[Dailydave] NSRL status check
Kevin Stadmeyer
leviticus at gmail.com
Tue Dec 12 16:49:22 EST 2006
I think the best way would be a combination of both techniques. I don't look
at it as a question of not trusting software vendors but rather a question
of degrees of comfort regarding privacy related information. It is a good
thing to verify that whoever says they wrote the software actually wrote it,
but you also need to be sure that it's doing what it's supposed to be doing
and nothing more (i.e., sending back personally identifiable information
when they say it's anonymous) which is where the user generated white list
would come in. The A/V software can pop up a box similar to SSL certs saying
"Yes it was written by X Company, but only 25% of users trust it to connect
to the internet".
I don't think that's paranoia, it's just common sense.
On 12/12/06, Joanna Rutkowska <joanna at invisiblethings.org> wrote:
>
> dan at geer.org wrote:
> > The National Software Reference Library has or had a listing of the
> > hash values for known good software, known good in the sense of
> > what is on installation media or what otherwise still has its
> > integrity intact.
> >
> > I say "has or had" as on first glance it appears that this listing
> > is stationary since sometime in 2004. Would someone here know the
> > history and fate of this list? On the face of it such a list seems
> > useful in forensic situations at least.
> >
>
> Instead of white-listing all the good executables (which is of course
> much better than listing all the bad ones, but scales very poorly as well)
> it would be much better, IMO, to require that all vendors sign their
> executables with a certificate. That could be even a self-signed
> certificate - the point is that we could then list all the certificates
> that we trust. In other words we would have a list of all the software
> vendors we trust together with fingerprints for the certificates they
> use for signing their programs.
>
> Yes, I know that all the paranoid people would say: "software vendors
> can not be trusted!". But that's actually what it is - a paranoia ;) And
> it's better to trust software vendors than your A/V vendors ;) Sorry to
> all A/V vendors - it's nothing personal - I just don't believe in
> blacklisting :/
>
> joanna.
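The combination both posts circle around, as an added Go example that is not part of this thread: an executable is checked against an NSRL-style known-good SHA-1 list and, separately, against a list of trusted vendor certificate fingerprints after its signature verifies (self-signed certificates allowed, as Joanna suggests). The vendor name, the ECDSA P-256 certificate and the executable bytes are constructed for the demo, and SHA-256 over the DER certificate is assumed as the fingerprint format.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)
// Sha1Hex is the NSRL-style per-file hash (the RDS records SHA-1 for each file).
func Sha1Hex(exe []byte) string {
	h := sha1.Sum(exe)
	return hex.EncodeToString(h[:])
}
// CertFingerprint is what a trusted-vendor list stores: SHA-256 of the DER cert (assumed format).
func CertFingerprint(cert *x509.Certificate) string {
	h := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(h[:])
}
// SelfSignCert builds a self-signed ECDSA P-256 vendor certificate (constructed for the demo).
func SelfSignCert(vendor string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: vendor},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// Sign is the vendor's ASN.1 ECDSA signature over SHA-256(exe), shipped with the executable.
func Sign(key *ecdsa.PrivateKey, exe []byte) ([]byte, error) {
	h := sha256.Sum256(exe)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}
// Check runs both lists: knownGood holds NSRL-style SHA-1 values, trustedFP holds vendor
// certificate fingerprints. Signer trust needs a valid signature AND a listed certificate.
func Check(exe, sig []byte, cert *x509.Certificate, knownGood, trustedFP map[string]bool) (bool, bool) {
	sigOK := cert.CheckSignature(x509.ECDSAWithSHA256, exe, sig) == nil
	return knownGood[Sha1Hex(exe)], sigOK && trustedFP[CertFingerprint(cert)]
}
```

A tampered file fails both tests, and a correctly signed file from a vendor whose fingerprint is not on the list fails the signer test even though its signature is valid.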