Acceptable risk scenarios involve discovery and events, i.e., things must happen. The simple fact that things can be cracked means nothing. Are they being cracked and at what cost? It seems as though the owner of the asset under protection must make the choice.
Now take, for example, priceless baseball cards left in a closet, safely stored away in a cardboard box, owned by the young son of the house. The value is not known to the mother, who throws the box out as clutter. The assumption the son made was that his closet was safe and exclusive, yet his mother had a different idea.
If the owner of a car parks it with the idea that it is safe, leaving his Picasso etchings in the backseat only to return to find that the Picassos were picked, then the courts will come into play. They will ask TI and this wonderful team of developers what the risk scenario was on this damn thing that did not work.
The team can say many things, but what they cannot say is that the risk is or was acceptable. So the classic issue of notification to all owners of the now-cracked security system is in order, so they might be made aware of the shortcoming. Also, a prudent reserve should be placed aside by the TI team for claims against their flawed product.
All in all the product is defective (just like Microsoft's OS) so the question is, what is the remedy to the consumer? What's in it for their pain and suffering?
I'm sure the answer is 'nothing' because crypto people should not be sued for the products they produce that cause injury. The problem is the law does not see it that way. I shall send this blog posting to an attorney right away since I'm sure there is a class action and product recall in the making. Just kidding.
Posted by Jim at January 31, 2005 08:37 AM