1993-09-28 - Re: Easy cracking

Header Data

From: Marc Horowitz <marc@MIT.EDU>
To: cypherpunks@toad.com
Message Hash: 23a8d6cd80e922bb4cef9c68740b48004cb56d524013cf09966f9e4ddb754889
Message ID: <9309280541.AA00928@steve-dallas.MIT.EDU>
Reply To: <199309280518.AA18205@rac5.wam.umd.edu>
UTC Datetime: 1993-09-28 05:46:19 UTC
Raw Date: Mon, 27 Sep 93 22:46:19 PDT

Raw message

From: Marc Horowitz <marc@MIT.EDU>
Date: Mon, 27 Sep 93 22:46:19 PDT
To: cypherpunks@toad.com
Subject: Re: Easy cracking
In-Reply-To: <199309280518.AA18205@rac5.wam.umd.edu>
Message-ID: <9309280541.AA00928@steve-dallas.MIT.EDU>
MIME-Version: 1.0
Content-Type: text/plain


>> If you found out you could easily crack a commercial "protection"
>> method, what do you do?

I'd send it off to CERT anonymously.  They have good relationships
with vendors, who often put out patches when CERT presents them with
security-related problems.  If I saw no response after 6-12 months
(about a vendor release cycle), I might start being more public about
it.

This solution means that the problem has a reasonable chance of
getting solved, without causing too much damage in the interim.

If I had reason to believe that some security hole was being used
heavily and maliciously by someone, I would explain this to CERT and
wait a significantly smaller period of time, like a week or two,
before going public.  This would prevent people from being unknowingly
hurt by a bug.

It's important not to go too public too quickly, because people have a
tendency to panic.  When the 1988 Internet Worm was discovered,
people's reaction was to pull the plug on the net.  This was
counterproductive, since it made it difficult to tell people how to
protect themselves against the Worm.  Parts of the MILNET remained
disconnected for weeks.

		Marc