[17650] in bugtraq
Re: Xato Advisory: Multiple Cart32 Vulnerabilities
daemon@ATHENA.MIT.EDU (Colin Hart)
Tue Nov 14 11:20:47 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <006b01c04e4c$10e68e00$0501020a@morpheus.theunderworld.com>
Date: Tue, 14 Nov 2000 15:03:36 -0000
Reply-To: Colin Hart <info@COLINHART.COM>
From: Colin Hart <info@COLINHART.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
<snip>
> On November 6, 2000 Colin Hart and Cart32 issued a joint advisory (BID
> 195) addressing the issue of the weak encryption. They also stated
> that they will not be releasing the actual algorithm. Because we do
> not agree with the concept of security through obscurity, we have put
> together this snippet of VBScript code to demonstrate how a password
> can be unencrypted:
<snip>

You managed to make the point about "security through obscurity" more
effectively than you are aware!! In my conversations with Cart32 I respected
their wishes to withhold the algorithm but pointed out to them that it was
only a matter of time before someone else posted it, which proved correct,
but also confirms your point that security through obscurity is a
non-starter. My personal opinion is that vendors need to decide whether they
want to manage a problem by communicating in full with their customers and
the security community or by hoping it will go away and letting the
information proliferate in a non-managed way on IRC, etc. The
"full-disclosure" v "non-disclosure" and every shade in between has been
discussed at length here but I'm sure the debate will roll on.
My $0.02
Cheers
Colin Hart
info@colinhart.com