Dutch DigiNotar Servers Were Fully Hacked

ChristW writes "The final report that was handed to the Dutch government today indicates that all 8 certificate servers of the Dutch company DigiNotar were fully hacked. (Report PDF in English.) Because the access log files were stored on the same servers, they cannot be used to find any evidence for or against intrusion. In fact, blatant falsification has been found in those log files. A series of so-far unused certificates has also been found. It is unknown if and where these certificates have been used."

Falsified Logs!

[Beardydog]

Color me impressed. Log_Modifier may not fill many gigaquads, but it sure ain't free.

Re:Falsified Logs!

My first thought as well.

Re:Falsified Logs!

[rwa2]

In other news, it sounds like someone is going to be setting up an authlog blackhole in the near future...

Did they check their .bash_history ? The silly script kiddie that got into my RH4 box back in the 90s forgot to clean his traces there. I mean, he bothered to run "history -c " , but it didn't actually stop his session from dumping everything there again after he logged out.

Re:Falsified Logs!

And they're still recruiting.

Ten years on, it's amazing how many things that game got right.

Re:Falsified Logs!

[X0563511]

quick and dirty: cron jobs that wipe the history file every minute.

I thought of that in about 5 seconds.

Re:Falsified Logs!

[rve]

quick and dirty: cron jobs that wipe the history file every minute.

I thought of that in about 5 seconds.

The more canonical solution is rm ~/.bash_history && ln -s /dev/null ~/.bash_history

Re:Falsified Logs!

Aye, I've never got one of those 'frame x for hacking' missions working, so I just avoid them altogether.

Re:Falsified Logs!

unset HISTFILE

Re:Falsified Logs!

[Sadsfae]

FTA, looks like it was a Microsoft Windows infrastructure, all the vectors were Windows servers.

Re:Falsified Logs!

[X0563511]

Oooh now that is dirty.

Define "blatant falsification"

[TWX]

Were the Hex strings loaded with DEADBEEF or B00B135 or something?

Re:Define "blatant falsification"

[mfh]

Binary art of someone being blatant, methinks...

Re:Define "blatant falsification"

Wasn't deadbeef the default hex value of some IBM memory banks from way back when or something like that?

Re:Define "blatant falsification"

[TWX]

It's been used a lot. It sticks out obviously when going through a lot of raw data, so it makes for a good catch string on green-bar paper.

Shhhh... Don't let Peta find out about this...

Re:Define "blatant falsification"

Wasn't deadbeef the default hex value of some IBM memory banks from way back when or something like that?

It was also a default debug address in Mac OS 7 (once you pressed the old "programmer's key" on the keyboard).

Re:Define "blatant falsification"

X86 binary instructions....

Nothing to see here...

This hack never happened.

- Signed: DigiNotar

Who's to blame? (hint)

[ntropia]

You know, for a server being violated is always a matter of probability, same story about hardware failures ("when", not "if"). Some of the variables in this equation is how "interesting" your server could. And a server releasing certificates is quite "interesting", if you ask me. So if you keep the logs of such an important server on the machine itself, there isn't much to say: the administrators of such a server are incompetent.

Re:Who's to blame? (hint)

[fluor2]

it's not fair to blame the administrators. you should blame the people who hired them.

Re:Who's to blame? (hint)

[rahvin112]

Yes, because those people are likely the ones that said "We are not buying another machine for log data" or said "we can't afford segregated network segments and secure communication to protect the signing servers". In my experience you can usually trace failures like this back to an unwilligness to spend money, not necessarily blatant incompetence.

It's just as likely that the management prevented proper security as it is that the IT staff were morons.

Re:Who's to blame? (hint)

[plover]

I think there's plenty of blame to go around on this one. From the top to the bottom, these guys were thoroughly incompetent. A good admin stepping into the job would have pressed for effective security policies, and balked if they weren't implemented. A competent CISO would have started with them. A competent CEO / CIO should have known they needed a CISO, being a security company after all.

Re:Who's to blame? (hint)

[Opportunist]

No, blame the person writing the specs and requirements. Because the admin can't do JACK if his CISO is a dick.

Blunders like this ain't an admin's fault. This isn't some config switch set improperly or a port in the firewall left unguarded. It's a fault in the security paradigm and the security strategy of the company. This is NOT an administrator's fault. In companies of a certain size (and I guess DigiNotar would be one) the average admin doesn't even have the information to make a decision like that. A watchful admin might notice it, he might even mention it "upstairs", but he cannot DO anything about it if it doesn't get green lighted from above.

Don't blame the techs for management errors. And this, bluntly, is one.

Re:Who's to blame? (hint)

DigiNotar did have segregated network segments. FTFA:

DigiNotar had its network highly segmented and had a number of those segments separated from the public Internet.

Re:Who's to blame? (hint)

[dkf]

Blunders like this ain't an admin's fault.

