From: technopagan priest <tedwards@wam.umd.edu>
To: cypherpunks@toad.com
Message Hash: 79fdaf11294067ba56f455aa9d28662b352e6ad03ea7745c97e40ec7af7007ba
Message ID: <199309280518.AA18205@rac5.wam.umd.edu>
Reply To: N/A
UTC Datetime: 1993-09-28 05:21:24 UTC
Raw Date: Mon, 27 Sep 93 22:21:24 PDT
From: technopagan priest <tedwards@wam.umd.edu>
Date: Mon, 27 Sep 93 22:21:24 PDT
To: cypherpunks@toad.com
Subject: Easy cracking
Message-ID: <199309280518.AA18205@rac5.wam.umd.edu>
MIME-Version: 1.0
Content-Type: text/plain
If you found out you could easily crack a commercial "protection"
method, what do you do?
First, you stay anonymous, because otherwise they will try to get
you, no matter what your intentions are.
I think it is best to send the information, anonymously, with a
working example to the company. But chances are that they will
sit on it due to fear of loosing market share or being sued by
users.
So the question is, is it more ethical to allow the userbase to
have their information cracked by "bad guys," possibly without
their knowledge, or publish the information so that the userbase is
aware of the security breach, and can do something about it?
It depends on the situation, of course. But no one will believe you
if you say "I can crack xyz programs 'protected' data" without
showing how it works.
When it comes right down to it, individuals have to be responsible about
the cryptosystems they use. And you are much better off knowing that
your data is possibly crackable rather than not knowing it, and having
hackers crack it without your knowledge.
Hopefully this whole incident will get software companies thinking more
seriously about using scholarly-tested secure cryptosystems.
-Thomas
Return to September 1993
Return to “technopagan priest <tedwards@wam.umd.edu>”