Secret Key protection (was Re: PKI creed)
Owen Lewis
ukcrypto at maillist.ox.ac.uk
Mon, 18 Sep 2000 13:21:28 +0100
----- Original Message -----
From: "John R T Brazier" <prunesquallor@proproco.co.uk>
To: <ukcrypto@maillist.ox.ac.uk>
Sent: 16 September 2000 22:46
Subject: RE: Secret Key protection (was Re: PKI creed)
>
> Carl Ellison/Brian Gladman said:
>
> > If we plot such security measures versus time and look at the trend, we
> > don't see computers becoming more secure over time -- they become less
> > secure. What market force will change that (especially since the market
> > (the consumer) hates security(*) and wants nothing to get in the way between
> > him and his dancing pigs)?
>
> I can only agree with you. In my view e-commerce will grow in spite of the
> difficulties and my hope (maybe an unrealistic one) is that as fraud grows
> with it, the 'group' carrying the cost of this fraud will push for improved
> security.
>
> Could I possibly suggest (with some evidence if you wish me to give it)
> that, in fact, no-one really gives a toss about credit card fraud? We live
> in a society where governments appropriate 40%+ of GNP to spend on their own
> requirements (some useful to society, many not). Given the relatively high
> efficiency of Western businesses in generating wealth, credit card fraud -
> even if it is 40% on the Internet - is absorbable as long as the growth in
> business is fast enough.
Doesn't stack up. Take supermarkets as an example. These operate on a margin
(difference between gross sales and purchases) of somewhere between 10% and
2%. Were they to suffer 40% theft of goods by credit fraud (on top of the
levels of spoilage and other theft that are already reflected in their
margin), they would be bankrupt. Smaller businesses can be at least as
vulnerable. Not until one is working on gross margins in excess of 100% -
and there are some such businesses - can one have any hope of surviving a
theft rate of 40% and surviving. Even then - and this is why Brian is
probably right - reducing loss from credit fraud from 40% to (say) 0.4%
would do two things:
1. Short of doubling sales, year after year, it is the single
greatest contributor to bottom line profit that the business can have.
2. If businesses A & B are direct competitors and A manages this
reduction but B does not, you had better believe that it is only a matter of
time before A ends up owning B. The shareholders of both will see to it.
> To give a simple parallel, the attrition of British
> slave ships was around 50%, yet the growth in the trade bankrolled the
> British Empire.
Sigh..... It's no parallel at all. The trade in slaves bankrolled extremely
little (e.g. What did those Africans who sold their compatriots into
slavery, bankroll with their vast income?). Slavery or something
approximating to it fuelled every empire, from the Babylonian to the Russian
Soviet, because it is the most efficient means of producing a very cheap and
self sustaining labour force. To this can be added that it is the resource
of slave labour, indentured labour, penal labour and, to a lesser extent,
conscripted labour, that enabled natural resources to be exploited under
unavoidable conditions that occasioned 100% replacement of the labour force
every few years. It was such expendable labour upon which every civilisation
to date has been built. It is possible (but not certain) that this century
will be the first in which the need for expendable labour will finally
disappear.
Even Marx understood much of this. Where have you been?
>
> Therefore, a lot of the wittering about security is actually misplaced: the
> movement of large volumes of money is more important than insuring it all
> gets to the right place.
And that is actually true - if one views the overall picture. It is not
true, however, if one assesses the profitability of B in comparison to A in
a competitive world. God may be concerned with the former. I and other
humble beings are concerned with the latter.
Regards,
Owen