In blunder threatening Windows users, D-Link publishes code-signing key
[Via Ars Technica]
In a ham-fisted move that threatens computer users everywhere, developers at router manufacturer D-Link published a private cryptography key used to certify that software is trustworthy and not malware, a security researcher said.
The software signing key was released in late February on D-Link’s GPL source code sharing website, along with the source code from some of the company’s firmware, Yonathan Klijnsma, a threat intelligence analyst at Dutch security firm Fox IT, told Ars in an e-mail. D-Link used the key to cryptographically sign its software so it could be installed on computers running Microsoft Windows without the operating system generating a security warning. With it leaked to the world, anyone—including developers of keyloggers, remote access trojans, and other types of malware—could use the key to sign their malicious wares so they’re accepted as trusted D-Link software.
Social engineering is the easiest way to break an unbreakable code. One of the great stories regarding the breaking of Germany’s Enigma machine deals with the stupidity of people.
A German was supposed to send out a dummy message. Being human, he did not compose a new message. He just hit the letter L again and again. But a characteristic of the Enigma machine was that any letter could be substituted for any other, except the letter itself. So, because the enciphered dummy message had every letter but L, the British were able to decipher the settings for that day.
Other times, they realized that a message from one site always started with “Heil, Hitler”. The Germans made it much easier to break an unbreakable encryption.
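The two slips described above, as an added example that is not part of the original post: a simplified three-rotor Enigma (no plugboard, no ring settings and plain odometer stepping are assumptions of this sketch) showing that a run of L's never enciphers to L, and that a known opening such as "HEILHITLER" can be ruled out at every offset where a plaintext letter would coincide with the ciphertext letter. The message texts and the start position "QEV" are constructed.

```python
import string

A = string.ascii_uppercase
# Historical wirings for rotors I, II, III (left to right) and reflector B.
ROTORS = ["EKMFLGDQVZNTOWYHXUSPAIBRCJ",
          "AJDKSIRUXBLHWTMCQGZNPYFVOE",
          "BDFHJLCPRTXVZNYEIWGAKMUSQO"]
REFLECTOR = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


def _through(wiring, offset, c, inverse=False):
    """Pass letter index c through one rotor turned by `offset` positions."""
    shifted = (c + offset) % 26
    if inverse:
        out = wiring.index(A[shifted])
    else:
        out = A.index(wiring[shifted])
    return (out - offset) % 26


def encipher(text, start="AAA"):
    """Simplified Enigma; deciphering is the same call with the same start."""
    pos = [A.index(ch) for ch in start]      # left, middle, right rotor
    out = []
    for ch in text:
        # Rotors step before each key press; the rightmost moves fastest.
        for i in (2, 1, 0):
            pos[i] = (pos[i] + 1) % 26
            if pos[i] != 0:
                break
        c = A.index(ch)
        for i in (2, 1, 0):                  # inbound: right to left
            c = _through(ROTORS[i], pos[i], c)
        c = A.index(REFLECTOR[c])            # reflector never maps x to x
        for i in (0, 1, 2):                  # outbound: left to right
            c = _through(ROTORS[i], pos[i], c, inverse=True)
        out.append(A[c])
    return "".join(out)


def crib_positions(ciphertext, crib):
    """Offsets where `crib` could be the plaintext: no letter may coincide."""
    return [i for i in range(len(ciphertext) - len(crib) + 1)
            if all(p != c for p, c in zip(crib, ciphertext[i:i + len(crib)]))]


dummy = encipher("L" * 200, "QEV")                          # constructed
greeting = encipher("HEILHITLER" + "WETTERBERICHT", "QEV")  # constructed
print(dummy[:40], "L" in dummy)
print(crib_positions(greeting, "HEILHITLER"))
```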
If humans had not been involved, there would have been little chance of decoding the messages. We have even better essentially unbreakable systems today.
And here we see again how humans screw up important encryption processes. By releasing the key, D-Link has made it possible for anyone to pretend to be D-Link and have the computer say “This is a safe site.”
This is why governments should never have access to any sort of backdoor to our devices. Because someone will do something stupid and make every single one of those devices unsafe.
Against Stupidity, The Gods Themselves Contend In Vain.
Image: Satish Krishnamurthy