Bugtraq mailing list archives

Re: Xato Advisory: Multiple Cart32 Vulnerabilities


From: Colin Hart <info () COLINHART COM>
Date: Tue, 14 Nov 2000 15:03:36 -0000

<snip>On November 6, 2000 Colin Hart and Cart32 issued a joint advisory (BID
195) addressing the issue of the weak encryption.  They also stated
that they will not be releasing the actual algorithm.  Because we do
not agree with the concept of security through obscurity, we have put
together this snippet of VBScript code to demonstrate how a password
can be unencrypted: <snip>

You managed to make the point about "security through obscurity" more
effectively than you are aware!! In my conversations with Cart32 I respected
their wishes to withhold the algorithm but pointed out to them that it was
only a matter of time before someone else posted it, which proved correct,
but also confirms your point that security through obscurity is a
non-starter. My personal opinion is that vendors need to decide whether they
want to manage a problem by communicating in full with their customers and
the security community or by hoping it will go away and letting the
information proliferate in a non-managed way on IRC, etc. The
"full-disclosure" v "non-disclosure" and every shade in between has been
discussed at length here but I'm sure the debate will roll on.

My $0.02

Cheers

Colin Hart
info () colinhart com