I really can't seem to find a concrete and descriptive answer.

It's just that... I hesitated to install something in a way I had never done before. It makes sense why it needs that kind of thing to work but still. It says that its "intended" purpose is code signing and code signing only, but I don't think its "power" is limited to only that. Is there any way to make sure that it's only doing code signing?

Any help or advice is appreciated!

 

The risk is that it can be used to sign malware that will have free access to the kernel. As far as I know, that can only happen if R2R decides to distribute malware or the keys fall into a bad actor's hand.

 

And I would sooner trust my computer in the hands of R2R, than any government anywhere in the world!

 

Me too. BUT. Don't keep sensitive information on your DAW anyway. Just don't. Be prepared for it to become a brick and cya and life will be good.

(Who hacks the hackers??)

 

Last edited: Oct 28, 2023

Absolutely agree 100%

 

But... it's installed on not only my DAW but my whole PC, right?

 

I'm left with the question: "Are root certificates limited to their intended purposes listed in certmgr.msc?"

 

It's good that you're getting informed.

You can also keep your production machine offline if you're that worried about it.

You can get another computer plenty powerful enough to go online/download with for super cheap. I've seen them for $50 or less if you really want to save. Another 60 will get you a new 2T USB 3 drive to transfer stuff with.

Just tossing out ideas.

 

I mean the pc your DAW is on. Get a cheap laptop if you have to, do your banking, taxes, websurfing, whatever on it. Keep passwords on it. A $80 Chromebook can handle that stuff. Keep your warez isolated. And your porn

(Edit, didn't see previous post)

 

Last edited: Oct 28, 2023

I don't know too much about certificates but I know that some cert files can be used for Man in the Middle(MITM) attacks, where the cert basically can listen or manipulate the conversation. This can be basically anything, passwords, files etc. It is hard to know and I don't really know for a way to check really.

Edit: For the kernel thing, I wouldn't necessarily say it is bad because of it. User level malware can do crazy stuff anyways. But getting rid of a kernel level malware might be way harder than user level one(for example they can persist even after a clean install) but they are very rare AFAIK.

 

Yeah, also read about that in this article: https://www.malwarebytes.com/blog/n...shouldnt-trust-a-trusted-root-certificate/amp

Just don't know if something similar can or can't be done if the certificate is listed only for code signing like the R2R one. Yes or no?
Of course, in the worst scenario this can be used to sign malware but you have to download and execute that first.

Edit: In certmgr.msc, are the intended purposes what it is supposed to do, or what it can only do?

 

Last edited: Oct 28, 2023

Thank you very much for the ideas, but it really doesn't currently suit me + it's inconvenient.
Appreciate it though

 

Who really cares? Your production machine DOES NOT BELONG on the internet so it doesn't matter. And no. There is no need for anything to be having to connect anywhere on the net in order to do production work (audio or video). For one thing having a hot internet connection loading up all sorts of junk constantly in the network stack eats up processor time and system resources that could be better spent on your production. Aside from the fact that if there is any updater junk running in the background most likely it's undoing all your hard work keeping yourself from being spied upon and or deleting your app cracks. I have heard peeps on here say that you must be net connected or some production stuff wont work. I say DISCONNECT the net, and either get the scene release of whatever app it is, or if a proper warez'd version is unavailable, shit can it and use something else entirely. One thing you can say for capitalism, there will always be another (or perhaps more than one) app to choose from that does the exact same thing.

The R2R certificate is probably one of the most docile things you could run. Although I tend to shy away from elaborate, long-way-around type app hacks and stick with simpler ones that are more to the point. Case in point - like the already mentioned R2R/Steiny hack compared to the V.R./Steiny hack. The V.R. steiny solution is much simpler and does the job just as well or better.

 

I found this from the microsoft documents under the page "Working with Certificates - WCF":
Also note the value of the Intended Purposes field of the certificate should include an appropriate value, such as "Server Authentication" or "Client Authentication".

Looks like Microsoft at least says that you need to have appropriate purpose for the function of the certificate. But...
It seems to me that the intended purpose tab is too broad and vague to conclude that. But I think, with not much confidence if I'm being honest, the authentication and code signing should be 2 different things at least.

 

In R2R we trust

 

idk, crabs maybe ? the flu ? aids ? paranoia ?

 

After reading that, I very much agree and have the same opinion. Thank you very much for finding this!

Edit: I'll still try to find the definitive answer to this. If I do, I'll post my findings here.

 

I don't have a "production machine". I have my personal PC which I would like to use to produce music in my spare time.

 

Many audio products today need Internet authentication. So how would you purpose to keep your production machine off-line?

 

I was going to mention something along those same lines.
Hot-take? With no evidence whether a certificate is limited to its intended purpose, I'll stand by R2R's reputation and knowledge of 1s & 0s and say that I'd find it difficult to believe that they'd put out anything that could be easily exploited by an outside source.