The Market for Lemons
When stories like this break, which they do every few months, weeks, or days, depending on which corner of the internets you live in, it’s important to wonder not just why this particular product was crap (I’m guessing a severe case of NIH), but also why there are so many crap security products on the market in the first place.
The answer isn’t just that it’s hard to develop good security products; it is (and it’s complicated by Schneier’s Law), but that doesn’t explain how many of these crap products are actually quite popular.
At least part of the answer is in the concept of a lemon market.
George Akerlof famously discussed this in his 1970 paper The Market for Lemons: Quality Uncertainty and the Market Mechanism, and Bruce Schneier himself has been mentioning it in his talks for some time now, but since few people can be bothered to read an entire paper on economics or listen to hour-long talks, I thought I’d sum it up.
The example Akerlof used was of the used car market. Suppose that there are crappy used cars ("lemons") worth $2,000, high-quality used cars worth $6,000, and everything in between, and that the buyer cannot reliably tell the difference between them before buying them.
Naturally, crappy cars will be worth less than high-quality cars, but the buyer, not being able to distinguish between them (price is not a reliable indicator, since car salesmen aren’t known for their honesty), will generally only be willing to pay what an average car is worth (in our simplified example, $4,000, say). This will be the equilibrium price for used cars in this market.
However, there’s a problem. The used car salesmen can accurately assess the value of the cars they sell, and they know very well that the high-quality cars are worth more than $4,000, so they won’t sell them at that price. However, the buyer, not having a way to distinguish overpriced crap cars from correctly priced good cars, won’t buy them at the higher price.
The result is that the high-quality cars don’t sell, and are driven out of the market by lower-quality cars.
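To make the "driven out of the market" step concrete, here is a small simulation of the mechanism just described (an added example, not part of the original post or Akerlof's paper). The inventory of cars, the $2,000-wide quality bands and the rule that buyers pay the average value of whatever they cannot tell apart are all constructed assumptions; the second run shows what a coarse public quality label does to the same market.

```python
"""Toy model of Akerlof's lemon market as used in the post.

Constructed example: sellers know each car's true value; buyers only see an
optional coarse quality label and pay the average value of what is on offer
under that label. Sellers whose car is worth more than the offer withdraw,
the average drops, and the process repeats until nobody else withdraws.
"""
from collections import defaultdict


def lemon_market(values, label=lambda v: 0, max_rounds=100):
    """Return (cars still on offer, list of per-round prices per label).

    label(v) maps a car's true value to what the buyer can observe; the
    default maps every car to one class, i.e. the buyer learns nothing.
    """
    offered = sorted(values)
    history = []
    for _ in range(max_rounds):
        # buyers pay the mean value of the cars they cannot tell apart
        groups = defaultdict(list)
        for v in offered:
            groups[label(v)].append(v)
        price = {k: sum(vs) / len(vs) for k, vs in groups.items()}
        history.append(price)
        # sellers withdraw any car worth more than what buyers will pay
        remaining = [v for v in offered if v <= price[label(v)]]
        if remaining == offered:
            break  # equilibrium: no seller wants to leave
        offered = remaining
    return offered, history


# constructed inventory: one car every $500 from a $2,000 lemon to a $6,000 gem
CARS = list(range(2000, 6001, 500))


def no_information():
    """Buyers see nothing: the market collapses to the $2,000 lemons."""
    return lemon_market(CARS)


def coarse_labels():
    """An outside reviewer sorts cars into $2,000-wide quality bands."""
    return lemon_market(CARS, label=lambda v: v // 2000)


if __name__ == "__main__":
    cars, hist = no_information()
    print("no labels  :", cars, [h[0] for h in hist])
    cars, hist = coarse_labels()
    print("with labels:", cars)
```

Without any signal the offer price walks down from $4,000 to $2,000 and only lemons remain; with even a coarse label, one car survives in each band, which is the argument for public quality assurances made later in the post.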
The basic criterion that makes a lemon market possible is information asymmetry. That is, sellers are aware which of their products are crap, but buyers cannot accurately determine a product’s value before buying it.
I’m sure you can see how this applies to many other markets, not just security. Operating systems come to mind. So does the MP3 player market.
This is one of the points where the free market breaks down. For the free market to work, it is required that consumers are informed. In practice, they very rarely are.
So how do you solve this?
One of the ways to do it is through government regulation. Laws against false advertising exist in many countries, and you can regulate the quality of many products directly.
While this is certainly part of the answer, there are other ways.
Another way, which may not work for all markets, is through warranties and guarantees offered by the seller. A car salesman can offer to let the customer use the car for a while, and if he doesn’t like it, he can bring it back and get his money back.
This is trickier to do in the security business, since most people aren’t in any position to evaluate the quality of the product even after getting to use it for quite a while (really, you generally don’t notice when your firewall protects you; you only notice when it fails to, and that might not happen for months, or even years), and things like penetration tests are expensive. It does work for some products, though.
These warranties can also be enforced through government regulation.
What probably works best in the security market is public quality assurances.
While individual buyers can’t really assess the quality of their products even after buying them, security researchers certainly can. The buyer could then rely on reviews by these researchers to assess the quality (or lack thereof) of a product. Quality labels are already used in many industries, and are basically a quicker form of the same thing.
Of course, this isn’t a perfect system. Unscrupulous companies could buy good reviews from unscrupulous researchers or computer magazines (which is something that happened a lot in the firewall market of the ’90s, and which is one of Schneier’s favorite examples), seriously confusing market signals. Then it’s up to the publications to establish themselves as reliable, probably in much the same way as the security products.
There is no silver bullet.
Educating users would at least weed out the obviously retarded products, and would increase security across the board even with mediocre products, but most users just aren’t very interested (which would be fine by me, if it was only themselves they’re harming; however, as botnets prove, it very obviously isn’t), and snake oil products will always be around either way.
It seems the only thing to do is to pay attention to security researchers, and to sue people who make crap products into oblivion, forever.
Skatje said,
February 22nd, 2008 at 12:52 am
I find this interesting.