Full Disclosure mailing list archives
Re: Evilgrade 2.0 - the update explotation framework is back
From: Christian Sciberras <uuf6429 () gmail com>
Date: Sun, 31 Oct 2010 19:44:49 +0100
Christian, Vladis, are you the same person?
[sarcasm] Yes we are, it's a personality disorder issue. ;-) [/sarcasm]
what are your motives?
What would one's be a motive to a discussion?
do you really believe the things you are saying?
[sarcasm] No, I was just trying to sound cool going against most FD readers out there. [/sarcasm]
you seem to be just generally negative, jumping from point to point and
being very silly. Negative? Is asking a change in the "standards saves us" religion, being negative? What seems silly to you might be sane and true to the rest of the world. Oh and, maybe you're overly meditative to see several points in my post....let me confess something.... there was only ONE point.
there is a REAL attack vector that needs to be fixed, and you are saying
that it shouldn't be fixed as every
line of code creates a POTENTIAL attack vector?
Remember stuxnet? and it's use of stolen certificates?
a signing key might be stolen, so we shouldn't use it?
I've never said it's not.
do you use passwords chris? why? they might be stolen?
Yes, I do. Ever heard of hacking/stealing an account?
you can't possibly believe that?
Uhm, yes I do.
I'm wondering what's going on? are you payed list-posters from an evil rival company? this is the only
idea I have. Wow, so daft. Is someone on this damned list entitled to an opinion or a fair discussion? As to your theory, one question, which rival company (to those companies)? I think that you're mostly confused as to what the point is. There are places where code should be signed and there are places where it shouldn't. Evilgrade did reveal that some of these places aren't as they should, but this does not mean any and all sorts of updates should be signed. The trade-of Valdis mentioned is one of my main deterrents to create such an updating system; why would I hand out the money for code signing when the ROI doesn't even cover it?? One thing, you ought to think on; why aren't user-based sites ask for a PGP signature? Why do they use a simple password mechanism (if at all)? PS: Keep up with the conspiracy theories, got to love 'em. Cheers, Chris. On Sun, Oct 31, 2010 at 5:07 PM, [lesh] Ivan Nikolic <lesh () sysphere org>wrote:
Hm, I'm new to this list. so I find this a bit strange. Christian, Vladis, are you the same person? what are your motives? do you really believe the things you are saying? you seem to be just generally negative, jumping from point to point and being very silly. "Just signing the update packages prevents this attack, so it's not that hard to fix."In my opinion, all in all, you're creating a yet another overly complex system with as yet more possible flaws. Don't forget tat each new line of code is a potential attack vectorwhichaffects any system.there is a REAL attack vector that needs to be fixed, and you are saying that it shouldn't be fixed as every line of code creates a POTENTIAL attack vector?Only thing, there's the danger of someone using stolen certificates.a signing key might be stolen, so we shouldn't use it? do you use passwords chris? why? they might be stolen? you can't possibly believe that?Amen to that. A more subtle issue is the tradeoff issue: Any time they have a codeengineerspending time building and feeding that code-signing infrastructure istime thatcode engineer *isn't* spending writing actual new features the users*want*. code-signing infrastructure? ofcourse, code for those things is well known, packed in libraries, and trivial to use. ofcourse. and... and bla. I could go on, but probbably the whole list is aware of those things. I'm wondering what's going on? are you payed list-posters from an evil rival company? this is the only idea I have. * Valdis.Kletnieks () vt edu (Valdis.Kletnieks () vt edu) wrote:On Sun, 31 Oct 2010 14:24:59 BST, Christian Sciberras said:In my opinion, all in all, you're creating a yet another overly complex system with as yet more possible flaws. Don't forget tat each new line of code is a potential attack vectorwhichaffects any system.Amen to that. A more subtle issue is the tradeoff issue: Any time they have a codeengineerspending time building and feeding that code-signing infrastructure istime thatcode engineer *isn't* spending writing actual new features the users*want*.Which user-requested feature are you going to heave over the side inorder todo code-signing instead? That question has to enter into the calculus aswell._______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-- PGP 0x96085C00 http://lesh.sysphere.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Evilgrade 2.0 - the update explotation framework is back [ISR] - Infobyte Security Research (Oct 29)
- Re: Evilgrade 2.0 - the update explotation framework is back Jacky Jack (Oct 29)
- Re: Evilgrade 2.0 - the update explotation framework is back Benji (Oct 29)
- Re: Evilgrade 2.0 - the update explotation framework is back Jacky Jack (Oct 31)
- Re: Evilgrade 2.0 - the update explotation framework is back Valdis . Kletnieks (Oct 30)
- Re: Evilgrade 2.0 - the update explotation framework is back Dan Kaminsky (Oct 30)
- Re: Evilgrade 2.0 - the update explotation framework is back Mario Vilas (Oct 31)
- Re: Evilgrade 2.0 - the update explotation framework is back Christian Sciberras (Oct 31)
- Re: Evilgrade 2.0 - the update explotation framework is back Valdis . Kletnieks (Oct 31)
- Re: Evilgrade 2.0 - the update explotation framework is back [lesh] Ivan Nikolic (Oct 31)
- Re: Evilgrade 2.0 - the update explotation framework is back Christian Sciberras (Oct 31)
- Re: Evilgrade 2.0 - the update explotation framework is back Valdis . Kletnieks (Oct 31)
- Re: Evilgrade 2.0 - the update explotation framework is back Benji (Oct 29)
- Re: Evilgrade 2.0 - the update explotation framework is back Jacky Jack (Oct 29)
- Re: Evilgrade 2.0 - the update explotation framework is back Valdis . Kletnieks (Oct 31)
- Re: Evilgrade 2.0 - the update explotation framework is back Tim (Oct 31)