Wrong. They are the admin's fault, along with the fault of others as well. Blame can be spread, but not absolved. The admin should not have let things get into a state where things could get hacked, whatever his line management said. What's worse, if things were in a management state where the admin had decided to do a private passive-aggressive work-to-rule (I've known a few admins like that; technically competent, but total dicks) then they're absolutely making things worse and are thoroughly to blame.

Mind you, I'm not absolving management here. It takes two to tango.

Re:Who's to blame? (hint)

Wow, you don't know shit about what happened in reality in this case but you jump to conclusions.

It is not so uncommon for admins to tell their superiors about security problems and want to have them fixed but for whatever stupid reasons are not allowed to.

Especially in a CA scenario you would expect that the admin might not make any upgrades or security changes on the systems on his own without prior review and documentation etc.

So you don't know shit if this admin was actually able to fix the stuff but you still blame him. His only option might have been to quit the job.

I have not worked for a CA but as a admin I was caught in a similar situation where I had to live with a serious security problem because I was banned from changing anything.

STFU before blaming the admin you ass.

Re:Who's to blame? (hint)

[Opportunist]

The question is whether an admin can actually make that decision. Considering how sensitive the whole subject is and how management usually thinks techs don't know about "responsibility", chances are that he could not. The admin could have been well aware that there is a problem, and if he is smart he wrote a mail (and printed it for his own records) to his superior, but it is very unlikely that he could make a decision like that without a blessing from above. What's worse, there most likely even existed an order that he MUST NOT do something like that with the thinly veiled threat that if he does he's being fired on the spot. That has nothing to do with a passive-aggressive work-to-rule attitude, simply with "I want to keep my job so I have to work to THEIR rules".

A good admin would probably have noticed it, and he probably informed management about it. Whether he did or not we'll probably never know, because such things (hopefully!) don't make it out into the open, at least if this doesn't go to a public court. But it is very likely that he sat there, knowing well that he's guarding a ticking time bomb, but he just didn't get the necessary ok from above to do anything about it.

Bloody n00bs...

[fuzzyfuzzyfungus]

You would think that a company playing at something mildly important(like, oh being a CA for the Dutch government...) could, at very least, do basic things like store logs on WORM tape... Yes, those are overpriced compared to the normal ones; but they aren't that expensive.

Re:Bloody n00bs...

WORMs cost money... so does all security... I'm sure the contract was awarded to the lowest bidder.

Re:Bloody n00bs...

[tlhIngan]

You would think that a company playing at something mildly important(like, oh being a CA for the Dutch government...) could, at very least, do basic things like store logs on WORM tape... Yes, those are overpriced compared to the normal ones; but they aren't that expensive.

Welcome to business. The same rules apply everywhere - try to cut as many corners as you can so the company can boast about huge profits and the CEO can pay for this space tourist ticket.

The only things that change are how far you can take it before you get caught, and what the penalties are. In thie case, it was basically closing up shop. Not the worst (they could've held the execs liable, for example)...

Re:Bloody n00bs...

[Ryanrule]

You need to insert liability. IE, signing agency is FULLY liable for any losses incurred due to their security failure. This will make signing very expensive. That is ok.

Re:Bloody n00bs...

[Opportunist]

*sigh* Most likely, yeah.

Security is the stepchild of IT. They don't produce. Ok, so does a lot of IT, but at least with the rest of IT, management can somehow hope that eventually they can fire a couple of people. With ITSEC, no such luck. They don't streamline production (worse, they often bog it down), they don't make people redundant, in fact, they make more people necessary. Plus, those pesky, nosey security geeks keep peeking into every computer and might find out that the boss is surfing on pages containing gay llama porn.

It's sad but true, if you see two people sitting on a huge table in the crowded cafeteria and nobody wants to join them, and they're not talking with each other either, you know where security and controlling are.

But unlike controlling, it's pretty hard to make your boss understand the dangers of a security breach in IT.

Re:Bloody n00bs...

[Opportunist]

Sadly, it won't increase security. The money will not be used to hire better people and tighten security, it will go into reserves for when (not if) they get to pay for their blunders.

Re:Bloody n00bs...

[buglista]

Another syslog server costs peanuts, just has to be a bunch of disk with only port 514/udp listening. Shit, I use to run an internal CA which was more secure than these guys, because it was air-gapped. I know that doesn't scale, but we weren't charging people for certs, just doing it for internal use.

Re:Bloody n00bs...

[DarkOx]

Man you just described the scene in our cafeteria most days. I happen to be one those guys at the table. What always amazes me is production just does not get it. I really am their best friend. They are always freak out that "our security stuff" might mess up their PLC and someone could get hurt.

  Its like the possibility that a worm could get on their unpatched XP SP1 platforms from one of the endless parade of technician laptops that get plugged into that subnet and someone could get hurt is entirely lost on them. You'd think a bunch of plant engineers would get that its better to test out security controls under somewhat controlled conditions with people aware they might be a problem than to get owned during third shift.

