Hi all, I think it would be very important to organize a project to audit the auto-update functionalities of software commonly used by human rights defenders.
Most government-managed client-side attacks are done through a proper MITM to trick the target into downloading and/or executing something. There is plenty of major and minor software that has security vulnerabilities that could be exploited in the following processes and procedures:

- Auto-update of software
- Version checking (to notify of a new existing version)
- Web page providing download/update information

If only one of the previously defined functionalities can be exploited by a clever MITM (because it is not properly secured), the target (a normal target, not a paranoid one) is likely compromised.

In the past the IT security and hacking community looked at these problems, but then no big progress was made; everything was abandoned, and auto-update/version-checking/software-download methods have been of interest purely to governmental agencies.

Organizations that now take care of the security of software used by human rights defenders should look at this kind of problem a bit deeper, by organizing such a project and/or providing proper funding for that purpose.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
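All three channels listed in the post fail the same way when the client does not authenticate what it receives. As an added illustration (not code from the original post or any project named in it), here is a minimal Go client-side check of the kind such an audit would look for: a manifest signed with a publisher key the client already ships, a version comparison that refuses downgrades and replays, and a digest check on the downloaded artifact. The manifest layout and function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the update metadata a publisher serves (assumed layout for this example).
type Manifest struct {
	Version   int    // monotonically increasing build number
	SHA256    string // hex digest of the installer bytes
	Signature []byte // ed25519 signature over manifestBytes(Version, SHA256)
}

func manifestBytes(version int, digest string) []byte {
	return []byte(fmt.Sprintf("%d\n%s\n", version, digest))
}

// VerifyUpdate accepts an update only if the manifest verifies under the key shipped
// with the client, the version is newer than the installed one, and the downloaded
// bytes match the signed digest. Any failure is treated as tampering on the wire.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, installed int, artifact []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return errors.New("downgrade or replay refused")
	}
	sum := sha256.Sum256(artifact)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return errors.New("artifact digest mismatch")
	}
	return nil
}

// SignManifest is the publisher side; the private key never ships to clients.
func SignManifest(priv ed25519.PrivateKey, version int, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	d := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256: d, Signature: ed25519.Sign(priv, manifestBytes(version, d))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // demo key pair; a real client ships only pub
	good := []byte("installer v2 (constructed sample)")
	m := SignManifest(priv, 2, good)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, 1, good))
	fmt.Println("swapped payload:", VerifyUpdate(pub, m, 1, []byte("tampered")))
}
```

A client that skips any one of the three checks (signature, monotonic version, digest) is exactly the kind of target the post describes; an audit of a real updater would confirm each one is present and that the public key and version state are stored where a MITM cannot rewrite them.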