Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lone Iranian Claims Credit For Comodo Hack

Posted by Soulskill on from the army-of-one dept.

nk497 writes "A boastful Iranian hacker has claimed sole responsibility for the Comodo security certificate attack, saying it had nothing to do with his government. The 21-year-old claimed via a note on PasteBin, 'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.' While some researchers believed his claims, saying the media had accepted Comodo's claims that the attack was from the Iranian government too easily, others said it was impossible to tell if the hacker was real, or a PR move by Iran."

72 comments

  1. Read it wrong by QA · · Score: 0

    Anyone else read this as "lone attack on commode"? Gives it a whole new meaning.....

  2. Who do we believe? by Anonymous Coward · · Score: 0

    Then again, why should we care?

    Security certificates from external companies are all used by security agencies anyway - I for one don't want my stuff being snooped on.

    1. Re:Who do we believe? by ls671 · · Score: 1

      Hmm... If I understand your post correctly, let me comment a bit:

      Do you know how certificate signing work ?

      Done properly, one should never reveal its certificates private keys at any time. So in the end, a certificate signed by an external company should be as confidential as a self signed certificate or a certificate signed by a company you trust.

      This is the whole idea behind PKI.

      Granted, I have seen many people who do not understand this important point. I have seen cases where the the signing authority was aware of the private key but this should never occur if you know a bit about PKI 101.

      --
      Everything I write is lies, read between the lines.
  3. Dude can't speak English very well. by Anonymous Coward · · Score: 0

    I say we hack him ... to pieces.

    1. Re:Dude can't speak English very well. by Anonymous Coward · · Score: 0

      a 1,000 pieces

    2. Re:Dude can't speak English very well. by Anonymous Coward · · Score: 2, Funny

      Snake Plisskin. I've heard of you. I HEARD YOU WERE DEAD!

  4. An anonymous claim of skill? by Anonymous Coward · · Score: 0

    Probably trustworthy

    1. Re:An anonymous claim of skill? by _Sprocket_ · · Score: 4, Funny

      New infosec meme.... "with experience of 1,000 hackers."

    2. Re:An anonymous claim of skill? by kill-1 · · Score: 5, Funny

      Follow-ups:

      "I should mention my age is 21"

      "How smartass you are?"

      "My orders will equal to CIA orders"

      "I'm a GHOST"

      "I'm unstoppable, so afraid if you should afraid, worry if you should worry."

      "I did it one time, make sure I'll do it again" (reminds me of Steve Ballmer)

      "RSA 2048 was not able to resist in front of me"

    3. Re:An anonymous claim of skill? by Anonymous Coward · · Score: 0

      Oh, if I could give you more mod points, I would.

    4. Re:An anonymous claim of skill? by game+kid · · Score: 1

      "I'm unstoppable, so afraid if you should afraid, worry if you should worry."

      I think 1,000 hackers is a pretty cool guy. eh takes over comodos and doesn't afraid of anything.

      --
      You can hold down the "B" button for continuous firing.
    5. Re:An anonymous claim of skill? by _Sprocket_ · · Score: 1

      I think 1,000 hackers is a pretty cool guy. eh takes over comodos and doesn't afraid of anything.

      Dude. I was in to 1,000 Hackers before they were cool. Now they're just sell-outs.

  5. Why provide him a platform? by bogaboga · · Score: 2

    Isn't Slashdot providing this dude a platform for [free] publicity? Why is this story even here? Nothing about it is substantiated at all.

    The only thing I can guarantee is that there is a human being at the other end who is now in the news.

    1. Re:Why provide him a platform? by iamhassi · · Score: 1

      Dude? I thought this was a PR move by Iran?

      --
      my karma will be here long after I'm gone
  6. Humble by Anonymous Coward · · Score: 0

    Gotta love how he decided not to break RSA. *Decided*.

  7. Huh? by nog_lorp · · Score: 2

    This message is sort of retarded. First he tried to solve prime factorization, and then he was like "maybe I should hack a CA instead"? And later he will do us the favor of "proving it is not possible" to come up with a prime factorization algorithm?

    1. Re:Huh? by Anonymous Coward · · Score: 0

      pot, meet kettle.

