To trust or not to trust?

Avast Blog

 

@ tgell

Thanks for posting

Just goes to show once again, that certs are NO guarantee, and increasingly becoming nearly useless, in my opinion.

**** happens, human error, that's all it takes. And even the big boys can mess up

*

Yeah me too.

I DL'd just 2 of the files mentioned, one each from both categories mp3converter.exe & rambst.exe



mp3converter.exe Scanner results (1/36) found malware!

rambst.exe Scanner results (3/36) found malware!

Amazing

 

There's nothing wrong with digital signatures -- they are a powerful technology. You have to remember that the signature says nothing about what the file contains -- all it does is verify who the file comes from. If Company X somehow had someone inject malicious code into their software without their knowledge and then signed this code, it is human error and not the fault of the digital signature. Bottom line: if the signature is valid, the user can be sure that the package was not tampered with from the time it was signed until the time the signature was checked. It says nothing (nor is it supposed to) about what happened before it was signed.

The job of the signature is to protect the contents while in transit. If you think about it, that's all it can do. For instance, when you buy a M$ Windows DVD from Best Buy, you can be pretty sure it's a legit copy. However, who is to say that some rogue at M$ hasn't put a backdoor in the kernel code (or even in the C compiler used to compile Windows)? You don't know and can never know. You just have to trust M$. So, even though the DVD is good and matches all hashes, etc., there is no way for the digital signature to read the minds of those who signed it. So, again, it comes down to trust. With or without signatures you have to trust a software vendor not to do bad things. The signatures just ensure that no one else has done bad things.

This is just another case of an AV company trying to downplay digital signatures because they want you to believe that only their idiotic method of a malware blacklist can somehow fight the malware problem when indeed it has failed miserably as general experience has proved over the decades.

 

Good post Chronomatic

 

If the private key can be stolen easily (recent RealTek signed rootkits) from the principle (it's a file and while used in the automated process, there is quite high probabilty it'd be without any other protection), then you lose at least partially the trust in the whole signature system.

If even the big good guys can distribute malware either digitally signed or pressed in cds, this breaks the trust again.

In the end, what are you getting? Ssome file which may or may be not from the respectable company which may or may be not infected. Hmmm...

It's not the AV companies which are 'trying to downplay digital signatures'. It's the description of one incident which is breaking the trust and there were more of these in the past.

The rest of the blahblah is funny as usual. Why isn't there this http://www.rhyolite.com/anti-spam/you-might-be.html for an antivirus world? All these 'antivirus does not work', 'antivirus companies write viruses', 'I use secure operating system' would be just sorted in the checklists, so it would speed up the discussion a bit.


Jindroush, not speaking for his employer avast!

 

Then the people at RealTek are idiots and need a refresher course in key management. When creating a key-pair, typically the user creates a passphrase to protect the private key, so that in the event someone else has physical access to the private key, it does them no good whatsoever. They would either have to brute-force the password or somehow obtain it through social engineering. Of course, the more people who know the passphrase, the more likely it is. That's why a large software company should think very carefully about key management. There are various protocols (such as Shamir's Secret which is being used for DNSSEC keys) that can be used to break the key into parts among several different people, etc..

It's not the job of the digital signature to detect malware. All it does is determine if the file is really from the person who signed it. Again, the user is going to have to trust the vendor at some point.

An isolated incident of someone getting their keys stolen is hardly reason for proclaiming the sky is falling.

 

If you want the automated system for signing, it's always possible to steal the whole self-contained system.

I'd say few incidents. And I don't see anything in the original blog claiming that the sky is falling.