
coapp-developers team mailing list archive

Re: Bundling x64 and x86 binaries in the same library package?


Anyone can push malware through Windows Update with little effort.
Microsoft doesn't perform a useful security audit of published binaries;
they simply rely on the fact that signing requires a slew of IDs and
secret handshakes which are difficult to fake (i.e. remain an anonymous
baddie).

I think Garrett's approach is okay. It's impossible to think of every
single possible security breach scenario; therefore we should focus on
implementing various doodads to mitigate issues if/as they arise.
Killbits and revoking certificates are good examples.

/rafael

On 4/16/2010 1:08 PM, Garrett Serack wrote:
> What specifically do you mean by compromised?
> 
> If you mean defective, well, that is a small potential problem. It is in any system.
> 
> If you mean that a package is published and someone is trying to pass it off as someone else's package, well that's why we have a requirement for a publisher to digitally sign the code.  If they lose control of their signing keys, we laugh and all code published with their cert after the loss of control can be killed by revoking the certificate, and/or implement a killbit system (since we can identify WinSxS libraries uniquely).
> 
> Actually, we should probably build a killbit system regardless, as it can assist in the defective case too.
> 
> And, yes WU can install drivers and code from third parties; which is why they require any binaries passing thru WU to be signed and run thru a bunch of validation tools.
> 
> 
> 
> Garrett Serack | Open Source Software Developer | Microsoft Corporation 
> I don't make the software you use; I make the software you use better on Windows.
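The trust decision Garrett sketches above (revoke the publisher's certificate to kill everything signed after the key was lost, plus a killbit keyed on the unique WinSxS identity for the defective case) written out as an added illustration. This is not CoApp's code and does not reflect its actual package format; the identity fields, thumbprint, dates and the package named "zlib" are constructed sample data, and the x86/amd64 split shows why the identity carries the architecture.

```python
"""Trust decision for a signed library package, modelled on the discussion above.

Hypothetical model (not CoApp's code): a package carries a WinSxS-style assembly
identity and an Authenticode-style signature with a trusted timestamp. It is
accepted only if its identity is not on the killbit list and its signer's
certificate was not revoked at or before the time the package was signed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AssemblyIdentity:
    """Fields that identify a side-by-side assembly uniquely (constructed model)."""
    name: str
    version: str
    processor_architecture: str   # "x86" or "amd64"
    public_key_token: str


@dataclass(frozen=True)
class SignedPackage:
    identity: AssemblyIdentity
    signer_thumbprint: str          # thumbprint of the publisher's signing cert
    signed_at: Optional[datetime]   # countersignature time; None if not timestamped


@dataclass(frozen=True)
class TrustPolicy:
    revoked: Dict[str, datetime]          # thumbprint -> time the cert was revoked
    killbits: FrozenSet[AssemblyIdentity]  # identities that must never be installed

    def evaluate(self, pkg: SignedPackage) -> Tuple[bool, str]:
        # Killbits take priority: they cover defective packages whose
        # signature is perfectly valid.
        if pkg.identity in self.killbits:
            return False, "killbit set for this assembly identity"
        revoked_at = self.revoked.get(pkg.signer_thumbprint)
        if revoked_at is None:
            return True, "signer certificate not revoked"
        # Revocation kills everything signed after the key was lost. Without a
        # trusted timestamp we cannot prove the signature predates the loss,
        # so fail closed.
        if pkg.signed_at is None or pkg.signed_at >= revoked_at:
            return False, "signed at or after certificate revocation"
        return True, "signed before certificate revocation"


# --- constructed sample data -------------------------------------------------
UTC = timezone.utc
REVOKED_AT = datetime(2010, 4, 10, tzinfo=UTC)    # constructed revocation time
TOKEN = "0123456789abcdef"                         # constructed public key token
THUMB = "aa" * 20                                  # constructed cert thumbprint

ZLIB_X86 = AssemblyIdentity("zlib", "1.2.5.0", "x86", TOKEN)
ZLIB_AMD64 = AssemblyIdentity("zlib", "1.2.5.0", "amd64", TOKEN)

POLICY = TrustPolicy(revoked={THUMB: REVOKED_AT}, killbits=frozenset({ZLIB_AMD64}))

SAMPLE_PACKAGES = {
    "x86 signed before revocation": SignedPackage(ZLIB_X86, THUMB, datetime(2010, 4, 1, tzinfo=UTC)),
    "x86 signed after revocation": SignedPackage(ZLIB_X86, THUMB, datetime(2010, 4, 12, tzinfo=UTC)),
    "x86 no trusted timestamp": SignedPackage(ZLIB_X86, THUMB, None),
    "amd64 killbit": SignedPackage(ZLIB_AMD64, THUMB, datetime(2010, 4, 1, tzinfo=UTC)),
}


def evaluate_all(policy: TrustPolicy = POLICY, packages=SAMPLE_PACKAGES) -> Dict[str, Tuple[bool, str]]:
    """Run the policy over every sample package and return label -> (accepted, reason)."""
    return {label: policy.evaluate(pkg) for label, pkg in packages.items()}


if __name__ == "__main__":
    for label, (ok, why) in evaluate_all().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {label}: {why}")
```

The ordering matters: the killbit check runs first because a defective package has a valid signature and a live certificate, so revocation alone cannot stop it; and a signature with no trusted timestamp is treated as post-revocation, since otherwise anyone holding the lost key could backdate a signature.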
