> OT for a hobby developer, who would be the main target of such an enterprise…
I just wonder if the company that signs his code will be forced to assume liability for it…
Let's face it - the vast majority of malware in existence is produced exactly by developers of the type you have mentioned, and if someone who signs his code is not forced to assume liability for it, the very idea of code signing loses any practical meaning…
> His customers, each having paid zero to a few dollars for the software,
Well, I think the vast majority of his "customers" would not mind paying more than a few dollars to ensure that his "production" never gets installed on their PCs…
"Forced" by whom? Stalin's been dead a long time, dude…
As far as *I* know, the only thing that could happen to the company signing the driver is that MSFT will revoke the cert. Oh well!
Whatever. But the vast majority of companies that would want this service don't produce malware. They produce drivers for tiny markets, in their spare time, for the sheer joy of assisting the community of which they are a part. Or something.
The company doing the signing will probably WANT to do some minimal amount of due diligence, just to avoid having to keep getting new certs. But, whatever.
Nobody HAS to install a driver signed by "WeSignUrShitForTenEuros.com" - it's entirely up to the user. Like I said… whatever.
It'd be a damn-sight better than hobby devs not being able to have people use their stuff AT ALL without disabling driver signing completely.
Look - the very idea behind code signing is to make it possible to trace the code originator in case it turns out to be malicious. Therefore, if you sign a piece of software with your key and then it turns out that this particular piece of software, say, steals credit card numbers, it will be you who gets summoned to court, because it is signed with your key, and, hence, for the time being you are treated as its originator. What I meant in my previous post is whether you will be held liable for everything that code signed with your key does, or whether you will be allowed just to shrug it off like "I don't know anything - I sign anything for anyone who pays me a few dollars for it". In the latter case the whole idea of code signing does not seem to be particularly meaningful, don't you think…
> Stalin's been dead a long time, dude…
Where is Mr. Kyler - I bet he is going to love it…
At least for the hobbyist, are there alternatives to the $400/year VeriSign
ID? I'd pay $50/year (the cost of some alternative certificate authorities)
but for the 0.1 drivers per year I write these days, I cannot justify the
high costs of the VeriSign certificate.
There was some talk at earlier driver conferences about alternate
certificate authorities being approved, but I have not heard anything about
whether this went through.
I just renewed my GlobalSign certificate, $400 for 3 years. It has
worked fine for me for the past two years. There are about 8
certificate authorities with valid cross-certificates available,
although because of mergers and acquisitions, that's down to 3 different
corporations.
No. I think there's room for a legitimate middle ground.
Let's say you and I start a web-based company, "A&P, LLC", that signs drivers for people at… I don't know… US$50/driver.
Here's how we do it: Company X sends us a request to sign their driver package. We:
a) Execute an NDA with Company X, that includes a "hold harmless" clause saying A&P LLC won't be responsible for any crap we sign for Company X.
b) Have Company X send us their driver, in source code form, with build instructions.
c) We examine the driver (handwave, handwave), and if we don't see anything we hate, we build it per the instructions.
d) We sign the .SYS file and the package.
e) We return this package to Company X and they can distribute it to their users.
Total time invested: 10 minutes.
Service to the community: Priceless.
I don't expect A&P LLC would be liable for the driver if it didn't work, failed to meet its specs, or if it did anything malicious. We didn't MAKE it. We just signed the package.
So, somewhere between "We're fully responsible" and "We sign anything"…
Actually, most of the time, OEMs get the signed drivers from IHVs (ATi, Broadcom, Emulex, Intel, Nvidia, Qlogic etc…) who provide chips or adapters (video, network, storage) for their platforms. IHVs will have to sign their drivers. We do sign a lot of drivers. Fortunately, I don't have to worry about it nor do I want to know what VeriSign, class 3 are. The only thing about VeriSign that I know is it would appear in my browser when I log into my bank or 401k accounts. All I have to do is provide a test CAT for our PQA, just to be good enough to get rid of the "press F8 thingy".
Paying big bucks to someone who only cares about the money does not
ensure quality or liability. Try this for a laugh - try and connect
more than one model of HP printer to any PC. The drivers fight over
"who is the real messiah" and you end up with a different mess every
time you boot. Complain to HP and they say "don't do that". Complain
to Verisign and it becomes blame-relay.
This is real, in this room. I have a scanner, a laser printer, and a
photo printer.
Solution? Well, use more computers…
brucee
On 1/5/10, xxxxx@yahoo.ca wrote:
> [quote]
> The onesy-twosy shops are not the important people. The important people are the Dells and HPs of the world, who submit dozens or hundreds of driver packages throughout the year.
> [/quote]
>
> Tim,
>
> How dare you miss IBM?
>
> Actually, most of the time, OEMs get the signed drivers from IHVs (ATi, Broadcom, Emulex, Intel, Nvidia, Qlogic etc…) who provide chips or adapters (video, network, storage) for their platforms.
>
> Calvin
> Paying big bucks to someone who only cares about the money does not
> ensure quality or liability. Try this for a laugh - try and connect
> more than one model of HP printer to any PC. The drivers fight over
> "who is the real messiah" and you end up with a different mess every
> time you boot.
HP has become one of the worst. Their hardware is good, but their
driver people should be hung at dawn. When I install a printer, ALL I
WANT is a driver that turns GDI calls into dots on paper. I don't want
600 megabytes of download, 39 DLLs, 22 full-time processes, 18 injected
hooks, 15 desktop icons, 13 unrelated utilities, 9 RSS subscriptions, 7
IE toolbars, a cheerful audio-driven help system and a partridge in a
pear tree. I did not buy my computer for the sole purpose of talking to
that printer.
It drives me nuts. That's why I bought an Epson last time. They aren't
nearly as bad.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
> I don't expect A&P LLC would be liable for the driver if it didn't
> work, failed to meet its specs, or if it did anything malicious. We
> didn't MAKE it. We just signed the package.
> So, somewhere between "We're fully responsible" and "We sign
> anything"…
To me, that would work nicely.
So what happens to the customer? What does he do in case his system
crashes at home? Who should he contact? Does the package installation
or the signing framework have enough information to tell the customer
that A&P LLC can only be trusted for delivery of the package and not for
its quality?
Harish
-----Original Message-----
From: xxxxx@osr.com [mailto:xxxxx@osr.com]
Sent: Monday, January 04, 2010 1:44 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Why is signing drivers such a mess?
> c) We examine the driver (handwave, handwave), and if we don't see anything we hate, we build it per the instructions.
> Total time invested: 10 minutes.
> Service to the community: Priceless.
> I don't expect A&P LLC would be liable for the driver if it didn't work, failed to meet its specs, or if it did anything malicious. We didn't MAKE it.
> We just signed the package.
If you are going to spend 10 minutes looking at the code you might as
well not bother.
For open source projects you could come up with a workable solution
though:
a. Company X sends us the source code and build instructions
b. We build the binaries, sign them, and sign the source archive and
make it available on our website for anyone to inspect.
That way our liability is to confirm that the binaries we built were
built from the source, and anyone can prove (as much as you trust us and
the certificate system) that the binaries they have were built from the
source that they can obtain and inspect. You'd probably make the source
code open to public inspection for some time (7 days?) before doing the
build and sign to reduce the chance of signing a malicious driver or
something.
Someone like Sourceforge could do it, and have some criteria that the
project have been hosted on sourceforge for some time (3 months?) before
allowing access to the signing process.
It doesn't work for non-open source stuff of course, but who trusts
closed source code anyway?
The customer goes to the author if their system crashes. A&P signing the
driver in no way abrogates the author from their responsibility for
maintaining their code. The author has to make sure that what he sends to
A&P is a final cut, because every time A&P signs a driver there is a charge
- no "do overs" because the author sent the wrong source files. Unless the
author tells them who signed the driver or the customer has the smarts to
run CertMgr and look at the signature, the customer really doesn't need to
know about A&P.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Arora, Harish
Sent: Monday, January 04, 2010 5:18 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Why is signing drivers such a mess?
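For the customer who does want to look at the signature, as an added example (not from the thread): a PowerShell pass over the installed kernel drivers using the built-in Get-AuthenticodeSignature cmdlet, reporting the signer and the verification status so an unknown signing company or a non-valid signature stands out. The drivers directory is the standard one; the output is whatever the local machine has.

```powershell
# Added example, not from the thread: list kernel drivers and who signed them.
# Run from an elevated prompt if some driver files are not readable.
$drivers = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -File

$report = foreach ($sys in $drivers) {
    $sig = Get-AuthenticodeSignature -FilePath $sys.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '<none>' }
    [pscustomobject]@{
        Driver = $sys.Name
        Status = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $signer         # the company that signed it (A&P LLC, in the thread's scenario)
        Issuer = $issuer         # the CA that issued the signer's certificate
    }
}

# Anything not 'Valid' deserves a look: unsigned, tampered, or chaining to a
# certificate the machine does not trust (e.g. one that has been revoked).
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# Group the valid ones by signer so an unfamiliar signing company is visible.
$report | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A driver whose only signature lives in its catalog (.cat) file may report NotSigned on older systems; the WDK's `signtool verify /kp /c driver.cat driver.sys` checks that case under the kernel-mode signing policy.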
On 1/4/2010 5:08 PM Tim Roberts wrote:
> HP has become one of the worst. Their hardware is good, but their
> driver people should be hung at dawn. When I install a printer, ALL I
> WANT is a driver that turns GDI calls into dots on paper. …
Don't blame the developers - I guarantee it isn't their choice to
include all the extra "value add" with the printer drivers.
--John
P.S. For some HP printers, you can download either a "consumer" or
"corporate" driver package. The corporate package omits most of the
extra stuff.
It ain't their driver people that spam you with all of that shovelware
d
-----Original Message-----
From: Tim Roberts
Sent: Monday, January 04, 2010 3:11 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Why is signing drivers such a mess?
Bruce Ellis wrote:
> Paying big bucks to someone who only cares about the money does not ensure quality or liability.
And why does Windows insist that simple "drivers" like printer
interfaces must be in the kernel.
That's not even old school, it's brain-dead.
Only Apple competes for silliness.
Printer drivers should be user procs - correct me if I'm wrong.
brucee
On Tue, Jan 5, 2010 at 10:52 AM, Doron Holan wrote:
> It ain't their driver people that spam you with all of that shovelware
It occurs to me that creating an entity to sign such packages is not the
only form of solution.
Enabling the end-user system to "sign" the package as permissible would
suffice as well.
This clearly makes it the end-user's responsibility and removes the issue of
finding the source. It restores the "as-is" quality of service but it only
works on the single machine. How you secure that feature so that, for
instance, malware does not find a way to "sign" itself is a challenge of
course, but perhaps smart people can figure out how to "localize" the
solution to the machine.
I am under the impression that the big issue would be the very limited
ability of the O/S Loader (on 64-bit platforms) to verify BOOT start
drivers. How you give it another certificate for embedded signatures to be
validated against seems to be the challenge.
But if a way could be created to ensure the usefulness of a signature was
scoped to the machine on which it was generated, then, at least you would
not be enabling malware except if you inflicted it on yourself. That is
what freedom is all about, right? The freedom to shoot one's own foot?
And then there is the whole DRM thing… back come the lawyers
But in 10 minutes I can probably determine if the obvious intent of the driver is to insert malware. That's all I would want to do.
Absolutely. I agree. This is ALMOST as secure as having A&P LLC sign random stuff, EXCEPT for the fact that if A&P LLC signs some malware, it's barely conceivable that Microsoft could revoke their cert. No way to do that if people sign their own stuff.
Why wouldn't they? WHQL doesn't check for "smart" vs "stupid".
(Indeed, I'm not sure how you would design a test for that…) They
don't even install the driver. If you pass DTM, you get a logo.
> And why does Windows insist that simple "drivers" like printer
> interfaces must be in the kernel.
They don't. Most printer drivers live in user-mode.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Printer drivers have been in um since Win2k. At some point we removed support for km printer drivers, but I do not know the exact release
d
-----Original Message-----
From: Bruce Ellis
Sent: Monday, January 04, 2010 4:53 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Why is signing drivers such a mess?
So how did HP get all this shit signed?
Explain to me why user level "drivers" need to be signed.
If I buy a printer I want it to print, not ask me or not tell me why
it is screwing up.
If I use said printer and it had malware in user land it's not gonna kill me.
brucee
On Tue, Jan 5, 2010 at 12:31 PM, wrote:
> Why… you ask us on the list, of course. WE can tell "smart" versus "stupid"!
>
> Peter
> OSR