Firewall Wizards mailing list archives

BS claims (was Re: Firewall Primitives)


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 09 Nov 2002 12:51:41 -0500

Adam Shostack wrote:
Given that marketing can stamp "freakin' intensely secure"
where they want, but that stamping 'gigabit' on something is
falsifiable, everyone stamps "FIS," making it useless as a decision
making criteria.

        "Gigabit" is falsifiable but I don't think it really matters
in the large that the claim is falsifiable. We saw that with the
Intrusion.com "test" run by Miercom - most technically savvy
readers were outraged by what a faked-up test it was, but I bet that
a huge number of potential customers (the unsophisticated ones) saw
that and said "oh. look. an independent 3rd party tested that product
at 900Mbit/sec and it passed" and accepted the "gigabit" claim on
the marketing glossies.

        For me the moment of "Eureka!" regarding marketing bogusness
was when I was reading a joke someone sent around about a city
slicker who buys a donkey from a farmer for $500. The farmer comes
the next day to deliver the donkey and says "here y'are! bad news is,
it's dead." The city slicker doesn't even blink and says "Great!"
"What do you mean, 'great'?" asks the farmer. "Well, I am going to
raffle it off, so I don't care if it's dead."  The farmer leaves and
the next week drops by and asks the city slicker about the donkey
and the city guy says, "I did great! I made $990 on that donkey!"
"What? How?!" stammers the farmer. The city guy explains: "I raffled
it off at $10 a ticket. I sold 150 tickets, which netted me $1,500.
When the winner got the donkey and realized it was dead, I refunded
him his $10."

        So that's how the "stake your claim" game works for marketing.
You could make an IDS and claim that it's "5-gigabit capable" and sell
lots based on that assertion. Of course a very small handful of
customers would buy it and discover that it didn't keep up with the
load. Meanwhile you've got their money already and can just spend
lots of time sending presales engineers in to try to make it work,
or blame their network configuration, or whatever, and you've still
edged your competitors out of that account and can rely on people's
tendency to throw good money after bad rather than admit they screwed
up.

        Marketing something as "secure" when it isn't - same approach
works just fine there. Vendors have been doing this for years. "Our
system is hardened!"  "oh, so - why did it just get hacked?"  "Well,
this year's crop of hackers is just smarter, I guess."   "uh. OK."
"Here's a patch."

        I'm afraid that the "good ole days" of Internet Security
(mjr waves his curmudgeon card!) are gone forever. Internet Security
is a "market" now, which means that the venture guys, empty suits,
and carpet-baggers have descended upon us, lured by the irresistible
smell of money in naive customers' hands. It's going to get worse, too.
There are more start-ups in security today than ever before, even
in the middle of a tech downturn. That means the scrabbling over
customers is going to get even more ferociously Darwinian - so the
folks who are inclined to play fast and loose with the truth are
going to be even more likely to do so.

The solution: trust, but verify.

mjr.
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards