Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Bad Security Driving Out the Good

kdawson posted more than 7 years ago | from the no-lemonade-for-you dept.

Security 215

Bruce Schneier has up at Wired a typically thoughtful piece on how, in the security market as in others, the lemons are winning out over the good products. Schneier harks back to "The Market For Lemons," the 1970s work of economist George Akerlof, to explain why the market's invisible hand pushes most of the best products into the abyss: "With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death."

Sorry! There are no comments related to the filter you selected.

The way of the world (4, Insightful)

pytheron (443963) | more than 7 years ago | (#18797789)

Marketing and persuasion always wins out in the end. How many tech guys have tried to convince a boss that whatever solution they are going with is not in the interest of the company. Even if you make an objective flow-chart/business impact plan.. their mind is made up. Dick from marketing has personality-brainwashed him. He took him to lunch, he couldn't possibly be like the other salesmen.. nice chap.

Re:The way of the world (5, Insightful)

BSAtHome (455370) | more than 7 years ago | (#18797915)

You are right; it is not security/xyz that sells, but the perception of securty/xyz. That is where the marketers come in.

Re:The way of the world (2, Insightful)

beckerist (985855) | more than 7 years ago | (#18798089)

I think there's more to it though. More security more often than not = less functionality. A completely locked down workstation, while secure, is not going to provide the users with as much functionality than a wide-open workstation. A lot of products are sold simply because of ease-of-use (read: ipod), and security is merely an extra "feature."

Think of it too like a car. Would you rather have a car that has a governor, limiting your speed to 55MPH/100KPH? It's safer...

Re:The way of the world (3, Funny)

Alzheimers (467217) | more than 7 years ago | (#18798301)

In New Jersey, their governors don't have any speed limit...

Re:The way of the world (2, Funny)

pragma_x (644215) | more than 7 years ago | (#18798399)

Actually, having driven on the NJ Turnpike myself, I was under the impression that governors are installed on all cars in The Garden State that enforce a minimum speed of 55mph.

Re:The way of the world (1)

Bluesman (104513) | more than 7 years ago | (#18798533)

Not true anymore, we bumped it up to 65mph.

Re:The way of the world (1)

mlts (1038732) | more than 7 years ago | (#18799045)

Bruce summed it up with his term for it, security theater.

Tech Guys should learn from Marketing. (1)

jellomizer (103300) | more than 7 years ago | (#18798005)

I know it sounds dirty. But most technical problems that people have are more emotional and less technical. If IT pushed hard enough to get the Best software and the people dont feel good about the software they will pressure you and bug you about every little problem to proove to you and themselfs that they should have went with the other product. Having the buisness case helps when all things are equal but as people who needs to support the product well need to take the plate invite or bring your boss to lunch do the marketing for the better product. Try to get people to feel emotionally good about the product. If they are not emotionally OK with the project they will have problems with it. But if they are emotionally ok with a Bad Product they will overlook its problems and spend their own time to find workarounds.

Re:The way of the world (1)

Mockylock (1087585) | more than 7 years ago | (#18798155)

I agree. Happens all the time when those in charge are oblivious.

The best Marketing = Religion (5, Insightful)

LibertineR (591918) | more than 7 years ago | (#18798179)

Tech Companies should learn this and never forget it.

Endless promotion, Endless recruitment, Constant attack on competition.

Persuasive spokespersons, Constant reminders of what you WONT get if you dont buy, and buy NOW.

An answer to every question or challenge about your product, and when that wont work, promote FAITH in the organization, and patience in the reciept of what you are really wanted.

Unashamed, unabashed belief in your product as THE ONLY real solution.

This is Evangelism, and it works better than anything else, regardless of whether you really have the goods or not.

Re:The best Marketing = Religion (1, Flamebait)

jeffasselin (566598) | more than 7 years ago | (#18798439)

The difference with religion, is that unsatisfied customers can't call them on their lies, since they're dead!

No one ever came back from the dead to tell us "There is NO life after death" for very obvious reasons :-)

Re:The way of the world (0)

Anonymous Coward | more than 7 years ago | (#18798231)

How many techs try to convince a boss that the best solution is XYZ operating system/database/programming language/hardware mfg./etc., which coincidentally happens to be the tech's favorite technology and the one they are most skilled in?

Re:The way of the world (3, Insightful)

Red Flayer (890720) | more than 7 years ago | (#18798417)

It's funny, though, TFA has little to say about marketing -- except for asymmetrical information theory. Marketing ties into this because it is how companies take advantage of buyers, who have less accurate info than sellers.

The problem is not just marketing. The problem is that since buyers aren't well-informed, they choose mediocre products, which prices out the best products. This starts a nasty cycle, since with the best products out of the market, buyers then choose even poorer solutions to save a buck, which ends up pricing out the best remaining products, and so on.

Marketing takes advantage of asymmetrical information -- but the root cause is the buyer's lack of information. Given that most decision-makers do not have the resources to adequately research every purchase they make, how can this be fixed? How much should a company spend on researching products, in relation to the cost of those products? Many people can't justify spending a lot of time researching the options for a $2000/yr solution. When the proposals come in, and several[1] of the vendors offer a seemingly-equivalent solution for $1500, how can I justify spending $2000? Purchasing is about choosing products that meet your requirements at the lowest cost. It's not feasible for every purchase to undergo a full TCO analysis that includes factored risk of loss -- how many businesses employ actuaries?

Multiply this scenario by thousands, and the best solutions are driven out of business.

[1] It's important that there are multiple options at that price point, since it makes each of the products at that level seem acceptable.

Re:The way of the world (2, Insightful)

daviddennis (10926) | more than 7 years ago | (#18799473)

Something you might not have noticed is that if reviews truly use ease of use and throughput as the most important factors, the most insecure products look better than more secure products.

Security is one of the few cases where we're supposed to pay more to inconvenience ourselves. I'd say most people outside of the small fraternity of computer security folk would really prefer the insecure product, until its consequences hit them.

D

Re:The way of the world (4, Insightful)

zappepcs (820751) | more than 7 years ago | (#18798485)

It gets better. Take an honest look at advertising, look at what they are selling and how they are selling it. Chances are better than 90% of the products you either don't need, can live without, or just plain can't use. Any product that is worth its weight simply doesn't need to be advertised.

