“There’s no math band-aid that will cure these boo-boos”
December 20, 2012  

First of all, that’s a great line. The rest of mathbabe’s post debunking Nate Silver’s book is equally great. This passage sums it up:

Silver confuses cause and effect. We didn’t have a financial crisis because of a bad model or a few bad models. We had bad models because of a corrupt and criminally fraudulent financial system.

This reminds me of the mistake that many security experts make about the security vulnerability market: the vulnerability market is not causing bad incentives, bad incentives are causing the vulnerability market.

Furthermore, there’s no regulatory band-aid that can cure the boo-boo known as the vulnerability market. The idea that a government can control or eliminate this market is a false hope.

Here’s a more familiar analogy: in this world, there’s a market for assassinations. In this market, the target of an assassination might not have the resources to be the high bidder, if they got the opportunity to bid at all. There’s no way to regulate this market because assassins and their customers don’t care about regulations. What a government can do is make it illegal—but note that this does not eliminate the market, it just increases the price of an assassination.

Similarly, in the security vulnerabilities market, the producer of the vulnerable product may not have the desire or resources to be the high bidder, or may not have the opportunity to bid. There’s little a government can do about this.