echo: nthelp
to: Mike N.
from: Rich
date: 2006-09-08 09:02:20
subject: Re: Code signing

    Why did you edit away part of my reply and the statements to which they respond that make clear that the subject is not what you spin in your message.  I'll remind you in case you have something to say on topic.  Note that the signing to which you refer is a great example of where the user can make a trust decision.

Rich

    "Rich" wrote in message news:4500ee78$1{at}w3.nls.net...
       No.  You look at the signing certificate to see if you trust both the signing party and the certification path.  If you do not, do not trust the signed entity.  If something is not signed, you don't have even this option.  How do you choose what to trust?

       The average Joe relies on the identity of the signing party alone and assumes that the certification authorities that are not distrusted have been vetted.

       In practice, have you ever known this to be a problem with signed code?  How much actual malware do you hear of that is signed?  I can't think of any that wasn't some PR stunt by someone that signed a demo which he released under his own name anyway.

    Rich

      "Antti Kurenniemi" wrote in message news:450054c1{at}w3.nls.net...

      The concept of "signed" executables / activex / whatnot makes me want to slap someone every time I see it mentioned. Yeah, sure, it's signed - now what? Should I visit Redmond to ask someone if they really signed this, or if this is just a trick - a message box saying this executable is signed? The rate at which these new "improvements" keep popping up is such that no average Joe can ever really know if he's being fooled or if it really is legit...

      Antti Kurenniemi

  "Mike N." wrote in message news:pnj2g29u6tgjufkn0s6vmuher5quibj0f0{at}4ax.com...
  On Thu, 7 Sep 2006 21:13:07 -0700, "Rich" wrote:

  >   In practice, have you ever known this to be a problem with signed code?
  >How much actual malware do you hear of that is signed?
  >I can't think of any that wasn't some PR stunt by someone that signed a
  >demo which he released under his own name anyway.

     Adware uses this quite frequently to get in.

  http://www.symantec.com/avcenter/reference/techniques.of.adware.and.spyware.pdf#search=%22%22signed%20activex%22%20adware%22

    Check out page 10 from spazbox.net

   The dialer below qualifies as malware.  Although you get a prompt because of date expiration, the certificate chain is not shown, so it's not clear if there would have been a warning before -
  http://www.symantec.com/security_response/print_writeup.jsp?docid=2004-121917-5031-99

     It's clear that signing is only an extra step for malware writers, not an obstacle.   If it becomes necessary to sign malware - under Vista for example, there is no reason to expect that it won't be signed.
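The thread's point is that a signature only tells you who signed, and that the Windows prompt shows the expiry but not the certification path the user would need to make the trust decision Rich describes. The following PowerShell script is an added example, not code from anyone in this thread: it reads a file's Authenticode signature with Get-AuthenticodeSignature, builds the full chain with the Code Signing application policy and online revocation checking, prints every element with its status, notes whether a timestamp countersignature exists, and then compares the signer against an allow-list of publisher thumbprints. The $Path parameter and the $TrustedPublisherThumbprints list (with its placeholder value) are assumptions for the example; Windows PowerShell 5.1 or later on Windows is assumed.

```powershell
# Added example (not from this thread): show the signer AND the certification
# path of a signed Windows file, which the "is this signed?" prompt does not.
# Assumes Windows PowerShell 5.1+ and a file path passed as $Path.
param([Parameter(Mandatory = $true)][string]$Path)

# Hypothetical allow-list: thumbprints of publishers *you* have decided to trust.
# Placeholder value; replace with thumbprints you have verified yourself.
$TrustedPublisherThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_A_PUBLISHER_YOU_TRUST'
)

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output "File   : $Path"
Write-Output "Status : $($sig.Status) - $($sig.StatusMessage)"

if ($null -eq $sig.SignerCertificate) {
    # Unsigned: as the thread says, there is nothing here to base a decision on.
    Write-Output "Not signed: no signer certificate to evaluate."
    return
}

$cert = $sig.SignerCertificate
Write-Output "Signer : $($cert.Subject)"
Write-Output "Issuer : $($cert.Issuer)"
Write-Output "Valid  : $($cert.NotBefore) to $($cert.NotAfter)"
Write-Output "Thumb  : $($cert.Thumbprint)"

# A countersignature timestamp keeps a signature valid after the certificate
# expires; without one, an expired certificate produces the expiry prompt.
if ($null -ne $sig.TimeStamperCertificate) {
    Write-Output "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Output "No timestamp countersignature."
}

# Build the full certification path with the Code Signing application policy
# and online revocation checking, then print every element and its status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
[void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)
$chainOk = $chain.Build($cert)

Write-Output "Chain builds without errors: $chainOk"
$depth = 0
foreach ($element in $chain.ChainElements) {
    Write-Output ("  [{0}] {1}" -f $depth, $element.Certificate.Subject)
    foreach ($st in $element.ChainElementStatus) {
        Write-Output ("       {0}: {1}" -f $st.Status, $st.StatusInformation.Trim())
    }
    $depth++
}

# The trust decision itself: a valid chain says who signed, not whether you
# trust them. Only an explicit decision about the publisher answers that.
if ($TrustedPublisherThumbprints -contains $cert.Thumbprint) {
    Write-Output "Publisher is on your allow-list."
} else {
    Write-Output "Publisher is NOT on your allow-list: decide before running this file."
}
```

Run it as `.\Inspect-Signature.ps1 -Path C:\path\to\file.exe` (script name assumed). A chain that builds cleanly under a trusted root still only establishes identity; the last block is where the user, not the certification authority, decides whether that identity is one they trust.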
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com