Security-As-A-Feature And The Economics of Abundance

from the a-feature-not-a-product dept

The always insightful Bruce Schneier has a new piece out arguing that the stand-alone security industry is doomed, as security increasingly becomes a feature of other products, rather than a product in its own right. He points out that hardly anybody wants to buy a "security product." They want to buy useful products -- operating systems, databases, web servers, whatever -- and take for granted that the developers of those products have designed it to be secure out of the box. Schneier points out that consolidation in the security industry has not taken the form of large security firms buying small security firms, but of non-security-focused software firms buying security firms to help bolster the security and reputation of their products. This may indicate that developers of other software products are recognizing that better security is one of the key features customers are demanding in their products.

If you'll excuse me for jumping on a Techdirt hobby-horse here, this is another example of the economics of abundance at work. Security products are increasingly becoming commodities. Obviously the software ones -- anti-virus tools, software firewalls, intrusion detection systems -- have a marginal cost of zero, and even many of the hardware devices are built on commodity parts that get cheaper every month. What hasn't gotten cheaper is the expertise required to put the bewildering array of security tools together into a coherent system that's customized for a firm's particular business. Indeed, as security products have gotten more numerous and more complex, it has actually gotten harder to keep track of them all and know which security tools are the best ones to use in any given situation.

And crucially, this isn't something you can outsource to a third party. I've written before (in the context of e-voting) that encryption isn't magic pixie dust that automatically makes a system more secure. The same point applies to security more generally. Having the best firewall in the world won't do you any good if it's not configured properly, or if your network hasn't been designed with security in mind. And because every large organization has different security needs, every organization needs a slightly different security setup.

This creates a huge opening for companies who understand that customers are not looking to buy a security software product, but a suite of software that they can count on to be secure without worrying about the details. We've pointed out that this is essentially the business Red Hat is in: not selling software but selling the expertise of its employees with respect to the software. Security is a big part of that. "Security software" is an infinite good, and the market for it will get increasingly crowded in the future. On the other hand, the expertise needed to build complex software systems securely is as scarce as ever, and such expertise is one of the key ways that software companies can distinguish themselves from the competition.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

10 Comments | Leave a Comment..

Transparency Isn't A Substitute For Privacy

from the power-imbalances dept

Slashdot points to a great Bruce Schneier article debunking the idea that "transparency" is better than privacy. People like David Brin argue that technological change is rapidly making the concept of privacy obsolete, and that instead of lamenting this fact, we should make sure that everyone, including the government, is subject to increased "transparency." But Schneier does a great job of explaining what's wrong with this theory: the less power you have, the more important your privacy is to you. If the government knows everything about you, and you know everything about the government, that's not a fair trade. The government can use its increased knowledge to coerce you in a variety of ways that you're not going to like. But even if you know about everything the government is doing, you're not going to have the power to stop it from doing things you don't like. Reduced privacy for everyone increases the power of those who already have power, and increases the vulnerability of those without power.

The other problem is that in the real world, accepting less privacy for ordinary citizens isn't going to lead to increased transparency in government. Government officials who might want to put more cameras up on public streets are not going to want cameras installed in police headquarters. The Bush administration wants our electronic communications to be more "transparent" to NSA eavesdropping, but they haven't reciprocated by giving us information about how those eavesdropping programs work. It's a mistake to equate government transparency with reduced privacy for private citizens because transparency of government activities and privacy for ordinary citizens are both ways of limiting the ability of the government to violate our rights.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

26 Comments | Leave a Comment..

Bruce Schneier Has An Open Wi-Fi Network

from the share-and-share-alike dept

Bruce Schneier, one of the sharpest people in the computer security world, has a great piece about why he leaves his home wireless network open for anyone to use. When I wrote something similar a couple of years ago, I caught a lot of flack from people who said that I was opening myself up to security risks, either from people downloading child pornography with my connection or from people hacking into my home computers and stealing my data. But as Schneier points out, neither of these risks is unique to your home wireless network. Like Schneier, I've got several restaurants and coffee shops within walking distance of my apartment that offer free wi-fi access. While it's not impossible that somebody would park their car out in front of my street and use my Internet connection to do something illegal, it seems more likely that they'd do so over a cup of coffee in one of the nearby coffee shops, where they wouldn't evoke suspicion. Moreover, I have a laptop and I visit coffee shops and other locations with open wi-fi connections all the time. If my laptop has security vulnerabilities, I should be a lot more worried about getting cracked on those networks (which make it easy to target a bunch of people at once) than that I'll have the bad luck of living next to a cracker. I need to keep my laptop properly locked down in any event. Once I've done that, an open wi-fi network is a fairly minor risk. Finally, Schneier closes by pointing out that security is a trade-off. If perfect security is your standard, you shouldn't connect to the Internet at all, because there's always a risk of a security breach. Given that we're willing to accept some level of risk if we have a good reason, the question we should be asking is about the relative risks of different activities. The risk of leaving your wireless network open isn't zero, but it's probably small.

Now, I should point out that all of this assumes that you're a reasonably technically savvy individual with an understanding of basic security concepts: that you know how to update your operating system on a regular basis and that you've set the administrative password on your access point to a non-default value. If you're a complete networking neophyte (not that many of those probably read Techdirt), you should probably get some advice from someone more technically savvy about good Internet security practices. Actually, you should do that whether or not you choose to open your wireless network. But on the list of potential network security threats, an open wi-fi network is probably pretty low on the list.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

35 Comments | Leave a Comment..