Ted Lemon wrote:

> Ed Gerck wrote [reinserted for context]:
>
> >In fact, if there would be a pre-defined reward for those that find holes
> >in today's increasing electronic and "secure" systems then companies
> >could rely on that reward both as a payment cap and as a way to separate
> >reward from extortion.  I can imagine a company writing, for the benefit
> >of all:
> >
> > We support open assessment of risks -- if you find a security fault
> > in our systems, please tell us first so that we can fix it first.  We commit
> > ourselves to making public all such communications after a solution
> > is found so that publication will not compromise the system further. We
> > also reward any recognized security fault called to our attention, up to
> > US $1,000 from a minimum of US$ 50 -- value to be defined by us in
> > relationship to known faults and to its relevance.  To be eligible for
> > the reward, we must be the first and only to be informed about it. The
> > company reserves the right to consider legal measures to the full extent
> > of law if a fault is discovered or a reward is pursued by illegal actions.
> >
> >Of course, the above is not perfect and is probably too short to
> >satisfy all the legal ins and outs, but the idea is to use the reward
> >mechanism in a positive way to counter what I may call a "tendency"
> >and its potential bad effects, while preserving the good ones -- especially
> >to enhance security in a quasi-public review process.
> >
> > Comments?
>
> My impression of banks is that as long as they can quantify the potential
> loss, they can just set the margins to allow for a reasonable profit
> over the loss.  That way, they don't have to worry about security
> unless a cost/benefit analysis shows that additional security will
> produce a significant profit.

Almost verbatim from a comment by a friend who used to be a lawyer
for banks in the city of London (N. Bohm), such experience as I have of
the attitudes of banks causes me to believe that unless constrained by
law or otherwise persuaded by powerful social forces, banks will not be
willing to trust their customers to take the necessary precautions, but
will expect them to take the risk of failing to take the precautions -- and
also to take the costs of the bank's own failed precautions.

>  In order for your scheme to work, you'd have to
> convince *someone* that auditing the bank will drop the margin by more
> than the cost of doing the audit, and indeed by enough more that it's
> an attractive prospect.

No, I don't think we need a YACA -- Yet Another Centralized Authority.
We can simply include a provision for a "cool-off" limit:

  Cool-Off Limit: if we do not act and make public the comment provided
  in secret within a cool-off time limit of 30 business days of proven receipt,
  we agree that the comment can be made public by the proponent -- regardless
  of our future use and reward for the comment.

In other words, in the absence of mandated standards and YACAs, our
approach to this issue would be to try to provide a credible Truth-In-Advertising
label, even though the mechanisms necessary to provide the independent
verification of that label may be somewhat weak or missing to date.

Given a worldwide Internet, with no worldwide uniformity or government,
maintaining the independence of such verification channels may be the best
way to provide such Truth-In-Advertising -- even if not all channels are
equally efficient/reliable/fair to all.

Cheers,

Ed Gerck
