sirkrite opened this issue on Dec 28, 2003 · 43 posts
soulhuntre posted Tue, 30 December 2003 at 5:09 AM
Attached Link: http://mindprod.com/jgloss/digitalsignatures.html
"It's actually fairly easy to forge an MS signature, and since most people have set their system to trust MS signatures then the module loads without asking." Actually, as it is a public key signature system it is almost IMPOSSIBLE to do so. In fact, there was only one case of a Microsoft signature key being lost to the wild and that signature key was promply disabled in an update - so none of the stuff it signs is valid. If you have any links to any information on how to forge a large bit number cryptographic key by all means, let us know. Post a link... I (and lots of folks on Slashdot who hate MS) would LOVE to know how to do it. "Genuine hackers have talent and skill, and can tunnel through just about anything when they put their minds to it....but how many genuine hackers are going to bother with a user? They have bigger fish to fry....." You know, as someone responsible for the security of a fair number of client systems (MS and Linux) on the web the mythical "real hacker" who can tunnel through security is almost entirely bogus. Unless the firewall has a flaw, for instance, a hacker cannot "tunnel through" it... they CAN get through ports you specifically open - but that is different. In point of fact it is fairly easy to make your computer the most secure thing in your existance. Even determined attacks will fail (even by "real hackers") when properly secured. The problem is so few people take the time to understand this stuff they are simply wide open out of a lack of knowledge. As always, a little understanding is a good thing. The link goes to a primer on digital signatures. (note: there was also a short window of vulnerability before a patch that allows ActiveX to bypass the signature check under low memory conditions in rare circumstances, it's been patched)