1993-09-28 - Re: Verilog encryption broken

Header Data

From: markh@wimsey.bc.ca (Mark C. Henderson)
To: Bruce R Koball <cypherpunks@toad.com
Message Hash: 5a1ac7d8b81ed4449c3e0997ccc9644e8fd75d8f4059cafbbf77e74d37fd13bc
Message ID: <m0ohWe6-0001EbC@vanbc.wimsey.com>
Reply To: N/A
UTC Datetime: 1993-09-28 04:31:23 UTC
Raw Date: Mon, 27 Sep 93 21:31:23 PDT

Raw message

From: markh@wimsey.bc.ca (Mark C. Henderson)
Date: Mon, 27 Sep 93 21:31:23 PDT
To: Bruce R Koball <cypherpunks@toad.com
Subject: Re: Verilog encryption broken
Message-ID: <m0ohWe6-0001EbC@vanbc.wimsey.com>
MIME-Version: 1.0
Content-Type: text/plain


> A recent anonymous posting in the comp.lang.verilog newsgroup on Usenet
> has generated a raging controversy and threatens to shake up the
> electronic design automation (EDA) community.  The posting was a program
> that broke the encryption scheme used to protect the proprietary
> libraries that are part of Cadence Design Systems high-end IC design
> tool Verilog-XL.  Verilog is a sophisticated CAD tool that allows
...

This does bring up an interesting ethical question.

What should one do when one discovers that a vendor is marketing
an encryption scheme for the protection or to limit the use of
specific information, which is easy to break?

Obviously, one is neither doing the vendor nor the customers of that
vendor a favour by posting a detailed account of the weakness of
the system.

On the other hand, if one just sits on the information, it is clear 
that other people will be able to deduce the weakness in the system 
and actually use it to steal information; and why not, I suppose 
anyone who puts trust in "smoke and mirrors security" probably 
deserves exactly what they get. 

The world abounds with weak encryption algorithms which are being 
used to protect information of considerable value. The case with 
Verilog, and their use of an easily "crackable" scheme is far from 
unique. 

Still I don't have an answer. Say one discovers that a vendor is 
protecting its customers' information using a simple "crackable" 
linear encryption function. Is that information something to reveal, 
something to keep secret or what? If one were to approach the
vendor in question with that kind of information, I can imagine
all sorts of legal entanglements that might arise. 

There are other instances which are similar. Information on the
(in)security of various operating systems comes to mind.

Comments?

-- 
Mark Henderson      markh@wimsey.bc.ca (personal account)
RIPEM key available by key server/finger/E-mail
  MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433




