Security by asking the drunk whether he's drunk

Jerry Leichter leichter at
Wed Dec 24 06:42:43 EST 2008

  Just one minor observation:

On Dec 22, 2008, at 5:18 AM, Peter Gutmann wrote:
> This leads to a scary rule of thumb for defenders:
> 1. The attackers have more CPU power than any legitimate user will ever have,
>   and it costs them nothing to apply it.  Any defence based on resource
>   consumption is in trouble.
> 2. The attackers have more money than any legitimate user will ever have, and
>   it costs them nothing to apply it.  Any defence built around financial
>   outlay as a limiting factor is in trouble.
>   Corollary: Systems that can't defend themselves against a situation where
>   the financial cost of any operation (for example registering a new account)
>   is effectively zero are in trouble.
This one is a bit more complicated.  Attackers have access to large  
amounts of money *in relatively small units*.  No matter how many  
credit card accounts you steal, it would be pretty much impossible to  
create an actual, properly populated, physical storefront in a decent  
shopping area.  You can be fairly confident that a physical store is  
what it appears to be.

Granted, what you're discussing is on-line fraud.  My point is that
this is yet another difference between the on-line and
brick-and-mortar worlds, and one that leads us astray when we try to
apply our real-world reasonableness filters to the on-line world.
There are many inter-related elements here.  Perhaps the biggest
factor is *time*:  On-line frauds can be set up, draw in victims, and
disappear very quickly - only to reappear someplace else.  This allows
them to be built using what is effectively the float on stolen
identities - much of which will be found and revoked by the end of a
billing cycle.  The real world has much more inertia - there are many
steps involved in building out a physical storefront, they take time,
and your money has to be "good" across that entire time.  Note that
many real-world frauds rely on the ability to short-cut what are
normally time-consuming procedures and disappear before the controls
can kick in.  (Think of check kiting, or of the guys from what appear
to be long-established local paving companies that "pave" your
driveway with cheap oil and are gone by the next morning.)

EV certificates (unsuccessfully) attempt to bring some of this real-world
checking on line:  They are expensive, and you have to pay in
one lump.  They're not going to accept a bunch of credit cards.  They  
check your identity, which if done right takes time *and indirectly  
checks that you actually have a history*.  Of course, the actual  
practice is different and, given the incentives in the industry -  
where there is no penalty for giving out an invalid EV certificate,  
and a reward for getting the job done quickly - this is all illusion.

Long-running frauds, while certainly not unknown (hello, Bernie  
Madoff), are relatively rare:  Every day out there is another chance  
to get caught.  The preferred mode of fraud will always be "get 'em  
hooked, fleece 'em, get out of town - as fast as you can".  Can we get  
some of the advantages of this real-world fact in the on-line world?   
The best example I know of is CMU's Perspectives effort:  If something  
"looks the same" to many observers over a period of time, it's more  
likely to be trustworthy.  Of course, if this kind of thing catches  
on, it will be much harder for a startup to gain instant recognition.   
The Internet "need for speed" isn't compatible with safety.  Some  
tradeoffs are inevitable.

                                                         -- Jerry
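
The "looks the same to many observers over a period of time" test mentioned above, as an added example that is not part of the original post and is not the Perspectives project's code or exact algorithm. It is a simplified sketch: the observer names, key labels, dates and thresholds are all constructed for illustration.

```python
from datetime import datetime, timedelta

def consistent_since(history, offered):
    """Start of the unbroken run of `offered` that ends one observer's history, or None."""
    since = None
    for seen_at, fingerprint in sorted(history):
        if fingerprint != offered:
            since = None            # a different key resets the run
        elif since is None:
            since = seen_at         # first sighting in the current run
    return since

def quorum_duration(histories, offered, quorum, now):
    """How long at least `quorum` observers have all agreed on `offered`."""
    runs = (consistent_since(h, offered) for h in histories.values())
    starts = sorted(s for s in runs if s is not None)
    if len(starts) < quorum:
        return timedelta(0)         # too few observers see this key at all
    return now - starts[quorum - 1] # moment the quorum-th observer joined

def trusted(histories, offered, quorum, min_age, now):
    """Accept a key only if a quorum has seen it unchanged for `min_age`."""
    return quorum_duration(histories, offered, quorum, now) >= min_age

# Constructed sample data: three observers, timestamps in December 2008.
NOW = datetime(2008, 12, 24)

def day(d):
    return datetime(2008, 12, d)

ESTABLISHED = {  # a site whose key has looked the same for weeks
    "obs1": [(day(1), "key-A"), (day(10), "key-A"), (day(23), "key-A")],
    "obs2": [(day(3), "key-A"), (day(12), "key-A"), (day(23), "key-A")],
    "obs3": [(day(5), "key-A"), (day(23), "key-A")],
}
POPUP = {name: [(day(23), "key-B")] for name in ESTABLISHED}  # appeared yesterday

if __name__ == "__main__":
    for label, hist, key in (("established", ESTABLISHED, "key-A"),
                             ("pop-up", POPUP, "key-B")):
        age = quorum_duration(hist, key, 2, NOW)
        print(label, age.days, "days", trusted(hist, key, 2, timedelta(days=14), NOW))
```

The pop-up site fails the age test even though every observer agrees on its key, which is the same property that penalizes a legitimate startup.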

The Cryptography Mailing List