about Desktop Linux despite the 'buzz'. Huh?
There IS no buzz for Linux outside of technologists BECAUSE there has been no Marketing to speak of.
People don't adopt your product solely on the basis of the other product sucking; you have to give them a reason FOR your product. Even stupid politicians know this. Your product must bring something to the table AND it is your job to let your potential customers know about it, until they can recite it in their sleep.
A product is NOT worth its weight, if nobody knows about it. Geeks are too arrogant to understand that not everyone lives and breathes technology. On any given day, there are 100 if not 1000 times more people browsing MySpace, than at NewEgg.
Strange, I know, but true.
For some reason sales and marketing get conflated. Sales is selling. Marketing is finding out what will sell.
It's funny how Schneier wrote this article. Counterpane's idea of security is monitoring your logs for a fee. That doesn't improve security at all--just adds a layer of crap to what's currently wrong.
Schneier hasn't been anything more than a talking head for years.
Which is a shame, because truthfully his crypto stuff is great.
1. Most people don't care about IT security (or where they do care, it's way down the list). People don't believe their data is important enough to bother with keeping it secure. And more to the point, they just don't even KNOW their data is not secure. What I would like to see is for some group of experts or something to do a simulated break-in or hack attack or something and publish all the "stolen" data (i.e. basically something that shows just how insecure people's data really is and why they need to care about making it secure, only with fake systems and data). Show people what could happen to their data if they don't take care of security. Show a fake "clueless user" accessing a fake "phishing email" and giving their fake bank details to a fake "Russian hacker" who then proceeds to clean all the money out of the fake account. And then show that this is NOT fake, it's real and is happening every day.
2. No-one has invested any money in making security easier to use. And it IS possible to make security easier to use. For example, why hasn't someone made an email encryption program where you press "encrypt" and it automatically checks public key databases, locates public keys for the recipient and automatically encrypts the email? And I mean a solution that does NOT require purchasing any kind of certificate in order for it to work. (Something that uses PGP/GPG as the underlying encryption would be good.)
3. Governments and government agencies (especially agencies like the FBI, CIA, NSA and their equivalents all over the world) have a vested interest in NOT seeing IT security get better (at least for normal people) because that makes it harder to find drug barons, child pornographers, music/movie/software pirates, terrorists etc. Also, for many governments that are not democracies (China, Saudi Arabia, Iran etc) encryption makes it harder to engage in state censorship to make sure that the population only sees what the government wants them to see.
4. The laws are too heavily biased in favor of large corporations. Right now, it's easier to claim that your product is secure without making it secure than it is to actually make it secure. Laws are needed that introduce stiffer penalties for companies that claim their product does xyz (e.g. "encrypts your files so you can't get at them without a password", "completely trashes all the data if the wrong password has been entered multiple times") when it does not in fact do xyz. If companies couldn't make those claims, either the companies would stop pretending insecure products were actually secure or they would make their products secure. Either way, products that are actually secure become easier to find.
I don't know that guy's parents, but thinking of my own parents, or my wife, they want to be able to use computers well, but they aren't in that world all the time. Most people who read slashdot know a lot about computers. We have taken them apart, upgraded them, built new ones. We've looked through the Windows Device Manager (or lspci). We know what all the different parts of a PC are, and how they interact with each other.
For everyone else, it's a magic black box. They know files are kept in there, and maybe that it has fans and gets hot. Oftentimes, they don't know that RAM is the working space for running programs, and that it's a lot faster to access RAM than the hard drive. They don't know the difference between IDE and SATA and SCSI, and they probably haven't even heard those words before. They know how to plug in an iPod, but only if their PC case has USB ports on the front.
Even when someone wants to learn, they'll get beaten down with marketing confusions like 1GB = 1,000,000,000 bytes (why wouldn't that be true, as far as they know?), 3 Mb/s = 384kB/s, and 802.11a/b/g/n (these letters are assigned by standards bodies made up of engineers, not by marketing people). In the market for security products, customers really have to pay attention to realize that security by obscurity is very poor security (or worse than none at all in many cases), and even to be able to recognize when obscurity is even being used as the main form of security. The many different encryption algorithms available today are confusing at best (how are my parents supposed to remember that DES, not AES is the one that has been cracked). And then consider the fact that even a very secure algorithm like 256-bit AES can be completely worthless if it is not implemented very carefully. RC4, the algorithm used in the easy to crack WEP wireless encryption scheme, can actually be pretty secure, if it is implemented correctly, which it wasn't for WEP.
In TFA, Schneier points out that even he has a tough time telling if some of these products are implemented well or not. Computer security is a very complex subject. "Is that a thumbprint reader? That must be secure, I saw one in a high-tech spy movie in the 80's!" Movies and TV don't help, either.
And I realize the homophones are confusing, but it's spelled "too," when used as an adverb, "to" as a preposition or the marker for the infinitive, and "two" for the integer between 1 and 3.
Finally, FWIW, the purity of gold is also measured in carats, with an alternate spelling karat (hence the abbreviation 16k).
New punctuation update "~" (no quotes) at the end of a line to indicate sarcasm. ~
There's no reason to be condescending.
In most cases, the difference between value of the "best" product and its competitors is less than the time/money cost of determining which is indeed the "best".
My grandmother bought a Maytag washer in the 1950's. In 2003, the knob on the front broke. 50 years later, it still washed clothes fine, but there were vice grips clamped to the stem where the knob was. Maytag doesn't make that part any more, so she replaced it with a new top-of-the-line Maytag. It broke last year. My parents bought a Maytag in 1972. It's still working fine. From what I've read about the new ones, they're complete crap. What's more, there isn't a washing machine on the market that could last 30 years, let alone 50 years. They aren't made to last that long.
It's because there's no financial incentive for a company to make good washing machines any more. The ones out there are rushed to market, made of inferior quality parts and put together poorly. If I have to buy a new one in 5 years, even better for the company that makes it. They get to sell me another one.
In the free-market economy, if I decided to make a 50 year washing machine, I'd have to compete with companies that are established in the market. My washer would necessarily be more expensive than a GE or Whirlpool, and nobody's ever heard of my company. On the off-chance some people buy it, realize that it's great and it gets a good reputation, I'm still faced with the fact that once everyone in the world has a 50 year washer, I'm out of customers until 2057. Now what?
I used Washing Machines as an example here, but it's true of nearly every consumer device out there. I'm not sure what the solution is, but I don't see it getting better any time soon.
-Arthur
Cave ne ante ullas catapultas ambules
Most home door locks are terrible. The standard for them specifies that they should resist opening for 15 seconds with a screwdriver. Really.
The US Department of Housing and Urban Development used to have good standards for doors and locks in their housing projects. Every unit had a steel-sheathed fire door with a steel frame and locks that could resist serious abuse. In a building with interior walls of reinforced concrete, this provided quite good security. Which was needed.
I once saw a news video where some cops were raiding an apartment in a housing project. They show up at the door with a two-person battering ram, and bang away for a while. After about thirty seconds of banging, the cops are exhausted, and they try yelling through the door at the occupant to open the door. From inside, a sleepy voice answers "I can't. You broke the lock". The door held until they sent out for power saws.
Now that's how security should work.
I'm surprised you don't see security products with the warranty that comes with more expensive surge protectors. You know, the ones that "say" there is a $x thousand dollar connected equipment guarantee.
If I saw a memory stick that had a similar liability insurance if security is compromised, it would definitely put their money where their marketing is.
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
The imbalance of information problem isn't about the fact that an individual needs perfect information to participate successfully. You can read the paper mentioned for the real reasons that this form of market failure is a problem, but I'll try to summarize.
Sellers of used cars have more information about the true value of their car than buyers do. Therefore, buyers must assume that the car is of lesser value than the seller states. As a group, they will offer less than a fair value for the car. This drives some of the more honest sellers who were telling the truth about the value of their car out of the market. This raises the proportion of dishonest to honest sellers, so buyers are even more likely to undervalue the car, perpetuating the cycle.
It is a systemic problem, not an individual problem regarding idiots getting screwed over.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
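The unraveling cycle described in the comment above (buyers bid the pool average, the honest top end exits, the average falls, repeat) is easy to watch numerically. The following is an added illustration, not code from the article or from any commenter; the seller qualities, the exit rule and the certification cost are all constructed assumptions, and the second function models the third-party verification or warranty that several commenters in this thread ask for.

```python
"""Toy model of Akerlof's "market for lemons" unraveling.

Assumptions (constructed for this illustration, not from the article or thread):
sellers know their own product's true quality; buyers cannot tell products
apart, so they bid the average quality of whatever is still on offer; a seller
leaves the market as soon as the bid falls below the true worth of the product.
"""
from statistics import mean


def unravel(qualities, max_rounds=100):
    """Run the bid/exit cycle until it stabilises.

    Returns a list of (bid, sellers_remaining) tuples, one per round, so the
    caller can watch the bid and the pool shrink together.
    """
    offered = sorted(qualities)  # every seller starts in the market
    history = []
    for _ in range(max_rounds):
        if not offered:
            break
        bid = mean(offered)  # buyers price the pool, since they can't price the item
        history.append((bid, len(offered)))
        # honest sellers of above-average products refuse to sell below value
        staying = [q for q in offered if q <= bid]
        if len(staying) == len(offered):
            break  # nobody left this round: the market has settled
        offered = staying
    return history


def with_quality_signal(qualities, cert_cost):
    """Same sellers, but a trusted third party can now certify true quality
    (the independent test or warranty the thread keeps coming back to).

    cert_cost is the constructed price of certification. A seller certifies
    when the product is worth at least that much, sells at its true quality,
    and is no longer dragged down by the uncertified pool. Returns
    (certified_qualities, uncertified_history).
    """
    certified = [q for q in qualities if q >= cert_cost]
    uncertified = [q for q in qualities if q < cert_cost]
    return certified, unravel(uncertified)


if __name__ == "__main__":
    # constructed sample: eleven sellers with qualities 0, 10, ..., 100
    sample = list(range(0, 101, 10))
    for bid, n in unravel(sample):
        print(f"bid {bid:5.1f}  sellers left {n:2d}")
    good, residue = with_quality_signal(sample, cert_cost=15)
    print("certified sellers who stay:", good)
    print("uncertified pool still unravels:", residue)
```

With the sample above, `unravel` collapses the pool from eleven sellers at a bid of 50 down to a single worthless product at a bid of 0 in five rounds, which is the "quiet and lonely death" of the good products. With a quality signal priced at 15, nine of the eleven sellers certify and sell at true value; only the two lowest-quality products remain in the pool that unravels.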
Let's assume humans are bad and have always been bad. In fact, let's assume they are maximally bad and will never get worse or better. Animals don't change, so let's look at the things that humans have made. That's technology. Technology enables humans to do things. If humans are maximally bad, then they will make maximally bad use of technology. There's a lot more bad you can do with a handgun, a vehicle, or the Internet than with a stone tablet, an ox, or a knife. Therefore our situation will continue to worsen as we develop new technology.
You can't reasonably stop technology, nor would you really want to--technology itself does some good because people, while bad, are not maximally bad. The solution is, thus, to work on the people aspect of things.
Make that 4800 years old.
If you mod me down, I shall become more powerful than you could possibly imagine.
What do you mean Vista is selling?
http://slashdot.org/article.pl?sid=07/04/18/15122
http://www.cbc.ca/technology/story/2007/03/27/tec
http://www.bloomberg.com/apps/news?pid=20601103&s
You must mean why Vista is selling *at all* which is also related to issues other than security.
brandelf -t FreeBSD
Microsoft has proven time and time again that great software ALWAYS wins out in the end.
> In the late 1980s and early 1990s, there were more than a hundred competing firewall products.

No, there weren't. I owned a firewall consulting firm back then. In the early 90's there were fewer than half a dozen firewall products to choose from. There was very little interest in them until Al Gore made his "Information Super Highway" speech around '94?

> The few that "won" weren't the most secure firewalls; they were the ones that were easy to set up, easy to use and didn't annoy users too much.

That may have been true for the consumer personal firewalls that started coming out in the late 90's, but it wasn't a factor for corporate server-like firewalls. We were of the opinion that Gauntlet, the commercial product based off the firewall toolkit, a proxy-based, open source firewall from Trusted Information Systems, was the most secure firewall at the time. However Firewall One, a stateful packet filtering firewall from Checkpoint, was the clear winner in number of units sold. It had nothing to do with ease of use. Firewall One ran on a Sun. Most corporate accounts had at least some Suns. If you already had Sun's 7/24 support, they included it for your firewall at no extra charge. Any other firewall would have involved paying for a 2nd 7/24 support contract. The closest they got to an ease of use issue was the resistance to bringing another flavor of Unix like BSD or Linux into their shop. My how things have changed :-)
Marketing and persuasion always wins out in the end.
Only if the marketers can suppress the truth, but that's very expensive and fails eventually. If you look at Microsoft's quarterly statements you will see that they spend about a billion dollars a month on marketing. Some good examples of their failures are WebTV, IE, Zune, Plays For Sure, Bob, ME and now Vista. Not only did M$ blow a bunch of money shouting about these things, they have done a lot to sabotage their competitors' efforts. Yet all of these things failed to dominate the market because people knew better. All that marketing is doing is adding to their costs. All the sabotage does is add complexity that drags down the performance of their own systems. Every market for lemons is built on ignorance. In the internet age, ignorance can only be maintained by flooding every information channel with noise, but there are as many channels as there are customers.
Friends don't help friends install M$ junk.
ROFL!
As in most things engineered, there is always a compromise. There is no such thing as best in the car world, as you alluded to. The Porsche 911 is a great car no doubt, but it too is a compromise. Hell, it's even more complicated than that.
Performance.. do you mean 0-60? Top speed? Handling? Steering feedback?
0-60 maybe the Bugatti Veyron or McLaren F1, same with top speed (unless you're talking about cars built for racing). Handling could go to quite a few cars from the Porsche Cayman to the Lotus Exige.
Maybe best to a person means size. In that case, a Ford Excursion wins.
Maybe it's prestige. Then you probably want a Bentley. Or Rolls Royce. Or Maybach.
Maybe it's reliability, in which case that's probably a Toyota/Lexus product.
Maybe it's price. Then a Kia or Hyundai would do.
There's a good possibility that you want a combination of things. For most of us it's reliability and price. Most of us except the ultra-wealthy do care about this. This is why we "only" buy Mercedes for prestige but the cost of a Bentley is just not doable. Or we "only" buy a Mustang when we really wanted an upper performer like a Ferrari or Lambo.
Now we can apply this to security products. What combination of qualities do we require? Maybe we want to give up a little encryption effectiveness for higher throughput in a firewall. Or we want super-secure encryption but don't care about the speed. Maybe it's a certain amount of features that we need... OK, let's give up a little encryption for that in this product. OK, maybe we can't afford product X, so pricing is a factor too, so we get a less capable version of what we want cheaper, like the Mustang example. I'm not a security product expert by any means, but I think this illustrates this idea of compromise when factoring "the best".
[market for lemons] explains why Vista is selling.
It would if Vista was selling. I have not seen any evidence of that so far, other than channel stuffing. The word from local stores is that people who make the mistake of installing Vista hate it enough to buy XP and pay someone to put it on. They have to buy another copy of XP because Vista upgrades won't give back their license to run XP or they had no choice about OS when they bought a new computer. I'd say Vista was failing badly and it's hurting computer sales.
The only sad part about this is that most people are still afraid of GNU/Linux. The failure of Vista and success of projects like GIMP and Firefox is changing that quickly.
Very close to how the stock market works.
99% of programmers out there don't understand crypto. So they're doomed to reinvent an insecure wheel. You'd be completely amazed at the number of people who don't know how, say, PKI works. Try to explain that in many systems public key crypto is usually used to transmit a symmetric key and they'll choke. Too much information they don't get. You've got no idea how bad it is: there are programmers working on companies' authentication systems that don't fscking know how crypto works.
Maybe, just maybe, the math required to understand this is too complicated for most programmers (I recommend working with small numbers using pencil and paper to "get it").
Then there are all the "brute force it" kiddies who are persuaded that if they could manage to hack one million Windows bots they'd be able to brute force anything. Pathetic.
Ali Baba?
Is working for the education industry in California... I couldn't even convince a prospective client in the industry to fix their DNS so users could actually view their site!
And I wonder why my old school grade database got hacked, and I can't transfer because they list the wrong degree now on my records... Seriously hiring one system administrator for a couple hours at $200 an hour would fix all problems... but they bid down for contracts...
Bruce is a rare guy who is deeply knowledgeable in his field of expertise, and yet can see the rest of the world around him. His books and his articles constantly reiterate the point that computer security is no different from physical security in most cases, and security products are no different from any other products in most cases. In this article, he reminds us that the details of whether you're talking about a secure USB stick or a used car or a bathroom sink don't change the base economics of the matter, in general.
Fundamentally, it's cheaper and faster to sell shit to people than it is to sell quality. Making quality products is more expensive, more involved, and more time consuming--that means that I have to charge more to the customer, who generally won't know the difference. In the rare cases (maybe 10%?) where the consumer knows better, he will make a value decision on whether or not it's worth paying the premium, and will probably decide against it.
As a maker of quality products, I not only have higher costs and lower turnover, but my potential market share is probably only 5% of the market. That means I need to make a significant profit on each unit sold. My product which may be 10% better than the average will probably have to sell for twice as much.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
My security commentary on the Evil Overlord's Handbook points out how evil overlords get duped by salespeople into buying shiny things that don't contribute to solid security.
The lemon problem is just another manifestation of my worst competitor, apathy. If customers cared about good security they'd demand independent testing labs.
Yes, there is market failure, you have just moved it further back up the chain. It's a question of who watches the watchmen. If you rely on another agent to balance information for you, how do you know which agent to trust? You have another level of imbalance of information, and you need another agent to tell you which agent to choose, and so on.
This fact, and not any lack of demand, is what has kept this solution from being adopted. Once again, libertarianism presents simple solutions to complex problems, and when those simple solutions fail, explains it all away by claiming people don't want the solutions.
As always with libertarians, it is the individuals that make up the market system, not the system itself that always fails. It must be nice to advocate for an economic system that has never been put into practice. You can always claim that, were it done and done right, it would work.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I heard that from one of my profs; I don't know on whom it should be blamed. This might be an example.
Apple's machines from the "dying" era were cheaply and unreliably built; the big problem was that they were not priced as such. Can you say Performa?
My parents had a Miele washer for decades. Then they bought another brand (cheaper) when the old one finally died. Just to replace it with a Miele because that seems to be the only brand not to build cheap washers but robust ones. And they now have a reputation for their great quality. And this just because all other products on the market lowered their quality.
Atari rules... ermm... ruled.
That's because they are conflated. I think this definition reflects usage of the term marketing pretty well:
2. the commercial processes involved in promoting and selling and distributing a product or service; "most companies have a manager in charge of marketing"
As another poster said, you are thinking of "market research", which is just one facet of marketing. Advertising is another.