May 03, 2005

Security as a "Consumer Choice" model or as a sales (SANS) model?

In thoughts about how to do Internet security - something the world fails at dismally for the present time - it is sometimes suggested that a "consumer choice" model would work. This model sets up independent non-profit organisations that conduct unbiased reports on products. They promulgate strict rules designed to ensure their independence, such as the separation of advertising revenue or even not taking money for advertising at all. (Will's history lesson)

By way of example, in today's Lighthouse, The Independent Institute suggests that the American Food and Drug Administration ("FDA") should be replaced with this model:

"If aspirin were invented today, the U.S. Food and Drug Administration might not approve it. We should keep this in mind when thinking about Vioxx, Bextra and other pain-relief drugs that have recently been taken off the market. This is not to say that the new pharmaceuticals are “safe,” but rather that all pharmaceuticals involve tradeoffs. The real question is: who is to make those tradeoffs, patients and doctors or the FDA?"

There are already plenty of security groups and more pop up every year, but they are generally platforms for sales. SANS for instance just released an update for its top 20 threats (but still doesn't mention phishing as a threat, confirming its status as a dinosaur).

From historical pre-Internet times, the list divides the threats into a top 10 list for Microsoft and a top 10 for Unix. Reading the Microsoft list gives the overwhelming impression that it is sanitised and softened. The clue is the use of brand - when being critical, the wrong terminology is used. So, we find that "Windows" has a bug, which aside from confusing me as to whether my X Windows or my KDE windows or Mac's windows have an issue, avoids the obviously harsher connotations of the correct brand of "Microsoft Windows."

Why? Fear of offending companies. SANS is really a seller of conferences, as one can see from its front page; it is not an independent security organisation. And conferences are attended by companies, not by individuals. Better not offend a very large company, then.

Which brings up the problem with the "consumer choice" model - what is the revenue model? How are all these reports to be funded? Thinking about the old model, magazine sales created the revenue, but that doesn't work today because the net operates at zero marginal cost.

So maybe we need to turn to net models of cooperation, and create an open source-like culture of security reports? Would it be possible to craft a set of criteria for security reports where the product was covered by Creative Commons licence, any group could create one and a few volunteers sit in the middle and mentor and collate?

An intriguing thought. People are doing the work anyway; why not publish it and share the benefit? Throw in a reputation system to stop Microsoft from inserting their own "SANS report" and we're away. Would it work? I don't know, but it's at least worth a second cup of coffee.

Addendum: the comments below remind me of Will's history lesson. Well worth reviewing as it sets the scene for the wider discussion.

#2 Whoops, spoke too soon. The press release from SANS actually uses the proper brand names and gives Microsoft a bad rep. Good one!

Posted by iang at May 3, 2005 06:17 AM

Welcome to the raw world of uncontrolled distribution, meaning direct from the producer to the consumer. Institution building to fill the void of buyers beware and sellers take advantage will not be cured by a non-profit or independent entity. The insurance companies assumed the risk of product liability, and malpractice, then lobbied governments to regulate on their behalf. So the void must now be filled with private entities but with a profit motive, since good nature in humanity cannot be trusted unless there is some pain for non-compliance.

The Churches have the threat of hell, the government has the monopoly of violence, and insurance firms have the proxy of the government to enforce their risk based bets.

The only thing that will work is betting as a private affair. If a betting parlour can establish a universal monetary unit or near-universal monetary unit, they can enforce standards without the proxy of the government. So punters are the answer, and all folks must become punters, assume risk and be able to offset it with liquidity-based trading of risk on a micro as well as macro scale.

So does the ladder Mum uses to put stuff away in the pantry have a risk factor? Well, probably the ladder does, but is it worth Mum buying an insurance policy on? The manufacturer of the ladder might have an aggregated risk factor, but in isolation it is too small to offset. If this is done without the government proxy then the ladder cost goes down, regulations are reduced, meaning they are not there, and the ladder manufacturer produces ladders within acceptable guidelines for safety established by the ladder manufacturer.

By using private standards established by the producer and accepted by the seller, the value added becomes the quality of the product and a risk not readily offset by either party, removing the frictional cost of insurance, regulations, courts and lawyers. So with the removal of defined regulatory enforced chains of supply, the removal of government proxies via insurance and safety regulations is in need.

So does the consumer get less? Probably not, since most government standards are implemented by corrupt officials and worked around by manufacturers; they will get better ladders, less corruption, and cheaper products.

Direct means no governmentally enforced middle man to pay and pay and pay. I can underwrite the risk via a contract issued by the producer and purchased by the consumer, adding 2% to the product's cost. Of course you must agree to my arbitration arrangements, which makes me a taxer.

Posted by: Jim Nesfield at May 3, 2005 09:05 AM

i've periodically made reference to the situation being at the stage of the automobile industry in the 70s or possibly even the 60s aftermarket seatbelt stage ... a recent comment that kicked off a slew of followup comparisons

old reference that it may possibly require regulatory compliance

some recent news items:

Sarbanes Oxley for IT security?
Business Inaction Could Lead to Cybersecurity Law
Inaction Could Lead to Cybersecurity Law

Posted by: Lynn Wheeler at May 3, 2005 09:40 AM

This first link is a redirect to at the time of writing.

Posted by: Daniel A. Nagy at May 3, 2005 01:32 PM

Daniel - fixed! You are a victim of a 'bug' in some browsers (firefox?) which interprets a spelling error as a search instruction, and the most popular reference to http turns out to be Microsoft. If you made it https then you'd get Paypal. In bugs filed over at Mozilla, the last I heard is that spelling mistakes in security models do not constitute security bugs :-)

Posted by: Iang at May 3, 2005 01:51 PM

semi-colon should be a colon ... aka "http"-colon-slash-slash

Posted by: Lynn Wheeler at May 3, 2005 09:23 PM