Newsgroups: sci.crypt
Path: msuinfo!caen!zaphod.mps.ohio-state.edu!think.com!wupost!darwin.sura.net!gatech!psuvax1!fortran!so
From: so@fortran.cs.psu.edu (Nicol C. So)
Subject: Re: Ethics and software to find ZIP archive passwords
Message-ID: <8hH*&ow5@cs.psu.edu>
Sender: news@cs.psu.edu (Usenet)
Nntp-Posting-Host: fortran.cs.psu.edu
Organization: Penn State Computer Science
References: <1992Feb28.112824.18265@leland.Stanford.EDU>
Date: Sat, 29 Feb 1992 18:50:50 GMT
Lines: 22

In article <1992Feb28.112824.18265@leland.Stanford.EDU> kocherp@leland.Stanford.EDU (Paul Carl Kocher) writes:
>     I have written some fairly fast routines that use a brute-force
>approach to check passwords against the 16-bit checksum in zip files' 
>encryption headers. ...
>
>     I fear that if I release this, it will be mostly used by people
>to get unauthorized access to others' data.  On the other hand, anyone 
>who is determined enough could easily write a similar program.  Does
>anyone have experience releasing programs, like this, that could be
>misused?  My present inclination is to not release it, but I would 
>welcome suggestions.

I would suggest that you consider the question: what benefit will other
people gain from your release of the program?  My opinion is that if you
have discovered a weakness in some cipher used in real life, point it
out by all means.  Better still, explain to people how the problem can
be fixed (if a fix is possible) and how they can avoid the problem when
they design a new cipher.  However, I don't think releasing the program
really helps people.  Few people have a legitimate reason for breaking
a cipher.  If they forget their keys, let them learn from their mistakes.
Enabling everyone to break a cipher is not the right method to solve the
forgotten-key problem.
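The 16-bit header check that Kocher's quoted post describes, as an added example that is not code from either poster. It assumes the traditional PKZIP stream cipher as published in PKWARE's APPNOTE (three 32-bit keys updated through the CRC-32 table) and the PKZIP 1.x convention that the last two plaintext bytes of the 12-byte encryption header equal the high 16 bits of the entry's CRC-32; later PKZIP 2.0 reduced the check to a single byte. The password, plaintext and candidate list are constructed for the example. The point it shows is why the routine is fast: a wrong guess is rejected after decrypting 12 bytes, and only the roughly 1 in 65536 guesses that pass the filter need the full decrypt-and-CRC confirmation.

```python
"""Filter ZIP password guesses with the PKZIP 1.x 16-bit header check.

Added example; implements the published PKZIP traditional cipher and a
constructed sample entry so that it runs offline.
"""
import random
import zlib


def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (0xEDB88320 ^ (c >> 1)) if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _crc_table()


def crc32_update(crc, byte):
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKZIP stream cipher (APPNOTE 'Traditional PKWARE Encryption')."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in password:
            self.update(c)

    def update(self, c):
        self.k0 = crc32_update(self.k0, c)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = crc32_update(self.k2, self.k1 >> 24)

    def stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt_byte(self, p):
        c = p ^ self.stream_byte()
        self.update(p)  # keys are advanced with the plaintext byte
        return c

    def decrypt_byte(self, c):
        p = c ^ self.stream_byte()
        self.update(p)
        return p


def make_encrypted_entry(password, plaintext, seed=1):
    """Constructed sample: encrypt `plaintext` as a PKZIP 1.x archiver would.

    Returns (encrypted 12-byte header, encrypted body, CRC-32 of plaintext).
    The CRC is stored in the clear in the local file header, so an attacker
    always has it; the filler bytes are seeded only to keep the example
    deterministic.
    """
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    rng = random.Random(seed)
    header = bytes(rng.randrange(256) for _ in range(10))
    header += bytes([(crc >> 16) & 0xFF, (crc >> 24) & 0xFF])  # 16-bit check
    z = ZipCrypto(password)
    enc_header = bytes(z.encrypt_byte(b) for b in header)
    enc_body = bytes(z.encrypt_byte(b) for b in plaintext)
    return enc_header, enc_body, crc


def passes_header_check(password, enc_header, crc):
    """Cheap filter: decrypt 12 bytes, compare the last two with the CRC high word."""
    z = ZipCrypto(password)
    dec = [z.decrypt_byte(b) for b in enc_header]
    return dec[10] == ((crc >> 16) & 0xFF) and dec[11] == ((crc >> 24) & 0xFF)


def full_verify(password, enc_header, enc_body, crc):
    """Expensive confirmation: decrypt the whole body and recompute CRC-32."""
    z = ZipCrypto(password)
    for b in enc_header:
        z.decrypt_byte(b)
    plain = bytes(z.decrypt_byte(b) for b in enc_body)
    return (zlib.crc32(plain) & 0xFFFFFFFF) == crc


def crack(candidates, enc_header, enc_body, crc):
    """Return (guesses surviving the 16-bit filter, guesses confirmed by CRC)."""
    survivors = [p for p in candidates if passes_header_check(p, enc_header, crc)]
    confirmed = [p for p in survivors if full_verify(p, enc_header, enc_body, crc)]
    return survivors, confirmed


# Constructed sample data for the example.
SAMPLE_PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 20
SAMPLE_PASSWORD = b"secret"
CANDIDATES = [b"password", b"letmein", b"Secret", b"secret", b"zipfile", b"1992"]

if __name__ == "__main__":
    h, body, crc = make_encrypted_entry(SAMPLE_PASSWORD, SAMPLE_PLAINTEXT)
    survivors, confirmed = crack(CANDIDATES, h, body, crc)
    print("passed 16-bit check:", survivors)
    print("confirmed by CRC-32:", confirmed)
```

The filter decrypts 12 bytes per guess regardless of file size, which is what makes the routine "fairly fast"; the full CRC confirmation costs a pass over the whole entry but runs only on the few survivors. A one-byte check, as in PKZIP 2.0, would let about 1 in 256 wrong guesses through to that slow path instead of 1 in 65536.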
