[Cryptography] The Trust Problem

Jerry Leichter leichter at lrw.com
Thu May 22 11:45:06 EDT 2014 

On May 22, 2014, at 10:54 AM, ianG <iang at iang.org> wrote:
Just on the "claims" thread:
> On 22/05/2014 08:06 am, ianG wrote:
>> Claims are also important because it sets a statement that can be tested
>> over time.  So what is the cost of a broken claim?  Can a company put a
>> credible claim on the table?
> Snapchat treated claims with fairly callous regard:
> 
> http://www.zdnet.com/how-to-lie-cheat-and-steal-like-snapchat-all-the-way-to-the-bank-7000029758/
> 
> What was the cost to them?  Are they being rewarded for lying or punished?
Startups are like patent trolls:  They have a huge upside and a small downside. We all celebrate rapid innovation and rollout of not-quite-there products, and a whole "it's easier to ask forgiveness than permission" culture.  It gets us all kinds of new stuff.  But it also guarantees that the stuff will be full of security and privacy issues, because avoiding them is very time-consuming and gets in the way of functionality.

It's not like this is really new, either.  Windows got where it was at its peak for many reasons - but among them was the view that users want magic functionality, quickly.  People want their applications to integrate with each other, even if they weren't built to work that way, so it should be easy for applications to do all kinds of things to each other.  That Internet thing - people want it, so just open up your "personal" machine, built on the assumption that you didn't need to protect yourself from yourself, to the bigger world.  All of these things lead to huge success.  So of course others followed along.

If a startup is given a choice between path A, which will produce 10 million new users in weeks but might lead to a huge security or privacy problem (but of course we can convince ourselves that "it's very unlikely); or path B, which is safe but which might mean only a few hundreds of thousands of new users and as a result no next-round funding and a likely death of the company ... well, path A is hard to resist.  And if path A requires a little "creativity" with the facts; well, so what, everyone does that.  We can always apologize and fix things later.

These are fundamental tradeoffs, and you can't make them go away.  Producing "new stuff" involves risks - and with a startup, many of those risks get dumped on others because the startup itself doesn't much to lose.  Larger companies face the potential (not always realized, of course) of government and individual lawsuits, and they have real money at stake.  So they tend to be somewhat more risk-averse.

Personally, I'm conservative about taking on such risks, which means there are many new, shiny toys I choose to pass on.  The whole point of starting this thread was to ask "How can I make better judgements about actual risk, so that I'm not forced to pass on stuff I'd like to use and which really is reasonably safe?"
                                                        -- Jerry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140522/6f2aa118/attachment.bin>

More information about the cryptography mailing list