Bad Security Driving Out the Good

Bruce Schneier has up at Wired a typically thoughtful piece on how, in the security market as in others, the lemons are winning out over the good products. Schneier harks back to "The Market For Lemons," the 1970s work of economist George Akerlof, to explain why the market's invisible hand pushes most of the best products into the abyss: "With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death."

The way of the world

[pytheron]

Marketing and persuasion always wins out in the end. How many tech guys have tried to convince a boss that whatever solution they are going with is not in the interest of the company. Even if you make an objective flow-chart/business impact plan.. their mind is made up. Dick from marketing has personality-brainwashed him. He took him to lunch, he couldn't possibly be like the other salesmen.. nice chap.

Re:The way of the world

[BSAtHome]

You are right; it is not security/xyz that sells, but the perception of securty/xyz. That is where the marketers come in.

Re:The way of the world

[beckerist]

I think there's more to it though. More security more often than not = less functionality. A completely locked down workstation, while secure, is not going to provide the users with as much functionality than a wide-open workstation. A lot of products are sold simply because of ease-of-use (read: ipod), and security is merely an extra "feature."

Think of it too like a car. Would you rather have a car that has a governor, limiting your speed to 55MPH/100KPH? It's safer...

Re:The way of the world

[Red+Flayer]

It's funny, though, TFA has little to say about marketing -- except for asymmetrical information theory. Marketing ties into this because it is how companies take advantage of buyers, who have less accurate info than sellers.

The problem is not just marketing. The problem is that since buyers aren't well-informed, they choose mediocre products, which prices out the best products. This starts a nasty cycle, since with the best products out of the market, buyers then choose even poorer solutions to save a buck, which ends up pricing out the best remaining products, and so on.

Marketing takes advantage of asymmetrical information -- but the root cause is the buyer's lack of information. Given that most decision-makers do not have the resources to adequately research every purchase they make, how can this be fixed? How much should a company spend on researching products, in relation to the cost of those products? Many people can't justify spending a lot of time researching the options for a $2000/yr solution. When the proposals come in, and several[1] of the vendors offer a seemingly-equivalent solution for $1500, how can I justify spending $2000? Purchasing is about choosing products that meet your requirements at the lowest cost. It's not feasible for every purchase to undergo a full TCO analysis that includes factored risk of loss -- how many businesses employ actuaries?

Multiply this scenario by thousands, and the best solutions are driven out of business.

[1] It's important that there are multiple options at that price point, since it makes each of the products at that level seem acceptable.

Re:The way of the world

[zappepcs]

It gets better. Take an honest look at advertising, look at what they are selling and how they are selling it. Chances are better than 90% of the products you either don't need, can live without, or just plain can't use. Any product that is worth its weight simply doesn't need to be advertised.

While you are looking at marketing campaigns, see who spends the most money. I believe that the value of a product is inversely related to advertising dollars spent. With the exception of products that are new. VoIP is one of those (even though I can't for the life of me figure out what the Vonage marketers were thinking) exceptions where the product is so new that advertising is as much about education as it is selling. Sleeping aids and medicines for ailments your parents never heard of is no better than little blue pill junk mail. There are times that I think that such advertisements should be blockable and covered under the can-spam act.

Anyway, advertising sells. Without it consumers won't even know there is a product. Despite the buzz about desktop linux there actually are people in North America that do NOT know what Linux is, never mind if they want to use it. Security products and practices are the same. I haven't counted, but I know I don't have enough fingers for counting the number of times I've heard a VP spouting verbatim from some magazine article as if he learned it in college or something.

This effect is what keeps MS products so prominent, people don't actually know or understand that there are other competing products. People know about Mcafee and Norton. They don't know about ClamAV, and are not sure what Symantec does.

The open market, in this respect, is just a popularity contest.

I had hopes that sites like Consumer reports et al would change that, but no, consumers really are mostly sheep.

Re:The way of the world

[daviddennis]

Something you might not have noticed is that if reviews truly use ease of use and throughput as the most important factors, the most insecure products look better than more secure products.

Security is one of the few cases where we're supposed to pay more to inconvenience ourselves. I'd say most people outside of the small fraternity of computer security folk would really prefer the insecure product, until its consequences hit them.

D

Re:The way of the world

[joto]

I'd say most people outside of the small fraternity of computer security folk would really prefer the insecure product, until its consequences hit them.

What consequences? You talk like something gruesome is going to happen to anyone that loses data. But for most of us, it's just an inconvenience. Old budgets and technical stuff with zero interest for anyone outside the project. If someone finds it, he's probably going to delete it and fill it up with mp3's instead.

Besides, relying on encryption, because you're constantly walking around losing USB-thumbsticks with confidential data on it, is not the solution. If you are physically losing confidential storage media, you should work on physical security first. Don't lose it!

Security must be balanced. Just because it's possible to imagine "perfect" encryption on a thumbdrive, doesn't mean it makes much sense. There are other factors, such as convenience, compatibility with different computing platforms, and so on, to consider. Besides, you should always plan for what to do if the data is lost. Encryption won't protect against social engineering, and there might be spies inside your company too. If your data is so important that you can't afford to lose it, you shouldn't carry it on a thumbstick in the first place.

marketing

[gEvil+(beta)]

It really boils down to marketing, IMHO. And laziness. The average person doesn't want to have to learn about something and investigate its merits. By and large they're much happier being told that Item A does XYZ, while Item B does XYZ *and* W, all while being easier to use than Item A. Despite W being a useless feature, and the "easier to use" claim being baseless, Item B will win out due to how it's been marketed.

Re:marketing

[gEvil+(beta)]

You are correct--there are some people who honestly are interested in learning about these things so that they can make these decisions themselves. However, they are the exception, not the rule. If someone is truly interested in learning, I'm more than happy to help them out. But when offers of assistance are met with "I don't want to know about that" or "That doesn't matter to me" then all bets are off and you're on your own, as far as I'm concerned.

Re:marketing

The average person doesn't want to have to learn about something and investigate its merits.

The "average" person's life doesn't revolve around IT. Let's look at Apple. You know why they were a hit with the artist community? Because you pulled it out of the box and it ran. Artists have to concentrate on their job - which is their art/craft/job - not having to spend hours upon hours reading poorly written manuals and trial and error. Hire someone? Please, at $100/hr for a Windows/*NIX admin type, they'd wouldn't be able to make a living - they barely make living as it is (Do what you love and the money will follow - HA!).

The above goes for the same with: construction, accountants, lawyers, Indian chiefs, etc...

Re:marketing

[gEvil+(beta)]

This is an honest question and isn't meant to belittle anyone in any way. But why is that your parents "wish to learn more" but haven't? I'm assuming that you've tried to educate them on the subject before. So why is it that they still haven't learned, despite their efforts to understand?

Money.

[Sorthum]

As TFA states, it's easy for someone to create a security product which they themselves cannot break. Hiring external testers can be a huge expense if done right, and when companies rely more on hype than on technical brilliance, they end up getting screwed. SecuStick is rare only in that its crappy security made headlines.

Vista

[Toe,+The]

Well... that explains why Vista is selling.

(Yeah I know... flamebait. But it had to be said.)

Re:Vista

[Architect_sasyr]

Is it flamebait? If I had mod points I'd probably flag as insightful. As I've stated before I'm the linux guy in a Microsoft shop and the majority of Vista upgrades (that are voluntary - so about 3% of our vista users) have done it because Vista offers better security and a slick interface, from a team of Microsoft oriented tech's, this has produced outrage. Despite the best intentions of the IT team Vista is coming regardless of what we want. I personally blame the marketing, and would cite the comment made to me not 3 days ago. "Vista has to be more secure. All the ad[vertisement]s say that it is". I can't compete with Microsofts marketing tactics (nor any other company) I simply don't have the resources. Only the respect of the IT team and the proven skill/competency in what we do has kept the CEO's from asking for the upgrades.

On Topic: Is this really a "bad security winning out" scenario, or are we merely looking at the triangle of cost, security and usability... cost and usability are of course the big factors for most corporations, so the sacrifice of security is, perhaps, merely a progression of cost cutting and the aim to supress those "annoying messages" that indicate a potential PEBKAC when inputting data.

My $0.02 AU

This story 2400 years old.

[qazsedcft]

Socrates in the 400s BC was already complaining about how sophistry is winning over logic and reason. The world will never change.

Good vs Good Enough

[Archangel+Michael]

There is an invisible line between being good (as in above average) and good enough (as in gets the job done).

