

Diginotar and Comodo hacker the same guy and claims to have owned 4 other CAs - mike-cardwell
https://www.f-secure.com/weblog/archives/00002231.html

======
mike-cardwell
Link to his pastebin:

<https://pastebin.com/u/ComodoHacker>

And to his latest post:

<http://pastebin.com/1AxH30em>

~~~
illumin8
This guy disgusts me. He's so obviously either a fabrication by the Iranian
government or someone who has been brainwashed by their propaganda to the
point that he would do irreparable harm to his fellow humans to prove some
ideological point.

He claims some injustice about 10,000 Muslim soldiers being killed. How many
Muslims in Iran are going to be killed for writing something against the
clerics in Gmail?

~~~
mentat
"he would do irreparable harm to his fellow humans to prove some ideological
point"

The harm is already there and possible, he's just forcing the issue. An
"Anonymous" with a different agenda. It doesn't help "humanity" to believe
that the CA system works when it's been totally subverted.

If this guy has done it, so have many others in all likelihood.

------
celticjames
Off topic: Certificate Authorities are a plot point in Vernor Vinge's
"Rainbows End". He's really the first novelist to grasp how dramatic revoking
a certificate is.

~~~
e40
Vernor Vinge is also the person that came up with the idea of the singularity.
Prescient more than your average author, it seems.

~~~
pasbesoin
If you read "A Deepness in the Sky" (and, perhaps not necessary but nice for
the sake of story (a very good one, with its own ideas) and author's intent,
his prior "A Fire Upon the Deep"), you'll encounter several other
technological ideas -- e.g. smart "dust", biochemical mind "influence"
("focus"), etc. -- that are currently playing out in practical terms in the
contemporary technological and research worlds.

What can make scientists with a literary gift so interesting is that their
formal position helps them sit on the cusp, looking forward, while their
literary skills help them articulate what they see coming.

~~~
e40
"A Fire Upon the Deep" is one of my favorite books of all time. Ranks up there
with "Dune" and the Foundation trilogy.

------
jvc26
<http://www.youtube.com/watch?v=Z7Wl2FW2TcA> The original Comodo attack was
discussed by Moxie Marlinspike at Blackhat USA 2011 - quite an interesting
discussion on the issue.

------
sspencer
What do you suppose is the street value of the keys to 4 CAs?

------
Tharkun
Regardless of whether or not these claims are true, it sounds to me like it's
time to

1. Have a proper & independent security audit of all root CAs.

2. Have a long, hard think about the SSL policies of some major websites.
Facebook and GitHub, for instance, use certs issued by two different CAs. This
makes it that much harder for me to make an informed judgement about their
validity.

3. Rethink the whole trust model. It hinges on the policies of some companies
out to make money, rather than out to secure the internet. These
money-grabbing folks seem a lot more interested in the money-grabbing part
than in the securing part.

~~~
wnoise
CAs will continue to be broken into, or be pressured by governments. If the
trust model doesn't change, nothing else will matter. The best suggestion I've
seen is to allow certs to be signed by multiple CAs (currently the X.509
certificate format doesn't allow this). Subverting multiple certificate
authorities is much harder. (This will also need browser checks to ensure
they're from truly different organizations, rather than just different names,
or even from different countries for the paranoid.) It also gives software
vendors a nice way to show which CAs they trust -- rather than including the
list of keys with their software, instead they can sign the CAs certifying
keys, and revoke when they are no longer trusted.

------
JonnieCache
That pastebin reeks of bullshit. Someone with those kind of skills, someone
who actually fulfils the definition of "elite," would not be making ludicrous
boasts such as these in public fora. They would either be working for
governments or for top security firms, and in both cases would know to STFU.

~~~
derrida
It is pretty clear that 'Comodohacker' is the guy that hacked Comodo (check
the first Pastebin where as 'proof' he releases the as yet unannounced email
and pass of the CEO). As to the authenticity of the latest hack, perhaps that
might be a bit bullshit, but I would not be surprised.

Yes, the way he/she is bragging about '1337 hacker' skills is pretty 'lulzy'.
I am not a security geek, but I find it amusing to see someone bragging about
skills I consider to be something not worth mentioning.

This person certainly has patience when it comes to Googling.

The most embarrassing thing that can happen to a security company is getting
owned by someone like this.

~~~
JonnieCache
I am perfectly willing to believe that this person has at least some
responsibility for the attacks, what I don't believe is that he did it using
all these 1337 swordfish style skillz as he describes.

I'd put money on all of them involving basic social engineering and spear
phishing with PDFs.

------
andrewcooke
when are google going to either (1) support notary servers or (2) open
chrome's api so that perspectives can do their job properly (the current
experimental chrome extension is a horrible hack that doesn't even work for
me)?

firefox plugin - <http://www.networknotary.org/firefox.html>

background - <http://perspectives-project.org/>

------
peterwwillis
_it is so unusual like greater than sign in all programming languages is " <"
but in XUDA it is "{"_

....but that's a... less.... oh nevermind

