From: C Matthew Curtin <cmcurtin@megasoft.com>
Date: Thu, 18 Jul 1996 11:19:02 +0800
To: Lyal Collins <lyalc@ozemail.com.au>
Subject: Re: Cybank breaks new ground; rejects public-key encryption
In-Reply-To: <v03007606ae0dd5274a4e@[199.0.65.105]>
Message-ID: <199607161345.JAA08175@research.megasoft.com>
MIME-Version: 1.0
Content-Type: text/plain


>>>>> "Lyal" == Lyal Collins <lyalc@ozemail.com.au> writes:

Lyal> I hesitate to distribute the discomplied source code I used,
Lyal> asince it may get used by the unscrupulous to do trusting Cybank
Lyal> customers out of their hard earned money. Maybe, enough
Lyal> resquests will convince me otherwise.

People need to learn that the sort of snake oil that is being sold as
"secure" just won't cut it. Your concern for the customers of Cybank
is valid, however, so I propose something along these lines:

Announce, very publicly, such that every Cybanlk customer would hear
about it in time, that you have cracked their hokey little non-crypto
scheme, and that you intend to publish your work in a full-disclosure
paper to be published on Month Day, Year. I would recommend a number
of appropriate newsgroups, relevant mailing lists (individually
posted, not CC'd), and some letters to the editor of the New York
Times, San Jose Mercury News, the Wall Street Journal and other
high-readership papers. As soon as someone in the media carries it,
it'll spread like wildfire.

Further, I would recommend some guidelines about when to post the
published paper (and I would do it on a number of FTP sites as close
to simultaneous as you can.) Do it on a Monday, so there are plenty of
business days for Cybank to deal with it when the initial round of bad
guys trying the attack will strike. Do it between 1100 and 1700 ET, so
that you do it during business hours.

-- 
C Matthew Curtin        MEGASOFT, LLC        Director, Security Architecture
cmcurtin@research.megasoft.com   http://www.research.megasoft.com/~cmcurtin/
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet