Without specific details on implementing the exploit, how are we know how to protect ourselves? The 'keep it secret' philosophy strikes at the heart of true security. The 'trust me, it's true' carries no weight, and it doesn't matter who says it. Without implementation details, there is no way to independently verify the veracity of the claim.

The comparison with bomb-schematics is entirely off-base. First of all, those schematics are typically just implementations of already well-known and innocuous circuits. Second, as a youth in the days before such things as personal computers, I had no trouble building all manner of explosive devices using information readily available at the library. In fact, my best bomb was built using information found in the chemistry text we used in school!

In my opinion, a more relevant comparison is found in locksmithing. Did you know that a master key can be easily reconstructed with access to any lock and key that is part of a master-grouping? http://www.crypto.com/masterkey.html The group that discovered this tried to follow your rules and as a result, I was at risk longer than necessary. Having implementation details was critical to my assessment of the risk and getting that information earlier would have reduced my risk because the bad guys would not have had a head start.

Vulnerabilities need to be publicized so that proper pressure can be brought to bear on the developers, manufacturers, distributors, and implementors of technology.

I do not think that it is reasonable to prohibit schematics or demonstrations from being made public. I really have to wonder where HID gets any ability to force someone to cancel such a demonstration. While I will agree that the public value of such activities is questionable at best, our society depends on the free and open exchange of ideas, knowledge, technology, and methods in order to continue advancing. No restriction on that exchange should occur without serious deliberation and crucial need.

Removing bomb making schematics from the web has no beneficial effect. Unless you are HID or another manufacturer, preventing such a demonstration is detrimental to the public. People tend to believe what they can actually observe and replicate themselves. Such a demonstration moves the vulnerabilities into the believable and meaningful realm which is important and useful.

i am the father of the magnetic striped card. it has NO security in the card. the security is provided by the accepting devices and system. after 35 years of industry usage of the magnetic stripe, losses are under 8 % of the transaction value and 85% of the losses are non payment by the card holder. the issue is not what are the security exposures of the RFID tag. rather the issue should be is the using system and accepting devices providing the correct protection.

While I believe in the First Amendment and without too much reflection say yes, you have the right to put up a schematic on how to make a bomb on a Web site, there is the ethical issue. And on that it is easier to say, at least for me, that it should not be done.
Besides having a responsibility to ourselves we also have a responsibility to the society we live in as well.
Ephraim

Much like the first posts, I believe that any attempt to suppress the free exchange of information is wrong. Period.

As mentioned in the above posts, suppressing information the industry, law enforcement or the general public can work with will only serve to delay the time those entities have to protect themselves from creative crackers. It is far easier to break something than it is to keep it fixed. That is all the head start most creative minds need (good or evil). Ultimately, understanding limitations and work-arounds on systems such as these are very important in the troubleshooting arena.

To think that Ethics and Morality should rule in this process is naive. Industry is under too much internal pressure to suppress weaknesses for fear of losing funding or customers, and thus, should not be fully trusted. One can find examples of this in the newspapers almost every day.

Further, to say that Ethically or Morally we shouldn't share this or similar information on the web is reaching into the realm of the 1950's. To assume that everyone/anyone is going to follow the moral high ground or worse yet, to put in place legislation protecting said high ground is asking for trouble. Criminal acts are committed outside the law...thus the term criminal.

Know your enemy and, above all, know your weaknesses.