While you are looking at marketing campaigns, see who spends the most money. I believe that the value of a product is inversely related to advertising dollars spent. With the exception of products that are new. VoIP is one of those (even though I can't for the life of me figure out what the Vonage marketers were thinking) exceptions where the product is so new that advertising is as much about education as it is selling. Sleeping aids and medicines for ailments your parents never heard of is no better than little blue pill junk mail. There are times that I think that such advertisements should be blockable and covered under the can-spam act.

Anyway, advertising sells. Without it consumers won't even know there is a product. Despite the buzz about desktop linux there actually are people in North America that do NOT know what Linux is, never mind if they want to use it. Security products and practices are the same. I haven't counted, but I know I don't have enough fingers for counting the number of times I've heard a VP spouting verbatim from some magazine article as if he learned it in college or something.

This effect is what keeps MS products so prominent, people don't actually know or understand that there are other competing products. People know about Mcafee and Norton. They don't know about ClamAV, and are not sure what Symantec does.

The open market, in this respect, is just a popularity contest.

I had hopes that sites like Consumer reports et al would change that, but no, consumers really are mostly sheep.

Contradictions, anyone? (0)

LibertineR (591918) | more than 7 years ago | (#18798761)

Any product that is worth its weight simply doesn't need to be advertised.

Congradulations, as you have now joined the stupid statement hall of fame, with that one.

Then, you go on to mention that people dont know about Desktop Linux despite the 'buzz'. Huh?

There IS no buzz for Linux outside of technologists BECAUSE there has been no Marketing to speak of.

People dont adopt your product solely on the basis of the other product sucking, you have to give them a reason FOR your product. Even stupid politicians know this. Your product must bring something to the table AND it is your job to let your potential customers know about it, until they can recite it in their sleep.

A product is NOT worth its weight, if nobody knows about it. Geeks are too arrogant to understand that not everyone lives and breathes technology. On any given day, there are 100 if not 1000 times more people browsing MySpace, than at NewEgg.

Strange, I know, but true.

Re:The way of the world (1)

juniorbird (74686) | more than 7 years ago | (#18799403)

Yes, marketing people are evil droids, bent on the destruction of all that is good and effective. Oh wait, they're probably not.

The issue with going up against marketing is simple: a marketers job is to figure out what their marketing targets expect and need, and then communicate with those targets in a meaningful way. That's all they do. Don't be surprised that they can influence people whom engineering can't; engineers' job isn't to discover needs and influence.

The article pretty much explains why what you see happens, happens: it's difficult for non-specialist engineers to assess the quality of technical products. The result is that these non-specialist engineers assess products based on criteria other than those on which these products should be assessed.

That means that the challenge is to bring the important criteria to the fore for your target audience. And that's a very specialized skill; it's called marketing.

lemons (0, Offtopic)

Takichi (1053302) | more than 7 years ago | (#18797815)

Anyone else got a hankerin' for some lemonade after all this talk of lemons?

marketing (3, Insightful)

gEvil (beta) (945888) | more than 7 years ago | (#18797817)

It really boils down to marketing, IMHO. And laziness. The average person doesn't want to have to learn about something and investigate its merits. By and large they're much happier being told that Item A does XYZ, while Item B does XYZ *and* W, all while being easier to use than Item A. Despite W being a useless feature, and the "easier to use" claim being baseless, Item B will win out due to how it's been marketed.

Re:marketing (3, Informative)

Turn-X Alphonse (789240) | more than 7 years ago | (#18797965)

I completely disagree.

My parents both wish to learn more but they just don't understand what thinks mean. They think "memory" (RAM) is used to hold data (Hard drive space), so getting more RAM must mean they can store more files. Logically this works, memory = storage in the classic sense and this is why marketing works. Saying "More 255 QUQUTALUU memory!" and "wow a massive 20 gig hard drive" makes it seem like these things are big and impressive, where as people who know see it's complete crap.

Maybe if we stopped calling people lazy and taught them just the basics (what RAM does, what a hard drive does etc.) they would understand marketing for the bullshit it is and see through it. But instead we sit here going "lol idiots, too lazy! idiots!" and end up having to slave over their mistakes.

Re:marketing (3, Insightful)

gEvil (beta) (945888) | more than 7 years ago | (#18798087)

You are correct--there are some people who honestly are interested in learning about these things so that they can make these decisions themselves. However, they are the exception, not the rule. If someone is truly interested in learning, I'm more than happy to help them out. But when offers of assistance are met with "I don't want to know about that" or "That doesn't matter to me" then all bets are off and you're on your own, as far as I'm concerned.

Re:marketing (0)

Anonymous Coward | more than 7 years ago | (#18799515)

If someone says "That doesn't matter to me." you should explain to them why it does (or should) matter to their decision making process or realize that you're giving them superfluous information and adjust your lesson accordingly to avoid useless side tracks... interesting though they may be to you.

Re:marketing (2, Insightful)

gEvil (beta) (945888) | more than 7 years ago | (#18798263)

This is an honest question and isn't meant to belittle anyone in any way. But why is that your parents "wish to learn more" but haven't? I'm assuming that you've tried to educate them on the subject before. So why is it that they still haven't learned, despite their efforts to understand?

Computers are complicated, esp. security (1)

norminator (784674) | more than 7 years ago | (#18799071)

I don't know that guy's parents, but thinking of my own parents, or my wife, they want to be able to use computers well, but they aren't in that world all the time. Most people who read slashdot know a lot about computers. We have taken them apart, upgraded them, built new ones. We've looked through the Windows Device Manager (or lspci). We know what all the different parts of a PC are, and how they interact with each other.

For everyone else, it's a magic black box. They know files are kept in there, and maybe that it has fans and gets hot. Oftentimes, they don't know that RAM is the working space for running programs, and that it's a lot faster to access RAM than the hard drive. They don't know the difference between IDE and SATA and SCSI, and they probably haven't even heard those words before. They know how to plug in an iPod, but only if their PC case has USB ports on the front.

Even when someone wants to learn, they'll get beaten down with marketing confusions like 1GB = 1,000,000,000 bytes (why wouldn't that be true, as far as they know?), 3 Mb/s = 384kB/s, and 802.11a/b/g/n (these letters are assigned by standards bodies made up of engineers, not by marketing people). In the market for security products, customers really have to pay attention to realize that security by obscurity is very poor security (or worse than none at all in many cases), and even to be able to recognize when obscurity is even being used as the main form of security. The many different encryption algorithms available today are confusing at best (how are my parents supposed to remember that DES, not AES is the one that has been cracked). And then consider the fact that even a very secure algorithm like 256-bit AES can be completely worthless if it is not implemented very carefully. RC4, the algorithm used in the easy to crack WEP wireless encryption scheme, can actually be pretty secure, if it is implemented correctly [rsa.com] , which it wasn't for WEP.

