Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-09 Thread Jerry Leichter
On Sep 8, 2013, at 6:49 PM, Phillip Hallam-Baker wrote:
> ...The moral is that we have to find other market reasons to use security. 
> For example simplifying administration of endpoints. I do not argue like some 
> do that there is no market for security so we should give up, I argue that 
> there is little market for something that only provides security and so to 
> sell security we have to attach it to something they want
Quote from the chairman of a Fortune 50 company to a company I used to work 
for, made in the context of a talk to the top people at that company*:  "I 
don't want to buy security products.  I want to buy secure products."

This really captures the situation in a nutshell.  And it's a conundrum for all 
the techies with cool security technologies they want to sell.  Security isn't 
a product; it's a feature.  If there is a place in the world for companies 
selling security solutions, it's as suppliers to those producing something that 
fills some other need - not as suppliers to end users.

-- Jerry

*It's obvious from public facts about me that the company "receiving" this word 
of wisdom was EMC; but I'll leave the other company anonymous.


___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-09 Thread ianG

On 9/09/13 03:48 AM, James A. Donald wrote:
> On 2013-09-09 6:08 AM, John Kelsey wrote:
>> a.  Things that just barely work, like standards groups, must in general be
>> easier to sabotage in subtle ways than things that click along with great
>> efficiency.  But they are also things that often fail with no help at all from
>> anyone, so it's hard to tell.
>>
>> b.  There really are tradeoffs between security and almost everything else.  If
>> you start suspecting conspiracy every time someone is reluctant to make that
>> tradeoff in the direction you prefer, you are going to spend your career
>> suspecting everyone everywhere of being anti-security.  This is likely to be
>> about as productive as going around suspecting everyone of being a secret
>> communist or racist or something.

Part of the problem is that we are trained to label ideas that we find 
uncomfortable as conspiracy theories.  And, when they are shown to be 
true, we aren't ready to apologise for our slapping down of those 
wretches so labelled.

It's far better to talk in risk terms.  Yes, the NSA could have hacked 
the RNG in intel's chips.  But what is the likelihood?  Low?  Medium? 
High?  Everyone can choose, and now the desire to slap down is detuned.

Same with NSA infiltrating the IETF.  Yes, we can agree it is a risk.

But what steps has the IETF taken to mitigate it?  It is an open forum, 
we can check the bona fides of all players, we can read their comments 
forever, etc etc.  We can therefore all (personally) decide on whether 
the risk is adequately mitigated.  And whether to do more mitigation at 
the individual level.

> Poor analogy.
>
> Everyone is a racist, and most people lie about it.
>
> Everyone is a communist in the sense of being unduly influenced by
> Marxist ideas, and those few of us that know it have to make a conscious
> effort to see the world straight, to recollect that some of our supposed
> knowledge of the world has been contaminated by widespread falsehood.
>
> The Climategate files revealed that official science /is/ in large part
> a big conspiracy against the truth.
>
> And Snowden's files seem to indicate that all relevant groups are
> infiltrated by people hostile to security.

I think we can just about comfortably put our own professional 
difficulties into risk analysis, and agree to differing levels of risk. 
But once we get into non-security issues such as racism, politics, 
etc, our ability to be objective rapidly diminishes.

(I don't disagree with what is said above, I just agree we can't talk 
productively at that level...)

iang


Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-09 Thread Peter Gutmann
Phillip Hallam-Baker  writes:

>People buy guns despite statistics that show that they are orders of
>magnitude more likely to be shot with the gun themselves rather than by an
>attacker.

Some years ago NZ abolished its offensive (fighter) air force (the choice was 
either to buy all-new, meaning refurbished, jets at a huge cost or abolish the 
capacity).  Lots of people got very upset about this, because it was leaving 
us defenceless.

(For people who are wondering why this position is silly, have a look at the
position of New Zealand on a world map.  The closest country with direct
access to us (in other words that wouldn't have to go through other countries
on the way here) is Peru, and they don't have any aircraft carriers).

Peter.


Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-08 Thread James A. Donald

On 2013-09-09 6:08 AM, John Kelsey wrote:
> a.  Things that just barely work, like standards groups, must in general be
> easier to sabotage in subtle ways than things that click along with great
> efficiency.  But they are also things that often fail with no help at all from
> anyone, so it's hard to tell.
>
> b.  There really are tradeoffs between security and almost everything else.  If
> you start suspecting conspiracy every time someone is reluctant to make that
> tradeoff in the direction you prefer, you are going to spend your career
> suspecting everyone everywhere of being anti-security.  This is likely to be
> about as productive as going around suspecting everyone of being a secret
> communist or racist or something.

Poor analogy.

Everyone is a racist, and most people lie about it.

Everyone is a communist in the sense of being unduly influenced by 
Marxist ideas, and those few of us that know it have to make a conscious 
effort to see the world straight, to recollect that some of our supposed 
knowledge of the world has been contaminated by widespread falsehood.


The Climategate files revealed that official science /is/ in large part 
a big conspiracy against the truth.


And Snowden's files seem to indicate that all relevant groups are 
infiltrated by people hostile to security.




Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-08 Thread Phillip Hallam-Baker
On Sun, Sep 8, 2013 at 3:08 PM, Perry E. Metzger  wrote:

> On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker
>  wrote:
> > The Registrars are pure marketing operations. Other than GoDaddy
> > which implemented DNSSEC because they are trying to sell the
> > business and more tech looks kewl during due diligence, there is
> > not a market demand for DNSSEC.
>
> Not to discuss this particular case, but I often see claims to the
> effect that "there is no market demand for security".
>
> I'd like to note two things about such claims.
>
> 1) Although I don't think P H-B is an NSA plant here, I do
> wonder about how often we've heard that in the last decade from
> someone trying to reduce security.
>

There is a market demand for security. But it is always item #3 on the list
of priorities and the top two get done.

I have sold seven figure crypto installations that have remained shelfware.

The moral is that we have to find other market reasons to use security. For
example simplifying administration of endpoints. I do not argue like some
do that there is no market for security so we should give up, I argue that
there is little market for something that only provides security and so to
sell security we have to attach it to something they want.




> 2) I doubt that safety is, per se, anything the market demands from
> cars, food, houses, etc. When people buy such products, they don't
> spend much time asking "so, this house, did you make sure it won't
> fall down while we're in it and kill my family?" or "this coffee mug,
> it doesn't leach arsenic into the coffee does it?"
>

People buy guns despite statistics that show that they are orders of
magnitude more likely to be shot with the gun themselves rather than by an
attacker.


> However, if you told consumers "did you know that food manufacturer
> X does not test its food for deadly bacteria on the basis that ``there
> is no market demand for safety''", they would form a lynch mob.
> Consumers *presume* their smart phones will not leak their bank
> account data and the like given that there is a banking app for it,
> just as they *presume* that their toaster will not electrocute them.
>

Yes, but in most cases the telco will only buy a fix after they have been
burned.

To sell DNSSEC we should provide a benefit to the people who need to do the
deployment. Problem is that the perceived benefit is to the people going to
the site which is different...


It is fixable, people just need to understand that the stuff does not sell
itself.

-- 
Website: http://hallambaker.com/

Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-08 Thread Christian Huitema
> Not to discuss this particular case, but I often see claims to the
> effect that "there is no market demand for security".

Bill Gates's 2003 "trustworthy computing" memo is a direct proof of the
opposite. He perceived lack of security, shown by reports of worms and
viruses, as a direct threat against continued sales of Windows products. And
then he proceeded to direct the company to spend billions to improve the
matter. Say what you want about BillG, but he is pretty good at assessing
market demand.

-- Christian Huitema


Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-08 Thread John Denker
On 09/08/2013 12:08 PM, Perry E. Metzger wrote:
> I doubt that safety is, per se, anything the market demands from
> cars, food, houses, etc.

