[Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

Perry E. Metzger perry at piermont.com
Sun Sep 8 15:08:10 EDT 2013


On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker
<hallam at gmail.com> wrote:
> The Registrars are pure marketing operations. Other than GoDaddy
> which implemented DNSSEC because they are trying to sell the
> business and more tech looks kewl during due diligence, there is
> not a market demand for DNSSEC.

Not to discuss this particular case, but I often see claims to the
effect that "there is no market demand for security".

I'd like to note two things about such claims.

1) Although I don't think P H-B is an NSA plant here, I do
wonder about how often we've heard that in the last decade from
someone trying to reduce security.

2) I doubt that safety is, per se, anything the market demands from
cars, food, houses, etc. When people buy such products, they don't
spend much time asking "so, this house, did you make sure it won't
fall down while we're in it and kill my family?" or "this coffee mug,
it doesn't leach arsenic into the coffee does it?"

Consumers, rightfully, presume that reasonable vendors *naturally*
did not design products that would kill them and they focus instead
on the other desirable characteristics, like comfort or usability or
what have you.

However, if you told consumers "did you know that food manufacturer
X does not test its food for deadly bacteria on the basis that ``there
is no market demand for safety''", they would form a lynch mob.
Consumers *presume* their smart phones will not leak their bank
account data and the like given that there is a banking app for it,
just as they *presume* that their toaster will not electrocute them.

If you ever say "we're not worrying about security in our systems
because there's no market demand for it", you had better make sure
not to say it in public from now on, because the peasants with
pitchforks and torches will eventually find you if they catch wind of
it.

Perry
-- 
Perry E. Metzger		perry at piermont.com

