Interpretation. There are many ways of interpreting a software product, and one important one is security updates. This comes back to one of the building blocks of trust -- knowing that your business partner can be relied upon to fix a problem if it occurs on their watch. There's money to be made, and customer loyalty to be won, in finding the security vulnerabilities and getting reliable patches out to market as quickly as possible. It doesn't matter that the majority of your customers wouldn't know a buffer overflow from a broken fan belt, but they do know that you are fixing the problem -- that you are looking after them -- and that encourages them to trust you.
Companies should be advertising their security updates as part of their sales material: "Buy our product, it does X, Y and Z, and if it goes wrong we'll fix it". (Maybe in a slightly more polished form than that -- I never claimed to be a good copywriter -- but to me that's a compelling sales pitch.) We've all been burned too many times by companies that took our money, handed over a product, and then conveniently forgot we existed when the wares started to go wrong. In other industries this problem is overcome by warranties, but in the software industry we have chosen not to guarantee that our product works. But if we want our customers to trust us, we have to give them faith that we'll fix problems that we cause, and regular bug fixes and security updates are one of our best ways of doing so.
Authenticity. Once again we're back to the heartland of security -- Authenticity and Authentication. (Security people can breathe a sigh of relief, as this one's in all the textbooks.) We are the specialists in telling you what's real and what's fake. We have all sorts of tools and techniques to sign, to checksum, to watermark, to prove which is the forgery and which is the real deal. This is something we can go out and lead with.
But again, we're heading in slightly the wrong direction. For the past few years, our focus has been on stopping the bad guys, not on making life easier for the good guys. Digital Rights Management is the poster child of this movement, and few other security mechanisms have ever caused so much public disgust. DRM takes the view that the bad guys must be stopped at all costs, even if that leads down the path of suing your own customers, of deliberately designing functionality out of products -- 'Defective by Design' -- of associating hard-won corporate reputations with bully-boy legal tactics.
Kelly reminds us that Authenticity is actually a prized value to the customer, not just to the vendor. This is why I'm willing to admit in writing that I downloaded some pirate software from the Pirate Bay a few weeks ago -- because I stopped the download and never installed it. I value the authenticity of what I buy; I don't want to put a piece of pirated software on my machine because, like something the cat dragged home, you never know where it's been. Put that piece of software on the same machine that holds all my e-mail, my work, my bank account details? No thanks, I'll wait until I can eventually get hold of a copy of the original, authentic software. The same goes for all sorts of products: yes, you can buy cheap copies of designer clothes in all sorts of places, but over time you learn that the authentic clothes usually last longer and look better. Given the choice of an expensive Nokia phone or a cheap 'Nokai' phone from my local market, I know which one is likely to be more reliable in the long run.
We need to remember that the good guys pay our wages. Your customers aren't stupid, they can tell the difference between a cheap fake and a valuable original, and they're often willing to pay for the real thing. Authentication mechanisms don't have to make life impossible for the forger: often it's enough just to make it clear which is real and which is fake.