David Rice wrote a response about my last post regarding a Secure Software Reality Check and makes some good points.
But people’s “wants” do not exist in a vacuum. The “wants” live within an incentives framework that either promotes or inhibits certain behaviors. In fact, because of relatively low U.S. gas prices (in comparison with the UK, for instance) and tax incentives for purchasing trucks or SUVs over a certain weight, the “want” of a big vehicle is promoted in the U.S. while inhibiting the “need” for low-emissions subcompacts.
I don’t disagree with the idea that people’s wants don’t live in a vacuum. The ads on TV demonstrate otherwise. However, most people’s wants live within their own bubbles. For example, while I don’t give a crap about torque, horsepower, etc., I do give a damn about 4 wheel drive due to my winter commute down some crazy back roads to the commuter rail. One of my other wants is downright “strange” when compared to the mainstream: I am one of the few people who look for cars with a smaller central console because of my other hobbies. That is a pretty strange “want” to have when you look at the mainstream, but it makes perfect sense within my bubble.
In other words, it makes more sense from a buyer’s perspective in the US to buy a bigger vehicle because the incentive structure rewards that behavior. If gas prices were allowed to rise to $10/gallon and a broader tax burden was placed on all non-subcompacts (much like the gas-guzzler tax on the Hummer, only more general), the incentive to “buy big” would gradually ebb. So the “want” for a big vehicle would be partially transformed into a new “want” for smaller, more fuel-efficient cars (so long as people felt they were better off for buying the smaller car). And it just so happens this “want” would be more aligned with the “need” for reducing the social and environmental costs (known as negative externalities) of car ownership.
I disagree that the current gas prices “reward” buying a larger vehicle. They simply allow for buying a larger vehicle. Do consumers buy a Hummer when an Impala would suffice? I’d be stupid to suggest that they don’t. But by creating an external force (i.e. a tax) in order to “discourage” certain “behaviors” you’re doing nothing to stop the “want”; you’re just trying to force people to do something they don’t want to do. You’re treating the symptom (low MPG cars) rather than treating the disease (bad driving habits).
What does this have to do with secure software you may ask?
In the context of software then, there is no incentive to reduce “vulnerability emissions” by software manufacturers nor is there an incentive for buyers to avoid purchasing software with plenty of bugs and defects. Buyers want “big” software; that is, software with a bevy of features even though this dramatically increases the likelihood of latent defects and vulnerabilities. Because of this demand for “big” software, software manufacturers are happy to supply it. There is no incentive to do otherwise.
There is an incentive to do otherwise, and I think this is where the MPG analogy breaks down. Every so often Microsoft has some major bug that gets exploited enough that it makes the news cycle. Microsoft’s response to this has been nothing more than a “Whoops! Our bad. We have a patch.” They then wash their hands of it. This is the equivalent of Ford Motor Company dealing with the cruise control issue back in 2003 with “Whoops! Our bad. We’ll replace it.” However, there are now multiple class action lawsuits from people who were affected by this problem. Why does Microsoft get away scot-free yet Ford has to pay the piper? I think one of the reasons is that people haven’t realized they can make money off of software defects, and the other is that people haven’t yet made a connection between physical loss and virtual loss.
Aunt Ethel and Uncle Mortimer may not give a crap about how many critical bugs their operating system had this month, but they do care if their computer gets owned. What needs to be done by us as a community is teaching them that B is directly related to A. If people start understanding that because some coder at Microsoft didn’t check his buffer size correctly their credit card numbers are now floating around Romania, we’ll start seeing people crying bloody murder. The sooner they do that, the sooner we’ll get vendors who take security seriously, and the sooner that happens, the sooner we’ll all be better off. No laws needed.