Mises Economics Blog

Department of Computer Security? It's a Joke

January 20, 2006 7:33 AM by Jeffrey Tucker (Archive)

If you want to make a geek laugh derisively, suggest that responsibility for computer security be turned over to the government. This reaction is guaranteed, regardless of ideology. Geeks know that this is not possible, but rarely are the implications for political economy noted. For 400 years, we've been told that only the state can care for us. There are a thousand rationales why intellectuals have believed this, but none of them seem very robust by comparison to the experience of our times.

Comments (53)

  • Ernunnos

    I'm a geek. Computer security is my job. I'm not laughing. Viruses and other exploits are a technological version of fraud, the prevention of which is a legitimate function of government even in limited libertarian view. And I am a registered libertarian.

    Most of the personal systems on the internet, and many of the servers, are now controlled by criminal gangs who use them to perpetrate more fraud, ranging from extortion to identity theft to penny stock scams.

    The ISPs don't care because helping their users secure their systems would cost more in immediate customer support hours than it would pay off in saved bandwidth, and their time horizons - as with most modern corporations - are one quarter long. The users don't care because a firewall and security measures would cost more than they would gain in performance. Modern virus writers do not disable infected computers because the computer's processing power and bandwidth are a valuable resource once controlled. So the owners of these compromised systems see very little direct impact in many cases.

    The true costs are borne by third parties, innocent victims who suffer because the individual parties who have the power to correct the problem have little to no direct, short-term incentive to do so.

    What we have here is a tragedy of the commons, and the bald spots are only beginning to show on the village green. We are fortunate that most of the bad actors on the internet are currently concerned with monetary gain rather than ideological destruction. But it is only a matter of time until that changes.

    Published: January 20, 2006 8:52 AM

  • awh

    I'm a security engineer who has worked with intrusion detection systems for a number of Fortune 100 companies. And yes, the notion that government can protect our computers is laughable.

    I don't believe there are any legitimate functions of government, but I'll waste no time arguing that; I'll stick with my own area of expertise. It's a moot point for this issue because, whether or not the government should be doing it, it's plainly obvious that there is no possible way they could do it.

    Look no further than the government's own assessment of its own computer systems' security. They fail year after year. No government bureaucracy can move fast enough to even make an impact in computer security. The entire threat landscape will have changed before they can fill out the paperwork in triplicate to start an investigation.

    Also consider how people flat out refuse government assistance in most cyber-crimes where the Feds have already claimed jurisdiction. The costs associated with allowing the feds to confiscate all your equipment for as long as they need are higher than getting their results that the offending 13-year-old hacker has been found but Russia won't ship him over to be jailed. In the meantime, if this is a publicly traded company we're talking about, the stock price will have taken a 5.6% (on average) dip because of the news.

    The government can not, and will never be able to keep the Internet safe. Even if they claim such responsibility it will be private companies and white hats that actually secure our computers.

    Published: January 20, 2006 9:27 AM

  • Larry Ruane

    Very good article, Jeff. Here is an example of how the market is addressing the security problem (see the "editorial" near the top of the page):

    http://www.techsupportalert.com/issues/issue129.htm

    Here's the first part of this item:

    Regular readers of this newsletter are aware that I surf the web using a virtual PC that's hosted on my normal PC. This virtual PC is created with the VMWare Workstation program.

    The advantage of this approach is immediate; I don't care if the virtual PC gets infected because I can just shut it down and the infection is wiped out without affecting the real PC that hosts the virtual PC.

    I also use a virtual PC to download and install new programs. Once again, if my virtual PC becomes infected by a virus, spyware or a trojan, I can just shut it down, re-start and the infection will be gone.

    Published: January 20, 2006 9:39 AM

  • Bruce

    Ernunnos,

    I believe that Jeffrey's point is that while the activities you cited are indeed forms of trespass and fraud, the government is largely impotent to either prevent or prosecute these cases.

    Therefore, to have any semblance of security, we have to rely on ourselves and proven experts in the field. The same is largely true in the "real" world where we are also largely on our own to provide our own security.

    Published: January 20, 2006 9:45 AM

  • tz

    Then why do many libertarians laud the monopoly that does things which impair security (the browser is part of the OS)? If a huge, corporate, unresponsive monopoly is their idea of good computing, then wouldn't the government be better?

    I.e. does it really matter if I don't have a choice in operating systems on my Dell, Gateway, etc. that the lack of choice comes from a corporation or government?

    Yes, he put a newly installed OS - but why can't it go with firewall up until it installs the latest patches (which if they cared would shut off all the unnecessary services - you can't exploit a security hole if the service isn't on). Of course it probably was an Apple powerbook running yellow dog linux. Not!

    Oh no, don't mention that the security problem is mainly one of monopoly, because that might complicate the laissez faire attitude that anyone who becomes a billionaire even in a heavily distorted and regulated market must be considered a hero regardless of the tactics and behavior.

    They also had their "Trusted Computing" initiative, and were supposed to have spent a year plugging all the holes. Either this was PR or they have fundamental problems.

    But why should we expect big bureaucracies to work whether they are corporations or government? Wal-Mart was a lesson because they didn't have the layers of management. Sam Walton visited every store. Has Bill Gates, Steve Ballmer, or any of the others recently written any code present in any of the current products? They tried not becoming like IBM yet they became just as much a bureaucracy.

    Lauding a corporation that is run like a government? Power allows the restriction of choice and still corrupts even in this context.

    GM, Ford, and Chrysler could save a few bucks if they would omit the ignition locks. Why not? So people would complain about their cars being stolen - the problem is the thieves, not the lack of security...

    The earlier poster does make a good point about property definitions in cyberspace. Everything is virtual, but the social structures formed. Yet it doesn't seem to be enough.

    Yet I laugh when I see juxtaposed articles by the same author, one complaining about the lack of choice and the bad level of service in Government, then blegging about some problem with Windows (with a disclaimer that Mac and/or Linux users shouldn't taunt).

    If the most ardent, freedom-loving libertarian will regularly put up with really bad products, why do they expect the average person not to accept what is merely as bad from Government?

    Someone please explain. Mac is more user friendly and more secure and all this is right out of the box, but people still prefer windows. Linux is less expensive and more secure, but people still prefer windows. OK, maybe MS Office, but OpenOffice 2.0 and iWork and most of the rest can now read and write microsoft document formats (and there was and is Office for Mac), so that excuse is no longer valid.

    (More software to pirate maybe? If all your friends will share their programs and activation codes, I can see this but wouldn't approve.)

    Yes, there are holes in opensource systems and Macs. But they are addressed and closed, and the system design makes them harder to exploit (most people won't run as root, but inserting a Sony DRMed disk into a windows system will install a rootkit). And it isn't monoculture - Apache is more prevalent than IIS, but hacked less. But Apache is opensource and modular, and IIS apparently is also "part of the operating system".

    Yes, security is a battle, but it is better to have body armor and a shield and an UZI than to be naked with a dull dagger.

    Published: January 20, 2006 10:10 AM

  • Ernunnos

    The government is largely impotent to prevent or prosecute most strong-arm robbery as well. That doesn't mean it doesn't have a role to play.

    The market is simply not addressing this issue. I've been fighting spam and other internet fraud since the early '90s and the very beginnings of the commercialization of the internet, first as a hobby, then as a professional. Private industry has had over a decade to fix these problems, yet they have only gotten worse.

    If you think that the free market will address crime, I ask you: when? What measures are even on the horizon to address the threat of the millions of zombied systems that exist? When will the number of those systems begin to drop, rather than rise? Actually, never mind the minima, where's the inflection point?

    The rate at which these systems are being created is still increasing, as is the number and cleverness of nefarious uses they are being put to. The government solutions may be blunt and crude, but you cannot argue that the free market has provided a solution, or will provide a solution in the near future.

    (By the way, any market solution must be marketable. Most users can't be bothered to understand or purchase a $30 firewall. The idea that they're going to manage a virtual PC is ludicrous. The problem is not lack of technology, it's lack of will.)

    Published: January 20, 2006 10:11 AM

  • W Baker

    Jeff et al.,

    I suppose one can't write a piece on computer security without the Mac cultists chiming in!

    It seems to me that the market has answered your 'battle' call. OS X has been out for approximately five years. To date there are no viruses, no Trojans, no spyware. None.

    Now the ubiquitous Microsoft Certified IT type, whose very livelihood is predicated upon Microsoft writing and compounding bad code with equal or worse code, will immediately scoff and sputter: Macs are secure because they have such a small market share, security through obscurity.

    How much malware is out there/has been written (granted most of it has been recognised and contained)? Tens of thousands, maybe over 100,000. How much malware exists for Microsoft? The largest portion. How much malware exists for Linux which has about as much install base as OS X? Several dozen. How is it that OS X has zero? Not one single hacker has taken the time to try and control around 5% of the installed base of operating systems. How can this be?

    Two wagers. The stock retort will be, 'well Macs just don't have any software', or 'I need Windows to run this sort of accounting program'. (Where do they come up with these answers? Someone 'in the know' told them. An IT type who works for fill-in the blank said so.) The second bet: they will never, ever check out the fact that Macs will do everything their Windows machines will do and much more - and certainly much more elegantly and reliably.

    The market has answered the security call. Very few seem interested.


    Published: January 20, 2006 10:16 AM

  • Francisco Torres

    tz,

    I do not understand the point of your rant against Microsoft: does it mean you agree that the government cannot improve internet security or that you agree the government can?

    If people choose Windows over other operating systems, is it not their right to do so? Are not there other options for you?

    Ernunnos,
    "The government solutions may be blunt and crude, but you cannot argue that the free market has provided a solution, or will provide a solution in the near future."

    Exactly which government solutions are you talking about? And why do you say the market has not provided solutions or that none of us can argue that it has provided solutions? If the market has not provided a solution that suits YOU, then why don't you market your OWN solution? The market allows such freedom: why not take it?

    Could it be that the market has provided a solution that suits ALMOST ALL users, except you? If so, would your own problems be enough justification for government intervention? Is that ethical?

    Published: January 20, 2006 10:31 AM

  • George Giles

    Remember the words of Nancy Reagan: "Just Say No". No one is forced to use a computer; it is a voluntary activity. It is a joke to consider the stumbling, bumbling leviathan that is the Federal government to do anything but make the problem worse (war on poverty, war on drugs, war on terrorism, war on ...).

    Anyone who thinks another government agency is what we need should watch Terry Gilliam's brilliant movie Brazil, it is a prescient piece of speculative fiction, that is unfortunately coming true before our eyes.

    Published: January 20, 2006 10:39 AM

  • billwald

    MS should put a (working) OS on a read only chip. What it cost in hardware would be saved in reducing pirate copies.

    Published: January 20, 2006 10:58 AM

  • David K. Meller

    Dear Jeffrey,

    An interesting point, but one can also observe that a very serious crime, identity theft, also closely connected with widespread use and ownership of computers, was a felony which barely even existed before the US government saddled us all with Social(ist) (in)Security Numbers.

    The ubiquity of the SSN on everything (often mandated by the selfsame government) from school and college records to driver's licences to bank accounts and credit cards, and rental leases, among many other things, provides unscrupulous thieves and hackers with an indefensible perfect window to invade ANYONE'S life.

    As you know, the SSN wouldn't even EXIST without the Federal Government.

    Needless to say, it also provides complete transparency to GOVERNMENT voyeurs, thieves, and snoops.

    Peace and Freedom
    David K. Meller

    Published: January 20, 2006 11:02 AM

  • Ernunnos

    Francisco,

    The government solution is finding those responsible, and throwing them in jail, or in the case of those who enable the criminals, penalizing them for taking short-term profits over long-term security. And this is now an issue of national security. If national security isn't a cause you care about, market security. Any business which relies on the internet - almost all of them these days - can be held hostage by extortionists armed with millions of compromised personal computers. The infrastructure itself is vulnerable.

    You can't argue that the market has provided a solution to this problem because the market hasn't provided a solution to this problem. Many businesses are already secretly paying these extortion fees because they have no alternative. The few defense measures that exist are exceedingly expensive and ineffective since the victims have no way to get to the root of the problem.

    And if the power currently wielded by extortionists ever falls to people who care less about money than they do about ideology, the consequences will be catastrophic. It's easy to ignore the root problem simply because we aren't the ones being directly or obviously damaged. Yet. But you're living in denial if you think it won't.

    Published: January 20, 2006 11:33 AM

  • awh

    Ernunnos,

    you wrote:

    "Computer security is my job."
    &
    "You can't argue that the market has provided a solution to this problem because the market hasn't provided a solution to this problem."

    So I gotta ask... what is it you do all day?

    Of course I can argue the market has provided a solution - it's why there are jobs in security!

    "Many businesses are already secretly paying these extortion fees because they have no alternative."

    That is a totally separate issue. All those businesses have had the opportunity to invest in computer security but decided not to. It's a business decision to invest the capital in computer security (or insurance, or any risk management for that matter). Pointing out that some firms believe it's cheaper not to spend money on computer security is a completely separate issue from whether or not security is available to them.

    Published: January 20, 2006 12:13 PM

  • Norman

    It is possible to use an analogy of computer 'theft' (in any form) to a criminal robbing your store. There are some quite obvious implications.

    The government cannot 'protect' all stores from robbery with 100% effectiveness. It is impossible. We have local police forces, but even that is *arguably* inefficient (which is why banks hire security guards and such). So, what did the free market do? It developed locks, security systems, motion detectors, security guards, sensors, etc. Even so, the government prosecutes those who commit robberies.

    The government *could* make attempts to solve all these problems, and in cases have tried (gun control anyone?). The biggest help has not been the government, but the free market. The government's job is to prosecute those who violate the personal property rights of its citizens. If it does so effectively (i.e. proper punishment), then crime will be reduced because the incentive to commit a crime is so low.

    By analogy, if the government tried to do this sort of thing with computer crime, it would be an absolute disaster. Should they prosecute those who commit crimes over the internet? Absolutely. With enough convictions and strong sentences (large fines, jailtime, etc.), internet criminals will simply have to stop because the risk is so high. In the meantime, you guys in internet security (a free market solution to the problem, not perfect, but often effective) can create the firewalls and security we need to operate effectively.

    The market can and will respond. It has responded already. Note also that the market does not create *immediate* responses sometimes, too. No matter what, there is some inherent inefficiency in the market. HOWEVER, you can bet your motherboard that the government will do an entirely deficient job in security.

    Published: January 20, 2006 12:34 PM

  • Curt Howland

    Ernunnos,


    "The government solution is finding those responsible, and throwing them in jail,..."


    Do they? Isn't breaking and entering, be it a building or computer, already illegal? Where are the prisons full of crackers?


    Sending someone an unsolicited commercial fax is illegal, so is sending someone an unsolicited commercial email. Various additions to the "crime" are made by obfuscations. Where are the prisons full of spammers?


    Using private information for fraud is already illegal, called "fraud". Where are the prisons full of phishers?


    It's all well and good to declare how government "should" solve a problem. You have yet to do anything but say "should", just as government has yet to do anything other than make lawful acting harder. Otherwise, there would be no murder, since that has been illegal for as long as there have been laws.


    W. Baker,


    "How much malware exists for Linux which has about as much install base as OS X? Several dozen."

    Same install base? Golly, I didn't know that OSX had 4 MILLION publicly accessible servers online as of last March.
    http://news.netcraft.com/archives/2005/03/14/fedora_makes_rapid_progress.html


    Please, having never heard about these "several dozen" of malware for Linux, could you provide a citation?


    OSX is a nice system. Don't overstate your case.


    AWH, "what do you do all day?"!!! That's great, I wish I'd said it first. I wonder if Ernunnos thinks that if government took over computer security, he'd be employed by them.

    Published: January 20, 2006 12:55 PM

  • Curt Howland

    Oops, forgot something. Because of the ability to scan by IP address, computer security is a very distributed issue. Attacks can come from any direction at any time. This is something that a "centrally planned" environment cannot cope with. eg, September 2001.


    The only defense against a distributed attack is a distributed defense. By leaving the responsibility for security with those individuals who are directly responsible for the systems, the greatest number of defenses can be attempted, and the effective ones adopted. Just like self defense.

    Published: January 20, 2006 1:01 PM

  • Ernunnos

    "The market has answered the security call. Very few seem interested."

    A market solution that isn't marketable isn't a valid market solution. Claiming that "the market works, people just won't buy the market's solution" is like communists claiming that "communism works, people are just too selfish."

    Any system has to be judged by how well it works in reality with real human incentives and motivations. Communism doesn't work because it ignores fundamental human incentives for action. Purely market-based approaches to internet fraud and extortion on a massive scale ignore the fact that the people who are in a position to prevent it have no incentive to do so.

    Published: January 20, 2006 1:28 PM

  • Ernunnos

    "The only defense against a distributed attack is a distributed defense."

    Exactly. What we have here is asymmetrical warfare. The attackers, by their nature, are distributed. The defenders, by their nature, are not. An effective defense requires cooperation between millions of individuals who have no immediate and pressing incentive to cooperate.

    As a result, the attackers have the upper hand.

    As for you wags who wonder what I do, I create stopgaps. Temporary measures to stem the tide.

    Over 85% of all email on the internet is spam or virus traffic. I oversee email systems that cost millions of dollars, not including the salaries of the people who maintain them, and most of that cost is just to keep the spam to a moderate level. While I personally appreciate the income, from an economic standpoint, all that money and all that effort is utterly wasted. It creates no new value, it merely preserves the network as a usable product. The idea that I should be happy because it keeps me employed is merely a variation on the broken window fallacy, which I never thought I'd hear promoted on Mises.org!

    Published: January 20, 2006 1:44 PM

  • Wesley Baker

    Ernunnos,

    Does comparing the computer operating systems' markets to political arrangements really pass the primary school rhetoric course, much less justify a response?

    Mr. Howland,

    I stand corrected: there are four known pieces of Linux malware which have been released 'into the wild'. http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss407_art817,00.html

    The question still remains, how many 'Joe users' are going to work at the root level of their computers? How many people 'pop their hoods' on their automobiles and rebuild the lower engine - much less simply change their own plugs and wires?

    That's said in no way to denigrate open-source operating systems. It's just simply to point out that there is a safe, extremely consumer friendly computing system which is always pooh-poohed simply because 99% of people associate computing with Windows.

    There seems to be a strange association amongst free-market proponents: they automatically assume that the one (company, person, etc.) with the most market share, the most recognized, or the company on every street corner must de facto be the best or the only viable alternative - all things considered price, convenience, availability of goods, etc. Somehow they never seem to consider that this same market's competition has produced a far superior product or service somewhere else in the niches, but finding it involves some looking, learning and patience.

    Pardon my ramblings.

    Published: January 20, 2006 2:03 PM

  • Curt Howland

    Mr. Baker, no worries. Thanks for the pointer. I in no way denigrate OSX. That it is built upon the Open Source BSD kernel and toolset is a major part of its beauty. I've worked at Apple, I know how user-friendly their software is. I try only to denigrate bad software no matter who writes it.


    Ernunnos, let's put some of your statements here and try to find a pattern.


    "Purely market-based approaches to internet fraud and extortion on a massive scale ignore the fact that the people who are in a position to prevent it have no incentive to do so." "Private industry has had over a decade to fix these problems, yet they have only gotten worse." "Most users can't be bothered to understand or purchase a $30 firewall." "Computer security is my job."


    Ok, the stage is set. Now for the kicker:


    "Viruses and other exploits are a technological version of fraud, the prevention of which is a legitimate function of government even in limited libertarian view."


    False. You cannot prevent crime. Period. It is a logical impossibility. More laws only create more criminals. More enforcement only deprives those who abide the law, as the various prohibitions have demonstrated over time.


    "I oversee email systems that cost millions of dollars, not including the salaries of the people who maintain them, and most of that cost is just to keep the spam to a moderate level. While I personally appreciate the income, from an economic standpoint, all that money and all that effort is utterly wasted."


    Yet you have specifically stated that there is no incentive to fix the problem.


    I will assume that you do not mean that you do not have that incentive. You have already made it clear that you want someone else to solve the problem. Can you tell me, then, who is it you were specifically referring to when you said "the people who are in a position to prevent it have no incentive to do so."?


    I, too, am a professional in this field, and so far I am not impressed.

    Published: January 20, 2006 2:29 PM

  • Curt Howland

    BillWald, I'm sorry I didn't see your posting about a ROM based machine until now.


    Did you not know that such systems exist today, and have for several years, in a wide variety? They're called "Live CD"s and run entirely in RAM off of a CD or DVD.


    As you might imagine, such a DVD has a large repository of usable software applications ready to go and uncorruptible. What I like most about them is that they are easily re-mastered, allowing, for instance, a company to produce a "standard desktop" that is immune to spyware, adware and viruses, while also preventing the installation of non-approved software by employees. I've often recommended this as an answer for firewalls, routers, database servers and other systems that must be both responsive and hard to crack.


    Here's one of the most popular: http://www.knoppix.net/

    Published: January 20, 2006 2:45 PM

  • Ernunnos

    "False. You cannot prevent crime. Period. It is a logical impossibility."

    Every time we take a career criminal off the street and put them in prison we prevent crime. People often complain about the price of prisons, but since most criminals are capable of doing far more than $20,000 worth of damage to others per year, it actually works out to be a good economic bargain.

    "You have already made it clear that you want someone else to solve the problem."

    I want the people who manage the networks and the computers that are currently being used as weapons to bear the costs of their (in)action. Their victims have the incentive, but not the means, they have the means, but not the incentive. If the costs are shifted back where they belong, the means and incentive will come together, and the problem will be solved.

    Published: January 20, 2006 2:47 PM

  • Curt Howland

    "we take a career criminal off the street..."


    My earlier question stands, then. Since it's already both illegal and prosecutable, and has always been so, where are the prisons full of crackers?


    "If the costs are shifted back where they belong, the means and incentive will come together, and the problem will be solved."


    "Where they belong". Hmmm. I see only one way to do this, but I would prefer you tell me what you have in mind. As has been suggested before, by referencing the movie _Brazil_, it seems that my rather unhappy imagination is not alone in its misgivings about the reality of those simple and subjective words.

    Published: January 20, 2006 2:58 PM

  • Ernunnos

    "My earlier question stands, then. Since it's already both illegal and prosecutable, and has always been so, where are the prisons full of crackers?"

    Laws must be enforced, not just written. Fraud has been illegal for quite some time, but this is a whole new area for law enforcement to operate in, and they're still getting up to speed. That said, they are getting up to speed. Now they just need to start enforcing laws against creating an attractive nuisance as well.

    Published: January 20, 2006 3:56 PM

  • Randy Erhart

    As I read it was hard for me not to think I was reading about the infernal income tax system which the United States has afflicted upon its people. All the loopholes and the impossibility to equitably or fairly apply it. This year I have finally seen that it is not "laws" that are being passed but "whims". And the propaganda of simplification, it never gets easier but just grows in complexity. Some sectors of the populace can rip it off immensely and never have to pay back the fraud (because they have nothing), while others are taken to task for everything they have. Why is it not shouted from the rooftops that the only thing government can do is establish monopolies which will cause a few to be rewarded greatly at the expense of the majority (sounds like the gambling racket). But government has gone beyond that to now have people employed in agencies diametrically opposed to one another, in the political welfare system that feeds off the whole populace (when neither side or view should be in the political arena but left to the markets and liberty of the people, but then it's liberty that they scorn, or is it just the greed to do good?)

    Published: January 20, 2006 3:58 PM

  • Curt Howland

    "they just need to start enforcing laws against creating an attractive nuisance as well."

    I see we're still playing 20 Questions.

    What "attractive nuisance"? Why does it "need" to be enforced, coercively, in a way that the free market cannot?


    On a separate point, that of hitting lax people and providers directly, I suggest http://www.ordb.org/faq/ and other, ah, "voluntary" techniques.

    Published: January 20, 2006 4:08 PM

  • Curt Howland

    Didn't take long reading _Planned Chaos_ to find this:


    But what shall we think of the statesman who interferes by compulsion in order to raise the price of cotton above the level it would reach on the free market? What the interventionist aims at is the substitution of police pressure for the choice of the consumers. All this talk: the state should do this or that, ultimately means: the police should force consumers to behave otherwise than they would behave spontaneously. In such proposals as: let us raise farm prices, let us raise wage rates, let us lower profits, let us curtail the salaries of executives, the _us_ ultimately refers to the police. Yet the authors of these projects protest that they are planning for freedom and industrial democracy.

    Published: January 20, 2006 4:42 PM

  • steve

    Ernunnos:

    Hackers might be a costly problem, but they are just amateurs compared to what our own government has done and continues to do to us. That would include lying to, spying on, stealing from, and killing the same population the government says it wants to protect.

    I would prefer to take my chances with the hackers.

    Published: January 20, 2006 4:47 PM

  • Paul Edwards

    Wesley,

    I’ve seen this point before by others and always thought it warranted an answer:

    “There seems to be a strange association amongst free-market proponents: they automatically assume that the one (company, person, etc.) with the most market share, the most recognized, or the company on every street corner must de facto be the best or the only viable alternative - all things considered price, convenience, availability of goods, etc. Somehow they never seem to consider that this same market's competition has produced a far superior product or service somewhere else in the niches, but finding it involves some looking, learning and patience.”

    That’s how it comes across, and that may be how it is for some; but let me give you my spin:

    ASSUMING completely open entry to a market, then at any given time, it stands to reason that the firm with the largest market share has up to that point, succeeded in satisfying the most customers the most. It isn’t that they have been necessarily technologically superior, although they might be, but they have necessarily provided the most customer satisfaction. Marketing plays a role in this because if they are better at conveying how their product will help their customer than their competition is, and they can follow through as advertised adequately, this counts as providing more satisfaction.

    On the other hand, the beauty of open entry to the market means that at any moment, things could change. All is in the past, when we ask what the present status is. So the firm that has been the best till now may not be best anymore. And if not, it will not keep its market share, assuming free entry to the market.

    Published: January 20, 2006 5:47 PM

  • Paul Edwards

    As an aside:

    I have a story I’ve really wanted to tell and I was just reminded of it here, so I’ll tell it here: I love Costco because I never fear that I might be dissatisfied with a product I buy from them. If I don’t like it, I take it back, they ask if I want cash or have it added back to my card. They take it back with no receipt, no debates. It is so pleasant. I really can only say good things about them.

    Now contrast that with Car Toys. To start with I am leery of small shops. I don’t know what their return policy is and I don’t want to read fine print, especially after I’ve bought the thing. Well I went for it anyways. I bought a 600W car power supply for my laptop. Well, it would work for a few minutes and then the lap-top would indicate it was back on its own battery again, and the green light on the power supply would go out.

    I told my story to the manager and he said, “the problem is you didn’t take the batteries out of your laptop”. I said “you’re not going to tell me I need to take the batteries out of my laptop before I can plug it into 110 are you?”. At which point he chastised me for raising my tone of voice at him and questioning his technical background. He finally took the thing back, charging me a restocking fee because I didn’t have the original box. (I guess that means he’s restocking it on his shelf.) I guess I won’t be dealing with Car Toys again. And I won’t hesitate to tell my sad tale of woe to any poor joe willing to listen either.

    So what do I make of this: In a free market there are good reasons why companies get big and others stay small. I love truly free markets.

    Published: January 20, 2006 5:53 PM

  • Ernunnos

    "What 'attractive nuisance'?"
    Millions of unsecured systems.
    "Why does it 'need' to be enforced, coercively, in a way that the free market cannot?"
    Because there is no incentive for those with the unsecured systems to clean them up. The damage is almost entirely concentrated on innocent third parties. It needs to be enforced coercively for the same reason you might want government to use coercive force against a company that disposed of its chemical waste by dumping it on your lawn. And why shouldn't they? The money they save can easily go to making its products cheaper, earning it many happy customers who don't live in your neighborhood.

    It's a classic case of externalized costs. Don't tell me I have to explain it on an economics blog.

    Published: January 20, 2006 6:39 PM

  • Ernunnos

    "I would prefer to take my chances with the hackers."
    Yes, I know. Everyone wants to look the other way and hope it doesn't happen to them. It's easier.

    Published: January 20, 2006 6:46 PM

  • Larry N. Martin

    Ernunnos, you keep saying that the government ought to do it, but you have yet to show the practical side of *how* government can do it, and do it effectively.

    Published: January 20, 2006 7:25 PM

  • Curt Howland

    "Millions of unsecured systems."

    You want someone to prosecute millions of people who are already victims of having their systems violated against their will for you?

    Here I had a germ of hope that you would try to prosecute Microsoft for releasing such an easily compromised system to the mass market.


    "Because there is no incentive for those with the unsecured systems to clean them up."

    I think you will find that those who are infected and zombied are just as angry as you are, but are either unaware of why their machine is slow, or do not know how to fix it. That is not solved by making them criminals.


    "It's a classic case of externalized costs. Don't tell me I have to explain it on an economics blog."

    Oh, I've seen from the beginning that you are trying to externalize the costs of your business upon the taxpayers. That's why you say things like "we should", rather than "I will".


    "Everyone wants to look the other way and hope it doesn't happen to them."

    Everyone? My, you do paint with a broad brush. I actively assist my neighbors in cleaning things up and using alternatives to known unsecure systems. Much nicer than prosecuting them.

    I will, however, explain the spirit of Mr. Edwards' statement:

    The death and destruction wrought upon the individuals of the world by governments, even if only measured by their own governments, far outstrips any damage caused by the supposed "criminals" that those governments were instituted to prosecute.

    I agree with Mr. Edwards completely, I would gladly rather face the hackers, whom it is legal for me to defend myself against, than the abuses of government who will kill me with impunity if I try to defend myself against them.

    And I do, in fact, defend myself. My systems, be they Windows, Mac or *nix, have never been compromised. I deal with spam because it is there, like hail and lightning, I do not expect anyone else to solve the problem for me.

    Published: January 20, 2006 7:45 PM

  • Ernunnos

    "Here I had a germ of hope that you would try to prosecute Microsoft for releasing such an easily compromised system to the mass market."
    Oh, there's plenty of responsibility to go around. Microsoft in particular has a lot to answer for.
    "Oh, I've seen from the beginning that you are trying to externalize the costs of your business upon the taxpayers."
    I'm a taxpayer too. And protection of property - all property - is the sole legitimate function of government. The owner of a 7-11 can call the cops when his store is robbed, I ask for nothing less. It's called equal protection under the law.
    "I actively assist my neighbors in cleaning things up and using alternatives to known unsecure systems."
    That's nice, but it's bailing the Titanic with a teacup. This is not an O(donated evening) class of problem.
    "My systems, be they Windows, Mac or *nix, have never been compromised."
    That's nice, but not what I'm talking about. Your systems can still be reduced to worthlessness by a DDOS from millions of machines that are compromised, and there isn't a damn thing you can do about it even if your systems remain completely buttoned tight. If it hasn't happened to you it's because nobody cares enough to make you a target. Yet. But if and when they do, you'll be looking for outside aid too, and find very rapidly that nobody is listening. If you're lucky your ISP will take pity on you and not charge you for the bandwidth overages.

    Published: January 20, 2006 8:19 PM

  • Ernunnos

    "Ernunnos, you keep saying that the government ought to do it, but you have yet to show the practical side of *how* government can do it, and do it effectively."
    Government doesn't have to do it, government just has to provide the motivation. Drag a couple of telecom CEOs in front of Congress and let them know that they'll be fined a few million per day that government honeypots detect malicious traffic coming from their network space. It'll get done. The technical solutions exist, and are even relatively cheap, if you attack the problem at the source. And some ISPs are already using them. But the market is not eliminating those that don't. In fact, they have a market advantage because they're externalizing their costs.

    For example, many ISPs and businesses do virus filtering on incoming mail. Only a minority filter mail sent by their own customers to other sites.

    Published: January 20, 2006 8:29 PM

  • Doug Rees

    As a certified geek, I joined in the derisive laughter. But what scared me is that none of my non-geek friends would laugh at the suggestion. They'd all think it's a good idea. DAMN!!!!

    Published: January 20, 2006 8:46 PM

  • Doug Rees

    It occurred to me that, if the government had been managing computer technology all along, we'd still be running CP/M on 2 MHz machines. After taking 100 million dollars of the taxpayer's money, the team of expert consultants led by Tom DeLay's nephew would have concluded that colour monitors and hard disks are "prohibitively expensive". President Bush would go on TV to inform us that, regrettably, the National Modem Initiative was being scrapped because "we can't have terrorists hooking their computers into our telephone system".

    Published: January 20, 2006 11:26 PM

  • MLS

    "Drag a couple of telecom CEOs in front of Congress and let them know that they'll be fined a few million per day that government honeypots detect malicious traffic coming from their network space. It'll get done."

    I see you have a great respect for property rights. Here is a better idea:

    Have the government drag YOU in front of congress and have them tell you that you will be fined a few thousand dollars a day if any malicious traffic escapes your network space.

    What about malicious traffic coming out of government?

    I take it you have never heard of "capture" theory. I would not overlook the fact that your ideas may gain huge support by regulation seeking companies. ISPs will want to be "public utilities" just to erect huge barriers to entry - cartelizing the industry. You really think public-utility-ISPs will do a better job securing the 'net?

    Also, severely going after spammers does not reduce spam! What it really does is reduce the number of spammers! Spamming will continue as long as there are profits to be made from it. Only two things can reduce spam: free-market security and consumers opting not to buy stuff from spammers.

    "But the market is not eliminating those that don't. In fact, they have a market advantage because they're externalizing their costs."

    That's funny. I prefer my ISP not to block ports and filter my mail - thank you very much. My subjective value evaluation would lead me to purchase services from an ISP that did provide such an external BENEFIT! Unfortunately I live in a heavily regulated area.

    ---

    Maybe what we need is some gigantic public firewall, eh?

    Published: January 21, 2006 12:17 AM

  • Curt Howland

    "government just has to provide the motivation."

    I see that the image that sprang to mind when I read your very first posting, Ernunnos, of armbands, informers and prison camps, was spot on. Where there is a whip, there is a way!

    Government has only one "motivation", the gun. That you feel so comfortable recommending the use of coercive force against others is...sad.

    Published: January 21, 2006 7:27 AM

  • Curt Howland

    MLS, I, too, would prefer an ISP that does not block ports. Most did respond to customer demands by blocking port 80 in-bound and between customers. This started well before the Code Red and Nimda worms which utilized port 80. The ISPs realized that they were losing not just money for all the bogus traffic, but also customers.

    Unfortunately, it's become a Standard Practice, so that even though I would like port 80 open I cannot have it without buying extra "business" level service.

    I've also been shopping around for email, and have found that the spam filtering in Gmail is quite good, and since they enabled POP downloading of mail, can be used for any number of users as sort of an "external spam filter". Challenge-response filtering works exceedingly well, and I note that not only are the email account providers that use that service doing well, but there are challenge-response packages available on Linux for those who want, as I do, to run their own email server.

    I understand why my ISP requires mail to be sent through their server, rather than direct. The last three ISPs I've had have all required this, I must be sampling every one of Ernunnos's "no one has a reason to do this" rare exceptions.

    Agreed about spammers making money. They cast a very, very wide net so their response rate, although minuscule, still reaps profits. That, I agree, just like "illegal" drugs, is why there is no way to stop it.

    Published: January 21, 2006 3:06 PM

  • Peter

    Challenge-response filtering "works" in that it stops spam, but it doesn't work, since it stops a lot of legitimate mail as well. Unless I can easily see a way to program my mail delivery agent to send responses without me having to see them, I don't send responses. (Spammers could, if they knew about it, send spam purporting to come from me (some do that anyway, of course), and your challenge-response system would send me the challenge, to which my computer would automatically respond, and you'd get the spam!) If I see challenges, I just ignore them; if it's important, I'd phone you and complain rather than respond to the mail-delivery challenge, just because I dislike those things so much. Something like hashcash is a better solution, but also not great.

    Published: January 21, 2006 6:53 PM
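
    Peter's point about automatic responders, as an added example that is not part of the original thread: a toy Python model of a challenge-response filter in which a message with a forged sender address is released by the forged party's own auto-responder. All names, addresses and message IDs are constructed, and the sent-log check shown as a mitigation is an assumption of this example, not something a commenter proposed.

```python
"""Toy model of challenge-response (C/R) mail filtering. Constructed example."""
from dataclasses import dataclass, field


@dataclass
class Message:
    msg_id: str
    claimed_sender: str  # sender address as written by whoever sent it; forgeable
    recipient: str
    body: str


@dataclass
class CRFilter:
    """Recipient-side filter: mail from unknown senders waits for a confirmation.

    Simplification: a confirmation releases one message and does not whitelist
    the sender, so the auto-responder problem is shown in isolation.
    """
    owner: str
    approved: set = field(default_factory=set)
    quarantine: dict = field(default_factory=dict)
    inbox: list = field(default_factory=list)

    def receive(self, msg):
        """Deliver mail from approved senders; otherwise return a challenge."""
        if msg.claimed_sender in self.approved:
            self.inbox.append(msg)
            return None
        self.quarantine[msg.msg_id] = msg
        # The challenge goes to the claimed sender, who may not be the real one.
        return {"to": msg.claimed_sender, "msg_id": msg.msg_id}

    def confirm(self, msg_id):
        """Release a quarantined message once its challenge is answered."""
        msg = self.quarantine.pop(msg_id, None)
        if msg is not None:
            self.inbox.append(msg)


@dataclass
class Mailbox:
    """A user whose mail agent may answer challenges automatically."""
    address: str
    check_sent_log: bool = False
    sent_ids: set = field(default_factory=set)

    def send(self, msg_id, recipient, body):
        self.sent_ids.add(msg_id)
        return Message(msg_id, self.address, recipient, body)

    def auto_respond(self, challenge):
        """Return True if the agent answers this challenge."""
        if challenge["to"] != self.address:
            return False
        # Mitigation (assumed): only answer for messages this mailbox sent.
        if self.check_sent_log and challenge["msg_id"] not in self.sent_ids:
            return False
        return True


def run(check_sent_log):
    """Send one genuine and one forged message; return (inbox bodies, quarantined ids)."""
    sender = Mailbox("sender@example.org", check_sent_log=check_sent_log)
    filt = CRFilter(owner="recipient@example.net")
    genuine = sender.send("m-001", filt.owner, "lunch on Friday?")
    # Constructed forgery: a third party writes sender's address on its own mail.
    forged = Message("m-666", sender.address, filt.owner, "BUY NOW")
    for msg in (genuine, forged):
        challenge = filt.receive(msg)
        if challenge and sender.auto_respond(challenge):
            filt.confirm(challenge["msg_id"])
    return [m.body for m in filt.inbox], sorted(filt.quarantine)


if __name__ == "__main__":
    print("blind auto-responder:   ", run(check_sent_log=False))
    print("sent-log auto-responder:", run(check_sent_log=True))
```

    With a blind auto-responder both messages reach the inbox; with the sent-log check the forged one stays quarantined and the genuine one is still delivered.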

  • Name withheld by request

    tz claimed that it isn't a problem of monoculture and that Apache is a good counterexample of a dominant piece of software that is still secure. He was right to bring up the issue of monoculture, but I think he has missed an important point about Apache. It is not a monoculture at all. It is run in an enormous variety of configurations, with and without various modules and patches.

    Government regulation of computer security would create a monoculture. In the place of individual choices and a market to support them, we would have imposed on us a compromise designed by a committee. The committee would, of course, be advised by the usual rogues' gallery of representatives from the industry. They would undoubtedly set standards that were designed solely to protect security ... and create barriers to entry by competitors. Software development in the US would stagnate. If the standards were pushed worldwide, and they might be, one of the engines that has driven productivity gains would sputter.

    Published: January 21, 2006 9:57 PM

  • Anonymous

    Those of you complaining about spam:

    Have you tried using bayesian filtering (included in Thunderbird)? Have you installed a tar-pit program like spamd on your mail server (or asked your ISP to do so)? I've found that, when combined, these two solutions, both invented totally in the free market, solve the spam problem to the satisfaction of essentially everyone.

    Published: January 22, 2006 11:17 AM

  • Doug Rees

    There's actually a very easy way of dealing with spam. Give out your main email address only to those you want to get email from. Set up a separate email account at one of the free email places, and give that address out to everyone else. Your main email account will be spam-free (the other account will fill up with junk, but that's no problem).

    Published: January 22, 2006 2:30 PM

  • Peter

    That's what dodgeit.com is for, of course. But I find that any email address that exists for more than about 3 months gets spam, even if nobody knows the address (it gets more and faster if the address is semi-public, natch).

    The problem with all these solutions (challenge-response, Paul Graham's Bayesian filters, tar-pits, "secret" addresses, etc.) is that even if they work in the sense of preventing spam appearing in your inbox, they don't stop it being sent, so it still ties up a lot of bandwidth/money. Something like hashcash is good because if it became widespread it could be implemented at the transport level and prevent spam ever leaving the spammer's computer.

    A better solution would be an anonymous service where you can donate money to track down spammers for "extraordinary rendition" :)

    Published: January 22, 2006 7:20 PM

  • MLS

    Peter, I like your last suggestion. Any company that bears the cost of preventing spam will be glad to pay any amount less than that. If there was no option of externalizing the cost of business onto taxpayers - then it would be in entrepreneurs' interests to set up some system that, for example, gave out rewards to some spammers, ex-spammers, or generally anybody that will expose the current spammers. This is analogous to the way governments get citizens to report each other (like 'gas gouging').

    Published: January 22, 2006 8:46 PM

  • Francisco Torres

    Ernunnos,

    Throwing people in jail is not a government "solution", since that is what governments are supposed to do whenever a person commits a crime. A solution means putting a stop to a criminal act, not to prosecute the criminal when the damage has already been done.

    Your contention that, somehow, businesses have to pay protection money to Internet extortionists seems more like a paranoid conspiracy theory, in my mind, than a real problem.

    Saying that businesses cannot defend themselves because it is too expensive to do so is nothing more than a classic case of question begging: you cannot KNOW how expensive a certain security measure will be for a customer, since valuations are subjective, in the first place, and security is a relative term, in the second place. What constitutes enough security for one person may be not the same for another, but that does not mean the first one IS less secure, in his or her MIND.

    If you do not believe me, try then to figure out why some people build fences or walls around their homes, while many others do NOT. There is a REASON, and has NOTHING to do with people's ignorance, ideology or lack of knowledge.

    Published: January 23, 2006 9:53 AM

  • John Mayer

    I'm sure the government solution will involve licensing. Perhaps limiting what software you can use until you have reached a certain level of certification. Or perhaps we can have governments sell computers preinstalled with all the software you 'should' ever need? Then you have to log on to G.O.D. Government Online Domain servers to do anything so they can monitor all activity and enhance security.



    What's that, you want to buy a new computer? Sign up, it's only a 2 year waiting list. Oh dear me, we've taken you off the list because you are not considered as having an 'essential' need.



    Yeah, I'll trust the government when government mandated health care doesn't consider hip replacement surgery as 'elective'.



    Plenty of people buy computers because they are told by the government it will be good for their children's education. When given a choice of a secure system or a cheap system, they will buy the cheap one. How do you deal with those people?


    People complain about Microsoft not automatically updating their software to remove vulnerabilities.
    The exact same people complain when Microsoft sets their software to automatically update as they don't trust Microsoft. How do you deal with those people?



    The government cannot legislate against stupidity.
    In fact they encourage it as it gives them more power.



    Mac OS X and Linux do have their own vulnerabilities, trojans and hackers. Firefox has been blasted recently for massive security holes.
    They rarely have people dedicating their lives to destroying them. The reason Microsoft is targeted is because some people hate Microsoft beyond all reason. They seem to think it is an evil corporation trying to steal your grandmother's organs to sell them on ebay. Yes it is not perfect. No corporation can exist today without being manipulated by governments.

    Published: January 23, 2006 9:43 PM

  • Dewaine

    Computer Security! From the same people who brought you Social Security.

    What more can be said?

    Published: January 25, 2006 12:18 AM

  • anarkhos

    Mac users are mostly unaware of the issue. Windows users turn purple at the mere mention of it, demanding capital punishment for malicious coders.

    Unfortunately, the reason the market hasn't responded to the problem by buying Macs is cultural.

    It reminds me of a passage from an anti-UNIX book, likening the UNIX phenomenon to living in East Africa, covered with flies, and maligned with various curable diseases unaware that life could be any better.

    Life is a lot better, on a Mac ;)

    Published: January 25, 2006 9:15 PM