In TFA, Schneier points out that even he has a tough time telling if if some of these products are implemented well or not. Computer security is a very complex subject. "Is that a thumbprint reader? That must be secure, I saw one in a high-tech spy movie in the 80's!" Movies and TV don't help, either.

Re:marketing (1)

jojoba_oil (1071932) | more than 7 years ago | (#18798141)

By and large they're much happier being told that Item A does XYZ, while Item B does XYZ *and* W, all while being easier to use than Item A. Despite W being a useless feature, and the "easier to use" claim being baseless, Item B will win out due to how it's been marketed.
Actually, I think what it's saying is that Item A does XYZ, while Item B says it does XYZ and uses W as a distraction away from the core functionality.

Also, as described in TFA "easier to use" seems to equate exactly to "less interaction with user" or "controlled interruption of computing experience". If a user sees a firewall product repeatedly asking about random security stuff, they won't see it as being secure but rather as annoying. Fine examples (although not directly "security products") are the different models of Windows: Vista is horribly annoying, whereas others are horribly insecure.

So while I'll agree with you that marketing plays a part, I'd disagree on your other points.

Re:marketing (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18798213)

The average person doesn't want to have to learn about something and investigate its merits.

The "average" person's life doesn't revolve around IT. Let's look at Apple. You know why they were a hit with the artist community? Because you pulled it out of the box and it ran. Artists have to concentrate on their job - which is their art/craft/job - not having to spend hours upon hours reading poorly written manuals and trial and error. Hire someone? Please, at $100/hr for a Windows/*NIX admin type, they'd wouldn't be able to make a living - they barely make living as it is (Do what you love and the money will follow - HA!).

The above goes for the same with: construction, accountants, lawyers, Indian chiefs, etc...

Re:marketing (1)

Doctor-Optimal (975263) | more than 7 years ago | (#18798391)

The above goes for the same with: construction, accountants, lawyers, Indian chiefs, etc...

How about motorcycle cops and sailors?

Your point is valid, but... (1)

Jeff Molby (906283) | more than 7 years ago | (#18799525)

And laziness. The average person doesn't want to have to learn about something and investigate

There's no reason to be condescending.

In most cases, the difference between value of the "best" product and its competitors is less than the time/money cost of determining which is indeed the "best".

Money. (5, Insightful)

Sorthum (123064) | more than 7 years ago | (#18797829)

As TFA states, it's easy for someone to create a security product which they themselves cannot break. Hiring external testers can be a huge expense if done right, and when companies rely more on hype than on technical brilliance, they end up getting screwed. SecuStick is rare only in that its crappy security made headlines.

Re:Money. (4, Informative)

cyphercell (843398) | more than 7 years ago | (#18798385)

Secustick is rare in that they admitted that their device was insecure when the flaw was discovered (highly commendable). This is something I see happening at work quite often, you simply don't talk about your mistakes or anyone elses, because people are so damn neurotic about it. You have to very carefully say what you're trying to say, or people will get defensive and supervisors get offensive. Quality takes a back seat because people don't have an f*ing clue what the difference is between accountability and guilt/incompetence. Secustick is holding themselves accountable, but I'm sure many see them as a joke.

The best understatement of the year so far? (4, Informative)

ZorroXXX (610877) | more than 7 years ago | (#18797837)

Written by no other than Bruce Schneier:

... but even I couldn't tell you if Kingston's offering is better than Secustick. ... And if I can't tell the difference, most consumers won't be able to either.

Vista (5, Insightful)

Toe, The (545098) | more than 7 years ago | (#18797843)

Well... that explains why Vista is selling.

(Yeah I know... flamebait. But it had to be said.)

Re:Vista (4, Insightful)

Architect_sasyr (938685) | more than 7 years ago | (#18798127)

Is it flamebait? If I had mod points I'd probably flag as insightful. As I've stated before I'm the linux guy in a Microsoft shop and the majority of Vista upgrades (that are voluntary - so about 3% of our vista users) have done it because Vista offers better security and a slick interface, from a team of Microsoft oriented tech's, this has produced outrage. Despite the best intentions of the IT team Vista is coming regardless of what we want. I personally blame the marketing, and would cite the comment made to me not 3 days ago. "Vista has to be more secure. All the ad[vertisement]s say that it is". I can't compete with Microsofts marketing tactics (nor any other company) I simply don't have the resources. Only the respect of the IT team and the proven skill/competency in what we do has kept the CEO's from asking for the upgrades.

On Topic: Is this really a "bad security winning out" scenario, or are we merely looking at the triangle of cost, security and usability... cost and usability are of course the big factors for most corporations, so the sacrifice of security is, perhaps, merely a progression of cost cutting and the aim to supress those "annoying messages" that indicate a potential PEBKAC when inputting data.

My $0.02 AU

no different... (1)

teknopurge (199509) | more than 7 years ago | (#18797851)

then any other IT sector: marketing trumps all. You can have a mediocre product that has a good marketing campaign and you will move product. Moving Product begets market penetration.**

-tp

** I set someone up GOOD for a comment....

Re:no different... (1)

dmsuperman (1033704) | more than 7 years ago | (#18798317)

ROFL he said a funny word. "begets" lol...

Re:no different... (0)

Anonymous Coward | more than 7 years ago | (#18799077)

If the products too flimsy it won't be able to achieve penetration, will it? At least, that's what my girlfriend keeps telling me...

The winners are never the best. (1)

jellomizer (103300) | more than 7 years ago | (#18797853)

If you look at technology the winners are never the best. Becuase the Best costs to much and people (including us, (the more technically informed) rairly get enough information to make informed decisions. There are only very limited indrustires that are regulated enough to give people informaton to make the best purchasing decisions. Like Fine Juleriy, they are required to state what quality the product is. Diomonds had the 4 Cs (Karot (it sounds like a C), Cut, Color, Clarity) and they are very regulated when they tell you what the quality is. The same is with Gold, I know my Wedding Ring is 14 Karot gold. Now this is not saying we can't be ripped of but it at leasts has a reconized source that tells us what the quality is and we can make informed decisions. Technology is different there is no clear way that we can know if the Sun Enterprise server is better quality then the Dell Server, All we know is that the dell server is cheaper.

Re:The winners are never the best. (0, Offtopic)

petwalrus (645792) | more than 7 years ago | (#18797963)

Juleriy. Awesome.

