[Dailydave] The monetization of information insecurity

Parity pty.err at gmail.com
Thu Sep 11 12:27:02 EDT 2014

Returning to the original proposition -

Everyone here who has ever filled out an application for business insurance
may recall where the questionnaire asked whether they ran AV software. No
doubt there was a time when the actuarial data showed a definite inverse
correlation between AV utilization and real, actual losses.

A couple of decades later, insurers still hold customers negligent when
they don't run AV.

Point #1 being, there actually was a time when the monetization strategy of
infosec produced good results.

Point #2 being, today's successful infosec industry is tomorrow's worthless

On Sep 11, 2014 8:45 AM, "Dominique Brezinski" <
dominique.brezinski at gmail.com> wrote:

> Michal, I think you give fantastic counter-points with regard to liability
> and doing everything possible to prevent incidents. My gut tells me it is
> foolish to rely on third parties for your own security, and that extends to
> software you purchase and run. To extend stupid physical world analogies,
> think of a modern warrior -- though firearms are relatively simple
> mechanical devices, even the best engineered ones fail, and any good
> operator does not solely rely on just a firearm for their defense. Gear
> fails. Software is gear. Good defense requires good gear, good planning,
> good training, and good execution. The latter three anticipate gear
> failures. The quality and maturity of planning, training and execution is
> what sets apart good defenders from the rest -- not the gear. Yes, spend
> your money wisely on the gear that serves your needs, but you can't expect
> that it won't fail.
> Liability law and insurance just push the impact of failure around, but
> someone always pays for it, and that is almost always the consumer.
> Dom
> On Wed, Sep 10, 2014 at 8:10 AM, Michal Zalewski <lcamtuf at coredump.cx>
> wrote:
>> > You want to know what would work? Holding software producers legally
>> > liable for their software bugs, because only if they have consequences
>> > for their actions will they ever start taking things seriously!
>> It's a fairly persistent argument, but there is also a range of
>> counterpoints. Perhaps most importantly, liability for damages puts
>> the open source community and small, emerging companies at a distinct
>> disadvantage, whereas large businesses would be likely to just factor
>> it in as a cost of doing business.
>> In that context, it may be also informative to look at the credit card
>> & banking industry; liability for fraudulent charges hasn't really
>> pushed them toward developing particularly safe payment technologies -
>> instead, the cost is just factored in and ultimately passed on to the
>> customer in the form of higher payment processing fees.
>> I abhor physical-world analogies, but if we're going down that path,
>> it's also worth noting that we seldom hold people accountable for not
>> doing absolutely everything within their power to stop abuse. The
>> builders of your home or the designers of your car are usually not on
>> the hook if somebody breaks in, even though they could have built more
>> of a fortress. The company that makes your cereal is not on the hook
>> if somebody poisons your food down the supply chain, even though they
>> could have used tamper-resistant packaging.
>> /mz
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave