by gwoplock 1568 days ago
I'm confused by 2 things.

1) Why can't/hasn't Microsoft/Nvidia/Root CA revoked the certificate yet?

2) Why are Nvidia's code signing certificates around to be stolen? From my experience most code signing certs are issued on HSMs.

Does anyone have deeper insights into what's going on?


https://www.techrepublic.com/article/nvidias-breach-might-he...

According to that source, one expired in 2014 and the other in 2018. I have no information beyond what's in that article.
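As an added example (not from the thread, NVIDIA, or Microsoft), the standard Authenticode timestamp rule that decides whether a signature made with a now-expired code-signing certificate still validates, applied to constructed signature records; the subject names, dates, and the `SignatureInfo` shape are assumptions standing in for what a tool like signtool would report, not real certificate values.

```python
"""Authenticode expiry triage (added example; constructed data, no real cert values)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class SignatureInfo:
    subject: str                    # signer subject CN (constructed)
    not_before: datetime            # signer certificate validity window
    not_after: datetime
    timestamp: Optional[datetime]   # countersignature (TSA) time, None if untimestamped
    chain_trusted: bool             # chains to a trusted root and is not revoked


def evaluate(sig: SignatureInfo, now: datetime) -> str:
    """Classify one signature as 'valid', 'expired', 'invalid' or 'suspicious'.

    Rule: a timestamped signature is judged at the countersignature time, an
    untimestamped one at verification time. So an expired certificate keeps only
    those signatures alive that were timestamped while it was still valid.
    """
    if not sig.chain_trusted:
        return "invalid"
    if sig.timestamp is None:
        return "valid" if sig.not_before <= now <= sig.not_after else "expired"
    # A countersignature dated outside the cert's validity window means the
    # file was signed after expiry (or the TSA/clock is lying): worth a hunt.
    if not (sig.not_before <= sig.timestamp <= sig.not_after):
        return "suspicious"
    return "valid"


def triage(records, now: datetime) -> dict:
    """Group (filename, SignatureInfo) pairs by verdict for a signed-binary sweep."""
    out: dict = {}
    for name, sig in records:
        out.setdefault(evaluate(sig, now), []).append(name)
    return out


# Constructed sample set: one certificate that expired in mid-2014 (assumed date).
NB, NA = datetime(2011, 1, 1, tzinfo=UTC), datetime(2014, 7, 1, tzinfo=UTC)
SAMPLES = [
    ("old_driver.sys", SignatureInfo("Vendor Corp", NB, NA, datetime(2013, 5, 1, tzinfo=UTC), True)),
    ("untimestamped.exe", SignatureInfo("Vendor Corp", NB, NA, None, True)),
    ("fresh_signed.exe", SignatureInfo("Vendor Corp", NB, NA, datetime(2022, 2, 28, tzinfo=UTC), True)),
]

if __name__ == "__main__":
    print(triage(SAMPLES, datetime(2022, 3, 1, tzinfo=UTC)))
```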

This pcgamer article is... weird.

> If some hooligan signs off malware with a genuine code from Nvidia, your PC may not be able to catch the malware before it unpacks, and wreaks havoc on your system.

I don't know what that means. Unpacks? Catches? It feels like random words assembled in a way that doesn't mean much.

That's because the Industry is still CHOCK FULL of people who are POSEURS.

In the ancient past, such influence was confined to weekly print magazines that mainly embellished upon the intellect of press releases from the once highly credible vendors (companies that were judged based on their length of time in business, annual sales, management team, etc). Then came the great tech purge, termination of most domestic tech people in the aftermath of the 2000 Dot-Com Bubble Burst (in April and again in October) and mass destruction of traditional vendors (even IBM, to a great extent). The workers who were over a certain age had to crack open their retirement, etc. and there really was no coming back from that, because the ensuing nuclear winter lasted until 2006. During that time, the "warm bodies" that had once been hired to write (HTML) scripts during the three year run-up to the Burst and had since returned to "living with their parents" (so almost no overhead) emerged to fill what few temporary jobs there were for rock bottom prices ($10-$17/hr) even as "away teams" from India were beginning to arrive, pitching "themselves" (in reality, emailing their work to India overnight) at even lower prices ($7/hr!). Because there were virtually no highly skilled/trained people to guide these workers, they relied on the Internet for guidance (which got them into all sorts of trouble back in those days) and their perceptions were guided by the unfolding dystopia (e.g., leading to the rise of PHP, created by some unemployed dude who wanted to post his resume because CFM was too expensive) and ultimately the reconstitution of IBM (first order of business, update PHP lol!) and the rise of Amazon Web Services (to do the heavy lifting for these people that think a doorbell interrupt has something to do with Ring) and the rise of Linux (because people who don't pay rent aren't going to buy Windows Server -- an alien concept to Redmond, where it was assumed Linux was taking off because of the inconsequential rise of "tech studs").
The correction began in 2006 and, well, it takes about 20 years for a generation to move through the system, so we're still dealing with chatter-heads that non-tech people can't tell from the real deal (because in every respect, they seem like perfect professionals and have so many YEARS of experience now, but... think that doorbell interrupts are a "product" sold by Ring).

For extra credit (and tremendous profit), consider the impact this has had on cryptocurrency.

I think they are trying to be colloquial, but it's technically correct. Most malware is packed (compressed), so indeed it might not be detectable by a naive scanner that ignores packed Authenticode-signed binaries. "The PC itself" means the anti-malware scanner, "catch" being detect.