2007-04-19

How Security Companies Sucker Us With Lemons

One of my favorite people on the planet, Mr. Bruce Schneier (of Crypto-Gram and Facts fame) wrote a commentary piece on Wired today:

I see this kind of thing happening over and over in computer security. In the late 1980s and early 1990s, there were more than a hundred competing firewall products. The few that "won" weren't the most secure firewalls; they were the ones that were easy to set up, easy to use and didn't annoy users too much. Because buyers couldn't base their buying decision on the relative security merits, they based them on these other criteria. The intrusion detection system, or IDS, market evolved the same way, and before that the antivirus market. The few products that succeeded weren't the most secure, because buyers couldn't tell the difference.

How do you solve this? You need what economists call a "signal," a way for buyers to tell the difference. Warranties are a common signal. Alternatively, an independent auto mechanic can tell good cars from lemons, and a buyer can hire his expertise.

I concur with his overall point (as I eat most things out of his hand). I do not have a solution to this problem, but would like to help create one. FWIW, most security products that I've seen seem to be the worst security products. To date, I still use PasswordSafe, because at least this way only Bruce and I can get to my pwlist.

Thanks to boingboing for pointing this out. 
