Dailydave mailing list archives

Re: NSRL status check

From: "Kevin Stadmeyer" <leviticus () gmail com>
Date: Tue, 12 Dec 2006 16:49:22 -0500

I think the best way would be a combination of both techniques. I don't look
at it as a question of not trusting software vendors but rather a question
of degrees of comfort regarding privacy related information. It is a good
thing to verify that whoever says they wrote the software actually wrote it,
but you also need to be sure that its doing what its supposed to be doing
and nothing more (i.e., sending back personally identifiable information
when they say its anonymous) which is where the user generated white list
would come in. The A/V software can pop up a box similar to SSL certs saying
"Yes it was written by X Company, but only 25% of users trust it to connect
to the internet"

I dont think that's paranoia, its just common sense.

On 12/12/06, Joanna Rutkowska <joanna () invisiblethings org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dan () geer org wrote:
> The National Software Reference Library has or had a listing of the
> hash values for known good software, known good in the sense of
> what is on installation media or what otherwise still has its
> integrity intact.
>
> I say "has or had" as on first glance it appears that this listing
> is stationary since sometime in 2004.  Would someone here know the
> history and fate of this list?  On the face of it such a list seems
> useful in forensic situations at least.
>

Instead of white-listing all the good executables (which is of course
much better then listing all the bad ones, but scales very poor as well)
it would be much better, IMO, to require that all vendors sign their
executables with a certificate. That could be even a self-signed
certificate - the point is that we could then list all the certificates
that we trust. In other words we would have a list of all the software
vendors we trust together with fingerprints for the certificates they
use for signing their programs.

Yes, I know that all the paranoid people would say: "software vendors
can not be trusted!". But that's actually what it is - a paranoia ;) And
it's better to trust software vendors that your A/V vendors ;) Sorry to
all A/V vendors - it's nothing personal - I just don't believe in
blacklisting :/

joanna.
-----BEGIN PGP SIGNATURE-----

iD8DBQFFfqKTORdkotfEW84RAlnyAKD6Dxdz2Sgq3lnFmWtOoYsFr9lA3gCgif7B
LWE1Rt4y+oU/ciS/Oky1fdw=
=E3pZ
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

NSRL status check dan (Dec 11)
- Re: NSRL status check Gadi Evron (Dec 12)
- Re: NSRL status check Joanna Rutkowska (Dec 12)
  - Re: NSRL status check Kevin Stadmeyer (Dec 12)
- <Possible follow-ups>
- Re: NSRL status check Holt Sorenson (Dec 12)
  - Re: NSRL status check Lance Spitzner (Dec 12)
- Re: NSRL status check Joanna Rutkowska (Dec 12)