Codered and welchia were not that long ago, and stuxnet and flame were just in the news but memories are short apparently.

Re:Bloody n00bs...

[DarkOx]

No it won't got to reserves. It will go to insurance premiums and to one of the big audit firms annually to NOT find problems and generate a great deal of glossy print outs to make the insurance firm feel good.

<half kidding>
The insurance firm will then sell stocks and bonds to a large brokerage, who will aggregate them into a fund or other financial product with more insurance companies suggesting that all risk has been eliminated. The original insurance companies will by these products (essentially their own companies) back from the brokers after paying a hefty commission and list them as assets.

Then brokers will revalue the assets higher based on the now expanded balance sheets, and suggest that more leverage is therefore okay. Eventually some hack of some tiny backwater CA nobody uses will cause a ripple effect bring the entire financial system to knees.
</half kidding>

Re:Bloody n00bs...

[Opportunist]

Our product managers found out that I'm on their side by now. What I learned is that you have to "sell" it to them, my angle was that I write part of their specs and also verify that they are being kept by the suppliers, thus taking work off their shoulders. Actually, what happens is that I write the sec requirements (which is my job anyway), then adapt them to their project (which is technically their job but that way at least I get what I want instead of them guessing what my specs are actually about and then omitting what really counts...) and review the bids (so I can make sure that my security guidelines are implemented).

It serves both of us. I get in the hard- and software we buy what our security standards require, and keep them from having to deal with it at least during the bidding stage of the project. Maybe it could work for you too, maybe trying to get into the acquisition/programming procedures for your PLCs would help them get rid of the concerns for "your security stuff" and enable you to get what you need?

FULLY hacked?

[ilsaloving]

As opposed to, what, partially hacked?

Isn't that like being almost pregnant?

Re:FULLY hacked?

[fuzzyfuzzyfungus]

It's always a dangerous assumption to make; but architecturally the concept of 'partially hacked' isn't terribly nonsensical. Consider the enormous number of web server setups where OS-level credentials and web application authentication are entirely different things. It happens all the time that kiddies will crack the web component and scribble all over your php forum or CMS or whatnot; but without ever gaining access to the OS.

You really don't want to work on the assumption that 'eh, I'm sure we were only partially hacked, no need to reinstall the OS'; but it may well often be true.

Re:FULLY hacked?

Yes.

Nope, it is like saying only the vagina was penetrated.

Re:FULLY hacked?

[dutchwhizzman]

4 out of 8 CA servers were proven to be tampered with and the hacker got Admin and/or SYSTEM privileges. The only thing he didn't get away with were the actual private keys, since those were stored in hardware that did the actual signing. If Diginotar would have scheduled the signing to a specific time of day and removed the smartcards from the readers for those CAs, he wouldn't even have been able to get his rogue certificates signed. The other 4 servers weren't interesting for the hacker and my interpretation is that he mainly used the CA server that could sign "web site certificates" for MITM purposes. I'd say that qualifies as "fully hacked" as opposed to for instance a single web server where a single web service was not completely secure, so he could manipulate it into signing requests. He got through 3 layers of (obviously lacking) security before he got to the CA servers themselves. Layer 1 was web servers, layer 2 was the office network and layer 3 were the CA servers themselves. He used stacked tunnels to get through firewalls between network segments and used public webservers he already owned as file drop. Out of over 250 investigated machines, he got access on all significant ones in the certificate, web hosting and logging processes, but the actual hardware containing the private keys. In summary, I'd say fully hacked is an accurate description.

Re:FULLY hacked?

[NinjaTekNeeks]

Agreed. Had the attacker not been able to leverage the access he obtained on the web servers to compromise the SQL Server he may very well have been stopped in his tracks in the DMZ.

Re:FULLY hacked?

[PolygamousRanchKid+]

As opposed to, what, partially hacked?

Well, yes, it's partial differential equations and quantum mechanics . . .

Isn't that like being almost pregnant?

It's just like Schrödingers cat was pregnant and not prenant at the same time.

In Abstract Hilbert Space.

Re:FULLY hacked?

This is the sad word diarrhea of idiots speaking english, even if they are native. They find necessary to intensify what they say because it is usually of no substance. Read Feynman's lectures for some real english.

Re:Codeweavers Crossover Direct Downloads 10/31/20

What about for Mac OS X which is the only non-Windows desktop OS that matters?

is there any connection with stuxnet

just curious

Re:is there any connection with stuxnet

[plover]

No, the signed keys used in the stuxnet attack were believed to have been stolen by an actual break-it at the factories that made the motor controllers.

Not surprised at all!

[tikal808]

Just look at what their web servers have been running for years! What a joke!! http://uptime.netcraft.com/up/graph?site=www.diginotar.nl

Re:Not surprised at all!

