[Cryptography] HP accidentally signs malware, will revoke certificate

Henry Baker hbaker1 at pipeline.com
Sat Oct 11 10:15:02 EDT 2014

At 07:11 PM 10/10/2014, dan at geer.org wrote:
>[ public case study now in progress ]
>HP accidentally signs malware, will revoke certificate
>(Ars:) http://arstechnica.com/security/2014/10/hp-accidentally-signed-malware-will-revoke-certificate/

And we know this HP malware-signing incident is an "accident", because... ???


'But the briefing document suggests *another category of employees*­-*ones who are secretly working for the NSA* without anyone else being aware.  This kind of double game, in which the NSA works with and against its corporate partners, already characterizes some of the agency’s work, in which information or concessions that it desires are surreptitiously acquired if corporations will not voluntarily comply.  The reference to “under cover” agents jumped out at two security experts who reviewed the NSA documents for The Intercept.'

' “That one bullet point, it’s really strange,” said Matthew Green, a cryptographer at Johns Hopkins University.  “I don’t know how to interpret it.”  He added that the cryptography community in America would be surprised and upset if it were the case that *“people are inside [an American] company covertly communicating with NSA and they are not known to the company or to their fellow employees.”* '

'The ACLU’s Soghoian said technology executives are already deeply concerned about the prospect of clandestine agents on the payroll to gain access to highly sensitive data, including encryption keys, that could make the NSA’s work “a lot easier.” '

' “As more and more communications become encrypted, the attraction for intelligence agencies of stealing an encryption key becomes irresistible,” he said.  “It’s such a juicy target.” '

[Or simply sign malware??]

More information about the cryptography mailing list