[cryptography] To Protect and Infect Slides

Griffin Boyce griffin at cryptolab.net
Thu Jan 2 12:15:50 PST 2014


Il 02.01.2014 13:37 Jacob Appelbaum ha scritto:
> 
> I'm less interested in the payload than how it is deployed - are the
> Apple signing keys only controlled by Apple?

   Not exactly.  There are more moving parts to Apple signing 
certificates and keys than most people realize.

   The process for signing an app is: 1) generate a private key, 2) use 
that to generate a Certificate Signing Request (which you send to 
Apple), 3) Apple sends you the approved certificate (automated process), 
4) convert that file to (.pem/.cer), 5) generate p12 file using that 
cert and your private key (and its password) together, 6) generate the 
provisioning file to actually build the signed app in xcode.

   While that seems like an arduous and in-depth process, getting signed 
malware only requires a $99 payment to Apple and a super basic 
"application process" to become an Apple developer.  One could probably 
get more mileage by distributing malware that disables signature check.

> Do they fall under the business records provision of the PATRIOT act?

   Probably, considering that AFAIK Lavabit's SSL cert was considered 
such when it was ordered turned over.

Open source that shit,
Griffin



More information about the cypherpunks mailing list