As opposed to the OS and web server running on the kernel.org servers that were compromised by trojans? I wish I wish I could remember their names...

Oh, really? Try this *NIX boy... apk

What were ALL THE OTHER CA's HACKED RUNNING? Linux

Proof?? Fine, easy, & here 'tis ("eat it" boy):

(very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)

---

http://uptime.netcraft.com/up/graph?site=StartCom.com

http://uptime.netcraft.com/up/graph?site=GlobalSign.com

http://uptime.netcraft.com/up/graph?site=Comodo.com

http://uptime.netcraft.com/up/graph?site=DigiCert.com

http://uptime.netcraft.com/up/graph?site=www.gemnet.nl

---

The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/

&

http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811

---

* Thus, in case you didn't KNOW IT? Happened the SAME TIME as it did on that single Dutch Windows CA server & "4 out of 5 dentists CAN'T BE WRONG?"... Sure they can be, when 4/5 breaches OCCURRED ON LINUX SERVERS!

APK

P.S.=> How do your words taste, now that you have to "eat them", flavored with the "bitter taste of SELF-DEFEAT" as well as your FOOT IN YOUR MOUTH... Penguin-boy!

... apk

Re:Oh, really? Try this *NIX boy... apk

[tikal808]

You have put together a good compilation of various issues with Linux. Of course in my brief comment, I never even mentioned Linux. I'm looking forward to seeing what kind of issues you have complied regarding Net/Free/Open BSD. Cheers.

Re:Oh, really? Try this *NIX boy... apk

My reading of the original comment was that DigiNotar didn't bother to update IIS 6.0, the implication more along the lines of the allegation that Sony was running unpatched Apache instances in front of the PSN.

For more info

[Citral]

The attacker's Pastebin posts can be found here: http://pastebin.com/u/ComodoHacker . The authenticity seems likely to me; in one post he links to a calculator.exe that you can download which is signed by a Diginotar certificate. When you inspect the file properties in Windows, it will indeed state that the file is certified.

There were only 2 types involved... apk

Linux (5 of 6 'hacked') & 1 Windows unit...

(Thus, who're YOU *trying* to fool, with this utter line of EVASIVE bullshit quoted next below, hmmm?)

"You have put together a good compilation of various issues with Linux.Of course in my brief comment, I never even mentioned Linux" - by tikal808 (2622665) on Wednesday October 31, @06:26PM (#41836083)

* It's not "working-out-well" for you... not @ all, considering ONLY LINUX &/or WINDOWS were involved in the CA breaches...

YOU? Fail... like all lying little *NIX noobz always do - amazing: YOU & "your kind"... you really DON'T HAVE any honor whatsoever, do you? Deceits are just "part of your 'repetoire'" aren't they??

APK

P.S.=> You little *NIX weasels & YEARS of "Linux = invulnerable" (or other types of *NIX variants, like MacOS X being "invulnerable to viruses" etc./et al that even APPLE outright LIED on) around here on /.? All coming to an end for a LONG TIME now... you reaped what you all sowed, now enjoy eating it!

... apk

Re:There were only 2 types involved... apk

Aight, bitch, show me the linux botnets. Show me any linux virus that isn't somebody's proof-of-concept research project.

Show me that you know anything about securing a server of any kind.

Nothing is invulnerable. If someone (besides Oracle) had claimed that, this would be news. You're a lying fuckwad for claiming otherwise.

What is true, is that most Linux distros have some sort of default role-based security, and that you can crank that up to 11 if you have time. You can further use chroot to separate processes, and for the ultra-paranoid, there is Qubes OS. Also, if you have lots and lots of time, you can personally inspect every line of code in your entire fucking system, and let me know when *any* of that is true for Windows. If you don't know what the words mean, google them.

Re:There were only 2 types involved... apk

[Desler]

Aight, bitch, show me the linux botnets.

Ok. Happy?

8200 PSYOP

First, very good hack - if the story is true. I would not be surprised to find out in ca 10 years that they had the inside help.

BUT, somebody is trying hard to attribute this to Irangov. They are the bad, evildoers and certainly - war must be brought to their land. This smells like a masterpiece in a huge PSYOP orchestration to inflame public opinion in the West.

Google for "8200" and check who builds the CP firewalls.

Re:8200 PSYOP

[mvdwege]

Since the attackers came in through an open port, the firewalls are irrelevant. Now, will someone please moderate this antisemitic bullshit down to -infinity?

Little "Pro-*NIX douche" did what I said too

Downmodded this reply to you ( w/ Linux fuckups in security 2011-2012 ) -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41835701 AND he tried to "hide" my post that put him in his place with a downmod here also -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41835589 where I easily PROVED that more Linux CA's were breached, by far (5:1 ratio vs. Windows).