Re:The winners are never the best. (0)

Anonymous Coward | more than 7 years ago | (#18798097)

And the worst spelling award goes to...

Re:The winners are never the best. (1)

jellomizer (103300) | more than 7 years ago | (#18798159)

Mie! Eie'll poot et reth mi oter ewerds fer werst spilleng!

Re:The winners are never the best. (1)

emor8t (1033068) | more than 7 years ago | (#18798279)

Seriously man, that doesn't even come out phonetically. Joolary, Jewlary, something like that, but where do you get riy?

Re:The winners are never the best. (1)

MindStalker (22827) | more than 7 years ago | (#18797985)

I think the open dialog of the internet is making things slightly better. You can truly find user reviews on just about any product. Its really sad that there still isn't yet a good universal review site that the average Joe knows about. I think there really is an untapped market for something like this. Many if Google started it, it MIGHT take off. Google are you listening???

Re:The winners are never the best. (1)

CastrTroy (595695) | more than 7 years ago | (#18798011)

But it really comes down to how you define better. With Jewelry, there's very strict guidelines to determine color,clarity, etc of diamonds. It's very easy to define 14 K gold. It's another thing entirely with computer systems. How do you define security, stability, and other attributes? Sure there's metrics like MTTF,and MTBF, but those don't really define anything concrete. As far as I'm aware there's no real metrics for security, except looking at number of past exploits, and how long they took to fix, but a lot of companies don't give out that information.

Re:The winners are never the best. (1)

jellomizer (103300) | more than 7 years ago | (#18798119)

Well with Jewelry the strict guidlines came over time. The Jewelry market is much older then technology. I am sure before we got Karats there was a lot of debate on how to measure the value of Gold Objects. Size, Weight, Purity, Color, Malability, Taist, Carosiveness... Overtime with people getting scammed with say Gold Coated Lead, or other yellow tinted metals, they finally started getting rules to help regulate themselfs. Right now we there no real metric for technology but we really should start putting time and effort into finding a fair metric for such.

Re:The winners are never the best. (3, Funny)

Simon80 (874052) | more than 7 years ago | (#18798441)

Check your spelling [tfd.com] before you send your messages, you're hurting my eyes!

Re:The winners are never the best. (0)

Anonymous Coward | more than 7 years ago | (#18798237)

Man...I know this won't get viewed by anyone. It's called the 4 C's because "Karot" is spelled Carat....You'd think you'd look that up before making a ridiculous claim

Carat, diamonds, rarely, industries, jewelery... (0)

Anonymous Coward | more than 7 years ago | (#18799295)

And I realize the homophones are confusing, but it's spelled "too," when used as an adverb, "to" as a preposition or the marker for the infitive, and "two" for the integer between 1 and 3.

Finally, FWIW, the purity of gold is also measured in carats, with an alternate spelling karat (hence the abbreviation 16k).

Re:The winners are never the best. (1)

ZlotyJelop (954615) | more than 7 years ago | (#18799455)

Diamond market is actually a perfect example of asymmetric market where uninformed buyers are paying something like 10 times more than the good is really worth. The market for diamonds is artificially inflated by cartel.

If you don't believe try selling your precious diamond (not exchanging it for another). You will be happy to get 50% of what you paid for it, what by the way is still a great deal considering what it cost to produce the diamonds.

This is a very good story about the diamond industry. http://www.theatlantic.com/doc/198202/diamond/ [theatlantic.com] Please note that this is a link to a newspaper and not any academic source. Still it is a very good read.

If you prefer academic resources Google for Central Selling Organization. You will find plenty of articles and HBS cases.

This story 2400 years old. (5, Insightful)

qazsedcft (911254) | more than 7 years ago | (#18797859)

Socrates in the 400s BC was already complaining about how sophistry is winning over logic and reason. The world will never change.

Re:This story 2400 years old. (5, Interesting)

kisrael (134664) | more than 7 years ago | (#18797917)

The Earth is degenerating today. Bribery and corruption abound.
Children no longer obey their parents, every man wants to write a book,
and it is evident that the end of the world is fast approaching."
--Assyrian tablet, c. 2800 BCE (allegedly)

Re:This story 2400 years old. (1)

BeBoxer (14448) | more than 7 years ago | (#18798563)

The Earth is degenerating today. Bribery and corruption abound.
Children no longer obey their parents, every man wants to write a book,
and it is evident that the end of the world is fast approaching."
--Assyrian tablet, c. 2800 BCE (allegedly)


I think something got lost in translation here. Or is a desire to write a book really a sign of the end times?

Re:This story 2400 years old. (1)

v01d (122215) | more than 7 years ago | (#18798803)

Or is a desire to write a book really a sign of the end times?

Based on the new publications at Barnes and Nobles I can see why someone might make the inference.

Re:This story 2400 years old. (1)

kisrael (134664) | more than 7 years ago | (#18798859)

I think something got lost in translation here. Or is a desire to write a book really a sign of the end times?
Heh, in our increasingly "post-literate" age it seems kind of odd.

Maybe a "truer to the spirit" translation would be "every man wants his own talk show" :-)

Matter of desire (3, Interesting)

tomstdenis (446163) | more than 7 years ago | (#18797871)

Fundamentally people claim they want security, but are often not willing to pay for it. The business that spends the market driven required amount of time on security (even if it's not enough) wins out.

If on the other hand you spend the proper amount of time on security, and position yourself outside the market by the delay in time and additional cost, you lose.

Which is pretty much why OSS rules in terms of security. In the OSS world, we can afford to spend an extra month or two per release to make sure everyone is in order and decent procedures are followed. Which isn't to say it's always the case [most GAIM plugins are horribly written] but usually more often than not it is with things like GPG, OpenSSL, OpenSSH, etc...

Tom

Re:Matter of desire (1)

dpilot (134227) | more than 7 years ago | (#18798557)

I'll disagree...

It's just that we're not trained with respect to security. We have come to take it for granted. So far our model for security has been physical security, and we pretty much have been able to take it for granted. Violations of that assumption are pretty rare and shocking, and the common use of those 2 adjective for that situation validate the assumption.

Now take a different location where the assumption of physical security is not valid, such as Iraq or places in Africa. Most of us would just not go there, or if we had to would probably invest seriously in physical security, ie flak jackets, bodyguards, etc.

Problem here is that from an information sense, we have never really been safe. We've also made the implicit assumption that because we're physically safe, our information is safe, too. That assumption is not valid.

