[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders

Fabio Pietrosanti (naif) lists at infosecurity.ch
Fri May 23 12:39:37 PDT 2014


On 5/20/14, 4:24 AM, Tony Arcieri wrote:
>
> Also note that most software update systems are one key (or sadly in
> many cases, zero keys) away from being remote code execution
> vulnerabilities.
>
> All of these attacks are covered by The Update Framework:
>
> http://theupdateframework.com/
But it's not so unrealistic that most of that small software being used
by people on-field will move or change their update framework.

Still, the activity to be done is to:
a) identify the software most used by people on-field
b) audit it
c) have the manufacturer fix their existing update procedures

But we just do not have any kind of data on the security status of small
software being used by people on-field on their outdated Windows/OS X
machines.

What I know for sure is that those kinds of techniques are heavily
exploited by governmental agencies and no one from the security
community is trying to fix that kind of problem.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org