* He truly IS the "typical little nerd weasel" that I personally OFTEN associate with what I call "not men" online (weasels)...

APK

P.S.=> His "kind"? Come with the territory, & the deceits of YEARS of hearing "Run Linux - it's invulnerable to anything" (pretty much)... & they WONDER WHY their OS of choice is in DEAD-LAST place? People are NOT stupid & can see right thru their b.s. & deceits - typical little 'geeks' in *thinking* they're "so smart" (most are stupid as hell imo & their skill level in the art & science of computing also? WEAK!)...

... apk

And The Political Angle ?

Why is "the hacker" talking politics ? If he is a single person, is he really an Iranian loyalist ? Or are we made to believe that ? Be careful...

Re:And The Political Angle ?

[Opportunist]

Just so I know: Why the heck should I care what he is?

Re:Codeweavers Crossover Direct Downloads 10/31/20

[RMingin]

By all means, help yourself.

Giving out the links is kinda dumb when you could have the registration link and one year support and upgrades for free as well.

http://flock.codeweavers.com/

You FAILED Penguin boy... apk

GET OVER IT -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41835589

* LMAO, @ this "ReAcTioN" from you quoted next:

"Aight, bitch, show me the linux botnets. Show me any linux virus that isn't somebody's proof-of-concept research project. Show me that you know anything about securing a server of any kind." - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

No, that's ok, since I showed EVERYONE READING HERE that you're FULL of it... see link above & "rinse, lather, & repeat", boy... & your "AC" reply now? Especially not fooling anyone... lol!

(THAT is the "problem" w/ you little "nerds" - again, you *THINK* you're smart, until I come along & SHOW YOU what smart actually really is by TOTALLY OUTSMARTING YOU & "your kind" (weasels, & you wonder WHY Your OS of choice is in dead-last place on servers + desktops combined? Don't wonder - we all "see you", & RIGHT thru you & your kind, because you're stupid...)

* Face facts - Vs. that link above? LMAO - YOU FAILED & rather badly... playing RIGHT into my hands, because as was said in the film "V: For Vendetta"?

"He knows us better than we know ourselves"

When you modded down my reply here (using your "alternate registered 'luser'" account(s)) -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41835701 AND tried doing it here too (but the INSIGHTFUL still stands strong, lol) -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41835589

LMAO!

Then, you VAINLY *tried* the usual bullshit in "mincing words" (since you didn't mention Linux)... lol, only to FIND YOURSELF WITH "EGG ON YOUR FACE" (you only did THAT to yourself yet again) since there was ONLY LINUX & WINDOWS INVOLVED... lol!

Priceless...

APK

P.S.=> Sometimes, I actually *think* fools like you that shoot your mouths off without being aware of ALL of the facts are actually a 'setup', a 'plant' of sorts, to spur controversy & argument... I say that, since NOBODY is that stupid as you've shown yourself to be, clearly & WITHOUT question - & of course, you KNOW I've just GOTTA say it, as-is-per-my-usual "inimitable style":

THIS? This was just "too, Too, TOO EASY - just '2ez'" - but, as I said just above? I often think it's so easy & meant to be...

... apk

Ah, I just GOTTA do this too... apk

"Aight, bitch, show me the linux botnets. Show me any linux virus that isn't somebody's proof-of-concept research project" - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

Linux problems? See ANDROID getting NUKED daily by exploits and yes, it IS a Linux!

(Lmao, too easy)...

Also, please:

Cut the "wannabe nigga" stuff, BOY - I eat scumbags like that ALIVE where I live & have for decades... the "real" kind, not some wannabe "plastic imitation" like you!

(In fact - So much so, they're AFRAID of me, & ought to be)

Unlike a "suburban punk" like you? I grew up in & LIVE in an "inner urban" environment and in one of the MOST violent cities (#3 last I checked) there is, bar-none. The "plastic fake" crap YOU use? Please...

I am NOT what you & "your kind", the "not-men online" are... whimps, & deceitful 1/2 truth spouting weasels... lol, ONES LIKE YOU THAT HAD TO "EAT THEIR WORDS" - > http://tech.slashdot.org/comments.pl?sid=3222433&cid=41835589

Oh, lol, "the SHAME of it" (but then again, THAT is "nothing new" to wormish little geek/nerd weasels, now is it? Nope!)

LMAO!

---

"Show me that you know anything about securing a server of any kind." - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

LMAO - I'll do BETTER than that: I WRITE "industrial-strength"/"mission-critical" enterprise-class systems, & been adminning them for DECADES, professionally...

Also - based on your screwups here?

I'd even wager LONGER THAN YOU'VE BEEN ALIVE & running + setting them up since the 1996 Olympics in Atlanta, which I did for BellSouth... boy!

