From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@toad.com
Message Hash: fbd5781cccc2daa978e95df4e8e535cb7519fbc07c612972863f78eabf965438
Message ID: <v03020931afc8ee48fc8f@[139.167.130.246]>
Reply To: N/A
UTC Datetime: 1997-06-15 01:06:23 UTC
Raw Date: Sun, 15 Jun 1997 09:06:23 +0800
Subject: e$: Skins vs. Shirts
--- begin forwarded text
Sender: e$@thumper.vmeng.com
Reply-To: Robert Hettinga <rah@shipwright.com>
Mime-Version: 1.0
Precedence: Bulk
Date: Sat, 14 Jun 1997 14:02:41 -0400
From: Robert Hettinga <rah@shipwright.com>
To: Multiple recipients of <e$@thumper.vmeng.com>
Subject: e$: Skins vs. Shirts
At 10:28 am -0400 on 6/14/97, Adam Shostack wrote:
> Are FAT file lists stored as files?
>
> On a Unix box, /. refers to the file containing directory
> entries, the list of files in the directory. If there is an analogous
> file on a dos box, you can explore. (Does the bug work on Unix? I've
> heard it only works if java or livescript are turned on, so it hasn't
> worried me enough to investigate.)
All this reminds me of something Tim May, Eric Hughes, and others have said
before. Once you've gotten to the point where loss of security equals, in a
very literal sense, loss of money, the incentive to publicize any given
security hole starts to go away.
Adam, above, is speculating about the mechanics of a Netscape security
hole, which, two years ago, would have gotten someone like Ian Goldberg a
grand and a t-shirt, but probably only after they had published it on the
net, just like Messrs. Goldberg and Wagner had to do, in order to get
Netscape's attention. That included directions for how to replicate the
problem. Back then, we wouldn't have been speculating about the mechanics
of the hole, because people would be playing with it to see how it worked.
As it is, the latest hole was published in terms of its results only, and not
its mechanics. Instead, those precious details were released only to
Netscape, and only for, NPR says, "an undisclosed sum".
Lest we think of this as latter-day greenmail, we have to remember that
greenmail actually had its putative effect, which was to increase the
returns to the shareholders by increasing the stock price. It was never
fair to begrudge T. Boone Pickens the pound of flesh he extracted from
companies like Phillips Petroleum, mostly because the pound he cut off was
usually lard, anyway. Not to compare Netscape to a Pritikin candidate, of
course. Nobody can see all the consequences of tens or hundreds of
thousands of lines of code, and the very best way to solve the semantic
problem that poses is the internet way, by swarming it to death.
With that in mind, I expect that the next stage in this increasing security
"price" escalation will be much more interesting. It won't be long before
the first people who say anything about a new security hole will be people
who have money stolen from them, and not much will be said by the people
who discover those holes in the first place. And, of course, lots of those
people probably won't be so virtuous in their use of what they figure out,
either. We're about to enter a new era of parallel evolution, much like the
relationship between cheetahs and Thomson's gazelles, where a constant
arms race makes predator and prey more efficient, accelerating evolution
in both species.
Now, I don't think this forgives people from publishing their source code,
far from it. I expect that people selling financial cryptography and allied
commercial products will still have to publish their source, or nobody will
trust it enough to buy it. I'm just saying that it will tend to be the
victims, and probably not the next generation of "moneypunks", who will be
announcing the failure of any given commerce application.
So, instead of being one of free shirts, the game will be one of payment in,
um, skins. And, before long, there will be many more skins out there
belonging to people who are spending money than the people who accidentally
built the wallets with holes in them could ever pay in gre$enmail.
Cheers,
Bob Hettinga
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
----------
The e$ lists are brought to you by:
Intertrader Ltd: "Digital Money Online"
<http://www.intertrader.com/library/DigitalMoneyOnline>
Where people, networks and money come together: Consult Hyperion
http://www.hyperion.co.uk info@hyperion.co.uk
Like e$? Help pay for it! <http://www.shipwright.com/beg.html>
For e$/e$pam sponsorship, mail Bob: <mailto:rah@shipwright.com>
Thanks to the e$ e$lves:
Of Counsel: Vinnie Moscaritolo <mailto:vinnie@webstuff.apple.com>
(Majordomo)^2: Rachel Willmer <mailto:rachel@intertrader.com>
Commermeister: Anthony Templer <mailto:anthony@atanda.com>
Interturge: Rodney Thayer <mailto:rodney@sabletech.com>
--- end forwarded text