lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <5AC3521D.10705@security-explorations.com>
Date: Tue, 03 Apr 2018 12:06:21 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: fulldisclosure@...lists.org
Subject: [FD] [SE-2011-01] Security contact at Canal+ Group ?


Hello All,

Over the recent month we have been trying (with no success) to obtain
information from various entities regarding the replacement process of
set-top-box devices conducted by the NC+ operator in Poland [1]. The
basis of the above can be found in this message [2].

We have received a key confirmation from NC+ operator that "the goal
of a replacement process of set-top-boxes is to improve security level
of a broadcasted signal, which is a requirement of agreements signed
with content providers". However when we inquired about the basis of
charging end-users a monthly fee for a replacement process of flawed
(vulnerable to ST chipsets flaws) set-top-box devices, no response
was received.

So, we asked NC+ for an official contact at the parent company (Canal+
Group). Again, no response was received.

We asked CERT-FR (French Government Cert) for assistance and a contact
to Canal+ Group and they responded that this is not their role to pass
this information to us (CERT-FR directed us to ST, which has not been
responding to our messages / refused to provide information regarding
impact and addressing of the vulnerabilities found in their chipsets).

So, we asked Vivendi, a parent company of Canal+ Group for an official
contact where our inquiries could be sent. Again, there was no response.

Thus this message.

If anyone of you knows a security contact at Canal+ Group where we could
direct our inquiries pertaining to security / replacement process of STB
devices vulnerable to STMicroelectronics flaws, please let us know.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------

References:
[1] SE-2011-01 Vendors status
     http://www.security-explorations.com/en/SE-2011-01-status.html
[2] [SE-2011-01] Regarding liabilities in SW / HW (ST chipsets flaws)
     http://seclists.org/fulldisclosure/2018/Feb/50


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists