Who's afraid of Mallory Wolf?

Ian Grigg iang at systemics.com
Tue Mar 25 16:15:22 EST 2003


On Tuesday 25 March 2003 13:17, David Wagner wrote:

> I'm skeptical.  Just because the cost is
> subjective doesn't mean we should ignore the cost.

I agree with that ... I was converting the
subjective harm into an objective cost.
I certainly wasn't intending to ignore it :-)

> >But, luckily, there is a way to turn the above
> >subjective morass of harm into an objective
> >hard number:  civil suit.
> 
> That's using a questionable measuring stick.

That being part and parcel of the problem.
It's a subjective harm; there is no solid way
to move subjective to objective, by definition.

We can only make estimates.

What is beneficial here is that - at least -
we have one way to do this.  And, it is a
way that has lots of disinterested observers,
lots of experience, and lots of interested
parties.  Much as I dislike courts, it is a
"fair and auditable" way of dollarising a
harm.

Bear says:
> You honestly haven't heard of Fred Phelps?

Nope.  But, all we want is an estimated
cost of the attack.  Ask some lawyers
for a quote.  Ignore the guy's family, we
are only after an estimate of the cost.

David says:
> The damages paid out in a civil suit may be very
> different (either higher, or lower) than the true
> cost of the misconduct.  Remember, the courts are
> not intended to be a remedy for all harms, nor could
> they ever be.  The courts shouldn't be a replacement
> for our independent judgement.

This of course is true especially with the
low level of MITM activity that we've found
to date.  If such a case were to happen
once a year, I'd not be really confident of the
accuracy of the numbers, especially if we
were estimating based on lawyers' opinions
rather than awarded damages.

(But that wouldn't so much matter if the
numbers came out as also too low to
consider, as I suspect they will.)

If however, we had such MITMs once per
month, then costs could be averaged over
the size of the activity.  Something like
this:

  There are 500 million email users in the
  world today (guess!).  Cost of failures
  that could be rectified with proper crypto
  (amounts to 12 cases per year) is 12 million
  dollars.  Some judgements less than a
  million, some more.

  [ if you like, you could add in a fudge
  factor for unreported harms and other
  "judgement" calls. ]

  Now, the cost of prevention:  assume
  we pass a law to make every ISP sell
  every user a copy of OpenPGP to
  protect their privacy.  Bulk discount
  gives us $1 each copy, annually updated
  to cover for the inevitable new release.

  So, cost to protect:  500 million x $1 = $500 million.
  Saved costs in cases:  $12 million.

That law won't get passed :-)



-- 
iang
