Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nokia Extorted For Millions Over Stolen Encryption Keys

Posted by Soulskill on from the good-showing-all-around dept.

jppiiroinen writes: At the end of 2007, when Nokia still had huge market share with Symbian devices, they failed to disclose that somebody had stolen their encryption keys and extorted them for millions of Euros. The Finnish National Bureau of Investigation has not been able to figure out who did it. "The blackmailer had gotten hold of the Symbian encryption key used for signing. The code is a few kilobytes in size. Had the key been leaked, Nokia would not have been able to ensure that the phones accept only applications approved by the company."

89 comments

  1. I wonder if motorcycles were involved by Anonymous Coward · · Score: 1

    all good ransom getaways seem to involve motocycles

    1. Re:I wonder if motorcycles were involved by Anonymous Coward · · Score: 0

      You mean skateboards and taxicabs.

  2. Needs more Spy Thrilling by psyclone · · Score: 3, Insightful

    The money was left in a bag at a parking lot nearby Särkänniemi amusement park. Then things went wrong. The blackmailer took the bag. Police, however, lost track of the blackmailer and the money was gone.

    What, no GPS transmitter in the filament of each paper Euro? Amateurs.

    1. Re: Needs more Spy Thrilling by Anonymous Coward · · Score: 0

      Euros are made from a plastic polymer.

    2. Re: Needs more Spy Thrilling by Anonymous Coward · · Score: 1

      The euro banknotes are pure cotton fibre

    3. Re:Needs more Spy Thrilling by Anonymous Coward · · Score: 1

      What, no GPS transmitter in the filament of each paper Euro? Amateurs.

      Actually, the 1 and 2 unit currencies here on this side of the lake are not bills but coins. And while I wouldn't be surprised if our information hungry governmental overlords have tried putting GPS electronics in there, luckily the all-metal outside should keep us safe from any such spying activities.

    4. Re:Needs more Spy Thrilling by NotInHere · · Score: 1

      What, no GPS transmitter in the filament of each paper Euro? Amateurs.

      They have planned to add RFID. However AFAIK this has never been realized (yet).

    5. Re:Needs more Spy Thrilling by Anonymous Coward · · Score: 0

      I would assume that the bills were marked or at the very least the serials were blacklisted.

    6. Re:Needs more Spy Thrilling by Anonymous Coward · · Score: 0

      The money was left in a bag at a parking lot nearby Särkänniemi amusement park.

      Then things went wrong. The blackmailer took the bag. Police, however, lost track of the blackmailer and the money was gone.

      What, no GPS transmitter in the filament of each paper Euro? Amateurs.

      What would be the point? Considering that a GPS usually loses track when you drive into an underground garage or through a tunnel, I suspect that not even the best intelligence agencies in the world have something small yet powerful enough that would be useful in this case. These blackmailers are tech savvy so they must have had a plan how to transport the ransom money in a suitable container to a location where they can open it without fear of signals being broadcast anywhere.

      Furthermore, I know the area so if I made an escape plan, I would have a very fast boat ready in the marina on the lake right next to the amusement park since I consider it highly unlikely that the police would be ready to chase an extremely fast powerboat. The lake is big but not big enough for the police to normally have a boat on it and if they do have one, it will probably not be capable of chasing a small super fast boat, which would then mean that the only option for the police is a helicopter chase and no ability to quickly get a car to wherever I go with the boat because the roads surrounding the lake are not fast. Then I would go to the shore somewhere, walk through the semi-dense forest to a car which the police will hardly be able to distinguish from a car going to or returning from one of the summer cottages that are everywhere along the shore. To force the police to attempt to follow more than one car, I might even have a few decoy cars waiting on the small roads in the forest. That would pretty much be the ideal getaway scenario. Many small roads with some car traffic but most cars having a shitload of stuff in them since people always have their cars full when visiting their summer cottages. Stopping any and going through the contents will be a very slow process. Not to mention that consent from the occupants might be needed (IANAL so I don't know).

    7. Re:Needs more Spy Thrilling by Anonymous Coward · · Score: 0

      If they fail tracking, it probably means they used Nokia GPS.

  3. Feature or bug? by ron_ivi · · Score: 2, Insightful

    Nokia would not have been able to ensure that the phones accept only applications approved by the company.

    Sounds more like a feature than a bug. Do device "owners" really want phones that "accept only applications approved by the company".

    1. Re: Feature or bug? by Anonymous Coward · · Score: 0

      Apparently you haven't heard of a group called "sheeple".

