Subject: Re: Xato Advisory: Multiple Cart32 Vulnerabilities
From: Colin Hart (info@COLINHART.COM)
Date: Tue Nov 14 2000 - 09:03:36 CST
- Next message: Roman Drahtmueller: "SuSE: miscellaneous"
- Previous message: Warning3: "Solaris libc locale bug exploit against non-exec stack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
<snip>
>On November 6, 2000 Colin Hart and Cart32 issued a joint advisory (BID
>195) addressing the issue of the weak encryption. They also stated
>that they will not be releasing the actual algorithm. Because we do
>not agree with the concept of security through obscurity, we have put
>together this snippet of VBScript code to demonstrate how a password
>can be unencrypted:
<snip>
You managed to make the point about "security through obscurity" more
effectively than you are aware!! In my conversations with Cart32 I respected
their wishes to withhold the algorithm but pointed out to them that it was
only a matter of time before someone else posted it, which proved correct,
but also confirms your point that security through obscurity is a
non-starter. My personal opinion is that vendors need to decide whether they
want to manage a problem by communicating in full with their customers and
the security community or by hoping it will go away and letting the
information proliferate in a non-managed way on IRC, etc. The
"full-disclosure" vs. "non-disclosure" debate and every shade in between have been
discussed at length here, but I'm sure the debate will roll on.
My $0.02
Cheers
Colin Hart
info@colinhart.com