lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20101031160706.GH12619@sysphere.members.linode.com>
Date: Sun, 31 Oct 2010 17:07:06 +0100
From: "[lesh] Ivan Nikolic" <lesh@...phere.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Evilgrade 2.0 - the update explotation
 framework is back

Hm, I'm new to this list. so I find this a bit strange.

Christian, Vladis, are you the same person?
what are your motives?
do you really believe the things you are saying? 
you seem to be just generally negative, jumping from point to point and being very silly.

"Just signing the update packages prevents this attack, so it's not that hard to fix."

> > In my opinion, all in all, you're creating a yet another overly complex
> > system with as yet more possible flaws.
> > Don't forget tat each new line of code is a potential attack vector which
> > affects any system.

there is a REAL attack vector that needs to be fixed, and you are saying that it shouldn't be fixed as every 
line of code creates a POTENTIAL attack vector?

> Only thing, there's the danger of someone using stolen certificates.

a signing key might be stolen, so we shouldn't use it?
do you use passwords chris? why? they might be stolen?
you can't possibly believe that?

> Amen to that.
> 
> A more subtle issue is the tradeoff issue:  Any time they have a code engineer
> spending time building and feeding that code-signing infrastructure is time that
> code engineer *isn't* spending writing actual new features the users *want*.

code-signing infrastructure? ofcourse, code for those things is well known, packed in libraries, 
and trivial to use. ofcourse. and...
and bla.
I could go on, but probbably the whole list is aware of those things.

I'm wondering what's going on?
are you payed list-posters from an evil rival company? this is the only idea I have.

* Valdis.Kletnieks@...edu (Valdis.Kletnieks@...edu) wrote:
> On Sun, 31 Oct 2010 14:24:59 BST, Christian Sciberras said:
> 
> > In my opinion, all in all, you're creating a yet another overly complex
> > system with as yet more possible flaws.
> > Don't forget tat each new line of code is a potential attack vector which
> > affects any system.
> 
> Amen to that.
> 
> A more subtle issue is the tradeoff issue:  Any time they have a code engineer
> spending time building and feeding that code-signing infrastructure is time that
> code engineer *isn't* spending writing actual new features the users *want*.
> 
> Which user-requested feature are you going to heave over the side in order to
> do code-signing instead?  That question has to enter into the calculus as well.



> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


-- 
PGP 0x96085C00 http://lesh.sysphere.org

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