    2. Re:Feature or bug? by Anonymous Coward · · Score: 0

      I was told it was required for PCI-DSS/HIPAA/Sarbanes-Oxley compliance. Now, if that is true or not can be debated, so I'll leave that for people who actually know this field.

    3. Re:Feature or bug? by The+MAZZTer · · Score: 1

      The problem is that any applications signed by the key would look like they were officially approved by the company, even if they were not. There would be no way to differentiate them... that's the purpose of the key!

    4. Re:Feature or bug? by jeffmflanagan · · Score: 4, Insightful

      >Do device "owners" really want phones that "accept only applications approved by the company".

      Of course they do. You may not have heard of it, but there's a device called an iPhone that's tremendously popular, and this feature is one of the reasons.

      Locked down devices are not for me, but one would have to really have their head in the sand to not notice that safer to use devices are popular with many, many people.

    5. Re:Feature or bug? by Anonymous Coward · · Score: 0

      Nokia would not have been able to ensure that the phones accept only applications approved by the company.

      Sounds more like a feature than a bug. Do device "owners" really want phones that "accept only applications approved by the company".

      Yes. Malware is a serious problem on any widely used platform that lack this feature.

    6. Re:Feature or bug? by Anonymous Coward · · Score: 0

      Apple seems to sell a lot of devices.

    7. Re:Feature or bug? by BasilBrush · · Score: 1

      Sounds more like a feature than a bug. Do device "owners" really want phones that "accept only applications approved by the company".

      On phones, yes. Phone users don't want their data compromised, or to end up being scammed for money. The thought that they are limited to one store doesn't even register as an issue. In fact they mostly like the idea of a single store where they can find every app.

      The Slashdot user's ideas of free software come from a RMS. Ordinary people have never heard of him let alone care what he thinks.

    8. Re:Feature or bug? by BasilBrush · · Score: 1

      And most ordinary users that use Android are doing so because they are cheap, or they are the phone that the salesman at the store pushed at them. They aren't doing it because they think they have access to multiple app stores. Of the Android minority that ever download an app, most of them will never go outside Google Play.

    9. Re:Feature or bug? by Anonymous Coward · · Score: 0

      Ever heard of some company which sells overpriced phones with a fruit logo in them? Their customers will suck anything just to be part of that cult..

    10. Re:Feature or bug? by Anonymous Coward · · Score: 0

      Symbian had a toggle in the settings to disable signed app requirement. So yes, if anyone could sign any app when the "Signed only" was on, then it would be a bug.

    11. Re:Feature or bug? by Anonymous Coward · · Score: 0

      And most ordinary users of Apple are doing so because they are locked in to the iOS environment, or they saw an ad on TV that pushed them to wanting an iPhone because ... Apple told them it was good.

      They aren't doing it because they've considered the implications of being tied to Apple hardware, or because they know they can jailbreak the devices. Of the Apple minority that ever downloaded an app, most of them will never go outside of the App Store.

      Your blind fanboyism for Apple and Android bashing get so tiresome.

    12. Re:Feature or bug? by sjames · · Score: 2

      Also, the Tooth Fairy insisted. We don't know why.

    13. Re:Feature or bug? by sjames · · Score: 2

      And we know the key would never be used because the blackmailer pinkie swore.

    14. Re:Feature or bug? by Anonymous Coward · · Score: 0

      If you're taking a thinly-veiled shot at Android, malware is a very, very, very *minor* problem for Android. Most users will never venture outside of the Play Store and thus never have to worry about malware. And most of us who do install apps from elsewhere have a pretty good idea what we're doing and what to avoid.

    15. Re:Feature or bug? by ericloewe · · Score: 2

      The story is badly told. Symbian never restricted apps. I believe it did check their signatures on install, informing users (kinda like UAC in Windows).

    16. Re:Feature or bug? by Anonymous Coward · · Score: 0

      Malware isn't, but apps using/abusing permissions can be an issue on Android. Unlike iOS that asks you before an app does something, Android just hands over what an app wants, so the free fleshlight app downloaded can get every permission in the book, and there is no way around it. Well, almost no way, but not many people run XPrivacy/Xposed framework items.

    17. Re:Feature or bug? by Anonymous Coward · · Score: 0

      It's not fanboyism when it is simply the truth. Most people, no matter what phone OS they are using, don't really give two shits about any of this crap.

