
Monitoring Tor exit node traffic would be exceptionally unethical.



It's also probably something you should assume is happening on all the exit nodes.


Exactly. Ethics is just the wrong way to think about it.

It's like the people emptying weak brainwallets. Is it unethical to empty the brainwallet for "password123"? Is it unethical to pick up a quarter lying on the sidewalk? No and no.

Saying that strangers on the internet are bound by ethics is unrealistic.

Instead, we should build systems that are resilient.

For example:

* A brainwallet generator should estimate passphrase complexity and warn if it's too low

* Tor Browser should show a red lock icon for plain HTTP and warn users clearly that their traffic may be read

Blame the program, not the person. Calling the inevitable attacker "unethical" just isn't useful. Saying the user is dumb or Doing It Wrong isn't useful either.

Good crypto software should be resistant to both misuse (by Adam) and abuse (by Eve)
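A sketch of the passphrase warning suggested above, added here as an example; it is not part of the original comment and not taken from any wallet's code. It reports the lower of a character-pool estimate and a dictionary-pattern estimate; the word list, the 100,000-entry dictionary size and the 80-bit threshold are all assumptions.

```python
import math
import re

# Constructed sample list; a real generator would load a large leaked-password corpus.
COMMON_WORDS = {"password", "letmein", "bitcoin", "satoshi", "qwerty", "dragon"}
ASSUMED_DICTIONARY_SIZE = 100_000  # assumption: size of the guesser's word list
MIN_BITS = 80                      # assumption: warn below this estimate

def charset_bits(text):
    """Optimistic estimate: each character drawn uniformly from the classes present."""
    pool = 0
    if re.search(r"[a-z]", text):
        pool += 26
    if re.search(r"[A-Z]", text):
        pool += 26
    if re.search(r"[0-9]", text):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", text):
        pool += 33  # printable ASCII symbols, including space
    return len(text) * math.log2(pool) if pool else 0.0

def pattern_bits(passphrase):
    """Pessimistic estimate: known words cost one dictionary lookup, separators cost nothing."""
    bits = 0.0
    for token in re.findall(r"[A-Za-z]+|[^A-Za-z\s]+", passphrase):
        if token.lower() in COMMON_WORDS:
            bits += math.log2(ASSUMED_DICTIONARY_SIZE)
            if token != token.lower():
                bits += 1  # one extra bit for a capitalisation variant
        else:
            bits += charset_bits(token)
    return bits

def assess(passphrase):
    """Return (estimated_bits, ok); the generator should warn when ok is False."""
    bits = min(charset_bits(passphrase), pattern_bits(passphrase))
    return bits, bits >= MIN_BITS

if __name__ == "__main__":
    for sample in ("password123", "t7#Qv9!mZx2@Lp4&Rk8$"):  # constructed samples
        bits, ok = assess(sample)
        print(f"{sample!r}: ~{bits:.1f} bits -> {'ok' if ok else 'WARN: too weak'}")
```

The character-pool figure alone would rate "password123" at about 57 bits, which is why the estimate takes the minimum of the two models.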


You seem to be completely misunderstanding ethics. Just because you 'can' do something does not mean it should be done or is ethical to do so. You 'can' break into your neighbor's house and steal <whatever>. Just because you have that capacity does not make it suddenly ethical to do so, even if they leave their doors unlocked.

GP didn't say that strangers on the internet are bound by ethics. Ethics are not a thing we are 'bound' by. They are a value judgment we make based on whatever social contract we think we have with those around us.

If passphrase complexity is "too low", that's also a judgment. There are no universal truths about what is adequate complexity. What you think is adequate today will not be adequate tomorrow. If someone's passphrase was inadequate and was cracked, was it ethical for the cracker to take advantage of it? If the passphrase passed a certain complexity, did it suddenly become unethical?


I think in the case of brainwallets, the actual contract with the network is that anyone who knows the password has authority to transfer the funds. When you send funds to a password-based address that is literally what you are declaring. There are no additional "off-book" requirements for accessing the funds like, you must know the password and also be a specific person.

There are similar scenarios but they are also different in important ways. A properly generated private key would have to be first stolen. An improperly generated private key, or an improperly generated signature that reveals the key are technological faults which expose the funds.

But when it comes to so-called brain-wallets, if you know the password then I think you have the right to move the funds.


Without the law, the actual "contract" you have re ownership of anything is that you can prevent anyone else from owning those things. If someone else can manage to "steal" your thing, they own it now.

I think that's not a world anyone wants to live in aside from an-caps.


I'm not speaking of lawlessness, I mean the actual lawful contract of who owns or can transfer or take possession of the data. Bitcoin introduces all sorts of novel ways to store and assign ownership of the Satoshi. Flags like ANYONE_CAN_PAY and scripts which equate to ANYONE_CAN_SPEND, or in this case a script which equates to SPEND_WITH_PWD.

The vast majority of people have zero understanding of the underlying crypto contract they are entering when they use Bitcoin. But there are experts who can explain what these scripts actually mean and who in turn can access the funds and under what conditions. Like buying other commodities electronically, it is best to consult an expert if you don't know what you're doing. That doesn't change the terms of the underlying contract.


Back in the real world, contracts have a lot to do with intent. Generally, if you didn't intend to give money to whoever picks it up first, a court would rule that nobody but the intended recipient has the right to pick up the money.

Even if you leave a duffel bag full of money beside a motorway, it's not legally the property of whoever picks it up first. That would be a perfectly reasonable legal argument. In order to give it away to whoever picks it up first, you need to create clear intent - a posting in plain English, for example. Making it easy to pick up isn't intent to allow anyone to pick it up.

Code isn't contract, and behaviour isn't contract either.


> In order to give it away to whoever picks it up first, you need to create clear intent - a posting in plain English, for example.

So we have someone who takes that proverbial duffel bag full of money, lays it down on the information superhighway, and puts a sign on it which says, 'SPEND_WITH_PASSWORD'. So Mallory picks up the bag, opens it up with the password, and spends the money. They didn't "intend" for that to happen, but they signed a contract which says exactly that. The best example I've heard where this is not a valid defense is the life insurance policy written by Aviva France which allowed retroactive trading (a.k.a. printing money) and where the policy could now be worth billions of dollars. [1]

Can code ever be a contract? I think so. What if the code functions exactly as designed, and exactly as advertised, is it then a contract? A world where you don't have the freedom to follow clear and obvious labels does not function very well. If someone puts a water fountain on a public way, and then sues people for drinking from it claiming they stole the water, I would hope those claims would be thrown out and the claimant censured.

The right answer is, of course, no one should be laying their money down with a sign on it that says 'SPEND_WITH_PASSWORD' if that's not what they want to have happen -- because trying to recover that money after the fact when someone picks it up is going to be challenging, to say the least. But I do think it's an interesting argument to say that the person who did pick it up with the right password actually did nothing legally wrong, and even ethically or morally wrong.

Even more so, I find arguments that 'SPEND_WITH_PASSWORD' should actually mean 'SPEND_WITH_PASSWORD_AND_CONSENT' to be highly problematic for a decentralized blockchain which can trade smart assets. A crypto-currency should be expected to do what it says on the label, and users should be expected to read the label before using it. See, for example, the many cases of inadvertently large transaction fees, and even that's a more clear-cut example of programming error, or human error, than 'SPEND_WITH_PASSWORD' which does exactly what it says.

[1] - http://ftalphaville.ft.com/2015/02/27/2120422/meet-the-man-w...


A machine flag on a data record which doesn't even say SPEND_WITH_PASSWORD, but is instead a set of machine instructions, to be interpreted by a machine that nobody really fully understands, is not human-readable English, and can reasonably be set without intent to allow anyone to spend it - it's easy to mess up and make it less secure than you intended.

Therefore, it's not a contract, by definition, no matter what a subset of the population would like to think. Also - what if there's a crypto bug somewhere in Bitcoin, or a popular key/password generator? If it turned out all SPEND_WITH_PASSWORD transactions are far weaker than expected, does that mean it would be perfectly legal for anyone to steal money from all such transactions? I can't see a court saying "yes" to that, any more than they'd say that if your computer wasn't secure enough it'd be legal to access your bank account details and steal all your money from your bank. Or you could also bring up the argument that you'd get your money back if you'd sent money to the wrong person by PayPal/Faster Payments/whatever and had to take it to court, and the term "smart contract" doesn't actually change what's almost the same action.

This doesn't necessarily mean the blockchain needs to include some sort of "revoke transaction" functionality, but it is something that you can take to court if you find out who stole your money. New tech doesn't mean that courts suddenly break every rule that's been developed over hundreds of years. Courts are very used to dealing with "irrevocable" transactions.


To talk about ethics completely independent of ability is to divorce philosophy from reality.

If I can brute force a password with a TI-83, then that should be a different conversation than if I can do so with a few hundred million dollars, a backbone tap, and a government cluster.

To argue otherwise is navel-gazing about whether the red I see is the same red you see. Maybe? But more importantly, what does it matter?


So if you murder someone with an assault rifle, you're a monster, but if you did it with your bare hands, your methods should be applauded and studied?

I'm not even going for reductio ad absurdum here, this seems to literally be what you're saying.


Did I at any point make a value judgement, as you did?

I simply said, as did dcposch, that to talk about ethics independent of ability is useless from a functional perspective. And to go farther, that applying anything other than amorality to internet actors is without functional value.

A rebuttal, if you feel otherwise, would take the form of "No, I believe pure ethical evaluation is still useful because..."


I think it's more like it's ethical to murder little kids and weak people because it's easier to do than murdering a well-built man.


This is totally preposterous logic. It's very easy to commit many very serious crimes, like murder and rape. Ability to carry out an act has nothing to do with its morality.


I can see how you got to the conclusion you did but I think you're making the wrong analogies like the gp.

The penny you pick up on the street, despite any argument to the contrary, hasn't been put there for safekeeping. It's lost and its value is so low that it's immaterial if you return it or not. Actually the loss in productivity and the impossibility of the task are such that returning it, unless you saw the person who dropped it, is probably a negative thing.

Now if that was $65000 then you might keep it because you can and it benefits you, but the ethical thing to do is to attempt to return it to its owner.

Compare that to a weak password though, as far as you know it isn't even lost. You're just assuming that it will be stolen so it might as well be you. Do you feel the same way about the contents of other people's houses? Pretty much anyone who wants has the ability to enter your home, we don't do that because of ethics.


You or I don't enter others' homes because of ethics, but I think lock companies bear out my point. There are a lot of technically questionable lock products out there, but people still buy them and companies produce them.

Because most people feel even a bad lock changes the ethical calculus. Because ease of transgression has a direct bearing on the actually realised ethical result.

The issue with the original "that's not ethical" comment was not "Yes it is" but rather "You're right, but how is that relevant to this discussion?"


Brainwallet?


An insecure type of bitcoin wallet based on a user-generated seed. They were shown to be easily bruteforced.



