←back to thread

Cyber Scarecrow

(www.cyberscarecrow.com)
606 points toby_tw | 1 comments | 18 Jun 24 08:08 UTC | HN request time: 0s | source
Show context
scosman ◴[18 Jun 24 08:25 UTC] No.40715334[source]
Fun concept.

If the creators read this, I suggest some ways of building trust. There’s no “about us”, no GitHub link, etc. It’s a random webpage that wants my personal details, and sends me a “exe”. The overlap of people who understand what this tool does, and people who would run that “exe” is pretty small.

replies(7): >>40715364 #>>40715425 #>>40715446 #>>40715473 #>>40716059 #>>40716538 #>>40723731 #
CyberScarecrow ◴[18 Jun 24 08:55 UTC] No.40715473[source]
Author of cyber scarecrow here. Thank you for your feedback, and you are 100% right. We also dont have a code signing certificate yet either, they are expensive for windows. Smartscreen also triggers when you install it. Id be weary of installing it myself as well, especially considering it runs as admin, to be able to create the fake indicators.

I have just added a bit of info about us on the website. I'm not sure what else we can do really. Its a trust thing, same with any software and AV vendors.

replies(18): >>40715568 #>>40715665 #>>40715733 #>>40716043 #>>40716134 #>>40716229 #>>40716260 #>>40716317 #>>40716684 #>>40716889 #>>40719030 #>>40719198 #>>40719439 #>>40720186 #>>40720416 #>>40720493 #>>40723898 #>>40727328 #
AnthonyMouse ◴[18 Jun 24 11:01 UTC] No.40716260[source]
> We also dont have a code signing certificate yet either, they are expensive for windows.

When someone is offering you a certificate and the only thing you have to do in order to get it is pay them a significant amount of money, that's a major red flag that it's either a scam or you're being extorted. Or both. In any case you should not pay them and neither should anyone else.

replies(3): >>40716777 #>>40717182 #>>40717330 #
DougN7 ◴[18 Jun 24 12:02 UTC] No.40716777[source]
Besides paying money you also go through a (pretty simplistic) audit. It’s about the only way we have to know who published some code, which is important. If you can come up with a better way you should implement it and we’ll all follow.

As a side note, I’ve been trying to figure out how to get an EV code signing cert that isn’t tied to me (want to make a tool Microsoft won’t like and don’t want retaliation to hurt my business) but I haven’t come up with a way to do it - which is a good thing I suppose.

replies(1): >>40718312 #
hunter2_ ◴[18 Jun 24 14:34 UTC] No.40718312[source]
Can you have someone else go through the process of getting it, like a Craigslist rando to whom you pay cash?
replies(1): >>40719796 #
wongarsu ◴[18 Jun 24 16:48 UTC] No.40719796{3}[source]
If said Craigslist rando likes getting police visits and potentially being criminally liable for helping you commit a felony ...

All code signing promises to give you the name of a real person or company that signed the binary. From there it's the end user's responsibility to decide if they trust that entity.

In practice the threat of the justice system makes any signed executable unlikely to be malicious. But that doesn't mean you have to uncritically trust a binary signed by Joe Hobo

replies(1): >>40722040 #
newzisforsukas ◴[18 Jun 24 20:43 UTC] No.40722040{4}[source]
> In practice the threat of the justice system makes any signed executable unlikely to be malicious.

What threats are those? Where are all the people going to jail for falsely signed software? The stuxnet authors seem to be in the wind.

replies(1): >>40722161 #
1. wongarsu ◴[18 Jun 24 20:59 UTC] No.40722161{5}[source]
The threat is that if you sign malware with your name you will be quickly connected with said malware. If you don't live in a country that turns a blind eye to cyber crime that is a quick ticket to jail.

Of course people stealing other people's signing keys is an issue. But EV code signing certificates are pretty well protected (requiring either a hardware dongle or 2FA). It's not impossible for a highly sophisticated attacker, but it's a pretty high bar.