    18. Re:Feature or bug? by Anonymous Coward · · Score: 0

      >Do device "owners" really want phones that "accept only applications approved by the company".
      Of course they do. You may not have heard of it, but there's a device called an iPhone that's tremendously popular, and this feature is one of the reasons.

      Nonsense. Most iPhone (or indeed Android) owners wouldn't know what a walled garden was even if you put them in one.

    19. Re:Feature or bug? by mr_jrt · · Score: 2

      Yeah it did - my N95 (Symbian OS v9.2, S60 3rd Edition) was unable to play OGGs via the stock media player as the codecs weren't signed. Previous versions were able to fine, apparently.

      --
      Boo.
    20. Re:Feature or bug? by Anonymous Coward · · Score: 0

      Apple, back when you use to be able to go to a website and "jailbreak" (full root access) your phone?

    21. Re:Feature or bug? by Anonymous Coward · · Score: 0

      "The Slashdot user's ideas of free software come from a RMS. Ordinary people have never heard of him let alone care what he thinks."

      I have heard of him and I still don't care what he thinks.

    22. Re:Feature or bug? by DarwinSurvivor · · Score: 2

      That's just it. The summary says "Had the keys been leaked..." when in reality it is very obvious that they were leaked, Nokia just paid somebody and hoped they wouldn't use it. Encryption keys aren't something you can just give back, and a giant certificate revocation would have been noticed by a lot of security researchers.

      Basically, this story boils down to the fact that Nokia is out millions of dollars and their infrastructure is STILL compromised. Pinky swear indeed...

    23. Re: Feature or bug? by shitzu · · Score: 1

      Also - "Had the key been leaked Nokia would not have been able to ensure that the phones accept only applications approved by the company."
      This choice of words implies that the money somehow miraculously prevented the key from leaking. The key already HAD LEAKED. All nokia got for the money was a promise that the leaked key won't be misused.

    24. Re: Feature or bug? by shitzu · · Score: 1

      What does a fleshlight app do? How does it... um... work?

    25. Re:Feature or bug? by marcello_dl · · Score: 1

      In the alternate universe where nokia execs say "Fuck you, disseminate the key" we have nokia with a hacker friendly smartphone platform OR an instantly obsoleted platform thanks to evil hackers. I guess they would be better off than this nokia.
      "Being broken" was the business model of microsoft windows and they became number one with it.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    26. Re: Feature or bug? by Anonymous Coward · · Score: 0

      Most users will never venture outside of the Play Store and thus never have to worry about malware.

      There's plenty of malware on the Play Store.

    27. Re:Feature or bug? by Anne+Thwacks · · Score: 1
      Do device "owners" really want phones that "accept only applications approved by the company".

      No, and if this feature were dropped, a lot of us would want Symbian phones even now. This is the "feature" that killed Symbian. However, it was mandated by the carriers. It took Google to kill it, and Android gets stick daily for not having this "feature".

      --
      Sent from my ASR33 using ASCII
    28. Re:Feature or bug? by ericloewe · · Score: 1

      I believe my N97 had an option to allow unsigned apps (which were blocked by default, for obvious reasons).

      The stock media player not accepting new codecs is also different from the OS not accepting new apps that are unsigned.

    29. Re:Feature or bug? by queBurro · · Score: 1

      where be my moderator points?

      --
      sag
    30. Re:Feature or bug? by Anonymous Coward · · Score: 0

      I'd been curious for a while about symbian, and found a decent price on a relatively recent one(700) and decided to buy it to monkey with...

      Further research shows that it's trivially easy to jailbreak pretty much ALL symbian phones, and from a brief read it appears that they even dabbled with custom ROMs, probably more so since they have source code now.

      Sounds like NBI wanted to bust the extortionist but wasn't quite up to the horribly difficult task... I guess that they got too used to being just handed everything wrapped up in a pretty bow ready to roll into court...

    31. Re:Feature or bug? by hobarrera · · Score: 1

      Nokia would not have been able to ensure that the phones accept only applications approved by the company.

      Sounds more like a feature than a bug. Do device "owners" really want phones that "accept only applications approved by the company".

      The dive can run any code, the signing key makes it look "officially approved" by Nokia.

  4. Why no key revocation strategy? by Anonymous Coward · · Score: 1

    Keys get compromised, expire, etc. They should have had a process for updating keys, and then it would have cost nothing but a little egg on the face for letting someone steal it.

    1. Re:Why no key revocation strategy? by Anonymous Coward · · Score: 1

      There should have been a scenario test where keys were released, or perhaps RSA or ECC itself gets cracked.

