lists.openwall.net
From: and-bugtraq at doxdesk.com (Andrew Clover)
Subject: [Bogus] Microsoft Authenticode™ webcam viewer plugin

Nick FitzGerald <nick@...us-l.demon.co.uk> wrote:

> Does their AUP/ToS/etc require that their certs not be used for such
> things??

I believe - and I haven't seen the agreement myself - that it says the
signer's code may not be 'malicious'.

This is of course difficult to define. If the software installs
underhandedly, pops up porn and leaks browsing habits, but its primary
purpose is to make money for the attacker rather than the malice of
causing harm to the user, does it count as malicious?

> Ownership of a certificate simply means that someone stumped up the
> cash (for a Thawte code signing cert that is about US$100/year) and the
> CA was "suitably convinced" that they really were (or genuinely
> represented) who they said they were (or represented).

Indeed. Unfortunately the "identity" is expressed as an arbitrary
string which is of no use to anyone. There's a little further information
in the cert, which the ActiveX download process does not allow to be
shown, but not nearly enough to track down the real authors and hold them
to account.

> an Authenticode "all clear" means that if you were stupid enough to
> "trust" (in the big sense) a piece of signed code the CA can help you
> locate the rat-bag who signed it should you want to fry their balls...

Unfortunately this has turned out not to be the case with Thawte at least,
who refused to disclose details for miscreants like the infamous Xupiter.

> That Authenticode has been "sold" (and worse, accepted by some) as anything
> else but a poor-man's excuse for "nothing much" is somewhere between really
> sad and criminal...

Quite agree. And of course half the pages that use ActiveX downloads promote
this with text claiming that Authenticode guarantees the code's safety.

ObOriginalTopic: tl4000 has been around for about 4 months now AFAICR. By
the same people as the original 'TIBS' dialler, but code is unrelated. Same
aggressive installation tactics.

-- 
Andrew Clover
mailto:and@...desk.com
http://www.doxdesk.com/
