a+ troll. -Travis
On Sun, Oct 31, 2010 at 9:24 AM, Christian Sciberras <[email protected]>wrote: > Only thing, there's the danger of someone using stolen certificates. > But I'm sure there's another fix for that. > > In my opinion, all in all, you're creating a yet another overly complex > system with as yet more possible flaws. > Don't forget tat each new line of code is a potential attack vector which > affects any system. > > Just my 2 cents... > > Chris. > > > > On Sun, Oct 31, 2010 at 1:09 PM, Mario Vilas <[email protected]> wrote: > >> Just signing the update packages prevents this attack, so it's not that >> hard to fix. >> >> On Sat, Oct 30, 2010 at 5:02 PM, <[email protected]> wrote: >> >>> On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said: >>> > It's now a time for vendors to re-consider their updating scheme. >>> >>> And do what differently, exactly? >>> >>> OK, so it's *possible* to fake out the iTunes update process. But which >>> is easier >>> and more productive: >>> >>> A) Laying in wait for some random to think "Wow, I should update iTunes" >>> and >>> hijack the process. >>> >>> B) Send out a few hundred thousand spam with a ' >>> From:[email protected]<from%[email protected]> >>> ' >>> with a link to a site you control and feed the the sheep some malware. >>> >>> Evilgrade looks like a nice tool to have if you're doing a pen test or a >>> targeted attack and can somehow get the victim to do an update (possibly >>> social >>> engineering), but for any software vendor feeding software updates to Joe >>> Sixpack this threat model is *so* far down the list it isn't funny. >>> Simply >>> compare the number of boxes pwned by (A) and (B) - how many people have >>> gotten >>> pwned because somebody hijacked their update from Symantec or wherever, >>> compared to the number pwned because they got a popup that said "Your >>> computer >>> is infected, click here to fix it"? >>> >>> Remember - just because a new tool useful for an attacker shows up, does >>> *not* >>> mean it's a game changer for the industry at large. >>> >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >> >> -- >> HONEY: I want to… put some powder on my nose. >> GEORGE: Martha, won’t you show her where we keep the euphemism? >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on http://pastebin.com/f6fd606da
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
