Ted Lemon wrote:
> Amateurs in the crypto world seem to get bitten by this fairly
> frequently - read the recent transcripts to the New York preliminary
> injunction on the DeCSS case for supporting evidence. If you're out
> to prove a point, and you're riding the fine edge of legality and
> civil disobedience in doing it, it helps to make sure that you keep
> your nose clean and stay focused on what you're really trying to do,
> rather than, e.g., venting your anger or trying to get people who
> didn't ask you to help them to pay for your "help."
Yes, this is also my opinion -- "one may question a guy's right
to charge for advice that was not requested, but why should he
provide it for free?". And there are also, IMO, other sides to the
issue (public trust, public gullibility, unchecked fraud, government
indirect responsibility, regulation, etc.), so that, I suggested, we
could reflect on how security risks must not be handled as they are. In
fact, if there were a pre-defined reward for those who find holes
in today's increasingly electronic and "secure" systems, then companies
could rely on that reward both as a payment cap and as a way to separate
reward from extortion. I can imagine a company writing, for the benefit
of all:
We support open assessment of risks -- if you find a security fault
in our systems, please tell us first so that we can fix it first. We commit
ourselves to making public all such communications after a solution
is found, so that publication will not compromise the system further. We
also reward any recognized security fault called to our attention, up to
US$ 1,000 from a minimum of US$ 50 -- value to be defined by us in
relation to known faults and to its relevance. To be eligible for
the reward, we must be the first and only party to be informed about it. The
company reserves the right to consider legal measures to the full extent
of the law if a fault is discovered or a reward is pursued by illegal actions.
Of course, the above is not perfect and is probably too short to
satisfy all the legal ins and outs, but the idea is to use the reward
mechanism in a positive way to counter what I may call a "tendency"
and its potential bad effects, while preserving the good ones -- especially
to enhance security in a quasi-public review process.
Comments?
Ed Gerck