The Crypto Winter
Tim May
tcmay at got.net
Mon Nov 19 12:55:38 PST 2001
On Monday, November 19, 2001, at 12:36 PM, Faustine wrote:
> But then, that sounds suspiciously resonant with "if they're too lazy
> or stupid
> to get it, then screw em", doesn't it. I think the real flaw
> there--what keeps
> me so uncomforable with it (even though my gut tells me it's a logical
> conclusion)--is reflected in the sheer number of people I've seen
> change their
> minds once they found out a little more about how insecure they really
> are.
>
> Haven't you ever been in a discussion/argument/presentation about
> computer
> security with someone, and at some point you notice that moment when it
> finally
> registers, you know that it really penetrated something...and they must
> have
> that sickening queazy little feeling in the pit of their stomachs when
> they
> say:
>
> "Oh my God, I had no idea".
No, I can't say that I have. I have never wasted my time trying to
convince sheeple that they need to make backups, put good locks on their
doors, use encryption, not give their SS numbers to others, and so on.
You didn't quote all of my material (which is fine), but it's important
that folks remember the point I made about bank vault security: was it
requested/demanded by the "industry" or by "the customer" (Joe Sixpack)?
The answer is actually more interesting: the drive for better vaults was
largely driven by _insurance_ issues. I suspected this when I first
started thinking about security and crypto, and then I tracked down some
comments from the safe makers (like Mosler). After bank robberies, when
safes had to be replaced, banks would look at the economic tradeoffs in
deciding whether to get a newer model from companies like Mosler. If
they were insured, as became more common as the 20th Century unfolded,
their insurance premiums depended on their overall security measures.
This applied as well to _new_ banks. This meant that neither the
customer (Joe Sixpack) nor the branch manager had to be "convinced" or
"sold" on the importance or value of good security. Rather, the normal
market discounting forces took care of the issue. Actuaries,
underwriters, risk estimators, and security experts think about things
some people never think will happen to them. Educating the masses is not
the main issue.
If you had read much of the past traffic of the list, Faustine, you
would know about this point.
Will the same happen with online security and crypto? It already has.
The credit card companies already have imposed rules for merchants, a
major part of why SSL and 128-bit crypto and all the rest is happening.
Lawsuits over leaking of medical records are already happening, and some
large tort judgements will likely cause increases in security (including
better encryption, more use of capability-based architectures to limit
access, etc.)
Sure, Grandma and Sis aren't using PGP 8.13 to encrypt their notes to
you. So?
Crypto is economics. Security is economics. Has been since the days of
measures and countermeasures with spears and fences and walls and
castles and siege engines. "Educating the residents of villages" is
neither here nor there.
Not that I'm discouraging you from going out to and trying to get that
"I didn't know that!" glimmer of awareness that maybe good locks are
better than bad locks. Knock yourself out.
But as a reason why certain interesting technologies are not being
deployed, it's a side show.
--Tim May
"You don't expect governments to obey the law because of some higher
moral development. You expect them to obey the law because they know
that if they don't, those who aren't shot will be hanged." - -Michael
Shirley
More information about the cypherpunks-legacy
mailing list