From: Greg Broiles <gbroiles@netbox.com>
Date: Wed, 26 Feb 1997 07:28:36 -0800 (PST)
To: Marc Horowitz <marc@cygnus.com>
Subject: Re: Distributed cracks, law, and cryptoanarchy
In-Reply-To: <3310e0fa.5573759@library.airnews.net>
Message-ID: <3.0.1.32.19970226073415.006c23b8@mail.io.com>
MIME-Version: 1.0
Content-Type: text/plain


At 04:31 PM 2/24/97 -0500, Marc Horowitz wrote:
>>> The "you must report results only to the crack organizers" rule can be
>>> enforced if it's made into a contract. Even without a formal contract,
>
>I don't want to sign a formal contract.  I want to break the key.  I
>don't care about the money.  I can buy a lottery ticket if I want a
>small chance at winning a lot of money.
>
>I'll participate when I can download something, type make, run it, and
>forget about it.

If this is the case, it seems like it'd be useful to consider what sort of
social/legal/technical environment is most likely to result in "something"
that you can download, make, run, and forget.

Hence, discussion about legal and technical approaches which are likely to
satisfy organizers' desires to control the direction & results of their
projects. A distributed crack needs client software, and a coordinated
distributed crack needs some sort of coordination mechanism. The current
set of rewards available to potential organizers doesn't seem to be
inspiring an outpouring of effort. (No offense is intended to people who
are actually deploying things; the "lack of outpouring" comment refers to
the number of different efforts, not the commitment exhibited by those who
are working now.) 

>Invoving money money seems to be making it harder, not easier, to do
>this.  I thought the reason to crack the key was to demonstrate how
>weak DES is.  If the person who cracks the key collects the reward
>himself, so what?  A good, public nail in the coffin of restrictions
>on crypto is worth the risk that someone steals the $10k, IMHO.

That's a very noble sentiment, but until *you* write some software, the
risk that you're dismissing is *someone else's* risk - so you're balancing
a public good against someone else's loss, and deciding that it works out
nicely for you. Well, sure. You seem to be willing to give up the nominal
value of the prize (somewhere under $1, when discounted against the chance
of hitting the key) but you don't seem to be willing to invest anything
substantial (like many hours of programming time, or serious computing
horsepower) in the bruting effort. 

I'll cheerfully admit that my level of commitment is similar to yours - I
don't mind letting someone else's software eat up my idle cycles. But I'd
have to see some tangible benefit to me before I'd be willing to put any
real time or effort into a crack, and I suspect this is true of many
others, too. The value of the $10K prize alone isn't that attractive,
because with puny hardware it's a very long shot, and with meaningful
hardware, the cost of the hardware dwarfs the value of the prize. 

I don't think it's realistic or useful to pretend to ignore economics. I
believe that you are not ignoring economic considerations when you fail to
invest significantly in the bruting effort, and I don't think there's
anything wrong with that. My point is that if we want to see a brute-force
attack succeed, and we want the threat of other brute-force attacks to be
credible, we should find a way to organize rights & obligations such that
it looks rational to act as the organizer of a brute-force effort. The
current configuration doesn't seem to inspire widespread significant interest.


--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         | 
http://www.io.com/~gbroiles | Export jobs, not crypto.
                            |