(Most people here KNOW this... you? Evidently don't, but then again?? You've shown us "how much you know" already, lol... nearly nothing, and so much so, you "shot your mouth off" only to have to "eat your words", vs. myself... lol!)

LOL, techies & admins? MY opinion of them (those that limit themselves to "menial" tasks only like admin 'work')??

They are SELF-LIMITING (or rather LIMITED) dolts, who without guys like myself (programmer-analysts/software engineers & architects) WOULDN'T HAVE A THING TO RUN, without us... & yes, to do OUR jobs? WE HAVE TO BE FULL AD-WIDE ADMINISTRATORS!

Of course, If you had ANY skills or know-how in professional environs? You'd KNOW THAT, too... & obviously? You don't... lol!

---

"Nothing is invulnerable. If someone (besides Oracle) had claimed that, this would be news. You're a lying fuckwad for claiming otherwise.." - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

This only tells ME that YOU either are NEW here OR are full of it (you forgot APPLE & their "we don't get viruses" b.s. & you noted BSD too? LMAO - there you are, "phool"... you got "NOOKED" again! You only do it, to yourself, every single time!) - that kind of CRAP has been spouted here for years now (not so much anymore though... gosh, "wonder why" (not), since MacOS X has been 'burned' repeatedly for their "we get no viruses" etc./et al lies, AND of course, my data posted here to YOU!)

No, your "train ride" is ending... you're just to DUMB to know it!

---

"What is true, is that most Linux distros have some sort of default role-based security, and that you can crank that up to 11 if you have time. You can further use chroot to separate processes, and for the ultra-paranoid, there is Qubes OS. Also, if you have lots and lots of time, you can personally inspect every line of code in your entire fucking system, and let me know when *any* of that is true for Windows. If you don't know what the words mean, google them..." - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

Yes, you're STUPID again... because you don't know WHO you are speaking to... but, ok!

Ca

Re:Ah, I just GOTTA do this too... apk

I think someone should do a kickstarter to get APK a talk radio show. The last twenty minutes he can read us 20 more entries for our host files.

Re:Ah, I just GOTTA do this too... apk

I think you should attempt to be on topic troll.

old news?

sorry but this company was hacked a year ago, and since then it's bankrupt and Dutch Gov is not using their CAs any more ...

Off-topic b.s., nothing more... apk

Typical "Pro-*NIX trolls" in action, as per your usuals, having to go "off-topic" when you're outta ammo (not that you ever HAD any vs. this -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41835589 or this -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41836535 )

* :)

APK

P.S.=> Too bad all you have's that by this point, eh? You "FAILED", boys... when will you EVER learn that you can't match wits with me: I'll blow you away, & that's that (Proof's in the Pudding here, as "yet another example thereof"...)

... apk

Thanks for the data... apk

I didn't have that one, & I can use it in the future!

* Especially vs. the "Pro-*NIX" trolls around here, and their UTTER b.s. ...

APK

P.S.=> Surprising to FIND a botnet on Linux systems, actually - why? NOBODY USES LINUX by comparison to Windows on PC Desktops (& it's about a 50/50 "split" on servers worldwide too)...

... apk

Now the "coup de grace"/icing on the cake

"most Linux distros have some sort of default role-based security" - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

New NEWS/NewFlash: SO DOES WINDOWS, & it's BETTER via Group Policies & Active Directory than what Linux does via scripts for "enmasse" enterprise-wide deployment of security!

---

" and that you can crank that up to 11 if you have time." - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

Again, New NEWS/NewsFlash: Once more - I practically "wrote the book" on how to secure Windows & it goes to "12"... see here:

http://tech.slashdot.org/comments.pl?sid=3222433&cid=41837611

(See 4th quote of your b.s. there... "eat your words" again!)

---

"You can further use chroot to separate processes" - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

LMAO - you can do UAC Virtualization on Windows via taskmgr.exe & ISOLATE PROCESSES INTO A SINGLE PROFILE too... you fail, again!

---

"and for the ultra-paranoid, there is Qubes OS." - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

That's from my fellow "polish person" & she uses VM's to achieve it... good job on HER part (not yours)...

---

"Also, if you have lots and lots of time, you can personally inspect every line of code in your entire fucking system" - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

SO CAN HACKER/CRACKERS (that sword cuts BOTH ways)... & I will tell you, POINT-BLANK, that IF I were a hacker/cracker? I'd rather trace sourcecode looking for holes than trying to "fuzz" or dissassemble a binary executable &/or closed source code...

---

"and let me know when *any* of that is true for Windows." - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

I just did here in THIS VERY POST, and here, earlier -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41837611 also!

"YOU FAIL!"

