Hacker News

> Don't attack a strawman.

I'm not. You're just factually wrong.

> not publicly declaring the vulnerability is security by obscurity.. which does not work.

Now I know that you don't know what you're talking about. Anyone either passingly familiar with the field of information security, or capable of using basic logic, knows that this is incorrect in multiple ways.

First, because security by obscurity can increase the security of a system when you combine it with other measures.

Second, because you're using "security by obscurity" as a religious word without the slightest understanding of what it actually means, which is that, when designing a secure system (that is, when playing the role of the defender), relying on security by obscurity alone is bad.

This is not what is happening in the article. In the article, yohanes/TinyHack is playing the role of the attacker - the Akira ransomware has a cryptosystem and they are attacking it. "Security by obscurity" is entirely irrelevant here.

It's extremely obvious to either someone who thinks for a few seconds, or anyone with a basic understanding of the field, that the attackers primarily rely on security through obscurity, and that publicly revealing the vulnerabilities in the defenders' systems that you've discovered is almost always an extremely bad idea.

And that includes this case. Now that yohanes has disclosed the vulnerability in Akira, the authors can immediately patch it, and the upside is virtually non-existent: an educational lesson for someone new to the field, which could have easily been provided in a way that doesn't inhibit our ability to decrypt victims' files. If yohanes had instead kept the vulnerability a secret, they could have disseminated it to a limited number of other cybersecurity experts, and offered to decrypt files as a service, helping victims without revealing the vulnerability in the crypto.

You shouldn't comment if you don't have the slightest idea of what the words you're using actually mean.



