Secure Coding mailing list archives

From: Crispin Cowan <crispin () immunix com>
Date: Tue, 16 Nov 2004 14:26:30 +0000

Jeff Williams wrote:

> Not to be crass, but what most consumers care about is what the vendors tell
> them to. It's all about the market. Currently, the market is stuck where
> vendors don't disclose anything about the security of their process and
> product, and consumers don't ask. Our job is to change the market so that
> it works differently.
>
> Now you can change a market with taxation, liability (see Bruce Schneier's
> most recent cryptogram for yet another plea), incentives, regulation, etc...
> One of the least intrusive models, in my view, is to ensure that everyone
> has the same information, and let the market sort it out.

Meanwhile, the only people who are *effectively* changing the market are
the *attackers* :) Consumers spend more on security, care more about the
security of products, pay more attention, etc. etc. in direct response
to the level of threat that they perceive. Were it not for the
attackers, we could all run highly insecure code, and not give a
tinker's damn about it.

Remember that we are fundamentally in the business of solving a problem.
Security is the business of saying "no" to requests, and that is
fundamentally inconvenient at best, and so our "solution" has to be less
annoying than the problem we solve. Taxes & etc. are just ways to make
life even more annoying so that people will choose the pain of secure
software instead. IMHO, that is only justified when one person's lack of
security causes other people gross inconvenience, such as the case of
completely unfirewalled home Windows machines chronically infected with
zombies.

> I think you're right that the information has to be appropriate for the
> consumer, or at least enough so that a reasonable software architect could
> consume it. So if that's the challenge, I'm up for it.

Good luck getting consumers to choose cod liver oil over pop tarts :)

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com