Slashdot Mirror
Bad Security Driving Out the Good
Bruce Schneier has up at Wired a typically thoughtful piece on how, in the security market as in others, the lemons are winning out over the good products. Schneier harks back to "The Market For Lemons," the 1970s work of economist George Akerlof, to explain why the market's invisible hand pushes most of the best products into the abyss: "With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death."
Marketing and persuasion always wins out in the end. How many tech guys have tried to convince a boss that whatever solution they are going with is not in the interest of the company. Even if you make an objective flow-chart/business impact plan.. their mind is made up. Dick from marketing has personality-brainwashed him. He took him to lunch, he couldn't possibly be like the other salesmen.. nice chap.
"I am not bound to please thee with my answers" [William Shakespeare]
It really boils down to marketing, IMHO. And laziness. The average person doesn't want to have to learn about something and investigate its merits. By and large they're much happier being told that Item A does XYZ, while Item B does XYZ *and* W, all while being easier to use than Item A. Despite W being a useless feature, and the "easier to use" claim being baseless, Item B will win out due to how it's been marketed.
This guy's the limit!
As TFA states, it's easy for someone to create a security product which they themselves cannot break. Hiring external testers can be a huge expense if done right, and when companies rely more on hype than on technical brilliance, they end up getting screwed. SecuStick is rare only in that its crappy security made headlines.
When you are sure of something, you probably are wrong (search for "Unskilled and Unaware of It").
Well... that explains why Vista is selling.
(Yeah I know... flamebait. But it had to be said.)
Socrates in the 400s BC was already complaining about how sophistry is winning over logic and reason. The world will never change.
Fundamentally people claim they want security, but are often not willing to pay for it. The business that spends the market driven required amount of time on security (even if it's not enough) wins out.
If on the other hand you spend the proper amount of time on security, and position yourself outside the market by the delay in time and additional cost, you lose.
Which is pretty much why OSS rules in terms of security. In the OSS world, we can afford to spend an extra month or two per release to make sure everyone is in order and decent procedures are followed. Which isn't to say it's always the case [most GAIM plugins are horribly written] but usually more often than not it is with things like GPG, OpenSSL, OpenSSH, etc...
Tom
Someday, I'll have a real sig.
I find the people in Marketing are terrible not only when you're buying a product, but also when you're the company making the product. Sometimes people in marketing make stuff up just to get a sale. I think it's in their blood. It hurts both sides because the customer is expecting to get something that doesn't exist, and the development team has to now build this thing that never existed. So often it gets cobbled together really fast, just so the customer thinks it works, but it reality it's only a half working solution.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I'm a $600/hr security consultant - you'd know my name, I used to work at - well I probably shouldn't say. I've FORGOTTEN more than Bruce Schneier knows about crypto, and I think the Secustick is a VERY secure product.
There is an invisible line between being good (as in above average) and good enough (as in gets the job done).
All things equal, people will choose good over good enough, however all things are not equal. Better products tend to cost more, better service costs more. Cheap products that do mostly marginal job wins the price war and hence wins the market.
There are always going to be niche markets that serve people who KNOW quality and service, most people don't care enough. They'll just choose whatever is cheapest at the moment from brands that they know (even if cheap), as long (and this is key) the quality is "good enough".
Which is why if I were making a product line, I'd make two different and distinct products, one "good enough" and one with better higher quality/service. I'd even go so far as to make sure by brand distinction that people would knwo "cheap, but good enough" from "good" by using strong branding.
Take McDonalds vs any higher quality hamburger shop (Red Robin, White Castle etc), which one is "good enough" vs good. Why don't more people choose the better burger?? It is because McDonalds is "good enough". And in spite of everyone complaining about McDonalds employee quality of service, it is "good enough" to keep going back.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I feel there is a basic problem when we consider computer security for the average user (not people who have professional or legal obligations to protect their data). There are now two types of average users, those who are so dumb they don't have any security at all (no firewall, no anti-virus, open Wi-Fi etc). These people need to be educated. On the other hand, there is an increasing population of average users who have been turned into paranoid security freaks.
Most people have no need of a USB key that self-destructs. They don't need to encrypt their hard drives, on which they probably store nothing more sensitive than their really bad first novel draft. They don't need a 26 character Hex password on their operating system. I suspect that a much higher percentage of these normal people lose their data because they can't remember the password to access the data than lose it due to not having tight enough encryption protection. They are out there having to reformat their drive because they can't remember their login password, or having their laptop explode because they installed the new "Explodo-Crypt" device and then accidently had the caps lock key on when they tried to access it.
People need to get effective security solutions for their REALISTIC needs.
Life needs more saving throws.
Endless promotion, Endless recruitment, Constant attack on competition.
Persuasive spokespersons, Constant reminders of what you WONT get if you dont buy, and buy NOW.
An answer to every question or challenge about your product, and when that wont work, promote FAITH in the organization, and patience in the reciept of what you are really wanted.
Unashamed, unabashed belief in your product as THE ONLY real solution.
This is Evangelism, and it works better than anything else, regardless of whether you really have the goods or not.
Check your spelling before you send your messages, you're hurting my eyes!
The standard thinking is that, because of the existence of market failures such as externalities, natural monopolies, and imbalance of information (the issue at hand), the free market paradoxically needs some regulation in order to remain free.
Libertarians are the group most vehemently against this concept, but I have never heard a single one of them coherently explain how exactly the free market will remain free without regulation. Their arguments seem to boil down to "LALALALA I can't hear you! There's no such thing as market failure, the market is infallible!"
If you have a better argument as to why market failures aren't a problem, or a better solution than regulation if you think they are, I'd love to hear it.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Nobody argues the free market is infallible. If they do, don't listen.
What people argue is that the free market is "good enough," and is a system that is so complex and quick to react, that any attempt to regulate it for its own good should be looked at long and hard -- simply because it's so difficult to do better without detrimental ramifications, even with the best of intentions.
Natural monopolies are a problem and environmental costs are a problem, and are good targets for regulation.
"Imperfect information" -- I don't understand where this idea got started, but it's completely wrong when applied to free markets. It has to do with zero-sum games like the bond market where there are definitely winners and losers -- here, the guy with the best information wins.
In a free market, when a transaction takes place, the idea is that both parties are better off than they were before. I make a piece of furniture to sell you, you buy it because you can't make as good a piece of furniture for as low a price. I make a profit, and you profit by using your time more efficiently. We both win, despite the fact that I'm a furniture expert and you don't know every detail about the construction of the chair I sold you.
In fact, it's precisely this reason, that you don't need to have perfect information to participate to your advantage, that the free market works.
No, it's not perfect, but it's the best we've got in a free society.
If moderation could change anything, it would be illegal.
My grandmother bought a Maytag washer in the 1950's. In 2003, the knob on the front broke. 50 years later, it still washed clothes fine, but there were vice grips clamped to the stem where the knob was. Maytag doesn't make that part any more, so she replaced it with a new top-of-the-line Maytag. It broke last year. My parents bought a Maytag in 1972. It's still working fine. From what I've read about the new ones, they're complete crap. What's more, there isn't a washing machine on the market that could last 30 years, let alone 50 years. They aren't made to last that long.
It's because there's no financial incentive for a company to make good washing machines any more. The ones out there are rushed to market, made of inferior quality parts and put together poorly. If I have to buy a new one in 5 years, even better for the company that makes it. They get to sell me another one.
In the free-market economy, if I decided to make a 50 year washing machine, I'd have to compete with companies that are established in the market. My washer would necessarily be more expensive than a GE or Whirlpool, and nobody's ever heard of my company. On the off-chance some people buy it, realize that it's great and it gets a good reputation, I'm still faced with the fact that once everyone in the world has a 50 year washer, I'm out of customers until 2057. Now what?
I used Washing Machines as an example here, but it's true of nearly every consumer device out there. I'm not sure what the solution is, but I don't see it getting better any time soon.
-Arthur
Cave ne ante ullas catapultas ambules
Most home door locks are terrible. The standard for them specifies that they should resist opening for 15 seconds with a screwdriver. Really.
The US Department of Housing and Urban Development used to have good standards for doors and locks in their housing projects. Every unit had a steel-sheathed fire door with a steel frame and locks that could resist serious abuse. In a building with interior walls of reinforced concrete, this provided quite good security. Which was needed.
I once saw a news video where some cops were raiding an apartment in a housing project. They show up at the door with a two-person battering ram, and bang away for a while. After about thirty seconds of banging, the cops are exhausted, and they try yelling through the door at the occupant to open the door. From inside, a sleepy voice answers "I can't. You broke the lock". The door held until they sent out for power saws.
Now that's how security should work.
> In the late 1980s and early 1990s, there were more than a hundred competing firewall products. No there wasn't. I owned a firewall consulting firm back then. In the early 90's there were less than half a dozen firewalls products to choose from. There was very little interest in them until Al Gore made his "Information Super Hi Way" speech around 94? > The few that "won" weren't the most secure firewalls; they were the ones that were easy to set up, easy to use and didn't annoy users too much. That may have been true for the consumer personal firewalls that started coming out in the late 90's, but it wasn't a factor for corporate server like firewalls. We were of the opinion that Gauntlet, the commercial product based off the firewall toolkit, a proxy based, open source firewall from Trusted Information Systems was the most secure firewall at the time. However Firewall One, a statefull packet filtering firewall from Checkpoint, was the clear winner in number of units sold. It had nothing to do with ease of use. Firewall One ran on a Sun. Most corporate accounts had at least some Suns. If you already had Sun's 7/24 support, they included it for your firewall at no extra charge. Any other firewall would have involved paying for 2nd 7/24 support contract. The closest they got to an ease of use issue was the resistance to bringing another flavor of Unix like BSD or Linux into their shop. My how things have changed :-)
In other words: "La la la la. I'm not hearing you". We've already saw how the free market behaves, and didn't like it. The deployed solution was regulation, and that made the situation better, but created a lot of problems itself. Can you put any other alternative on the table?
And imperfect information IS a problem. You enter a deal if you THINK you'll be better after than before it. What you think will happen doesn't have to resemble what will really happen, they just are the same thing if you have perfect information.
Rethinking email