Re: [SC-L] re: Why Software Will Continue to Be Vulnerable

2005-05-02 Thread Gunnar Peterson
It appears that the "user-obvious malware" would need to reach the anterior
insula to make a difference in computer security.

From Business Week -- "Why does logic often take a backseat in making
decisions?":

"The National Hockey League and its players wrangle over a salary cap. The
impasse causes the season to be canceled. Everybody loses. What went wrong?

According to the new science of neuroeconomics, the explanation might lie inside
the brains of the negotiators. Not in the prefrontal cortex, where people
rationally weigh pros and cons, but deep inside, where powerful emotions arise.
Brain scans show that when people feel they're being treated unfairly, a small
area called the anterior insula lights up, engendering the same disgust that
people get from, say, smelling a skunk. That overwhelms the deliberations of
the prefrontal cortex. With primitive brain functions so powerful, it's no
wonder that economic transactions often go awry. "In some ways, modern economic
life for humans is like a monkey driving a car," says Colin F. Camerer, an
economist at California Institute of Technology."

http://www.businessweek.com/print/magazine/content/05_13/b3926099_mz057.htm?chan=mz&;

-gp

Quoting Bill Cheswick <[EMAIL PROTECTED]>:

>
> >Here's a depressing survey
>
> I found it utterly unsurprising.  The bad guys almost never erase hard
> drives, or do other terribly inconvenient things to the machines they own.
> They simply run in the background, mostly, and the users don't understand
> the issues.
>
> My father has repeatedly asked why he should care that his computer is
> totally owned.  I've told him that his CPU engine is blowing blue smoke all
> over the Internet, but that doesn't help.
>
> An outbreak of user-obvious malware might change the equation, but I am not
> suggesting that someone run the experiment.
>
> ches
>




[SC-L] re: Why Software Will Continue to Be Vulnerable

2005-05-02 Thread Bill Cheswick

>Here's a depressing survey

I found it utterly unsurprising.  The bad guys almost never erase hard drives,
or do other terribly inconvenient things to the machines they own.  They simply
run in the background, mostly, and the users don't understand the issues.

My father has repeatedly asked why he should care that his computer is totally
owned.  I've told him that his CPU engine is blowing blue smoke all over the
Internet, but that doesn't help.

An outbreak of user-obvious malware might change the equation, but I am not
suggesting that someone run the experiment.

ches




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-02 Thread ljknews
At 8:05 AM -0400 5/2/05, Kenneth R. van Wyk wrote:

> Yet, despite that pessimistic outlook -- and the survey that
> forked this thread -- I do think that companies are demanding
> more in software security, even though consumers are not.

Companies value time spent on cleanup more than consumers do.
-- 
Larry Kilgallen




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-02 Thread Kenneth R. van Wyk
Michael Silk wrote:
> I honestly don't believe that the consumers will _EVER_ care, and I
> don't believe that they should have to. At most maybe they should just need
> to keep an eye out for a sticker, or star-rating (government approved)
> or something. But as you say, 'security' is 'hard to measure', so an
> approach like that won't work.

As the saying goes, give the consumer the choice between security and 
dancing pigs, and they'll pick dancing pigs every single time.  There's 
probably more than just a grain of truth to that.

Yet, despite that pessimistic outlook -- and the survey that forked this 
thread -- I do think that companies are demanding more in software 
security, even though consumers are not.  I'm not aware of surveys that 
directly address that, but it sure seems obvious to me that they are.  
Here's to wishful thinking, anyway!

Cheers,
Ken van Wyk


Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-02 Thread Michael Silk
Inline..

On 5/2/05, Jeff Williams <[EMAIL PROTECTED]> wrote:
> > What really mystifies me is the analogy to fire insurance. *Everyone*
> > keeps their fire insurance up to date, it costs money, and it protects
> > against a very rare event that most fire insurance customers have never
> > experienced. What is it that makes consumers exercise prudent good
> > sense for fire insurance, but not in selecting software?
> 
> Fire safety is physical, not tremendously complicated, and we have tons of
> actuarial data. Software security, on the other hand, is extremely difficult
> for anyone to measure -- it takes a lot of effort, even with the most
> advanced tools and knowledge.
> 
> So there's no way for anyone to tell which software is secure.  Many vendors
> make dramatically inflated claims about their product's security features
> and rarely get called on them.  For example, there are dozens of vendors
> claiming that their technology solves the OWASP Top Ten -- which is
> ridiculous.
> 
> Anyway, it's not surprising to me that consumers aren't seeking out
> security.  Or that vendors aren't providing it for that matter.  In my
> opinion, the market is broken because of asymmetric information, and it will
> never work until we find ways to make security more visible to everyone.

To whom, though?

I honestly don't believe that the consumers will _EVER_ care, and I
don't believe that they should have to. At most maybe they should just need
to keep an eye out for a sticker, or star-rating (government approved)
or something. But as you say, 'security' is 'hard to measure', so an
approach like that won't work.

Maybe there is no answer, and the problem will never be fixed ... it's
probably sad but true that companies won't allow 'security' to be
added, or they will at least charge for it because it's now widely
accepted that 'security' is 'feature' not a requirement. And consumers
will never care; look at health warnings on cigarettes for example (at
least in Australia): "Smoking causes cancer.", yet people still smoke.
It will be exactly the same with software. jmho...

-- Michael