Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders

Fabio Pietrosanti (naif) lists at infosecurity.ch
Mon May 19 13:02:27 PDT 2014


Il 5/18/14, 6:24 PM, Rich Kulawiec ha scritto:
> On Thu, May 15, 2014 at 07:36:07AM +0200, Fabio Pietrosanti (naif) wrote:
>> i think that would be very important to organize a project to Audit the
>> functionalities of Auto-Update of software commonly used by human rights
>> defenders.
> Yes, but I'll go one step further: auto-update is a horrible idea -- even
> if the connection is encrypted.
But the problem is still there:
- there's plenty of small software with auto-update functionalities to
be audited/exploited
- there's probably many that provide their download instructions /
installation files over http

Auditing most of them would make the people more resilient against
easier/stupid attacks, increasing the attack difficulty for the adversary.

But you should not just ask people to switch to a "more secure
software", but also understand what software do they use, working
towards to secure what they "are using today" .

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org




More information about the liberationtech mailing list