[146873] in cryptography@c2.net mail archive


Re: [Cryptography] Market demands for security (was Re: Opening

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Sun Sep 8 23:50:24 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20130908150810.35bad8fd@jabberwock.cb.piermont.com>
Date: Sun, 8 Sep 2013 18:49:56 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Ray Dillinger <bear@sonic.net>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	John Gilmore <gnu@toad.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sun, Sep 8, 2013 at 3:08 PM, Perry E. Metzger <perry@piermont.com> wrote:

> On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker
> <hallam@gmail.com> wrote:
> > The Registrars are pure marketing operations. Other than GoDaddy
> > which implemented DNSSEC because they are trying to sell the
> > business and more tech looks kewl during due diligence, there is
> > not a market demand for DNSSEC.
>
> Not to discuss this particular case, but I often see claims to the
> effect that "there is no market demand for security".
>
> I'd like to note two things about such claims.
>
> 1) Although I don't think P H-B is an NSA plant here, I do
> wonder about how often we've heard that in the last decade from
> someone trying to reduce security.
>

There is a market demand for security. But it is always item #3 on the list
of priorities and the top two get done.

I have sold seven figure crypto installations that have remained shelfware.

The moral is that we have to find other market reasons to use security. For
example, simplifying administration of endpoints. I do not argue, like some
do, that there is no market for security so we should give up; I argue that
there is little market for something that only provides security, and so to
sell security we have to attach it to something they want.




> 2) I doubt that safety is, per se, anything the market demands from
> cars, food, houses, etc. When people buy such products, they don't
> spend much time asking "so, this house, did you make sure it won't
> fall down while we're in it and kill my family?" or "this coffee mug,
> it doesn't leach arsenic into the coffee does it?"
>

People buy guns despite statistics that show that they are orders of
magnitude more likely to be shot with the gun themselves rather than by an
attacker.


> However, if you told consumers "did you know that food manufacturer
> X does not test its food for deadly bacteria on the basis that ``there
> is no market demand for safety''", they would form a lynch mob.
> Consumers *presume* their smart phones will not leak their bank
> account data and the like given that there is a banking app for it,
> just as they *presume* that their toaster will not electrocute them.
>

Yes, but in most cases the telco will only buy a fix after they have been
burned.

To sell DNSSEC we should provide a benefit to the people who need to do the
deployment. Problem is that the perceived benefit is to the people going to
the site which is different...


It is fixable, people just need to understand that the stuff does not sell
itself.

-- 
Website: http://hallambaker.com/
