On 02.01.2014 13:37, Jacob Appelbaum wrote:
> I'm less interested in the payload than how it is deployed - are the Apple signing keys only controlled by Apple?
Not exactly. There are more moving parts to Apple signing certificates and keys than most people realize. The process for signing an app is: 1) generate a private key, 2) use that to generate a Certificate Signing Request (which you send to Apple), 3) Apple sends you the approved certificate (automated process), 4) convert that file to (.pem/.cer), 5) generate p12 file using that cert and your private key (and its password) together, 6) generate the provisioning file to actually build the signed app in Xcode. While that seems like an arduous and in-depth process, getting signed malware only requires a $99 payment to Apple and a super basic "application process" to become an Apple developer. One could probably get more mileage by distributing malware that disables signature check.
> Do they fall under the business records provision of the PATRIOT act?
Probably, considering that AFAIK Lavabit's SSL cert was considered such when it was ordered turned over.

Open source that shit,
Griffin
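
The key, CSR, certificate and .p12 steps listed in the reply above, as an added example that is not part of the original message: a throwaway local CA stands in for Apple's automated issuance (an assumption, as are all names and the password). The checks show that the private key is generated and kept on the developer's side, while the issuer only ever receives the public key inside the CSR.

```shell
#!/bin/sh
# Added illustration. A throwaway local CA stands in for Apple's automated
# issuance; every name and password below is constructed.
signing_chain_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        pub_hash() { openssl dgst -sha256; }   # fingerprint a public key read from stdin

        # 1) Developer generates the private key locally.
        openssl genrsa -out dev.key 2048 2>/dev/null || exit 1
        # 2) CSR: subject plus public key, signed by dev.key. This is all the CA receives.
        openssl req -new -key dev.key -subj "/CN=Constructed Developer" -out dev.csr || exit 1
        # Stand-in CA (assumption: replaces Apple's side of step 3).
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -days 1 \
            -subj "/CN=Constructed Stand-in CA" -out ca.pem 2>/dev/null || exit 1
        # 3) CA approves the CSR and returns a DER-encoded .cer.
        openssl x509 -req -in dev.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 1 -outform DER -out dev.cer 2>/dev/null || exit 1
        # 4) Convert the .cer to PEM.
        openssl x509 -inform DER -in dev.cer -out dev.pem || exit 1
        # 5) Bundle certificate and private key into a password-protected .p12.
        openssl pkcs12 -export -inkey dev.key -in dev.pem \
            -passout pass:constructed-demo -out dev.p12 || exit 1
        # (Step 6, the provisioning profile, is Apple-specific and not modelled.)

        key_pub=$(openssl pkey -in dev.key -pubout | pub_hash)
        csr_pub=$(openssl req -in dev.csr -noout -pubkey | pub_hash)
        crt_pub=$(openssl x509 -in dev.pem -noout -pubkey | pub_hash)
        [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] && [ "$key_pub" = "$crt_pub" ] || exit 1
        # The CSR file holds no private key material.
        if grep -q "PRIVATE KEY" dev.csr; then exit 1; fi
        # The certificate chains to the issuing CA, and the .p12 opens with its password.
        openssl verify -CAfile ca.pem dev.pem >/dev/null 2>&1 || exit 1
        openssl pkcs12 -in dev.p12 -passin pass:constructed-demo -noout 2>/dev/null || exit 1
        echo "key, CSR and certificate share one public key"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

signing_chain_demo
```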