We've spawned an industry spewing the message, "Buy our product and your information will be safe." However unwarranted that message is, we're used to buying products that fix problems. Unfortunately for our information safety, this assumption is currently not valid, either.

If people could truly realize that their information is not safe, and that most security products are like the "Catarrh Remedies" of the 1800s, they would act differently.

Marketers are terrible. (3, Interesting)

CastrTroy (595695) | more than 7 years ago | (#18797873)

I find the people in Marketing are terrible not only when you're buying a product, but also when you're the company making the product. Sometimes people in marketing make stuff up just to get a sale. I think it's in their blood. It hurts both sides because the customer is expecting to get something that doesn't exist, and the development team has to now build this thing that never existed. So often it gets cobbled together really fast, just so the customer thinks it works, but it reality it's only a half working solution.

Re:Salesmen are terrible. (1)

Colin Smith (2679) | more than 7 years ago | (#18798799)

For some reason sales and marketing get conflated. Sales is selling. Marketing is finding out what will sell.

 

Re:Marketers are terrible. (2, Insightful)

radarsat1 (786772) | more than 7 years ago | (#18798853)

That's true. I think the solution is that R&D managers have to be tougher. I know it's rare, but you really need an individual who is willing to stand up to marketing, and just say, you know: "No, actually we don't have that product." If the marketing person who sold the non-existent product can be made to lose face, there would be some motivation for them to not do it again, and to really _learn_ what the products are and what they do instead of just memorizing the buzzwords.

The problem, essentially, is a lack of liability on the part of the sales person. They do this all the time, selling "features" that are just speculative... if they were made to be more careful, it wouldn't happen and the whole R&D department would run more smoothly. Salespeople should be forced to sell products that DO exist. Information flow from R&D to marketing needs to be more open: *these* are the products we actually *have*, go sell them.

If salespeople were made to look dumb in front of their clients when they make a mistake, they wouldn't make mistakes. The problem currently is that when they DO make mistakes, it's R&D that has to pay, not them. You need an R&D manager who is willing to tell them they fucked up, instead of "okay, well I _guess_ we could do that, if we bump our schedule and stop working on this other project for a while.."

Anyways, don't tell me, this is idealistic and impossible.
Does anyone have an R&D manager who stands up to marketing like this?

Duh (1)

akheron01 (637033) | more than 7 years ago | (#18797875)

I think this is pretty obvious, why do you think Apple was always "dying" until they started making their machines as cheaply and unreliably built as the rest of the industry?

The "best" car might be (1)

Colin Smith (2679) | more than 7 years ago | (#18797877)

A Porsche 911 but... Well... You know the rest.

 

Re:The "best" car might be (1)

iainl (136759) | more than 7 years ago | (#18798143)

Is "the rest" the bit where the Porsche execs perform a boardroom coup and end up running pretty much the whole of VAG?

Secustick (4, Funny)

Anonymous Coward | more than 7 years ago | (#18797879)

I'm a $600/hr security consultant - you'd know my name, I used to work at - well I probably shouldn't say. I've FORGOTTEN more than Bruce Schneier knows about crypto, and I think the Secustick is a VERY secure product.

Re:Secustick (0)

Anonymous Coward | more than 7 years ago | (#18798015)

I'm Steven Seagal, I could kick all your asses but you don't see me posting as an AC and boasting about it.

Re:Secustick (0)

Anonymous Coward | more than 7 years ago | (#18798017)

I'm a $600/hr security consultant - you'd know my name, I used to work at - well I probably shouldn't say. I've FORGOTTEN more than Bruce Schneier knows about crypto, and I think the Secustick is a VERY secure product.

But are your abs NP hard [geekz.co.uk] ?

Re:Secustick (0)

Anonymous Coward | more than 7 years ago | (#18798029)

Either that or you're a Secustick employee.

yeah (1)

JeanBaptiste (537955) | more than 7 years ago | (#18798067)

while you're probably just trolling, wouldn't want anyone to believe otherwise so: secustick is horribly insecure [slashdot.org]

Need a smarter, tougher market (1)

Ingolfke (515826) | more than 7 years ago | (#18797893)

Part of the problem here is the market allows itself to be conned. We want to believe that the Securestick works, we don't want to spend the time or pay an extra added expense to have the claims of the marketers actually tested. If users made choices based on objective facts and called for warranties or 3rd party confirmation of marketing claims as part of the base product the lemons would start working their way out of the system. Costs would go up though and so the market is willing to absorb bad products and the risk associated with them for lower immediate prices.

Same in every market. (1)

slusich (684826) | more than 7 years ago | (#18797895)

Most people will focus in on cheap, worthless crap because they don't want to spend the money or expensive over-hyped crap because they believe the four color glossies. This is true for almost every item on shelf, not just security items.
With security products, things become harder because there's no easy way to tell if it is working. If there's never an attempt to steal the data or hack the server, or if the attempt goes unnoticed, then it appears everything is working great.

Additional factor makes it worse for individuals. (1)

Ayanami Rei (621112) | more than 7 years ago | (#18797897)

When you buy a car, it's an expensive personal purchase. When it fails, it's immediately obvious and you mean have legal avenues to investigate to mitigate the issue.

When you make a security decision, it's usually a low-cost personal purchase. When it fails (say your identity gets stolen), the losses you might incur can greatly outweigh the initial investment in the technology, and you will little legal recourse against the vendor to make things right.

This is why I don't trust any commercial security product that isn't merely selling support or management tools. Because they've nothing to lose except my business.

The answer is obvious (-1)

Anonymous Coward | more than 7 years ago | (#18797939)

In this day and age, more than ever, we need good intel. Good intel requires traffic and comms access. No intel service wants perfectly secure security products in the mass market. It is the way of the world that these products will have several backdoors because the manufacturers liaise with intel, as happened during the approval process involving French intel and the Secstick product.

Tech companies just dont understand Marketing (1)

LibertineR (591918) | more than 7 years ago | (#18797967)

Its the same thing in all technical markets. Creators of fine technologies like to think that the sheer genius of their creation will be all they need to get people excited, and that their marketing efforts need go no further than a press release, and a product information page on their web site.

If you build it, THEY WONT COME, unless you practically shove it down their throat, with associated information, pricing, positioning, comparisons and timing. Got that, Commodore?

Microsoft sells technology like Procter and Gamble sells soap, and that is no accident.

Companies with better technology sit and fume, with never a thought to learning about how to market their products in a competitive marketplace, especially when presented with the fact that marketing AINT CHEAP, even if it sucks.

