A message from Comodo Hacker - __hudson__
http://pastebin.com/74KXCaEZ

======
nikcub
I crossed paths with the guys behind globaltrust.it years ago. I ended up
auditing a code project they had written for a co. in the financial services
industry that required good security, audit trails, client authentication etc.

After the third remote exploit that I found, my recommendation was that they
throw it out and start again; it was a huge jumble of PHP. This hurt their
feelings, and a 6 month long argument ensued where they defended their
competency.

When I heard 'Italian certificate provider' last week, I thought it could be
them, because they went on to launch a certificate project. I am more
surprised that Comodo didn't do any due diligence on their resellers. All they
had to do was to email my client to ask how their project went, and they would
have found out about the clusterfuck.

------
Xk
> At first I decided to hack RSA algorithm, I did too much investigation on
> SSL protocol, tried to find an algorithm for factoring integer, analyzed
> existing algorithms, for now I was not able to do so, at least not yet, but
> I know it's not impossible and I'll prove it

Huh. He kind of lost all credibility at that point. Breaking RSA isn't
something you just _decide_ to do. I'll wait for the day when he announces
he's broken it.

~~~
daeken
Hasn't everyone woken up some day and said "hey, I'm gonna break RSA today"? I
guess that only happens when you have the experience of 1000 hackers...

~~~
ericmsimons
LOL. Does this guy think he's really going to scare us with lines that
could've come from a Michael Bay movie??

~~~
regularfry
Aren't they just naively translated idioms which don't sound quite so
hackneyed in Farsi? Dunno, just guessing.

------
gabbo
Am I the only one to expect the guy who compromised a CA and generated a
number of very high-value certs to use one of those certs to sign his message?

------
jrockway
So it takes the "skill of 1000 programmers" to write a program to send POST
requests to an HTTP API? He must have been writing his client in Java...

~~~
Confusion
I wonder whether that hyperbole of '1000 ...' is due to mistranslating some
Iranian idiom. Not that it would make the assertion any better.

------
mak120
I come off with the feeling it is actually composed by an Iranian (possibly a
team but could be an individual) who is clearly motivated to make "politically
correct" (from the POV of the Iranian govt.) speeches. He goes to great
lengths to praise his government, ambassador and president while denouncing
all dissidents, separatists, Israel and the US. I cannot help feeling he/they
have some connection with the government. Possibly the whole teenage cyberpunk
rhetoric was deliberate (see repeated "hard for you easy for me" and "I was so
fast" and the absurd "I will factor large integers") and little more than a
poorly executed smoke screen to divert attention.

------
schrototo
If that is indeed the guy, he certainly sounds like a _massive_ douchebag.

~~~
pan69
About 1000 times a douchebag.

~~~
trotsky
welcome to lone wolf penetrations

------
Volscio
Update with part of the decompiled TrustDLL code:

<http://pastebin.com/DBDqm6Km>

------
eggdude
My favorite line: "easy for me, so hard for others"

------
mcorrientes
He sounds like a douchebag because he thinks he is awesome after hacking a
CA.

Most of the stuff is just lame, but I still appreciate the way he infiltrated
the system.

------
clueless
I think I kind of know, but for the uninitiated, can someone tell us what the
potential practical consequences of this hack could have been?

~~~
wmf
If you combined these evil SSL certs with the right BGP hijack, you could read
a lot of people's email and such. And since reading mail lets you reset
passwords on everything else, he could have basically owned millions of
people.

~~~
kragen
BGP, or DNS, or your DSL modem or cable modem, or an open access point, or the
router in an internet cafe, or...

------
Volscio
I thought the most interesting part about this was that he claimed to be a
21yo Iranian who took sole credit, while having a problem with the lack of
controversy surrounding the Stuxnet US/Israel project.

------
dancavallaro11
Oooh, my favorite part is on line 136, when he claims "RSA 2048 was not able
to resist in front of me". That's a pretty, um, "interesting" characterization
of the level of sophistication of his attack.

------
thebooktocome
That's some serious Miyamoto Musashi rhetoric there. The guy's either a grade
A rationalist or a massive douchebag. I put odds at 5/95.

~~~
kragen
Can you elaborate on the "grade A rationalist" remark? Does attempting to
compensate for one's cognitive biases generally blind one to how one sounds to
others?

------
gbrindisi
Well, the time has finally arrived to rethink the whole CA system.

------
phlux
I LOVE the fact that I live in a world that I get to read some hackers
manifesto online:

 _My Rules as I rule to internet, you should know it already..._

Although, I do have to agree with his points about Echelon.

EDIT: His command of the English language is irrelevant -- I stand by my
comment above, which is that the fact we are even reading stuff like this
makes my 16-year-old cyberpunk-playing self from the '80s quite happy.

