This guy disgusts me. He's so obviously either a fabrication by the iranian government or someone who has been brainwashed by their propaganda to the point that he would do irreparable harm to his fellow humans to prove some ideological point.
He claims some injustice about 10,000 Muslim soldiers being killed. How many Muslims in Iran are going to be killed for writing something against the clerics in Gmail?
"he would do irreparable harm to his fellow humans to prove some ideological point"
The harm is already there and possible, he's just forcing the issue. An "Anonymous" with a different agenda. It doesn't help "humanity" to believe that the CA system works when it's been totally subverted.
If this guy has done it, so have many others in all likelihood.
>he would do irreparable harm to his fellow humans to prove some ideological point
this is what humans do. At least have been doing from the times when humans started to be able to have an idea and right up to now, and no indications so far what things are going to change in any foreseeable future. And you're right - that ability and appetite for doing intentional harm makes humans a very disgusting species.
Off topic: Certificate Authorities are a plot point in Vernor Vinge's "Rainbows End". He's really the first novelist to grasp how dramatic revoking a certificate is.
When I hear of "the singularity", my mind immediately leaps to Ray Kurzweil. After reading your comment, I checked Wikipedia to confirm your statement. I just wanted to thank you for correcting my understanding.
If you read "A Deepness in the Sky" (and, perhaps not necessary but nice for the sake of story (a very good one, with its own ideas) and author's intent, his prior "A Fire Upon the Deep"), you'll encounter several other technological ideas -- e.g. smart "dust", biochemical mind "influence" ("focus"), etc. -- that are currently playing out in practical terms in the contemporary technological and research worlds.
What can make scientists with a literary gift so interesting is that their formal position helps them sit on the cusp, looking forward, while their literary skills help them articulate what they see coming.
That pastebin reeks of bullshit. Someone with those kind of skills, someone who actually fulfils the definition of "elite," would not be making ludicrous boasts such as these in public fora. They would either be working for governments or for top security firms, and in both cases would know to STFU.
It is pretty clear that 'Comodohacker' is the guy that hacked Comodo (check the first Pastebin where as 'proof' he releases the as yet unannounced email and pass of the CEO). As to the authenticity of the latest hack, perhaps that might be a bit bullshit, but I would not be surprised.
Yes, the way he/she is bragging about '1337 hacker' skills is pretty 'lulzy'. I am not a security geek, but I find it amusing to see someone bragging about skills I consider to be something not worth mentioning.
This person certainly has patience when it comes to Googling.
The most embarrassing thing that can happen to a security company is getting owned by someone like this.
I am perfectly willing to believe that this person has at least some responsibility for the attacks, what I don't believe is that he did it using all these 1337 swordfish style skillz as he describes.
I'd put money on all of them involving basic social engineering and spear phishing with PDFs.
1. Not all the hacks require ninja skills, there's plenty of big targets with really low security that you can hack just by using publicly available automated tools. Also you need to consider that lots of crackers don't carry out targeted attacks. They need to hack a CA, there's plenty CAs in the world, all you need to find is one with bad security. You don't need to go after a big one, you don't need to go after the most protected application/infrastructure of them.
2. A person can have great skills and publicly brag about his hacks (Kevin Mitnick is a good example)
3. Another version of this, someone can have ninja skills and can be an ass at the same time (quite common in security industry)
It would be foolish to dismiss this guy based on a belief that someone that good would not be working independently. Maybe he's got a record that governments and security firms don't want to touch. Maybe he's philosophically opposed to working with governments. Who knows?
At the moment, I'm reading Kevin Mitnick's Ghost in the Wires (awesome book, by the way). He pretty much owned the entire phone system in California. In some cases, he was able to do things even phone company techs were not able to do. About halfway through the book he describes how he was able to tap the people tapping his own phone lines. What he pulled off was absolutely massive. The phone companies didn't even want to report some of it because of how ridiculous they would look for letting it happen. And as good as he was, no employer wanted to touch him with a 10 foot pole.
My point is that unbelievably huge breaches can be and have been pulled off before. As for him announcing it publicly, I can only speculate on his motives. Maybe he wants to see them squirm. Maybe he's feeling a bit invincible right now. I don't know. But I sure wouldn't dismiss him as full of shit because the claims are so audacious or for the fact that he's bragging about it. We do know that a breach occurred and the victims sure as hell aren't going to reveal the full extent.