  8. rules, rules, rules by simoncpu+was+here · · Score: 1

    I'm glad there's no rule #34 of this Iranian hacker.

    1. Re:rules, rules, rules by coyote_oww · · Score: 3, Funny

      If he has the experience of 1000 hackers, it would still not involve a single woman.

  9. First Rule Of Iranian Hacker Club...... by Anonymous Coward · · Score: 0

    The first rule of Iranian hacker club.. Don't talk about Iranian hack club!!!!
    no wait.. the first rule of Iranian hacker club is actually "I do, that's all. You stop, I don't stop.". Thanks not nearly as catchy.

    1. Re:First Rule Of Iranian Hacker Club...... by Isaac+Remuant · · Score: 1

      It loses it's magic after Google Translate... :P

      On a serious note, Is it possible that the grammar mistakes are intentional? Would a decent hacker who'd have to deal with the English language all around make so many mistakes? I'm asking out of total ignorance here.

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
    2. Re:First Rule Of Iranian Hacker Club...... by Anonymous Coward · · Score: 0

      I doesn't have running water...but I can hack comodo...

  10. Uhg... by Anonymous Coward · · Score: 1

    This is the first I saw a straightforward description of the hack... "SQL injection, then privilage escalation, got SYSTEM shell, remote desktop, investigation and I discovered trustdll.dll :)" Where trustdll.dll was a c# lib he decompiled and saw hard-coded credentials. This was it? Really?

  11. Of course it's a PR move by Weaselmancer · · Score: 4, Insightful

    I mean come on, really?

    'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.'

    Sounds just like the Iraqi Information Minister or Kim Jong Il. "Oh no no no! I not a group or government no! I am super skilled hacker with skill of 1000 men. I can play 18 rounds of golf in 18 shots by getting 18 hole in one. Yes! I just that good!"

    --
    Weaselmancer
    rediculous.
    1. Re:Of course it's a PR move by bongey · · Score: 1

      18 rounds of golf in 18 shots

      Just 18 I could do it 1

    2. Re:Of course it's a PR move by Anonymous Coward · · Score: 1

      'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.'

      Something tells me this guy will soon become a single dead hacker with experience of 1,000 virgins.

      Tip your server. I'll be here all the week.

    3. Re:Of course it's a PR move by Anonymous Coward · · Score: 1

      First, the Dear Leader did not claim to make 18 hole-in-ones. Just a hole-in-one one the first par 4, his first hole ever (although they didn't mention if he took a practice swing), and all the subsequent par 3s. I believe his final score was somewhere in the 40s.

      Second, I did the exact same thing once on Tiger Woods PGA Tour 2009 on Xbox, so I wasn't impressed.

    4. Re:Of course it's a PR move by Anonymous Coward · · Score: 0

      I mean come on, really?

      'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.'

      Or like anon with the hyperbole ramped up to 11?

    5. Re:Of course it's a PR move by retchdog · · Score: 1

      it's 38 under par, so ~34 shots, and with five holes-in-one claimed.

      --
      "They were pure niggers." – Noam Chomsky
    6. Re:Of course it's a PR move by failedlogic · · Score: 1

      I think you are heading down the right direction here in finding this network based SCWMD assault (Security Certificates for the Web of Massively Disorganized). Unfortunately the hacker will be very difficult to identify. As you allude, a skilled hacker that can write press releases like the Iraqi Information Minister, instill fear like only Kim Jong Ill can do and yet still have the time to practice and play a perfect round of 18 rounds of golf. I think while the clues you offer are an attempt to be helpful, I don't think any one person could have such a skill set.

    7. Re:Of course it's a PR move by syousef · · Score: 1

      'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.'

      Sounds just like the Iraqi Information Minister or Kim Jong Il. "Oh no no no! I not a group or government no! I am super skilled hacker with skill of 1000 men. I can play 18 rounds of golf in 18 shots by getting 18 hole in one. Yes! I just that good!"

      Actually my first thought was Charlie Sheen...winning with the power of his mind once again....I know, I know, that was last week's meme.

