[Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

Phillip Hallam-Baker hallam at gmail.com
Sun Sep 8 18:49:56 EDT 2013


On Sun, Sep 8, 2013 at 3:08 PM, Perry E. Metzger <perry at piermont.com> wrote:

> On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker
> <hallam at gmail.com> wrote:
> > The Registrars are pure marketing operations. Other than GoDaddy
> > which implemented DNSSEC because they are trying to sell the
> > business and more tech looks kewl during due diligence, there is
> > not a market demand for DNSSEC.
>
> Not to discuss this particular case, but I often see claims to the
> effect that "there is no market demand for security".
>
> I'd like to note two things about such claims.
>
> 1) Although I don't think P H-B is an NSA plant here, I do
> wonder about how often we've heard that in the last decade from
> someone trying to reduce security.
>

There is a market demand for security. But it is always item #3 on the list
of priorities and the top two get done.

I have sold seven figure crypto installations that have remained shelfware.

The moral is that we have to find other market reasons to use security. For
example simplifying administration of endpoints. I do not argue like some
do that there is no market for security so we should give up, I argue that
there is little market for something that only provides security and so to
sell security we have to attach it to something they want.




> 2) I doubt that safety is, per se, anything the market demands from
> cars, food, houses, etc. When people buy such products, they don't
> spend much time asking "so, this house, did you make sure it won't
> fall down while we're in it and kill my family?" or "this coffee mug,
> it doesn't leach arsenic into the coffee does it?"
>

People buy guns despite statistics that show that they are orders of
magnitude more likely to be shot with the gun themselves rather than by an
attacker.


> However, if you told consumers "did you know that food manufacturer
> X does not test its food for deadly bacteria on the basis that ``there
> is no market demand for safety''", they would form a lynch mob.
> Consumers *presume* their smart phones will not leak their bank
> account data and the like given that there is a banking app for it,
> just as they *presume* that their toaster will not electrocute them.
>

Yes, but in most cases the telco will only buy a fix after they have been
burned.

To sell DNSSEC we should provide a benefit to the people who need to do the
deployment. Problem is that the perceived benefit is to the people going to
the site which is different...


It is fixable, people just need to understand that the stuff does not sell
itself.

-- 
Website: http://hallambaker.com/