I wouldn't have said that.  It's a lot more complicated than
that.  For one thing, there are lots of different "people".
However, as a fairly-general rule, people definitely do 
consider safety as part of their purchasing decisions.
 -- Why do you think there are layers of tamper-evident
  packaging on Tylenol (and lots of other things)?  Note that
  I was not kidding when I suggested tamper-evident data
  security measures.  Not only do responsible vendors want
  the product to be safe when it leaves the factory, they want 
  to make sure it /stays/ safe.
 -- Any purchaser with an ounce of sense will hire an inspector
  to check over a house before putting down a deposit.  Sales
  contracts require the seller to disclose any known defects,
  and generally provide some sort of warranty.
 ++ Forsooth, if people bought crypto as carefully as they buy
   houses, we'd all be a lot better off.
 -- In many cases, consumers do not -- and cannot -- /directly/
  evaluate safety and quality, so they rely on third parties.
  One familiar example is the airline industry.  The airlines
  generally /like/ being regulated by the FAA because by and 
  large the good guys already exceed FAA safety standards, and 
  they don't want some bad guy coming in and giving the whole
  industry a bad name.
 -- I imagine food and drug safety is similar, although the
  medical industry complains about over-regulation more than
  I would have expected.
 -- There are also non-governmental evaluation agencies, such
  as Underwriters' Laboratories and Earth Island Institute.

 ** There are of course /some/ people who court disaster.  For
  example, there are folks who consider seatbelt laws and motorcycle
  helmet laws to be oppressive government regulation.  These are
  exceptions to the trends discussed above, but they do not 
  invalidate the overall trends.

 !! Note that even if you are doing everything you know how to do,
  you can still get sued on the grounds of negligence and deception
  if something goes wrong ... especially (but not only) if you said
  it was safer than it was.  Example:  Almost every plane crash ever.

  Let's be clear:  A lot of consumer "demands" for safety are made
  retroactively.  "Caveat emptor" has been replaced by /caveat vendor/.



Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-08 Thread John Kelsey
As an aside:

a.  Things that just barely work, like standards groups, must in general be 
easier to sabotage in subtle ways than things that click along with great 
efficiency.  But they are also things that often fail with no help at all from 
anyone, so it's hard to tell.

b.  There really are tradeoffs between security and almost everything else.  If 
you start suspecting conspiracy every time someone is reluctant to make that 
tradeoff in the direction you prefer, you are going to spend your career 
suspecting everyone everywhere of being anti-security.  This is likely to be 
about as productive as going around suspecting everyone of being a secret 
communist or racist or something.  

--John


[Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-08 Thread Perry E. Metzger
On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker
 wrote:
> The Registrars are pure marketing operations. Other than GoDaddy
> which implemented DNSSEC because they are trying to sell the
> business and more tech looks kewl during due diligence, there is
> not a market demand for DNSSEC.

Not to discuss this particular case, but I often see claims to the
effect that "there is no market demand for security".

I'd like to note two things about such claims.

1) Although I don't think P H-B is an NSA plant here, I do
wonder about how often we've heard that in the last decade from
someone trying to reduce security.

2) I doubt that safety is, per se, anything the market demands from
cars, food, houses, etc. When people buy such products, they don't
spend much time asking "so, this house, did you make sure it won't
fall down while we're in it and kill my family?" or "this coffee mug,
it doesn't leach arsenic into the coffee does it?"

Consumers, rightfully, presume that reasonable vendors *naturally*
did not design products that would kill them and they focus instead
on the other desirable characteristics, like comfort or usability or
what have you.

However, if you told consumers "did you know that food manufacturer
X does not test its food for deadly bacteria on the basis that ``there
is no market demand for safety''", they would form a lynch mob.
Consumers *presume* their smart phones will not leak their bank
account data and the like given that there is a banking app for it,
just as they *presume* that their toaster will not electrocute them.

If you ever say "we're not worrying about security in our systems
because there's no market demand for it", you had better make sure
not to say it in public from now on, because the peasants with
pitchforks and torches will eventually find you if they catch wind of
it.

Perry
-- 
Perry E. Metzger  pe...@piermont.com