tptacek 2 days ago

If you want to fit the word "should" in there somewhere, you can. I think SSO is important, and it would be one of the first 3 things I would stand up at any new shop I went to, but I can think of more important security things that nobody really thinks should be equally distributed across companies.

sunshowers 2 days ago | parent [-]

Okay:

"That there should be nothing magic about security to exempt it from economics."

I disagree quite strongly with this! I think a reasonable premium for SSO support costs is fine but severe price discrimination/bundling based on security features is unethical. That is because security issues have large externalities on uninvolved parties.

tptacek 2 days ago | parent [-]

That's not the fault of the vendor, it's the fault of the customer who refuses to pay for what the vendor charges. You couldn't argue that it would be "unethical" for Atlassian to charge $1000/seat; you'd just say it was too expensive. Somehow though, when you bundle security into that, you don't look at it and say "customers should not use the cheap-o account type and should pay what Atlassian is actually charging for this service, or use a different provider" --- no, they blame Atlassian.

No, not valid. It's Atlassian's customer that's on the hook for securing their offerings to their customers. Atlassian is holding up its end of the bargain. If you don't like it, don't take them up on it! I don't!

sunshowers a day ago | parent [-]

I think as the B2B customer you ought to do right by your users. But as the B2B vendor you have a responsibility to guide your customers towards making better choices. If your SSO plan costs $1000 a month and that's the "true" cost, your non-SSO plan should cost $900 a month to make it unviable for your customers to try and make the bad choice.

This is all normative.

tptacek a day ago | parent [-]

What's a "true cost"?

sunshowers a day ago | parent [-]

I mean what the vendor actually wants to make the customer pay based on their internal margins. If the intention is to make customers pay $1000 a month, don't price a non-SSO tier at $150 a month.

Just my opinion.

tptacek a day ago | parent [-]

So far as I know, no software in the world is cost-plus priced.

sunshowers a day ago | parent [-]

I'm not saying software should be cost-plus priced. I'm saying that non-SSO shouldn't have an unreasonable discount.