by fpgaminer 3690 days ago
> we, as a product company

The most important thing any security company needs to realize is that their primary product is their reputation, not the physical or digital goods that they produce. "We, as a product company" is totally the wrong attitude. There's really no question about it: every ounce of closed source software/hardware in a security offering is something the customer should be concerned about.

From a product perspective it totally makes sense to be worried about open sourcing the entire design. "Our competition will make clones!" And that may be true of every other kind of product. But would you buy a cheap knockoff Yubikey? I certainly wouldn't. Again, reputation is the key here. That's what a security company sells to their customers. Confidence that when they buy from company X they know that company X has put the best engineers to the task and crafted a device that will protect their valuable digital information.

A company can build up a reputation in the security industry, produce world class hardware and software, and charge a sharp premium on it, because security is _so_ important and protects some of our most valuable assets. That premium is completely derived from the trust that they've garnered. It's insane for Yubico to squander theirs under some false sense of IP security.

EDIT: And all that said, I totally understand where they're coming from on some of their points. They have to depend on chip manufacturers, and chip manufacturers are just the absolute worst when it comes to open source and security. Sometimes there are hard constraints and compromises have to be made. Most of cryptography is a trade-off. So don't take my comment to mean that designs absolutely have to be 100% open source. That's infeasible most of the time for hardware. But Yubico should be striving for it and pressuring the market.


> A company can build up a reputation in the security industry, produce world class hardware and software, and charge a sharp premium on it, because security is _so_ important and protects some of our most valuable assets.

Hmm. I think there are considerable limits on how true this is. I would argue Yubikey's current security is more than good enough for almost everyone.

As mentioned in your edit, there's not a lot Yubico can do about the hardware restrictions. Given these restrictions, a common way companies in this industry assure users of the security of their device is FIPS 140-2 certifications, which range from levels 1 to 4.

Level 4-certified devices are extremely expensive, and the market for them is tiny, which seems to indicate that there's a definite limit on the amount people and organisations are prepared to pay to ensure security.

"The most important thing any security company needs to realize is that their primary product is their reputation, not the physical or digital goods that they produce."

That's semi-true. They're both important. The belief that the product is worth buying and the effort put into selling it are of primary importance. Getting hacked or sued in public diminishes sales. So, the most important aspect of security for these kinds of companies is perversely minimizing the potential for their image to be hit by hackers, even if the products have no security. Not an accusation at Yubico, but a common strategy in this market. So, they just have to present a good impression to the target market.

"every ounce of closed source software/hardware in a security offering is something the customer should be concerned about."

Not really. It might surprise you but many companies have run for decades on proprietary platforms. They generated ridiculous sums of money in the process. All kinds of people got jobs, made money, and retired in this time. Nothing to worry about apparently most of the time. The reasons to worry are there but smaller than you think. One must balance many needs in a business. For most, this kind of thing is a checklist item about reducing liability. They're fine if it looks good on paper.

" But would you buy a cheap knockoff Yubikey? I certainly wouldn't. "

Most would. They want something as an obstacle to hackers while minimizing cost. They don't know if Yubikey has any real quality underneath, given how businesses often do things. So, it's a real Yubikey vs a cheaper one. Many, not all, will choose the cheaper one. See Cisco and mobile manufacturers vs Huawei to see how big of a market share that can lead to.

"Confidence that when they buy from company X they know that company X has put the best engineers to the task and crafted a device that will protect their valuable digital information."

There's a market for that. I used to try to serve it. It's tiny and fickle. Yet, I question what confidence people have in those engineers to begin with as they've never assessed their capabilities in INFOSEC and strong attacks rarely are publicized. It's not like Googling rate of car crashes.

" produce world class hardware and software, and charge a sharp premium on it, because security is _so_ important and protects some of our most valuable assets. "

Many tried. Market rejected almost all of it. Still does. They want security-defeating feature X, protocol Y, and fall-back Z. They want it to run as fast as the competition despite security or safety checks, on insecure, potentially-backdoored hardware, to get COTS HW benefits. They also don't want to pay hardly anything extra for it, despite whole teams of extra people being put into every other component for rigor, and the price of external evaluations. The market for high-assurance guards is so small that they have to charge over $100,000 per unit to make the money back. Hell, Signal is free and Threema charges $1-2, but they're barely a fraction of 1% of WhatsApp or Facebook in market share. Demand-side is the problem.

So, Yubico is doing what's good for business. All of them are and should until market shows it's willing to make the compromises necessary for strong security. They won't. So, wasting money on it is foolish outside defense sector, academia, and a few niches (eg smartcards) where one can keep a job doing it.

>>Cisco and mobile manufacturers vs Huawei to see how big of a market share that can lead to.

Implying that Huawei is the "cheap knock off" and Cisco/Apple/Samsung/etc are the noble high quality product fighting the good fight....

My Huawei Nexus 6P has been the best phone I have ever owned, far exceeding the quality and usability of every Motorola, Samsung, and other phone I have owned.

As to Cisco, after their fiasco with the NSA I would not trust them at all for security.

That's an accusation and implication. The Chinese strategy, which isn't entirely secret, is to use their hackers to get trade secrets out of firms in all kinds of sectors to hand to their own firms. Each time, their firms leverage those as a head start on their own products, which combine their own innovations, labor advantage, and money from the vast market in China. It's a proven model. As far as Cisco and Samsung go, it's been clear Huawei has been knocking them off the same way.

Besides, what are you even questioning given that Huawei admitted they had and removed Cisco source code? Of course they robbed them. :P

"As to Cisco, after their fiasco with the NSA I would not trust them at all for security."

Which is totally irrelevant to my point that cloners... especially Chinese cloners... will make knock-offs of a hardware product in any country, hurting that company's business, if the product is worth it to them. The NSA collecting secret information to determine if you're a terrorist, felon, or threat to foreign policy != Chinese intelligence giving your competition your I.P., who then operate in your market with cheaper labor. The NSA is a hypothetical threat for most companies, whereas the Chinese tech and labor market have been doing my country (U.S.) in for decades, with many companies achieving parity or dominance in some sector through stolen I.P. It didn't help that idiots running our companies put R&D centers over there to reduce labor costs. (rolls eyes) Such stuff is an existential threat to small hardware providers worth cloning, given what Shenzhen can pull off.

Name five foreign companies off the top of your head who cloned US products... with source and such... and their product line, and which also became huge players in the market, taking huge sums from the original. I'm interested in seeing them, as I blast the NSA for what tiny industrial espionage I find.

>Chinese intelligence giving your competition your I.P. who then operate in your market with cheaper labor.

Well first and foremost I do not accept the concept of IP in the first place, Information is not property and should not be protected.

Nor are they "my competition". They might be Cisco's, but I do not support nationalism or protectionism.

Let me guess, you're a Trump supporter?

How do you get from admitting the Chinese use spies to rob American companies of R&D to thinking anyone avoiding that is a Trump supporter? You have a powerful imagination or loose standards of logic to make a leap like that.

More like a company acting in rational self-interest should keep any IP they depend on away from the Chinese. Or expect to be cloned, but leverage them and dominate their market as much as possible before being displaced by a homegrown offering.