At one of my previous startups, which shall remain nameless, I was having a discussion with another employee about how a specific feature of the upcoming product (let's call it “FooBar”) should be implemented. I argued that it could not be implemented as written because it would be insecure. His somewhat tongue-in-cheek reply was that we would simply call it “Secure FooBar” instead: “No one would think it's insecure if we put the word ‘Secure’ in the name.” He was only half joking, but this logic is surprisingly effective in the security industry. Selling security products is a lot like selling dead donkeys. If you haven't heard the fable of the dead donkey auction, allow me to explain.


A businessman sees an advertisement in the local paper for a donkey. He goes to buy it, and the farmer informs him that, unfortunately, the donkey has passed away. The businessman insists this isn't a problem, pays $10, and hauls away the dead donkey.

The next day the businessman puts a raffle for the donkey in the local paper. Over the next week he sells 200 tickets at $1 apiece. When the winner of the raffle comes to collect the donkey, he informs her that it has passed away, refunds her $1 for the ticket, and sends her on her way. He walks away a happy man, having pocketed a handsome $189 ($200 – $10 – $1).

The moral of the story is simple: oversell your product, and do it by a lot. If anyone notices that your product doesn't do what you said it does (i.e. the donkey is dead), simply refund their money. In many industries this is impossible: you can't claim a car you are selling has 300 horsepower and deliver one with far less, because buyers will notice. Sadly, the security industry is highly competitive and customers can't easily verify the effectiveness of a product, so vendors often resort to selling dead donkeys.

Take for instance some recent testing I did on UTM appliances from two well-known vendors. One promised to support 10,000 simultaneous sessions! This is a whopping number, especially for an appliance aimed at a 30-user network, where it's not uncommon to never see more than 200 simultaneous connections. Another product of about equal cost from another vendor boasts support for 25,000 simultaneous connections!

So I strapped the first one to the test bench and used a simple little test program to measure the number of simultaneous sessions it actually supports. The first box, which supposedly handles 10,000 sessions, gets to 600 before it grinds to a halt – a mere 6% of the promised amount! (output here) At this point the box won't allow a single additional session through; effectively the network is down. The second appliance, which promises a whopping 25,000 simultaneous connections, gets to 722 before it starts resetting all connections – roughly 2.9% of the promised amount! (output here)
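The test program the post refers to is not reproduced on the page, so what follows is an added example of the kind of session-ramp test described above. It is not the original tool and not Untangle code. It opens TCP sessions in batches and holds every earlier one open, counting a session only once a few bytes have made the round trip (a completed handshake alone says nothing about the session table), and after each batch it re-probes the oldest sessions, so an appliance that reacts to a full table by resetting existing flows (the second failure mode above) is caught as well as one that simply stops accepting new ones. Because the example has to run offline, the appliance is stood in for by a constructed local echo server that drops every connection beyond a chosen capacity; the capacity of 40 and target of 100 are made-up numbers. Against a real device you would run a plain echo server on a host on the far side of the appliance, point `ramp_sessions` at it with the vendor's claimed session count as the target, and raise the client's open-file limit (`ulimit -n`) above that count first.

```python
import asyncio
from dataclasses import dataclass

# A session only counts if these bytes make the round trip through the device.
PROBE = b"ping\n"

# Anything that means "this session does not pass traffic".
FAILURES = (OSError, asyncio.TimeoutError, asyncio.IncompleteReadError)


@dataclass
class RampResult:
    target: int           # simultaneous sessions we tried to reach
    established: int      # peak number of sessions that connected and echoed a probe
    reset_existing: int   # earlier good sessions found dead when re-probed
    stopped_reason: str   # "target reached" or the first failure observed


async def _probe(reader, writer, timeout):
    """Send PROBE and require it echoed back within `timeout`."""
    writer.write(PROBE)
    await writer.drain()
    data = await asyncio.wait_for(reader.readexactly(len(PROBE)), timeout)
    if data != PROBE:
        raise ConnectionError("probe echoed incorrectly")


async def _close(writer):
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass  # the far end may already have reset this session


async def ramp_sessions(host, port, target, batch=50, timeout=2.0) -> RampResult:
    """Open sessions to host:port in batches, holding every earlier one open,
    until `target` is reached or a new session fails to pass traffic. After
    each batch the oldest `batch` sessions are re-probed, which catches a
    device that copes with a full session table by resetting existing flows."""
    sessions = []  # (reader, writer) pairs that have passed a probe
    peak = reset_existing = 0
    reason = "target reached"
    while len(sessions) < target and reason == "target reached":
        for _ in range(min(batch, target - len(sessions))):
            writer = None
            try:
                reader, writer = await asyncio.wait_for(
                    asyncio.open_connection(host, port), timeout)
                await _probe(reader, writer, timeout)
                sessions.append((reader, writer))
            except FAILURES as exc:
                reason = f"session {len(sessions) + 1} failed: {type(exc).__name__}"
                if writer is not None:
                    await _close(writer)
                break
        peak = max(peak, len(sessions))
        # Re-probe the oldest sessions: are the ones we already had still alive?
        alive, dead = [], []
        for pair in sessions[:batch]:
            try:
                await _probe(*pair, timeout)
                alive.append(pair)
            except FAILURES:
                dead.append(pair)
        for _, writer in dead:
            await _close(writer)
        reset_existing += len(dead)
        if dead and reason == "target reached":
            reason = f"{len(dead)} established sessions reset with {peak} open"
        sessions = alive + sessions[batch:]
    for _, writer in sessions:
        await _close(writer)
    return RampResult(target, peak, reset_existing, reason)


async def capped_echo_server(capacity):
    """Constructed stand-in for the appliance under test (not a real product):
    echoes traffic on at most `capacity` concurrent sessions and drops every
    connection beyond that, which is how a full session table looks from outside."""
    active = 0

    async def handle(reader, writer):
        nonlocal active
        if active >= capacity:
            writer.close()  # handshake completed, but no traffic will ever pass
            return
        active += 1
        try:
            while data := await reader.read(4096):
                writer.write(data)
                await writer.drain()
        except OSError:
            pass
        finally:
            active -= 1
            writer.close()

    return await asyncio.start_server(handle, "127.0.0.1", 0)


async def _run(target, capacity, batch):
    server = await capped_echo_server(capacity)
    port = server.sockets[0].getsockname()[1]
    try:
        return await ramp_sessions("127.0.0.1", port, target, batch=batch)
    finally:
        server.close()
        await server.wait_closed()


def demo(target=100, capacity=40, batch=10) -> RampResult:
    """Ramp `target` sessions against a stand-in that only holds `capacity`."""
    return asyncio.run(_run(target, capacity, batch))


if __name__ == "__main__":
    r = demo()
    print(f"claimed {r.target}, established {r.established}, "
          f"reset {r.reset_existing}, stopped: {r.stopped_reason}")
```

Two design points matter when you run this against a real box. First, every session is held open and verified by an echo, so a device that completes the TCP handshake but never forwards a byte (the first box's behaviour once its table was full) is counted as a failure, not a session. Second, the batch size controls how precisely the limit is located versus how long the run takes; 50 is reasonable for the low thousands, and the run stops at the first failure or the first observed reset, so the number reported is the point at which the network effectively goes down.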

Looking at other metrics, the trend continues. Both of these are antivirus gateway appliances, but when I throw my ancient set of test viruses, assembled from my own email inbox, at them, one stops 80% while the other (the self-proclaimed UTM leader) stops about 50%. (Email me if you'd like my virus test set.)

Sadly, these vendors have figured out that it's profitable to simply over-promise and, if someone notices (which they usually won't), just say you're sorry and refund their money.

At Untangle, we'd like to believe that this behavior eventually erodes the trust between vendor and customer and is not a net positive for the company in the long term. Unfortunately, it's inarguably a net positive in the short term, so many security companies find accurately representing their product a difficult thing to do.