Slashdot Mirror


D-Link Accidentally Publishes Private Code Signing Keys

New submitter bartvbl writes: As part of the GPL license, D-Link makes its firmware source code available for many of its devices. When looking through the files I accidentally stumbled upon 4 different private keys used for code signing. Only one — the one belonging to D-Link itself — was still valid at the time. I have successfully used this key to sign an executable as D-Link. A Dutch news site published the full story (translated to English with Google Translate).

7 of 67 comments

  1. Revoked the keys, but is this still exploitable? by Anonymous Coward · · Score: 4, Interesting

    They revoked the keys in question in some time in September.

    But if you disconnect the machine from the internet, or otherwise block the connection to the server that provides revocation information, will the Windows system still see an executable signed with the revoked key as valid?

    I'm not an expert. Genuinely asking.

  2. Re:Revoked the keys, but is this still exploitable by dlenmn · · Score: 4, Informative

    Google Chrome no longer even bothers, ignoring revocation lists completely.

    That's not quite what your article says. It says that Google stopped checking with the security authority using the Online Certificate Status Protocol. However, the article also says that Chrome replaced that with a local list of revoked certificates that can be updated without restarting the browser. So, Chrome still does keep track of revoked certificates.

  3. Reminds me of story about a graphics chip company by Ungrounded+Lightning · · Score: 5, Interesting

    I'll leave the company name out (mostly to protect my source B-) )

    This was in the early part of the cycle of:
      - A handful of companies made graphics accelerator chips.
      - A BUNCH of new companies also made graphics accelerator chips.
      - There was a shakeout and only a few survived - not necessarily many - or any - of the original handful.
    The company in question was one of the original few.

    The hardware was good. But much of the performance advantages were due to some good algorithms in the driver, which were applicable to other good, bad, or moderate capability hardware, rather than depending on special features of the company's product.

    As with many Silicon Valley companies, where the value added was so high that the administration could be utterly wacky or clueless and the company would still survive for years, this one had some managers make some dumb decisions.

    One dumb decision was to try to save money by limiting the personnel to one new floppy disk per month. So the developers kept reusing the disks they had, when they shouldn't.

    As a result, the golden master for an object-only release of the driver was built on a used disk, which had once held the complete sources of the driver in question. Apparently the "reformat" process used didn't overwrite the sectors - but the manufacturing process that cloned the golden master DID copy those sectors.

    A customer tried an undelete utility and found almost the entire source code. Oops!

    This news got out. Over the next couple years the great algorithms went from being a valuable trade secret (much of the company's "secret sauce") to a de facto industry standard.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way

  4. Good for them! by godel_56 · · Score: 2

    I find their full bodied and unrestrained support for open source commendable.

  5. Re:Surely the GPL requires all source to build. by multimediavt · · Score: 3, Informative

    There is NOTHING in the GPL (v1, v2 nor v3, nor any sub license alternative) that says the source code has to compile or that an executable be supplied with source code to use the GPL. The quote you reference (and I read it too, I've read the GPL numerous times!) states that if you DO supply a binary, i.e., "executable work", you must also supply all the source files including compiler scripts used for that binary when you distribute under the GPL. There is nothing in the GPL that says the code has to be executable, has to function correctly, nor has to compile from what you distribute under the GPL. The GPL is a copyright license, not a consumer protection law. It just states that if you code it, the source is made available to anyone that wants to use it or modify it, and that the modifications stay under the ascribed GPL license. That's all, nothing else, thank you for playing. Don't let the door hit you on the way out.

    Here's some more info for you.

    And since you're obviously too lazy to bother to follow links to find information on the web, here:

    I use public key cryptography to sign my code to assure its authenticity. Is it true that GPLv3 forces me to release my private signing keys?
    (#GiveUpKeys)
    No. The only time you would be required to release signing keys is if you conveyed GPLed software inside a User Product, and its hardware checked the software for a valid cryptographic signature before it would function. In that specific case, you would be required to provide anyone who owned the device, on demand, with the key to sign and install modified software on his device so that it will run. If each instance of the device uses a different key, then you need only give each purchaser the key for his instance.

  6. D-Link and GPL by MrKaos · · Score: 4, Insightful

    I'd just like to point out, before D-Link get too much criticism, that there are many companies that avoid this situation by violating the terms of the GPL by not making the source code available or even displaying the terms of the license.

    Ok, D-Link made a mistake, however I think it is a good thing that they are being sincere to the terms of the license. Well done D-Link, they will fix the problem and I will be happy to buy their products over other vendors who violate the terms of the GPL.

    --
    My ism, it's full of beliefs.

    1. Re:D-Link and GPL by Anonymous Coward · · Score: 2, Insightful

      Like this one

      https://trac.ffmpeg.org/ticket...

      Blue Iris Video Security Software
      Perspective Software

      No indication of GPL use. Claims work as his own.

      From the download package, BlueIris.exe is UPX compressed. Decompress, then investigate 22 MB file with strings.exe.

      libswresample license: GPL version 2 or later
      libswscale license: GPL version 2 or later
      libavcodec license: GPL version 2 or later
      libavformat license: GPL version 2 or later
      libavutil license: GPL version 2 or later

      Compile strings discovered:

      --enable-gpl --cpu=i686 --prefix=/c/msys/1.0/ffmpeg/build --enable-libx264

      Here's something fun to do. Tell PayPal that BlueIris is violating term 9c of the user agreement (since they take PayPal for their registration fee):

      PayPal User Agreement
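An added example, not the commenter's own tooling, in the spirit of the strings.exe step above: a small Python audit that extracts printable strings from a binary image and flags the ffmpeg library license markers and GPL-enabling configure flags that reveal a copyleft build. The sample bytes below are constructed for the demonstration and are not taken from BlueIris.exe; the library and flag names are the ones shown in the thread.

```python
import re
from typing import Dict, List

# Constructed sample resembling what `strings` pulls out of a decompressed,
# ffmpeg-linked executable. Not the real BlueIris.exe; values are illustrative.
SAMPLE_BINARY = (
    b"\x00\x01MZ\x90\x00junk\x00"
    b"libavcodec license: GPL version 2 or later\x00"
    b"libavformat license: GPL version 2 or later\x00"
    b"libswresample license: LGPL version 2.1 or later\x00"
    b"--enable-gpl --cpu=i686 --prefix=/c/msys/1.0/ffmpeg/build --enable-libx264\x00"
    b"\xff\xfe\x00short\x00"
)

# ffmpeg embeds one "<lib> license: <text>" marker per library it was built with.
LICENSE_RE = re.compile(r"^(lib\w+) license: (.+)$")
# Configure flags that switch the whole ffmpeg build to GPL (or non-free) terms.
CONFIGURE_RE = re.compile(r"(?:^|\s)--enable-(?:gpl|nonfree|version3)\b")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def audit(data: bytes) -> Dict[str, object]:
    """Report bundled ffmpeg libraries, their licenses and GPL build flags."""
    libraries: Dict[str, str] = {}
    gpl_flags: List[str] = []
    for s in extract_strings(data):
        m = LICENSE_RE.match(s)
        if m:
            libraries[m.group(1)] = m.group(2)
            continue
        # Configure lines start with "--"; keep only the copyleft-switching flags.
        if s.startswith("--"):
            gpl_flags.extend(f for f in s.split() if CONFIGURE_RE.search(f))
    # "GPL" only: LGPL markers are weak copyleft and are reported separately.
    copyleft = {k: v for k, v in libraries.items() if v.startswith("GPL")}
    return {
        "libraries": libraries,
        "copyleft_libraries": copyleft,
        "gpl_build_flags": gpl_flags,
        "needs_source_offer": bool(copyleft) or bool(gpl_flags),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_BINARY))
```

Run it over a real decompressed image with `audit(open(path, "rb").read())`; a non-empty `copyleft_libraries` or `gpl_build_flags` means the distribution needs a matching source offer.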