From: Marc Horowitz <marc@cygnus.com>
Date: Wed, 26 Feb 1997 13:23:02 -0800 (PST)
To: Greg Broiles <gbroiles@netbox.com>
Subject: Re: Distributed cracks, law, and cryptoanarchy
In-Reply-To: <3310e0fa.5573759@library.airnews.net>
Message-ID: <t53bu97s1q2.fsf@rover.cygnus.com>
MIME-Version: 1.0
Content-Type: text/plain


Greg Broiles <gbroiles@netbox.com> writes:

>> That's a very noble sentiment, but until *you* write some software, the
>> risk that you're dismissing is *someone else's* risk - so you're balancing
>> a public good against someone else's loss, and deciding that it works out
>> nicely for you. Well, sure. You seem to be willing to give up the nominal
>> value of the prize (somewhere under $1, when discounted against the chance
>> of hitting the key) but you don't seem to be willing to invest anything
>> substantial (like many hours of programming time, or serious computing
>> horsepower) in the bruting effort. 

When I wrote my message, this thought occurred to me.  I should have
assumed someone would call me on it :-)

My perception of the situation (which may or may not be accurate) is
that the technology, while perhaps not the best possible, exists.
What seems to be preventing coordination is bickering about what to do
with the money, including the fear that someone else will claim the
money.  As you have pointed out, the value of a $10K prize is not that
attractive.  If people are doing anything at all, it is not for the
prospect of economic gain.  I'm hoping that someone who has other
incentives besides the money will agree with my evaluation (and yours,
I think) of the risks, and move forward with the project.

>> My point is that if we want to see a brute-force attack succeed,
>> and we want the threat of other brute-force attacks to be credible,
>> we should find a way to organize rights & obligations such that it
>> looks rational to act as the organizer of a brute-force effort. The
>> current configuration doesn't seem to inspire widespread
>> significant interest.

By these arguments, the rc5-48 attack would have never happened.  I'm
not sure what the incentives were for that, but I think the same
incentives apply to a DES attack.  I don't think the money figured
prominently into the first attack.  My message was intended to cause
those who might work on the second attack to look past the money, and
at whatever other incentives they might have.  

>> I don't think it's realistic or useful to pretend to ignore economics.

I'm not trying to ignore economics.  I'm trying to show that, for some
of us, there are other incentives than money.  For me and you, these
incentives aren't strong enough.  For someone else, they might be.  I
can't make them do anything, but I can certainly try to encourage
them.

		Marc