
Liability for Key Cracking in Idle Hours?



I have a feeling that many businesses will set policies to try to stop
their workstations and computers from being used in key cracking attempts.

They don't now, mainly because for one thing they don't even know about it,
and for another thing, it would be a headache to try to administer such a
ban.

However, the notion that "IBM Corporation" or "Bank of America" will say
"Sure, use our idle CPU time to try to crack keys!" seems farfetched.

California is one jurisdiction that has made "hacking" a crime. Not clear
what this means, but some construe it to mean that any attempt to break
into the account of another--or crack a key--is a crime. Not tested in
court, etc. But will Bank of America want to decide whether a key cracking
effort is a "legitimate academic exercise" (such as the SSL Challenge was,
as it involved no damage to any party) or an attempt to use their computers
to break into an account or to otherwise compromise a transaction?

(I am NOT saying that key-cracking = hacking, in the negative sense of
"hacking," but I can certainly imagine cases where it would be. And when
Microsoft Network comes out, soon, I think a lot of people will want to
poke holes in its security, as we've already seen a bit of. Corporations
will not likely take kindly to being involved in something like this.)

Thus, I expect something in between the extremes:

-- corporations fear liability and will not openly encourage this, even to
make a few extra bucks (and it's not at all clear how such bucks would be
made, or if big companies would give a rat's ass about earning a few
dollars a night....)

-- but people with access to these machines will continue to use them for
key cracking, factoring, etc. challenges.

Could I be wrong in this? Sure. Maybe companies will not care. I doubt
this, though.

Damien may be able to tell us if Ecole Polytechnique has raised any
questions about his highly-publicized attack on the SSL Challenge key. I
will _speculate_ that the normally-security-conscious French are
considering policies against this. After all, this is one of the countries
that bans private possession of strong crypto. (Or, as a French computer
scientist told me recently, "Sure, one can apply for a license for
crypto...the procedure is the same as applying for a license for your own
private Exocet missile.")


--Tim May


---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May            | Crypto Anarchy: encryption, digital money,
[email protected] (Got net?)  | anonymous networks, digital pseudonyms, zero
408-728-0152              | knowledge, reputations, information markets,
Corralitos, CA            | black markets, collapse of governments.
Higher Power: 2^756839    | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."