
At 04:31 PM 2/24/97 -0500, Marc Horowitz wrote:
The "you must report results only to the crack organizers" rule can be enforced if it's made into a contract. Even without a formal contract,
I don't want to sign a formal contract. I want to break the key. I don't care about the money. I can buy a lottery ticket if I want a small chance at winning a lot of money.
I'll participate when I can download something, type make, run it, and forget about it.
If this is the case, it seems like it'd be useful to consider what sort of social/legal/technical environment is most likely to result in "something" that you can download, make, run, and forget. Hence, discussion about legal and technical approaches which are likely to satisfy organizers' desires to control the direction & results of their projects. A distributed crack needs client software, and a coordinated distributed crack needs some sort of coordination mechanism. The current set of rewards available to potential organizers doesn't seem to be inspiring an outpouring of effort. (No offense is intended to people who are actually deploying things; the "lack of outpouring" comment refers to the number of different efforts, not the commitment exhibited by those who are working now.)
Involving money seems to be making it harder, not easier, to do this. I thought the reason to crack the key was to demonstrate how weak DES is. If the person who cracks the key collects the reward himself, so what? A good, public nail in the coffin of restrictions on crypto is worth the risk that someone steals the $10k, IMHO.
That's a very noble sentiment, but until *you* write some software, the risk that you're dismissing is *someone else's* risk - so you're balancing a public good against someone else's loss, and deciding that it works out nicely for you. Well, sure.
You seem to be willing to give up the nominal value of the prize (somewhere under $1, when discounted against the chance of hitting the key) but you don't seem to be willing to invest anything substantial (like many hours of programming time, or serious computing horsepower) in the bruting effort. I'll cheerfully admit that my level of commitment is similar to yours - I don't mind letting someone else's software eat up my idle cycles. But I'd have to see some tangible benefit to me before I'd be willing to put any real time or effort into a crack, and I suspect this is true of many others, too.
The value of the $10K prize alone isn't that attractive, because with puny hardware it's a very long shot, and with meaningful hardware, the cost of the hardware dwarfs the value of the prize.
I don't think it's realistic or useful to pretend to ignore economics. I believe that you are not ignoring economic considerations when you fail to invest significantly in the bruting effort, and I don't think there's anything wrong with that. My point is that if we want to see a brute-force attack succeed, and we want the threat of other brute-force attacks to be credible, we should find a way to organize rights & obligations such that it looks rational to act as the organizer of a brute-force effort. The current configuration doesn't seem to inspire widespread significant interest.
--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         |
http://www.io.com/~gbroiles | Export jobs, not crypto.
                            |