Hope For The New Year

I greatly enjoy Edge’s annual question, posed to a variety of top minds (skewing heavily academic). This year’s – what are you optimistic about? – is no exception. Of the many answers, brilliant and tedious alike, two in conjunction stood out for me as reasons to be hopeful about the future.

The first response that really spoke to me was from Juan Enriquez, CEO, scholar, and author. Enriquez argues that a networked global economy will break down poverty, discrimination, and similar ills. A strong excerpt:

“As long as you can become and remain a part of the network, the power of place matters ever less. Who your parents were, where you were born, is irrelevant as long as you have access to and interest in education, technology, science, and networks.”

Tie that to the response from David Berreby, science writer and author. He suggests that the “zombie concept of identity” – “the intuition that people do things because of their membership in a collective identity or affiliation” – is breaking down, as evidenced by more multifaceted analyses of the motivations behind socially devastating actions like terrorism. Berreby offers engaging rhetorical questions:

“As daily talk becomes more comfortable with the idea that people have multiple identities whose management is a complex psychological phenomenon, there will be more research on the central questions: What makes a particular identity convincing? What makes it come to the fore in a given context?”

These two responses in tandem portray a future in which we’re free to create successful societies across the old borders of place and ethnicity, societies that reflect complex and mutually-understood values. It is the sociological equivalent of an efficient market, human capital traded to where it’s best put to use. Again, Enriquez:

“All of this implies an accelerating set of shifts in allegiance and identity. Politicians and citizens who wish to preserve and protect the current country are well advised to pay attention to these trends as more have a choice and as ever more debate whether to become a more compact few. For the illegitimate or the slow, it will be harder to maintain boundaries and borders. There is little margin for error; each government and temporarily dominant party can screw up the whole. And the whole can be split very fast. But you have many options. You can fight to preserve that you love or you can choose to build or inhabit an alternative space. Your choice.”

This sounds aggressive, but I find it hopeful. Give up place, as Eriquez suggests, and you can find global prosperity and community; “[s]omeone’s success depends ever less on taking what the other had, [as] you can build and make your own.” Give up assumptions about groups of people, as Berreby suggests, and you can truly understand the motivations of the other, be it your neighbor, your friend, or your supposed enemy.

It’s a future of choice, and of diversity, and of autonomy. Happy new year.

The Marketplace and Wii

I’m embarrassed to admit that, barring shenanigans, I’ll be jointly acquiring a Nintendo Wii this evening from a filthy Craigslist scalper. Why pay this parasitic premium? Because it’s not worth my time to stand out in the cold every Saturday morning from now until Christmas, hoping I’ll beat a vicious pack of under-caffeinated soccer moms to the counter of my local game store.

Buying from a scalper was easy. I put my offered amount on Craigslist, went about my business, and later that day I had someone willing to meet me at my neighborhood Metro station, brand new Wii in hand. I thought online retail was supposed to deliver that ease and speed of purchase. Amazon pissed off me and everyone else who wanted a Wii by creating the online equivalent of those 5AM game store queues. JC Penny has been utterly uncommunicative as to whether or not the improbable quantity of orders they took will be fulfilled in a timely fashion. The only online retailers who’ve made it easy to order are selling outrageously priced bundles.

Console supply-and-demand grouching aside, Nintendo made a very puzzling decision with regard to the Wii’s video output options. After doing a fair bit of research I can say with reasonable confidence that there’s no way, at present, to get a Wii talking to a 30” Apple Cinema Display.

For that matter, there’s no affordable way to get a Wii displaying on most any VGA or DVI display as best I can tell. What about all the college students getting a Wii for the holidays who only have a computer display in their dorm rooms? The lack of a VGA/DVI adaptor seems a bizarre gap in Nintendo’s launch-time accessory lineup.

Once again, Craigslist to the rescue. It’s actually way, way cheaper to buy a used television than to attempt to piece together the right combination of adapters, convertors, and scalers to get a good picture from the Wii on a computer monitor.

It’s a big, strange market out there. If I were a third-party accessory manufacturer I’d be licking my chops right about now.

Schneier On Infosec Economics

A while back I wrote a post about the economics of information security. Yesterday, security expert Bruce Schneier spoke in a similar vein about where liability and economic burden should fall in the product security lifecycle.

I like what he has to say, but I’m not convinced that incentivizing developers to bear security costs upfront and, theoretically, to produce more secure products will shift enough economic burden onto attackers. As long as it’s cheaper to pay people to exploit software and more profitable to reap the benefits, the underground will deem law enforcement threats an acceptable risk and continue doing their worst, even in the face of (or in spite of) increased security spending.

It’s also somewhat glib to suggest that “[c]omputer security isn’t a technological problem—it’s an economic problem.” Really, it’s both, and a cultural problem to boot.

Can Markets Fix Information Security?

An unavoidable realization when working in information security is that you’re profiting from decades of mistakes.

Whether you’re playing defense or offense, one way or another you pay your rent thanks to the misconceptions, ragged implementations, and carelessness of the generations of technologists that came before you. The best hackers on the planet are the best because they’re close to those mistakes and the technologies that allowed for them.

No surprise, then, that pretty much anyone with a long career in information technology understands that overhaul, not incremental patching, is the only definitive solution to the security woes that plague us.

It’s a losing battle. Such a radical overhaul will likely never occur. Hell, we can barely contemplate a global move to IPv6. Even if we collectively decided to move on to Computing 2.0 our conceptual scope can’t account for all potential vulnerabilities. It’s the human condition: we’re all but blind to faults at the time of a creative act. When it comes to something as complex as computers even hindsight isn’t 20/20; unforeseen vulnerabilities in old software crops up every day.

So, why? I’d argue that the economics of security don’t work out. Right now, for every white hat making dollars off protecting a network there’s a black hat with more to gain from breaking into that network.

Now think beyond one network. Spread information security liability and consequences across all industries, across any portion of the global economy that depends on networks to function (ie, pretty much all of it). Do we have more to gain by collectively sponsoring security initiatives? Of course. Will international governments, militaries, private industries, and non-profits ever coordinate rather than compete? That’s a rhetorical question best left unanswered, suffice to say that to date, competition has not left us more secure.

Yeah, I said it. I’m as pro-market as next post-libertarian, but markets don’t create security. Yet.

Decades ago, people said the same thing about markets and environmentalism. They said that polluting was always cheaper than being green, so industry would continue to pollute. But through advances in technology and revolutionary economic ideas like selling “pollution credits”, industry and environmentalism are no longer polar opposites.

Something similar needs to happen in information security before we see substantive improvement. A combination of technological overhauls and economic refactoring will make security cheap and economically efficient. It’s nice to see that people are thinking about the technical end, but I’m not sure who’s thinking about the economic end.

Talk to me if you know, or if you have thoughts on this subject. Comments are enabled for a change.