[LINK] The Law and Economics of Software Security

steve jenkin sjenkin at canb.auug.org.au
Sun Mar 18 11:30:49 AEDT 2007


Eleanor Lister wrote on 17/3/07 7:08 PM:
> I get the neo-con newsletters regularly ("know thy enemy") as I came
> across this little gem:
>
>>   The Law and Economics of Software Security
>>   By Robert W. Hahn, Anna Layne-Farrar
>>   Posted Date: Friday, March 16, 2007
>>   How secure are our software networks?
>>   http://www.aei-brookings.org/publications/abstract.php?pid=1064
>
> comments?
I skimmed half... gave up. Not worth much.

In the exec summary four conclusions are reported. One is perverse:

"Third, contrary to the prevailing view that market failures
in the provision of software security are serious, some
software users, particularly businesses, may face fairly strong
incentives to take reasonable precautions. In response to this
demand, several innovative market-based solutions have
emerged to address a number of software security problems."

Translate this into medicine, say 'JN Patelle' in Townsville:
"The rampant infections in patients, deaths and complications,
particularly those in seriously ill patients, will create fairly strong
incentives to seek reasonable protections. In response, several
innovative market-based solutions arose [go interstate or to a private
hospital]"

It's patently absurd... Not only technically, but in their
legal-economic reference frame.

These people equate 'Software Security' with PC (desktop) security,
which is pretty much Microsoft.
[They refer to a study that says "monocultures" aren't necessarily
insecure, and System diversity creates problems]

In their definition of security risks/threats, they mostly list vectors
applicable only to MSFT systems.
[The other is common: Denial of Service]

They entirely miss "Integrity", as in CIA [Confidentiality, Integrity,
Availability].

In my skimming, I failed to notice them talking about the Dec 2004
change in hacker culture that was reported in the 2005 AusCert
review/report: "The Hackers turned Pro". Yep, they are doing it *for
money*. This fits the definition of *organised crime*. They are doing
what you'd expect - engaging Stealth Mode...

The report notes that some counts have gone down from 2004 to 2005. Yep,
you'd expect that from organised crime seeking to cover its tracks...


Here's the thing:
The MSFT security problems are *entirely* preventable and avoidable.
Proof: Look at all the older widely deployed, often extremely high-value
targets, and the other server & desktop options:
They don't suffer the same rampant problems... And it's not because they
are ignored.

That's the nub of the Internet Security problem...

regards
s

-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://www.canb.auug.org.au/~sjenkin
