Hacker News new | ask | show | jobs
by fluoridation 498 days ago
A tragedy of the commons occurs when multiple independent agents exploit a freely available but finite resource until it's completely depleted. Security isn't a resource that's consumed when a given action is performed, and you can never run out of security.
1 comments
JumpCrisscross 498 days ago
> Security isn't a resource that's consumed when a given action is performed, and you can never run out of security

Security is in general non-excludable (vendors typically patch for everyone, not just the discoverer) and non-rival (me using a patch doesn't prevent you from using the patch): that makes it a public good [1]. Whether it can be depleted is irrelevant. (One can "run out" of security inasmuch as a stack becomes practically useless.)

[1] http://www.econport.org/content/handbook/commonpool/cprtable...

link
fluoridation 498 days ago
>Security is [...] a public good

Yeah, sure. But that doesn't make it a resource. It's an abstract idea that we can have more or less of, not a raw physical quantity that can utilize directly, like space or fuel. And yes, it is relevant that it can't be depleted, because that's what the term "tragedy of the commons" refers to.

link
jrussino 498 days ago
> it is relevant that it can't be depleted, because that's what the term "tragedy of the commons" refers to

I think you're using an overly-narrow definition of "tragedy of the commons" here. Often there are gray areas that don't qualify as fully depleting a resource but rather incrementally degrading its quality, and we still treat these as tragedy of the commons problems.

For example, we regulate dumping certain pollutants into our water supply; water pollution is a classic "tragedy of the commons" problem, and in theory you could frame it as a black-and-white problem of "eventually we'll run out of drinkable water", but in practice there's a spectrum of contamination levels and some decision to be made about how much contamination we're willing to put up with.

It seems to me that framing "polluting the security environment" as a similar tragedy of the commons problem holds here, in the sense that any individual actor may stand to gain a lot from e.g. creating and/or hoarding exploits, but in doing so they incrementally degrade the quality of the over-all security ecosystem (in a way that, in isolation, is a net benefit to them), but everyone acting this way pushes the entire ecosystem toward some threshold at which that degradation becomes intolerable to all involved.

link
JumpCrisscross 498 days ago
> It's an abstract idea that we can have more or less of, not a raw physical quantity that can utilize directly, like space or fuel

Uh, intellectual property. Also land ownership is an abstract idea. (Ownership per se is an abstract idea.)

link
fluoridation 498 days ago
Land is obviously a finite resource. I don't know what point you're trying to make with regards to intellectual property.
link
JumpCrisscross 498 days ago
> don't know what point you're trying to make with regards to intellectual property

Stocks. Bonds. Money, for that matter. These are all "abstract idea[s] that we can have more or less of, not a raw physical quantity." We can still characterise them as rival and/or excludable.

link