a+ troll.
-Travis
On Sun, Oct 31, 2010 at 9:24 AM, Christian Sciberras uuf6...@gmail.com wrote:
Only thing, there's the danger of someone using stolen certificates.
But I'm sure there's another fix for that.
In my opinion, all in all, you're creating yet another overly complex
system with
Don't troll people, troll!
On Tue, Nov 2, 2010 at 3:09 PM, T Biehn tbi...@gmail.com wrote:
a+ troll.
-Travis
On Sun, Oct 31, 2010 at 9:24 AM, Christian Sciberras uuf6...@gmail.com wrote:
Only thing, there's the danger of someone using stolen certificates.
But I'm sure there's another
It would indeed be vulnerable to that, and you're also right about this
attack vector being quite small.
But IMHO an updates mechanism that signs its packages is quite easy to
implement, so we're talking about getting a tangible benefit from a small
effort. Preventing the signing key from being
On Sun, Oct 31, 2010 at 10:36 AM, valdis.kletni...@vt.edu wrote:
On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:
Just signing the update packages prevents this attack, so it's not that hard
to fix.
Except if a signing key gets compromised, as happened to one Linux vendor
recently,
No, he's just saying that a bank might be accidentally broken and
robbed accidentally. Of course
On Mon, Nov 1, 2010 at 4:13 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Sun, Oct 31, 2010 at 10:36 AM, valdis.kletni...@vt.edu wrote:
On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas
On Mon, Nov 1, 2010 at 12:26 PM, Jhfjjf Hfdsjj taser3...@yahoo.com wrote:
On Sun, Oct 31, 2010 at 10:36 AM, valdis.kletni...@vt.edu wrote:
On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:
Just signing the update packages prevents this attack, so it's not that hard
to fix.
Except if a
On Sun, Oct 31, 2010 at 10:36 AM, valdis.kletni...@vt.edu wrote:
On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:
Just signing the update packages prevents this attack, so it's not that hard
to fix.
Except if a signing key gets compromised, as happened to one Linux vendor
recently,
I do not believe anyone is 'proposing' anything. All he said was that package
signing should not be taken as a silver bullet, for experience has shown that
the keys themselves are capable of being compromised if a vendor is
successfully attacked.
Exactly what I would expect from *.edu
I
Just signing the update packages prevents this attack, so it's not that hard
to fix.
On Sat, Oct 30, 2010 at 5:02 PM, valdis.kletni...@vt.edu wrote:
On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said:
It's now a time for vendors to re-consider their updating scheme.
And do what
Only thing, there's the danger of someone using stolen certificates.
But I'm sure there's another fix for that.
In my opinion, all in all, you're creating yet another overly complex
system with as yet more possible flaws.
Don't forget that each new line of code is a potential attack vector which
On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:
Just signing the update packages prevents this attack, so it's not that hard
to fix.
Except if a signing key gets compromised, as happened to one Linux vendor
recently, causing a lot of kerfluffle... Setting up a proper signing system
On Sun, 31 Oct 2010 14:24:59 BST, Christian Sciberras said:
In my opinion, all in all, you're creating yet another overly complex
system with as yet more possible flaws.
Don't forget that each new line of code is a potential attack vector which
affects any system.
Amen to that.
A more
Hm, I'm new to this list, so I find this a bit strange.
Christian, Vladis, are you the same person?
what are your motives?
do you really believe the things you are saying?
you seem to be just generally negative, jumping from point to point and being
very silly.
Just signing the update packages
Christian, Vladis, are you the same person?
[sarcasm] Yes we are, it's a personality disorder issue. ;-) [/sarcasm]
what are your motives?
What would one's be a motive to a discussion?
do you really believe the things you are saying?
[sarcasm] No, I was just trying to sound cool going
It's now a time for vendors to re-consider their updating scheme.
And do what differently, exactly?
To name a few, developers can do code signing, ssl certificates
verification like our favorite Firefox and methods used by AV vendors.
There have been cheap/free SSL certificate vendors like
Valdis,
I've read all of your postings on this thread and I just don't buy
what you're saying.
Except if a signing key gets compromised, as happened to one Linux vendor
recently, causing a lot of kerfluffle... Setting up a proper signing system
involves a certain amount of actual cost and
On Sun, 31 Oct 2010 17:07:06 BST, [lesh] Ivan Nikolic said:
Christian, Vladis, are you the same person?
Nope, as far as I know...
what are your motives?
Can't speak for Christian, I'm just here trying to counterbalance all
the ZOMG it needs to be More Secure - quite often that's a knee-jerk
On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said:
It's now a time for vendors to re-consider their updating scheme.
And do what differently, exactly?
OK, so it's *possible* to fake out the iTunes update process. But which is
easier and more productive:
A) Laying in wait for some random to
On Sat, Oct 30, 2010 at 8:02 AM, valdis.kletni...@vt.edu wrote:
On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said:
It's now a time for vendors to re-consider their updating scheme.
And do what differently, exactly?
We really need autoupdate baked into the platform.
A) Laying in wait for
[ISR] - Infobyte Security Research
ISR-evilgrade | www.infobytesec.com
Infobyte Security Research is pleased to announce the release of evilgrade 2.0
with a lot of new modules and a bunch of squashed bugs.
[-] RELEASE DETAILS
BRIEF OVERVIEW
Evilgrade is a modular framework that allows the user
It's now a time for vendors to re-consider their updating scheme.
On Fri, Oct 29, 2010 at 6:25 PM, [ISR] - Infobyte Security Research
nore...@infobytesec.com wrote:
[ISR] - Infobyte Security Research
ISR-evilgrade | www.infobytesec.com
Infobyte Security Research is pleased to announce the
Actually, that time probably would've been a v1, but I'm fine with it being
left as it is.
On Fri, Oct 29, 2010 at 9:43 PM, Jacky Jack jacksonsmth...@gmail.com wrote:
It's now a time for vendors to re-consider their updating scheme.
On Fri, Oct 29, 2010 at 6:25 PM, [ISR] - Infobyte Security