On Mon, Jan 2, 2012 at 2:40 PM, Jeffrey Walton <[email protected]> wrote: > On Mon, Jan 2, 2012 at 2:44 PM, John Levine <[email protected]> wrote: >> Law is not software. Ticketmaster's CAPTCHA is a security system in >> the sense that it is obviously meant to keep out robo-purchasers. It >> doesn't matter that CAPTCHAs are not impossible to defeat, it matters >> that any reasonable person can understand what's going on. > [...] >> To draw a rough analogy, if I'm arrested for breaking into your house, >> it is not a defense that I couldn't have done it if you had a stronger >> lock on the door. > Would it be my house, or closer to a public business like Home Depot > or Walmart? (with the 'gaming' being me and my family walking into a > public store and making separate purchases to avoid '1 item per > household' limits, even though my family had no interest in the > product).
There's a non-trivial cost to the individual/business in implementing good security measures. There is a non-trivial cost to the people to strengthen poor security measures through law enforcement. The latter is always necessary, but if individuals can lower the cost to the people, shouldn't they be required to do so to some point and to some degree? Consider recent news articles about fire departments not battling house fires whose owners/occupants did not pay fire department fees. Couldn't the police and prosecutors do the same or a variation of the concept? I'm not referring here to immediate assistance, but to after the fact activity, such as investigations and prosecutions. I'm not saying that this would be a good idea -I'm not sure yet either way- but that the negative externalities of poor security measures are not zero, and that we ought to try to quantify them and use those numbers when setting public policy. > The problem I see with Tciketmaster's position is they hung a public > service off a public internet, and then claimed foul after someone > [cleverly] used it. Perhaps Ticketmaster's terms of service forbid the > practice, in which case I would expect a civil action. Right. Why should the people subsidize Ticketmaster by providing a deterrent that makes up (?) for Ticketmaster's weak security systems? Of course, I'm not sure that Ticketmaster had reason at the time to think that their security system was weak, and that question is of some importance. > An unanswered question (for me): what's the Ticketmaster/US Attorney > General connection? Why did Wiseguys' actions elicit a PATRIOT Act > like response? Who went to law school with whom and where? It seems to > me US Attorney resources would be better used elsewhere (such as an > investigation of the economic terrorist across the river on Wall > Street). I wouldn't suspect any nefarious connections between Ticketmaster and the DoJ, not yet. Let's suppose that the cost of prosecution was high, but let's also suppose that the deterrent effect of a successful prosecution is also high, then the savings from future cases avoided may be high enough to justify the action. (Add in the benefit to the DoJ of using otherwise-possibly-idle resources, and the benefit in terms of "power" that accrues from even attempting to use the muscle of the State.) On the other hand there is probably a very large, if hidden cost in the form of weak security systems surviving much longer, which creates weaknesses that might be exploited by those who can't be deterred by criminal sanction (think social order breakdowns, foreign powers, ...). Nico -- _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
