Bad Security Driving Out the Good
Bruce Schneier has up at Wired a typically thoughtful piece on how, in the security market as in others, the lemons are winning out over the good products. Schneier harks back to "The Market For Lemons," the 1970s work of economist George Akerlof, to explain why the market's invisible hand pushes most of the best products into the abyss: "With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death."
Fundamentally, people claim they want security, but are often not willing to pay for it. The business that spends the market-driven required amount of time on security (even if it's not enough) wins out.
If on the other hand you spend the proper amount of time on security, and position yourself outside the market by the delay in time and additional cost, you lose.
Which is pretty much why OSS rules in terms of security. In the OSS world, we can afford to spend an extra month or two per release to make sure everyone is in order and decent procedures are followed. Which isn't to say it's always the case [most GAIM plugins are horribly written] but usually more often than not it is with things like GPG, OpenSSL, OpenSSH, etc...
Tom
Someday, I'll have a real sig.
I find the people in Marketing are terrible not only when you're buying a product, but also when you're the company making the product. Sometimes people in marketing make stuff up just to get a sale. I think it's in their blood. It hurts both sides because the customer is expecting to get something that doesn't exist, and the development team has to now build this thing that never existed. So often it gets cobbled together really fast, just so the customer thinks it works, but in reality it's only a half-working solution.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
"The Earth is degenerating today. Bribery and corruption abound.
Children no longer obey their parents, every man wants to write a book,
and it is evident that the end of the world is fast approaching."
--Assyrian tablet, c. 2800 BCE (allegedly)
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
Nobody argues the free market is infallible. If they do, don't listen.
What people argue is that the free market is "good enough," and is a system that is so complex and quick to react, that any attempt to regulate it for its own good should be looked at long and hard -- simply because it's so difficult to do better without detrimental ramifications, even with the best of intentions.
Natural monopolies are a problem and environmental costs are a problem, and are good targets for regulation.
"Imperfect information" -- I don't understand where this idea got started, but it's completely wrong when applied to free markets. It has to do with zero-sum games like the bond market where there are definitely winners and losers -- here, the guy with the best information wins.
In a free market, when a transaction takes place, the idea is that both parties are better off than they were before. I make a piece of furniture to sell you, you buy it because you can't make as good a piece of furniture for as low a price. I make a profit, and you profit by using your time more efficiently. We both win, despite the fact that I'm a furniture expert and you don't know every detail about the construction of the chair I sold you.
In fact, it's precisely this reason, that you don't need to have perfect information to participate to your advantage, that the free market works.
No, it's not perfect, but it's the best we've got in a free society.
If moderation could change anything, it would be illegal.
Most home door locks are terrible. The standard for them specifies that they should resist opening for 15 seconds with a screwdriver. Really.
The US Department of Housing and Urban Development used to have good standards for doors and locks in their housing projects. Every unit had a steel-sheathed fire door with a steel frame and locks that could resist serious abuse. In a building with interior walls of reinforced concrete, this provided quite good security. Which was needed.
I once saw a news video where some cops were raiding an apartment in a housing project. They show up at the door with a two-person battering ram, and bang away for a while. After about thirty seconds of banging, the cops are exhausted, and they try yelling through the door at the occupant to open the door. From inside, a sleepy voice answers "I can't. You broke the lock". The door held until they sent out for power saws.
Now that's how security should work.