It will never change, because technologists are too in love with their products to ever consider that somebody else wont be without persuasion.

Re:Tech companies just dont understand Marketing (1)

Tim99 (984437) | more than 7 years ago | (#18799255)

Yes, I was employed by a banker running a small Tech company that he owned. I have a technical background - he did not. He let me make all of the technical decisions. He 'helped' with the financial ones. The best advice he gave me was "Don't fall in love with the product."

What he meant was that the market will change quickly and you will need to ditch whatever it is that we have now, and start something completely new. Trying to adapt your old product to the new market means that you will fail. As I found when I had my own company, knowing the technical stuff is a small fraction of what you need to run a business. One of the regularly quoted statistics from accountants is that "Half of all small businesses fail in the first year", one of the less quoted is that "Ninety percent of all small businesses fail in the first 5 years". Perhaps I was lucky, I sold ours and retired after 12 years.

case in point (2, Interesting)

yakumo.unr (833476) | more than 7 years ago | (#18797983)

norton/symantec , bought out sygate :(
I keep worrying they'll pounce on nod32 next.

Design and Evolution (1)

Paulrothrock (685079) | more than 7 years ago | (#18797999)

As Microsoft Windows and the design of the optic nerve shows, it's not the best that succeeds, but the thing that's good enough.

Good vs Good Enough (5, Insightful)

Archangel Michael (180766) | more than 7 years ago | (#18798001)

There is an invisible line between being good (as in above average) and good enough (as in gets the job done).

All things equal, people will choose good over good enough, however all things are not equal. Better products tend to cost more, better service costs more. Cheap products that do mostly marginal job wins the price war and hence wins the market.

There are always going to be niche markets that serve people who KNOW quality and service, most people don't care enough. They'll just choose whatever is cheapest at the moment from brands that they know (even if cheap), as long (and this is key) the quality is "good enough".

Which is why if I were making a product line, I'd make two different and distinct products, one "good enough" and one with better higher quality/service. I'd even go so far as to make sure by brand distinction that people would knwo "cheap, but good enough" from "good" by using strong branding.

Take McDonalds vs any higher quality hamburger shop (Red Robin, White Castle etc), which one is "good enough" vs good. Why don't more people choose the better burger?? It is because McDonalds is "good enough". And in spite of everyone complaining about McDonalds employee quality of service, it is "good enough" to keep going back.

Re:Good vs Good Enough (1)

one_in_a_milli0n (1085449) | more than 7 years ago | (#18799141)

> They'll just choose whatever is cheapest at the moment from brands that they know
> (even if cheap), as long (and this is key) the quality is "good enough".

A typical US-american notion I might add. Not just for technology but everything else. The desire for quality and long-lastiness is way more prevalent in parts of Europe. Having grown up there, the cheapness and poor quality of the most basic products and items in the US drove me nuts at first.

Re:Good vs Good Enough (1)

Archangel Michael (180766) | more than 7 years ago | (#18799483)

It drives me nuts as well. It is Walmartization of products. Walmart pushes for ever cheaper pricing from suppliers, and thus, they cut quality to meet Walmart's demands. That's why a pair of nice socks can last years, but the cheap ones from Wallyworld only last a few months. But heck, I can buy three dozen pairs of from Wally, for the price of one good pair elsewhere. The net is about the same.

It sucks because it is so wasteful.

Re:Good vs Good Enough (0)

Anonymous Coward | more than 7 years ago | (#18799283)

Good argument.

You missed one point. Where I live, there are no White Castles (well, maybe 1 but I have no clue how to find it), and what the heck is a "Red Robin"? besides a bird. I CAN find about 10 McDonalds, about 8 Burger Kings, and 7 Wendys.

Personally I like Subway better....

Uh-oh "market failure"... (1)

mi (197448) | more than 7 years ago | (#18798009)

We have a Market Failure [wikipedia.org] here. Ergo, we need computer security controlled by the government — let's expand the Department of Homeland Security's duties one more time... Or, because we, the critics of the free market, hate the DHS (mostly because it was not us introducing it), let's create an entirely different entity instead.

Pre-emptive flamebaiting...

Yes, there is a government agency [wikipedia.org] looking into computer security, but their role, so far, has been advisory. An alleged "market failure" is usually interpreted into need for more regulation by short-minded illiberals...

Re:Uh-oh "market failure"... (3, Insightful)

spun (1352) | more than 7 years ago | (#18798443)

The standard thinking is that, because of the existence of market failures such as externalities, natural monopolies, and imbalance of information (the issue at hand), the free market paradoxically needs some regulation in order to remain free.

Libertarians are the group most vehemently against this concept, but I have never heard a single one of them coherently explain how exactly the free market will remain free without regulation. Their arguments seem to boil down to "LALALALA I can't hear you! There's no such thing as market failure, the market is infallible!"

If you have a better argument as to why market failures aren't a problem, or a better solution than regulation if you think they are, I'd love to hear it.

Re:Uh-oh "market failure"... (4, Interesting)

Bluesman (104513) | more than 7 years ago | (#18798771)

Nobody argues the free market is infallible. If they do, don't listen.

What people argue is that the free market is "good enough," and is a system that is so complex and quick to react, that any attempt to regulate it for its own good should be looked at long and hard -- simply because it's so difficult to do better without detrimental ramifications, even with the best of intentions.

Natural monopolies are a problem and environmental costs are a problem, and are good targets for regulation.

"Imperfect information" -- I don't understand where this idea got started, but it's completely wrong when applied to free markets. It has to do with zero-sum games like the bond market where there are definitely winners and losers -- here, the guy with the best information wins.

In a free market, when a transaction takes place, the idea is that both parties are better off than they were before. I make a piece of furniture to sell you, you buy it because you can't make as good a piece of furniture for as low a price. I make a profit, and you profit by using your time more efficiently. We both win, despite the fact that I'm a furniture expert and you don't know every detail about the construction of the chair I sold you.

In fact, it's precisely this reason, that you don't need to have perfect information to participate to your advantage, that the free market works.

No, it's not perfect, but it's the best we've got in a free society.

Re:Uh-oh "market failure"... (1)

mi (197448) | more than 7 years ago | (#18799125)

Market is not infallible. The libertarian argument is, it is less fallible than the vast majority of mechanisms designed to regulate it.

Even with the "sacred" things like FDA, it is unclear, if the number of lives preserved by the agency's weeding out bad medicines is greater, than that lost because of the immense regulatory burden faced by the pharmaceuticals.

