If the creators read this, I suggest some ways of building trust. There’s no “about us”, no GitHub link, etc. It’s a random webpage that wants my personal details, and sends me a “exe”. The overlap of people who understand what this tool does, and people who would run that “exe” is pretty small.
I have just added a bit of info about us on the website. I'm not sure what else we can do really. Its a trust thing, same with any software and AV vendors.
When someone is offering you a certificate and the only thing you have to do in order to get it is pay them a significant amount of money, that's a major red flag that it's either a scam or you're being extorted. Or both. In any case you should not pay them and neither should anyone else.
Not many software promises to fend off attackers, asks for an email address before download, and creates a bunch of processes using a closed source dll the existence of which can easily be checked.
Then again, not many malware targeting consumers at random check for security software. You are more likely to see a malware stop working if you fake the amount of ram and cpu and your network driver vendor than if you have CrowdStrike, etc. running.
As a side note, I’ve been trying to figure out how to get an EV code signing cert that isn’t tied to me (want to make a tool Microsoft won’t like and don’t want retaliation to hurt my business) but I haven’t come up with a way to do it - which is a good thing I suppose.
https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACe...
I used Google to search for "list of microsoft trusted CA".
Not for hacking non citizens
Also are you aware of the (very awesome) EDR evasion toolkit called scarecrow? Naming stuff is hard, I get that, but this collision is a bit much IMO.
* code signing certificate funding
* consulting/assessment to harden the application or concept itself as well as to make it more robust (they'll probably route through Cure53)
* consulting/engineering to solve for the "malware detects this executable and decides that the other indicators can be ignored" problem, or consulting more generally on how to do this in a way that's more resilient.
If you wanted to fund this in some way without necessarily doing the typical founder slog, might make sense to 501c3 in the US and then get funded by or license this to security tooling manufacturers so that it can be embedded into security tools, or to research the model with funding from across the security industry so that the allergic reaction by malware groups to security tooling can be exploited more systemically.
I imagine the final state of this effort might be that security companies could be willing to license decoy versions of their toolkits to everyone that are bitwise identical to actual running versions but then activate production functionality with the right key.
The major upside is the pricing: currently "free" [3] during testing, later about 10 USD/month. As there doesn't seem to be a revocation mechanism based on some docs I read, signed binaries might be valid even after a canceled subscription.
[1] https://azure.microsoft.com/en-us/products/trusted-signing
[2] https://learn.microsoft.com/en-us/azure/trusted-signing/quic...
[3] You need a CC and they will likely charge you at some point. Also I had to use some kind of business Azure/MS 365 account which costs about 5 USD/month. Not sure about the exact lingo, not an Azure/MS expert. The docs in [2] was enough for me to get through the process.
All code signing promises to give you the name of a real person or company that signed the binary. From there it's the end user's responsibility to decide if they trust that entity.
In practice the threat of the justice system makes any signed executable unlikely to be malicious. But that doesn't mean you have to uncritically trust a binary signed by Joe Hobo
This would be a boon for security folk who analyze/reverse malware: they can add/simulate this tool in their VMs to ensure the malware being analyzed doesn't deactivate itself!
I kinda think this functionality could be subverted into a kill switch for legit-licensed installs simply by altering the key.
- commenting under a pseudonymous profile
- asking for emails by saying "please email me. contact at cyberscarecrow.com"
- describing yourself in your FAQ entry for "Who are you?" by writing "We are cyber security researchers, living in the UK. We built cyber scarecrow to run on our own computers and decided to share it for others to use it too."
I frequently use pseudonymous profiles for various things but they are NOT a good way to establish trust.
What threats are those? Where are all the people going to jail for falsely signed software? The stuxnet authors seem to be in the wind.
Of course people stealing other people's signing keys is an issue. But EV code signing certificates are pretty well protected (requiring either a hardware dongle or 2FA). It's not impossible for a highly sophisticated attacker, but it's a pretty high bar.
That said, EV certs jumped in price over the past couple years. The total cost ends up being higher than the list price -- vendors tack on a non-trivial extra fee for the USB hardware token and shipping. All-inclusive I paid like $450 a year ago, and that was after getting a small repeat-customer discount.
So yes, Azure's service is substantially cheaper than an EV cert. And it also has the flexibility of being a monthly plan, rather than an annual commitment.