Security Review that Standard

Tim Oren writes at the tail end of an excellent posting on the business model behind various choices Netscape made:

Moral of the story? It’s the business model more than the threat model that often dominates the real world of commercial security deployment. Grigg is right that if the actual threat had been analyzed, the focus would have been on the server (Willy Sutton: “That’s where the money is.”), not hypothetical packet sniffers. But that wouldn’t have created a client/server lock-in, so it didn’t fit the actual goals. Security designers – paranoids by trade – would be well advised to find an equivalently cynical business type to vet their ideas.

This is so true. It’s always advisable to look into motives. People tend to be very naive about this, particularly specialists of one stripe or another. I think one might go further and say that if you dig into the business model of the advocates of a proposed standard and find that it is driven entirely by noble virtues, then you must step back and become concerned, not that they are being naive, but that they run the risk of being co-opted by players who enter the market with a strong business model.

It is, of course, quite dangerous to try to look into motives. In fact, some professions forswear it entirely. Just to pick one reason why it’s dangerous: an entrepreneur is often very fuzzy about his business model. He may have a primary model, but he is always juggling a pool of options. He values these options because they give him the flexibility to learn from the market as he goes forward. The outsider can’t see that information. The outsider can’t even see the list of options that the entrepreneur is juggling, since the entrepreneur is likely telling a simplified, but consistent, story about what’s happening so as not to confuse his audience.

While the pool of options is on the upside, there is always a pool of risks haunting the emerging enterprise.

Of course, it’s a good thing if you let all the professions have a chance to take a look at the worst-case scenarios around whatever boondoggle you’re currently engaged in.

Which reminds me of a piece of paper they were handing out at a real estate open house once. This piece of paper advised me that before making a bid on the property I would do well to consult with my own advisors. It then helpfully enumerated various advisors I might touch base with – in no particular order: pest inspectors, HVAC experts, structural engineers, title insurers, buyer’s real estate agent, geologist, … and on and on for maybe a good 40 or 60 kinds of expertise I might wish to bring to bear before making an offer on the house. This did not encourage confidence that the seller was being forthright.
