[Dailydave] NSRL status check

[Joanna Rutkowska]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dan at geer.org wrote:
> The National Software Reference Library has or had a listing of the
> hash values for known good software, known good in the sense of
> what is on installation media or what otherwise still has its
> integrity intact.
> 
> I say "has or had" as on first glance it appears that this listing
> is stationary since sometime in 2004.  Would someone here know the
> history and fate of this list?  On the face of it such a list seems
> useful in forensic situations at least.
> 

Instead of white-listing all the good executables (which is of course
much better then listing all the bad ones, but scales very poor as well)
it would be much better, IMO, to require that all vendors sign their
executables with a certificate. That could be even a self-signed
certificate - the point is that we could then list all the certificates
that we trust. In other words we would have a list of all the software
vendors we trust together with fingerprints for the certificates they
use for signing their programs.

Yes, I know that all the paranoid people would say: "software vendors
can not be trusted!". But that's actually what it is - a paranoia ;) And
it's better to trust software vendors that your A/V vendors ;) Sorry to
all A/V vendors - it's nothing personal - I just don't believe in
blacklisting :/

joanna.
-----BEGIN PGP SIGNATURE-----

iD8DBQFFfqKTORdkotfEW84RAlnyAKD6Dxdz2Sgq3lnFmWtOoYsFr9lA3gCgif7B
LWE1Rt4y+oU/ciS/Oky1fdw=
=E3pZ
-----END PGP SIGNATURE-----