      Perhaps the best solution would be devices having both a symmetric key for the individual device, and a symmetric key for that model. That way, if all public keys were blown, there could be a mechanism for updates that would essentially use symmetric encryption to "sign" code [1].

      Of course, if the symmetric key database is compromised, it is a bad thing, but a company as big as Nokia can easily keep a database air-gapped with this info.

      [1]: Create a cryptographic hash, encrypt the hash with the key hidden in some armored ASIC. Then to validate the signature, check the update's hash by calculating the update and decrypting it.

    2. Re:Why no key revocation strategy? by Anonymous Coward · · Score: 0

      You certainly do not appreciate the levels of Thought Corruption in a large enterprise. Public or private.

      For more details, please refer to RSA "Security", Lockheed Martin and the F22. And China.

  5. Load of BS by Anonymous Coward · · Score: 1

    I don't get why they actually paid people for this. Even if they received the key _back_ the attacker could have still used them.

    "nokia would not have been able to ensure that the phones accept only applications approved by the company"

    is complete BS, they could not verify that at the point they realized they screwed up key security.

    1. Re:Load of BS by Copid · · Score: 1

      That does sound really fishy. I guess if you're going to do that, you need to set the ransom low enough that the company will pay it for a "maybe he'll hold up his end of the bargain" level of assurance rather than a "problem is solved forever" level of assurance. If I said, "Give me a dollar or I'll expose your keys," it's probably worth a dollar to reduce the 100% probability of key exposure to anything marginally less than 100%. If I said, "Give me a hundred million dollars for an unkown but nonzero reduction in the probability that I'll expose your keys," that sounds like less of a good deal.

      The best part of this is that the blackmailer could also sell your keys to somebody who might use them without you ever knowing. Not only did they not know beforehand whether the keys were going to be kept secret, there's no way to be 100% sure even now that the keys were left unused.

      --
      An interesting anagram of "BANACH TARSKI" is "BANACH TARSKI BANACH TARSKI"
    2. Re:Load of BS by Anonymous Coward · · Score: 0

      They paid millions of dollars for a text file containing the words "LOL sucker" over and over.

      To this day they still have no clue if the extortionist had the key in the first place.

    3. Re:Load of BS by Anonymous Coward · · Score: 0

      The ransom has to be high enough to create some level of confidence that it will make a significant reduction in the blackmailer's motivation to further monetize the keys. At some point, the risk and effort to attempt further sales of the keys is not worth the potential return. While that could change over time as the blackmailer spends the money, presumably the keys became obsolete after some years (once the compromised group of phones became obsolete), so that there was little further risk to Nokia.

      Of course it may have been some kind of desperate tax dodge by Nokia.

    4. Re:Load of BS by Anonymous Coward · · Score: 1

      How do you know ? They probably got an email signed with their own key, containing the ransom letter.

  6. Nice to trust the criminals by Anonymous Coward · · Score: 0

    Doesn't anybody else find it odd that the circle of trust includes the persons who stole the keys. After all we all know they would not do something bad like use the keys.

    1. Re:Nice to trust the criminals by GameboyRMH · · Score: 1

      Execs can trust criminals for the same reason that sharks don't eat lawyers...professional respect ;-)

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  7. Beema all the way. by K.+S.+Kyosuke · · Score: 0

    Now GTFO.

    --
    Ezekiel 23:20
  8. No funny business by TsuruchiBrian · · Score: 1

    From a strategic point of view this is a clusterfuck. Why did Nokia put real money in the bag if they were planning to arrest the person that came to pick it up? If the police had succeeded then it wouldn't matter if the money was real. If the blackmailer gets away, then maybe, if you are lucky, he might keep his promise if he thinks you acted in good faith. But now I am reading a story on slashdot about how they tried to catch this guy and botched the plan, so now the blackmailer knows that Nokia was not acting in good faith. Now the blackmailer has no reason not to leak the keys, unless he plans to try to extort more money.

    1. Re:No funny business by Anonymous Coward · · Score: 0

      If it were me, I'd pick up the bag, look in it, and if dissatisfied, use my phone to email the code to a very large distribution list. If the money is fake, you're going to jail either way, so you may as well make good on your threat, right?

      The blackmailer would be a fool to think Nokia wouldn't work with the police. He was expecting it and clearly took precautions to ensure he'd not be caught, right from the start. He probably figures at this point he has enough money to disappear, so why not do so and avoid even more serious police scrutiny by simply deleting the code and running. Again, that's what I'd do.

