top | item 43386167

(no title)

You have to read my comment in context of the immediate parent which I replied to, not the OP.

The immediate parent comment says that if the vulnerability is publicly declared, attackers can easily patch it.

Paraphrasing my response: not publicly declaring the vulnerability is security by obscurity.. which does not work.

Don't attack a strawman.

discuss

drtgh|11 months ago

If this were the case, then the existence of the Enigma machine, and also the existence of those Nazi communications which so kindly provided the daily seed for deciphering the codes, should have been published in the newspapers along the WWII.

I just hope that publishing the ransomware vulnerability was not ego-driven or anything like that, because they burned a period of time in which they could have helped many people.

throw10920|11 months ago

> they burned a period of time in which they could have helped many people.

They absolutely did. hassleblad23 has absolutely no idea what they're talking about and no experience in the field. It was obviously the wrong move to publish the Akira weakness.

hassleblad23|11 months ago

I don't think the Enigma machine example applies here.

The nazi communications were decrypted by a highly centralized and secrative group, making it very difficult for the Nazis to figure out how they were doing it.

But in this case any vulnerability in the ransomware will have to be exploited by many of the affected people to decrypt their files, which means wide distribution, which means that a leak to the ransomware developers will happen sooner than later. If there is no wide distribution of the vulnerability, the ransomware developers win anyway.

throw10920|11 months ago

> Don't attack a strawman.

I'm not. You're just factually wrong.

> not publicly declaring the vulnerability is security by obscurity.. which does not work.

Now I know that you don't know what you're talking about. Anyone either passingly familiar with the field of information security, or capable of using basic logic, knows that this is incorrect in multiple ways.

First, because security by obscurity can increase the security of a system when you combine it with other measures.

Second, because you're using "security by obscurity" as a religious word without the slightest understanding of what it actually means, which is that, when designing a secure system (that is, when playing the role of the defender), relying on security by obscurity alone is bad.

This is not what is happening in the article. In the article, yohanes/TinyHack is playing the role of the attacker - the Akira ransomware has a cryptosystem and they are attacking it. "Security by obscurity" is entirely irrelevant here.

It's extremely obvious to either someone who thinks for a few seconds, or anyone with a basic understanding of the field, that the attackers primarily rely on security through obscurity, and that publicly revealing the vulnerabilities in the defenders' systems that you've discovered is almost always an extremely bad idea.

And that includes this case. Now that yohanes has disclosed the vulnerability in Akira, the authors can immediately patch it, and the upside is virtually non-existent: an educational lesson for someone new to the field, which could have easily been provided in a way that doesn't inhibit our ability to decrypt victims' files. If yohanes had instead kept the vulnerability a secret, they could have disseminated it to a limited number of other cybersecurity experts, and offered to decrypt files as a service, helping victims without revealing the vulnerability in the crypto.

You shouldn't comment if you don't have the slightest idea of what the words you're using actually mean.