      --
      These posts express my own personal views, not those of my employer
    8. Re:Of course it's a PR move by antdude · · Score: 1

      That is why I like to say "prove it!". :)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    9. Re:Of course it's a PR move by Anonymous Coward · · Score: 0

      That would mean anon has the experience of over 9000 hackers!

    10. Re:Of course it's a PR move by AlienIntelligence · · Score: 1

      18 rounds of golf in 18 shots

      Just 18 I could do it 1

      Chuck? Chuck Norris? Is that you?

      -AI

      --
      For me, it is far better to grasp the Universe as it really is than to persist in delusion
    11. Re:Of course it's a PR move by Anonymous Coward · · Score: 0

      It's Charlie Sheen... he's taken up hacking now.

    12. Re:Of course it's a PR move by MrSenile · · Score: 1

      No, if it was Chuck Norris, he'd get all 18 holes in one without swinging, without the need for a ball, and without having to get out of bed to actually show up.

  12. I'm convinced by wrencherd · · Score: 4, Funny
    From TFA:

    The individual, who calls himself ComodoHacker

    Well, there you are.

    1. Re:I'm convinced by binaryseraph · · Score: 1

      Or to the rest of the SSL using world: CommodeHacker.

  13. haha by Anonymous Coward · · Score: 0

    I Lol'd

  14. Experience by Anonymous Coward · · Score: 0

    He failed to mention that he is a braggart with the experience of 1000 braggarts.

  15. It was really just the MCP by Dachannien · · Score: 1

    I've grown 2,415 times smarter since then.

    1. Re:It was really just the MCP by Anonymous Coward · · Score: 0

      I mean really?? give me a break this is hardly even written in the context of the first person. This is totally without a doubt a PR release.

  16. Having the skill of 1000 hackers... by sdguero · · Score: 1

    deserves 1000 virgins in the afterlife, right?

    1. Re:Having the skill of 1000 hackers... by sayfawa · · Score: 1

      No, no, no, the jihadists get the 1000 virgins. He gets the 1000 right hands.

      --
      Free the Quark 3 from asymptotic confinement! Bring your charm! Don't get down! All colours and flavours welcome!
  17. I am sorry. by Anonymous Coward · · Score: 0

    I read all of his Pastie's.

    If you want a laugh, read them.

    A lot of egotistical shit talk from a guy who doesn't realize RSA simply cannot be "cracked". It's impossible.

    If you had any common sense, you would use your "hacks" on the actual people who have/had access to having CR's resigned.

    Also, let's not just throw around "symmetric" and "asymmetric" when dealing with encryption and hashing, it just makes you look dumb.

    And working on a way to derive two prime factors of a number is ridiculous, you won't ever accomplish it. Simply because we are dealing with numbers larger than the processing ability of most computers that can be accessed (spare some), and the fact that primality tests aren't something you can simply "write".

    I thought I had an epiphany in math class a few weeks ago (pre-calc is boring as fuck, and my Ti-84 only can do so much, even with asm programmin), and realized that if you took any number, you can first run it against basic tests and tests of division. Even numbers out, numbers whom digits add up to a multiple of 3 are out, etc. After that, you are fucked.

    RSA is secure. Period. It's implementation can only be *so* secure.

    And lol, if you want to do something actually epic, and worth bragging about, steal the private RSA key and code yourself a resigner. Until then, stop acting like you did anything tremendously amazing.

    This is all >implying this kid isn't just frontin.

    -Thilo The "Hax"

    1. Re:I am sorry. by Anonymous Coward · · Score: 2, Insightful

      I read all of his Pastie's.

      If you want a laugh, read them.

      A lot of egotistical shit talk from a guy who doesn't realize RSA simply cannot be "cracked". It's impossible.

      If you had any common sense, you would use your "hacks" on the actual people who have/had access to having CR's resigned.

      Also, let's not just throw around "symmetric" and "asymmetric" when dealing with encryption and hashing, it just makes you look dumb.

      And working on a way to derive two prime factors of a number is ridiculous, you won't ever accomplish it. Simply because we are dealing with numbers larger than the processing ability of most computers that can be accessed (spare some), and the fact that primality tests aren't something you can simply "write".

