I've been digging around inside Invasion.........


Guest crimminsky
Posted

If you quickview the invasion.exe file on your PC you get some interesting info, might help a few people. Also, if you open the file in DOS, right at the end of the code there is a web address (see below)

www.public-trust.com/cgi-bin/CRL/300/cdp.crl0'

If you cut this down to

www.public-trust.com

it takes you to a page all about BALTIMORE......interesting eh.

hope this helps somebody...because I don't understand code etc..

:oops:

Guest TSCRYPTO
Posted

I couldn't get Invasion to install on my SPV.

Tried executing it on the PC (like Interstellar Flames) - no good.

Tried pasting it into the phone's memory - no good.

Anything else I could do?

Posted

Copy onto storage card, then create a shortcut. Place the shortcut into your start menu. Run from start menu on phone. Ta-da :D

The web address is probably as the file is actually signed - hence it working. I'd still like to know where it came from..

Guest crimminsky
Posted

but surely you just need to include some of that code into an unsigned app and then it will work on the SPV....or am I just being very optimistic????

Posted

I think you are - if it were that simple we'd be there already! I think each file has an individual key coded for it based on the Orange certificate and on its exact filesize etc. It's something like a 128bit RSA encryption (can't remember exactly - anyone?), so it's kinda hard to crack.. You can't just take one off one file and stick it in another. As far as I know :D

  • 4 weeks later...
Guest Steve_Medin
Posted

Yes, public-trust.com is a Baltimore property. One of the items contained in a certificate is a location where anyone interested can determine whether the certificate has been revoked. Known as a CRL or certificate revocation list, this address contains a list of certs that were used to sign software that has been found to either have errors or disrupt the carrier networks.

In cases outside Smartphone use, CRLs were mainly used to determine if a person's certificate is still valid. In the Smartphone case, since each application and version is signed by a different certificate at the public service offered by Baltimore and Geotrust, when we revoke a certificate, Orange can review the certificates on the list and decide which to actually revoke on the phone.

Let's say an app has a virus. It wakes up at 2am and calls a foreign country for an hour. Orange finds out about this app and revokes it. From that point forward, no unsuspecting users can install the virus, and any future attempts to run the problem app will fail.

Not only do certificates ensure that apps are from reliable people, they also allow for problem software to be shut down centrally by Orange through a message broadcast over its networks. Of course, numerous stages of safeguards are taken into account before an over-the-air revocation would occur.

On the other note in this thread, yes, signatures are generated as a hash over the content of the file and require the private key of a certificate that is trusted by the phone. Signatures cannot be copied from one file to another. For that matter, no single byte in a signed file can change without invalidating the signature. That's the major point, nothing has been tampered with in transit since the software was delivered to Baltimore from a company that passes an identity investigation.

If it was that easy to tamper with certs and signatures, I'd be in another line of work.
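Added example, not part of the original posts and not the signing code used by Orange, Baltimore or Geotrust: a toy model of the two checks described in the post above, a signature computed over the hash of the file and a revocation list consulted before the file is accepted. The key (textbook RSA built from two small known primes, with no padding), the serial `CONSTRUCTED-0001`, the file contents and all function names are assumptions made for illustration, and the serial stands in for the per-application certificate.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes (constructed for this demo;
# far too small and unpadded for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the signer


def digest(content: bytes) -> int:
    """SHA-256 of the file content, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(content).digest(), "big") % N


def sign(content: bytes, serial: str) -> dict:
    """Signing service: attach a signature and a certificate serial to the content."""
    return {"serial": serial, "sig": pow(digest(content), D, N)}


def verify(content: bytes, signed: dict, crl: set) -> str:
    """Device-side check: revocation first, then signature against the content hash."""
    if signed["serial"] in crl:
        return "revoked"
    if pow(signed["sig"], E, N) != digest(content):
        return "bad signature"
    return "ok"


def demo() -> dict:
    game = b"MZ...constructed stand-in for a signed game binary"
    other = b"MZ...constructed stand-in for an unsigned app"
    signed = sign(game, serial="CONSTRUCTED-0001")
    tampered = bytearray(game)
    tampered[10] ^= 0x01            # flip a single bit in the file
    return {
        "original": verify(game, signed, crl=set()),
        "one_bit_changed": verify(bytes(tampered), signed, crl=set()),
        "signature_moved": verify(other, signed, crl=set()),
        "after_revocation": verify(game, signed, crl={"CONSTRUCTED-0001"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the untouched file with an unrevoked serial verifies; the signature value is tied to one exact byte sequence, so attaching it to different content changes the hash it is compared against.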

Guest awarner [MVP]
Posted

Hey we have another insider as a member :lol:

Welcome Steve to the SPV training camp ;)

Guest bobroberts
Posted

It's good to get some kinda insight on why we have the security certificates on a mobile and the kind of virus that might affect the network. I'd never really thought about it before, it just seemed annoying...

bobroberts

Guest ClintEastman
Posted

Have you tried any of the software from this forum, Steve?

Good post by the way! :wink:

Guest ClintEastman
Posted

"jurassic park!!"

PS Where's my update Orange!!! GRRRR....

Guest Steve_Medin
Posted

No, but I plan to. We're getting our test devices in the next few days.

We're still wrestling internally with freeware's survival in a platform that mandates that a developer bear a cost. A lot of options are being discussed, and everyone is very aggressively pursuing the bargain.

I have to commend Orange's efforts in this area, too. They are as vocal as all of you.

Posted

That's nice to hear, Steve! I tell you I am going to be one very pissed off SPV user if freeware doesn't survive.

Guest ClintEastman
Posted

True, until I unlocked my phone it was just that, a phone. Now it's so much more!

Free the wares!!!

PS Thanks Steve for giving us an insight into what's going on.

Guest sprouts42
Posted

So who is forcing the apps to be signed? Just Microsoft?

Guest Steve_Medin
Posted

Orange. The Smartphone can be run in a variety of modes. Orange chose this one.
