Why do we have such bad security? In tonight's keynote, Bruce Schneier started by assuming that large companies have bad security (products or systems) because it makes business sense. It doesn't make sense to spend money on security until it becomes more expensive not to. There are few consequences for bad security. He suggests increasing liability, which has interesting implications for open source. If open source projects were immune to liability, that would be a killer advantage for open source code in some areas.

On the other hand, if everybody who wrote, shipped or administered insecure systems were liable including open source, you would think large institutions would have an advantage. It's surprising Microsoft doesn't support broad liability for security holes (or maybe this is the next phase after Palladium). Microsoft could just buy insurance against this liability anyway. And this gets to Bruce's real solution: that with insurance and liability for security holes, there will be a free market for security. Companies could sell secure products and agree to accept some liability (currently every software package you buy disclaims liability for anything, even problems they know about). This is a very free market approach. Akin to the carbon market which puts an actual price on pollution of a certain kind, liability and insurance put a price on insecurity.