Status of Cryptography Research in implementation of the EUCD

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Mon, 19 Aug 2002 11:01:38 +0100


Owen:

> There is another way to obtain the good ends that come from such research;
> to do so lawfully and remove harm from the process.
> 
>         -       Do the research under NDA and with the manufacturer's consent.
> 
>         -       Charge the manufacturer for the benefit he will obtain from 
>                 a report on successful research as opposed to the true market
>                 cost of the research.

In that case, your fee will be negative. Microsoft does not benefit
from being told of yet another stack overflow on Windows. With about
fifty of them being discovered every year, the statistics of large
systems apply.  See my paper at the Toulouse conference on open source
software economics.

In general it is very rare for companies to want to know the truth
about their systems' security. That's why guys like me, when working
as consultants, are in a very small niche market. Generally clients
want not product criticism or even product improvement, but product
endorsement - and from someone their CEO has heard of. `We had a
security review carried out by Arthur Andersen', is what they always
wanted to pass upstairs. The name may have changed, but the game
remains the same...

>         -       Obtain the maximum research opportunities by operating on a 
>                 'no crack - no fee' basis.

That's precisely what DMCA / EUCD-UK are trying to achieve. No crack, no
fee. Crack, fee (large negative fee, i.e., fine).

>         -       Forgo the traditional academic kudos of being the first kid
>                 in class to wave his hand and shout, "I done it!".

That is how academia works. Are you suggesting that security engineering be
no longer an academic discipline? Should we limit ourselves to proving
trivial corollaries to pointless theorems? The students we produce would
be much less valuable to industry if we took that route.

>         -       Obtain academic kudos, improved career prospects (and enjoy 
>                 the envy of others) simply by having a facility that is
>                 remarkably well funded and outside whose door the queue of
>                 household-name manufacturers stretches around the block. A 
>                 facility whose work is *the* sine qua non imprimatur of
>                 global excellence in its field.

You're suggesting that I go get a job at GCHQ?

>         -       The facility need not be localised and thus only be able to
>                 draw on a limited pool of talent. It could be virtualised 
>                 and global in nature. However it would have to run to 
>                 certain strict rules (confidentiality etc) which all joining
>                 must agree and abide by and also to show that they are
>                 capable of doing this (proven talent, secure systems etc.).

Ah, I see. You're talking about UKUSA, Echelon etc. At least I could live in
sunny Maryland rather than the dreary, rainy West Country :-)

> All one needs to do is to be willing to stay schtumm (and have the smarts).
> As the immortal Costner plagiarised, 'Provide the facility and people will
> come'.

But we have much more fun than the spooks do.

Ross