mailing list archives
Re: Evilgrade 2.0 - the update explotation framework is back
From: Valdis.Kletnieks () vt edu
Date: Sun, 31 Oct 2010 10:40:01 -0400
On Sun, 31 Oct 2010 14:24:59 BST, Christian Sciberras said:
In my opinion, all in all, you're creating a yet another overly complex
system with as yet more possible flaws.
Don't forget tat each new line of code is a potential attack vector which
affects any system.
Amen to that.
A more subtle issue is the tradeoff issue: Any time they have a code engineer
spending time building and feeding that code-signing infrastructure is time that
code engineer *isn't* spending writing actual new features the users *want*.
Which user-requested feature are you going to heave over the side in order to
do code-signing instead? That question has to enter into the calculus as well.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/