Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on BULLRUN)
Phillip Hallam-Baker hal...@gmail.com writes:

> People buy guns despite statistics that show that they are orders of magnitude more likely to be shot with the gun themselves rather than by an attacker.

Some years ago NZ abolished its offensive (fighter) air force (the choice was either to buy all-new, meaning refurbished, jets at a huge cost or abolish the capacity). Lots of people got very upset about this, because it was leaving us defenceless.

(For people who are wondering why this position is silly, have a look at the position of New Zealand on a world map. The closest country with direct access to us (in other words that wouldn't have to go through other countries on the way here) is Peru, and they don't have any aircraft carriers).

Peter.

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on BULLRUN)
On Sep 8, 2013, at 6:49 PM, Phillip Hallam-Baker wrote:

> ...The moral is that we have to find other market reasons to use security. For example simplifying administration of endpoints. I do not argue like some do that there is no market for security so we should give up, I argue that there is little market for something that only provides security and so to sell security we have to attach it to something they want

Quote from the chairman of a Fortune 50 company to a company I used to work for, made in the context of a talk to the top people at that company*: "I don't want to buy security products. I want to buy secure products."

This really captures the situation in a nutshell. And it's a conundrum for all the techies with cool security technologies they want to sell. Security isn't a product; it's a feature. If there is a place in the world for companies selling security solutions, it's as suppliers to those producing something that fills some other need - not as suppliers to end users.

-- Jerry

*It's obvious from public facts about me that the company receiving this word of wisdom was EMC; but I'll leave the other company anonymous.
Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on BULLRUN)
On Sun, Sep 8, 2013 at 3:08 PM, Perry E. Metzger pe...@piermont.com wrote:

> On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker hal...@gmail.com wrote:
>
> > The Registrars are pure marketing operations. Other than GoDaddy which implemented DNSSEC because they are trying to sell the business and more tech looks kewl during due diligence, there is not a market demand for DNSSEC.
>
> Not to discuss this particular case, but I often see claims to the effect that there is no market demand for security. I'd like to note two things about such claims.
>
> 1) Although I don't think P H-B is an NSA plant here, I do wonder about how often we've heard that in the last decade from someone trying to reduce security.

There is a market demand for security. But it is always item #3 on the list of priorities and the top two get done. I have sold seven figure crypto installations that have remained shelfware.

The moral is that we have to find other market reasons to use security. For example simplifying administration of endpoints. I do not argue like some do that there is no market for security so we should give up, I argue that there is little market for something that only provides security and so to sell security we have to attach it to something they want.

> 2) I doubt that safety is, per se, anything the market demands from cars, food, houses, etc. When people buy such products, they don't spend much time asking "so, this house, did you make sure it won't fall down while we're in it and kill my family?" or "this coffee mug, it doesn't leach arsenic into the coffee does it?"

People buy guns despite statistics that show that they are orders of magnitude more likely to be shot with the gun themselves rather than by an attacker.

> However, if you told consumers "did you know that food manufacturer X does not test its food for deadly bacteria on the basis that ``there is no market demand for safety''", they would form a lynch mob.
> Consumers *presume* their smart phones will not leak their bank account data and the like given that there is a banking app for it, just as they *presume* that their toaster will not electrocute them.

Yes, but in most cases the telco will only buy a fix after they have been burned.

To sell DNSSEC we should provide a benefit to the people who need to do the deployment. Problem is that the perceived benefit is to the people going to the site which is different...

It is fixable, people just need to understand that the stuff does not sell itself.

--
Website: http://hallambaker.com/
Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on BULLRUN)
On 2013-09-09 6:08 AM, John Kelsey wrote:

> a. Things that just barely work, like standards groups, must in general be easier to sabotage in subtle ways than things that click along with great efficiency. But they are also things that often fail with no help at all from anyone, so it's hard to tell.
>
> b. There really are tradeoffs between security and almost everything else. If you start suspecting conspiracy every time someone is reluctant to make that tradeoff in the direction you prefer, you are going to spend your career suspecting everyone everywhere of being anti-security. This is likely to be about as productive as going around suspecting everyone of being a secret communist or racist or something.

Poor analogy. Everyone is a racist, and most people lie about it. Everyone is a communist in the sense of being unduly influenced by Marxist ideas, and those few of us that know it have to make a conscious effort to see the world straight, to recollect that some of our supposed knowledge of the world has been contaminated by widespread falsehood.

The Climategate files revealed that official science /is/ in large part a big conspiracy against the truth. And Snowden's files seem to indicate that all relevant groups are infiltrated by people hostile to security.