On Tue, Apr 08, 2014 at 01:12:25PM -0400, Jonathan Thornburg wrote:
> On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote:
> > While everyone's madly rushing around to fix their bits&bobs, I'd
> > encourage you all to be alert to any evidence of *damages* either
> > anecdotally or more firm.  By damages, I mean (a) rework needed to
> > secure, and (b) actual breach into sites and theft of secrets, etc,
> > leading to (c) theft of property/money/value etc.
> >
> [[...]]
> >
> > E.g., if we cannot show any damages from this breach, it isn't worth
> > spending a penny on it to fix!
>
> This analysis appears to say that it's not worth spending money to
> fix a hole (bug) unless either money has already been spent or damages
> have *already* occurred.  This ignores possible or probable (or even
> certain!) *future* damages if no rework has yet happened.
The first part (gather data) is OK.  The second I thought was said
facetiously.  It is flawed, indeed, but it's also true that people have a
hard time weighing intangibles.

I don't know how we can measure anything here.  How do you know if your
private keys were stolen via this bug?  It should be possible to establish
whether key theft was feasible, but establishing whether they were stolen
might require evidence of use of stolen keys, and that might be very
difficult to come by.

We shouldn't wait for evidence of use of stolen keys!

Nico
--
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