APK

P.S.=>

"If you don't know what the words mean, google them." - by Anonymous Coward on Wednesday October 31, @08:03PM (#41836893)

LMAO, please - after this:

http://tech.slashdot.org/comments.pl?sid=3222433&cid=41835589

and this:

http://tech.slashdot.org/comments.pl?sid=3222433&cid=41836535

and THIS (perhaps ESPECIALLY that since it 'blew away' your b.s. & illogical off-topic ad hominem attack attempts that failed directed MY way):

http://tech.slashdot.org/comments.pl?sid=3222433&cid=41837611

?

"YOU FAIL", badly... very badly!

When WILL you "Pro-*NIX" trolls EVER learn - you can NEVER, ever "get the best of" me... ever!

After all - It hasn't happened here in over 8++ yrs. now, & thus? Probably NEVER will, as long as you go off "1/2 cocked" operating on utter b.s. you heard HERE ON /. that's based on 1/2 truths & falsehoods (which is what KILLS your chances @ success - folks aren't dumb, despite your "wannabe geek" thinking you're "smart" (because you're not & it showed here) ... lol!

... apk

Re:Now the "coup de grace"/icing on the cake

That would be great if everything you posted weren't counterfactual.

Android is Linux the way iOS is BSD. Related, not identical. Android's problems are not at the kernel level. Apples to apples, here.

Nice windows security howto. Notice how it doesn't include anything about Group Policy? Notice how group policy doesn't exist in the home versions of Windows? The role-based security in Linux is not scripts, but SELinux. You know, that thing the NSA designed?

Speaking of the NSA, I'm sure you know they publish security guidelines on how to secure OSes. So we could all give a fuck about the one you wrote, but keep sucking your own dick on that one. Would you be surprised to learn that none of the public-facing servers for the NSA, CIA, or FBI run Windows? Clearly they're all asking to get hacked. Again, who gives a fuck about some half-assed Certificate Authority? Verisign and Thawte both run linux, maybe you should let them know how fucked they are.

Qubes uses a hypervisor and the linux kernel. It could not be accomplished with Windows. You can do fuck-all with the NT kernel, in fact. Does it have bugs? Assuredly. Can you find out what they are? Nope!

Yes, crackers can see your source code. Why don't we have linux botnets again? The nice thing about hacking windows, their users have to wait for M$ to get off their ass to patch something. If the users are lucky it will only take months. Also, the black-hats have the Windows source code too. Microsoft will hand it out to practically anybody.

UAC virtualization is *not* chroot. It is also disabled for x64 processes. You don't even have a clue.

You have this idea that how much you post and how often are actually good measures of what your posts are worth. You're right, of course, but it's an inverse relationship. Testimonials are, of course, the least credible things you could post.

But I have to sympathize: it can't be easy living in a world that proves you wrong by its very existence. Linux beats Windows 2-1 in the server space, practically nothing else runs on supercomputers, and Windows phones aren't even a rounding error in Android sales -- to say nothing of the embedded space. Probably because you don't understand what "embedded" means. I hear that IIS has some great new features available to the 15% of sites that are actually using it though!

Nobody's buying what you're selling. Keep trying, maybe some day we'll all wake up and say, "APK was right all along!"

Re:Now the "coup de grace"/icing on the cake

Nobody's buying what you're selling. Keep trying, maybe some day we'll all wake up and say, "APK was right all along!"

If Linux is so great why is it in last place in marketshare on PC's and Servers combined versus Windows? Seems everyone is buying Windows despite Linux being free which says people will pay for Windows over a free operating system such as Linux even. That means Linux just is not as good in the eyes of users. Wake up troll.

Intruder personal IP erroneously used

Im reading through the pdf report, and it notes "the intruder erroneously connected to the stepping stone without using the proxy..., " so it looks like they might be able to bring charges at some point, EXCEPT... the ip resolves to a DSL user in Iran.

Does ANDROID use a Linux kernel?

See my subject-line, & answer YES or NO... That's all, pretty simple, because (lmao) IT SURE ISN'T WINDOWS or MacOS X (or BSD etc.)... going to tell me it's OS/2 right?? Come on...

"Notice how it doesn't include anything about Group Policy?" - by Anonymous Coward on Thursday November 01, @04:32PM (#41846383)

Funny - you have to use GPEDIT.msc & SECPOL.msc to do what it entails, fully... you must not have read it AND note that its VERY OUTSET, it's noted to securing desktops (including LAN/WAN oriented ones if need be) for HOME PC Desktop end-users!

Please: LEARN TO READ!

---

"The role-based security in Linux is not scripts, but SELinux."?" - by Anonymous Coward on Thursday November 01, @04:32PM (#41846383)

Which is, AGAIN, copying what Windows had in DACL's (via SeLinux MAC, mandatory & inflexible, whereas DACL's ARE flexible)... not only that. but Linux keeps COPYING stuff from Windows!

E.G.:

---

1.) SMP, & thus, ENTERPRISE READY SERVERS for Linux couldn't happen until things very like:

a.) Windows NT-based OS' had in completion ports in process scheduling
b.) Re-entrant kernelmode code.

