Re: prove me wrong, go to jail
Ted Lemon wrote:

> Amateurs in the crypto world seem to get bitten by this fairly frequently - read the recent transcripts to the New York preliminary injunction on the DeCSS case for supporting evidence. If you're out to prove a point, and you're riding the fine edge of legality and civil disobedience in doing it, it helps to make sure that you keep your nose clean and stay focused on what you're really trying to do, rather than, e.g., venting your anger or trying to get people who didn't ask you to help them to pay for your "help."

Yes, this is also my opinion -- "one may question a guy's right to charge for advice that was not requested, but why should he provide it for free?" And there are also, IMO, other sides to the issue (public trust, public gullibility, unchecked fraud, government indirect responsibility, regulation, etc.), so I suggested we could reflect on how security risks must not be handled as they are.

In fact, if there were a pre-defined reward for those who find holes in today's increasingly electronic and "secure" systems, then companies could rely on that reward both as a payment cap and as a way to separate reward from extortion. I can imagine a company writing, for the benefit of all:

    We support open assessment of risks -- if you find a security fault in our systems, please tell us first so that we can fix it first. We commit ourselves to making public all such communications after a solution is found, so that publication will not compromise the system further. We also reward any recognized security fault called to our attention, from a minimum of US$50 up to US$1,000 -- the value to be defined by us in relation to known faults and to its relevance. To be eligible for the reward, we must be the first and only to be informed about it. The company reserves the right to consider legal measures to the full extent of the law if a fault is discovered or a reward is pursued by illegal actions.

Of course, the above is not perfect and is probably too short to satisfy all the legal ins and outs, but the idea is to use the reward mechanism in a positive way to counter what I may call a "tendency" and its potential bad effects, while preserving the good ones -- especially to enhance security in a quasi-public review process.

Comments?

Ed Gerck
Re: prove me wrong, go to jail
> Comments?

I think your proposal is not entirely unreasonable, although I wonder if the people who have the most interest in a secure system are not the banks, but the insurance companies and the customers. My impression of banks is that as long as they can quantify the potential loss, they can just set the margins to allow for a reasonable profit over the loss. That way, they don't have to worry about security unless a cost/benefit analysis shows that additional security will produce a significant profit. I suspect that this is the reasoning that resulted in the security hole in the metro card machines.

WRT public gullibility, the only gullibility that's present here, really, is the willingness to pay the additional margin. If I'd rather pay 10% and not have to audit the bank than pay 5% and have to audit the bank, then my decision not to audit the bank is an entirely rational one. In order for your scheme to work, you'd have to convince *someone* that auditing the bank will drop the margin by more than the cost of doing the audit, and indeed by enough more that it's an attractive prospect.

_MelloN_
Truth-In-Advertising proposal, was Re: prove me wrong, go to jail
Ted Lemon wrote:

> Ed Gerck wrote [reinserted for context]:
>
> > In fact, if there were a pre-defined reward for those who find holes in today's increasingly electronic and "secure" systems, then companies could rely on that reward both as a payment cap and as a way to separate reward from extortion. I can imagine a company writing, for the benefit of all:
> >
> >     We support open assessment of risks -- if you find a security fault in our systems, please tell us first so that we can fix it first. We commit ourselves to making public all such communications after a solution is found, so that publication will not compromise the system further. We also reward any recognized security fault called to our attention, from a minimum of US$50 up to US$1,000 -- the value to be defined by us in relation to known faults and to its relevance. To be eligible for the reward, we must be the first and only to be informed about it. The company reserves the right to consider legal measures to the full extent of the law if a fault is discovered or a reward is pursued by illegal actions.
> >
> > Of course, the above is not perfect and is probably too short to satisfy all the legal ins and outs, but the idea is to use the reward mechanism in a positive way to counter what I may call a "tendency" and its potential bad effects, while preserving the good ones -- especially to enhance security in a quasi-public review process.
> >
> > Comments?
>
> My impression of banks is that as long as they can quantify the potential loss, they can just set the margins to allow for a reasonable profit over the loss. That way, they don't have to worry about security unless a cost/benefit analysis shows that additional security will produce a significant profit.

Almost verbatim from a friend's comment, who used to be a lawyer for banks in the city of London (N. Bohm): "such experience as I have of the attitudes of banks causes me to believe that unless constrained by law or otherwise persuaded by powerful social forces, banks will not be willing to trust their customers to take the necessary precautions, but will expect them to take the risk of failing to take the precautions -- and also to take the costs of the bank's own failed precautions."

> In order for your scheme to work, you'd have to convince *someone* that auditing the bank will drop the margin by more than the cost of doing the audit, and indeed by enough more that it's an attractive prospect.

No, I don't think we need a YACA -- Yet Another Centralized Authority. We can simply include a provision for a "cool-off" limit:

    Cool-Off Limit: if we do not act and make public the comment provided in secret within a cool-off time limit of 30 business days of proven receipt, we agree that the comment can be made public by the proponent -- regardless of our future use of and reward for the comment.

In other words, in the absence of mandated standards and YACAs, our approach to this issue would be to try to provide a credible Truth-In-Advertising label, even though the mechanisms necessary to provide the independent verification of that label may be somewhat weak or missing to date. Given a worldwide Internet, with no worldwide uniformity or government, maintaining the independence of such verification channels may be the best way to provide such Truth-In-Advertising -- even if not all channels are equally efficient/reliable/fair to all.

Cheers,

Ed Gerck