Bad Security Driving Out the Good
Bruce Schneier has up at Wired a typically thoughtful piece on how, in the security market as in others, the lemons are winning out over the good products. Schneier harks back to "The Market For Lemons," the 1970s work of economist George Akerlof, to explain why the market's invisible hand pushes most of the best products into the abyss: "With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death."
Fundamentally, people claim they want security, but are often not willing to pay for it. The business that spends the market-driven required amount of time on security (even if it's not enough) wins out.
If, on the other hand, you spend the proper amount of time on security, and position yourself outside the market by the delay in time and additional cost, you lose.
Which is pretty much why OSS rules in terms of security. In the OSS world, we can afford to spend an extra month or two per release to make sure everyone is in order and decent procedures are followed. Which isn't to say it's always the case [most GAIM plugins are horribly written] but usually more often than not it is with things like GPG, OpenSSL, OpenSSH, etc...
Tom
Someday, I'll have a real sig.
I find the people in Marketing are terrible not only when you're buying a product, but also when you're the company making the product. Sometimes people in marketing make stuff up just to get a sale. I think it's in their blood. It hurts both sides because the customer is expecting to get something that doesn't exist, and the development team has to now build this thing that never existed. So often it gets cobbled together really fast, just so the customer thinks it works, but in reality it's only a half-working solution.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
"The Earth is degenerating today. Bribery and corruption abound.
Children no longer obey their parents, every man wants to write a book,
and it is evident that the end of the world is fast approaching."
--Assyrian tablet, c. 2800 BCE (allegedly)
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
Norton/Symantec bought out Sygate :(
I keep worrying they'll pounce on NOD32 next.
A very good friend of mine has done some high-end encryption coding for some major tech companies over the last few years, and has become somewhat in demand for his work. He was recently approached by a major computer manufacturer (let's call them Nell), and asked to create a security method to prevent counterfeit laptop batteries from being used in their laptops (perhaps due to recent bad press about batteries catching on fire). They also told him that it had to be very inexpensive, as they did not want to raise their cost for laptop batteries above the level it was now. He then asked them if they wanted it to be secure or cheap, and told them that truly secure was not going to be cheap. They then repeated what they had told him. This went back and forth for a while until he told them that what they really wanted was for my friend to sign off on his "secure" method, regardless of whether it was secure or not, so they could redirect blame to his organization when the cheap security method was easily defeated, and give the appearance that "Nell" cares about security. This lost him the bid. True it is... the saying that I saw on a bridge once, which read "Remember, this bridge was built by the lowest bidder." Sadly, chances are that the most popular security method is actually even less secure than none at all, since a false sense of security makes people do stupid things. I once told an associate to stop storing sensitive financial information on spreadsheets on his home PC. He said he was not concerned because he used Zone Alarm. He then had his finances compromised... through a phishing scam.
Nobody argues the free market is infallible. If they do, don't listen.
What people argue is that the free market is "good enough," and is a system that is so complex and quick to react, that any attempt to regulate it for its own good should be looked at long and hard -- simply because it's so difficult to do better without detrimental ramifications, even with the best of intentions.
Natural monopolies are a problem and environmental costs are a problem, and are good targets for regulation.
"Imperfect information" -- I don't understand where this idea got started, but it's completely wrong when applied to free markets. It has to do with zero-sum games like the bond market where there are definitely winners and losers -- here, the guy with the best information wins.
In a free market, when a transaction takes place, the idea is that both parties are better off than they were before. I make a piece of furniture to sell you, you buy it because you can't make as good a piece of furniture for as low a price. I make a profit, and you profit by using your time more efficiently. We both win, despite the fact that I'm a furniture expert and you don't know every detail about the construction of the chair I sold you.
In fact, it's precisely this reason, that you don't need to have perfect information to participate to your advantage, that the free market works.
No, it's not perfect, but it's the best we've got in a free society.
If moderation could change anything, it would be illegal.
Most home door locks are terrible. The standard for them specifies that they should resist opening for 15 seconds with a screwdriver. Really.
The US Department of Housing and Urban Development used to have good standards for doors and locks in their housing projects. Every unit had a steel-sheathed fire door with a steel frame and locks that could resist serious abuse. In a building with interior walls of reinforced concrete, this provided quite good security. Which was needed.
I once saw a news video where some cops were raiding an apartment in a housing project. They show up at the door with a two-person battering ram, and bang away for a while. After about thirty seconds of banging, the cops are exhausted, and they try yelling through the door at the occupant to open the door. From inside, a sleepy voice answers "I can't. You broke the lock". The door held until they sent out for power saws.
Now that's how security should work.
I'd say Vista was failing badly and it's hurting computer sales.
Well... Mac sales in the U.S. are up 30% over last year.