Cyber Scarecrow

(www.cyberscarecrow.com)
606 points toby_tw | 3 comments
scosman No.40715334
Fun concept.

If the creators read this, I suggest some ways of building trust. There’s no “about us”, no GitHub link, etc. It’s a random webpage that wants my personal details, and sends me an “exe”. The overlap of people who understand what this tool does, and people who would run that “exe” is pretty small.

CyberScarecrow No.40715473
Author of Cyber Scarecrow here. Thank you for your feedback, and you are 100% right. We also don't have a code signing certificate yet either, they are expensive for Windows. SmartScreen also triggers when you install it. I'd be wary of installing it myself as well, especially considering it runs as admin, to be able to create the fake indicators.

I have just added a bit of info about us on the website. I'm not sure what else we can do really. It's a trust thing, same with any software and AV vendors.

AnthonyMouse No.40716260
> We also don't have a code signing certificate yet either, they are expensive for Windows.

When someone is offering you a certificate and the only thing you have to do in order to get it is pay them a significant amount of money, that's a major red flag that it's either a scam or you're being extorted. Or both. In any case you should not pay them and neither should anyone else.

firesteelrain No.40717182
There's a reason it costs money and it's because the CAs have to undergo costly audits. Microsoft publishes a list of trusted CAs:

https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACe...

1. a1o No.40717737
This looks like a random website and not a Microsoft website. How could I trust such a list?

2. firesteelrain No.40717888
Because it came from this site: https://learn.microsoft.com/en-us/security/trusted-root/part...

I used Google to search for "list of microsoft trusted CA".

3. firesteelrain No.40720899
Looks like people have no experience with CA audits or security controls.