"The most important thing any security company needs to realize is that their primary product is their reputation, not the physical or digital goods that they produce." That's semi-true. They're both important. The belief that the product is worth buying and effort into selling it are of primary importance. Getting hacked or sued in public diminishes sales. So, the most important aspect of security for these kinds of companies is perversely minimizing potential for their image to be hit by hackers even if the products have no security. Not an accusation at Yubico but a common strategy in this market. So, they just have to present a good impression to the target market.

"every ounce of closed source software/hardware in a security offering is something the customer should be concerned about." Not really. It might surprise you but many companies have run for decades on proprietary platforms. They generated ridiculous sums of money in the process. All kinds of people got jobs, made money, and retired in this time. Nothing to worry about apparently most of the time. The reasons to worry are there but smaller than you think. One must balance many needs in a business. For most, this kind of thing is a checklist item about reducing liability. They're fine if it looks good on paper.

"But would you buy a cheap knockoff Yubikey? I certainly wouldn't." Most would. They want something as an obstacle to hackers while minimizing cost. They don't know if Yubikey has any real quality underneath given how businesses often do things. So, it's a real Yubikey vs a cheaper one. Many, not all, will choose the cheaper one. See Cisco and mobile manufacturers vs Huawei to see how big of a market share that can lead to.

"Confidence that when they buy from company X they know that company X has put the best engineers to the task and crafted a device that will protect their valuable digital information." There's a market for that. I used to try to serve it. It's tiny and fickle.
Yet, I question what confidence people have in those engineers to begin with, as they've never assessed their capabilities in INFOSEC and strong attacks rarely are publicized. It's not like Googling the rate of car crashes.

"produce world class hardware and software, and charge a sharp premium on it, because security is _so_ important and protects some of our most valuable assets." Many tried. Market rejected almost all of it. Still does. They want security-defeating feature X, protocol Y, and fall-back Z. They want it to run as fast as the competition despite security or safety checks on insecure, potentially-backdoored hardware to get COTS HW benefits. They also don't want to pay much of anything extra for it despite whole teams of extra people being put into every other component for rigor and the price of external evaluations. Market for high-assurance guards is so small that they have to charge over $100,000 per unit to make the money back. Hell, Signal is free and Threema charges $1-2 but they're barely a fraction of 1% of WhatsApp or Facebook in marketshare. Demand-side is the problem. So, Yubico is doing what's good for business. All of them are and should until the market shows it's willing to make the compromises necessary for strong security. They won't. So, wasting money on it is foolish outside the defense sector, academia, and a few niches (e.g. smartcards) where one can keep a job doing it.
Implying that Huawei is the "cheap knock off" and Cisco/Apple/Samsung/etc. are the noble high quality product fighting the good fight....
My Huawei Nexus 6P has been the best phone I have ever owned, far exceeding the quality and usability of every Motorola, Samsung, and other phone I have owned.
As to Cisco, after their fiasco with the NSA I would not trust them at all for security.