My dad works for one of those provincial government agencies, and according to him, they're installing Ubuntu.
Been trying to convince him to use Fedora !!
OK, let me try if I can restate the problem first, then I'll give the question:
So:
1. You want the CA to *sign* a rouge certificate by having it fooled into signing a legitimate, hash-colluded one.
2. In order to do that, you must carefully choose the legit certificate and ask the CA to sign, while using the rouge ones for bad things.
Now clearly when asking the CA to sign, you ought to agree with some of the legal stuff from the CA. The problem I see lies in this scenarios:
(a) You use the bad certificate to do bad things that affect me.
(b) I somehow trace it back to the problem of the certificate being rouge/malicious, etc. I further backtrack the CA tree and found the one that sign your legit certificate.
(c) I file a law suit, and the CA that signed your cert will then know that its misused signature is for you. Then you'll get into troubles.
SO YOU'RE SHOOTING YOURSELF IN THE FOOT.
You can say that's the way it is, since one of your millions enemies may have framed you. Well, I think it's in many order of magnitude more difficult finding a hash-collisioned certificate to a random legit one. So I don't think so.
I am more concerned with the technical details of the worm, but have no patience reading the Owning Kraken article. Any who, I blogged some of my thoughts here http://tientadinh.blogspot.com/
In summary, as far as I know, Kraken does not scale as well as Storm, because it relies on the the DDNS providers. Plus, how the owner can orchestra a DDOS attack is not very clear for me.
It's clearly not the best paper I've ever read. The assumption is not at all modest. It says that the Swarm capability exceeds that of the botnet. Well, considering how many ISP must be gathered to defense against Storm.
First of all, ISPs are always known for not liking each other very much. Unless there is an international treaty, it's for me very difficult to gather enough ISPs to defense against large botnet such as Storm.
Secondly, it mentions sometimes about using Bittorent and relying on normal PCs instead of ISPs. You must have more number of such innocent machines than number of machine in the botnet. Notice i said "innocent" machines here. Now another fundamental question is how to make sure the machines in such systems are free of malware themselves.
Slashdot Mirror
My dad works for one of those provincial government agencies, and according to him, they're installing Ubuntu. Been trying to convince him to use Fedora !!
OK, let me try if I can restate the problem first, then I'll give the question:
So:
1. You want the CA to *sign* a rouge certificate by having it fooled into signing a legitimate, hash-colluded one.
2. In order to do that, you must carefully choose the legit certificate and ask the CA to sign, while using the rouge ones for bad things.
Now clearly when asking the CA to sign, you ought to agree with some of the legal stuff from the CA. The problem I see lies in this scenarios:
(a) You use the bad certificate to do bad things that affect me.
(b) I somehow trace it back to the problem of the certificate being rouge/malicious, etc. I further backtrack the CA tree and found the one that sign your legit certificate.
(c) I file a law suit, and the CA that signed your cert will then know that its misused signature is for you. Then you'll get into troubles.
SO YOU'RE SHOOTING YOURSELF IN THE FOOT.
You can say that's the way it is, since one of your millions enemies may have framed you. Well, I think it's in many order of magnitude more difficult finding a hash-collisioned certificate to a random legit one. So I don't think so.
I am more concerned with the technical details of the worm, but have no patience reading the Owning Kraken article. Any who, I blogged some of my thoughts here http://tientadinh.blogspot.com/ In summary, as far as I know, Kraken does not scale as well as Storm, because it relies on the the DDNS providers. Plus, how the owner can orchestra a DDOS attack is not very clear for me.
It's clearly not the best paper I've ever read. The assumption is not at all modest. It says that the Swarm capability exceeds that of the botnet. Well, considering how many ISP must be gathered to defense against Storm. First of all, ISPs are always known for not liking each other very much. Unless there is an international treaty, it's for me very difficult to gather enough ISPs to defense against large botnet such as Storm. Secondly, it mentions sometimes about using Bittorent and relying on normal PCs instead of ISPs. You must have more number of such innocent machines than number of machine in the botnet. Notice i said "innocent" machines here. Now another fundamental question is how to make sure the machines in such systems are free of malware themselves.