All things equal, people will choose good over good enough, however all things are not equal. Better products tend to cost more, better service costs more. Cheap products that do mostly marginal job wins the price war and hence wins the market.

There are always going to be niche markets that serve people who KNOW quality and service, most people don't care enough. They'll just choose whatever is cheapest at the moment from brands that they know (even if cheap), as long (and this is key) the quality is "good enough".

Which is why if I were making a product line, I'd make two different and distinct products, one "good enough" and one with better higher quality/service. I'd even go so far as to make sure by brand distinction that people would knwo "cheap, but good enough" from "good" by using strong branding.

Take McDonalds vs any higher quality hamburger shop (Red Robin, White Castle etc), which one is "good enough" vs good. Why don't more people choose the better burger?? It is because McDonalds is "good enough". And in spite of everyone complaining about McDonalds employee quality of service, it is "good enough" to keep going back.

Computer Security - The Problem for Joe Blow

[Grashnak]

I feel there is a basic problem when we consider computer security for the average user (not people who have professional or legal obligations to protect their data). There are now two types of average users, those who are so dumb they don't have any security at all (no firewall, no anti-virus, open Wi-Fi etc). These people need to be educated. On the other hand, there is an increasing population of average users who have been turned into paranoid security freaks.

Most people have no need of a USB key that self-destructs. They don't need to encrypt their hard drives, on which they probably store nothing more sensitive than their really bad first novel draft. They don't need a 26 character Hex password on their operating system. I suspect that a much higher percentage of these normal people lose their data because they can't remember the password to access the data than lose it due to not having tight enough encryption protection. They are out there having to reformat their drive because they can't remember their login password, or having their laptop explode because they installed the new "Explodo-Crypt" device and then accidently had the caps lock key on when they tried to access it.

People need to get effective security solutions for their REALISTIC needs.

The best Marketing = Religion

[LibertineR]

Tech Companies should learn this and never forget it.

Endless promotion, Endless recruitment, Constant attack on competition.

Persuasive spokespersons, Constant reminders of what you WONT get if you dont buy, and buy NOW.

An answer to every question or challenge about your product, and when that wont work, promote FAITH in the organization, and patience in the reciept of what you are really wanted.

Unashamed, unabashed belief in your product as THE ONLY real solution.

This is Evangelism, and it works better than anything else, regardless of whether you really have the goods or not.

Re:The best Marketing = Religion

[poopdeville]

If there is no afterlife, why bother being a 'good person' in this life?

As the Buddha said (paraphrasing), "I know nothing except that I can make myself better." Put into a western context, if life has no intrinsic meaning, I am the only person who can give it meaning. Through my thoughts and actions.

So why try to do good? Because I've found people I care about.

Re:Uh-oh "market failure"...

[spun]

The standard thinking is that, because of the existence of market failures such as externalities, natural monopolies, and imbalance of information (the issue at hand), the free market paradoxically needs some regulation in order to remain free.

Libertarians are the group most vehemently against this concept, but I have never heard a single one of them coherently explain how exactly the free market will remain free without regulation. Their arguments seem to boil down to "LALALALA I can't hear you! There's no such thing as market failure, the market is infallible!"

If you have a better argument as to why market failures aren't a problem, or a better solution than regulation if you think they are, I'd love to hear it.

Re:Marketers are terrible.

[radarsat1]

That's true. I think the solution is that R&D managers have to be tougher. I know it's rare, but you really need an individual who is willing to stand up to marketing, and just say, you know: "No, actually we don't have that product." If the marketing person who sold the non-existent product can be made to lose face, there would be some motivation for them to not do it again, and to really _learn_ what the products are and what they do instead of just memorizing the buzzwords.

The problem, essentially, is a lack of liability on the part of the sales person. They do this all the time, selling "features" that are just speculative... if they were made to be more careful, it wouldn't happen and the whole R&D department would run more smoothly. Salespeople should be forced to sell products that DO exist. Information flow from R&D to marketing needs to be more open: *these* are the products we actually *have*, go sell them.

If salespeople were made to look dumb in front of their clients when they make a mistake, they wouldn't make mistakes. The problem currently is that when they DO make mistakes, it's R&D that has to pay, not them. You need an R&D manager who is willing to tell them they fucked up, instead of "okay, well I _guess_ we could do that, if we bump our schedule and stop working on this other project for a while.."

