Dailydave mailing list archives
Re: Lap Dances for All
From: Adam Shostack <adam () homeport org>
Date: Thu, 3 Mar 2005 10:32:31 -0500
Twenty years ago, there was no good way for a customer to judge the quality of a used car. The dealer knows more about it than the customer reasonably can. It's expensive to bring 20 used cars to your mechanic to get them checked out, and besides, he may see your lemon as his paycheque. Studying this market earned Akerlof and Spence the Nobel Prize: They talk about asymmetric information, lemons markets, and signaling, which is a message that's cheap for a high quality provider to send, and expensive for a low quality provider.

Today, we have a bunch of ways of signaling the quality of a used car, including dealer-backed warranties, certified-pre-owned programs, and Carfax, which is a background checking system for cars.

I'm hoping to have a paper on this done soon. Some of my thoughts have been blogged at:

http://www.emergentchaos.com/archives/000493.html
http://www.emergentchaos.com/archives/000722.html
http://www.emergentchaos.com/archives/000775.html

And I'd love to discuss the idea further.

Adam

On Wed, Mar 02, 2005 at 11:28:07PM -0800, halvar () gmx de wrote:
| Hey all,
|
| just to chip in a few cents:
|
| Right now, there is no way for a customer to judge the security of a
| closed-source software product, and thus we have a classical market
| failure where more secure software is driven out of the market (as it
| is more expensive to build, thus more expensive to sell and the
| customer will buy the cheaper product since he can't see the
| difference).
|
| It is clear that we thus need to "link" the risk of widespread attacks
| using unknown vulnerability back into the market. I see two avenues of
| doing this:
|
| 1. Make the software industry liable for damages from worms etc. --
|    obviously, they would have to buy insurance for this
| 2. Create a market for vulnerabilities where the folks that find bugs
|    have a place to go and get paid for their work
|
| I seriously wonder which one of the above two options software vendors
| like better. And the next time some vendor tries to tell you it is
| unethical to sell bugs, ask him which of the two options he prefers.
|
| Cheers,
| Halvar
|
| _______________________________________________
| Dailydave mailing list
| Dailydave () lists immunitysec com
| https://lists.immunitysec.com/mailman/listinfo/dailydave
