[Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on "BULLRUN")

John Denker jsd at av8n.com
Sun Sep 8 16:29:56 EDT 2013

On 09/08/2013 12:08 PM, Perry E. Metzger wrote:
> I doubt that safety is, per se, anything the market demands from
> cars, food, houses, etc.

I wouldn't have said that.  It's a lot more complicated than
that.  For one thing, there are lots of different "people".
However, as a fairly-general rule, people definitely do 
consider safety as part of their purchasing decisions.
 -- Why do you think there are layers of tamper-evident
  packaging on Tylenol (and lots of other things)?  Note that
  I was not kidding when I suggested tamper-evident data
  security measures.  Not only do responsible vendors want
  the product to be safe when it leaves the factory, they want
  to make sure it /stays/ safe.
 -- Any purchaser with an ounce of sense will hire an inspector
  to check over a house before putting down a deposit.  Sales
  contracts require the seller to disclose any known defects,
  and generally provide some sort of warranty.
 ++ Forsooth, if people bought crypto as carefully as they buy
   houses, we'd all be a lot better off.
 -- In many cases, consumers do not -- and cannot -- /directly/
  evaluate safety and quality, so they rely on third parties.
  One familiar example is the airline industry.  The airlines
  generally /like/ being regulated by the FAA because by and 
  large the good guys already exceed FAA safety standards, and 
  they don't want some bad guy coming in and giving the whole
  industry a bad name.
 -- I imagine food and drug safety is similar, although the
  medical industry complains about over-regulation more than
  I would have expected.
 -- There are also non-governmental evaluation agencies, such
  as Underwriters' Laboratories and Earth Island Institute.

 ** There are of course /some/ people who court disaster.  For
  example, there are folks who consider seatbelt laws and motorcycle
  helmet laws to be oppressive government regulation.  These are
  exceptions to the trends discussed above, but they do not 
  invalidate the overall trends.

 !! Note that even if you are doing everything you know how to do,
  you can still get sued on the grounds of negligence and deception
  if something goes wrong ... especially (but not only) if you said
  it was safer than it was.  Example:  Almost every plane crash ever.

  Let's be clear:  A lot of consumer "demands" for safety are made
  retroactively.  "Caveat emptor" has been replaced by /caveat vendor/.
