EEPI - Electronic Entertainment Policy Initiative
[ EEPI-Discuss ] Re: One Week to Shattered Security: Lessons from the Sony PSP Exploit Saga
>Date: Wed, 22 Jun 2005 08:40:46 -0700
>From: Lauren Weinstein <lauren@vortex.com>
...
>There's a key question that we need to explore. Given this new
>environment, to what extent do "closed" systems still make sense?
>The answers will vary between applications and situations, but it
>clearly is foolhardy in the extreme to simply assume that security
>paradigms, even those based on the most advanced encryption and
>signature models, will long remain invulnerable to successful
>attacks. These penetrations will range from those initiated by
>persons who are simply intellectually curious without evil or
>financial motivations, to individuals who may have very dark
>intentions indeed.

Lauren,

I agree this is a key issue. Closely connected to this issue is the issue of anti-circumvention law. Strong anti-circumvention laws give teeth to "system-closing" technology, by criminalizing the circumvention of such technology. So, ultimately, if anyone expects such technology to be effective, it is only with its strict legal enforcement, as you have made it clear how the technology by itself ultimately is not effective.

So I would maintain that the core issue here is the legal one: how strong are we willing to make anti-circumvention (tort) law? I would argue that anti-circumvention law is *extremely* dangerous to free expression and privacy in any strong form. Especially, stronger law that applies to weaker technology.

There *is* strong technology out there, isn't there? For example, systems used by banks to protect electronic financial transactions? While I'm sure they are not absolutely foolproof, the fact that our financial system has not collapsed due to information violation is reassuring at this point.
Asymmetric encryption was a great advance, for example, and it seems to continue to be workable as long as the finite characteristics of the protocol generally keep up with the finite processing power of computing devices, i.e., make the keys long enough that computers cannot break them by brute force without becoming completely ineffective in terms of costs and benefits.

Ultimately, the cost/benefit calculation is important in determining whether closed systems can be effective. Different contexts may be more or less vulnerable in this sense, so each one requires its own cost/benefit evaluation. For example, in the financial realm each electronic bank transfer is uniquely encrypted, so the cost of decrypting the data is almost certain to be more than the possible gain from accessing that data. Protection is not absolute, but there is little incentive to risk resources to try to come up with the one-in-a-million transfer that pays for breaking the whole set of transfers together.

Sure, it's more expensive to design and operate such systems, and some contexts may not admit to such designs at all. At the end of the day, Sony must estimate whether it's worth increasing the costs of development/implementation, as compared to the potential losses from violation (assuming that *some* method would in fact be both effective and sufficiently affordable to maintain sufficient demand to remain profitable).

But, I don't want the *government* protecting the technologists' bottom line by prosecuting violation of weak systems with stiff penalties. Let the market maintain incentives for effective design. Strong regulation applying to weak technology results in moral hazard and market ineffectiveness.

Dan

_______________________________________________
EEPI-Discuss mailing list information:
http://lists.eepi.org/mailman/listinfo/eepi-discuss