Re: The monetization of information insecurity

[Parity <pty.err () gmail com>]

Returning to the original proposition -

Everyone here who has ever filled out an application for business insurance
may recall where the questionnaire asked whether they ran AV software. No
doubt there was a time when the actuarial data showed a definite inverse
correlation between AV utilization and real, actual losses.

A couple of decades later, insurers still hold customers negligent when
they don't run AV.

Point #1 being, there actually was a time when the monetization strategy of
infosec produced good results.

Point #2 being, today's successful infosec industry is tomorrow's worthless
vestige.

pty
 On Sep 11, 2014 8:45 AM, "Dominique Brezinski" <
dominique.brezinski () gmail com> wrote:

> Michal, I think you give fantastic counter-points with regard to liability
> and doing everything possible to prevent incidents. My gut tells me it is
> foolish to rely on third parties for your own security, and that extends to
> software you purchase and run. To extend stupid physical world analogies,
> think of a modern warrior -- though firearms are relatively simple
> mechanical devices, even the best engineered ones fail, and any good
> operator does not solely rely on just a firearm for their defense. Gear
> fails. Software is gear. Good defense requires good gear, good planning,
> good training, and good execution. The latter three anticipate gear
> failures. The quality and maturity of planning, training and execution is
> what sets apart good defenders from the rest -- not the gear. Yes, spend
> your money wisely on the gear that serves your needs, but you can't expect
> that it won't fail.
>
> Liability law and insurance just push the impact of failure around, but
> someone always pays for it, and that is almost always the consumer.
>
> Dom
>
>
> On Wed, Sep 10, 2014 at 8:10 AM, Michal Zalewski <lcamtuf () coredump cx>
> wrote:
>
> > > You want to know what would work? Holding software producers legally
> > liable
> > > for their software bugs, because only if they have consequences for
> > their
> > > actions will they ever start taking things seriously!
> >
> > It's a fairly persistent argument, but there is also a range of
> > counterpoints. Perhaps most importantly, liability for damages puts
> > the open source community and small, emerging companies at a distinct
> > disadvantage, whereas large businesses would be likely to just factor
> > it in as a cost of doing business.
> >
> > In that context, it may be also informative to look at the credit card
> > & banking industry; liability for fraudulent charges hasn't really
> > pushed them toward developing particularly safe payment technologies -
> > instead, the cost is just factored in and ultimately passed on the
> > customer in the form of higher payment processing fees.
> >
> > I abhor physical-world analogies, but if we're going down that path,
> > it's also worth noting that we seldom hold people accountable for not
> > doing absolutely everything within their power to stop abuse. The
> > builders of your home or the designers of your car are usually not on
> > the hook if somebody breaks in, even though they could have built more
> > of a fortress. The company that makes your cereal is not on the hook
> > if somebody poisons your food down the supply chain, even though they
> > could have used tamper-resistant packaging.
> >
> > /mz
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunityinc com
> > https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave