1993-09-28 - Easy cracking

Header Data

From: technopagan priest <tedwards@wam.umd.edu>
To: cypherpunks@toad.com
Message Hash: 79fdaf11294067ba56f455aa9d28662b352e6ad03ea7745c97e40ec7af7007ba
Message ID: <199309280518.AA18205@rac5.wam.umd.edu>
Reply To: N/A
UTC Datetime: 1993-09-28 05:21:24 UTC
Raw Date: Mon, 27 Sep 93 22:21:24 PDT

Raw message

From: technopagan priest <tedwards@wam.umd.edu>
Date: Mon, 27 Sep 93 22:21:24 PDT
To: cypherpunks@toad.com
Subject: Easy cracking
Message-ID: <199309280518.AA18205@rac5.wam.umd.edu>
MIME-Version: 1.0
Content-Type: text/plain



If you found out you could easily crack a commercial "protection"
method, what do you do?

First, you stay anonymous, because otherwise they will try to get
you, no matter what your intentions are.

I think it is best to send the information, anonymously, with a
working example to the company.  But chances are that they will
sit on it due to fear of losing market share or being sued by
users.  

So the question is, is it more ethical to allow the userbase to
have their information cracked by "bad guys," possibly without
their knowledge, or publish the information so that the userbase is
aware of the security breach, and can do something about it?

It depends on the situation, of course.  But no one will believe you
if you say "I can crack xyz program's 'protected' data" without
showing how it works.

When it comes right down to it, individuals have to be responsible about
the cryptosystems they use.  And you are much better off knowing that
your data is possibly crackable rather than not knowing it, and having
hackers crack it without your knowledge.

Hopefully this whole incident will get software companies thinking more
seriously about using scholarly-tested secure cryptosystems.

-Thomas




