Bugtraq mailing list archives
Re: Xato Advisory: Multiple Cart32 Vulnerabilities
From: Colin Hart <info () COLINHART COM>
Date: Tue, 14 Nov 2000 15:03:36 -0000
<snip>
On November 6, 2000 Colin Hart and Cart32 issued a joint advisory (BID 195) addressing the issue of the weak encryption. They also stated that they will not be releasing the actual algorithm. Because we do not agree with the concept of security through obscurity, we have put together this snippet of VBScript code to demonstrate how a password can be unencrypted:
<snip>
You managed to make the point about "security through obscurity" more effectively than you are aware!!

In my conversations with Cart32 I respected their wishes to withhold the algorithm, but pointed out to them that it was only a matter of time before someone else posted it. This proved correct, but it also confirms your point that security through obscurity is a non-starter.

My personal opinion is that vendors need to decide whether they want to manage a problem by communicating in full with their customers and the security community, or by hoping it will go away and letting the information proliferate in a non-managed way on IRC, etc. The "full-disclosure" v "non-disclosure" question, and every shade in between, has been discussed at length here, but I'm sure the debate will roll on.

My $0.02

Cheers

Colin Hart
info () colinhart com