Bad Security Driving Out the Good

Bruce Schneier has up at Wired a typically thoughtful piece on how, in the security market as in others, the lemons are winning out over the good products. Schneier harks back to "The Market For Lemons," the 1970s work of economist George Akerlof, to explain why the market's invisible hand pushes most of the best products into the abyss: "With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death."
  • by pytheron ( 443963 ) on Thursday April 19, 2007 @09:35AM (#18797789) Homepage
    Marketing and persuasion always wins out in the end. How many tech guys have tried to convince a boss that whatever solution they are going with is not in the interest of the company. Even if you make an objective flow-chart/business impact plan.. their mind is made up. Dick from marketing has personality-brainwashed him. He took him to lunch, he couldn't possibly be like the other salesmen.. nice chap.
    • by BSAtHome ( 455370 ) on Thursday April 19, 2007 @09:42AM (#18797915)
      You are right; it is not security/xyz that sells, but the perception of security/xyz. That is where the marketers come in.
    • I know it sounds dirty. But most technical problems that people have are more emotional and less technical. If IT pushed hard enough to get the best software and the people don't feel good about the software, they will pressure you and bug you about every little problem to prove to you and themselves that they should have gone with the other product. Having the business case helps when all things are equal, but as people who need to support the product well need to take the plate invite or bring your boss t
    • by LibertineR ( 591918 ) on Thursday April 19, 2007 @09:58AM (#18798179)
      Tech Companies should learn this and never forget it.

      Endless promotion, Endless recruitment, Constant attack on competition.

      Persuasive spokespersons, Constant reminders of what you WON'T get if you don't buy, and buy NOW.

      An answer to every question or challenge about your product, and when that won't work, promote FAITH in the organization, and patience in the receipt of what you really wanted.

      Unashamed, unabashed belief in your product as THE ONLY real solution.

      This is Evangelism, and it works better than anything else, regardless of whether you really have the goods or not.

    • by Red Flayer ( 890720 ) on Thursday April 19, 2007 @10:12AM (#18798417) Journal
      It's funny, though, TFA has little to say about marketing -- except for asymmetrical information theory. Marketing ties into this because it is how companies take advantage of buyers, who have less accurate info than sellers.

      The problem is not just marketing. The problem is that since buyers aren't well-informed, they choose mediocre products, which prices out the best products. This starts a nasty cycle, since with the best products out of the market, buyers then choose even poorer solutions to save a buck, which ends up pricing out the best remaining products, and so on.

      Marketing takes advantage of asymmetrical information -- but the root cause is the buyer's lack of information. Given that most decision-makers do not have the resources to adequately research every purchase they make, how can this be fixed? How much should a company spend on researching products, in relation to the cost of those products? Many people can't justify spending a lot of time researching the options for a $2000/yr solution. When the proposals come in, and several[1] of the vendors offer a seemingly-equivalent solution for $1500, how can I justify spending $2000? Purchasing is about choosing products that meet your requirements at the lowest cost. It's not feasible for every purchase to undergo a full TCO analysis that includes factored risk of loss -- how many businesses employ actuaries?

      Multiply this scenario by thousands, and the best solutions are driven out of business.

      [1] It's important that there are multiple options at that price point, since it makes each of the products at that level seem acceptable.
      • Re: (Score:3, Insightful)

        by daviddennis ( 10926 )
        Something you might not have noticed is that if reviews truly use ease of use and throughput as the most important factors, the most insecure products look better than more secure products.

        Security is one of the few cases where we're supposed to pay more to inconvenience ourselves. I'd say most people outside of the small fraternity of computer security folk would really prefer the insecure product, until its consequences hit them.

        D
        • Re: (Score:3, Insightful)

          by joto ( 134244 )

          I'd say most people outside of the small fraternity of computer security folk would really prefer the insecure product, until its consequences hit them.

          What consequences? You talk like something gruesome is going to happen to anyone that loses data. But for most of us, it's just an inconvenience. Old budgets and technical stuff with zero interest for anyone outside the project. If someone finds it, he's probably going to delete it and fill it up with mp3's instead.

          Besides, relying on encryption, because

    • by zappepcs ( 820751 ) on Thursday April 19, 2007 @10:15AM (#18798485) Journal
      It gets better. Take an honest look at advertising, look at what they are selling and how they are selling it. Chances are better than 90% of the products you either don't need, can live without, or just plain can't use. Any product that is worth its weight simply doesn't need to be advertised.

      While you are looking at marketing campaigns, see who spends the most money. I believe that the value of a product is inversely related to advertising dollars spent. With the exception of products that are new. VoIP is one of those (even though I can't for the life of me figure out what the Vonage marketers were thinking) exceptions where the product is so new that advertising is as much about education as it is selling. Sleeping aids and medicines for ailments your parents never heard of is no better than little blue pill junk mail. There are times that I think that such advertisements should be blockable and covered under the can-spam act.

      Anyway, advertising sells. Without it consumers won't even know there is a product. Despite the buzz about desktop linux there actually are people in North America that do NOT know what Linux is, never mind if they want to use it. Security products and practices are the same. I haven't counted, but I know I don't have enough fingers for counting the number of times I've heard a VP spouting verbatim from some magazine article as if he learned it in college or something.

      This effect is what keeps MS products so prominent; people don't actually know or understand that there are other competing products. People know about McAfee and Norton. They don't know about ClamAV, and are not sure what Symantec does.

      The open market, in this respect, is just a popularity contest.

      I had hopes that sites like Consumer reports et al would change that, but no, consumers really are mostly sheep.
    • Marketing and persuasion always wins out in the end.

      Only if the marketers can suppress truth, but that's very expensive and fails eventually. If you look at Microsoft's quarterly statements you will see that they spend about a billion dollars a month on marketing. Some good examples of their failures are WebTV, IE, Zune, Plays for Sure, Bob, ME and now Vista. Not only did M$ blow a bunch of money shouting about these things, they have done a lot to sabotage their competitors' efforts. Yet all of these

  • marketing (Score:4, Insightful)

    by gEvil (beta) ( 945888 ) on Thursday April 19, 2007 @09:36AM (#18797817)
    It really boils down to marketing, IMHO. And laziness. The average person doesn't want to have to learn about something and investigate its merits. By and large they're much happier being told that Item A does XYZ, while Item B does XYZ *and* W, all while being easier to use than Item A. Despite W being a useless feature, and the "easier to use" claim being baseless, Item B will win out due to how it's been marketed.
    • Re:marketing (Score:4, Informative)

      by Turn-X Alphonse ( 789240 ) on Thursday April 19, 2007 @09:45AM (#18797965) Journal
      I completely disagree.

      My parents both wish to learn more but they just don't understand what things mean. They think "memory" (RAM) is used to hold data (hard drive space), so getting more RAM must mean they can store more files. Logically this works, memory = storage in the classic sense, and this is why marketing works. Saying "More 255 QUQUTALUU memory!" and "wow a massive 20 gig hard drive" makes it seem like these things are big and impressive, whereas people who know see it's complete crap.

      Maybe if we stopped calling people lazy and taught them just the basics (what RAM does, what a hard drive does etc.) they would understand marketing for the bullshit it is and see through it. But instead we sit here going "lol idiots, too lazy! idiots!" and end up having to slave over their mistakes.
      • Re:marketing (Score:4, Insightful)

        by gEvil (beta) ( 945888 ) on Thursday April 19, 2007 @09:53AM (#18798087)
        You are correct--there are some people who honestly are interested in learning about these things so that they can make these decisions themselves. However, they are the exception, not the rule. If someone is truly interested in learning, I'm more than happy to help them out. But when offers of assistance are met with "I don't want to know about that" or "That doesn't matter to me" then all bets are off and you're on your own, as far as I'm concerned.
      • Re: (Score:2, Insightful)

        This is an honest question and isn't meant to belittle anyone in any way. But why is that your parents "wish to learn more" but haven't? I'm assuming that you've tried to educate them on the subject before. So why is it that they still haven't learned, despite their efforts to understand?
        • I don't know that guy's parents, but thinking of my own parents, or my wife, they want to be able to use computers well, but they aren't in that world all the time. Most people who read slashdot know a lot about computers. We have taken them apart, upgraded them, built new ones. We've looked through the Windows Device Manager (or lspci). We know what all the different parts of a PC are, and how they interact with each other.

          For everyone else, it's a magic black box. They know files are kept in there
      • Maybe if we stopped calling people lazy and taught them just the basics (what RAM does, what a hard drive does etc.) they would understand marketing for the bullshit it is and see through it. But instead we sit here going "lol idiots, too lazy! idiots!" and end up having to slave over their mistakes.

        I agree with you to a certain extent, but let's face it -- no one can be a "Renaissance Man" (or woman) any more -- there just isn't time. That's why we have a division of labor -- so that you can do what you

        • It's easy to be informed about your field, less so to be adequately informed about, say, 5 fields external to yours, and impossible to be informed about every field, even to some minimum degree.

          This is true, but it's also an overused lame excuse for being ignorant.

          Sure, you can't know everything - but that doesn't mean that you shouldn't know the difference between a bit and a byte, a chainsaw and a drill press, a cell and an organ, an oak tree and a pine tree, limestone and granite, diesel fuel and gasol

    • And laziness. The average person doesn't want to have to learn about something and investigate

      There's no reason to be condescending.

      In most cases, the difference between value of the "best" product and its competitors is less than the time/money cost of determining which is indeed the "best".
  • Money. (Score:5, Insightful)

    by Sorthum ( 123064 ) on Thursday April 19, 2007 @09:37AM (#18797829) Homepage
    As TFA states, it's easy for someone to create a security product which they themselves cannot break. Hiring external testers can be a huge expense if done right, and when companies rely more on hype than on technical brilliance, they end up getting screwed. SecuStick is rare only in that its crappy security made headlines.
    • Re:Money. (Score:5, Informative)

      by cyphercell ( 843398 ) on Thursday April 19, 2007 @10:11AM (#18798385) Homepage Journal
      Secustick is rare in that they admitted that their device was insecure when the flaw was discovered (highly commendable). This is something I see happening at work quite often: you simply don't talk about your mistakes or anyone else's, because people are so damn neurotic about it. You have to very carefully say what you're trying to say, or people will get defensive and supervisors get offensive. Quality takes a back seat because people don't have an f*ing clue what the difference is between accountability and guilt/incompetence. Secustick is holding themselves accountable, but I'm sure many see them as a joke.
  • by ZorroXXX ( 610877 ) on Thursday April 19, 2007 @09:38AM (#18797837)
    Written by no other than Bruce Schneier:

    ... but even I couldn't tell you if Kingston's offering is better than Secustick. ... And if I can't tell the difference, most consumers won't be able to either.
  • Vista (Score:5, Insightful)

    by Toe, The ( 545098 ) on Thursday April 19, 2007 @09:38AM (#18797843)
    Well... that explains why Vista is selling.

    (Yeah I know... flamebait. But it had to be said.)
    • Re:Vista (Score:5, Insightful)

      by Architect_sasyr ( 938685 ) on Thursday April 19, 2007 @09:55AM (#18798127)
      Is it flamebait? If I had mod points I'd probably flag it as insightful. As I've stated before, I'm the Linux guy in a Microsoft shop, and the majority of Vista upgrades (that are voluntary, so about 3% of our Vista users) have done it because Vista offers better security and a slick interface. From a team of Microsoft-oriented techs, this has produced outrage. Despite the best intentions of the IT team, Vista is coming regardless of what we want. I personally blame the marketing, and would cite the comment made to me not 3 days ago: "Vista has to be more secure. All the ad[vertisement]s say that it is". I can't compete with Microsoft's marketing tactics (nor any other company's); I simply don't have the resources. Only the respect of the IT team and the proven skill/competency in what we do has kept the CEOs from asking for the upgrades.

      On Topic: Is this really a "bad security winning out" scenario, or are we merely looking at the triangle of cost, security and usability... cost and usability are of course the big factors for most corporations, so the sacrifice of security is, perhaps, merely a progression of cost cutting and the aim to suppress those "annoying messages" that indicate a potential PEBKAC when inputting data.

      My $0.02 AU
    • [market for lemons] explains why Vista is selling.

      It would if Vista was selling. I have not seen any evidence of that so far, other than channel stuffing. The word from local stores is that people who make the mistake of installing Vista hate it enough to buy XP and pay someone to put it on. They have to buy another copy of XP because Vista upgrades won't give back their license to run XP or they had no choice about OS when they bought a new computer. I'd say Vista was failing badly and it's hurting

  • If you look at technology, the winners are never the best. Because the best costs too much and people (including us, the more technically informed) rarely get enough information to make informed decisions. There are only very limited industries that are regulated enough to give people information to make the best purchasing decisions. Like fine jewelry: they are required to state what quality the product is. Diamonds have the 4 Cs (Karot (it sounds like a C), Cut, Color, Clarity) and they are very regulated
    • I think the open dialog of the internet is making things slightly better. You can truly find user reviews on just about any product. It's really sad that there still isn't yet a good universal review site that the average Joe knows about. I think there really is an untapped market for something like this. Maybe if Google started it, it MIGHT take off. Google, are you listening???
    • But it really comes down to how you define better. With jewelry, there are very strict guidelines to determine color, clarity, etc. of diamonds. It's very easy to define 14 K gold. It's another thing entirely with computer systems. How do you define security, stability, and other attributes? Sure there are metrics like MTTF and MTBF, but those don't really define anything concrete. As far as I'm aware there are no real metrics for security, except looking at the number of past exploits, and how long they took to
      • Well, with jewelry the strict guidelines came over time. The jewelry market is much older than technology. I am sure before we got karats there was a lot of debate on how to measure the value of gold objects. Size, Weight, Purity, Color, Malleability, Taste, Corrosiveness... Over time, with people getting scammed with, say, gold-coated lead or other yellow-tinted metals, they finally started getting rules to help regulate themselves. Right now there is no real metric for technology, but we really should start putt
    • by demon ( 1039 )
      I think you meant carat [wikipedia.org]...
  • by qazsedcft ( 911254 ) on Thursday April 19, 2007 @09:39AM (#18797859)
    Socrates in the 400s BC was already complaining about how sophistry is winning over logic and reason. The world will never change.
    • by kisrael ( 134664 ) on Thursday April 19, 2007 @09:42AM (#18797917) Homepage
      "The Earth is degenerating today. Bribery and corruption abound.
      Children no longer obey their parents, every man wants to write a book,
      and it is evident that the end of the world is fast approaching."
      --Assyrian tablet, c. 2800 BCE (allegedly)
      • by BeBoxer ( 14448 )
        "The Earth is degenerating today. Bribery and corruption abound.
        Children no longer obey their parents, every man wants to write a book,
        and it is evident that the end of the world is fast approaching."
        --Assyrian tablet, c. 2800 BCE (allegedly)
        I think something got lost in translation here. Or is a desire to write a book really a sign of the end times?
        • by v01d ( 122215 )
          Or is a desire to write a book really a sign of the end times?

          Based on the new publications at Barnes and Nobles I can see why someone might make the inference.
        • by kisrael ( 134664 )
          I think something got lost in translation here. Or is a desire to write a book really a sign of the end times?
          Heh, in our increasingly "post-literate" age it seems kind of odd.

          Maybe a "truer to the spirit" translation would be "every man wants his own talk show" :-)
      • Let's assume humans are bad and have always been bad. In fact, let's assume they are maximally bad and will never get worse or better. Animals don't change, so let's look at the things that humans have made. That's technology. Technology enables humans to do things. If humans are maximally bad, then they will make maximally bad use of technology. There's a lot more bad you can do with a handgun, a vehicle, or the Internet than with a stone tablet, an ox, or a knife. Therefore our situation will continue to
      • by kbahey ( 102895 )
        I think something is not right. I doubt Assyrian inscriptions existed before 2400 BCE [aina.org].

        Perhaps it is the Sumerians? They inhabited Mesopotamia at that time.
  • Matter of desire (Score:4, Interesting)

    by tomstdenis ( 446163 ) on Thursday April 19, 2007 @09:39AM (#18797871) Homepage
    Fundamentally people claim they want security, but are often not willing to pay for it. The business that spends the market driven required amount of time on security (even if it's not enough) wins out.

    If on the other hand you spend the proper amount of time on security, and position yourself outside the market by the delay in time and additional cost, you lose.

    Which is pretty much why OSS rules in terms of security. In the OSS world, we can afford to spend an extra month or two per release to make sure everyone is in order and decent procedures are followed. Which isn't to say it's always the case [most GAIM plugins are horribly written] but usually more often than not it is with things like GPG, OpenSSL, OpenSSH, etc...

    Tom
    • by dpilot ( 134227 )
      I'll disagree...

      It's just that we're not trained with respect to security. We have come to take it for granted. So far our model for security has been physical security, and we pretty much have been able to take it for granted. Violations of that assumption are pretty rare and shocking, and the common use of those two adjectives for that situation validates the assumption.

      Now take a different location where the assumption of physical security is not valid, such as Iraq or places in Africa. Most of us would just
  • by CastrTroy ( 595695 ) on Thursday April 19, 2007 @09:39AM (#18797873)
    I find the people in Marketing are terrible not only when you're buying a product, but also when you're the company making the product. Sometimes people in marketing make stuff up just to get a sale. I think it's in their blood. It hurts both sides because the customer is expecting to get something that doesn't exist, and the development team now has to build this thing that never existed. So often it gets cobbled together really fast, just so the customer thinks it works, but in reality it's only a half-working solution.
    • For some reason sales and marketing get conflated. Sales is selling. Marketing is finding out what will sell.

    • Re: (Score:3, Insightful)

      by radarsat1 ( 786772 )
      That's true. I think the solution is that R&D managers have to be tougher. I know it's rare, but you really need an individual who is willing to stand up to marketing, and just say, you know: "No, actually we don't have that product." If the marketing person who sold the non-existent product can be made to lose face, there would be some motivation for them to not do it again, and to really _learn_ what the products are and what they do instead of just memorizing the buzzwords.

      The problem, essentially
  • A Porsche 911 but... Well... You know the rest.

  • Secustick (Score:4, Funny)

    by Anonymous Coward on Thursday April 19, 2007 @09:40AM (#18797879)
    I'm a $600/hr security consultant - you'd know my name, I used to work at - well I probably shouldn't say. I've FORGOTTEN more than Bruce Schneier knows about crypto, and I think the Secustick is a VERY secure product.
  • Part of the problem here is the market allows itself to be conned. We want to believe that the Securestick works, we don't want to spend the time or pay an extra added expense to have the claims of the marketers actually tested. If users made choices based on objective facts and called for warranties or 3rd party confirmation of marketing claims as part of the base product the lemons would start working their way out of the system. Costs would go up though and so the market is willing to absorb bad produ
  • Most people will focus in on cheap, worthless crap because they don't want to spend the money or expensive over-hyped crap because they believe the four color glossies. This is true for almost every item on shelf, not just security items.
    With security products, things become harder because there's no easy way to tell if it is working. If there's never an attempt to steal the data or hack the server, or if the attempt goes unnoticed, then it appears everything is working great.
  • When you buy a car, it's an expensive personal purchase. When it fails, it's immediately obvious and you may have legal avenues to investigate to mitigate the issue.

    When you make a security decision, it's usually a low-cost personal purchase. When it fails (say your identity gets stolen), the losses you might incur can greatly outweigh the initial investment in the technology, and you will have little legal recourse against the vendor to make things right.

    This is why I don't trust any commercial security produc
  • Its the same thing in all technical markets. Creators of fine technologies like to think that the sheer genius of their creation will be all they need to get people excited, and that their marketing efforts need go no further than a press release, and a product information page on their web site.

    If you build it, THEY WON'T COME, unless you practically shove it down their throat, with associated information, pricing, positioning, comparisons and timing. Got that, Commodore?

    Microsoft sells technology like

  • case in point (Score:2, Interesting)

    by yakumo.unr ( 833476 )
    Norton/Symantec bought out Sygate :(
    I keep worrying they'll pounce on nod32 next.
  • As Microsoft Windows and the design of the optic nerve shows, it's not the best that succeeds, but the thing that's good enough.

  • by Archangel Michael ( 180766 ) on Thursday April 19, 2007 @09:47AM (#18798001) Journal
    There is an invisible line between being good (as in above average) and good enough (as in gets the job done).

    All things being equal, people will choose good over good enough; however, all things are not equal. Better products tend to cost more, better service costs more. Cheap products that do a mostly marginal job win the price war and hence win the market.

    There are always going to be niche markets that serve people who KNOW quality and service; most people don't care enough. They'll just choose whatever is cheapest at the moment from brands that they know (even if cheap), as long as (and this is key) the quality is "good enough".

    Which is why if I were making a product line, I'd make two different and distinct products, one "good enough" and one with better, higher quality/service. I'd even go so far as to make sure by brand distinction that people would know "cheap, but good enough" from "good" by using strong branding.

    Take McDonalds vs any higher quality hamburger shop (Red Robin, White Castle etc), which one is "good enough" vs good. Why don't more people choose the better burger?? It is because McDonalds is "good enough". And in spite of everyone complaining about McDonalds employee quality of service, it is "good enough" to keep going back.
    • by scruffy ( 29773 )

      Take McDonalds vs any higher quality hamburger shop (Red Robin, White Castle etc),
      I was with you until "quality" and "White Castle" made it into the same sentence. White Castle hamburgers are called "sliders" for a reason.
  • We have a Market Failure [wikipedia.org] here. Ergo, we need computer security controlled by the government — let's expand the Department of Homeland Security's duties one more time... Or, because we, the critics of the free market, hate the DHS (mostly because it was not us introducing it), let's create an entirely different entity instead.

    Pre-emptive flamebaiting...

    Yes, there is a government agency [wikipedia.org] looking into computer security, but their role, so far, has been advisory. An alleged "market failure" is usually

    • by spun ( 1352 ) on Thursday April 19, 2007 @10:13AM (#18798443) Journal
      The standard thinking is that, because of the existence of market failures such as externalities, natural monopolies, and imbalance of information (the issue at hand), the free market paradoxically needs some regulation in order to remain free.

      Libertarians are the group most vehemently against this concept, but I have never heard a single one of them coherently explain how exactly the free market will remain free without regulation. Their arguments seem to boil down to "LALALALA I can't hear you! There's no such thing as market failure, the market is infallible!"

      If you have a better argument as to why market failures aren't a problem, or a better solution than regulation if you think they are, I'd love to hear it.
      • by Bluesman ( 104513 ) on Thursday April 19, 2007 @10:33AM (#18798771) Homepage
        Nobody argues the free market is infallible. If they do, don't listen.

        What people argue is that the free market is "good enough," and is a system that is so complex and quick to react, that any attempt to regulate it for its own good should be looked at long and hard -- simply because it's so difficult to do better without detrimental ramifications, even with the best of intentions.

        Natural monopolies are a problem and environmental costs are a problem, and are good targets for regulation.

        "Imperfect information" -- I don't understand where this idea got started, but it's completely wrong when applied to free markets. It has to do with zero-sum games like the bond market where there are definitely winners and losers -- here, the guy with the best information wins.

        In a free market, when a transaction takes place, the idea is that both parties are better off than they were before. I make a piece of furniture to sell you, you buy it because you can't make as good a piece of furniture for as low a price. I make a profit, and you profit by using your time more efficiently. We both win, despite the fact that I'm a furniture expert and you don't know every detail about the construction of the chair I sold you.

        In fact, it's precisely this reason, that you don't need to have perfect information to participate to your advantage, that the free market works.

        No, it's not perfect, but it's the best we've got in a free society.

        • The imbalance of information problem isn't about the fact that an individual needs perfect information to participate successfully. You can read the paper mentioned for the real reasons that this form of market failure is a problem, but I'll try to summarize.

          Sellers of used cars have more information about the true value of their car than buyers do. Therefore, buyers must assume that the car is of lesser value than the seller states. As a group, they will offer less than a fair value for the car. This drive
        • by marcosdumay ( 620877 ) on Thursday April 19, 2007 @01:48PM (#18802229) Homepage Journal

          "What people argue is that the free market is "good enough," and is a system that is so complex and quick to react, that any attempt to regulate it for its own good should be looked at long and hard -- simply because it's so difficult to do better without detrimental ramifications, even with the best of intentions."

          In other words: "La la la la. I'm not hearing you". We've already seen how the free market behaves, and didn't like it. The deployed solution was regulation, and that made the situation better, but created a lot of problems itself. Can you put any other alternative on the table?

          And imperfect information IS a problem. You enter a deal if you THINK you'll be better after than before it. What you think will happen doesn't have to resemble what will really happen, they just are the same thing if you have perfect information.

      • by mi ( 197448 )

        The market is not infallible. The libertarian argument is, it is less fallible than the vast majority of mechanisms designed to regulate it.

        Even with the "sacred" things like the FDA, it is unclear if the number of lives preserved by the agency's weeding out bad medicines is greater than that lost because of the immense regulatory burden faced by the pharmaceuticals.

        • by spun ( 1352 )
          Looking back over history, it is pretty clear to me the vast costs that society pays when markets are unregulated. Do you have any evidence that the market is less fallible?

          I've come down hard on free market libertarian types in the past, but that has just been counterproductive. I'm now trying to figure out a way to build a socialist construct within a completely free market framework in a fair and non-coercive way. I'm interested in any ideas that anyone has about better and non-coercive ways of maintaini
      • You can usually find libertarian analysis on each specific kind of reason regulators develop for the need of regulation, but a simple answer to them all at once isn't available. Not that I agree with all they say on each and every subject, but that they do work deeply on all of them, they do. At the Mises Institute website [mises.org] alone you'll find tens of thousands of articles, or even full length books (downloadable for free), on all these subjects, including the ones you mentioned. They're worth reading, if for
  • by Grashnak ( 1003791 ) on Thursday April 19, 2007 @09:56AM (#18798153)
    I feel there is a basic problem when we consider computer security for the average user (not people who have professional or legal obligations to protect their data). There are now two types of average users, those who are so dumb they don't have any security at all (no firewall, no anti-virus, open Wi-Fi, etc.). These people need to be educated. On the other hand, there is an increasing population of average users who have been turned into paranoid security freaks.

    Most people have no need of a USB key that self-destructs. They don't need to encrypt their hard drives, on which they probably store nothing more sensitive than their really bad first novel draft. They don't need a 26-character hex password on their operating system. I suspect that a much higher percentage of these normal people lose their data because they can't remember the password to access the data than lose it due to not having tight enough encryption protection. They are out there having to reformat their drive because they can't remember their login password, or having their laptop explode because they installed the new "Explodo-Crypt" device and then accidentally had the caps lock key on when they tried to access it.

    People need to get effective security solutions for their REALISTIC needs.
    • I would argue that your second group is just as dumb and in just as much need of education as your first group. They bought into the "hackers are everywhere and trying to get your data 24/7 no matter where you are and what you're doing" hype. They then went out and blew money on various worthless garbage, be it truly ineffective or just far more security than they actually need or understand how to use properly, and end up with at least as much trouble as they would have without it. You see this problem
    • by Tom ( 822 )

      These people need to be educated.
      If user education worked, it would have already.

      Forget user education. This is a great example of what "user education" leads to - it is quickly turned into a marketing machine.
    • accidentally had the caps lock key on when they tried to access it

      I've often wondered how much security exactly is lost if the password systems would just allow a case-inverted pASSWORD, and warn the user if the password was typed in ALL CAPS. (Some keyboards put everything in caps when caps lock is on even if you press the shift key; some invert the sense of the shift key.) Thus if the user's password is aLt256!, the system would allow AlT256!, and warn about ALT256!.

      If your password system has billions o
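
The case-tolerant check the comment above describes, as an added example that is not part of the original thread: the verifier accepts the stored password or its case-inverted form, and flags an ALL-CAPS entry as a likely caps-lock mistake so the login page can warn the user. The hashing (PBKDF2-HMAC-SHA256 from the standard library), the iteration count, the fixed salt and the sample passwords are all assumptions chosen for the illustration. `bits_lost()` quantifies the cost of the tolerance: at most one extra string is accepted per account, so an online guesser gains at most a factor of two, i.e. one bit.

```python
"""Case-tolerant password verification (added example, not from the thread).

Accepts the exact password or its swapcase() form, and classifies an
ALL-CAPS failure separately so the caller can show a caps-lock warning.
PBKDF2 parameters, salt and sample passwords below are made up for the demo.
"""
import hashlib
import hmac
import math
import secrets
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn if none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def classify(candidate: str, salt: bytes, stored: bytes) -> str:
    """Check a typed candidate against the stored digest.

    Returns one of:
      'ok'                 exact match
      'ok-case-inverted'   matched after swapping case (caps lock on)
      'rejected-all-caps'  no match, but typed entirely in capitals: warn
      'rejected'           no match
    Both digests are always computed so a rejection costs the same time
    whatever the reason; compare_digest keeps the comparison constant-time.
    """
    exact = hmac.compare_digest(hash_password(candidate, salt)[1], stored)
    # For ASCII letters swapcase() is its own inverse, so one extra hash
    # covers the case where caps lock inverted every letter the user typed.
    inverted = hmac.compare_digest(hash_password(candidate.swapcase(), salt)[1], stored)
    if exact:
        return "ok"
    if inverted:
        return "ok-case-inverted"
    has_letters = candidate.lower() != candidate.upper()
    if has_letters and candidate == candidate.upper():
        return "rejected-all-caps"
    return "rejected"


def bits_lost(password: str) -> float:
    """Entropy given up by accepting swapcase(password) as well.

    If the password contains no letters, swapcase() is the identity and
    nothing extra is accepted (0 bits); otherwise exactly one extra string
    is accepted, i.e. log2(2) = 1 bit, regardless of password length.
    """
    accepted = {password, password.swapcase()}
    return math.log2(len(accepted))


def demo() -> dict:
    """Run the thread's own example (aLt256!) through the classifier."""
    salt, stored = hash_password("aLt256!", b"fixed-salt-16byt")  # constructed salt
    return {
        typed: classify(typed, salt, stored)
        for typed in ("aLt256!", "AlT256!", "ALT256!", "alt256!")
    }


if __name__ == "__main__":
    for typed, verdict in demo().items():
        print(f"{typed:10} -> {verdict}")
    print("bits lost for aLt256!:", bits_lost("aLt256!"))
```

The swapcase() tolerance is deliberately narrow: it does not accept arbitrary case variants (which would cost one bit per letter), only the single variant a stuck caps-lock key produces, which is why the measured loss stays at one bit.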

    • Yet, the second group still needs backups. And I doubt they do it.

  • It was usually a joke on either computer or physical grounds. Most of the time, the idea behind everything was "if it drives the user crazy, it must be good", sometimes to the point of making the bypass non-detectable and easier than the normal process. For example, the need to swipe badges 3 times to get into the building, but no name or photo on the badge, or FTP blocked for "safety reasons" while all the webmails were allowed.

    Maybe if the people in charge of it weren't there as a punishment...
  • A very good friend of mine has done some high end encryption coding for some major tech companies over the last few years, and has become somewhat in demand for his work. He was recently approached by a major computer manufacturer (lets call them Nell), and asked to create a security method to prevent counterfeit laptop batteries from being used in their laptops (perhaps due to recent bad press about batteries catching on fire). They also told him that it had to be very inexpensive, as they did not want t
  • 1.Most people don't care about IT security (or where they do care, its way down the list). People don't believe their data is not important enough to bother with keeping it secure. And more to the point, they just don't even KNOW their data is not secure. What I would like to see is for some group or experts or something to do a simulated break-in or hack attack or something and publish all the "stolen" data (i.e. basically something that shows just how insecure peoples data really is and why they need to
  • Maytag Washers (Score:5, Insightful)

    by a_nonamiss ( 743253 ) on Thursday April 19, 2007 @11:15AM (#18799553)
    My grandmother bought a Maytag washer in the 1950's. In 2003, the knob on the front broke. 50 years later, it still washed clothes fine, but there were vice grips clamped to the stem where the knob was. Maytag doesn't make that part any more, so she replaced it with a new top-of-the-line Maytag. It broke last year. My parents bought a Maytag in 1972. It's still working fine. From what I've read about the new ones, they're complete crap. What's more, there isn't a washing machine on the market that could last 30 years, let alone 50 years. They aren't made to last that long.

    It's because there's no financial incentive for a company to make good washing machines any more. The ones out there are rushed to market, made of inferior quality parts and put together poorly. If I have to buy a new one in 5 years, even better for the company that makes it. They get to sell me another one.

    In the free-market economy, if I decided to make a 50 year washing machine, I'd have to compete with companies that are established in the market. My washer would necessarily be more expensive than a GE or Whirlpool, and nobody's ever heard of my company. On the off-chance some people buy it, realize that it's great and it gets a good reputation, I'm still faced with the fact that once everyone in the world has a 50 year washer, I'm out of customers until 2057. Now what?

    I used Washing Machines as an example here, but it's true of nearly every consumer device out there. I'm not sure what the solution is, but I don't see it getting better any time soon.
    • Blame it on computers. No, really, it's the computer geeks' fault. See, used to be, engineers had little idea how things really failed. Now with computer data collection and modeling, they can reliably predict exactly how long something will last and make it last just a little longer than the warranty period.
      I'll bet you could buy a 50 year, or at least a 25 year washing machine, but you'd have to import it from Scandinavia. It'd be made of stainless steel, and you'd have to replace the belts and sea
      • by TFloore ( 27278 )
        Blame it on computers.

        There's a lot of truth to that. Engineers used to design things with a fudge factor built in. Round things up to the next highest thickness part, and stuff like that, for a couple of reasons. Increased durability was one of them. Another was inexact manufacturing processes. Another was just not knowing exactly how thick something needed to be to last "the life of the product" whatever that was supposed to be. Computers affected 2 out of 3 of those reasons.

        There is one other reason spec
    • Re: (Score:3, Insightful)

      by cdrguru ( 88047 )
      Young people are also trained to think that they may want a newer, better, more feature rich washing machine in five years. So, spending money today on a better washing machine simply means that the money is being wasted because in five years they will want a new one anyway.

      I ran into this with office furniture recently. Some desks that were quite well constructed needed to be gotten rid of because we didn't have space in the office. The responses I got were "I can buy a desk at Ikea for $100 and when it
  • by Animats ( 122034 ) on Thursday April 19, 2007 @11:16AM (#18799559) Homepage

    Most home door locks are terrible. The standard for them specifies that they should resist opening for 15 seconds with a screwdriver. Really.

    The US Department of Housing and Urban Development used to have good standards for doors and locks in their housing projects. [hudclips.org] Every unit had a steel-sheathed fire door with a steel frame and locks that could resist serious abuse. In a building with interior walls of reinforced concrete, this provided quite good security. Which was needed.

    I once saw a news video where some cops were raiding an apartment in a housing project. They show up at the door with a two-person battering ram, and bang away for a while. After about thirty seconds of banging, the cops are exhausted, and they try yelling through the door at the occupant to open the door. From inside, a sleepy voice answers "I can't. You broke the lock". The door held until they sent out for power saws.

    Now that's how security should work.

    • I did an install once for a very security conscious person in NYC; it was a brick building including interior walls. They got a steel frame and welded on rebar to go back about 18 inches into the wall. The door itself was a fire door, steel clad with a layer of magnesium on the outside. Full length hinge and a 3 point lock set (goes up, down and to the side) along with one of those mid-door bolts that goes to the hardwood floors. Apparently she got the specs from a SWAT cop as to what the drug stashes use t
      • You can go one better:

        Mount the steel door frame so that it floats on automotive valve springs. The springs are preloaded to push the frame flush outside but with about three inches of travel towards the inside. That way, when rammed, the door gives and the masonry/concrete doesn't take the concentrated impulse of the ram. Apparently valve springs are quite stiff so that using several of them will absorb the energy of a very heavy ram.

        This suggestion was published in one of those counter-culture Paladin
    • by elrous0 ( 869638 ) *
      Had a neighbor once who had a steel door, steel frame, dead bolts that went right into the masonry, etc. Hilariously, it never occurred to the builder that right next to it was a ground level window made of nothing but glass and flimsy aluminum.
  • his dates are off (Score:3, Informative)

    by Wilpower ( 964564 ) on Thursday April 19, 2007 @12:22PM (#18800727)
    > In the late 1980s and early 1990s, there were more than a hundred competing firewall products.

    No there weren't. I owned a firewall consulting firm back then. In the early 90's there were fewer than half a dozen firewall products to choose from. There was very little interest in them until Al Gore made his "Information Super Hi Way" speech around 94?

    > The few that "won" weren't the most secure firewalls; they were the ones that were easy to set up, easy to use and didn't annoy users too much.

    That may have been true for the consumer personal firewalls that started coming out in the late 90's, but it wasn't a factor for corporate server-like firewalls. We were of the opinion that Gauntlet, the commercial product based off the firewall toolkit, a proxy-based, open source firewall from Trusted Information Systems, was the most secure firewall at the time. However Firewall One, a stateful packet filtering firewall from Checkpoint, was the clear winner in number of units sold. It had nothing to do with ease of use. Firewall One ran on a Sun. Most corporate accounts had at least some Suns. If you already had Sun's 7/24 support, they included it for your firewall at no extra charge. Any other firewall would have involved paying for a second 7/24 support contract. The closest they got to an ease of use issue was the resistance to bringing another flavor of Unix like BSD or Linux into their shop. My how things have changed :-)
  • Bruce is a rare guy who is deeply knowledgeable in his field of expertise, and yet can see the rest of the world around him. His books and his articles constantly reiterate the point that computer security is no different from physical security in most cases, and security products are no different from any other products in most cases. In this article, he reminds us that the details of whether you're talking about a secure USB stick or a used car or a bathroom sink don't change the base economics of the mat
