The Crypto Winter

Tim May tcmay at got.net
Mon Nov 19 12:55:38 PST 2001


On Monday, November 19, 2001, at 12:36 PM, Faustine wrote:
> But then, that sounds suspiciously resonant with "if they're too lazy or stupid
> to get it, then screw em", doesn't it. I think the real flaw there--what keeps
> me so uncomfortable with it (even though my gut tells me it's a logical
> conclusion)--is reflected in the sheer number of people I've seen change their
> minds once they found out a little more about how insecure they really are.
>
> Haven't you ever been in a discussion/argument/presentation about computer
> security with someone, and at some point you notice that moment when it finally
> registers, you know that it really penetrated something...and they must have
> that sickening queasy little feeling in the pit of their stomachs when they
> say:
>
> "Oh my God, I had no idea".

No, I can't say that I have. I have never wasted my time trying to 
convince sheeple that they need to make backups, put good locks on their 
doors, use encryption, not give their SS numbers to others, and so on.

You didn't quote all of my material (which is fine), but it's important 
that folks remember the point I made about bank vault security: was it 
requested/demanded by the "industry" or by "the customer" (Joe Sixpack)?

The answer is actually more interesting: the drive for better vaults was 
largely driven by _insurance_ issues. I suspected this when I first 
started thinking about security and crypto, and then I tracked down some 
comments from the safe makers (like Mosler). After bank robberies, when 
safes had to be replaced, banks would look at the economic tradeoffs in 
deciding whether to get a newer model from companies like Mosler. If 
they were insured, as became more common as the 20th Century unfolded, 
their insurance premiums depended on their overall security measures.

This applied as well to _new_ banks. This meant that neither the 
customer (Joe Sixpack) nor the branch manager had to be "convinced" or 
"sold" on the importance or value of good security. Rather, the normal 
market discounting forces took care of the issue. Actuaries, 
underwriters, risk estimators, and security experts think about things 
some people never think will happen to them. Educating the masses is not 
the main issue.

If you had read much of the past traffic of the list, Faustine, you 
would know about this point.

Will the same happen with online security and crypto? It already has. 
The credit card companies already have imposed rules for merchants, a 
major part of why SSL and 128-bit crypto and all the rest is happening. 
Lawsuits over leaking of medical records are already happening, and some 
large tort judgements will likely cause increases in security (including 
better encryption, more use of capability-based architectures to limit 
access, etc.)

Sure, Grandma and Sis aren't using PGP 8.13 to encrypt their notes to 
you. So?

Crypto is economics. Security is economics. Has been since the days of 
measures and countermeasures with spears and fences and walls and 
castles and siege engines. "Educating the residents of villages" is 
neither here nor there.

Not that I'm discouraging you from going out and trying to get that 
"I didn't know that!" glimmer of awareness that maybe good locks are 
better than bad locks. Knock yourself out.

But as a reason why certain interesting technologies are not being 
deployed, it's a side show.

--Tim May
"You don't expect governments to obey the law because of some higher 
moral development. You expect them to obey the law because they know 
that if they don't, those who aren't shot will be hanged." --Michael 
Shirley
