[cryptography] To Protect and Infect Slides
Griffin Boyce
griffin at cryptolab.net
Thu Jan 2 12:15:50 PST 2014
On 02.01.2014 13:37, Jacob Appelbaum wrote:
>
> I'm less interested in the payload than how it is deployed - are the
> Apple signing keys only controlled by Apple?
Not exactly. There are more moving parts to Apple signing
certificates and keys than most people realize.
The process for signing an app is: 1) generate a private key, 2) use
that to generate a Certificate Signing Request (which you send to
Apple), 3) Apple sends you the approved certificate (automated process),
4) convert that file to (.pem/.cer), 5) generate p12 file using that
cert and your private key (and its password) together, 6) generate the
provisioning file to actually build the signed app in xcode.
While that seems like an arduous and in-depth process, getting signed
malware only requires a $99 payment to Apple and a super basic
"application process" to become an Apple developer. One could probably
get more mileage by distributing malware that disables signature check.
> Do they fall under the business records provision of the PATRIOT act?
Probably, considering that AFAIK Lavabit's SSL cert was considered
such when it was ordered turned over.
Open source that shit,
Griffin
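Steps 1 to 5 of the signing flow described above, reproduced with openssl so the moving parts can be inspected. This is an added example, not code from the original post or from Apple's tooling. It assumes openssl(1) is on PATH, and it substitutes a throwaway self-signed CA for Apple's automated issuer (the real issuer key is Apple's and never visible to a developer); all subject names, file names and the sample payload are constructed here. Step 6, the provisioning profile, is Xcode-specific and is not reproduced.

```shell
#!/bin/sh
# Added example: walks the key -> CSR -> certificate -> .cer -> .p12 flow with
# openssl and then checks what the resulting material can actually do.
# Assumptions: openssl(1) is installed; the "issuer" CA below is a local
# stand-in for Apple's signing service, created only so this runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in issuer (Apple's role). The developer never holds this key.
make_issuer() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Stand-in Issuer (constructed)" \
        -keyout "$WORK/issuer.key" -out "$WORK/issuer.pem" 2>/dev/null
}

# Step 1: developer private key; this is the secret that matters.
make_dev_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/dev.key" 2>/dev/null
}

# Step 2: CSR carrying the public key and identity, self-signed with dev.key.
make_csr() {
    openssl req -new -key "$WORK/dev.key" -sha256 \
        -subj "/CN=Example Developer/O=Example Team" -out "$WORK/dev.csr"
}

# Step 3: issuer signs the CSR and returns the developer certificate.
issue_cert() {
    openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/issuer.pem" \
        -CAkey "$WORK/issuer.key" -CAcreateserial -days 1 -sha256 \
        -out "$WORK/dev.pem" 2>/dev/null
}

# Step 4: PEM <-> DER (.cer) are two encodings of the same certificate.
convert_cer() {
    openssl x509 -in "$WORK/dev.pem" -outform DER -out "$WORK/dev.cer"
    openssl x509 -in "$WORK/dev.cer" -inform DER -out "$WORK/dev_roundtrip.pem"
}

roundtrip_ok() {
    [ "$(openssl x509 -in "$WORK/dev.pem" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$WORK/dev_roundtrip.pem" -noout -fingerprint -sha256)" ]
}

# Step 5: cert + private key + chain into a password-protected PKCS#12 bundle.
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/dev.key" -in "$WORK/dev.pem" \
        -certfile "$WORK/issuer.pem" -passout pass:example -out "$WORK/dev.p12"
}

# Checks a practitioner runs before trusting the bundle:
# does the certificate's public key match the private key, and does it chain?
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/dev.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/dev.pem" -pubkey -noout)" ]
}

cert_chains_to_issuer() {
    openssl verify -CAfile "$WORK/issuer.pem" "$WORK/dev.pem" >/dev/null 2>&1
}

# The point of the thread: whoever holds a key the issuer certified can sign
# any payload, and the signature verifies against the issued certificate.
sign_payload() {
    printf 'constructed sample payload\n' > "$WORK/payload.bin"
    openssl dgst -sha256 -sign "$WORK/dev.key" \
        -out "$WORK/payload.sig" "$WORK/payload.bin"
}

verify_payload() {
    openssl x509 -in "$WORK/dev.pem" -pubkey -noout > "$WORK/dev.pub"
    openssl dgst -sha256 -verify "$WORK/dev.pub" \
        -signature "$WORK/payload.sig" "$WORK/payload.bin" >/dev/null 2>&1
}

# A modified payload must fail verification with the same signature.
tampered_payload_rejected() {
    printf 'x' >> "$WORK/payload.bin"
    if verify_payload; then return 1; fi
    return 0
}

run_flow() {
    make_issuer && make_dev_key && make_csr && issue_cert && convert_cer \
        && roundtrip_ok && make_p12 && key_matches_cert \
        && cert_chains_to_issuer && sign_payload && verify_payload \
        && tampered_payload_rejected
}
```

Run it with `sh flow.sh && echo ok` after appending a `run_flow` call; the artifacts land in `$WORK`. Note what the checks do not tell you: a valid chain and a matching key say nothing about who the developer is, which is the point made above about the low bar for obtaining a certificate.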