Anyways, don't tell me, this is idealistic and impossible.
Does anyone have an R&D manager who stands up to marketing like this?

Maytag Washers

[a_nonamiss]

My grandmother bought a Maytag washer in the 1950's. In 2003, the knob on the front broke. 50 years later, it still washed clothes fine, but there were vice grips clamped to the stem where the knob was. Maytag doesn't make that part any more, so she replaced it with a new top-of-the-line Maytag. It broke last year. My parents bought a Maytag in 1972. It's still working fine. From what I've read about the new ones, they're complete crap. What's more, there isn't a washing machine on the market that could last 30 years, let alone 50 years. They aren't made to last that long.

It's because there's no financial incentive for a company to make good washing machines any more. The ones out there are rushed to market, made of inferior quality parts and put together poorly. If I have to buy a new one in 5 years, even better for the company that makes it. They get to sell me another one.

In the free-market economy, if I decided to make a 50 year washing machine, I'd have to compete with companies that are established in the market. My washer would necessarily be more expensive than a GE or Whirlpool, and nobody's ever heard of my company. On the off-chance some people buy it, realize that it's great and it gets a good reputation, I'm still faced with the fact that once everyone in the world has a 50 year washer, I'm out of customers until 2057. Now what?

I used Washing Machines as an example here, but it's true of nearly every consumer device out there. I'm not sure what the solution is, but I don't see it getting better any time soon.

Re:Maytag Washers

[cdrguru]

Young people are also trained to think that they may want a newer, better, more feature rich washing machine in five years. So, spending money today on a better washing machine simply means that the money is being wasted because in five years they will want a new one anyway.

I ran into this with office furniture recently. Some desks that were quite well constructed needed to be gotten rid of because we didn't have space in the office. The responses I got were "I can buy a desk at Ikea for $100 and when it breaks, by another new one. Always having a new desk is worth more than spending $400 for your desk."

This is where we have come to. Quality beyond a certain level is pointless now. It is pointless for the company because they will not be selling replacements and pointless for the consumer because they don't understand the point.

Worse, making things that can be repaired is viewed as pointless. Today most television sets cannot be meaningfully repaired. There are only a few functional unit assemblies and parts are sold as these assemblies only, when the parts are available. So you find yourself with a $1000 HDTV that if something breaks it is a $800 part plus labor to repair it. It might be a blown fuse on the board that cost $0.39. In 1960 this was handled by skilled technicians that would find the bad part on the board and replace it. Today it is handled by a semi-skilled parts replacer that convinces you that you just need to buy a new TV because the repair is more than the unit cost new.

This makes a certain amount of sense in a high labor cost environment because the cost of the skilled technician's time is more than $1000. There are some pretty severe side effects of this. We blow through a lot more trash because most things just cannot be repaired and must be replaced. Manufacturers are rewarded not for quality but features.

It is certainly almost impossible to compete today on quality. The overwhelming signal that is sent out on the Internet are (a) prices and (b) uninformed customer reviews. The pricing means lowest price wins most of the time and to hell with customer service or product quality. The uninformed customer reviews are worthless but because they seem to be from "peers" they are given great weight. Of course, happy people are rarely motivated to write positive reviews but angry people want to let people know. So most reviews are negative, to the extent that an expensive, high quality product with some usability issues will accumulate negative reviews while a cheap, low quality product may not. Especially if the low quality product is sold to consumers that are willing to write off their cheap purchase as a learning experience without trying to broadcast it to the world.

The Internet invariable creates a race-to-the-bottom situation because of this. Low prices and few reviews beat out high prices and negative reviews, even when the reviews reflect a small percentage of the customers.

Stock market

[HalAtWork]

Very close to how the stock market works.

Re:Uh-oh "market failure"...

[marcosdumay]

"What people argue is that the free market is "good enough," and is a system that is so complex and quick to react, that any attempt to regulate it for its own good should be looked at long and hard -- simply because it's so difficult to do better without detrimental ramifications, even with the best of intentions."

In other words: "La la la la. I'm not hearing you". We've already saw how the free market behaves, and didn't like it. The deployed solution was regulation, and that made the situation better, but created a lot of problems itself. Can you put any other alternative on the table?

And imperfect information IS a problem. You enter a deal if you THINK you'll be better after than before it. What you think will happen doesn't have to resemble what will really happen, they just are the same thing if you have perfect information.