Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders

Blibbet blibbet at gmail.com
Fri May 23 13:41:37 PDT 2014


There was a good thread on this topic on the OSS-Security list, and 
another, probably this list about 6 months ago.

It'd be worth studying Tor's Thandy, a secure update tool. I wish I 
could recall why Tor abandoned Thandy, that might be important. :-( 
There might be clues in Trac.
https://gitweb.torproject.org/thandy.git/blob/HEAD:/specs/thandy-spec.txt
https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Thandy

BTW, when auditing auto-updates, don't both Windows and Apple use CDNs 
like Akamai, to push out their new updates? I seem to recall some 
Snowden-related articles mentioning CDNs including Akamai; a great place 
for an adversary to update system binaries.




More information about the liberationtech mailing list