On 21-Oct-2012 19:32, xxxxx@broadcom.com wrote:
> With such a virus in the wild, the very concept of code signing becomes totally
pointless - software developers will be unknowingly producing malicious binaries
that are built from totally harmless sources, and signing them with their own
certificates.
Yep, this is basically same as explained by Thompson back in 1984.
You cannot “automate” trust, or trust blindly.
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
It may be impossible for Microsoft to ever repair that damage.
Believe or not, it seems that they are very busy exactly doing that,
and we may see something quite soon.
All NDAs aside, who else can do such job - Apple? Google? Kaspersky’s
labs? Nope, only MS can do this.
– pa