      But then again, I don't extort people. So I guess I might not be the right guy to ask. LOL.

    2. Re:No funny business by Anonymous Coward · · Score: 0

      I agreed with your reasoning right up until you said delete the code. I just don't see a reason to delete the code, at least not in the short term. It's too powerful of a bargaining chip if the police do catch up with you later. The downside is if you were caught with the code it could be used against you as proof, except I really can't see a scenario playing out where having the code leads to you being captured where not having it they wouldn't have known it was you.

    3. Re:No funny business by Jumunquo · · Score: 1

      Too many potential points of failure - you could be quickly restrained or knocked out (like by a taser). They could cell jam you or otherwise intercept your data. Or they could have already hacked your phone in the time you picked up the bag and took it somewhere to check its contents. Better would be to set up some servers to send out the code at a certain time. If anything happens to you, then there's no one to disable that system.

      I agree that the blackmailer, once the money is in hand, is incentivized to keep his/her end of the bargain. Sending out the code would just leave a potentially traceable digital trail and just having the code on-hand is incriminating evidence. And in this case, where Nokia keeps dishonestly quiet, all you have on your tail are a few police officers that can't even follow a bag.

    4. Re:No funny business by Jumunquo · · Score: 1

      Regarding keeping the code, you'd have to hide it really well such that only you can retrieve it. You should encrypt or otherwise scramble it for starters. It's not that hard. Criminals are usually caught because they're either stupid, or because easy money is addictive, so they keep doing it, and eventually, something happens outside their calculations (and they tend to get more careless over time too).

  9. Trust... by Bert64 · · Score: 1

    So how do you trust a company? Profit is their primary goal, and if they feel that hiding a breach like this will be more profitable than disclosing it that's exactly what happens... Meanwhile, you now potentially have to also trust some criminals who have already demonstrated their willingness to commit blackmail.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  10. subjects are stupid by Anonymous Coward · · Score: 0

    Likely story. The NSA asked and they rolled over, right ? This is just cover.

  11. And now for the news... by msauve · · Score: 1

    Blackmailer blackmails blackmailer. More at 11.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:And now for the news... by Anonymous Coward · · Score: 0

      We have better, more diverse and more robust ways to get into your phone, Subject. I mean, our phone you kindly paid for.

  12. Sigh by Anonymous Coward · · Score: 0

    Whoever decided it was a better idea to pay rather than protecting their customers should be sent to prison... I'm sorry, but they knowingly compromised security for every user.

    1. Re:Sigh by Jumunquo · · Score: 1

      Actually, paying the ransom was the best bet to protect the user. However, they also should have let everyone know they had been compromised, and that's the part where they put corporate greed before their customers.

    2. Re:Sigh by GameboyRMH · · Score: 1

      Corporations commonly pay ransoms to blackhats, it just doesn't get reported. I heard of a CEO once paying a 100kUS ransom to prevent his customer database from being released - with no evidence!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  13. Unimaginable horror by WaffleMonster · · Score: 2

    Damn you just have to feel sorry for Nokia...

    I couldn't imagine the pain and suffering must be associated with selling devices and then losing the ability to control what software can be installed on them.

    1. Re:Unimaginable horror by Anonymous Coward · · Score: 0

      FYI you could install software to Symbian phones from wherever. You just had to allow it just like in Android..

    2. Re:Unimaginable horror by Anonymous Coward · · Score: 0

      Like when they changed to Windows?

  14. Sherlock vs Moriarty by bswarm · · Score: 1

    Moriarty Calls every Nokia phone and broadcasts the image of himself laughing.

  15. Extort the extorer? by Kaz+Kylheku · · Score: 4, Funny

    Pay me, or you don't get to extort your users with your locking scheme! :)

  16. RFID by Anonymous Coward · · Score: 0

    RFID - Read the Fucking Included Document?

    So, they didn't include the document so the blackmailers did not know what to do and ended up getting lost?

    Ah! I get it!

  17. Carriers that hide the Unknown sources checkbox by tepples · · Score: 1

    Symbian had a toggle in the settings to disable signed app requirement.

    So does Android. But that doesn't stop carriers from forcing that signature requirement toggle on, just as AT&T did for the first several months that it sold Android phones (Motorola Backflip, HTC Aria, Samsung Galaxy S "Captivate"). And the vast majority of phones sold in the U.S. market during the Symbian era had carrier branding on them.

  18. Delegation of vetting by tepples · · Score: 1

    Do device "owners" really want phones that "accept only applications approved by the company".