Regardless of whether or not these claims are true, it sounds to me like it's time to
1. Have a proper & independent security audit of all root CAs.
2. Have a long, hard think about the SSL policies of some major websites. Facebook and GitHub, for instance, use certs issued by two different CAs. This makes it that much harder for me to make an informed judgement about their validity.
3. Rethink the whole trust model. It hinges on the policies of some companies out to make money, rather than out to secure the internet. These money-grabbing folks seem a lot more interested in the money-grabbing part than in the securing part.
CAs will continue to be broken into, or be pressured by governments. If the trust model doesn't change, nothing else will matter. The best suggestion I've seen is to allow certs to be signed by multiple CAs (currently the X.509 certificate format doesn't allow this). Subverting multiple certificate authorities is much harder. (This will also need browser checks to ensure they're from truly different organizations, rather than just different names, or even from different countries for the paranoid.) It also gives software vendors a nice way to show which CAs they trust -- rather than including the list of keys with their software, instead they can sign the CAs certifying keys, and revoke when they are no longer trusted.
http://www.youtube.com/watch?v=Z7Wl2FW2TcA The original Comodo attack was discussed by Moxie Marlinspike at Blackhat USA 2011 - quite an interesting discussion on the issue.
when are google going to either (1) support notary servers or (2) open chrome's api so that perspectives can do their job properly (the current experimental chrome extension is a horrible hack that doesn't even work for me)?
22 comments
[ 3.1 ms ] story [ 58.0 ms ] threadhttps://pastebin.com/u/ComodoHacker
And to his latest post:
http://pastebin.com/1AxH30em
He claims some injustice about 10,000 Muslim soldiers being killed. How many Muslims in Iran are going to be killed for writing something against the clerics in Gmail?
The harm is already there and possible, he's just forcing the issue. An "Anonymous" with a different agenda. It doesn't help "humanity" to believe that the CA system works when it's been totally subverted.
If this guy has done it, so have many others in all likelihood.
this is what humans do. At least have been doing from the times when humans started to be able to have an idea and right up to now, and no indications so far what things are going to change in any foreseeable future. And you're right - that ability and appetite for doing intentional harm makes humans a very disgusting species.
What can make scientists with a literary gift so interesting is that their formal position helps them sit on the cusp, looking forward, while their literary skills help them articulate what they see coming.
Yes, the way he/she is bragging about '1337 hacker' skills is pretty 'lulzy'. I am not a security geek, but I find it amusing to see someone bragging about skills I consider to be something not worth mentioning.
This person certainly has patience when it comes to Googling.
The most embarrassing thing that can happen to a security company is getting owned by someone like this.
I'd put money on all of them involving basic social engineering and spear phishing with PDFs.
1. Not all the hacks require ninja skills, there's plenty of big targets with really low security that you can hack just by using publicly available automated tools. Also you need to consider that lots of crackers don't carry out targeted attacks. They need to hack a CA, there's plenty CAs in the world, all you need to find is one with bad security. You don't need to go after a big one, you don't need to go after the most protected application/infrastructure of them.
2. A person can have great skills and publicly brag about his hacks (Kevin Mitnick is a good example)
3. Another version of this, someone can have ninja skills and can be an ass at the same time (quite common in security industry)
At the moment, I'm reading Kevin Mitnick's Ghost in the Wires (awesome book, by the way). He pretty much owned the entire phone system in California. In some cases, he was able to do things even phone company techs were not able to do. About halfway through the book he describes how he was able to tap the people tapping his own phone lines. What he pulled off was absolutely massive. The phone companies didn't even want to report some of it because of how ridiculous they would look for letting it happen. And as good as he was, no employer wanted to touch him with a 10 foot pole.
My point is that unbelievably huge breaches can be and have been pulled off before. As for him announcing it publicly, I can only speculate on his motives. Maybe he wants to see them squirm. Maybe he's feeling a bit invincible right now. I don't know. But I sure wouldn't dismiss him as full of shit because the claims are so audacious or for the fact that he's bragging about it. We do know that a breach occurred and the victims sure as hell aren't going to reveal the full extent.
....but that's a... less.... oh nevermind
1. Have a proper & independent security audit of all root CAs. 2. Have a long, hard think about the SSL policies of some major websites. Facebook and GitHub, for instance, use certs issued by two different CAs. This makes it that much harder for me to make an informed judgement about their validity. 3. Rethink the whole trust model. It hinges on the policies of some companies out to make money, rather than out to secure the internet. These money-grabbing folks seem a lot more interested in the money-grabbing part than in the securing part.
firefox plugin - http://www.networknotary.org/firefox.html background - http://perspectives-project.org/