On Tuesday 25 March 2003 13:17, David Wagner wrote:
> I'm skeptical. Just because the cost is
> subjective doesn't mean we should ignore the cost.

I agree with that ... I was converting the subjective harm into an objective cost. I certainly wasn't intending to ignore it :-)

> > But, luckily, there is a way to turn the above
> > subjective morass of harm into an objective
> > hard number: civil suit.
>
> That's using a questionable measuring stick.

That being part and parcel of the problem. It's a subjective harm; there is no solid way to move subjective to objective, by definition. We can only make estimates. What is beneficial here is that - at least - we have one way to do this. And it is a way that has lots of disinterested observers, lots of experience, and lots of interested parties. Much as I dislike courts, it is a "fair and auditable" way of dollarising a harm.

Bear says:
> You honestly haven't heard of Fred Phelps?

Nope. But all we want is an estimated cost of the attack. Ask some lawyers for a quote. Ignore the guy's family; we are only after an estimate of the cost.

David says:
> The damages paid out in a civil suit may be very
> different (either higher, or lower) than the true
> cost of the misconduct. Remember, the courts are
> not intended to be a remedy for all harms, nor could
> they ever be. The courts shouldn't be a replacement
> for our independent judgement.

This of course is true, especially with the low level of MITM activity that we've found to date. If such a case were to happen once a year, I'd not be really confident of the accuracy of the numbers, especially if we were estimating based on lawyers' opinions rather than awarded damages. (But that wouldn't so much matter if the numbers came out as also too low to consider, as I suspect they will.)

If, however, we had such MITMs once per month, then costs could be averaged over the size of the activity. Something like this:

There are 500 million email users in the world today (guess!). Cost of failures that could be rectified with proper crypto (amounts to 12 cases per year) is 12 million dollars. Some judgements less than a million, some more. [If you like, you could add in a fudge factor for unreported harms and other "judgement" calls.]

Now, the cost of prevention: assume we pass a law to make every ISP sell every user a copy of OpenPGP to protect their privacy. Bulk discount gives us $1 each copy, annually updated to cover for the inevitable new release.

So, cost to protect: 500 million x $1.
Saved costs in cases: $12 million.

That law won't get passed :-)

-- 
iang
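The comparison iang sketches is the standard annualised-loss-expectancy calculation: expected yearly loss from an attack class against the yearly cost of the control that would prevent it. The script below is an added example, not part of the original message or of the mailing list; it uses only the figures stated in the post (500 million users, 12 cases a year at roughly $1 million each, $1 per user per year for the control) and goes one step beyond the post by computing the break-even points: how many incidents per year, or what per-user price, would make the control worth mandating. The `fudge` multiplier for unreported harms is the post's own suggestion; the function names are mine.

```python
"""Annualised loss expectancy (ALE) versus cost of control.

Added example built on the figures in the mailing-list post above;
the helper names and the break-even framing are assumptions of this
example, not something the post itself defines."""

# Figures as stated in the post
EMAIL_USERS = 500_000_000          # "guess!" in the original
INCIDENTS_PER_YEAR = 12            # one MITM case per month
DAMAGES_PER_INCIDENT = 1_000_000   # "some less than a million, some more"
COST_PER_USER_PER_YEAR = 1.0       # $1 per copy, annually updated


def annual_loss(incidents_per_year, damages_per_incident, fudge=1.0):
    """Expected yearly loss from the attack class (the ALE).

    `fudge` >= 1 scales the figure up for unreported harms, as the
    post suggests one might do."""
    if fudge < 1.0:
        raise ValueError("fudge factor cannot shrink the reported loss")
    return incidents_per_year * damages_per_incident * fudge


def annual_control_cost(users, cost_per_user):
    """Yearly cost of giving every user the protective control."""
    return users * cost_per_user


def net_benefit(loss, control_cost):
    """Positive when the control saves more than it costs."""
    return loss - control_cost


def break_even_incidents(users, cost_per_user, damages_per_incident):
    """Incidents per year at which the control exactly pays for itself."""
    return annual_control_cost(users, cost_per_user) / damages_per_incident


def break_even_price(users, incidents_per_year, damages_per_incident):
    """Highest per-user yearly price at which the control pays for itself."""
    return annual_loss(incidents_per_year, damages_per_incident) / users


def evaluate(users=EMAIL_USERS, incidents=INCIDENTS_PER_YEAR,
             damages=DAMAGES_PER_INCIDENT, price=COST_PER_USER_PER_YEAR,
             fudge=1.0):
    """Run the whole comparison and return the numbers a decision needs."""
    loss = annual_loss(incidents, damages, fudge)
    control = annual_control_cost(users, price)
    return {
        "annual_loss": loss,
        "control_cost": control,
        "net_benefit": net_benefit(loss, control),
        "worth_mandating": net_benefit(loss, control) > 0,
        "break_even_incidents": break_even_incidents(users, price, damages),
        "break_even_price": break_even_price(users, incidents, damages),
    }


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k:>22}: {v:,}" if isinstance(v, (int, float)) else f"{k:>22}: {v}")
```

With the post's numbers the control costs about 40 times the loss it prevents; the break-even point is 500 incidents a year (roughly 40 a month rather than one), or a per-user price of a little over two cents. A tenfold fudge factor for unreported harm still leaves the control well short of paying for itself, which is the post's conclusion in numbers.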
