Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Xato Advisory: Multiple Cart32 Vulnerabilities
From: Colin Hart <info () COLINHART COM>
Date: Tue, 14 Nov 2000 15:03:36 -0000

<snip>On November 6, 2000 Colin Hart and Cart32 issued a joint advisory (BID
195) addressing the issue of the weak encryption.  They also stated
that they will not be releasing the actual algorithm.  Because we do
not agree with the concept of security through obscurity, we have put
together this snippet of VBScript code to demonstrate how a password
can be unencrypted: <snip>

You managed to make the point about "security through obscurity" more
effectively than you are aware!! In my conversations with Cart32 I respected
their wishes to withhold the algorithm but pointed out to them that it was
only a matter of time before someone else posted it, which proved correct,
but also confirms your point that security through obscurity is a
non-starter. My personal opinion is that vendors need to decide whether they
want to manage a problem by communicating in full with their customers and
the security community or by hoping it will go away and letting the
information proliferate in a non-managed way on IRC, etc. The
"full-disclosure" v "non-disclosure" and every shade in between has been
discussed at length here but I'm sure the debate will roll on.

My $0.02


Colin Hart
info () colinhart com

  By Date           By Thread  

Current thread:
  • Re: Xato Advisory: Multiple Cart32 Vulnerabilities Colin Hart (Nov 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]