Newsgroups: sci.crypt
Path: msuinfo!caen!zaphod.mps.ohio-state.edu!uwm.edu!news
From: rick@discus.mil.wi.us
Subject: Re: Ethics and software to find ZIP archive passwords
Message-ID: <1992Feb28.203520.7450@uwm.edu>
Sender: news@uwm.edu (USENET News System)
Organization: Jus' me.
References: <1992Feb28.112824.18265@leland.Stanford.EDU> <15677@ncar.ucar.edu>
Date: Fri, 28 Feb 1992 20:35:20 GMT
Lines: 38

prz@sage.cgd.ucar.edu (Philip Zimmermann) writes:
>Responding to Paul Kocher's inquiry about the ethics of publishing a tool
>that can help crack the encryption protection of PKZIP:
>
>I think that publishing methods of breaking a scheme weak enough to
>break is a good idea.  If you do this, it may lead to stronger schemes 
>that will benefit everyone.  Weaknesses should be exposed so that 
>improvements can be made.  If someone has cancer, they should be informed
>rather than be kept blissfully ignorant.  Eventually people will start 
>using stronger methods that can withstand attacks.

This sounds similar to a discussion on alt.security...  Should crackers
(not the kind you eat) be allowed to take their best shot at machines'
security in hopes of finding holes? (...which could then be 'plugged'.)

Personally, I think that if a cracker can do his/her dirty-work using
their *own* cpu-/net-time then let them.  (Now let's not have everyone
uploading .ZIP archives containing $CLOCK files onto my BBS...  Ahem!)

You can't make it immoral to try to figure out something *general*.
Now if they're just brute-forcing *one* *particularly* *sensitive* *file*,
THAT's another story.  The difference is the academic aspect.

If the cracker is attacking each target afresh using brute-force (or
some only-slightly-refined attack) then the object of his/her labor is
the DATA.  However, if the cracker is developing a *method*, the object
of their labor is (crudely) "research".

Otherwise, some of the best cryptanalysts should be considered criminals.

DISCLAIMER:
	I specifically *despise* anyone who would _distribute_ some
	sort of turn-key software expressly for the purpose of aiding
	brainless crackers.  If you have any respect for the field of
	cryptanalysis, I appeal to you not to distribute copies of
	such programs as "crack".

     Rick Miller                                rick@discus.mil.wi.us
