On Mon, 2 Sep 2013 14:45:00 -0400 Phillip Hallam-Baker <hal...@gmail.com> wrote:

> > Do we know they produced fake windows updates without assistance
> > from Microsoft?
>
> Given the reaction from Microsoft, yes.
>
> The Microsoft public affairs people have been demonstrating real
> anger at the Flame attack in many forums.
But of course, sufficiently paranoid people might contend that perhaps the Microsoft people who complained might not have been briefed by the ones who cooperated.

The problem with all such exercises is that they involve too many layers of recursive paranoia, but do not pay off with useful information that tells me how to act going forward.

In the current case, the fact that they *could* potentially suborn process inside a vendor is an interesting thing to consider when doing design, and whether they *have* is less interesting to me. Clearly, things like bad vendor driver updates have been sent out using stolen keys in the past, and clearly vendors might simply make mistakes in the future.

From there, I can consider whether the "someone at vendor signs bad updates" security model component is productive to defend against or not, and how one might defend against it. (In the current case, I'd say only typed assembly language offers an interesting defense against bad binaries that get executed in kernel mode, regardless of why they are bad. Using typed assembly language effectively of course requires that the code be written in a high level language with strong typing to be preserved in the delivered machine code in the first place.)

I leave speculation to pundits, and prefer to write code and design protocols.

Perry

-- 
Perry E. Metzger pe...@piermont.com

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography