Hacker News | w-ll's comments

I kinda agree here, many threads look loose. Even the attach arms look outta place.


I think the flight up is the scariest part.


I imagine the return trip is almost as scary. Can you imagine the relief of setting foot on "solid ground" again though? :)


Their inner ear balance and coordination is so atrophied they can barely walk. It's at least a two or three month recovery.


I'm confused: are you saying that you think building a method for anyone to break/brute the ransomware is bad?


They're saying that publicly disclosing the vulnerability is bad because now it will be fixed.


This is a game of cat and mouse, like it has always been. Cannot rely on security by obscurity.


This is a highly ignorant response. There is no relying on security by obscurity - that concept doesn't even apply here, because we're not describing the defenders of a system under attack. This is ransomware that has already infected the system that you're supposed to be securing. Failing to realize that if you don't publicize the method of bypassing the weakness in the ransomware then you'll be able to save more victims indicates extreme stupidity and ignorance of the basics of the field.

Moreover, "This is a game of cat and mouse" suggests that it's not valuable for more victims to have their files decrypted, which is somewhere between malicious and insane.


You have to read my comment in context of the immediate parent which I replied to, not the OP.

The immediate parent comment says that if the vulnerability is publicly declared, attackers can easily patch it.

Paraphrasing my response: not publicly declaring the vulnerability is security by obscurity, which does not work.

Don't attack a strawman.


If this were the case, then the existence of the Enigma machine, and also the existence of those Nazi communications which so kindly provided the daily seed for deciphering the codes, should have been published in the newspapers throughout WWII.

I just hope that publishing the ransomware vulnerability was not ego-driven or anything like that, because they burned a period of time in which they could have helped many people.


> they burned a period of time in which they could have helped many people.

They absolutely did. hassleblad23 has absolutely no idea what they're talking about and no experience in the field. It was obviously the wrong move to publish the Akira weakness.


I don't think the Enigma machine example applies here.

The Nazi communications were decrypted by a highly centralized and secretive group, making it very difficult for the Nazis to figure out how they were doing it.

But in this case any vulnerability in the ransomware will have to be exploited by many of the affected people to decrypt their files, which means wide distribution, which means that a leak to the ransomware developers will happen sooner rather than later. If there is no wide distribution of the vulnerability, the ransomware developers win anyway.


> I don't think the Enigma machine example applies here.

It absolutely does. Your claim is "security through obscurity applies when attacking a cryptosystem, so after you figure out how to break it, you should publish the details". By your logic, the Allies absolutely should have published the details of how they broke the Enigma.

> But in this case any vulnerability in the ransomware will have to be exploited by many of the affected people to decrypt their files, which means wide distribution

Yet again, you show your overwhelming ignorance of the field and basic logic. No, the decryption/exploit does not have to be widely distributed. It's extremely easy to realize that the good guys can just keep it tightly-held and provide a service where files are sent to them for decryption.

You should avoid spreading incorrect and harmful anti-information like this.


> Don't attack a strawman.

I'm not. You're just factually wrong.

> not publicly declaring the vulnerability is security by obscurity.. which does not work.

Now I know that you don't know what you're talking about. Anyone either passingly familiar with the field of information security, or capable of using basic logic, knows that this is incorrect in multiple ways.

First, because security by obscurity can increase the security of a system when you combine it with other measures.

Second, because you're using "security by obscurity" as a religious word without the slightest understanding of what it actually means, which is that, when designing a secure system (that is, when playing the role of the defender), relying on security by obscurity alone is bad.

This is not what is happening in the article. In the article, yohanes/TinyHack is playing the role of the attacker - the Akira ransomware has a cryptosystem and they are attacking it. "Security by obscurity" is entirely irrelevant here.

It's extremely obvious to either someone who thinks for a few seconds, or anyone with a basic understanding of the field, that the attackers primarily rely on security through obscurity, and that publicly revealing the vulnerabilities in the defenders' systems that you've discovered is almost always an extremely bad idea.

And that includes this case. Now that yohanes has disclosed the vulnerability in Akira, the authors can immediately patch it, and the upside is virtually non-existent: an educational lesson for someone new to the field, which could have easily been provided in a way that doesn't inhibit our ability to decrypt victims' files. If yohanes had instead kept the vulnerability a secret, they could have disseminated it to a limited number of other cybersecurity experts, and offered to decrypt files as a service, helping victims without revealing the vulnerability in the crypto.

You shouldn't comment if you don't have the slightest idea of what the words you're using actually mean.


I already have tons of aliases for git. One of my favs when I developed on a Mac was to also take a photo every time I pushed. I forgot about it for about a year; going into that archive was hilarious.


OT: what is the art style of that header/hero portrait?



It very much seems it came from an AI prompt. Funny, people will still read the article thinking that it was entirely written by a person.


The artist’s name (Richard Chance) is right under it.

https://richardachance.com/


It's not. And an article doesn't have to come entirely from a person to be considered worth reading.


You think we are gonna have fair elections in 4 years?

- You won't have to do it anymore. Four more years, you know what, it will be fixed, it will be fine, you won't have to vote anymore..."


The president can't just say, "no more elections."


Back during my high school civics class I would believe that.

But headlines such as "Trump signs order declaring only president and AG can interpret US law for executive branch"

Make me wonder.

¯\_(ツ)_/¯


"The executive has enforced the decision, now let him make it."


So you agree, they can say "no more elections."?

Also, as a point, I wasn't saying there would NOT be elections, but questioning whether they would be fair and not banana-republic elections.


Judges


Wrong. Most NYSE-listed companies are not incorporated in New York.


But the exchange itself is subject to a different regulatory framework. It isn’t just federal regulations that affect them.


> the exchange itself is subject to a different regulatory framework

Exchanges are subject to many regulations. Which are you referring to?

This is literally NYSE Chicago changing venues. I think James Beard just fucked off to the Windy City. Austin has better gala weather, granted.


I've been out of mobile work for a while, but looking for a cross-platform ecosystem, I've spent time in a lot of stuff, from React, to Unity, Xamarin, and Uno, all of these with a C# backend. But once I found Dart/Flutter it was a game changer. I still like my JS/TS, I still love C#, Dart is interesting, but their cross-platform workflow is imho the best.


Try Tiram.AI, which can generate a full-fledged Flutter mobile app from just your voice.

Check this out:

https://news.ycombinator.com/item?id=43023103


It appears to use dlib and that's been around for a while; last I used it, it was CPU only.


Also the 910 area code


Apropos of nothing in particular... that brings back a memory (I used to dispatch for a 911 center in the 910 area code). You get some weird stuff in 911 centers sometimes (go figure, right?). In this case, the thing that sticks in my mind is this payphone that used to be on Bald Head Island by the gazebo. It apparently developed some sort of intermittent fault (possibly due to exposure to salt air, but who really knows?) where it would occasionally call 911 on its own. Or at least that seemed to be the case. We'd occasionally get a call from it, with no one speaking on the other end, and we'd send BHI public safety out there and they wouldn't find anybody around it.

Now you might speculate that it was kids playing or something, but based on the time(s) of the calls, the demographics of the island, etc. we always believed it was just some sort of phone malfunction.


Wild! I wonder if the line was shorting out and pulse-dialing random numbers, and it just happened to be 911 sometimes, but that's a total shot in the dark. (I vaguely thought payphones had some kind of special connection to the CO, not like a normal phone line you can just DTMF or pulse dial on, but maybe that's made up.)


Some payphones (at least around here) had special buttons that would one-click dial fire/police/ambulance, with no payment required of course.

It's not unbelievable to me that water could get into one of these and "short out" one of these buttons.


That was my first thought. In NZ, 911 has redirected to our emergency number 111 for about 25 years now, but before that, 911 led to a recorded message telling you to hang up and dial 111. I found this out by getting there by accident by pressing the hang-up button a lot of times quickly (for curiosity reasons). In NZ pulse coding for 911 is 1 pulse, then 9 pulses, then 9 again (our rotary dials going the other way is why we use an emergency number starting with 1). I probably pressed the hang-up button once, then decided to press it a bunch more times.


> (I vaguely thought payphones had some kind of special connection to the CO, not like a normal phone line you can just DTMF or pulse dial on, but maybe that's made up.)

FWIW, at one time (relative to here in the US at least) there were at least two different major "kinds" of payphones: COCOTs (Customer Owned Coin Operated Telephones)[1] and what I call (for lack of a better term) "telephone company payphones", the latter being owned and controlled by the local telco. Part of the difference is how signaling works. For a COCOT, it is the case that the line is a plain-Jane line, that you could - ahem cough theoretically cough - beige box onto and dial calls using DTMF or pulse dialing. For those phones, the "magic" that made it a "pay" phone was inside the phone itself. For the "telephone company payphones" the line was configured differently and tones were sent in-band over the line to tell the switch that the coins had been deposited. This is the idea behind the old "red box" notion of recording the coin tones and playing them back to get free calls.

So yeah, a COCOT line could almost certainly be subject to something like random shorts being interpreted as pulse dialing and could possibly call 911. For a telephone company payphone I'm less sure if those supported pulse dialing or not. The lack of coin tones shouldn't matter since calls to 911 are always free, but I'm not sure if the line was different in other ways as well, or not.

Which one the BHI phone was, I never knew. But this was in the late 90's and by then a lot of the old skool telephone company payphones had disappeared in favor of COCOTs, so if I had to guess, I'd guess it was a COCOT.

[1]: https://payphone411.com/cocot.html
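The comments above describe a line fault being read by the switch as pulse dialing (and the NZ comment notes that the Kiwi dial sends 1, 9, 9 pulses for 911). The decoder below is an added example, not code from any commenter on this page: it turns a timeline of hook-state transitions into digits under both the North American and the reversed NZ convention, flags a digit containing an out-of-tolerance break, and treats a long open loop as a hang-up. The timing tolerances and the fault traces are constructed assumptions for illustration, not any carrier's specification.

```python
# Added example: loop-disconnect ("pulse") dial decoder over hook-state transitions.
# Timing constants are assumptions chosen for illustration, not a carrier spec.
from typing import List, Tuple

Transition = Tuple[float, bool]      # (seconds, loop_closed); True = off-hook

PULSE_MIN, PULSE_MAX = 0.030, 0.120  # assumed acceptable length of one loop break
INTER_DIGIT_GAP = 0.200              # closed loop longer than this separates digits
ON_HOOK_MIN = 1.000                  # an open loop this long is a real hang-up


def pulses_to_digit(pulses: int, nz: bool = False) -> int:
    """North American dials send N pulses for digit N (10 for 0); the New Zealand
    dial runs the other way: 10-N pulses for digit N (1 pulse for 9, 9 for 1)."""
    if not 1 <= pulses <= 10:
        raise ValueError("a digit is 1..10 pulses")
    return (10 - pulses) % 10 if nz else pulses % 10


def loop_breaks(transitions: List[Transition]) -> List[Tuple[float, float]]:
    """Reduce a hook-state timeline to (start, duration) of each open-loop interval."""
    breaks, open_at = [], None
    for t, closed in transitions:
        if not closed and open_at is None:
            open_at = t
        elif closed and open_at is not None:
            breaks.append((open_at, t - open_at))
            open_at = None
    return breaks


def decode(transitions: List[Transition], nz: bool = False) -> str:
    """Decode dialed digits. '?' marks a digit that contained an out-of-tolerance
    break (or too many pulses); '/' marks a hang-up."""
    digits, count, clean, last_end = [], 0, True, None

    def flush():
        nonlocal count, clean
        if count:
            ok = clean and count <= 10
            digits.append(str(pulses_to_digit(count, nz)) if ok else "?")
        count, clean = 0, True

    for start, dur in loop_breaks(transitions):
        if last_end is not None and start - last_end > INTER_DIGIT_GAP:
            flush()                      # quiet loop: previous digit is complete
        if dur >= ON_HOOK_MIN:
            flush()
            digits.append("/")           # caller (or fault) went on-hook
            last_end = None
            continue
        if not PULSE_MIN <= dur <= PULSE_MAX:
            clean = False                # flicker or stuck relay, not a dial pulse
        count += 1
        last_end = start + dur
    flush()
    return "".join(digits)


def trace(bursts: List[Tuple[float, List[float]]], make: float = 0.040) -> List[Transition]:
    """Constructed timeline: each burst is (pause_before, [break durations]),
    starting off-hook at t=0 with `make` seconds of closed loop between breaks."""
    seq, t = [(0.0, True)], 0.0
    for pause, durs in bursts:
        t += pause
        for d in durs:
            seq += [(t, False), (t + d, True)]
            t += d + make
    return seq


def dial(number: str, nz: bool = False, brk: float = 0.060) -> List[Transition]:
    """Constructed clean dial of `number` under the chosen convention."""
    bursts = [(0.400, [brk] * (10 - int(c) if nz else (int(c) or 10))) for c in number]
    return trace(bursts)


if __name__ == "__main__":
    # Constructed fault trace: a chattering pair that happens to break 9, 1, 1 times.
    chatter = trace([(2.0, [0.05] * 9), (0.35, [0.06]), (0.35, [0.07])])
    print(decode(chatter))                             # 911
    print(decode(dial("911", nz=True), nz=True))       # 911 (1, 9, 9 pulses)
    print(decode(dial("911", nz=True)))                # 199 if read as a US dial
    print(decode(trace([(1.0, [0.05, 0.005, 0.05])]))) # ? (5 ms flicker inside a digit)
    print(decode(trace([(1.0, [0.05] * 3), (0.3, [1.5])])))  # 3/ (then hang-up)
```

The NZ lines show why the reversed dial matters for the 911 story: the same three bursts of 1, 9 and 9 breaks decode as 911 on a Kiwi switch and as 199 on a North American one, so which number a fault "dials" depends entirely on the switch's convention, not on the fault.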


That makes sense! I've heard the telco/COCOT distinction before, but never summarized quite so succinctly.


I do IT support for a 911 center. We get about one of these per month coming from landlines on the ILEC's old copper cable plant.

On one serendipitous occasion the fault came from a school district I also support. The fault came from a contingency landline kept around in case the VoIP phone system lost digital PSTN connectivity. I was able to plug in to the line w/ a butt set and hear clicky, buzzy, nightmarishly bad PSTN sounds through it.

We turned it over to the ILEC and they "fixed" it. Given the number of "roadkill" splice pedestals I see in my area I feel pretty confident the ILEC isn't doing any maintenance of the copper cable plant at all. (It makes me pretty irritated, considering the favorable tax subsidies they received to build it.)


> Given the number of "roadkill" splice pedestals I see in my area I feel pretty confident the ILEC isn't doing any maintenance of the copper cable plant at all.

Yep. In a number of places the old ILECs have publicly declared their intention to deprecate the old copper-based PSTN. In other areas, they seem to be practicing a sort of "malicious neglect" and just letting it decay on the vine, to avoid spending money on maintenance.


That's a good start on a good horror or thriller story.


It's unrelated (as far as I know) but in an interesting bit of synchronicity, a BHI public safety officer died under somewhat mysterious/controversial circumstances somewhere in that area. It was a few years after I moved out of the area and I'm not familiar with all of the details.

https://crimejunkiepodcast.com/mysterious-death-davina-buff-...

https://www.southernfriedtruecrime.com/38-officer-davina-buf...

https://portcitydaily.com/local-news/2013/12/17/brunswick-da...

