lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 25 Sep 2006 23:08:42 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Could InfoSec be Worse than Death?

--On September 25, 2006 3:14:12 PM -0400 "Kenneth F. Belva" 
<ken@...security.com> wrote:
>
> I understand your concern and it is perfectly valid. I would be skeptical
> too initially. But I do not think it is a euphemism. It seems to me there
> are real world examples of revenue generating assets based on information
> security mechanisms.
>
> iTunes, Unbox, Speedpass/Easypass/Paypass. Do these not create cash
> flows? Could they create cash flows (or even exist) if the security
> mechanisms (DRM/authentication) were not present?
>
> The information security mechanisms are a necessary but not sufficient
> condition to create these new assets. The loss prevention model shows how
> this necessary condition breaks down and what we can do to stop the
> breakdown. The virtual trust model says that once we have this necessary
> condition, here are the things we may do with it. The focus is different.
>
Please keep in mind, I'm not trying to argue that you are wrong.  I'm 
thinking out loud, if you will, trying to grasp the crux of your argument.

I agree that things such as iTunes (et. al.) create new flows of revenue. 
If they could be implemented without any security, however, I'm pretty 
certain they would be.  Why would a business spend 3 cents more per widget 
if they didn't have to?  The fact that e-commerce products are wrapped in 
security apparatus is an acknowledgement that without them the revenue 
stream could be compromised or stolen.  But I don't see how that makes the 
security portion a revenue producer.  Take iTunes, for example.  What 
makes it a revenue producer is a product that is attractive to a 
significant number of people.  The internet provides a mechanism for 
moving the product that facilitates sales.  But the security merely 
protects the revenue stream, doesn't it?

Mind you, I understand that you are saying that without the security 
mechanisms only a fool would use that method of delivery, but certainly an 
iTunes could exist in other forms.

For example, the "old" way of renting movies was to walk or drive to the 
local store, pick the movies off the shelf, pay at the counter and return 
home to watch them.  The internet version eliminates the walk or drive and 
provides a (perhaps) more convenient way of picking the movies, and the US 
Postal Service (in the case of America) delivers the movie to your door.

>>From a security standpoint, however, what has changed?  In the former case 
you have to pay for locks on the doors, an alarm system, a monitoring 
company, a theft prevention program and training for your employees.  In 
the latter case you have to pay for an SSL certificate (the analog to 
locks), breakin prevention (the analog to alarms and monitoring) and other 
systems for maintaining and tracking inventory, etc.

ISTM the security aspects remain costs of doing business.

> I am very well aware of the loss prevention model. It seems to me there
> is an addition way to describe how security mechanisms function other
> than loss prevention. The virtual trust perspective is coherent, logical
> and accurately describes the world. It does not exclude the loss
> prevention model but can incorporate loss prevention into it.
>
I'm not disagreeing with you on this.  I think the virtual trust model 
might be a valid way to sell security to upper management.  I just don't 
think they're going to be so enamored with the idea that they won't see 
that you've simply repackaged loss prevention and risk avoidance.  They 
might be more convinced by the trust model, so it's certainly worth 
presenting it that way.

But you haven't yet convinced me that security actually generates revenue. 
It might *enable* otherwise unavailable sources of revenue.  And there's 
no question that being able to sell something on the internet increases 
the potential customer base by orders of magnitude.  So enabling those new 
sources of revenue is a good thing, and selling security that enables 
those sources is a good thing.  Basically that's the argument you make in 
your paper.  With that I agree.

Perhaps we're quibbling over terms.  Enabler versus generator.  To me the 
latter implies the actual creation of wealth, whereas the former implies 
opening up new avenues to wealth.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Content of type "application/pkcs7-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