Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Re:Or
Nothing but the article. This is how they should be posted. http://www.securityfocus.com/print/news/11400
-
Re:Or
-
Or
-
Re:bahumbug!
Have to agree with mr_mischief talking about the blueprints and what this really entails for the DOD.
I think for the DOD, this is their best option for the future. Even after running into this article Thwarted Linux backdoor hints at smarter hacks from what I've been reading on OSS the last couple years off and on and just last few weeks taking the plunge into Linux. As the article says it was caught because of a "routine file integrity check" and "Other programmers soon figured out the trick, and by Thursday an investigation into how the development site was compromised was underway, headed by Linux chief Linus Torvalds, according to McVoy."
With MS there is a much better chance that some backdoor code is known, but not publicly and MS has learned of it, but since no one has contacted them about it they will sit on it for months. In the meantime country x's crackers have been exploiting it on certain government systems. And yes I use WinXP and will use Vista also, but I am also going to try to move most of my personal computers to Linux eventually, even if it's dual boot or VMware.
Wow the time, got to go to sleep.
-
Re:Whats ADS for?
"In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details."
http://www.securityfocus.com/infocus/1822 -
Re:Again?
Maybe they're still using ssh-1.2.30 http://www.securityfocus.com/news/4831
-
No they don't
The statement that people could introduce malicious code into Linux that then makes its way into secure systems. Of course with companies outsourcing programming jobs to other countries the same thing could happen with a closed source system.
Forget outsourcing. Software companies that don't manage their development process closely enough (and that's most of them) often end up with unauthorized features. Usually they're added because somebody thought they were cool, but backdoors are not unknown.
I used to work at Borland, and the developers there are notorious for adding features totally on their own initiative. In one famous case, the unauthorized feature was a back door in a widely used database server. This back door was probably not created with malicious intent, but the security effect was the same. Any bets as to how many other similar back doors exist that haven't made the news?
The Interbase back door was only discovered when the product was open-sourced. And that nicely illustrates why open source is more secure than closed source. Borland's blunder demonstrates that you can't secure software simply by making source creation "employees only". A company can monitor the development process in order to prevent developers from creating security problems — as Borland should have done — but how do you separate companies with good auditing procedures from those that just claim they do? By contrast, opening up the source offers objective evidence as to the software's security — or lack thereof.
-
Re:Good Luck
When I said critical I meant vulnerabilities that could cause the server to be compromised. IIS6 had never had any.
Now lets analyze your last post...
"How about a buffer overflow exploit? Does that count?
http://lists.grok.org.uk/pipermail/full-disclosure/2005-April/033445.html"
Sorry, but that one does count because it's not real.
"How about this long list as compiled by a Microsoft MVP?
http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx"
That list counts every vulnerability in Win2k3 since it was released, and is not relevant. IE/Media Player/Flash/SMB vulnerabilities cannot be exploited via IIS6.
"How about these honorable mentions as well?
http://www.aqtronix.com/Advisories/AQ-2003-02.txt (unannounced by Microsoft)
http://isc.sans.org/diary.php?date=2005-10-11
http://www.securityfocus.com/bid/9409"
Hmm. The first is an IIS5 vulnerability. Try reading past the first line next time.
The second one is not an IIS6 or IIS5 vulnerability. Not sure WTF you posted that for.
The third one is an Exchange Vulnerability. Exchange != IIS6
"Lets also not forget that....several vulnerabilities to underlying systems and Dlls caused IIS6 to be vulnerable as well."
Just because some dll or binary is vulnerable in Windows does not necessarily mean it can be exploited via IIS. You are grasping for straws here.
So let's sum up your glorious rebuttal to my claim that IIS6 has had no critical vulnerabilities.
* You've posted a fake (Here's your sign!) vulnerability.
* You've posted a list of all of the vulnerabilities in Win2k3, and insinuated that they all can be exploited via IIS6
* You've posted two vulnerabilities that had nothing to do with any version of IIS, and one IIS5 vulnerability.
* You repeatedly brought up IIS5, when in fact I never brought up IIS5 and was specifically talking about IIS6. -
Re:Good Luck
Faster? Perhaps, but by whose measure? I've never seen a useful (yes, Microsoft's don't count as useful) Apache/IIS performance comparison.
Measure yourself. Apache doesn't have the same overhead. Use the exact same computer and install IIS on Windows. Do the same with Apache on Linux. Optimize them both as much as you want; for Linux, run without X Windows and shut down all other unnecessary services. Now see which handles 1000 concurrent requests better. You will find that the Apache webserver can run using 25-50% fewer resources. Windows cannot as it requires the GUI to be able to run, has several other services running that it can't shut down and cannot virtualize well nor fill as many requests as fast.
Try it if you don't believe it.
More secure? Why do you think that? IIS6 has never had a critical vulnerability discovered for it. In the same time frame you can't say that for Apache 1.x and 2.x.
How about a buffer overflow exploit? Does that count?
http://lists.grok.org.uk/pipermail/full-disclosure/2005-April/033445.html
How about this long list as compiled by a Microsoft MVP?
http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx
How about these honorable mentions as well?
http://www.aqtronix.com/Advisories/AQ-2003-02.txt (unannounced by Microsoft)
http://isc.sans.org/diary.php?date=2005-10-11
http://www.securityfocus.com/bid/9409
Oh really? Must we forget that IIS before that had vulnerabilities every MONTH that were so bad that it allowed several different viruses and exploits destroy any market gains they had made over 5 years??
Let's also not forget that it is IMPOSSIBLE to run IIS without Windows and thus several vulnerabilities to underlying systems and DLLs caused IIS6 to be vulnerable as well. Look through the long long list of Windows vulnerabilities and you will find several that claim they affect IIS as well. Others you won't see even though hacks, viruses and exploits directly affect DLLs that it needs to run. Does Microsoft count that as a hack? Nope. It's to an underlying system that they consider Windows and NOT IIS (even though IIS would crash in a heartbeat).
And finally, let us not forget the long list of security experts that mention these exploits and only get them fixed AFTER a published exploit is released or after the security expert threatens to release the information to the public. -
Great (start) Paper
SubVirt is the training wheels version, check this:
http://www.securityfocus.com/columnists/402
Want to Talk?
http://www.securityfocus.com/comments/columns/402/33600#33600 -
The Reverse: Using Host to Protect Virtual Servers
This is regarding Linux rather than Windows but:
Host machine with Vserver kernel running Tripwire or Aide
with configuration adjustments to detect changes in client "machines"
Host machine well protected
client machines doing ftp or web services or email or.....
Although Vserver is particular to Linux: Other schemes doing
reasonably strong virtualization can also do the job in Linux,
Solaris (Zones), BSD (Containers), Windows, etc.
It should greatly decrease the ability of something as clever as
BluePill to do damage if it was infecting a well-partitioned virtual
machine rather than a regular machine.
Vserver: http://linux-vserver.org/
AIDE: http://www.securityfocus.com/infocus/1424 -
Re:Publish and Perish
what about honeytokens?
-
So long, and thanks for the free parking...
All my calls come from (202) 456-1414
-
Re:Funny::Bullshit
"Hackers, the good ones, can earn a decent living playing both sides of the game. A cheesy salary on the inside and much more lucrative compensation from the outside. An organized distribution of hackers, not necessarily organized consciously by hackers, but by an outside interest is a growing threat to corporate interests."
Yes.
Forgetting this whole thread above, Slashdot and its mindlessness - the keywords here are "not necessarily organized consciously" and "outside interest(s)".
You sir, have hit the nail squarely.
Some continue to "whistle through the graveyard" and others just hope it's "just their imagination" unlike most of these commenters at least the former sense something.
Think reserved APIs, and *legal* hardware calls and parse accordingly.
Start here for the first clue, SCREAM accordingly.
http://www.securityfocus.com/columnists/402
Not just ALL your base. :-) -
What a stupid article
From the article:
Ummmm... here's a hint: if somebody sends you a random URL to an executable, don't run it!
To be impacted with the worm, users have to actively download the code. Messenger conversations initiated by the worm carry texts like "jaja look a that" or "mira este video" as well as a web address from where it is downloaded.
TFA is wrong then - if you have to execute anything, it's not a worm. A worm infects your system via a security hole in an application and needs no user assistance (well, sometimes the user has to neglect to apply patches or run a firewall).
This is not a worm. It is a trojan. I wouldn't trust any information from the web site, since they don't know their wormy ass from a hole in Troy's ground.
Nothing at SecurityFocus about this, they're talking about the Yahoo worm which actually IS a worm: The 6,377 byte worm exploits a JavaScript flaw in Yahoo's implementation and when opened, collects addresses in the user's webmail folders and then starts to spread. The worm takes a novel approach in that it does not require the user to click on any attachment for it to function; the e-mail only needs to be opened within Yahoo Mail. By late Monday, Yahoo had already disabled the functionality in Yahoo Mail that allowed the worm to spread.
If you can't get into your house, call a locksmith, not a carpenter. -
I now present... the Polymorph
After reading 12 of the 17 page MS document I shake my head... Some malware do not run properly in VM. Some packers are known to detect VM environment and prevent the file from normal execution. What about smarter polymorphs which change and adapt, not to mention their analyses, tests, etc., did not include a full scope of what malware targets: "Runtime environment simulation is still primitive. For example, we have not implemented Instant Messaging or P2P applications/servers." Couple this with: "The biggest benefit is more rapid response to complex threats. As the synergy between viruses, Trojans, worms, rootkits and exploits grows, waiting for a solution becomes more dangerous." And lest I forget "This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part two continues the discussion of armored viruses and then looks at a Bradley worm - a worm that uses cryptography in such a way that it cannot be analyzed." (source). So what happens when malware writers get a clue and start creating their own forms of crypto to hide their actions? For any company to create a product whether it's hardware or software based, they'd only be lying to a degree about their ability to detect complex threats no matter what engine their malware snoopers were using.
-
Re:Why not?
Other than the TCP/NetBIOS stuff (that never, to the best of my knowledge, had a remote exploit that let anyone take control of the box), a box running 98SE runs no services. No uPNP exploit. No DCOM/RPC. No Messenger. No nothing. For all intents and purposes, it's already firewalled when you plug it into the wall.
Then the best of your knowledge is sadly mistaken.
http://www.microsoft.com/technet/archive/win98/downloads/igmpw98.mspx?mfr=true
http://www.cert-in.org.in/vulnerability/civn-2005-32.htm
http://www.securityfocus.com/bid/1163
http://www.cert-rs.tche.br/listas/infoseg/msg00260.html
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
Those are just a few issues with the TCP/IP stack, NETBIOS, uPNP on Windows 98 that I found within 60 seconds of searching Google. I remember running 98SE back in the day - there used to be patch after patch for it, just like for any modern OS today. Don't kid yourself or anyone else that 98 is a secure OS. Likening it to being firewalled out of the box is ridiculous.
DRM? What DRM? You can't do DRM when you've got no security model.
98 has DRM in WMP7+ just like XP does.
98 runs services also. They're not user processes, so they don't appear in Task manager on 98. Just because you can't see them doesn't mean that they don't exist. How do you think NETBIOS works? By magic?
If I had to recommend a secure OS to anyone, 98 would come way down my list. I'd at least choose something that was still vendor supported.
-
Re:I have a idea.
Won't work, see: http://www.securityfocus.com/archive/1/431027
Essentially, MS has hardcoded IPs in system files which bypass DNS resolution. -
Legality
>The point is: is it legal? Enough people have maintained that it is not to warrant a serious investigation into the matter.
Mark Rasch, J.D., has written more than you probably want to know about the legality of mass NSA collection of calling records. Read his column and you'll be better informed than almost everyone. -
Patently illegal maybe, but for whom?
In response to your claim that the program is "patently illegal", many people are going to claim it is "perfectly legal". I see there are already several replies to that effect. It's probably the case that both are overstatements. The truth is that not too much is known about the process by which the calling records were obtained, and it looks like the legality of the program depends a lot on that.
The short story, as I understand it, is this: If the government compelled the phone companies to specifically track calls to and from a phone number (known as a pen "register" and a "trap and trace") without a warrant, that would be illegal (under FISA there's some exception if the person is not a citizen or permanent resident, but there are other requirements). If, however, the phone company voluntarily gave the NSA their normal billing records, then the government officials probably didn't commit a crime, but it seems likely that the phone companies did. A lot of people think that's what happened, and an important point in favor of this was the refusal of QWest to give up records, but the truth is we don't know exactly what happened. Until we know more, it's not entirely clear if the government committed a crime or if they just encouraged/coerced the phone companies to commit crimes. There may even be the possibility that no one committed a crime, though that doesn't look likely to me. Of course, there's a difference between what is legal and what is moral or wise (people often overlook this), so even if it's legal you could still decide it is wrong.
If you want to know more, I suggest you start with this excellent article on Security Focus, which goes into a lot more detail about the issues involved. It says of the author, "Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc." So, it sounds like he's pretty well qualified to offer an opinion.
-
Re:This is great news!
xmtrx.GeekPoints--;
I'm pretty sure a Matrix hacking game would concentrate on buffer overflows. -
Re:If software was built like bridges!
The other irony -
This, coming from Oracle... who Litchfield has been bashing non-stop, for NOT patching holes for years -
http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=litchfield+oracle&x=26&y=7 -
Re:JAP Project
While still in its early stages, wouldn't something like the JAP Anonymity project undermine the entire purpose and usability of data retention?
Despite being in its "early stages", the JAP project already provided a backdoor to the German police.
http://www.securityfocus.com/news/6779
Tor is more trustworthy, but those of us who wear tin-foil attire may still wonder how many tor nodes are being run by 3-letter agencies. -
Not So Simple Solution
While it may seem to be the solution, how long before companies are pressured to place something on the operating system level, say a keylogger? Wouldn't be the first time the government went this route (Google FBI +Magic Lantern). As a whole I would think too much crypto usage would create a boon in cybercriminals using crypto for malice, thereby giving the government justification for passing laws to ban cryptos. Akin to gun laws... Guns don't kill people...
This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part two continues the discussion of armored viruses and then looks at a Bradley worm - a worm that uses cryptography in such a way that it cannot be analyzed. Then it is shown how Skype can be used for malicious purposes, with a crypto-virus that is very difficult to detect. (SecurityFocus)
-
2004 article mentions this
I've never needed to use ssh-agent, and during reading this I thought I'd read up on it a bit. So I googled it and found an article, written in 2004, that had this to say:
So the bad news is that your agent keys are usable by the root user. The good news, however, is that they are only usable while the agent is running -- root could use your agent to authenticate to your accounts on other systems, but it doesn't provide direct access to the keys themselves. This means that the keys can't be taken off the machine and used from other locations indefinitely.
Is there any way to keep root from using your agent, even though it can subvert unix file permissions? Yes, you can. If you supply the -c option when you import your keys into the agent, then the agent will not allow them to be used without confirmation. When someone attempts to use your agent to authenticate to a server, the ssh-agent will run the ssh-askpass program. This program will pop up on your X11 desktop and ask for confirmation before proceeding to use the key.
At this point you're probably going to realize that we're still fighting a losing battle. The local root account can access your X11 desktop, all your processes, you name it. If you can't trust the root user, you're in trouble.
However this will prevent root on machines to which you've forwarded the agent from accessing your agent. -
Reporting vulnerabilities safely?
I agree with the article for the most part - the advice he gives students is probably the correct advice from a teacher. However, the conclusion he reaches:
I agree with HD Moore, as far as production web sites are concerned: "There is no way to report a vulnerability safely".
I cannot agree with.
I think a vulnerability can be reported anonymously quite safely (for a good deal of people anyway). Try the following:
1) Get a laptop with wireless.
2) Boot with Knoppix, change MAC address.
3) Walk around until you find unsecured AP.
4) Post said vuln everywhere (including /.)
-wmf -
Re:Freedom is not safe or pretty.
"That's nice. But being at war with a country is different than spying on your own citizens."
I'm very sure that both the UK and the United States during WW2 were very busy searching for saboteurs and pro-nazi sympathizers within their respective citizenry, and used quite an array of wiretapping and other techniques to do so.
"The problem is, far Far FAR FAR more often it is not."
Agreed, but it is still there. Another semi-related factor is that encrypted conversations are more likely to attract attention than non-encrypted ones, no?
"But it is ALWAYS subject to abuse."
So are the FLIR heat-sensing cameras that most police helicopters come equipped with nowadays, and have carried since the mid-90's if memory serves. Those can see through quite a few obstacles that can otherwise conceal. That isn't a very valid excuse to intentionally hobble law enforcement authorities. If an authority is being abusive, we have the means and the right -- no, the duty -- to remove such people from positions of power, and punish them if necessary.
"Being Free means that we accept the risk that the "bad guys" will abuse that Freedom to hurt/kill some of our citizens."
Being 'Free' means that occasionally it may happen, not that we should refuse to prevent it from happening.
"Only we can do that by surrendering our Freedom for the illusion of "safety".
Freedom from ...? Ever since the first telegraph was put into place, governments can and have monitored them whenever they deemed it necessary. There are plenty of perfectly legal warrantless means of doing so. ...and it's not just me saying this. /P -
Re:Irresponsible "Journalism"
>Let us all keep in mind that everything going on with the NSA is perfectly LEGAL.
SecurityFocus columnist Mark Rasch thinks the pen register statute applies, forbidding the collection of call records with a court order or a FISA warrant. His opinion is also that even with a warrant the surveillance has to be targeted. One loophole might be that the phone companies keep this kind of data as an inevitable part of their operations and can share it if they choose -- but 18 U.S.C. 2702(a)(3) forbids them to turn it over to the government. Customer Proprietary Network Information (CPNI) is also protected under 47 USC 222. Then there's the issue of breach of contract, or fraud, from the telcos violating their privacy policies. The remaining wiggle room is not enough to say "perfectly legal", let alone "perfectly LEGAL".
Mark Rasch is a former prosecutor and holds a Juris Doctor degree. He's former head of the Justice Department's computer crime unit. -
IM safety?
Or is IM safety a lost cause?
It's very hard to stop people executing something that's sent to them by someone they know - but for other vector methods, perhaps people should consider an IM client that doesn't include ActiveX.
Anyway, mildly interesting, the worm makes no attempt to hide itself with a "You are beaten, it is useless to resist" desktop paper (!) and music on startup (from TFA): Worse still, music starts to blare out of your PC. Not just any old music - bad music. Bad looped music, with screeching guitars and awful drum n' bass beats.
But not to worry XP SP2 users, you're protected.... again from TFA: Some "good" news, however - SP2 seems to prevent this music from playing in the background.
snigger.... :-) -
Re:*shrug*
It could be an extensions issue, as others have suggested. It could just be his browsing habits.
As long as I stay on a few sites I frequent it never crashes. But every so often I go off searching for something, hitting lots of odd pages, and whenever I do that, sooner or later firefox goes boom.
Pretty sure it has to do with this.
Firefox is quite stable as long as you feed it nothing too weird, but it will crash and burn on garbage input, and if you hit enough webpages from different sites these days you'll eventually find some real trash.
-
Interesting legal discussion about phone records,
There is an excellent write-up on the legal battlefield for turning over phone records etc by Mark Rasch over at SecurityFocus News http://www.securityfocus.com/columnists/403?ref=rss in case anyone wants to brush up on the corresponding laws. -
Noam Eppel is a Genius... at marketing.
Congratulations, Noam, you did it! You registered a domain for the purposes of posting a little rant to indict the entire Security Profession. Then you got Slashdotted. Bravo.
Good thing you included a link to your consulting services in the article byline. Otherwise, people wouldn't know where to go to hire such an insightful luminary. You were also smart enough to make your article inflammatory against the entire security profession, just to drive readership. Again, well done.
The truth is, this could have been a half-decent article that I might share with my C-level folks if it weren't so full of accusations against security professionals. In fact, it would have made a half-decent rant if it weren't so full of inconsistencies and half-truths. What we are left with is drivel, and marketing-driven drivel at that. At least have the courage to post it on your site or your company's site so people can identify it for what it is.
After reading your article, you were so successful in getting me enraged that I had to know, "Who is this jerk, Noem Eppel?" I did a little research.
Are you the same Noem Eppel who said:
The onus should be on the software and security industry - those that are responsible for designing the products - to make software which is not only safe to use by default, but easy to secure.
In 2004?
But today says:
We as security professional [sic] are drastically failing ourselves, our community and the people we are meant to protect.
Who next will you point your finger at?
I think we can all agree that the state of security is bad, but your insinuation that security professionals are some kind of slackers, content with their own failure because they are "enjoying a surge in business and growing salaries" is disgusting. If you want to indict the character of a profession, you'd better have stronger ground than that to stand on. If you said the same thing about doctors being slackers who are content with their failure because diseases are on the rise, you would be mocked and scorned.
Do you know what gave you away, Mr. Eppel? The constant barrage of unrelated statistics loosely stitched together to reinforce your 'expertise'. Having a day job myself, I don't have time to refute your editorial line by line, so here's my favorite from your article:
In some cases, even our best recommended security practices are failing.
In a recent experiment, AvanteGarde deployed half a dozen systems in honeypot style, using default security settings. It then analyzed the machines' performance by tallying the attacks, counting the number of compromises, and timing how long it took an attack to successfully hijack a computer once it was connected to the Internet. The average time until a successful compromise was just four minutes!
Which information security professional thinks that "our best recommended security practices" includes deploying systems "using default security settings".
Of course, we are assuming that you are an information security professional. I think it telling that you post no CV, no credentials, not even an email address to offer up your authority to speak on the subject. You use the pronoun, "we", to claim your place among the accused, but offer no evidence, convincing or otherwise, as to why you should be considered a peer among the noble practitioners of this worthy vocation.
Mr. Eppel, you have done what no other journalist, blogger, cyber-idiot, or troll has managed to do. You have insulted my profession and me beyond excuse. I've never felt the need to respond to anything as strongly as your piece of drivel.
I'm posting this reply to Slashdot rather than your site, because I don't believe you have earned the traffic your article has already generated. Although I may be modded down, I would gladly give every bit of karma I have to see this garbage ripped from the web and you forced to apologize publicly for your outrageous remarks.
Go read COBIT or something and leave those of us who are trying to make things better alone.
Warmonger. Troll. Charlatan. -
Re:Heaven Forbid!
I would say that I believe they have been doing a good job for quite a while and the security problems are not as problematic as it seems to many of the readers here.
I'm really not sure I could agree with that.
If you follow the bugtraq mailing list you'll have seen several recent posts expressing increasing dissatisfaction with the way that Oracle has handled security issues. Including several mentions of one bug being fixed whilst nearly identical (and also public) ones have been ignored.
For a good example of that please see this post from a week or two ago describing a "fixed" bug lasting over a year..
-
Re:You don't need to patch!
Have you seen Oracle's security record recently?
Anyone who reads bugtraq or the like will know it is shocking.
Take a look at http://www.securityfocus.com/archive/1/432399 this for an example -
You can't really secure against social engineering
Heh, social engineering is a technique that essentially all humans are vulnerable to. Also, phone companies are actually one of the top targets of social engineering. That combination makes for a pretty high likelihood of peoples' phone-line-related data to be effectively public domain...
There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind. I know people who do this sort of stuff (I don't mean theft though heh) for fun on a fairly regular basis and they can all screw with pretty much any person. It's really amazing how easily you can manipulate someone of any personality type, actually. heh.
The only people who I've found to be highly resistant to any sort of social engineering are the type of people who know how to do it as well. It requires a certain mindset to be able to catch on to when a person might be trying to manipulate you. Unfortunately that sort of mindset usually involves always having a certain amount of suspicion towards peoples' statements all the time...
Some reading material:
http://www.securityfocus.com/infocus/1527
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt
http://www.kuro5hin.org/story/2004/6/3/223758/2267
http://rf-web.tamu.edu/security/secguide/V1comput/Social.htm
etc. etc.. -
Do the editors not even RTFA anymore!?
This article is terrible! It's complete gobbledygook. The author has no idea what he is talking about. Consider this:
Anti-virus solutions will also be required, and these must be designed to ensure that excessive delay in telephony packets transiting the network is not introduced.
That's Intrusion Prevention, not Anti-Virus. Does he even understand what those words mean?
Phishing attacks on VoIP networks involve attackers faking the number of the phone they are using, making it look as though a legitimate organisation is making the call... However, anti-spoofing packet filters in the network will help prevent hackers or spammers hiding behind acceptable addresses.
NO! Anti-spoofing packet filters do NOT prevent caller ID spoofing in VoIP protocols. They have absolutely nothing to do with Voice over IP!
It's unethical for people who don't understand computer security to offer computer security advice. As for the Slashdot Editors, there are so many more important things they could have covered today, such as the attempt in Georgia to imprison people for performing computer forensics without a private investigator's license. (It's also unethical for people who don't understand computer security to attempt to use legislation to corner the market on it.)
-
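The distinction the comment above draws, shown as an added example that is not from the original comment or from the article it criticises: a BCP38-style ingress filter looks only at the IP source address, while the number a phone displays comes from the SIP From header, which any sender can fill in. The INVITE, the address ranges and the trunk-identity policy below are constructed for illustration; what actually catches the spoof is an application-layer rule about which identities a given trunk may assert.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// Constructed sample, not a real capture: the INVITE arrives from an address
// inside the provider's own customer range (so ingress filtering accepts it),
// but its From header claims to be a bank.
const sampleSrcIP = "198.51.100.23"

const sampleInvite = "INVITE sip:victim@203.0.113.10 SIP/2.0\r\n" +
	"Via: SIP/2.0/UDP 198.51.100.23:5060;branch=z9hG4bK776asdhds\r\n" +
	"From: \"First National Bank\" <sip:+18005551234@bank.example>;tag=1928301774\r\n" +
	"To: <sip:victim@203.0.113.10>\r\n" +
	"Call-ID: a84b4c76e66710@198.51.100.23\r\n" +
	"CSeq: 314159 INVITE\r\n" +
	"Contact: <sip:2125550199@198.51.100.23>\r\n" +
	"Content-Length: 0\r\n\r\n"

// Hypothetical prefixes the ingress filter expects on the customer-facing interface.
var customerPrefixes = []string{"198.51.100.0/24"}

// Hypothetical application-layer policy: which From-URI domains each source
// prefix is entitled to assert. This is what an IP-layer filter cannot express.
var trunkIdentities = map[string][]string{
	"198.51.100.0/24": {"customer.example"},
}

// IngressFilterAccepts is a BCP38-style check: it sees only the IP source address.
func IngressFilterAccepts(srcIP string, prefixes []string) bool {
	addr, err := netip.ParseAddr(srcIP)
	if err != nil {
		return false
	}
	for _, p := range prefixes {
		if pfx, err := netip.ParsePrefix(p); err == nil && pfx.Contains(addr) {
			return true
		}
	}
	return false
}

// ParseSIPHeaders returns the request's headers keyed by lower-cased name.
func ParseSIPHeaders(msg string) map[string]string {
	head, _, _ := strings.Cut(msg, "\r\n\r\n")
	headers := map[string]string{}
	for i, line := range strings.Split(head, "\r\n") {
		if i == 0 {
			continue // request line, not a header
		}
		if name, value, ok := strings.Cut(line, ":"); ok {
			headers[strings.ToLower(strings.TrimSpace(name))] = strings.TrimSpace(value)
		}
	}
	return headers
}

var fromRe = regexp.MustCompile(`^(?:"([^"]*)"\s*)?<sip:([^@>]+)@([^>;]+)>`)

// CallerID extracts what the callee's phone would display from the From header:
// display name, user part and domain. Nothing at the IP layer constrains these.
func CallerID(headers map[string]string) (display, user, domain string, ok bool) {
	m := fromRe.FindStringSubmatch(headers["from"])
	if m == nil {
		return "", "", "", false
	}
	return m[1], m[2], m[3], true
}

// IdentityAuthorized is the check that does catch caller-ID spoofing: the
// asserted From domain must be one the sending trunk is allowed to use.
func IdentityAuthorized(srcIP string, headers map[string]string, policy map[string][]string) bool {
	addr, err := netip.ParseAddr(srcIP)
	if err != nil {
		return false
	}
	_, _, domain, ok := CallerID(headers)
	if !ok {
		return false
	}
	for prefix, domains := range policy {
		pfx, err := netip.ParsePrefix(prefix)
		if err != nil || !pfx.Contains(addr) {
			continue
		}
		for _, d := range domains {
			if strings.EqualFold(d, domain) {
				return true
			}
		}
	}
	return false
}

func main() {
	fmt.Println("ingress filter accepts source:", IngressFilterAccepts(sampleSrcIP, customerPrefixes))
	h := ParseSIPHeaders(sampleInvite)
	display, user, domain, _ := CallerID(h)
	fmt.Printf("phone would display: %q <%s@%s>\n", display, user, domain)
	fmt.Println("identity authorized for this trunk:", IdentityAuthorized(sampleSrcIP, h, trunkIdentities))
}
```

The same INVITE passes the address filter and fails the identity policy, which is the whole point: the two checks look at different layers, and only the second one knows what a caller ID is.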
OpenBSD is made for stuff exactly like this
OpenBSD vpn(8) man page
Zero to IPSec in 4 minutes
OpenBSD IPSec with Cisco HOWTO (slightly old, but may still be useful to you as a pointer in the right direction)
And don't forget to check out the mailing list archives
I use OpenBSD on my Soekris firewalls and they run very well indeed. -
Re:DOES NO ONE REMEMBER THIS SLASHDOT ARTICLE????
-
Re:Hmm...
Not really applicable.
They started with a fork of the NetBSD codebase and maintained compatibility for a long while. Many drivers in the Net/OpenBSD tree used to be ifdef-ed for specific OS related parts. In fact one of the reasons for OpenBSD to survive for so long especially on obscure architectures has been the fact that it used to rely heavily on Net for low level hardware specific code (disclaimer - I do not know if this is still the case as I have not looked at their source since 3.3).
As a result GPL-ing is not an option. Your codebase is heavily dependent on somebody else's codebase which is BSD.
As far as the financial difficulties go, all business and businesslike entities using GPL rely on support, custom code and consulting for their day to day living expenses. You do not get that money if you have this attitude:
http://www.securityfocus.com/archive/1/428749/30/90/threaded. This is just one fresh example (this week).
Another essential factor is that if you write software in the real world you have to go out of your ivory tower on a daily basis and check what your competitors are doing. OpenBSD tends to believe its own PR about their security prowess and does not follow Linux, FreeBSD and other OS development as much as it should. One example for this is how it missed the appearance of hardware RNG in AMD hardware for several years. They simply did not know it is there (I actually pointed it out to Theo myself a year ago). I bet that they have missed other stuff in a similar fashion as well.
Frankly, the days when Open Source OS projects were PFY jobs and flaming each other out of existence on mailing lists was business as usual are long gone.
Time to grow up or face the dark stairway down down and down towards oblivion. -
Indeed it has
-
Re:No link to actual advisory in summary or articl
Further info on this security advisory is available at CVE-2006-0058 and from Security Focus
-
Re:Critical Infrastructure
There is a reason air traffic control systems don't run Windows XP.
Of course not, that would be insanely stupid, wouldn't it. The FAA is too smart for that, they use Windows 95! (see last paragraph!)
Kinda makes you want to take the bus, eh?
-
Re:Loyalty is so 50s...
Here's your clue re social engineering: Social Engineering Fundamentals, Part I: Hacker Tactics
-
Re:Aaaah Maxxuss
Seems it has already been done.
-
Re:Asking for trouble...
because those 2.4 kernels get those remote exploits all the time.
Yes, you are correct, there are quite a few recent exploits. It only takes one bad one. So make sure to patch your kernel often... -
MS Inaccessible?
Visit http://www.securityfocus.com/ sometime. You'll find Microsoft VERY accessible.
-
Re:SSL Certs
Many people think that an SSL certificate somehow guarantees a trustworthy vendor.
It doesn't, but it could! When are consumer unions going to hand out certs that expire monthly? If a company doesn't handle complaints satisfactorily... then it has to get a certificate someplace else. Crappy new privacy policy? No new cert. Disappearing backup tapes with social security numbers and no plan to prevent this happening in the future? No new cert....
In the case of banks this helps them as well, as they often end up with the bill for fraud (if not because of the law then because of lost trust in systems that are cheaper than snail mail and brick and mortar). Banks don't want certificate authorities that are happy to *sell* certs to the phishers that steal from them. Consumer unions would happily give out certificates for free... to organisations that take running an e-commerce site seriously. It's either that or having government regulatory bodies for the banking industry deal with this. They tend to know the difference between a bank and some guy offering "loans" to gamblers who wants to know your credit card numbers.
And when are browsers gonna display the logo of the certificate authority? Early browsers already had these logos. It is many times more informative than a plain padlock icon. Browsers could just replace the URL field and browser logo with the signed identity and the CA logo. If all people see is a padlock then all they know is that someone is doing some work on security... This tells you nothing if that someone can be a "cheap certs fast" kind of authority doing no work as well as it could be a militant consumer union or, even worse, a regulatory authority kind of group.
If competition between signing authorities is the answer then they should compete on service quality, not certificate price... For that to happen, users should know what authority they are using the moment they open a site. Maybe then authorities can begin to build a real reputation rather than a "cheap certs fast" reputation among the few website operators that care. And if users aren't gonna drop the root certs of people who hand out microsoft.com code signing certificates to people other than Microsoft, then browser people should be able to revoke root certs for them. Especially if there is no apology and no serious plan for preventing things like that in the future.
Now certificate authorities don't do anything to earn trust. Everyone knows Verisign resells controversial foreign "lawful interception" equipment as well as selling certificates, right? Imagine what this equipment could do with a Verisign private key... These clowns don't care one bit for their reputation. If they did they would at least sell this equipment under a different name. Somehow they still own most of the certificate market though. And Verint, as Comverse is now known, does provide equipment that is part of an intelligence trading deal between a European country and Israel.
For users to care about the reputation of certificate authorities, logos/brand names are all we've got. They might help Joe Sixpack deal with reputations. Joe may not know crypto, but if he sees the Verisign logo on the evening news with the word "scandal" next to it he might recognise the logo the next day when he visits a bank-like site.
-
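One way to turn the proposal in the comment above into a relying-party check, as an added example that is not part of the original comment and is not any browser's or CA's code: the client trusts a single root of its own choosing, refuses leaf certificates valid for longer than a month, and returns the issuer's name so it can be shown instead of a bare padlock. The CA names, the host name and the 31-day limit are hypothetical; the certificates are generated in-process with Go's standard library so the block runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLeafValidity is the hypothetical "monthly cert" policy: leaf certificates
// with a longer validity window are refused regardless of who signed them.
const MaxLeafValidity = 31 * 24 * time.Hour

// IssueCert builds a certificate. With parent == nil it is a self-signed CA
// named name; otherwise it is a server leaf for host name, signed by parent.
func IssueCert(name string, validity time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validity),
		BasicConstraintsValid: true,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CheckLeaf is the relying-party side: the chain must end at the one root this
// client trusts, the name must match, and the leaf must obey the validity policy.
// On success it returns the issuer's name, the information a browser could show.
func CheckLeaf(leaf, root *x509.Certificate, host string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return "", fmt.Errorf("chain rejected: %w", err)
	}
	if window := leaf.NotAfter.Sub(leaf.NotBefore); window > MaxLeafValidity {
		return "", fmt.Errorf("validity window %v exceeds policy maximum %v", window.Round(time.Hour), MaxLeafValidity)
	}
	return leaf.Issuer.CommonName, nil
}

func main() {
	must := func(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
		if err != nil {
			panic(err)
		}
		return c, k
	}
	tenYears := 10 * 365 * 24 * time.Hour
	union, unionKey := must(IssueCert("Consumer Union CA", tenYears, nil, nil))   // the root we trust
	cheap, cheapKey := must(IssueCert("Cheap Certs Fast CA", tenYears, nil, nil)) // a root we do not
	monthly, _ := must(IssueCert("bank.example", 30*24*time.Hour, union, unionKey))
	yearly, _ := must(IssueCert("bank.example", 365*24*time.Hour, union, unionKey))
	other, _ := must(IssueCert("bank.example", 30*24*time.Hour, cheap, cheapKey))
	for _, c := range []*x509.Certificate{monthly, yearly, other} {
		issuer, err := CheckLeaf(c, union, "bank.example")
		fmt.Printf("issuer=%q err=%v\n", issuer, err)
	}
}
```

Only the monthly certificate from the chosen root passes; the year-long one fails the validity policy even though its chain is fine, and the one from the other CA fails chain building before policy is considered. Shipping such a policy in a general-purpose browser would obviously break most of the web today, which is exactly the comment's complaint: the trust decision currently belongs to whoever is in the root store, not to the user.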
Re:MS Anti-Virus
-
Re:MS Anti-Virus