
Greg Broiles <gbroiles@netbox.com> writes:
That's a very noble sentiment, but until *you* write some software, the risk that you're dismissing is *someone else's* risk - so you're balancing a public good against someone else's loss, and deciding that it works out nicely for you. Well, sure. You seem to be willing to give up the nominal value of the prize (somewhere under $1, when discounted against the chance of hitting the key) but you don't seem to be willing to invest anything substantial (like many hours of programming time, or serious computing horsepower) in the bruting effort.
When I wrote my message, this thought occurred to me. I should have assumed someone would call me on it :-) My perception of the situation (which may or may not be accurate) is that the technology, while perhaps not the best possible, exists. What seems to be preventing coordination is bickering about what to do with the money, including the fear that someone else will claim the money. As you have pointed out, the value of a $10K prize is not that attractive. If people are doing anything at all, it is not for the prospect of economic gain. I'm hoping that someone who has other incentives besides the money will agree with my evaluation (and yours, I think) of the risks, and move forward with the project.
My point is that if we want to see a brute-force attack succeed, and we want the threat of other brute-force attacks to be credible, we should find a way to organize rights & obligations such that it looks rational to act as the organizer of a brute-force effort. The current configuration doesn't seem to inspire widespread significant interest.
By these arguments, the rc5-48 attack would have never happened. I'm not sure what the incentives were for that, but I think the same incentives apply to a DES attack. I don't think the money figured prominently into the first attack. My message was intended to cause those who might work on the second attack to look past the money, and at whatever other incentives they might have.
I don't think it's realistic or useful to pretend to ignore economics.
I'm not trying to ignore economics. I'm trying to show that, for some of us, there are other incentives than money. For me and you, these incentives aren't strong enough. For someone else, they might be. I can't make them do anything, but I can certainly try to encourage them.

Marc