Re:Uh-oh "market failure"... (1)

alexgieg (948359) | more than 7 years ago | (#18799335)

You can usually find libertarian analysis on each specific kind of reason regulators develop for the need of regulation, but a simple answer to them all at once isn't available. Not that I agree with all they say on each and every subject, but that they do work deeply on all of them, they do. At the Mises Institute website [mises.org] alone you'll find tens of thousands of articles, or even full length books (downloadable for free), on all these subjects, including the ones you mentioned. They're worth reading, if for no other reason than to better know the many arguments available.

Meh (1)

Doctor-Optimal (975263) | more than 7 years ago | (#18799405)

At the Mises Institute website [mises.org] alone you'll find tens of thousands of articles, or even full length books (downloadable for free), on all these subjects, including the ones you mentioned. They're worth reading, if for no other reason than to better know the many arguments available.
If they had any value the market would have assigned them a price

Re:Uh-oh "market failure"... (0)

Anonymous Coward | more than 7 years ago | (#18798757)

I don't think we have a true market failure, just a case where the typical consumer doesn't value security as much as the typical slashdotter.

Lets assume everyone had their identity stolen via some hacker. I'm willing to bet the market would change real fast to where everyone here thinks it should be. I'd bet that the typical consumer would want the best after that.

It'd be curious to see the home security market as well (i.e. - I bet a lot of people buy home security systems after a break-in)

good security isn't fun (1)

Madman (84403) | more than 7 years ago | (#18798045)

The problem is that in order to have good security your product has to make a user or system do less, or have more of a management overhead. People don't like that, they'd rather have less trouble. Successful products MAKE you think they are providing security while bothering you as little as possible.

Re:good security isn't fun (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18798719)

The problem is that in order to have good security your product has to make a user or system do less, or have more of a management overhead. People don't like that, they'd rather have less trouble.

Not all security is a usability or functionality loss. For example, antivirus running in the background stops blacklisted binaries from running, but users don't want those binaries running in the first place so the functionality that is stopped is in line with what the user wants. I don't want a remote attacker to be able to log into my box and start up a spam server. Most users might not even know if this happened to them. Security that silently stops this from happening increases usability and users are happier with it.

Successful products MAKE you think they are providing security while bothering you as little as possible.

Agreed, but good products make you think they are providing security while actually doing so and bothering you as little as possible. There is a perception that security and usability are opposites, but it is not so. Many security products and schemes do decrease usability and many of them do not increase security, but there is also a lot of good security out there that does not decrease usability.

Kingston just wet themselves with excitement (1)

Tumbarumba (74816) | more than 7 years ago | (#18798149)

I don't know if they planned it that way, someone at Kingston Technology is happy. By sending their encrypted usb memory stick to Bruce, who then links to it from both his blog and the Wired article, when then gets linked from Slashdot, they have somehow achieved the best exposure for their product ever!

Re:Kingston just wet themselves with excitement (1)

Bill, Shooter of Bul (629286) | more than 7 years ago | (#18798313)

Yeah, but he also said that he didn't know if it was any better in an article about terrible products. I'm sure some search engines are going to make the Kingston = Lemon association.

Computer Security - The Problem for Joe Blow (5, Insightful)

Grashnak (1003791) | more than 7 years ago | (#18798153)

I feel there is a basic problem when we consider computer security for the average user (not people who have professional or legal obligations to protect their data). There are now two types of average users, those who are so dumb they don't have any security at all (no firewall, no anti-virus, open Wi-Fi etc). These people need to be educated. On the other hand, there is an increasing population of average users who have been turned into paranoid security freaks.

Most people have no need of a USB key that self-destructs. They don't need to encrypt their hard drives, on which they probably store nothing more sensitive than their really bad first novel draft. They don't need a 26 character Hex password on their operating system. I suspect that a much higher percentage of these normal people lose their data because they can't remember the password to access the data than lose it due to not having tight enough encryption protection. They are out there having to reformat their drive because they can't remember their login password, or having their laptop explode because they installed the new "Explodo-Crypt" device and then accidently had the caps lock key on when they tried to access it.

People need to get effective security solutions for their REALISTIC needs.

Re:Computer Security - The Problem for Joe Blow (1)

slowbad (714725) | more than 7 years ago | (#18798481)

Company buys major vendor's security product for workstations and then learns that useability is almost zero unless all users given admin rights. The end result: Path of least resistance, and less secure than before, after blowing the budget on questionable mass-market software.

Re:Computer Security - The Problem for Joe Blow (1)

Jimmy King (828214) | more than 7 years ago | (#18798593)

I would argue that your second group is just as dumb and in just as much need of education as your first group. They bought into the "hackers are everywhere and trying to get your data 24/7 no matter where you are and what you're doing" hype. They then went out and blew money on various worthless garbage, be it truly ineffective or just far more security than they actually need or understand how to use properly, and end up with at least as much trouble as they would have without it. You see this problem all over the place even with fairly basic security stuff. How many times have you seen people complaining that they bought and setup a firewall and now half of their Internet related activities don't work because ports need forwarded and whatnot and they don't have the knowledge or desire to gain the knowledge to deal with it? They weren't saved from any problems, they just changed the kinds of problems they would have.

In the end it still all comes down to education (or lack thereof) and, even more accurately imo, desire to be educated. Whether you don't understand the issue enough to realize that you truly do need the protection or don't understand the problem enough to realize what protection you actually need and how to properly use it, the right tool for the job is out there and the only reason you don't have it is lack of education.

Re:Computer Security - The Problem for Joe Blow (1)

Tom (822) | more than 7 years ago | (#18798833)

These people need to be educated.
If user education would work, it would have already.

Forget user education. This is a great example of what "user education" leads to - it is quickly turned into a marketing machine.

Security at all the places I worked. (1)

aadvancedGIR (959466) | more than 7 years ago | (#18798163)

It was usually a joke on at least either computer of physical grounds. Most of the time, the idea behind everything was "if it drives the user crazy, it must be good", sometimes to the point of making the bypass non-detectable and easier than the normal process. For example, the need to swipe badges 3 times to get into the building, but no name or photo on the badge, or FTP blocked for "safety reasons" while all the webmails were allowed.

Maybe if the people in charge of it weren't there as a punishment...

Re:Security at all the places I worked. (1)

Tim99 (984437) | more than 7 years ago | (#18798849)

Yep, this is particularly true in large organizations. I was on a Novell admin course (err, in 1988?, so I guess it was) for version 2.15. One of the IT admins had a mainframe background, so he was really interested in security. He came out with the comment that this Novell stuff was not as secure as the real computers that he normally used, so he would set up policies for his department where the user was forced to change the password every 14 days for a new one with at least 10 characters. I think the rest of us allowed users to recycle previous ones every 40 days with a minimum of 6 characters. As far as I know, we never had any security breaches in about 5 years on a couple of thousand LANs.

A few weeks after the course, I was installing some internally developed software on one of the mainframer's LANS. Yes, all of the users had their "this week's" 10+ character passwords written on notes stuck to their monitors...

If it makes you to have a quiet death (0)

Anonymous Coward | more than 7 years ago | (#18798269)

It isn't actually a high quality at all. Come on, people are always dumb. Marketing technique is done by making it looks like everyone already has it or everyone will going get it or everyone already done it or everyone will help you to get it, and this technique ALWAYS works, unless that it turns out to be that they are LOOKS LIKE betrayed afterwards.

So, make it look like that. Come on, how many so called freaking not-so-good GNU projects looks like everyone wants to have it or everyone already have it or everyone will help you to get it? Every successful truly good GNU projects has at least one but even though it has ONE it doesn't have everything and that's why they still can't beat Windows.

Not everyone already have Mac or iPod when it just came out, but it looks like everyone already has it, that's how they are almost always successful. Come the facking on, how many matha fackers knows about the quality of a Mac? It's look. It's everything that makes it look like everyone already has it and everyone will going to get it and everyone already done it and everyone will help you to get it.

It doesn't really matter if everyone ACTUALLY already has it nor everyone will ACTUALLY gonna get it nor everyone already DONE it nor everyone will help you to get it. Truth is, it's facking opposite.

Well, if we see the open source world, many people actually has it and many people actually going to get it and many people actually have done something with it and many people will help you to get it but it doesn't look like it, and that's the ultimate problem of it's POPULARITY. Popularity isn't everything but it helps, a lot. So, it's LOOK is it's part of quality. And, many open source projects has low quality if you consider that.

-p

The problem is The Press (1)

Z33kPhr3k (1047994) | more than 7 years ago | (#18798377)

The problem is The Press. Particularly publications like InfoWord who just regurgitate press releases. Many reporters don't even install product or try to look under the hood, and even when they do find an issue, they let the product manager off the hook when they hear "it will be fixed in the final release".

When you combine a Culture of Fear that came with 9/11 and Bush administration with the technology void left after the Dot COM bust, we got a lot "security" Lemons. The security market was in the Zone before Web 2.0 took off.

Check out that personal firewall on your desktop. My Point is, the reporter was more interested in the wine at dinner than the security product he wasn't reviewing in the Labs. Sorry, we had to make the revenue target for quarter. Hope it didn't cause you any issues. ;)

Smoking Mirrors Dominate (2, Interesting)

dma1965 (744783) | more than 7 years ago | (#18798701)

A very good friend of mine has done some high end encryption coding for some major tech companies over the last few years, and has become somewhat in demand for his work. He was recently approached by a major computer manufacturer (lets call them Nell), and asked to create a security method to prevent counterfeit laptop batteries from being used in their laptops (perhaps due to recent bad press about batteries catching on fire). They also told him that it had to be very inexpensive, as they did not want to raise their cost for laptop batteries above the level it was now. He then asked them if they wanted it to be secure or cheap, and told them that truly secure was not going to be cheap. They then repeated what they had told him. This went back and forth for a while until he told them that what they really wanted was for my friend to sign off on his "secure" method, regardless of whether it was secure or not, so they could redirect blame to his organization when the cheap security method was easily defeated, and give the appearance that "Nell" cares about security. This lost him the bid. True it is...the saying that I saw on a bridge once, which read "Remember, this bridge was built by the lowest bidder." Sadly, chances are that the most popular security method is actually even less secure than none at all, since a false sense of security makes people do stupid things. I once told an associate to stop storing sensitive financial information on spreadsheets on his home PC. He said he was not concerned because he used Zone Alarm. He then had his finances compromised...through a Phishing scam.

Pot calling kettle black, kitchen news reporting. (0)

Anonymous Coward | more than 7 years ago | (#18799035)

It's funny how Schneier wrote this article. Counterpane's idea of security is monitoring your logs for a fee. That doesn't improve security at all--just adds a layer of crap to what's currently wrong.

Schneier hasn't been anything more than a talking head for years.

Which is a shame, because truthfully his crypto stuff is great.

4 problems with IT security (1)

jonwil (467024) | more than 7 years ago | (#18799059)

1.Most people don't care about IT security (or where they do care, its way down the list). People don't believe their data is not important enough to bother with keeping it secure. And more to the point, they just don't even KNOW their data is not secure. What I would like to see is for some group or experts or something to do a simulated break-in or hack attack or something and publish all the "stolen" data (i.e. basically something that shows just how insecure peoples data really is and why they need to care about making it secure only with fake systems and data). Show people what could happen to their data if they don't take care of security. Show a fake "clueless user" accessing a fake "phishing email" and giving their fake bank details to a fake "Russian hacker" who then proceeds to clean all the money out of the fake account. And then show that this is NOT fake, its real and is happening every day.

2.No-one has invested any money in making security easier to use. And it IS possible to make security easier to use. For example, why hasn't someone made an email encryption program where you press "encrypt" and it automatically checks public key databases, locates public keys for the recipient and automatically encrypts the email? And I mean a solution that does NOT require purchasing any kind of certificate in order for it to work. (something that uses PGP/GPG as the underlying encryption would be good)

3.Governments and government agencies (especially agencies like the FBI, CIA, NSA and their equivalents all over the world) have a vested interest in NOT seeing IT security get better (at least for normal people) because that makes it harder to find drug barons, child pornographers, music/movie/software pirates, terrorists etc. Also, for many governments that are not democracies (China, Saudi Arabia, Iran etc) encryption makes it harder to engage in state censorship to make sure that the population only sees what the government wants them to see.

4.The laws are too heavily biased in favor of large corporations. Right now, its easier to claim that your product is secure without making it secure than it is to actually make it secure. Laws are needed that introduce stiffer penalties for companies that claim their product does xyz (e.g. "encrypts your files so you can't get at them without a password" "completely trashes all the data if the wrong password has been entered multiple times") when it does not in fact do xyz. If companies couldn't make those claims, either the companies would stop pretending insecure products were actually secure or they would make their products secure. Either way, products that are actually secure become easier to find.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?