2.) True usermode threads (instead of a single 'round robin' to a single kernelmode thread as Linux had due to process fork type structuring in process mgt.)

3.) DFS (Distributed File System) was around way, Way, WAY before Linux had things like ZFS available/ported to it.

4.) Lastly but FAR FROM LEAST? What the NSA "bolted on" to Linux via SeLinux, in MAC (mandatory access control) which IS a copy of what Windows NT-based OS had LONG before Linux ever did, in ACL (access control lists) @ the filesystem, & registry levels...

---

"Why don't we have linux botnets again?."?" - by Anonymous Coward on Thursday November 01, @04:32PM (#41846383)

WRONG -> Linux webserver botnet pushes malware - Attack of the open source zombies

http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/

I didn't post that, some other AC did, but it seems to be proving you wrong (I didn't read it though, admittedly so "go on now", try your "FUD SPIN" some more, lol...).

---

"UAC virtualization is *not* chroot. It is also disabled for x64 processes?."?" - by Anonymous Coward on Thursday November 01, @04:32PM (#41846383)

ARE YOU HIGH ON DRUGS?

I am using it RIGHT NOW ON MY 64-bit WEBBROWSERS!

---

"You don't even have a clue.?."?" - by Anonymous Coward on Thursday November 01, @04:32PM (#41846383)

After the above, & the rest of this exchange? I think everyone KNOWS who "doesn't have a clue" here... lol, & it's NOT me!

---

"it can't be easy living in a world that proves you wrong by its very existence. Linux beats Windows 2-1 in the server space" - by Anonymous Coward on Thursday November 01, @04:32PM (#41846383)

LMAO - Even GIVING AWAY Linux can't overtake Windows overall in marketshare defying common-sense & business logic, albeit, assuming Linux is as good as Windows is (clearly, that shows it still isn't OR I'd be on it like "white on rice" to be honest)... & you know it.

As you said?

The world itself proves that much...

Personally though, especially vs. you "Pro-*NIX" trolls & your YEARS of "Linux = invulnerable" b.s. on /. here?

I find it, immensely amusing...

Again - Since IF Linux was EVERY BIT AS GOOD AS WINDOWS, it should have blown it out a decade ago... & it hasn't!

(What's THAT fact tell everyone?)

By the way - It's also about a 50/50 split in lists I've seen, and on the desktop? Windows RULES over Linux by like, what?? 99:1 as the rat

GREAT QUESTION... apk

Distills my thoughts exactly vs. the AC troll (who obviously isn't very "confident" in his responses considering I dust every "so-called 'point'" he makes with facts)... one of the "classics" so far, along with my showing 5/6 CA's hacked, was LINUX driven (hilarious) after that 1st trolls' post, but this one next quoted from him?? It's "up there" with it imo!:

"Why don't we have linux botnets again?" - by Anonymous Coward on Thursday November 01, @04:32PM (#41846383)

LOL, I am going to "unload" the ultimate 'burn' on him on that one (that I didn't get it in as well as I would have liked though, in that I only posted that Linux botnets DO indeed, exist, via the "register"'s article on them -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41838471 which another AC posted, not I ) &, hopefully, VERY shortly on that note, lol, once he replies.

Also - I have a "funny feeling" he's going to avoid YOUR question to NO END... lol, watch!

* Nicest part is, in order to HAVE a botnet in the 1st place on ANY OS platform?

Well - FIRST, YOU MUST HAVE USERS in order to justify even CREATING IT & fact: Linux has SO FEW USERS it is NOT FUNNY by comparison to Windows overall on PC Desktops + Servers combined!

APK

P.S.=> I actually enjoy "tearing up" this PESKY little AC troll, & funniest part of all is, he doesn't realize I like & use Linux (KUbuntu &/or MINT) @ times over the years, it's gotten better, but... like he said? The WORLD shows you what is #1, & it surely isn't Linux on personal computers!

... apk

Since ac troll won't answer? Wikipedia can... apk

"Android is a Linux-based operating system" FROM -> http://en.wikipedia.org/wiki/Android_(operating_system)

* Too easy, as-per-my-usual, vs. "Pro-*NIX" trolls...

APK

P.S.=> The rest of my post annihilated him also, point-for-"so-called 'point'" that the little *NIX troll *tried* to vainly use, & failed on... lol!

... apk

Nobody will buy Linux, here is why

http://linuxfonts.narod.ru/why.linux.is.not.ready.for.the.desktop.current.html

Chroot jail break anyone? apk

Tell us about chroot jailbreaking. Oh, you won't? This can then -> http://www.bpfh.net/simes/computing/chroot-break.html

* It has been a SERIOUS PLEASURE, "tearing you up", point for "so-called 'point'" of yours each time...

APK

P.S.=> You're some wannabe computer guru, obviously, who isn't aware of that being possible...

... apk