Leaked stolen Nvidia cert can sign Windows malware

submitted by Zuider+(OP) on 2022-03-05 09:40:34 | 178 points 73 comments

NOTE: showing posts with links only

12. h2odra+Zi 2022-03-05 12:59:59
>>ramsha+69
> Code signed with this cert will, in the right conditions, be accepted by Windows even though the certificate has expired.

The right conditions: https://twitter.com/BillDemirkapi/status/1499735326406938625

22. asah+as 2022-03-05 14:10:03
>>Zuider+(OP)
For keys issued 6+ years ago...

https://twitter.com/BillDemirkapi/status/1499735326406938625

26. gruez+Mu 2022-03-05 14:32:21
>>pintxo+Nj
Hardware tokens are mandated for EV code signing certificates[1], but not for regular certificates. However, the certificate was from a while ago so that requirement probably wasn't a thing back then.

[1] https://www.digicert.com/signing/code-signing-certificates "REQUIRES TWO-FACTOR AUTHENTICATION USING HARDWARE TOKEN"

27. gruez+5v 2022-03-05 14:34:38
>>bratwu+B8
If malware makes it onto your machine, it's already game over. The certificate allows the attacker to load an arbitrary driver, but the attacker doesn't need that to steal all your data.

relevant xkcd: https://xkcd.com/1200/

32. Genbox+Rw 2022-03-05 14:49:46
>>chousu+jf
Sure, Fedora has Secure Boot. So does Ubuntu, Debian and FreeBSD. According to DistroWatch[1], 26 Linux distros out of 927 have built-in support for Secure Boot, so I stand by what I said.

[1] https://distrowatch.com/search.php?pkg=shim&relation=lessequ...

33. Genbox+jy 2022-03-05 15:00:30
>>jart+Yp
Most manufacturers decided to include Microsoft's signing key in firmware. That is not something Microsoft is in control of. Pre-loaded (factory) keys are much harder for Linux as it seems every distro wants their own signing key, and from an administration perspective, that is not easy to keep track of.

Everyone can load their own signing keys into firmware. However, if you want something that "just works", Microsoft signs a package called Shim[1] that can be loaded on most computers due to the pre-loaded keys.

A relationship with Microsoft is not needed in any way or form to have Secure Boot.

[1] https://launchpad.net/ubuntu/+source/shim

44. hulitu+PS 2022-03-05 17:11:30
>>keving+Bw
> We don't want grandma doing the equivalent of 'curl http://x | sudo bash' 4 times a week.

That's why we have web browsers running untrusted remote code.

61. stuu99+qi2 2022-03-06 03:37:41
>>pintxo+k8
Signed binaries use will come into being with trusted computing; they are embedding Denuvo in the operating system, aka future compilers will allow game companies and companies like Autodesk to sign their exes, and the exes, if cracked, can be added to a list that Windows 11 can force update the BIOS to add these cracked exes to a list that will refuse to run.

That's the gist of trusted computing: they are building an alternative internet/mainframe computer inside yours that they only have access to.

Where have you been the last 23+ years? The videogame industry has been stealing PC games since 1997 with Ultima Online. Hear it from the devs themselves.

Don't think MMOs killed local PC games? Listen here kids.

https://youtu.be/lnnsDi7Sxq0?t=1134

EA killed Ultima 9 when the UO beta got massive interest; that led to the death of PC games as local applications. In the industry from then on there was a massive war to back end all PC games; they couldn't immediately do that to Quake and Unreal because we'd been treated too good with Warcraft 1-3, Descent 1-3, Quake 1-3, and Build engine games like Duke 3D. The entire industry has always wanted to kill piracy and Ultima Online gave the entire industry the go ahead once they realized that many of our fellow programmers and gamers were irrationally stupid beyond their wildest dreams.

Anyone playing Quake and Descent at the time feared the loss of dedicated servers and level editors which used to come with the games; we knew if Ultima Online was successful that publishers would want to back end every fucking PC game and that's the end of the personal computer and the return of IBM and mainframe computing.

"Signed exe's" and trusted computing is the return of mainframe computing of the 60's in new bullshit language but I don't expect the MMO/Steam generation to do anything but froth at the mouth. When they were the ones killing gaming and gave birth to microtransactions.

You can't put MTX in Diablo 1, Warcraft 1-3, or StarCraft 1 because they are local applications that run entirely from your PC. None of the code has been stolen out of the game and carved back behind a user account and login requirement. Like with most PC games these days.

We're losing gaming history and generation MMO is to blame for their general cluelessness of the evil of mainframe computing.
