If you found out you could easily crack a commercial "protection" method, what do you do? First, you stay anonymous, because otherwise they will try to get you, no matter what your intentions are. I think it is best to send the information, anonymously, with a working example to the company. But chances are that they will sit on it due to fear of losing market share or being sued by users.

So the question is, is it more ethical to allow the userbase to have their information cracked by "bad guys," possibly without their knowledge, or publish the information so that the userbase is aware of the security breach, and can do something about it? It depends on the situation, of course. But no one will believe you if you say "I can crack xyz program's 'protected' data" without showing how it works.

When it comes right down to it, individuals have to be responsible about the cryptosystems they use. And you are much better off knowing that your data is possibly crackable rather than not knowing it, and having hackers crack it without your knowledge. Hopefully this whole incident will get software companies thinking more seriously about using scholarly-tested secure cryptosystems.

-Thomas
> If you found out you could easily crack a commercial "protection" method, what do you do?
I'd send it off to CERT anonymously. They have good relationships with vendors, who often put out patches when CERT presents them with security-related problems. If I saw no response after 6-12 months (about a vendor release cycle), I might start being more public about it. This solution means that the problem has a reasonable chance of getting solved, without causing too much damage in the interim.

If I had reason to believe that some security hole was being used heavily and maliciously by someone, I would explain this to CERT and wait a significantly smaller period of time, like a week or two, before going public. This would prevent people from being unknowingly hurt by a bug.

It's important not to go too public too quickly, because people have a tendency to panic. When the 1988 Internet Worm was discovered, people's reaction was to pull the plug on the net. This was counterproductive, since it made it difficult to tell people how to protect themselves against the Worm. Parts of the MILNET remained disconnected for weeks.

Marc
Participants (2): Marc Horowitz, technopagan priest