Newsgroups: sci.crypt
Path: msuinfo!caen!sdd.hp.com!wupost!psuvax1!fortran!so
From: so@fortran.cs.psu.edu (Nicol C. So)
Subject: Re: Ethics and software to find ZIP archive passwords
Message-ID: <nqHa8pw5@cs.psu.edu>
Sender: news@cs.psu.edu (Usenet)
Nntp-Posting-Host: fortran.cs.psu.edu
Organization: Penn State Computer Science
References: <1992Feb28.112824.18265@leland.Stanford.EDU> <15677@ncar.ucar.edu>
Date: Sat, 29 Feb 1992 18:59:31 GMT
Lines: 17

In article <15677@ncar.ucar.edu> prz@sage.cgd.ucar.edu (Philip Zimmermann) writes:
>Responding to Paul Kocher's inquiry about the ethics of publishing a tool
>that can help crack the encryption protection of PKZIP:
>
>I think that publishing methods of breaking a scheme weak enough to
>break is a good idea.  If you do this, it may lead to stronger schemes 
>that will benefit everyone.  Weaknesses should be exposed so that 
>improvements can be made.  If someone has cancer, they should be informed
>rather than be kept blissfully ignorant.  Eventually people will start 
>using stronger methods that can withstand attacks.

This is not a proper analogy.  Yes, I think people should be informed of
their illness, so I believe people should be informed of the weaknesses of
the cipher they use (and rely on).  But distributing a cracking program
is not the proper way of informing people of the problem.  It is more like
telling people that a psychiatric patient X has some particular problem and
teaching them how to take advantage of Mr X.
