
Interesting People mailing list archives

Re: pro regulation viewpoint on cyber vulnerability
From: David Farber <dave () farber net>
Date: Mon, 30 Mar 2009 18:29:36 -0400



Begin forwarded message:

From: Ed Biebel <edward () biebel net>
Date: March 30, 2009 5:45:38 PM EDT
To: dave () farber net
Subject: Re: [IP] Re: pro regulation viewpoint on cyber vulnerability

Vadim makes a thought-provoking analogy but I think he fails to look deep enough to see how the market has responded in the case of home security.

Admittedly the home is not very secure in real terms but most homeowners have layers of security. The majority of money is kept off-site in a bank. Tangible valuables are stored in low cost safety-deposit boxes at a bank or similar secure facility. Replaceable property is insured making its loss an inconvenience at best. I jointly share the cost with my neighbors to provide roving security patrols in the form of my local police department to augment my personal safety. This patrol will respond within minutes should my "perimeter defenses be breached" and will escalate their response until the problem is solved. It is not perfect but it is also not just a pane of glass between me and the evil-doers.

It seems that very few of these other layers exist in the computing market. Should my PC be breached and my financial data be lost, my accounts looted, my life savings evaporated, there is insurance product to provide a safety net and no additional defenses I can buy at reasonable cost (or at a shared cost) to protect myself.

In many ways, this is one of the best arguments for companies like Google that provide security with the "cost" shared among a large population. A number of LGBT blogs have come under DDoS attacks this week and many that are self-hosted or hosted on small providers have been compromised. One blogger commented that was why he did not move his blog from Blogger. He figures Google has a much better chance of defending against attack than he does alone.

Ed


On Mon, Mar 30, 2009 at 4:51 PM, David Farber <dave () farber net> wrote:


Begin forwarded message:

From: Vadim Antonov <avg () kotovnik com>
Date: March 30, 2009 3:27:27 PM EDT
To: David Farber <dave () farber net>
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] pro regulation viewpoint on cyber vulnerability


David - for IP, if you wish.


On Mon, 30 Mar 2009, David Farber wrote:

A paper that speaks to market failure is at:
http://www.csis.org/component/option,com_csis_pubs/task,view/id,5370/type,1/

The sad truth is that there is no single documented case of "market
failure" which couldn't be easily traced back to previous non-market
intervention (by government or crime) - and these should be properly
called "government failures", i.e. governments either doing what they
shouldn't do (granting monopolies to politically connected parties,
engaging in social engineering, etc), or failing in their duty to protect
citizens.

Just ask an economist to offer not a plausible theoretical scenario in
which a market failure could occur - but a clear-cut real-life case of
market failure, and then watch him squirming uncomfortably.

Market failure is one of those elusive concepts which everybody seems to
believe in, but which start to shift meaning, twist, and finally evaporate
if a closer scrutiny is applied.  Using it as a justification for any
policy is, at best, intellectually dishonest.

When applied to "cybersecurity", the very first assertion that "market has
failed to secure cyberspace" is a plain lie.  Any real security expert
knows that there's no such thing as absolute and perfect security.
Better security comes with price - and this price increases exponentially
if stronger (and rarer) threats are considered.

Thus, securing any real installation requires finding a proper balance
between security and cost - and in many cases that balance is on a side
which any security-conscious person would find quite insecure (just think
how long your front door would hold if someone wants to break in, or how
your windows are totally penetrable with an aid of a brick).  However,
laminated cardboard doors and easily breakable glass windows are
sufficient to deter majority of opportunistic criminals - and defending
against determined thieves would be way too costly given that the chances
that one would pay a visit are rather small.

"Cybersecurity" is no different. Even with broken-by-design security model of Windows/Explorer use of a cheap consumer security product (Norton, etc)
would be quite sufficient to achieve good-enough security.  Nearly all
people who suffered from attacks by hackers simply didn't consider
security of their computers to be important enough to devote 15-20 minutes
and few dozen dollars needed to find a product, buy, and install it.

Well, there are people who don't bother to lock their doors and leave keys
in the ignition locks of their cars - but for some reason there's no
experts calling for federal programs to fix these "market failures".  I
think that is because, without the smoke screen of fancy jargon, any
reasonable person would see inanity of any such proposal.

--vadim





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com




