If you found out you could easily crack a commercial "protection" method, what do you do? First, you stay anonymous, because otherwise they will try to get you, no matter what your intentions are. I think it is best to send the information, anonymously, with a working example to the company. But chances are that they will sit on it due to fear of losing market share or being sued by users. So the question is, is it more ethical to allow the userbase to have their information cracked by "bad guys," possibly without their knowledge, or publish the information so that the userbase is aware of the security breach, and can do something about it? It depends on the situation, of course. But no one will believe you if you say "I can crack xyz program's 'protected' data" without showing how it works. When it comes right down to it, individuals have to be responsible about the cryptosystems they use. And you are much better off knowing that your data is possibly crackable rather than not knowing it, and having hackers crack it without your knowledge. Hopefully this whole incident will get software companies thinking more seriously about using scholarly-tested secure cryptosystems.

-Thomas