Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Evilgrade 2.0 - the update explotation framework is back
From: Valdis.Kletnieks () vt edu
Date: Sun, 31 Oct 2010 10:40:01 -0400

On Sun, 31 Oct 2010 14:24:59 BST, Christian Sciberras said:

In my opinion, all in all, you're creating a yet another overly complex
system with as yet more possible flaws.
Don't forget tat each new line of code is a potential attack vector which
affects any system.

Amen to that.

A more subtle issue is the tradeoff issue:  Any time they have a code engineer
spending time building and feeding that code-signing infrastructure is time that
code engineer *isn't* spending writing actual new features the users *want*.

Which user-requested feature are you going to heave over the side in order to
do code-signing instead?  That question has to enter into the calculus as well.

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]