Economic Model for Key Cracking




So far, list members have mostly presented two points of view on the
economics of key cracking:

  o It's free, since it uses spare CPU cycles
  o It should be priced at the cost of the dedicated computer
    hardware needed to do it.

Both of these approaches are wrong. The first approach fails because
it doesn't scale -- there probably aren't enough people willing to
crack lots of keys purely for the research interest, hack value, or the
goodness of their heart.

At the same time, many people and companies have lots of unused CPU
time on their hands. Economically, this CPU time is scrap material --
and there are companies out there that do nothing but buy up scrap
equipment for pennies on the dollar.

Therefore it should be possible to create a market in spare CPU cycles
for tasks like this that require massive parallel computing. An
earlier suggestion for bounties on keys (basically the Chinese lottery
approach) is a step in this direction.

I'd also like to point out that a hacker who can sniff out SSL-encrypted
packets on a hacked network is going to be vastly harder to catch than
someone who trolls through his or her physical community dumpster diving
and bribing clerks. The ability to anonymously gather and decrypt credit
card numbers has a vastly lower "cost" in terms of likelihood of
prosecution. If it drops down to under $100 per key, it's probably at a
good break-even point to do it wholesale. Certainly the out-of-pocket
cost of cracking a 40-bit SSL key is less than that right now for a
great many people, even without creating a market.