Updates need to be authenticated, to prevent attackers from tricking you into installing a malicious update. This was one of the techniques that the computer worm Stuxnet used. For years, though, hackers have been using valid signing authorities to create valid authentication signatures for bad updates. Many of the supply-chain vulnerabilities I’ll talk about in Chapter 5 are the result of faulty authentication.
