
"Lyal" == Lyal Collins <lyalc@ozemail.com.au> writes:
Lyal> I hesitate to distribute the decompiled source code I used,
Lyal> since it may get used by the unscrupulous to do trusting Cybank
Lyal> customers out of their hard earned money. Maybe, enough
Lyal> requests will convince me otherwise.

People need to learn that the sort of snake oil that is being sold as "secure" just won't cut it. Your concern for the customers of Cybank is valid, however, so I propose something along these lines:

Announce, very publicly, such that every Cybank customer would hear about it in time, that you have cracked their hokey little non-crypto scheme, and that you intend to publish your work in a full-disclosure paper to be published on Month Day, Year.

I would recommend a number of appropriate newsgroups, relevant mailing lists (individually posted, not CC'd), and some letters to the editor of the New York Times, San Jose Mercury News, the Wall Street Journal and other high-readership papers. As soon as someone in the media carries it, it'll spread like wildfire.

Further, I would recommend some guidelines about when to post the published paper (and I would do it on a number of FTP sites as close to simultaneous as you can.) Do it on a Monday, so there are plenty of business days for Cybank to deal with it when the initial round of bad guys trying the attack will strike. Do it between 1100 and 1700 ET, so that you do it during business hours.

--
C Matthew Curtin
MEGASOFT, LLC
Director, Security Architecture
cmcurtin@research.megasoft.com
http://www.research.megasoft.com/~cmcurtin/
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet