--- begin forwarded text

Sender: e$@thumper.vmeng.com
Reply-To: Robert Hettinga <rah@shipwright.com>
Mime-Version: 1.0
Precedence: Bulk
Date: Sat, 14 Jun 1997 14:02:41 -0400
From: Robert Hettinga <rah@shipwright.com>
To: Multiple recipients of <e$@thumper.vmeng.com>
Subject: e$: Skins vs. Shirts

At 10:28 am -0400 on 6/14/97, Adam Shostack wrote:
> Are FAT file lists stored as files?
>
> On a Unix box, /. refers to the file containing directory entries, the list of files in the directory. If there is an analogous file on a dos box, you can explore. (Does the bug work on Unix? I've heard it only works if java or livescript are turned on, so it hasn't worried me enough to investigate.)
All this reminds me of something Tim May, Eric Hughes, and others have said before. Once you've gotten to the point where loss of security equals, in a very literal sense, loss of money, the incentive to publicize any given security hole starts to go away.

Adam, above, is speculating about the mechanics of a Netscape security hole, which, two years ago, would have gotten someone like Ian Goldberg a grand and a t-shirt, but probably only after they had published it on the net, just like Messrs. Goldberg and Wagner had to do, in order to get Netscape's attention. That included directions for how to replicate the problem. Back then, we wouldn't have been speculating about the mechanics of the hole, because people would be playing with it to see how it worked.

As it is, the latest hole was published in terms of its results only, and not its mechanics. Instead, those precious details were released only to Netscape, and only for, NPR says, "an undisclosed sum".

Lest we think of this as latter-day greenmail, we have to remember that greenmail actually had its putative effect, which was to increase the returns to the shareholders by increasing the stock price. It was never fair to begrudge T. Boone Pickens the pound of flesh he extracted from companies like Phillips Petroleum, mostly because the pound he cut off was usually lard, anyway. Not to compare Netscape to a Pritikin candidate, of course.

Nobody can see all the consequences of tens or hundreds of thousands of lines of code, and the very best way to solve the semantic problem that poses is the internet way, by swarming it to death.

With that in mind, I expect that the next stage in this increasing security "price" escalation will be much more interesting. It won't be long before the first people who say anything about a new security hole will be people who have money stolen from them, and not much will be said by the people who discover those holes in the first place.
And, of course, lots of those people probably won't be so virtuous in their use of what they figure out, either. We're about to enter a new era of parallel evolution, much like the relationship between cheetahs and Thomson's gazelles, where a constant arms race makes predator and prey more efficient, accelerating evolution in both species.

Now, I don't think this excuses people from publishing their source code, far from it. I expect that people selling financial cryptography and allied commercial products will still have to publish their source, or nobody will trust it enough to buy it. I'm just saying that it will tend to be the victims, and probably not the next generation of "moneypunks", who will be announcing the failure of any given commerce application.

So, instead of being one of free shirts, the game will be one of payment in, um, skins. And, before long, there will be many more skins out there belonging to people who are spending money than the people who accidentally built the wallets with holes in them could ever pay in gre$enmail.

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/

----------
The e$ lists are brought to you by:
Intertrader Ltd: "Digital Money Online"
<http://www.intertrader.com/library/DigitalMoneyOnline>
Where people, networks and money come together: Consult Hyperion
http://www.hyperion.co.uk info@hyperion.co.uk
Like e$? Help pay for it!
<http://www.shipwright.com/beg.html>
For e$/e$pam sponsorship, mail Bob: <mailto:rah@shipwright.com>
Thanks to the e$ e$lves:
Of Counsel: Vinnie Moscaritolo <mailto:vinnie@webstuff.apple.com>
(Majordomo)^2: Rachel Willmer <mailto:rachel@intertrader.com>
Commermeister: Anthony Templer <mailto:anthony@atanda.com>
Interturge: Rodney Thayer <mailto:rodney@sabletech.com>

--- end forwarded text