Full Disclosure mailing list archives

Re: Evilgrade 2.0 - the update explotation framework is back


From: Christian Sciberras <uuf6429 () gmail com>
Date: Sun, 31 Oct 2010 19:44:49 +0100

Christian, Vladis, are you the same person?

[sarcasm] Yes we are, it's a personality disorder issue. ;-) [/sarcasm]

what are your motives?

What would one's be a motive to a discussion?

do you really believe the things you are saying?

[sarcasm] No, I was just trying to sound cool going against most FD readers
out there. [/sarcasm]

you seem to be just generally negative, jumping from point to point and
being very silly.

Negative? Is asking a change in the "standards saves us" religion, being
negative?
What seems silly to you might be sane and true to the rest of the world.
Oh and, maybe you're overly meditative to see several points in my
post....let me confess something....
there was only ONE point.

there is a REAL attack vector that needs to be fixed, and you are saying
that it shouldn't be fixed as every
line of code creates a POTENTIAL attack vector?

Remember stuxnet? and it's use of stolen certificates?

a signing key might be stolen, so we shouldn't use it?

I've never said it's not.

do you use passwords chris? why? they might be stolen?

Yes, I do. Ever heard of hacking/stealing an account?

you can't possibly believe that?

Uhm, yes I do.

I'm wondering what's going on?
are you payed list-posters from an evil rival company? this is the only
idea I have.

Wow, so daft. Is someone on this damned list entitled to an opinion or a
fair discussion?
As to your theory, one question, which rival company (to those companies)?



I think that you're mostly confused as to what the point is. There are
places where code
should be signed and there are places where it shouldn't.
Evilgrade did reveal that some of these places aren't as they should, but
this does not
mean any and all sorts of updates should be signed.

The trade-of Valdis mentioned is one of my main deterrents to create such an
updating
system; why would I hand out the money for code signing when the ROI doesn't
even cover it??

One thing, you ought to think on; why aren't user-based sites ask for a PGP
signature?
Why do they use a simple password mechanism (if at all)?


PS: Keep up with the conspiracy theories, got to love 'em.


Cheers,
Chris.





On Sun, Oct 31, 2010 at 5:07 PM, [lesh] Ivan Nikolic <lesh () sysphere org>wrote:

Hm, I'm new to this list. so I find this a bit strange.

Christian, Vladis, are you the same person?
what are your motives?
do you really believe the things you are saying?
you seem to be just generally negative, jumping from point to point and
being very silly.

"Just signing the update packages prevents this attack, so it's not that
hard to fix."

In my opinion, all in all, you're creating a yet another overly complex
system with as yet more possible flaws.
Don't forget tat each new line of code is a potential attack vector
which
affects any system.

there is a REAL attack vector that needs to be fixed, and you are saying
that it shouldn't be fixed as every
line of code creates a POTENTIAL attack vector?

Only thing, there's the danger of someone using stolen certificates.

a signing key might be stolen, so we shouldn't use it?
do you use passwords chris? why? they might be stolen?
you can't possibly believe that?

Amen to that.

A more subtle issue is the tradeoff issue:  Any time they have a code
engineer
spending time building and feeding that code-signing infrastructure is
time that
code engineer *isn't* spending writing actual new features the users
*want*.

code-signing infrastructure? ofcourse, code for those things is well known,
packed in libraries,
and trivial to use. ofcourse. and...
and bla.
I could go on, but probbably the whole list is aware of those things.

I'm wondering what's going on?
are you payed list-posters from an evil rival company? this is the only
idea I have.

* Valdis.Kletnieks () vt edu (Valdis.Kletnieks () vt edu) wrote:
On Sun, 31 Oct 2010 14:24:59 BST, Christian Sciberras said:

In my opinion, all in all, you're creating a yet another overly complex
system with as yet more possible flaws.
Don't forget tat each new line of code is a potential attack vector
which
affects any system.

Amen to that.

A more subtle issue is the tradeoff issue:  Any time they have a code
engineer
spending time building and feeding that code-signing infrastructure is
time that
code engineer *isn't* spending writing actual new features the users
*want*.

Which user-requested feature are you going to heave over the side in
order to
do code-signing instead?  That question has to enter into the calculus as
well.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


--
PGP 0x96085C00 http://lesh.sysphere.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread: