Slashdot Mirror


Another Dutch CA Hacked

An anonymous reader writes "After the fiasco involving DigiNotar, another Dutch CA (Gemnet, a daughter of KPN-Telecom) has been hacked and databases were accessed, webwereld.nl reports (Dutch original). The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password. The site has been shut down and security checks were ordered."

152 comments

  1. Web Admin of the Year by Anonymous Coward · · Score: 5, Insightful

    So a CA, holder of the keys for SSL certs, had an externally facing db admin module with no password... Just wow...

    1. Re:Web Admin of the Year by ledow · · Score: 4, Informative

      Ignoring that - they had internal documents that were accessible from their web/database server. Everything else defies belief too but really wouldn't have mattered that much if it had been ONLY their web db that was accessed.

    2. Re:Web Admin of the Year by g00head · · Score: 1

      Very true, and a very good point

      --
      "I'd make a wooshing sound, but the post was so far over your head it was inaudible..."
    3. Re:Web Admin of the Year by michelcolman · · Score: 2

      But the biggest question is: why has it taken so long for them to be hacked? I suppose nobody suspected that they would be that stupid, so nobody bothered to even try? Talk about hiding information in plain view...

    4. Re:Web Admin of the Year by EMN13 · · Score: 1

      The hacked machine seems unrelated to the actual CA business, though - it's just a website, not a CA management tool or whatever. Source: http://forum.kpn.com/t5/News-stream/UPDATE-11-30-KPN-sluit-tijdelijk-website-Gemnet/ba-p/8477

    5. Re:Web Admin of the Year by 19thNervousBreakdown · · Score: 1

      Given the number of exploits for phpMyAdmin, whether it's passworded or not is practically irrelevant if it's exposed to the internet.

      But, since browser manufacturers don't audit CAs (I've never heard either way whether they audit or not, but even if one of them claimed to do so, given the track record I'd have to call bullshit), this hardly matters anyway--it's just going to happen again and again, and it's already happened a number of times that we have no idea about.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    6. Re:Web Admin of the Year by John+Hasler · · Score: 3, Insightful

      But the biggest question is: why has it taken so long for them to be hacked?

      How do you know it did?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    7. Re:Web Admin of the Year by Anonymous Coward · · Score: 0

      These people should be CA's let alone admins of anything other than a mylittlepwny website.

  2. jawdrop by v1 · · Score: 5, Interesting

    website was managed using PHP-MyAdmin, and this application allowed database access without a password.

    At what point does this become "criminal negligence"?

    And you'd expect there would be some sort of periodic audit process in place for anyone that manages a root certificate? hippa-style something or other? Or will they just set up any idiots with a CA that have good credit?

    --
    I work for the Department of Redundancy Department.
    1. Re:jawdrop by Afforess · · Score: 3, Interesting

      Actually, you could make the counter claim that the story title is bad.

      After all, it isn't stealing to pick money off the ground, it isn't hacking to visit public web data.

      --
      If our elected representatives no longer represent us, do we still live in a Democracy?
    2. Re:jawdrop by jon3k · · Score: 2

      HIPAA*. It's short for "Health Insurance Portability and Accountability Act". Sorry, pet peeve.

    3. Re:jawdrop by Anonymous Coward · · Score: 0

      And you'd expect there would be some sort of periodic audit process in place for anyone that manages a root certificate? hippa-style something or other? Or will they just set up any idiots with a CA that have good credit?

      HIPAA*. It's short for "Health Insurance Portability and Accountability Act". Sorry, pet peeve.

      Aside from being an Americanism, the use was perfectly acceptable, as the writer was asking if there are/were any in depth, ineffective, burdensome
      rules/regulations in place akin to what the American HIPPA law is/was supposed to do.

    4. Re:jawdrop by Anonymous Coward · · Score: 1

      The irony here is that your parent was literally spelling out his point. And you still failed to understand it, recognize your failure to understand it, and felt compelled to reply. And then made the same mistake GP was correcting.

    5. Re:jawdrop by Anonymous Coward · · Score: 1

      The title IS misleading. This is incompetence or negligence but 'hacking' in the title gets more eyeballs.

  3. Lets play 'Pass The Blame!....' by EasyTarget · · Score: 4, Informative

    this application allowed database access without a password

    Nope, it doesn't.. not unless configured by a really clueless person, or (this being Holland) by someone who really couldn't give a f**k while being mis-managed by someone determined to spend as little as possible, or hopefully less.

    (disclaimer; I'm a sysadmin who runs, amongst many other things, a MySQL server + PHPmyadmin for my company in the Netherlands, I do it properly but that's only because I care, nobody has ever checked..)

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
    1. Re:Lets play 'Pass The Blame!....' by johnkoer · · Score: 3, Informative

      not unless configured by a really clueless person

I think that is what was being implied by the summary. When I read it, I didn't assume that that was how PHPmyadmin came out of the box. They probably should have used better wording like "and this application was configured to allow database access without a password", to ensure they got the correct point across.

    2. Re:Lets play 'Pass The Blame!....' by YeeHaW_Jelte · · Score: 2, Insightful

I haven't worked with PHPMyAdmin for years (luckily) but even having it accessible from public IP addresses is a serious oversight, password or not.

--
      "The chances of a demonic possession spreading are remote -- relax."
    3. Re:Lets play 'Pass The Blame!....' by Gaygirlie · · Score: 4, Interesting

At least to my eye it looks like they're trying to lay blame on PHPMyAdmin. Perhaps it's just poor wording but still, that's how it comes out. And well, everyone knows that anything can be made insecure if it's put in incompetent-enough hands.

    4. Re:Lets play 'Pass The Blame!....' by Anonymous Coward · · Score: 1

At least to my eye it looks like they're trying to lay blame on PHPMyAdmin.

      I agree completely. Even worse, my experience tells me that this article could very well show up in some IT department's policies as a reason behind a "best practice" of banning PHP itself. I've always thought it "rude" for programs to include the technology they use in their names. The technology gets a bad rap for the program's problems in the eyes of the technically-challenged.

    5. Re:Lets play 'Pass The Blame!....' by arth1 · · Score: 2

      (disclaimer; I'm a sysadmin who runs, amongst many other things, a MySQL server + PHPmyadmin for my company in the Netherlands, I do it properly but that's only because I care, nobody has ever checked..)

      As a long time sysadmin, it has become my opinion that the way to use tools like phpmyadmin "properly" is not at all.

      I once thought that they might be okay for home use, but have changed my mind on that too - it breeds a generation of "sysadmins" who don't know exactly what they're doing, or why, and in some cases don't even give a fuck about their ignorance. They may then expect the tools at work too, because they have made themselves dependent on them.
      When the undigestables meet the stationary propeller, and they have to investigate what went wrong, they don't know how. When faced with systems where their tools aren't present and can't even be installed, they hit a stumbling block, if not a roadblock.

    6. Re:Lets play 'Pass The Blame!....' by kyrio · · Score: 0

      Uh... what? phpmyadmin is configured for external access by default. It asks you for passwords during setup. Unless you mean when configuring it manually, and not through the repos.

    7. Re:Lets play 'Pass The Blame!....' by tbannist · · Score: 2

Your line of reasoning is a little off, you could use the same argument against every labor saving invention in the history of mankind (No spears for you caveman! Lest you forget how to properly kill a deer with your bare hands!). phpMyAdmin is very useful for doing a lot of DB work quickly. I use it practically every day. It's an invaluable tool for developers, for example, who are managing their own local databases and a useful tool for support personnel who can be trusted with some database access but aren't going to learn full SQL and the MySQL CLI interface.

      Sysadmins who don't know exactly what they're doing aren't sysadmins, they're "unqualified applicants", and it's the job of the person doing the hiring to reject them and tell them to go learn what they're doing. Whether that's HR or an individual manager, it's their failure if they're hiring incompetent people.

      --
      Fanatically anti-fanatical
    8. Re:Lets play 'Pass The Blame!....' by webnut77 · · Score: 1

      Thank you for saying this so well.

      Plus

1. phpMyAdmin (at least the way I use it) does not have its own passwords. It uses MySQL user ids and passwords. If you fail at securing MySQL, it's not phpMyAdmin's fault.
      2. If it's running under Apache httpd you can limit access in a lot of ways (i.e. by IP address and/or Apache login) so there is no problem with it running on an internet facing server.
      3. You can be a CLI guru and still use a GUI to get things done.
    9. Re:Lets play 'Pass The Blame!....' by TheSpoom · · Score: 1

Even if it ships without a password out of the box (and I think it does), that shouldn't allow free access to the database, unless their database accepted a connection, from the root user, with no password. Someone there doesn't know how to set up MySQL.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    10. Re:Lets play 'Pass The Blame!....' by rev0lt · · Score: 1

      Last time I checked many (most?) sysadmins don't know exactly what they're doing, and that's why graphical and wizard-based configuration tools are so popular. And no, I'm not talking about windows. There's nothing wrong with that, in most cases. Critical or public facing infrastructure should be the exception, though.

    11. Re:Lets play 'Pass The Blame!....' by kdemetter · · Score: 1

There is a difference between being able to access the database directly, and accessing the database through phpmyadmin:

- On any website I have used, by default direct access to the database is only possible for localhost.
- phpmyadmin is publicly accessible for everyone, allowing you to administer the database from any place.
- to get to phpmyadmin, you are required to authenticate.

If phpmyadmin doesn't have a password, the password on the database isn't going to matter much, as you can change your password through phpmyadmin anyway.

    12. Re:Lets play 'Pass The Blame!....' by rev0lt · · Score: 1

      A developer that would need to use phpMyAdmin should already know enough SQL to use the CLI interface. There are plenty of graphical mysql administration tools that can easily work with a tunneled ssh connection. In the cases that is not feasible, the alternative should never be to upload a 3rd party tool, with a rich history of known vulnerabilities, to a production server.

    13. Re:Lets play 'Pass The Blame!....' by kdemetter · · Score: 1

      So you are blaming the tool for failures of the users ( sysadmins are users in this case ).
      If they don't know how a tool works, the solution is not to stop using the tool. The solution is to learn how it works.

    14. Re:Lets play 'Pass The Blame!....' by mark_elf · · Score: 1

      Yeah pretty much. I know this is /. so we have to quibble about every goddamn thing, but if you're installing something like phpMyAdmin and it doesn't ask you about passwords, or whatever dumbass thing happened here, the problem is that somebody screwed the pooch by just leaving it that way. We gotta make it a little harder than that.

      I think the takeaway from this story is that there are "sysadmins" that don't know what they are doing and occasionally demonstrate this in spectacular ways. There are also VP's that fire good people before they are finished because they themselves don't understand the business they are in. It sorta works? OK, that's good enough, you're fired.

    15. Re:Lets play 'Pass The Blame!....' by Nefarious+Wheel · · Score: 1

There is a difference between being able to access the database directly, and accessing the database through phpmyadmin:

- On any website I have used, by default direct access to the database is only possible for localhost.
- phpmyadmin is publicly accessible for everyone, allowing you to administer the database from any place.
- to get to phpmyadmin, you are required to authenticate.

If phpmyadmin doesn't have a password, the password on the database isn't going to matter much, as you can change your password through phpmyadmin anyway.

      One point - I've set up a couple of XAMPP installations, but I can't remember whether it allows multiple login fails without an air-gap. If it doesn't have a form of interrupt here, it's susceptible to a simple odometer attack. Can anyone remember?

      --
      Do not mock my vision of impractical footwear
    16. Re:Lets play 'Pass The Blame!....' by Nefarious+Wheel · · Score: 1

      It's easy for us to forget the complexity and blame the sysadmin, too. It might be wise to periodically remind the user community that these are machines with billions upon billions of intangible but very real moving parts. The number of utilities and GUI property pages we have to use are many - thousands - and when budgets are trimmed a little too tightly, some of the bits will become misaligned. Knowledge or no, the sysadmin has a fairly huge workload and you have to allow time to get it right before you go public and fire the sysadmin because you brought him on with capex instead of opex.

      --
      Do not mock my vision of impractical footwear
    17. Re:Lets play 'Pass The Blame!....' by Anonymous Coward · · Score: 0

      There are plenty of graphical mysql administration tools that can easily work with a tunneled ssh connection.

      Like... phpMyAdmin! What, never occurred to you to do it that way?

    18. Re:Lets play 'Pass The Blame!....' by rev0lt · · Score: 1

      Why would you use a 3rd party bug-ridden application, when you can use the only slightly crappy MySQL Workbench, from the same guys that bring you MySQL?

    19. Re:Lets play 'Pass The Blame!....' by tbannist · · Score: 1

      Well, I think "bug-ridden" is more than a little bit of exaggeration, I can't remember the last time I ran into a bug in phpMyAdmin. However, if you have multiple people who need access to the database on an infrequent basis, it's easier to run one internal web application that has a tunnel configured to the database servers than to maintain and support the client application on a dozen different machines.

      --
      Fanatically anti-fanatical
    20. Re:Lets play 'Pass The Blame!....' by rev0lt · · Score: 1

      Secunia says the phpMyAdmin 3.x branch has had 20 advisories and 54 (patched) vulnerabilities. The older 2.x has more.

    21. Re:Lets play 'Pass The Blame!....' by Anonymous Coward · · Score: 0

      I'm a sysadmin who runs, amongst many other things, a MySQL server + PHPmyadmin for my company in the Netherlands

      I hope you don't use PHPmyadmin with it publicly exposed. I see shit like below everyday in our logs. I've never used PHPmyadmin but as much as the script kiddies keep looking for it it must be full of holes.

      Never publicly expose admin access your DB.

        404 Not Found //admin/index.php: 1 Time(s) //admin/phpmyadmin/index.php: 1 Time(s) //admin/pma/index.php: 1 Time(s) //db/index.php: 1 Time(s) //dbadmin/index.php: 1 Time(s) //index.php: 1 Time(s) //myadmin/index.php: 1 Time(s) //mysql/index.php: 1 Time(s) //mysqladmin/index.php: 1 Time(s) //php-my-admin/index.php: 2 Time(s) //phpMyAdmin-2.2.3/index.php: 1 Time(s) //phpMyAdmin-2.2.6/index.php: 1 Time(s) //phpMyAdmin-2.5.1/index.php: 1 Time(s) //phpMyAdmin-2.5.4/index.php: 1 Time(s) //phpMyAdmin-2.5.5-pl1/index.php: 1 Time(s) //phpMyAdmin-2.5.5-rc1/index.php: 1 Time(s) //phpMyAdmin-2.5.5-rc2/index.php: 1 Time(s) //phpMyAdmin-2.5.5/index.php: 1 Time(s) //phpMyAdmin-2.5.6-rc1/index.php: 1 Time(s) //phpMyAdmin-2.5.6-rc2/index.php: 1 Time(s) //phpMyAdmin-2.5.6/index.php: 1 Time(s) //phpMyAdmin-2.5.7-pl1/index.php: 1 Time(s) //phpMyAdmin-2.5.7/index.php: 1 Time(s) //phpMyAdmin-2/index.php: 1 Time(s) //phpMyAdmin/index.php: 2 Time(s) //phpadmin/index.php: 1 Time(s) //phpmyadmin/index.php: 2 Time(s) //phpmyadmin1/index.php: 1 Time(s) //phpmyadmin2/index.php: 1 Time(s) //pma/index.php: 1 Time(s) //typo3/phpmyadmin/index.php: 1 Time(s) //web/index.php: 1 Time(s) //web/phpMyAdmin/index.php: 1 Time(s) //websql/index.php: 1 Time(s) //xampp/phpmyadmin/index.php: 1 Time(s)
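The probe list above is a usable detection signal in its own right. As an added example (not code from this thread; the log lines are constructed for the demo), here is a short Python script that parses combined-format access log lines, flags requests to phpMyAdmin-style paths like the ones listed, reports clients that probed several distinct paths, and separately surfaces any probe that did not get a 404, since that is the case that means someone actually found an exposed console:

```python
"""Spot phpMyAdmin path scanning in Apache/nginx combined-format access logs.
Added example, not from the original thread.  SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

# Paths mass scanners try, drawn from the family posted above.  The optional
# prefix covers the "admin/", "web/", "typo3/" and "xampp/" variants; the
# "-2.5.5-pl1" style version suffix and the "phpmyadmin1" style digit are
# both tolerated.  Matching is case-insensitive.
PMA_PATH_RE = re.compile(
    r"^/+(?:admin/|web/|typo3/|xampp/)?"
    r"(?:phpmyadmin(?:-[\w.-]+)?|php-my-admin|phpadmin|mysqladmin|myadmin"
    r"|dbadmin|websql|mysql|pma|db)"
    r"\d*/",
    re.IGNORECASE,
)

# combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one scanner walking the usual paths, one client that
# found a real XAMPP phpMyAdmin (HTTP 200), one single stray probe.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Nov/2011:11:02:14 +0100] "GET //phpMyAdmin/index.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Nov/2011:11:02:14 +0100] "GET //phpmyadmin/index.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Nov/2011:11:02:15 +0100] "GET //pma/index.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Nov/2011:11:02:15 +0100] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
198.51.100.3 - - [30/Nov/2011:11:05:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [30/Nov/2011:11:05:03 +0100] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 200 7331 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Nov/2011:11:06:40 +0100] "GET //myadmin/index.php HTTP/1.1" 404 292 "-" "-"
""".splitlines()


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_pma_scanners(lines, min_distinct_paths=3):
    """Map ip -> sorted list of probed paths, for clients that requested at
    least `min_distinct_paths` distinct phpMyAdmin-style paths.  Status codes
    are ignored here: the walk itself is the signal."""
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and PMA_PATH_RE.match(rec["path"]):
            probes[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in probes.items()
            if len(paths) >= min_distinct_paths}


def hits_that_succeeded(lines):
    """Probe requests that did NOT get a 404.  On a host that does not run
    phpMyAdmin this list must be empty; anything in it means the console is
    reachable and someone has located it."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec and PMA_PATH_RE.match(rec["path"]) and rec["status"] != "404":
            found.append((rec["ip"], rec["path"], rec["status"]))
    return found


if __name__ == "__main__":
    for ip, paths in find_pma_scanners(SAMPLE_LOG).items():
        print(f"scanner {ip}: {len(paths)} distinct phpMyAdmin paths")
    for ip, path, status in hits_that_succeeded(SAMPLE_LOG):
        print(f"ALERT {ip} got {status} for {path}")
```

Feed it real logs with `find_pma_scanners(open("access.log"))`; the scanner list is mostly noise worth blocking at the firewall, while a non-empty `hits_that_succeeded` is the one line that deserves a page.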

    22. Re:Lets play 'Pass The Blame!....' by tbannist · · Score: 1

      Secunia says the phpMyAdmin 3.x branch has had 20 advisories spread over 4 years (2008-2011), 95% of which have been patched (5% have a vendor workaround), 10% of the issues were rated "highly critical", 5% were rated "moderately critical", 70% were rated "less critical" and 15% rated "not critical". No issues fell into the highest category "extremely critical". Half of the issues were cross-site scripting issues, and the two "highly critical" issues seem to require that someone already have logged into phpMyAdmin before they could exploit the issues (of improperly sanitized database fields).

Looking at the details seems to indicate that it's actually pretty secure. By contrast Ubuntu 11.10 has racked up 22 Secunia advisories and 89 vulnerabilities in 2 months. Would you then consider Ubuntu to be "bug-ridden"? Raw numbers can be deceptive.

      --
      Fanatically anti-fanatical
    23. Re:Lets play 'Pass The Blame!....' by rev0lt · · Score: 1

      Actually, I would consider Ubuntu to be bug-ridden, just compare it to FreeBSD 8.0. And you're comparing less than 5Mb of actual code with an entire operating system.

    24. Re:Lets play 'Pass The Blame!....' by tbannist · · Score: 1

      Woosh.

      --
      Fanatically anti-fanatical
    25. Re:Lets play 'Pass The Blame!....' by kyrio · · Score: 1

      Yes, external access to the database has to be manually enabled.

  4. Nothing wrong with PHPMyAdmin by Anonymous Coward · · Score: 2, Insightful

    Why blame the tool? It's like blaming the web browser that the people used to access PHPMyAdmin to access the unsecured database. It's the dits who didn't secure the database that are to blame. Put a password on it and PHPMyAdmin won't be able to get in. Unless there's an exploit I'm not aware of, of course.

    1. Re:Nothing wrong with PHPMyAdmin by ggeens · · Score: 2

      Why blame the tool? It's like blaming the web browser that the people used to access PHPMyAdmin to access the unsecured database.

      AFAIK, PHPMyAdmin doesn't have its own security. The user/password is passed to the MySQL server. If they were able to create databases without a password, it would seem that MySQL was installed without a password for the mysql admin user. During installation, MySQL asks to set a root password. A long time ago, this was not the case.

This would suggest that they had a very old MySQL setup and never changed the password.

      --
      WWTTD?
    2. Re:Nothing wrong with PHPMyAdmin by whoever57 · · Score: 1

      During installation, MySQL asks to set a root password

      Not on Centos, and I assume Red Hat.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Nothing wrong with PHPMyAdmin by kyrio · · Score: 1

      It's asked me for a root pass on CentOS, and Debian and others that I've used.

    4. Re:Nothing wrong with PHPMyAdmin by TheSpoom · · Score: 1

Echoing this sentiment. Every package management system I've used to set up MySQL asked to set a root password.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    5. Re:Nothing wrong with PHPMyAdmin by whoever57 · · Score: 1

      It's asked me for a root pass on CentOS,

      Step 1: yum install mysql-server
      Step 2: service mysqld start

      No password required.

      --
      The real "Libtards" are the Libertarians!
    6. Re:Nothing wrong with PHPMyAdmin by kyrio · · Score: 1

      MySQL would have started itself after installing the package. So, where's the part when you install phpmyadmin and it asks you for passwords?

    7. Re:Nothing wrong with PHPMyAdmin by whoever57 · · Score: 1

      MySQL would have started itself after installing the package

      That (incorrect) statement shows that you are not familiar with Centos.

      So, where's the part when you install phpmyadmin and it asks you for passwords?

      yum install phpmyadmin

      Then you have to configure it. You may choose to protect the phpmyadmin installation with passwords, but (under Centos), nothing forces you to do this. The install defaults to phpmyadmin being allowed only from localhost, so there is a tiny bit of security.

      --
      The real "Libtards" are the Libertarians!
    8. Re:Nothing wrong with PHPMyAdmin by kyrio · · Score: 1

      Yeah, I just installed CentOS recently. I do believe you are full of shit as others have backed up what I said.

9. Re:Nothing wrong with PHPMyAdmin by whoever57 · · Score: 1

      I have several Centos servers (as well as Gentoo servers and desktops, Ubuntu Desktops, etc.) that I administer and I just installed Mysql and phpmyadmin the other day. So, I am quite confident in what I write. Perhaps you have a desktop machine that you play with?
      But, since you are a self-important twit, let me demonstrate that you are wrong:

      Installing:
      mysql-server x86_64 5.1.52-1.el6_0.1 updates 8.1 M

      Transaction Summary
      ====================
      Install 1 Package(s)
      Upgrade 0 Package(s)

      Total download size: 8.1 M
      Installed size: 23 M
      Is this ok [y/N]: y
      Downloading Packages:
      mysql-server-5.1.52-1.el6_0.1.x86_64.rpm | 8.1 MB 0:25
      Running rpm_check_debug
      Running Transaction Test
      Transaction Test Succeeded
      Running Transaction
      Installing : mysql-server-5.1.52-1.el6_0.1.x86_64 1/1

      Installed:
      mysql-server.x86_64 0:5.1.52-1.el6_0.1

      Complete!

      # chkconfig --list mysqld

      mysqld 0:off 1:off 2:off 3:off 4:off 5:off 6:off

      SEE -- It's not even configured to start on boot up. So, concrete proof that you don't know what you are talking about. Moving on:

      # service mysqld start

      Starting mysqld: [ OK ]
      Did you see it ask for a password? No. Did you see it get started automatically? No. Now, who is really full of shit? FYI, Ubuntu would probably start the mysql server after installation, but Centos does not, nor does it ever ask for a password.

      --
      The real "Libtards" are the Libertarians!
    10. Re:Nothing wrong with PHPMyAdmin by kyrio · · Score: 1

      Though I've never used Ubuntu, I would imagine it would do what all other distros do.

  5. Err, wow - just wow. by Penguinisto · · Score: 2

    "The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password."

    I honestly don't know what to say. I mean, doing something like this on an internal network would be bone-headed enough, but doing it on an external-facing box? Under conditions where you would think security is paramount? I mean, you have to actually install and set up PHP MyAdmin - that shit isn't on by default.

    But, the fault lies elsewhere as well. After all, who the fuck was supposed to be doing the compliance audits, pen-testing, network security, firewall security? You always hire a reputable outside person/company to do those things.

    I honestly think the corp got what it deserved at this point... though the victim customers certainly don't deserve what they're about to get (a scramble for new certs, integrity checking, etc).

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Err, wow - just wow. by Pieroxy · · Score: 2

      Under conditions where you would think security is paramount?

      And this is why you don't know what to say. Security is not paramount. Net revenue is. And security costs money.

    2. Re:Err, wow - just wow. by Penguinisto · · Score: 1

      Unfortunately, your statement is all too true in far too many cases.

      Well, it is until the company gets bitten by the lack of it, in which case one or more of the following options are open:

      1) fire the admin deemed most responsible for the breach (in this case, it'd be justified anyway)

      2) over-react, spend a mountain of cash on security, and lock everything down to the point where nobody can use it without a lot of headache and heartache.

      3) fire up the PR machine, and minimize as much of the reputation damage as possible.

      The sad news is, most of the breaches aren't public, or even public enough. Sure, even the non-public ones will scare the crap out of the powers that be for awhile, and may even get you a bit of budget to clean the mess up. But, if you're the sysadmin? Unless you keep very careful records (and offsite copies for ready distribution to, say, Wikileaks) of budget refusals and of refusals to implement certain security controls, you're the one whose career is gonna fry for it.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Err, wow - just wow. by bill_mcgonigle · · Score: 1

      But, the fault lies elsewhere as well. After all, who the fuck was supposed to be doing the compliance audits, pen-testing, network security, firewall security? You always hire a reputable outside person/company to do those things.

      I expected to find a bunch of "certified by X" badges on their website but it just says, basically, "we're safe. Trust us."

      If they weren't on the government gravy train they probably would have been gone a long time ago.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  6. CA System - Has Never Worked As Intended. by VortexCortex · · Score: 3, Funny

    So, any CA can create a cert for any site (or even EVERY site via *.* -- WHO THOUGHT THIS WAS A GOOD IDEA?!). This means EVERY SINGLE CA must remain 100% secure all the time in order for us to be able to trust the CA system.

    Now, this was pointed out from the beginning. "There is not a single point of failure -- No! There are MANY points of failure, any of which means a complete breakdown!"

    A web of trust is the only real competing system, and still here we are, not even trying that out on a large scale. Say what you will, but know that all trust tree hierarchies are doomed to fail.

    Come at me CA apologists. All your certs aren't belong to you.

    1. Re:CA System - Has Never Worked As Intended. by Anonymous Coward · · Score: 0

      This was a website hack ... not a hack of the CA. Besides, they are a reseller not actually a CA.

    2. Re:CA System - Has Never Worked As Intended. by ledow · · Score: 4, Insightful

      Personally, I now have more faith in the CA system than before.

When a rogue CA was spotted, within days it was revoked AND ALL ITS CERTIFICATES FAILED, including ones running in government departments, in every major web browser (totally independently).

      That's a pretty damn good response, and caused the collapse of the company and a government investigation - because browsers that have NOTHING to do with the CA's or the government unilaterally revoked a CA certificate in their browsers.

      The point of the CA system is trust. At some point you have to trust someone. Web of trust is just trusting the majority of public opinion, statistics or some other automated metric. The CA system is trusting particular institutions and browser makers (who, if you don't trust anyway, you wouldn't be doing business with or using their product).

      One CA abused that trust and they disappeared from the web overnight. But I still trust my CA. It's like saying that because one hosting company had a website vandal, everyone should just stop using website hosts.

And now it's in the news, every tiny little breach is going to come to light whereas before, unless you followed the OCSP revocations religiously, you'd never have known.

      The CA system did exactly what it was designed to do and it worked much better than I would have ever expected. I don't see the Dutch CA failing as a failure of the system - the system worked and continues to work. It's like the Internet - it just routes around damage and carries on (by revoking the trust - which you can do yourself in any browser - in those who are untrustworthy).

    3. Re:CA System - Has Never Worked As Intended. by AvitarX · · Score: 1

      For a web of trust to work on a global scale, you're going to need super trustables, it will essentially end up like we have now.

      This isn't e-mail where our interactions are pretty much limited to friends.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:CA System - Has Never Worked As Intended. by thegarbz · · Score: 1

      This means EVERY SINGLE CA must remain 100% secure all the time in order for us to be able to trust the CA system.

      You act like this is something that shouldn't be an outright requirement anyway, let alone something that a company entrusted with generating SSL keys should actually be capable of in the first place.

      Frankly I hope their certificates get revoked and they get shutdown due to neglecting their only source of income, our trust in them. Maybe a few more companies going tits up will be a wakeup call.

    5. Re:CA System - Has Never Worked As Intended. by Skuto · · Score: 1

      or even EVERY site via *.* -- WHO THOUGHT THIS WAS A GOOD IDEA?!

      I think Firefox and Chrome reject such certificates by default (for obvious reasons).

    6. Re:CA System - Has Never Worked As Intended. by Anonymous Coward · · Score: 1

I'm sorry, but what a load of BS. The fact is that the DigiNotar breach was only quickly dealt with *once it was discovered* long after the breach actually occurred, with fraudulent certs already being in the wild and actually used in Iran. Who knows how long it'll take next time before someone notices these fraudulent certificates. Heck, who knows how many CA's have been breached right now, only we don't know about them yet...

    7. Re:CA System - Has Never Worked As Intended. by HFShadow · · Score: 1

Having every major browser vendor issue a software update is far from what I'd consider to be "working". Why don't we have proper CRL's?

    8. Re:CA System - Has Never Worked As Intended. by ledow · · Score: 1

      Update? That's what CRLs are for, as you point out.

      Opera was never "updated" to remove the Diginotar cert, for instance.

    9. Re:CA System - Has Never Worked As Intended. by dveditz · · Score: 1

      No browser would accept a *.* certificate. According to the spec '*' can only appear in the leftmost label and can match only within that label. Long ago Netscape originally supported an expressive regexp syntax; modern browsers follow the RFC.
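      The matching rule dveditz describes, worked through in code as an added example (not taken from any browser's source): `*` is accepted only in the leftmost label and stands for one or more characters within that label, so `*.*`, `www.*.com` and a wildcard that would have to span a dot are all rejected. The requirement of at least two fixed labels (refusing `*` and `*.com`) is browser practice assumed here, beyond what the comment states.

```python
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")
# Characters allowed around the '*' inside a wildcard label.
_LABEL_CHARS = re.compile(r"^[a-z0-9-]*$")


def _labels(name):
    """Normalise a DNS name: drop a trailing dot, lower-case, split on dots.
    Returns None for an empty name or a name containing an empty label."""
    labels = name.rstrip(".").lower().split(".")
    if any(not lab for lab in labels):
        return None
    return labels


def is_valid_pattern(pattern, min_fixed_labels=2):
    """True if `pattern` is an acceptable certificate name.

    '*' may appear only in the leftmost label, and only once, so '*.*' and
    'www.*.com' are rejected.  `min_fixed_labels` is the browser practice
    (assumed here, not part of the comment) of refusing '*' or '*.com',
    which would otherwise match every name under a top-level domain."""
    labels = _labels(pattern)
    if labels is None:
        return False
    first, rest = labels[0], labels[1:]
    # No wildcard anywhere to the right of the leftmost label.
    if any("*" in lab or not _LABEL.match(lab) for lab in rest):
        return False
    if "*" not in first:
        return bool(_LABEL.match(first))
    if first.count("*") != 1:
        return False
    prefix, suffix = first.split("*")
    if not (_LABEL_CHARS.match(prefix) and _LABEL_CHARS.match(suffix)):
        return False
    return len(rest) >= min_fixed_labels


def hostname_matches(pattern, hostname):
    """True if the certificate name `pattern` covers `hostname`.

    Comparison is case-insensitive and label-by-label.  The wildcard stands
    for one or more characters inside its own label and never spans a dot,
    so '*.example.com' covers 'www.example.com' but not 'a.b.example.com'
    and not the bare 'example.com'."""
    if not is_valid_pattern(pattern):
        return False
    pat, host = _labels(pattern), _labels(hostname)
    if host is None or len(pat) != len(host) or any("*" in h for h in host):
        return False
    # Every label to the right of the leftmost one must match exactly.
    if pat[1:] != host[1:]:
        return False
    first, h = pat[0], host[0]
    if "*" not in first:
        return first == h
    prefix, suffix = first.split("*")
    # At least one character must be consumed by the '*' itself.
    return (len(h) > len(prefix) + len(suffix)
            and h.startswith(prefix) and h.endswith(suffix))
```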

    10. Re:CA System - Has Never Worked As Intended. by arglebargle_xiv · · Score: 1

      Personally, I now have more faith in the CA system than before.

      Personally, I now have more faith in our financial system than before.

      When a rogue CA was spotted, within days it was revoked [...]

      When Lehman Brothers screwed up, within days they had collapsed [...]

      That's a pretty damn good response, and caused the collapse of the company and a government investigation

      That's a pretty damn good response, and caused the collapse of the company and a government investigation

      The point of the CA system is trust. At some point you have to trust someone [...]

      The point of the financial system is trust. At some point you have to trust someone [...]

  7. Summary is misleading by Barefoot+Monkey · · Score: 4, Informative

    The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password.

    That's a bit misleading. From what I gather the hack was possible because the database was configured to allow access without a password. Considering that, whether or not PHPMyAdmin is appropriate is a tiny matter by comparison. The summary makes it sound like PHPMyAdmin is to blame.

  8. The dutch are doing the world a favor by Anonymous Coward · · Score: 0

    Forcing the world into abandoning the ridiculous CA system.

    1. Re:The dutch are doing the world a favor by Penguinisto · · Score: 1

      And replace it with... what?

      CAs are a lot like democracy. They both suck, but they tend to suck less than all other forms that have been tried up to now.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  9. KPN revokes certificates by lbalbalba · · Score: 1, Informative

    In response to the news, Gemnet's parent company, KPN, has revoked a thousand certificates. Dutch original

  10. Oh, that's really neato. by Anonymous Coward · · Score: 0

    While idiots continue to make stuff like this possible, I won't be able to find a job.

    Perfect.

  11. PHP-MyAdmin is a major source of vulnerabilities by Anonymous Coward · · Score: 0

    The team behind it should maybe think about adding some checks to ensure the application is configured correctly before allowing access. Why would they even allow no-password operation? I've seen so many incorrectly configured PHP-MyAdmin instances that it makes me sick. They should add a boot-strap script that ensures config, correct file permissions, etc., before entering the app.

  12. Flabbergasted by Issarlk · · Score: 1

    Once I thought that CAs were serious business, with the biggest of them hosted in bunkers with complete security for the keys.
    Now I know it's just as secure as everything else on the net: as Lulzsec demonstrated this year, no security whatsoever.

    Now I'm just waiting to learn that nuclear missile launch consoles are web applications with a "secure" javascript password check to protect them.

    1. Re:Flabbergasted by BumboChinelo · · Score: 1

      Once I thought that CAs were serious business, with the biggest of them hosted in bunkers with complete security for the keys.

      Happy to hear it, since I had the same idealistic vision and in the past was doubtful of our company solution that uses a non-networked machine to sign certs that is in a protected area but not a bunker or Faraday cage. The only way to import/export data (requests and certs) is via DLT tape. After all, it doesn't seem such a lousy solution.

    2. Re:Flabbergasted by psydeshow · · Score: 1

      Well played, sir!

  13. Damn by MadKeithV · · Score: 2

    And here I thought the Dutch would have the national pride not to make their network security like Swiss Cheese.

    1. Re:Damn by MarkGriz · · Score: 1

      Maybe that little Dutch boy can plug this security dike.

      --
      Beauty is in the eye of the beerholder.
    2. Re:Damn by Anonymous Coward · · Score: 0

      Actually we don't really have national pride. A proper Dutchman has a mild dislike for his country*, the only reason we stay is because we dislike all other countries a little more ;)

      * Many consider soccer to be an exception to this rule.

  14. Ca subject name? by qha · · Score: 4, Interesting

    So the first question I expected t.f.a. to answer:

    What is the subject name of this Ca so I can remove it from my list of "trusted" Cas?

    1. Re:Ca subject name? by Anonymous Coward · · Score: 0

      "After the fiasco involving DigiNotar, another Dutch CA (Gemnet, a daughter of KPN-Telecom)..."

    2. Re:Ca subject name? by qha · · Score: 2

      Ok, so this Ca is already not included in Debian?

      I can't find anything about it in the changelog for the ca-certificates package.

    3. Re:Ca subject name? by qha · · Score: 1

      Just asked a colleague to check his windows machine for any ca certificates named anything with Gemnet or KPN, no matches there either.

    4. Re:Ca subject name? by qha · · Score: 1

      I can't find any certificate that looks like this on Centos 6 either.

    5. Re:Ca subject name? by Anonymous Coward · · Score: 1

      What is the subject name of this Ca so I can remove it from my list of "trusted" Cas?

      You would have to move to the Netherlands, become a municipality and get hooked up to their private network to see a GEMNET-certificate. You haven't read TFA, have you?

    6. Re:Ca subject name? by qha · · Score: 1

      Thanks!

      No, I just scanned through it looking for hints on what the ca subject might be. Now I have, however, and I have to admit it still isn't clear to me from the article that this is not a common ca, or whatever we should call them.

  15. Starting to feel like Uplink... by dragonhunter21 · · Score: 2

    I'm kinda getting an Uplink vibe here, with all these "X was hacked" "Another X was hacked, the government is taking it very seriously" on and on and on.

    --
    Sent from my CR-48
  16. The choice of trust is poorly designed by Marrow · · Score: 1

    The keys are there to protect my communications. And yet I am not the one who is choosing who to use as the vendor for my trust. I am given a list of 3rd parties that I have never heard of instead.
    There should not be 1000+ organizations in charge of the security of my communications. I should choose a vendor I trust, and then that vendor should decide if the website I am trying to reach is legitimate. The system is broken by design.

  17. I'm just waiting... by Z00L00K · · Score: 1

    For Verisign to get hacked.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:I'm just waiting... by psydeshow · · Score: 1

      I'm just waiting... for Verisign to get hacked.

      Or burgled.
      Or infiltrated by enemy agents.
      Or infiltrated by government agents.
      Or headed up by a clueless CEO who demands single sign-on access to everything and uses a password based on his birthday.
      Or outsourced to Sony.

    2. Re:I'm just waiting... by Kalriath · · Score: 1

      It's not Verisign any more - it's Symantec. And in the near future all those "Verisign Secure" badges on the internet are changing to "Norton Secure".

      So... job done I guess.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  18. Enough is Enough by StikyPad · · Score: 1

    These stories about Dutch CA's are really clogging up the system.

    1. Re:Enough is Enough by Errol+backfiring · · Score: 1

      Ok. Let me delete them for you. Surely the password needed to do that is somewhere on the web...

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  19. Fail2ban jail for phpMyAdmin by Maow · · Score: 1

    Not sure if it would've helped in this situation, as it seems the DB itself had no password, but since I don't run phpMyAdmin, I use a fail2ban jail which bans any IP trying to access phpMyAdmin since they're obviously up to no good.

    Shameless plug:

    Jails for phpMyAdmin, ssh as root, and bad robots:
    https://www.maow.net/fail2ban

    And, it's using a self-signed certificate ... seems like the only CA I can trust is myself, and I don't really like the look of that shifty character in the mirror either.
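    A defender's version of the jail Maow describes, as an added example and not Maow's own fail2ban filter: the same fail2ban-style logic (match requests for phpMyAdmin paths on a server that does not run it, count them per client IP, ban at a threshold) applied in Python to constructed access-log lines so it runs offline. The IP addresses, timestamps and paths in the sample log are made up.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log line: client IP, request line, status.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths no legitimate visitor requests on a host that does not run
# phpMyAdmin, so any hit is a probe (this is what a fail2ban filter's
# failregex would carry).  Case-insensitive; versioned directory names
# such as /phpMyAdmin-3.4.8/ are covered by the [\w.-]* tail.
_PMA_PATH = re.compile(
    r"/(?:phpmyadmin[\w.-]*|pma\d*|myadmin|mysqladmin|dbadmin|sqladmin)(?:/|$)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return {'ip', 'path', 'status'} for a combined-format line, else None."""
    m = _LOG.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def is_pma_probe(path):
    """True if the requested path looks like a phpMyAdmin location."""
    return bool(_PMA_PATH.search(path))


def probes_by_ip(lines):
    """Count phpMyAdmin-path requests per client IP; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_pma_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return counts


def ips_to_ban(lines, maxretry=1):
    """IPs whose probe count reaches `maxretry` (fail2ban's knob of the same
    name).  The comment's reasoning is that one request for phpMyAdmin on a
    host without it is already "up to no good", hence the default of 1."""
    return sorted(ip for ip, n in probes_by_ip(lines).items() if n >= maxretry)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Dec/2011:15:39:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Dec/2011:15:39:02 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [08/Dec/2011:15:40:10 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [08/Dec/2011:15:40:11 +0100] "GET /PhpMyAdmin-3.4.8/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [08/Dec/2011:15:41:00 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, n in probes_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} phpMyAdmin probe(s)")
    print("ban:", ips_to_ban(SAMPLE_LOG))
```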

  20. this is just new. by Anonymous Coward · · Score: 0

    Dutch CAs making it easy for trojans/viruses to do their work.. wouldn't be surprised if they are all linked somewhere..

  21. Misleading article by EMN13 · · Score: 1

    According to KPN, the hacked website was not part of the CA's issuing system. Assuming they're being wholly truthful, this article is pure sensationalism: A company has a non-critical website that's hacked: whooptie.

    Of course it's bad PR: it doesn't inspire confidence in their other security matters. However, it's just as likely that they're concentrating on their actual business (managing certificates), and the site was an afterthought. In any case (maybe I'm just cynical) it doesn't surprise me that a very low traffic, low volume site is negligently secured.

    Totally misleading headline.

    1. Re:Misleading article by Em+Adespoton · · Score: 1

      Only partially misleading... the configuration provided access via a roundabout route to the admin credentials, which could be used to legitimately mess with the issuing system by escalating access privileges. It's not a case of "they left the issuing system wide open!" but it is a case of "they left an entry point to their management system wide open!" which can eventually result in the same thing... with fewer ways to track monkeying with the issuing system, as the attacker will be using legit creds, and may even be accessing via a legit admin's address.

  22. Re:PHP-MyAdmin is a major source of vulnerabilitie by TheSpoom · · Score: 2

    FFS, if you're depending on phpMyAdmin for your database security, you're doing it wrong. If phpMyAdmin, out of the box, can access your MySQL server, it means you haven't given a password to the root user on MySQL. Which means anyone that can connect to your MySQL server at all has full access.

    Unless set up in a very specific way, all phpMyAdmin does is pass along your authentication information to MySQL.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  23. Re:PHP-MyAdmin is a major source of vulnerabilitie by Penguinisto · · Score: 1

    Someone please mod parent up.

    TFA describes a complete failure not only of the company's security setup, but of its specific architecture and design. Even if you have to use phpMyAdmin that frickin' badly? Unless you're a web hosting provider running the damned thing in a sandbox, you deny visibility to it from the outside network for starters. Then there's still the matter of the default password-less state of the DB.

    I mean, damn... what high school kid did they get to set this thing up? It's not 2001 anymore, where brain farts like that could be ignored, and the worst you had to worry about is some script kiddie defacing your company home page.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  24. Thought Linux = Secure, Penguins... apk by Anonymous Coward · · Score: 0

    Funny part is, it's NOT SHOWING THAT, especially on CA's this year! To wit/e.g.:

    ---

    Linux's showing in CA's that utilize it that have been breached recently:

    http://uptime.netcraft.com/up/graph?site=StartCom.com

    http://uptime.netcraft.com/up/graph?site=GlobalSign.com

    http://uptime.netcraft.com/up/graph?site=Comodo.com

    http://uptime.netcraft.com/up/graph?site=DigiCert.com

    http://uptime.netcraft.com/up/graph?site=www.gemnet.nl

    The majority (5/6) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, Gemnet, & Comodo)... per these articles verifying that:

    http://itproafrica.com/technology/security/cas-hacked/

    &

    http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811

    ---

    * Per my subject-line above, & all the YEARS here of hearing "Linux = Good/Secure & Windows = Bad/Insecure" b.s. just seems to be falling apart @ the seams for the outright "FUD" it truly was, eh?

    (NOW - IF anyone reading doesn't LIKE that? Keep this in mind: IT'S FACTS, documented facts, from reputable sources!)

    Yes, I also have more & from VERY recent history on Linux's security failings (but you can start with the above Penguins, & "Read 'em & WEEP"...)

    APK

    P.S.=> NOW, as I stated above? IF you don't like it, I have PLENTY MORE from recent history (very recent in fact & ongoing for years now, especially THIS year no less) on how "secure" Linux is showing itself to TRULY be (not!)...

    (Especially now that it's being used more, especially on ANDROID-bearing smartphones, where it's turning up as bad as, or worse than, Windows is on PCs (due to widespread usage? Any OS can be "shredded" on security & have its weaknesses exposed).)

    However, the REAL trouble is, Linux is JUST STARTING THAT CYCLE!

    By comparison, Windows has been fixing itself vs. that for years-to-decades now by comparison due to widespread marketshare/mindshare (nearly 95% in fact)...

    ... apk

    1. Re:Thought Linux = Secure, Penguins... apk by Anonymous Coward · · Score: 0

      Although I agree that linux doesn't seem to be much more secure than Windows lately, I totally fail to understand how this has anything to do with the present article, which explicitly states that they let a phpmyadmin interface open in the wild without any password protection.

      Or maybe you're trying (hard) to get an "offtopic" mod ?

  25. CA System, "works" as intended; inherently broken by Onymous+Coward · · Score: 1

    "But what's really scary, is that the evidence F-Secure found suggests that DigiNotar was hacked at least two years ago."

    I don't agree that having one's ass hanging in the wind — thinking your SSL connections are secure while they're not — for two years is a system that "works".

    It's astonishing in the current landscape where most everyone appears to be concerned and casting about for solutions to see someone thinking the CA system is fine. The foundation of the CA system involves giving each of hundreds of race-to-the-bottom entities complete authority over your SSL security. Even if "race-to-the-bottom" weren't their nature, you'd still have a bell curve of performance, and the tail on the left side is your maximal security. (You are here.) The system is inherently flawed.

  26. Just posting facts (in my 1st post)... apk by Anonymous Coward · · Score: 0

    "Although I agree that linux doesn't seem to be much more secure than Windows lately, I totally fail to understand how this has anything to do with the present article, which explicitly states that they let a phpmyadmin interface open in the wild without any password protection." - by Anonymous Coward on Thursday December 08, @03:39PM (#38307568)

    It goes to show you that for all the "smarts" many Penguins believe they have? The OS itself, especially if NOT set up security-hardened (& that means "above & beyond" even SELinux's defaults) isn't any more secure than its competitors (such as MacOS X &/or Windows 7/Server 2008 R2): They ALL have security-hardening possibilities far, Far, FAR above the default "norms" sent you by the OEMs who make them.

    * Linux also has a lot of other "security-hassles" that DON'T belong in the "I forgot to look @ my security settings, application & OS side both, & configurations of them alongside code running on them (ala bind variables & stored procedures vs. SQLInjection possibles for example)... ANDROID ALONE shows that much!

    ---

    "Or maybe you're trying (hard) to get an "offtopic" mod ?" - by Anonymous Coward on Thursday December 08, @03:39PM (#38307568)

    Hmmm, on that note from you? No, I just post facts from reputable sources as I did in the post you replied to... would you like MORE, & from recently?? I can supply them, in seconds, & again - from reputable sources with concrete, verifiable, & truthful data.

    (I can "speculate" also & say you're attempting to "bury the truth" by getting others to "downmod" my posts, whether it has verifiable facts that do NOT make Linux appear very secure in it, or not!)

    APK

    P.S.=> I just KNEW, long ago, that all the "Linux = GOOD/SECURE, & Windows = BAD/INSECURE" business stated for YEARS around here was b.s. is all - "security-by-obscurity" (because of Linux's 1.19% of marketshare mainly) was what Linux users had going for them... not an "inherently more secure OS"!

    (Additionally? Especially @ the kernel level where Linux's "mainstream" 2.6 kernel has more unpatched security vulnerabilities & more "remotely exploitable" ones than does Windows Server 2003 (which has easy work-arounds for its 2 remotely vulnerable ones no less), AND, Linux has more & by over 4x as many no less, & per SECUNIA.COM stats on that much)... apk

    1. Re:Just posting facts (in my 1st post)... apk by Anonymous Coward · · Score: 0

      "Although I agree that linux doesn't seem to be much more secure than Windows lately, I totally fail to understand how this has anything to do with the present article, which explicitly states that they let a phpmyadmin interface open in the wild without any password protection." - by Anonymous Coward on Thursday December 08, @03:39PM (#38307568)

      It goes to show you that for all the "smarts" many Penguins believe they have? The OS itself, especially if NOT set up security-hardened (& that means "above & beyond" even SELinux's defaults) isn't any more secure than its competitors (such as MacOS X &/or Windows 7/Server 2008 R2): They ALL have security-hardening possibilities far, Far, FAR above the default "norms" sent you by the OEMs who make them.

      * Linux also has a lot of other "security-hassles" that DON'T belong in the "I forgot to look @ my security settings, application & OS side both, & configurations of them alongside code running on them (ala bind variables & stored procedures vs. SQLInjection possibles for example)... ANDROID ALONE shows that much!

      So, nothing even remotely related to the current article ?

      No, I just post facts from reputable sources as I did in the post you replied to... would you like MORE, & from recently?? I can supply them, in seconds, & again - from reputable sources with concrete, verifiable, & truthful data.

      (I can "speculate" also & say you're attempting to "bury the truth" by getting others to "downmod" my posts, whether it has verifiable facts that do NOT make Linux appear very secure in it, or not!)

      APK

      P.S.=> I just KNEW, long ago, that all the "Linux = GOOD/SECURE, & Windows = BAD/INSECURE" business stated for YEARS around here was b.s. is all - "security-by-obscurity" (because of Linux's 1.19% of marketshare mainly) was what Linux users had going for them... not an "inherently more secure OS"!

      ok, so I can say "Bill Gates is rich", "Windows Vista sucks", "the earth orbits around the sun" on any slashdot article and not be modded off-topic because it's a fact ?

      (Additionally? Especially @ the kernel level where Linux's "mainstream" 2.6 kernel has more unpatched security vulnerabilities & more "remotely exploitable" ones than does Windows Server 2003 (which has easy work-arounds for its 2 remotely vulnerable ones no less), AND, Linux has more & by over 4x as many no less, & per SECUNIA.COM stats on that much)... apk

      Wrong. The Linux 2.6 kernel has more *KNOWN* and *PUBLICLY PUBLISHED* security vulnerabilities (although some linux fanboys might argue on the definition of "security vulnerabilities"). Microsoft keeps theirs hidden, deeply buried (the so-called "security" by obscurity). You (or anyone on Earth for that matter) have NO IDEA of which OS has the more security vulnerabilities. Claiming to know that unknowable information is pure FUD and BS.

  27. CA's & Security (what I posted) = pertinent by Anonymous Coward · · Score: 0

    "So, nothing even remotely related to the current article ?" - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

    The article's on CA's, security, & yes, even Linux (because the "hacked/cracked" servers RUN LINUX at GEMNET): THUS, as to what I posted (all fact based, deals in CA's that run LINUX and that were security breached... period) = VERY pertinent, on those very grounds, alone...

    APK

    P.S.=>

    "Wrong. the Linux 2.6 kernel has more *KNOWN* and *PUBLICLY PUBLISHED* security vulnerabilities (although some linux fanboys might argue on the definition of "security vulnerabilities"). - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

    I agree on UNKNOWN security vulnerabilities, but I never mentioned those - I STATED KNOWN UNPATCHED SECURITY VULNERABILITIES LISTED @ SECUNIA.COM...

    So, would you prefer I use the National Vulnerabilities Database here instead -> http://web.nvd.nist.gov/view/vuln/search-results?query=Linux+kernel&search_type=all&cves=on from NIST??

    I could you know... however, later than "2.6 mainstream base code" versions of the Linux kernel patch the holes, but that's assuming that those that use it actually DID update their OS (that's largely a manual thing via rpm, yum, apt-get etc. on Linux usually).

    Problem is, when you UPDATE a Linux kernel? It also BREAKS APPS ON IT, like mad too... I've had it happen!

    ---

    "Microsoft keeps theirs hidden, deeply buried (the so-called "security" by obscurity)." - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

    Rightfully so - they're NOT an "Open 'SORES'" based company, & their sourcecode's their lifeblood... by way of comparison, regarding sourcecode of current OS source? Linux isn't doing well there, RECENTLY TOO, mind you, either:

    ---

    KERNEL.ORG COMPROMISED:

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    "Proof's in the pudding", right there above, recently too mind you (again, per my usual, just facts)...

    I'll also tell you, right now, for a FACT & from experience here (17++ yrs. professionally coding mostly)?

    Sending "Open 'SORES'" code into a compiler & step-tracing it (because you have the actual sources) is far, Far, FAR EASIER to find "security bugs" in, than is disassembly of closed source code (or even fuzzing it sending it data it may not be able to handle)...

    Closed source actually works BETTER for security, especially in that regard in fact, because it's "closed"... period!

    ... apk

    1. Re:CA's & Security (what I posted) = pertinent by Anonymous Coward · · Score: 0

      "So, nothing even remotely related to the current article ?" - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

      The article's on CA's, security, & yes, even Linux (because the "hacked/cracked" servers RUN LINUX at GEMNET): THUS, as to what I posted (all fact based, deals in CA's that run LINUX and that were security breached... period) = VERY pertinent, on those very grounds, alone...

      APK

      P.S.=>

      I disagree, you sound like those guys that scream "OMFG Windows was pwned ... again" because some guy didn't put an admin password on his Windows XP install or because IE has a flaw ..., except that here the component hacked (mysql database with no password + phpmyadmin accessible from the internet) is not even part of linux. And don't tell me IE is not part of Windows, they got sued and lost big because it is.

      "Wrong. the Linux 2.6 kernel has more *KNOWN* and *PUBLICLY PUBLISHED* security vulnerabilities (although some linux fanboys might argue on the definition of "security vulnerabilities"). - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

      I agree on UNKNOWN security vulnerabilities, but I never mentioned those - I STATED KNOWN UNPATCHED SECURITY VULNERABILITIES LISTED @ SECUNIA.COM...

      So, would you prefer I use the National Vulnerabilities Database here instead -> http://web.nvd.nist.gov/view/vuln/search-results?query=Linux+kernel&search_type=all&cves=on from NIST??

      I could you know... however, later than "2.6 mainstream base code" versions of the Linux kernel patch the holes, but that's assuming that those that use it actually DID update their OS (that's largely a manual thing via rpm, yum, apt-get etc. on Linux usually).

      Problem is, when you UPDATE a Linux kernel? It also BREAKS APPS ON IT, like mad too... I've had it happen!

      ---

      "Microsoft keeps theirs hidden, deeply buried (the so-called "security" by obscurity)." - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

      Rightfully so - they're NOT an "Open 'SORES'" based company, & their sourcecode's their lifeblood... by way of comparison, regarding sourcecode of current OS source? Linux isn't doing well there, RECENTLY TOO, mind you, either:

      ---

      KERNEL.ORG COMPROMISED:

      http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

      ---

      "Proof's in the pudding", right there above, recently too mind you (again, per my usual, just facts)...

      I'll also tell you, right now, for a FACT & from experience here (17++ yrs. professionally coding mostly)?

      Sending "Open 'SORES'" code into a compiler & step-tracing it (because you have the actual sources) is far, Far, FAR EASIER to find "security bugs" in, than is disassembly of closed source code (or even fuzzing it sending it data it may not be able to handle)...

      Closed source actually works BETTER for security, especially in that regard in fact, because it's "closed"... period!

      ... apk

      Again I disagree, as Secunia themselves said (if I remember correctly, because some idiot used their figures as sound proof of Firefox being less secure than IE): this is comparing oranges and apples. And the fact that you use trolling terms such as "Open Sores" doesn't help me to try to understand your argument. Flaws in closed source can be harder to find, but it also means that we (users) cannot check for them either and that we don't know when they're patched or what is or is not patched. Security through obscurity is an illusion (just as much as blindly believing linux is perfectly secure).
      Car analogy: if someone wants to steal A car, he will take easy one. If someone wants to steal YOUR car, he will steal it, period.

    2. Re:CA's & Security (what I posted) = pertinent by Anonymous Coward · · Score: 0
      disclaimer: using both windows and linux here (50/50)

      I could you know... however, later than "2.6 mainstream base code" versions of the Linux kernel patch the holes, but that's assuming that those that use it actually DID update their OS (that's largely a manual thing via rpm, yum, apt-get etc. on Linux usually).

      don't know what linux you are using but on most distrib ('buntu's, redhat's) it's fully automatic, kinda like window$: it asks for your admin password, you (un)select your updates, click the "update" button. Done

      Problem is, when you UPDATE a Linux kernel? It also BREAKS APPS ON IT, like mad too... I've had it happen!

      Problem is, when you UPDATE a Windows ? It also BREAKS APPS ON IT, like mad too... I've had it happen!
      service pack anyone ? migrating from XP to Vista to 7 anyone ?
      I had to reinstall my windows from scratch 4 times in 3 years because of these ...
      my linux partition though : upgrading since 'buntu 7.10 up to 10.04 flawlessly from that point-of-view*.

      *another point-of-view is that some options changed place, some default programs were installed in new distribs while others were not maintained anymore, but that's not limited to open source in any case.

      regarding sourcecode of current OS source? Linux isn't doing well there, RECENTLY TOO, mind you, either:

      ---

      KERNEL.ORG COMPROMISED:

      http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

      you're kidding right ? did you miss the memo: the linux source code is versioned with git. i.e. it is distributed all over the world and hash-tagged. Any modification of the code at kernel.org would have been spotted right on the first repo sync. I sure hope window$ source code versioning system has the same security, otherwise we're doomed ...

      NB: sorry for the window'$' thing, but given your obviously trollish "open sores", I couldn't resist.

  28. Another /. user said it on the Diginotar case: by D,Petkow · · Score: 0

    "Bob has a problem requiring secure communication. He decides to use certificates. Now Bob has two problems."

  29. Time to by Anonymous Coward · · Score: 0

    Time to remove the Dutch government from our Trusted Roots

  31. Facts are facts... apk by Anonymous Coward · · Score: 0

    Disagree ALL you like but facts remain facts here http://it.slashdot.org/comments.pl?sid=2564492&cid=38306582

    (There's no "apples to oranges" comparison there at all whatsoever, only FACTS that Linux was compromised MULTIPLE TIMES running @ 5 CA's... period!)

    APK

    P.S.=> The topic is CA's being breached - how do you figure I am off topic, as you stated in your 1st reply, by my simply pointing out that those same CA's run Linux? apk

  32. Again: FACTS, are facts... apk by Anonymous Coward · · Score: 0

    Disagree ALL you like but facts remain facts here http://it.slashdot.org/comments.pl?sid=2564492&cid=38306582

    (There's no "apples to oranges" comparison there at all whatsoever!)

    * FACTS that Linux was compromised MULTIPLE TIMES running @ 5 CA's... period!

    APK

    P.S.=> Mind you, again: The topic is CA's being breached - so, how do you figure I am off topic, as you stated in your 1st reply, by my simply pointing out that those same CA's run Linux?

    Now next I suppose you'll try to tell the rest of us that the LINUX SOURCECODE REPOSITORY BEING BREACHED, as it was, IS A "GOOD THING", right?? apk

  33. OK then, here is a fact... apk by Anonymous Coward · · Score: 0

    Linux has nothing to do whatsoever with the current topic, cry, SCREAM, bold as much as you want, now I know for sure that you're just an offtopic troll who can't answer simply to a simple question and eludes or twists facts and their meanings as pleases him.

    P.S.=> the topic is CA's being breached because they let a password-less database accessible through the internet. This has nothing to do with linux and that's a fact (another fact: I'm not a linux fanboi at all, just in case that would be your next silly argument).

    If it had been breached because some asshole admin didn't set a password to his linux user account or because of some linux's kernel or userland (e.g. GNU but not limited to it) flaw, then you'd have been on-topic.
    Here you're just an obvious flamebaiting offtopic troll, and I dislike you as much as I dislike all the linux fanbois around here that have a surge of pleasure everytime they read that a Windows box has been breached, without trying to make the difference between "Windows has been breached" and "some guy installed a flawed/backdoored program on his Windows computer"

  34. Answer a simple question then... apk by Anonymous Coward · · Score: 0

    Ahem: Did the 5 breached CA's run Linux? Yes or No will do, especially in regard to this statement from you:

    "Linux has nothing to do whatsoever with the current topic" - by Anonymous Coward on Friday December 09, @09:10AM (#38314022)

    This clearly shows otherwise:

    ---

    Linux's showing in CA's breached recently too? Ok:

    http://uptime.netcraft.com/up/graph?site=StartCom.com

    http://uptime.netcraft.com/up/graph?site=GlobalSign.com

    http://uptime.netcraft.com/up/graph?site=Comodo.com

    http://uptime.netcraft.com/up/graph?site=DigiCert.com

    http://uptime.netcraft.com/up/graph?site=www.gemnet.nl

    The majority (5/6) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)... per these articles verifying that:

    http://itproafrica.com/technology/security/cas-hacked/

    &

    http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811

    ---

    * Fact is, each of those CA servers run Linux, and were breached - period.

    (OR, are you going to TRY TO TELL US THEY RUN WINDOWS and WERE BREACHED?)

    APK

    P.S.=> Next, you can attempt to put your "spinmaster b.s." onto these further documented facts AND CURRENT INFORMATION ON LINUX SECURITY BREACHES, once again from reputable sources, only to FAIL again on your part. This all puts your bullshit to rest easily with CURRENT information:

    ---

    KERNEL.ORG COMPROMISED:

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    ---

    Well, well: Once again, we have a set of servers that run Linux being breached (very, Very, VERY BAD security breaches too, regarding Linux's own sourcecode repository too, no less!)

    Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

    You get the picture...

    * TOP THAT ALL OFF W/ DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS, PER THIS ARTICLE (very recent):

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    ALL OF THAT IS VERY RECENT INFORMATION FROM THE PAST FEW MONTHS NOW, no less...

    ... apk/b

  35. That's an easy one... apk by Anonymous Coward · · Score: 0

    Ahem: Did the 5 breached CA's run Linux? Yes or No

    The answer to that very specific question is "Yes"
    But what you're saying (or trying desperately to prove to stay on-topic) is that it is because it is running linux that gemnet was breached.
    So the answer to your (implicit) question :

    Ahem: Did this CA, mentioned in this article, get breached because it was running Linux? Yes or No

    is very explicitly and clearly : "No" (would you dare answer yes to that easy question ?)
    And there you are, proven "off-topic troll flamebaiter".

    As for the other AC post below about the kernel.org, I don't think he meant: "it's a good thing that kernel.org was hacked", instead I think he was trying to explain to you: "it had absolutely zero effect on the linux source code", whereas you're abusively trying to use that information to "prove" that open source sucks (which is totally unrelated) and that linux sourcecode was somehow compromised (which it was absolutely not).
    And there you are, proven "off-topic troll flamebaiter" twice in a row

    Since you won't read what I wrote or won't want to understand it because it goes against all your beliefs, I'll just let you the same opportunity you gave me :
    * question 1: was gemnet compromised because it was running linux ? yes or no
    * question 2: was the linux source code compromised ? yes or no

  36. Your "YES" answer says it all... apk by Anonymous Coward · · Score: 0

    "The answer to that very specific question is "Yes"" - by Anonymous Coward on Friday December 09, @10:20AM (#38314790)

    Aha, you now ADMIT Linux had something to do w/ the CA's being breached - after all, they DO run Linux!

    Yes - despite the b.s. in your other words quoted in my "p.s." below once more!

    ---

    "As for the other AC post below about the kernel.org, I don't think he meant: "it's a good thing that kernel.org was hacked", instead I think he was trying to explain to you: "it had absolutely zero effect on the linux source code"" - by Anonymous Coward on Friday December 09, @10:20AM (#38314790)

    LMAO - ok... "sure, sure - having your sourcecode repository breached by hacker/cracker types is a GOOD THING"... Yea, 'right' ( We KNOW that there ARE NO OTHER AC POSTERS REPLYING TO ME, only yourself... So, that "all said & aside" - Who are you trying to fool other than yourself here, in trying to create the illusion of "support for yourself"?)

    APK

    P.S.=> Still, per my subject-line above? Well, your answer says it all, & that's all there is to it, in regards to your statement here earlier then:

    "Linux has nothing to do whatsoever with the current topic" - by Anonymous Coward on Friday December 09, @09:10AM (#38314022)

    Beg to differ - your own words quoted @ the outset of my reply show clearly otherwise: You even stated yourself, quoted above, that the breached CA's run Linux...

    Thus, lol, I'd think that Linux has just a "little WEE BIT" (lol, not) to do with things here, regarding what happened (Windows didn't in the cases I pointed out of 5 CA's breached)...

    ... apk

    1. Re:Your "YES" answer says it all... apk by Anonymous Coward · · Score: 0
      Here we are, not answering to simple questions and twisting the meaning of someone's words. Typical troll.

      Aha, you now ADMIT Linux had something to do w/ the CA's being breached

      No

      Aha, you now ADMIT Linux is running the gemet CA that has been breached

      Yes, I never denied it

      In case you didn't know there is a HUGE difference of meaning between these two sentences (you're non-native speaker, uh ? don't worry, I'm not either, but at least I know that difference).

      "sure, sure - having your sourcecode repository breached by hacker/cracker types is a GOOD THING"

      I never ever said that it was a good thing nor did the other AC

      We KNOW that there ARE NO OTHER AC POSTERS REPLYING TO ME, only yourself... So, that "all said & aside" - Who are you trying to fool other than yourself here, in trying to create the illusion of "support for yourself"?

      And some troll-typical pseudo-paranoïa to continue with.

      And the final nail on the coffin : you running away from these very simple questions:
      * question 1: was gemnet compromised because it was running linux ? yes or no
      * question 2: was the linux source code compromised ? yes or no

      See, all typical troll (you're exactly like the ones in The Book). Pheeew that was fun. Goodbye troll.

  37. "Rinse, Lather, & Repeat"... apk by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=2564492&cid=38314978

    AND YES:

    ---

    1.) The Linux sourcecode repository kernel.org was breached (and it runs Linux too) - this is NOT A GOOD THING!

    ---

    2.) Linux running on ANY OF THE 5 CA's I LIST ABOVE is indicative of 2 things:

    a.) Penguins can't secure their own setups properly!

    b.) Linux != "secure", per my p.s. below (which you heard here on /. especially, for YEARS, which the link above shows it is ANYTHING BUT SECURE!)

    (After all - the 5 CA's breached weren't running Windows or MacOS X, now were they? No!)

    ---

    Facts are FACTS... period!

    APK

    P.S.=> In the end? Well... So much for the "Linux is secure" b.s. 'FUD' you saw spread about on /. FOR YEARS to mislead "noobs" with, ala:

    http://www.google.com/search?q=%22Linux+is+secure%22+site:slashdot.org&hl=en&gbv=1&prmd=imvns&ei=xy7iTqyvKenc0QHksc3XBQ&start=0&sa=N

    It's turning up PURE B.S. ... lol!

    ... apk

  38. Troll harder APK by Anonymous Coward · · Score: 0
  39. Your questions were answered by Anonymous Coward · · Score: 0

    Your questions were answered here http://it.slashdot.org/comments.pl?sid=2564492&cid=38315648 so why lie about that (as you CLEARLY ARE, per this statement quoted from your reply I just replied to):

    "stop running away from my questions." - by Anonymous Coward on Friday December 09, @11:40AM (#38315750)

    * Ahem, lol, once more - See the link above, lol...

    (Quit telling lies, troll. Linux is FAR from secure - Despite all the "FUD" b.s. spread around here on /. for years & YOU ADMITTED THE CA'S BREACHED I PUT UP LISTS OF THEM ALL RAN LINUX - as well as numerous other security breaches regarding Linux utilizing servers & yes, that makes Linux a part of what's going on, clearly & repeatedly, on "Linux security" (lol, weak)).

    APK

    P.S.=> Not only were they answered, but they were also easily shot-down on your questions there point by point...

    In fact, you were trashed SO EASILY, I've just GOTTA say it (as-is-per-my-usual style):

    This? This was just "too, Too, TOO EASY - just '2EZ'"... lol!

    ... apk

    1. Re:Your questions were answered by Anonymous Coward · · Score: 0

      the questions were :

      * question 1: was gemnet compromised because it was running linux ? yes or no (FYI answer was no)
      * question 2: was the linux source code compromised ? yes or no (FYI answer was no)

      And you answered none.

      Instead you answered your own twisted (and stupidly switched, are you dyslexic or what ?) questions :

      1. was the linux source code repository server (aka kernel.org) compromised ? yes
      2. was a CA running linux compromised ? yes

      I think you being a non-native English speaker gives you some trouble understanding some basic nuance of English.

      Quit telling lies, troll. Linux is FAR from secure

      I NEVER said it was secure, I dare you to find ONE quote where I said so (will be difficult for you since I didn't)

      YOU ADMITTED THE CA'S BREACHED I PUT UP LISTS OF THEM ALL RAN LINUX

      True, and YOU refuse to admit that Gemnet CA's breach was not due to it running linux (see my question 1. above)

      Not only were they answered, but they were also easily shot-down on your questions there point by point...

      False, as I just proved here above, you switched the answer and changed the question instead of honestly answering "yes" or "no", because you cannot answer "yes" or "no" to these questions. "yes" would be a lie and "no" would destroy your belief system. You're like a child that cannot admit Santa Claus doesn't exist when told so.

      In fact, you were trashed SO EASILY, I've just GOTTA say it (as-is-per-my-usual style):

      This? This was just "too, Too, TOO EASY - just '2EZ'"... lol!

      Yeah, keep trolling some more so that everyone around knows what you are .. a huge big troll :-)

      oh man, you sure are a big joke :-D

  40. CA's breached that run Linux ("Read all about it") by Anonymous Coward · · Score: 0

    LMAO -> http://it.slashdot.org/comments.pl?sid=2564492&cid=38306582

    :)

    APK

    P.S.=> U FAIL TROLL, vs. documented current facts from reputable sources... apk

  41. APK trolling debunked (the hard way) :-) by Anonymous Coward · · Score: 0
    :-)

    http://it.slashdot.org/comments.pl?sid=2564492&cid=38314790
    http://it.slashdot.org/comments.pl?sid=2564492&cid=38315334
    http://it.slashdot.org/comments.pl?sid=2564492&cid=38316804

    Oh you're so getting your troll's ass kicked today :-D

    NEWS AT 11: APK PUBLICLY ADMITS HE'S AN OFFTOPIC TROLL BY NOT ANSWERING DIRECT AND SIMPLE QUESTIONS AND CHANGING THE MEANING OF OTHER PEOPLE'S ANSWERS

    * question 1: was gemnet compromised because it was running linux ? NO
    * question 2: was the linux source code compromised ? NO
    * question 3: did I ever claim that linux = secure ? NO
    * question 4: did APK change the question he didn't want to answer ? YES
    * question 5: did APK admit he was wrong when confronted with current facts from reputable sources ? NO
    * question 6: did APK lie about what I said and didn't say ? YES
    * question 7: did APK get his ass kicked repeatedly today ? HELL YEAH

    You sure are a big failure in life, you must really be incompetent in your IT-related work, that's why we never hear of you outside of forums (from which you systematically get banned for trolling) and on slashdot.

    How should we call you from now on ? the Runaway Troll ?

  42. News @ 11: Multiple security blunders 4 Linux by Anonymous Coward · · Score: 0

    KERNEL.ORG COMPROMISED:

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    ---

    Linux's showing in CA's breached recently too? Ok:

    http://uptime.netcraft.com/up/graph?site=StartCom.com

    http://uptime.netcraft.com/up/graph?site=GlobalSign.com

    http://uptime.netcraft.com/up/graph?site=Comodo.com

    http://uptime.netcraft.com/up/graph?site=DigiCert.com

    http://uptime.netcraft.com/up/graph?site=www.gemnet.nl

    The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:

    http://itproafrica.com/technology/security/cas-hacked/

    &

    http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811

    ---

    Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

    You get the picture...

    * TOP THAT ALL OFF W/ DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS, PER THIS ARTICLE (very recent):

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    APK

    P.S.=> Linux Security Blunders DOMINATE the "new NEWS/NewsFlash" bulletin here today (lol)... apk

  43. News @ 11: APK/TRT can't answer simple questions by Anonymous Coward · · Score: 0
    And still no answer from The Runaway Troll (TRT aka APK) to the original question: How is this related to the present article ? (aka: a server was hacked because a stupid admin left a password-less MySQL database accessible from the Internet through phpmyadmin).

    http://it.slashdot.org/comments.pl?sid=2564492&cid=38319182

    So many facts that prove APK's wrong that it just shows that APK is The Wrongness Made Flesh

    P.S.=> APK troll getting his ass kicked DOMINATE the "new NEWS/NewsFlash" bulletin here today (lol)... apk

    Goodbye My Troll !

    :-)

  44. Do 5 CA's BREACHED I listed run Linux? by Anonymous Coward · · Score: 0

    Answer = Yes: "Good security track-record" (lol, NOT!)...

    * Your questions' been answered in my subject-line above, & your childish reactions say worlds about it...

    (After all: I simply posted documented current facts from reputable sources on Linux related security failures - Boy, lmao: It really seems to have you "rattled in your game", troll...)

    APK

    P.S.=> Says it all, answers it all - nothing more need be said (move along, lmao)...

    ... apk

  45. That's still not the point APK/TRT :-) by Anonymous Coward · · Score: 0
    Come on Runaway Troll, be courageous for once, answer the actual questions asked, not the one you decide to change to !

    * question 1: was gemnet compromised because it was running linux ? NO (and thus APK == offtopic troll, proven fact)
    * question 2: was the linux source code compromised ? NO
    * question 3: did I ever claim that linux = secure ? NO
    * question 4: did APK change the question he didn't want to answer ? YES
    * question 5: did APK admit he was wrong when confronted with current facts from reputable sources ? NO
    * question 6: did APK lie about what I said and didn't say ? YES
    * question 7: did APK get his ass kicked repeatedly these days ? HELL YEAH

    I'll be nice with you: I'll add a fact that you can't deny: a car analogy (slashdot loves car analogies you know):
    A guy parks his car with the windows open and a GPS on the seat. Someone steals the GPS.

    What you (runaway troll) say is that the GPS was stolen because the car is running on Gas.

    APK said:"IT should have *used LPG ! OMFG LMAO 2EZ"

    so answer this silly question: was the GPS stolen because the car was running on gas or because the window was open ?

    :-) you're really the most ridiculously self-contradicting troll I've ever seen APK

  46. Thought PC = Awesome, Mac Haters... apk by Anonymous Coward · · Score: 0

    Funny part is, it's NOT SHOWING THAT, especially on CA's this year! To wit/e.g.:

    ---

    PC's showing in CA's that utilize it that have been breached recently:

    http://uptime.netcraft.com/up/graph?site=StartCom.com

    http://uptime.netcraft.com/up/graph?site=GlobalSign.com

    http://uptime.netcraft.com/up/graph?site=Comodo.com

    http://uptime.netcraft.com/up/graph?site=DigiCert.com

    http://uptime.netcraft.com/up/graph?site=www.gemnet.nl

    All of what was breached WERE PC ... per these articles verifying that:

    http://itproafrica.com/technology/security/cas-hacked/

    &

    http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811

    ---

    * Per my subject-line above, & all the YEARS here of hearing "PC = Good & Mac = Evil" b.s. just seems to be falling apart @ the seams for the outright "FUD" it truly was, eh?

    (NOW - IF anyone reading doesn't LIKE that? Keep this in mind: IT"S FACTS, documented facts, from reputable sources!)

    Yes, I also have more & from VERY recent history on PC's security failings (but you can start with the above Mac Haters, & "Read 'em & WEEP"...)

    APK

    P.S.=> NOW, as I stated above? IF you don't like it, I have PLENTY MORE from recent history (very recent in fact & ongoing for years now, especially THIS year no less) on how "secure" PC is showing itself to TRULY be (not!)...

    However, the REAL trouble is, PC is JUST STARTING THAT CYCLE!

    By comparison, Mac has been fixing itself vs. that for years-to-decades now by comparison...

    I'm definitely buying a Mac next week and throwing away my PC

    ... apk

  47. 5 CA's that run Linux = Breached by Anonymous Coward · · Score: 0

    That's the topic (w/ the rest of Linux's RECENT "security blunders") -> http://it.slashdot.org/comments.pl?sid=2564492&cid=38320100

    * It's not much use "ranting & raving" vs. the lists of FACTS from reputable sources in the link above I listed there, in regards to Linux's poor security trackrecord (especially the past few yrs. now).

    APK

    P.S.=> It's THAT simple, period...

    ... apk

  48. Impersonating me now? Please... apk by Anonymous Coward · · Score: 0

    That's really weak when you ac trolls resort to attempting to impersonate me here... lol!

    * Especially when you "cut & paste" my original posts & edit/alter what's in them & "sign off" as myself... pitiful!

    APK

    P.S.=> That's usually also the signal of my getting the better of the ac trolls around here as well, so, "patting self on back"... apk

  49. Again: FACTS, are facts... apk by Anonymous Coward · · Score: 0

    Disagree ALL you like but facts remain facts here http://it.slashdot.org/comments.pl?sid=2564492&cid=38306582

    * FACTS that PC were compromised MULTIPLE TIMES running @ 5 CA's... period!

    APK

    P.S.=> Mind you, again: The topic is CA's being breached - so, how do you figure I am a troll, as you stated in your 1st reply, by my simply pointing out that those same CA's run PC?

    Now next I suppose you'll try to tell the rest of us that PC BEING BREACHED, as it was, IS A "GOOD THING", right?? apk

  50. Impersonating me YET AGAIN? Please... apk by Anonymous Coward · · Score: 0

    You cannot take away from the facts I posted here that are current from this year recently:

    http://it.slashdot.org/comments.pl?sid=2564492&cid=38320100

    That show Linux is being rampantly exploited in CA's that used it, on its sourcecode repository (very bad), linux.com & mysql's website (+ more)...

    APK

    P.S.=> Cutting & pasting my replies + altering their statements don't take away from what's above or lessen it @ all, because what I put up in the link above's documented FACTS from reputable sources... apk

    1. Re:Impersonating me YET AGAIN? Please... apk by Anonymous Coward · · Score: 0

      You cannot take away from the facts I posted here that are current from this year recently:

      http://it.slashdot.org/comments.pl?sid=2564492&cid=38324454

      That show PCs are being rampantly exploited in CA's that used it, on linux sourcecode repository (very bad), linux.com & mysql's website (+ more)...

      (not) APK

      P.S.=> Cutting & pasting your replies + altering their statements doesn't take away from what's above or lessen it @ all, because what I put up in the link above's documented FACTS from reputable sources... (not) apk

      APK wrote: I'm definitely buying a Mac next week and throwing away my PC

  51. "Rinse, Lather, & REPEAT"... apk by Anonymous Coward · · Score: 0

    You cannot take away from the facts I posted here that are current from this year recently:

    http://it.slashdot.org/comments.pl?sid=2564492&cid=38320100

    That show Linux is being rampantly exploited in CA's that used it, on its sourcecode repository (very bad), linux.com & mysql's website (+ more)...

    APK

    P.S.=> Cutting & pasting my replies + altering their statements don't take away from what's above or lessen it @ all, because what I put up in the link above's documented FACTS from reputable sources... apk

  52. "Rinse, Lather, & REPEAT (again)"... (not) apk by Anonymous Coward · · Score: 0
  53. How many security blunders happened on Linux? by Anonymous Coward · · Score: 0

    You cannot take away from the facts I posted here that are current from this year recently:

    http://it.slashdot.org/comments.pl?sid=2564492&cid=38320100

    That show Linux is being rampantly exploited in CA's that used it, on its sourcecode repository (very bad), linux.com & mysql's website (+ more)...

    APK

    P.S.=> Cutting & pasting my replies + altering their statements don't take away from what's above or lessen it @ all, because what I put up in the link above's documented FACTS from reputable sources... apk

  54. How many security blunders happened on PC? by Anonymous Coward · · Score: 0

    You cannot take away from the facts I posted here that are current from this year recently:

    http://it.slashdot.org/comments.pl?sid=2564492&cid=38324862

    That show PCs are being rampantly exploited in CA's that used it, on linux's sourcecode repository (very bad), linux.com & mysql's website (+ more)...

    (not) APK

    P.S.=> Cutting & pasting your replies + altering their statements don't take away from what's above or lessen it @ all, because what I put up in the link above's documented FACTS from reputable sources... (not) apk

    1. Re:How many security blunders happened on PC? by Anonymous Coward · · Score: 0
  55. Don't you get it APK ? by Anonymous Coward · · Score: 0

    You've shot yourself in the foot :-)

    http://it.slashdot.org/comments.pl?sid=2564492&cid=38324862

    Correlation is not causation, only an ignorant or a troll thinks so, and I forced you to repeatedly show your ignorance for everyone to see (as well as your amazing capacity to not perceive sarcasm and irony ...)

  56. Linux's "fine security in 2011" (lol, NOT!) by Anonymous Coward · · Score: 0

    KERNEL.ORG COMPROMISED:

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    ---

    Linux's showing in CA's breached recently too? Ok:

    http://uptime.netcraft.com/up/graph?site=StartCom.com

    http://uptime.netcraft.com/up/graph?site=GlobalSign.com

    http://uptime.netcraft.com/up/graph?site=Comodo.com

    http://uptime.netcraft.com/up/graph?site=DigiCert.com

    http://uptime.netcraft.com/up/graph?site=www.gemnet.nl

    The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:

    http://itproafrica.com/technology/security/cas-hacked/

    &

    http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811

    ---

    Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

    You get the picture...

    * TOP THAT ALL OFF W/ DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS, PER THIS ARTICLE (very recent):

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    APK

    P.S.=> Linux Security Blunders DOMINATE in 2011, despite all /. "FUD" for years saying "Linux = SECURE" (what a crock of shit that's turning out to be, especially on ANDROID)... apk

  57. Electronics's "fine security in 2011" (lol, NOT!) by Anonymous Coward · · Score: 0

    KERNEL.ORG COMPROMISED:

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    ---

    Electronics showing in CA's breached recently too? Ok:

    http://uptime.netcraft.com/up/graph?site=StartCom.com

    http://uptime.netcraft.com/up/graph?site=GlobalSign.com

    http://uptime.netcraft.com/up/graph?site=Comodo.com

    http://uptime.netcraft.com/up/graph?site=DigiCert.com

    http://uptime.netcraft.com/up/graph?site=www.gemnet.nl

    The list of CA Servers BREACHED that WERE MADE OF ELECTRONIC COMPONENTS (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:

    http://itproafrica.com/technology/security/cas-hacked/

    &

    http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811

    ---

    Toss ANDROID (yes, an electronic device since it uses electronics) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

    You get the picture...

    * TOP THAT ALL OFF W/ DUQU ROOTKIT/BOTNET BEING SERVED FROM ELECTRONIC DEVICES, PER THIS ARTICLE (very recent):

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    APK

    P.S.=> Electronics Security Blunders DOMINATE in 2011, despite all /. "FUD" for years saying "Electronics Awesome and Mechanics Sucks" (what a crock of shit that's turning out to be, especially on ANDROID)... apk

    :-) this little game is becoming funnier by the day... (not) apk

  58. Linux's "fine security in 2011" (lol, NOT!) by Anonymous Coward · · Score: 0
  59. PC's "fine security in 2011" (lol, NOT!) by Anonymous Coward · · Score: 0
  60. Linux security blunders in 2011 (lmao) by Anonymous Coward · · Score: 0

    Linux != secure in 2011, despite /. penguin fud 4 yrs 2 the contrary http://it.slashdot.org/comments.pl?sid=2564492&cid=38374376

  61. PC security blunders in 2011 (lmao) by Anonymous Coward · · Score: 0

    PC != secure in 2011, despite Mac haters fud 4 yrs 2 the contrary http://it.slashdot.org/comments.pl?sid=2564492&cid=38324862

  62. Linux != secure in 2011 by Anonymous Coward · · Score: 0
  63. PC != secure in 2011 by Anonymous Coward · · Score: 0
    1. Re:PC != secure in 2011 by Anonymous Coward · · Score: 0

      Don't u mean PC's n Servers running Linux instead? http://it.slashdot.org/comments.pl?sid=2564492&cid=38374376

    2. Re:PC != secure in 2011 by Anonymous Coward · · Score: 0

      No, no, I meant PC and Servers using electronics components ! http://it.slashdot.org/comments.pl?sid=2564492&cid=38381284

  64. Tons of Linux Servers went down in 2011? Yes by Anonymous Coward · · Score: 0

    Were Windows Servers in 2011 "going down" (lol, like Linux ones), here-> http://it.slashdot.org/comments.pl?sid=2564492&cid=38374376 ???