    Yes.

    As BasilBrush and CronoCloud have explained here several times, the majority of people are not geeks and don't want to have to spend time doing their own vetting of safety, usefulness, and battery efficiency of apps. Instead, they choose to delegate this vetting to Nokia, Apple, Microsoft, Sony, Nintendo, etc. I've summarized the purported advantages of closed platforms.

    1. Re:Delegation of vetting by Somebody+Is+Using+My · · Score: 2

      I disagree. I do not think this is a major consideration for most users. The idea of multiple software stores, some of which may or may not be trustworthy, is not high on the list when comparing phones.

      Issues they do care about in general order of importance:
      * Cost of the phone
      * Provider support (e.g., will I be able to use this phone with my carrier)
      * Features of the phone (does it have a keyboard, or a camera, and what does it look like)
      * App support (can I download apps I am interested in?)

      The fact is, most people have a rudimentary understanding of how the apps work and what risks they are taking when they download software from the internet. Nor are they aware of how powerful and versatile these pocket-computers really are. So long as they get their email, facebook, music, mapping, a few choice games, and perhaps the usual word-processing apps, most people are satisfied with the selection they get from the app store (there may be more to that list, but for the vast bulk of people, everything they need or want can be had from the official app stores). It doesn't occur to them that they are "locked-in" because they already get everything they need so they don't go looking for more. However, when they do feel the restrictions - when they discover that FlappyBirds or whatever fad-app isn't available on the app store, they are more than willing to visit alternative sites to get their software fix, regardless of the risk this to which this puts their data.

      In other words, it is true that users usually do not care about being locked in to one application provider. But they also don't care that the official app-stores vet the software either and when push comes to shove they will readily accept software from any source. Once made aware of the issue, the multiple sources of apps is a selling point for Android, because it gives the users more selection. That it comes with significant risk to their privacy and data is rarely a consideration. When the garden wall gets in their way, they dislike it as much as power users without understanding the benefits it might bring.

  19. The benefit of freedom is flexibility by tepples · · Score: 1

    The Slashdot user's ideas of free software come from a RMS.

    Where you see "freedom" in arguments for free software, read "flexibility". The iPhone is less flexible in some ways than some other platforms. For example, there's no app for helping contribute to an access point database because Apple refuses to make the needed APIs public.

  20. When there's no app for that by tepples · · Score: 1

    People give a care when they find that they'll never be able to get an app for a particular task on their phone or tablet. Where's WiFi-Where for iOS? Where's a web browser for iOS capable of viewing a WebGL visualization of the brain? And where's a web browser that supports uploading documents created in an app, other than pictures and videos, to a web form?

  21. account info too by Anonymous Coward · · Score: 0

    The email address I used for a dev account there gets spammed a lot and I never used it anywhere else!

  22. they should have encouraged the hacker by 0xdeaddead · · Score: 1

    since nobody wrote or used symbian in the android era anyways.

  23. Finnland? Were they running Linux? by Anonymous Coward · · Score: 0

    Crypto keys stored on a Linux server??? Just asking.

  24. What?! by Anonymous Coward · · Score: 0

    They should have let it free, so people could hack the device.

    And why not using key revocation?

  25. No funny business by Anonymous Coward · · Score: 0

    My guess:

    They assumed or knew there were more than one person. They put real money in the bag to pass any kind of quick check of the money. Police lost the person picking up the money because they were trying too much to stay hidden. This might have taken days of following the person to see who he meets. Maybe they wanted all of the blackmailers. Other option is Nokia wanted to let the blackmailers go, and didn't give all info to the police. This could happen if they first contacted the police, but then got second thoughts about if it's a good thing to catch the blackmailers and possibly face the renvenge of leaked keys.

  26. Sounds like the Keystone Cops by Zontar_Thing_From_Ve · · Score: 1

    For those who don't understand the reference, the Keystone Cops were incompetent policemen in a series of American silent movies. I read the article linked to in the article and basically Nokia dropped the money off in a paper bag in a parking lot and the police watched the pickup and then completely lost the blackmailer. To this day they have no idea at all who got the money and it seems that Nokia has only the word of the blackmailer that they wouldn't use the keys for nefarious purposes.

  27. wait... what now? by Anonymous Coward · · Score: 0

    "Had the key been leaked, Nokia would not have been able to ensure that the phones accept only applications approved by the company."

    Um... tiny little problem there. Your extortionist already HAD the keys. It's not like they can "un-have" them.

    We promise we'll delete them after you give us the money.