This is what happens...
When you forgo a good QA Team.... Just ask S0NY when they dumped their own PS3 Key(s)...
Taiwanese networking kit maker D-Link leaked a private code-signing key onto the internet for anyone to download. This is rather embarrassing because this key can be used to trick Windows computers into trusting and running malware. An eagle-eyed netizen told tweakers.net on Thursday that the code-signing key appeared in a …
That's utter bullcrap. You know not everything on the internet is true, right??? This is a long-running myth, along with the one that their random generator was "return 4; //chosen by fair dice roll".
Both utter horseshit, that only a total cretin would actually believe. Getting the keys from the Cell hypervisor on the PS3 took 6 years of hacking and a lucky break.
http://www.flyingpenguin.com/?p=9144
But why let the truth get in the way of a good internet myth.
"No one at D-Link was available to comment on the reported leak. No one at Microsoft was able to confirm whether or not Windows has stopped trusting code signed by the leaked key. No one was available to comment at Symantec, which owns the part of Verisign that issued the code-signing certificate to D-Link. Apple does not respond to The Reg's requests for comment."
While I find it largely disturbing that D-Link are not commenting, since they are the red-faced people here, I don't see the point of questioning MS, Apple or Symantec over the issue.
For MS and Apple, there's really not much they could do or have done to counter this blunder. If the cert is legitimately signed, then of course let the install happen!
And even less for Symantec: if someone's been stupid enough to let a private key leak, how is it at all their problem? Their job as CA has been done neat and clean...
Are these certificates and passphrases in a declaration block at the top of the source code, surrounded by comments, IN CAPS, to say "don't allow this information to be released"; or are they sprinkled throughout the source code?
P.S. The above is my second attempt at posting that comment. On the first, I had to complete a Captcha question (which I seem to have failed), for which I had to enable Flash. The second time I tried, there was no Captcha question. Is this anything to do with El Reg or have I been 'hit' by something?
I think "best practice" is that these certificates are stored on a handful of machines, away from the developers writing the software, and that only a handful of staff are therefore able to sign executables and only then as an act outside of the normal development process. Passcodes would live in sealed envelopes, or something, and would not normally reside on any machine.
Clearly that didn't happen here and we know of at least one certificate that has escaped as a result. I'm somewhat staggered that a company as big as D-Link would be willing to play so fast and loose with their company's reputation. Let's be clear; as of this morning, a D-Link signature carries slightly less weight than, say, mine. (And I'm not boasting.)
One final point: if your only D-Link product is a cheapish ADSL box or network switch, rather than waiting for D-Link to re-establish some credibility, you could just replace the box. I wonder how many admins will respond to this by plonking D-Link on their Sony list.
It is El Reg's lousy CDN contract. The CDN they use works OK if you get stuff. If you post and it has decided you are suspicious, this is what you get. That is buggy. You end up retrying multiple times, losing your post every time in the process.
It is more common from abroad and from behind big CG-NATs as used in Mobile.
Why ever not? I'm thinking that in the worst case you just manually set the time, do the signing and then reboot? The fact that you say that existing signed code will continue to work suggests that any safeguards around expired keys are on the signing end, and surely it's possible to get around any restrictions?
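As an added illustration (not part of any comment in this thread) of the expiry and revocation question raised above: a simplified Python model of how a relying party decides whether a signature still counts once the signing certificate has been revoked after a key leak. The rules, the hypothetical vendor certificate and the dates are assumptions for the example, not Microsoft's documented Authenticode policy.

```python
# Added example, not code from the thread, D-Link or Microsoft: a simplified
# model of relying-party policy after a code-signing key leak. Assumptions:
#  - a signature may carry a countersignature from a trusted timestamp
#    authority (TSA); the signing machine's own clock is never consulted;
#  - revocation has an effective date: signatures timestamped before it
#    stay valid, later or untimestamped ones are rejected.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_from: Optional[datetime] = None  # effective revocation date

@dataclass
class Signature:
    cert: Certificate
    tsa_time: Optional[datetime]  # TSA countersignature time, or None

def verify(sig: Signature, now: datetime) -> Tuple[bool, str]:
    """Return (trusted?, reason) for one signature at wall-clock time `now`."""
    cert = sig.cert
    if sig.tsa_time is None:
        if cert.revoked_from is not None:
            return False, "revoked and no trusted timestamp proves earlier signing"
        if not cert.not_before <= now <= cert.not_after:
            return False, "certificate not valid at verification time"
        return True, "valid (certificate currently valid, no timestamp)"
    t = sig.tsa_time
    if not cert.not_before <= t <= cert.not_after:
        return False, "certificate was not valid at the timestamped signing time"
    if cert.revoked_from is not None and t >= cert.revoked_from:
        return False, "timestamped on or after the revocation date"
    return True, "valid (trusted timestamp predates revocation)"

def demo() -> dict:
    """Constructed scenarios around a hypothetical leaked vendor certificate."""
    cert = Certificate("Example Vendor (hypothetical)", datetime(2013, 1, 1),
                       datetime(2016, 1, 1), revoked_from=datetime(2015, 2, 1))
    now = datetime(2015, 9, 18)  # constructed verification time
    return {
        "old_release_timestamped": verify(Signature(cert, datetime(2014, 6, 1)), now)[0],
        "post_leak_timestamped": verify(Signature(cert, datetime(2015, 3, 1)), now)[0],
        "backdated_clock_no_tsa": verify(Signature(cert, None), now)[0],
    }
```

The third scenario is the "just set the clock back" case: a backdated local clock yields a signature without a TSA countersignature, so the verifier has nothing to prove it predates revocation and rejects it.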
I always figured that a shop like theirs would have more security than mine. In my company's shop, code signing certificates are kept on an air-gapped machine sitting on the QA director's desk. Once the QA department's tests have been completed and the product is ready to ship, the code gets burnt to disc, scanned and then copied to the code-signing machine. Once compiled, it is written to another disc and scanned again; this disc then gets duplicated so that we have a known-good golden copy of the code and the executable.