Open Source and information security mailing list archives
From: and-bugtraq at doxdesk.com (Andrew Clover)
Subject: [Bogus] Microsoft Authenticode(TM) webcam viewer plugin

Nick FitzGerald <nick@...us-l.demon.co.uk> wrote:

> Does their AUP/ToS/etc require that their certs not be used for such
> things??

I believe - and I haven't seen the agreement myself - that it says the
signer's code may not be 'malicious'. This is of course difficult to
define. If the software installs underhandedly, pops up porn and leaks
browsing habits, but its primary purpose is to make money for the
attacker rather than the malice of causing harm to the user, does it
count as malicious?

> Ownership of a certificate simply means that someone stumped up the
> cash (for a Thawte code signing cert that is about US$100/year) and the
> CA was "suitably convinced" that they really were (or genuinely
> represented) who they said they were (or represented).

Indeed. Unfortunately the "identity" is expressed as an arbitrary string
which is of no use to anyone. There's a little further information in
the cert, which the ActiveX download process does not allow to be shown,
but not nearly enough to track down the real authors and hold them to
account.

> an Authenticode "all clear" means that if you were stupid enough to
> "trust" (in the big sense) a piece of signed code the CA can help you
> locate the rat-bag who signed it should you want to fry their balls...

Unfortunately this has turned out not to be the case with Thawte at
least, who refused to disclose details for miscreants like the infamous
Xupiter.

> That Authenticode has been "sold" (and worse, accepted by some) as anything
> else but a poor-man's excuse for "nothing much" is somewhere between really
> sad and criminal...

Quite agree. And of course half the pages that use ActiveX downloads
promote this with text claiming that Authenticode guarantees the code's
safety.

ObOriginalTopic: tl4000 has been around for about 4 months now AFAICR.
By the same people as the original 'TIBS' dialler, but code is
unrelated. Same aggressive installation tactics.

-- 
Andrew Clover
mailto:and@...desk.com
http://www.doxdesk.com/