| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 31 Oct 2010 19:44:49 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: "lesh@...phere.org" <lesh@...phere.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Evilgrade 2.0 - the update explotation
framework is back
> Christian, Vladis, are you the same person?
[sarcasm] Yes we are, it's a personality disorder issue. ;-) [/sarcasm]
> what are your motives?
What would one's be a motive to a discussion?
> do you really believe the things you are saying?
[sarcasm] No, I was just trying to sound cool going against most FD readers
out there. [/sarcasm]
> you seem to be just generally negative, jumping from point to point and
being very silly.
Negative? Is asking a change in the "standards saves us" religion, being
negative?
What seems silly to you might be sane and true to the rest of the world.
Oh and, maybe you're overly meditative to see several points in my
post....let me confess something....
there was only ONE point.
> there is a REAL attack vector that needs to be fixed, and you are saying
that it shouldn't be fixed as every
> line of code creates a POTENTIAL attack vector?
Remember stuxnet? and it's use of stolen certificates?
> a signing key might be stolen, so we shouldn't use it?
I've never said it's not.
> do you use passwords chris? why? they might be stolen?
Yes, I do. Ever heard of hacking/stealing an account?
> you can't possibly believe that?
Uhm, yes I do.
> I'm wondering what's going on?
> are you payed list-posters from an evil rival company? this is the only
idea I have.
Wow, so daft. Is someone on this damned list entitled to an opinion or a
fair discussion?
As to your theory, one question, which rival company (to those companies)?
I think that you're mostly confused as to what the point is. There are
places where code
should be signed and there are places where it shouldn't.
Evilgrade did reveal that some of these places aren't as they should, but
this does not
mean any and all sorts of updates should be signed.
The trade-of Valdis mentioned is one of my main deterrents to create such an
updating
system; why would I hand out the money for code signing when the ROI doesn't
even cover it??
One thing, you ought to think on; why aren't user-based sites ask for a PGP
signature?
Why do they use a simple password mechanism (if at all)?
PS: Keep up with the conspiracy theories, got to love 'em.
Cheers,
Chris.
On Sun, Oct 31, 2010 at 5:07 PM, [lesh] Ivan Nikolic <lesh@...phere.org>wrote:
> Hm, I'm new to this list. so I find this a bit strange.
>
> Christian, Vladis, are you the same person?
> what are your motives?
> do you really believe the things you are saying?
> you seem to be just generally negative, jumping from point to point and
> being very silly.
>
> "Just signing the update packages prevents this attack, so it's not that
> hard to fix."
>
> > > In my opinion, all in all, you're creating a yet another overly complex
> > > system with as yet more possible flaws.
> > > Don't forget tat each new line of code is a potential attack vector
> which
> > > affects any system.
>
> there is a REAL attack vector that needs to be fixed, and you are saying
> that it shouldn't be fixed as every
> line of code creates a POTENTIAL attack vector?
>
> > Only thing, there's the danger of someone using stolen certificates.
>
> a signing key might be stolen, so we shouldn't use it?
> do you use passwords chris? why? they might be stolen?
> you can't possibly believe that?
>
> > Amen to that.
> >
> > A more subtle issue is the tradeoff issue: Any time they have a code
> engineer
> > spending time building and feeding that code-signing infrastructure is
> time that
> > code engineer *isn't* spending writing actual new features the users
> *want*.
>
> code-signing infrastructure? ofcourse, code for those things is well known,
> packed in libraries,
> and trivial to use. ofcourse. and...
> and bla.
> I could go on, but probbably the whole list is aware of those things.
>
> I'm wondering what's going on?
> are you payed list-posters from an evil rival company? this is the only
> idea I have.
>
> * Valdis.Kletnieks@...edu (Valdis.Kletnieks@...edu) wrote:
> > On Sun, 31 Oct 2010 14:24:59 BST, Christian Sciberras said:
> >
> > > In my opinion, all in all, you're creating a yet another overly complex
> > > system with as yet more possible flaws.
> > > Don't forget tat each new line of code is a potential attack vector
> which
> > > affects any system.
> >
> > Amen to that.
> >
> > A more subtle issue is the tradeoff issue: Any time they have a code
> engineer
> > spending time building and feeding that code-signing infrastructure is
> time that
> > code engineer *isn't* spending writing actual new features the users
> *want*.
> >
> > Which user-requested feature are you going to heave over the side in
> order to
> > do code-signing instead? That question has to enter into the calculus as
> well.
>
>
>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> PGP 0x96085C00 http://lesh.sysphere.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists