Imagine hacking into a key supplier's driver software and sneaking in defective metadata to Windows Update. Wouldn't this result in mass installation on various systems? Sounds like a serious vulnerability in security.
Chaining access to a likely air-gapped RSA private key (to sign the malformed update) with an already unlikely attack vector, the metadata parsing exploit itself, means this is pretty pie in the sky.
> chaining accessing a likely air-gapped rsa private key
Unfortunately, who knows if that's the case? Whoever was behind Stuxnet managed to steal the crown jewels of not just one but two different companies. There are a lot of companies with credentials to sign Windows kernel-level code out there... which is also the reason why Apple is so insistent on getting rid of kexts: they want to get rid of the entire business model of allowing anyone but themselves to run kernel-level code on ordinary macOS machines.
I expect that many of the players have their private keys not only on accessible machines but also likely under version control. Probably on a cloud platform.
I always liked imagining big players like Apple, Sony, Microsoft, Nintendo, etc. taking absurd measures to protect their private signing keys, something like that Coca-Cola recipe vault.
That was my assumption, considering that is exactly what we did for our COVID certificates. It ran on the same infra as passports, which is the gold standard.
You can split any key into x/n pieces that require x out of n keys to approve a transaction.
All senior devs, physical locations, board members, hell, even all stockholders, could cryptographically vote via an agreed-upon method for any actions.
I've seen some documentaries implying that about some of the root keys for things like certificates, but you know that there are some lying around in an easy-to-use format...
I’ve noticed many new/green accounts that get shadowbanned before (with?) the first post. The accounts will be less than a day old and all comments will be [dead].
I think that's how countries like Japan do that generally. (They hardly have any services featuring "grandfathering".) A new contract and terms under the new plan would be established in the renewal window.
But in the US, I believe for post-paid plans (as opposed to prepaid) there seems to be fairly major red tape on changing terms while staying compliant with whatever rules are set by the FTC and also the states' equivalents, and that probably makes this very tricky.
The rate change would need to be communicated. Harder to slip by, as opposed to just another fee.
It also can wind up causing a legacy plan to cost more than a current one, at times insultingly so. Again, if you don't notice and do (auto)pay, this is just fine by the companies.
And if all that is enough to get you to move to the new plan, good, now it was you that made the choice. You will defend the choice more strongly than if it were made for you, for it was yours, after all.
In time, those with legacy plans will "upgrade," switch companies (same difference) or die.
A few years ago (10?), AT&T got into a lot of trouble (they lost in court) for making unilateral changes to an unlimited plan.
1. The AT&T unlimited plan being talked about here includes the HBO Max streaming for $0.
2. Just a few months ago, Xfinity started breaking out their free streaming service on internet bills, and put in a statement that said that in either late 2024 or early 2025 they were going to start charging a monthly fee unless you cancelled that part. If any of y’all have Xfinity and don’t have a habit of reading your bills, you’d better go take a look!
3. I’d be willing to bet that the “new” AT&T unlimited plan has contract language that will let them also do what Xfinity is doing, and the “old” one doesn’t. Maybe AT&T is considering a sale/spinoff and needs to have that charge broken out for accounting/valuation purposes.