      I thought I had an epiphany in math class a few weeks ago (pre-calc is boring as fuck, and my Ti-84 only can do so much, even with asm programmin), and realized that if you took any number, you can first run it against basic tests and tests of division. Even numbers out, numbers whom digits add up to a multiple of 3 are out, etc. After that, you are fucked.

      RSA is secure. Period. It's implementation can only be *so* secure.

      And lol, if you want to do something actually epic, and worth bragging about, steal the private RSA key and code yourself a resigner. Until then, stop acting like you did anything tremendously amazing.

      This is all >implying this kid isn't just frontin.

      -Thilo The "Hax"

      Are you talking about yourself? You're only in high school. The extent of your formal math knowledge is beneath basic calculus. Shut up and get over yourself.

    2. Re:I am sorry. by Anonymous Coward · · Score: 0

      A lot of egotistical shit talk from a guy who doesn't realize RSA simply cannot be "cracked". It's impossible.

      Well, with our current knowledge it is considered to be "impossible", or rather infeasible. But there has been many problems no one seemed to be able to solve that have been solved since.

      Throwing around words like "impossible" is just plain stupid and show that you yourself doesn't have enough experience in the field. Experts in the field are careful to use words like "impossible" or "never", since they know that breakthroughs can come at any time and sometimes systems are cracked by using another, not previously foreseen, attack vector.

      For example, there are attacks on RSA when the two factors (the private and the public keys) are of very different sizes. So even if this attack doesn't work in the generic case, you might be able to use a battery of attacks to find a weakness in a given system.

      A breakthrough in quantum computing might render some cryptographic systems weak, systems that today are considered very strong.

      Hell, just compare it to computer graphics. When I started using my first computer, no one would imagine that full length feature films were made entirely using photo realistic rendering. Today, no one lifts an eyebrow when these films are released. So much for "impossible"...

  18. hacker by kerrykoyi · · Score: 0

    i think the hacker is terrible ,i dont like them~~but i think they must be very excellent. wholesale clothing

  19. single by Anonymous Coward · · Score: 0

    Of *course* you're single. I don't think anyone assumed you had a girlfriend, so there was really no need to clarify.

  20. He sounds VERY pro-government! by damoncz · · Score: 4, Interesting

    I am an Iranian dissident living outside Iran and this guy is VERY pro-government, which is a rarity in Iran if you are following the news.. Line 41: "A message in Persian: Janam Fadaye Rahbar" Means "my life sacrificed for the Leader". Only Khamenei goons otter that. I smell something fishy. Can't be a lone hacker...

    1. Re:He sounds VERY pro-government! by iamhassi · · Score: 1

      Means "my life sacrificed for the Leader". Only Khamenei goons otter that. I smell something fishy. Can't be a lone hacker...

      Maybe he took the blue pill...

      --
      my karma will be here long after I'm gone
    2. Re:He sounds VERY pro-government! by Anonymous Coward · · Score: 0

      Viagra?

    3. Re:He sounds VERY pro-government! by Anonymous Coward · · Score: 0

      "I am an Iranian dissident living outside Iran and this guy is VERY pro-government, which is a rarity in Iran if you are following the US propaganda..

      FTFY

    4. Re:He sounds VERY pro-government! by Anonymous Coward · · Score: 0

      Can't be a lone hacker...

      Why not?

      Do you think it's literally impossible for people to be in favor of the current Iranian government, at least when they're not themselves part of, affiliated with, or employed by said government?

      The problem with people like you is that you make up your mind based on your own prejudices, and then stick to those and interpret everything that happens accordingly. Hacking from Iran? Oh, hacking is bad, and the Iranian government is bad, therefore it MUST have been the government. Case closed! Nothing else is even possible, and any new information etc. will be interpreted accordingly. If it fits your prejudice, you just accept it at face value; if it doesn't, it's misinformation, untrue, propaganda, a lie, a joe job, psyops, or otherwise fishy.

      That's not to say that you're necessarily wrong. But you fail to convince, and the more you do this, the more credibility you lose. And by "you", I don't mean you personally, I mean dissidents etc. in general, no matter whether they're Iranian, Chinese, Cuban etc.

      And yes, I realize that most likely there's a lot of shit going on behind the scenes and unlike you, I don't know one tenth of it, but you'll still have to convince people.

    5. Re:He sounds VERY pro-government! by AB3A · · Score: 1

      Mod parent up for informative post.

      This boastful diatribe is not the mark of a really smart person. It seems more like a cult member taunting the public.

      I do not doubt that he could be crazy and smart at the same time. I think Iran's leadership has noticed the power of the stuxnet virus/worm. They're rightfully embarrassed. However, instead of fixing their problems and moving on, they're lashing out with dweebs like this deluded idiot.

      The fact is that our CA platforms of trust are quite vulnerable. We should be afraid, though perhaps not from drooling whack jobs like this. Take time to review where your trust has been given, and then make some decisions. However, I wouldn't lose much sleep over something like this.

      --
      Nearly fifty percent of all graduates come from the bottom half of the class!
    6. Re:He sounds VERY pro-government! by GameboyRMH · · Score: 1

      Who says he isn't the Iranian equivalent of The Jester?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    7. Re:He sounds VERY pro-government! by Anonymous Coward · · Score: 0

      Maybe it's the otter that smells fishy.

  21. He didn't mean he had the skill of 1000 hackers by CrazyJim1 · · Score: 1

    He meant to say he had the skill of a 1000 hacks.

    --
    God spoke to me.
  22. Easy Question? by Anonymous Coward · · Score: 0

    Did anyone use the forged certs? In what circumstances?

    If they were deployed on a countrywide scale in Iran, it doesn't matter whether it was a lone user or a team of government hackers; the end result is the same and the government is certainly just as culpable. Unfortunately, I'm not having a lot of luck finding an answer to that question in my several minutes of googling. Anyone have a good reference on this question?

  23. Newer Info by LoneHighway · · Score: 1

    Jacob Appelbaum tweeted this earlier. Comodohacker may be for real.

    It appears that the #comodogate hacker has posted the secret key for Mozilla's cert: http://pastebin.com/X8znzPWH

    1. Re:Newer Info by netsharc · · Score: 1

      BTW it's not "Mozilla's cert", it's the cert faking to be addons.mozilla.org that he created and signed through the compromised CA...

      --
      What time is it/will be over there? Check with my iPhone app!
    2. Re:Newer Info by Xest · · Score: 2

      Why would that make him legit? Just means if he's an Iranian propaganda agent that the actual group of Iranians, from perhaps Iranian military establishments that did the hack gave it to this PR guy to paste.

      We know the hack was real, we know it came from Iran, nothing there changes that. That doesn't in any way prove he was a lone individual. only that he is at least connected to the person or people that really did the attacks.

  24. At least we know where they get the virgins by SmallFurryCreature · · Score: 1

    To bad suicide bombers, the virgins? It is this guy... mind you, if you examine world history especially in the sunnier parts... they might not mind.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  25. Re:Hack Like An Lone Iranian by Zanadou · · Score: 1

    Would you like to sell a vowel?

  26. Lolz by Anonymous Coward · · Score: 0

    Well that was quite a funny read, apparently he rules teh internetz, everyone better watch out for the guy who has the skillz of 1,000 hackers, programmers and *coughs* project managers??? He might just PM our asses to death, though it is nice to see one man with the combined abilities of 3,000, he should deffo be running some kind of multinational corporation on his own.

  27. I doubt the Iranian govt. would say anything by Anonymous Coward · · Score: 0

    I doubt the Iranian government would make any kind of comment about the Comodo hack, even one like this (which might ultimately be traced somehow). It's possible for individuals to cause amazing damage (Gary McKinnon, Robert Morris etc) so why not this guy?

  28. More info by raulfragoso · · Score: 1

    An interview with ComodoHacker: http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html His twitter account is @ichsunx

  29. till.. by 0dugo0 · · Score: 1

    He had me till HAARP.

  30. You's a trollin.. by Anonymous Coward · · Score: 0

    Do not feed the trolls.

  31. I hacked... by Anonymous Coward · · Score: 0

    ...with the force of one thousand suns!