Just because someone pinged me in this thread, I want to point out the different machines involved:
Zombie: Infected PC. Executes only those instructions whose digital signature matches that of an included self-signed certificate. (RSA signatures are not reversible.) Connects to C&C servers using a technique known as fast-flux proxies.
Command and Control: Middleman server. Accepts connections from zombies and the master. Forwards copies of digitally signed instructions. Fast-flux proxies help hide this server's location.
Master: This is the PC owned by the botherder. It connects to C&C servers via fast-flux proxies just like any other zombie. It contains the private key of the self-signed certificate distributed to all zombies. It is the only machine that can digitally sign instructions. It is also likely to be the only machine that has the tools to maintain the botnet and check its status.
If the botnet is operated by a gang, there may be more than one copy of the master. But each master has to be carefully guarded.
Sure, you can decrypt the instructions at a specific node. You can connect to the C&C server and try to inject your own instructions. The C&C server probably won't even accept them if their signature isn't valid. And no zombie will execute those instructions without first checking their signatures.
No, I'm sorry but it's a completely unusable solution because it's not easier for the customers to use or understand. Ultimately, many of their customers are stupid, and it's not their fault. 50% of them are below average, after all. The most we can ever hope for is that they recognize "bank == safe place for my money." And that doesn't absolve the bank of the liability to provide that security, at least not if they want to keep having customers.
So all the technical work of security has to end up in the bank's hands. You can ask a customer to perform only the simplest of instructions, and even those will only be followed if they are required to obtain an immediate payout at the endstate.
"Put this card in the slot in order to withdraw money" is an example of a good model to follow.
"Put this card in the slot and type your secret PIN in order to withdraw money" is an acceptable model to follow, but it's surprisingly close to the limits of what some people are capable of.
"Drive to the bank, write down the 40-digit fingerprint number in our window, go home, run a virus scan, type this URL into your browser without using a bookmark, doubleclick the padlock, click the Security tab, click the View Certificate button, check that the certificate SHA-1 fingerprint is the same as you wrote down, click the details tab, check that the root signer of the certificate hierarchy chain says Verisign, click the close button, dismiss the dialog box, click the login button, type your username, type your secret PIN into this field on the web page, click 'Transfer' to pay your bills on line" is hardly an acceptable model of a use case. Yet it's exactly what is being recommended.
And people wonder why there are security breaches.
Actually, the banks already have a way to distribute the certs: put them on smart cards. The bank can trust the cert because they issued it. The customer can trust the cert because the bank handed it to them.
There are many good security features a smart-card based solution brings to the table. First, the bank is entirely in charge of their own security from end-to-end. There is no trusting of third parties*. The bank is able to uniquely verify the presence of your card, and can refuse to transfer money without it. And if the bank is compelled by a warrant to cooperate with the government, they just hand over the data without fooling around with a clumsy man-in-the-middle attack.
What's really needed is a ubiquitous smart card reader to be included on standard computer builds.
*Actually, you still have to trust the third parties who provide the applications, operating systems and hardware. The only completely secure way around that is for the bank to provide the actual computer to the customer, via a handheld card device like Vasco makes. A close second is by providing a custom bootable image on read-only media.
Why do you imagine that would "make the common people laugh at him"? He'd successfully portray it as a CIA attack.
Then bring in the Russians. Those ex-KGB guys knew how to run a good disinformation campaign. Throw mud, keep throwing mud, fling mud into real news stories that spin them the wrong way, do everything you can to make the target look incompetent and buffoonish at every turn. Be sure to use deniable cut-outs so that the deceit can't ever be traced directly back to you.
They caused plenty of dissent in the USA during the cold war. They also learned that disinformation wasn't enough to topple the leaders of the U.S. government, nor did it give them the clear advantage in negotiations. Occasionally it gave them blackmail opportunities to create informants, but for the most part it was a giant waste of money. The KGB apparently never saw it that way, as they stated in 1984 that "Our chief task is to help to frustrate the aggressive intentions of American imperialism ... We must work unweariedly at exposing the adversary's weak and vulnerable points." The job of Service A was to fabricate disinformation through "active measures."
Service A was responsible for casting doubt upon the lone gunman "theory" of the Kennedy assassination; they portrayed J. Edgar Hoover as a Bircher and amplified the rumors of him being a gay cross dresser; and they successfully caused gullible third world leaders to believe all kinds of lies, from AIDS being created by the U.S. Army at Fort Detrick to the U.S. importing third-world orphans to use as organ donors to supposed plans to overthrow the Indian president Rajiv Gandhi.
"R2, fix me another Velcro Martini. Magnetically stirred, of course."
Just remember to turn the mic to Houston off of VOX.
HOUSTON: "Uhhh, we're getting a pretty steady 2-3 Hz slapping sound down here guys. Are all systems ok up there, and any ideas on a cause?"
Houston, ISS. We report it as a steady 2-3 Hz fapping sound, not slapping. The cause appears to be us being STUCK IN ORBIT FOR SIX MONTHS! Over.
It's nice to see a company take an ethical stand and stick to it.
... and then turn their ethics around 180 degrees after getting hacked and stick with that. For a while, anyway.
For the moment the compass needle is pointing the right way, so I guess we should approve of that.
This list was about unsung heroes. Zork was sung from the rooftops.
And fish and phishing have something in common, too: one is cold and slimy, the other makes a tasty lunch (especially with lemon.)
Bottom line, though: I. Fed. The. Troll. I was had. We probably don't need to worry any further about what I said.
Orrin Hatch is famous for sucking
FTFY.
your boss walks in while you have goatse on your screen
Hey, boss, come look at my new "magic mirror" app. It uses the web cam to display people as they truly are!
*fired*
But some days it would be soooo worth it.
102 105 114 115 116 112 111 115 116 33
Oh, that's like my scary octal dream. I think I even saw an 8!
That blog post even has a variant of obfuscation the author likely didn't intend. He mentioned octal, but used a funny notation in his google.com example:
http://00000102.00000146.00000015.00000143/
True octal notation simply requires a single leading zero, like this:
http://0102.0146.015.0143/
The cool thing is this opens a new avenue for further defeating the fixed string-based scanners. These are all equivalent:
http://00000102.00000146.00000015.0143/
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.00143/
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.000143/
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.0000143/
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.00000143/
Sure, a regexp would easily solve the problem, but that seems to be part of the root problem anyway.
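From the scanner's side, the equivalence described in the comment above can be handled by canonicalising the host before comparing it, instead of matching fixed strings. The sketch below is an added example, not part of the original comment; the function names are hypothetical and the parsing follows the classic inet_aton convention (leading `0` means octal, `0x` means hex, one to four dotted parts).

```python
import re
from urllib.parse import urlsplit


def _parse_part(part):
    """Parse one dotted component: 0x.. is hex, 0.. is octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        # Any number of leading zeros still means octal: 0143 == 00000143.
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    return None  # not numeric (a hostname) or malformed, e.g. "08"


def canonical_ipv4(host):
    """Return dotted-decimal form of a numeric IPv4 host, or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def blocked_by_ip(url, blocklist):
    """True if the URL's host is a numeric IPv4 address on the blocklist."""
    host = urlsplit(url).hostname or ""
    ip = canonical_ipv4(host)
    return ip is not None and ip in blocklist


# The URLs quoted in the comment above, plus the single-leading-zero form.
PAGE_URLS = [
    "http://0102.0146.015.0143/",
    "http://00000102.00000146.00000015.0143/",
    "http://00000102.00000146.00000015.00143/",
    "http://00000102.00000146.00000015.000143/",
    "http://00000102.00000146.00000015.0000143/",
    "http://00000102.00000146.00000015.00000143/",
]
BLOCKLIST = {"66.102.13.99"}  # dotted-decimal value of the octal address above

if __name__ == "__main__":
    for url in PAGE_URLS:
        naive = any(ip in url for ip in BLOCKLIST)  # fixed-string scanner
        print(f"{url:45} naive={naive} canonical={blocked_by_ip(url, BLOCKLIST)}")
```

Every variant resolves to the same canonical address, so one blocklist entry covers all of them, while the fixed-string comparison matches none.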
-5, very completely wrong.
Oracle bought Sun, not Microsoft. I can't even imagine a reason for Microsoft to buy Sun other than to let a raving DEVELOPER throw chairs at Java until it was utterly destroyed.
And Java and JavaScript are completely unrelated. JavaScript is to Java as fish is to phishing. They sound similar but are in no way the same thing.
Mozilla running JavaScript threads? Srsly?
Let me fix that:
-10, truly most completely wrong.
Satellite dependence? The GPS constellation is designed so that from the ground there are almost always six birds visible, even though only three are needed for a fix. When one fails, it doesn't take the others with it, and the constellation is simply reconfigured to make up for the missing satellite. The birds have a proven track record for reliability. And they're always going to exist because the military needs them to, regardless of the civilian need.
Radar, on the other hand, breaks down. It's a spinning motorized beast that gets beat up by wind, rain, hail, snow, ice and rust. Replacement parts are expensive. Maintenance is constant. And due to curvature of the earth radar coverage is still quite poor, as the further you get from a station or the closer you are to the ground the less visible you are. Significant portions of the U.S. airspace are completely invisible on radar, even though there are a hundred ground radar stations sweeping the skies.
Finally, radar is systemically fragile to your imagined terrorists. A single ground station could be taken out by a band of idiots with small arms, leaving a large metropolitan area with no radar coverage whatsoever. For that matter, a radar could be taken out by a single idiot with a screwdriver and the wrong manual. A GPS satellite, on the other hand, is in MEO, 12,500 nice safe miles from the nearest idiot or screwdriver.
Of course there is a huge problem with any massive upgrade. That is simply cost.
Whose cost? You think we the taxpayers should continue to pay hundreds of millions of dollars annually to maintain and operate the current fleet of aging and incredibly expensive radar sets? And you're saying we should simply accept the elevated safety risks of the current outdated systems? Deploying the system in Alaska (the biggest general aviation state) showed a decrease in crashes of 80%, don't you think that should play a factor in your decision?
Your opposition seems to be based only on your sympathy with Joe Pilot who might (or might not) have to spend a couple thousand bucks to make his $50,000 plane four times safer, not to mention easier to navigate.
The FAA's proposal makes a lot of sense, makes aviation safer for everyone, and will be run at the expense of its primary users. I really don't see a downside.
RTFA. I borked the summary by, well, summarizing. The FAA is outlawing *non-work-related* laptops and devices.
And while it is Congress who is passing the law, it is the FAA who wrote it and recommended it. This isn't typical Congress making stuff up because they want to be seen "doing something."
So chill out. RTFA again. It's what the FAA is asking for, and not just the ordinary ravings and droolings of the dimwits in Congress.
I know. I was just being supportive of "idontgo", because he sounded like he was claiming people would "reverse engineer" RSA, which is ridiculous. I'm sure he must have meant something else.
However, there is a potential vulnerability in what he's saying (even if he's saying it wrong.) The vulnerability is in the zombies. The zombies have to phone home to register. How does the C & C server know if it should trust a zombie? Is it susceptible to some kind of protocol exploit (a buffer overrun, a malformed URL, etc.)? While it won't ever have the private key, it might cough up a list of zombies.
Is it? Or is OpenSSO simply inconsequential?
I've never understood the appeal of SSO solutions. Joe Sixpack doesn't give a damn. It's never been made simple enough for him to "get". A handful of geeks may think it's awesome. But the rest of the real world doesn't care.
Snoracle is probably totally safe with this.
I just want a cellphone that allows, well, you know, to call people.
What would be the simplest, easiest, cellphone with the least functionality (no bluetooth, no Java, no appstore, no memory card) that would fit me?
You know, one with ten numbers and a "call" and a "hang up" button?
You say you want "simplest and easiest". Think deeply about what you're trying to do. Do you actually want to talk to a "number", or do you really intend to talk to a specific person? This is a real question, and not intended to be a smart-assed comment.
Most people assume a simple phone is one that dials numbers, but that's because we've been trained by 80 years of technological limits that have forced us to abstract human conversations behind strings of digits. With new phones that have contact lists, you don't need the numbers other than for initial input into the machine. You set the number once (or save it if they call you first) and never dial the digits again.
That leads directly to a repeat of the first question: do you want to hunt through a contact list, or do you still just want to talk to someone? Again, we've been trained by the limits of our recent cell phone technology to accept 2=ABC, 3=DEF, etc. But that sucks for searching. Arrow-up and arrow-down are frustrating for average numbers of contacts, and the experience gets worse the more people you know.
If you honestly want to just talk to someone, you should really be asking for a phone with voice recognition dialing. Motorola, Nokia, Apple, Sony Ericsson all have phones that can voice dial without training based on the names you've entered in the contact list, and I'm sure there are many others out there. Pushing the "call" button and saying "Call John Smith" is about as simple and easy and clear and direct as it gets. You should look into that, rather than constraining your requirements with limits that no longer need to exist.
The original problem with textbooks is that they are expensive to write. It can take thousands of hours to produce a completely new book.
The recurring problem with textbooks is the money addiction that authors and publishers seem to suffer from. After quitting their day job for a year to write a book, they believe that book writing is more profitable. So they figure they can tweak the book for a couple of weeks or so and convince teachers that this one is the new hotness and last year's is old and busted.
Unfortunately, the expert author model just isn't very sustainable. If you pour a year of your life into summarizing your previous several years worth of experiences, the only current topic you're now qualified to author is writing a book.
So how do you propose funding the author for a year's worth of hard work? The wikipedia model, allowing many volunteers to share the load? The corporate benevolence model, like Google's summer of code?
I'm not saying that you shouldn't have cheap books, but I am saying the author and editor still need to be paid for their not-inconsiderable efforts.
Actually, most of my time is spent fighting crime vigilante-style on the streets of a major city in a brightly colored spandex suit. I only spend a few minutes at a time on the computer.
By "brightly colored" do you mean to say "Cheetos-stained and mom hasn't done the laundry yet"?
Why? Do the "worst of the deadbeats" somehow still deserve credit? Credit isn't a basic human right. For that matter, owning a car isn't a basic human right, either.
If the deadbeats "need" a car, they really "need" to save enough money to buy one. I'm sorry about your destitute friend's situation, but I didn't extend her the credit that she defaulted on in the first place. I didn't give her the bad debt history. If she "hit a rough patch", she was already overextended when she hit it. Her creditors deserved to lose the money they never should have loaned her in the first place, but they also have the right to honestly report her repayment behavior to the credit bureaus -- it's why they keep track of such things.
Anyone stupid enough to loan money to someone who has walked away from their previous debts deserves the chance to lose any money they loan that person. Usurious loans fall under that category, too.
Couldn't that $1.4 billion have been better spent buying Valium for the rampant xenophobes in Congress? Just trank 'em all out and stop them from worrying about a non-problem.
The Mexicans who do enter illegally aren't exactly "stealing" great jobs from American citizens. They're picking crops, cleaning houses, flipping burgers, etc. The real problem is that our legitimate businesses are legally shipping planeloads of cash overseas for crappy products and services. Do we really need a million plastic "movie tie-in" figurines to be given away with Happy Meals, or blankets with arms in them?
By endpoint, I assume the GP poster means not the C and C servers, but the bot-herder's personal PC with the private key. The one he uses to sign the commands. That is indeed one place the system is vulnerable. The other is that there may be a security vulnerability in the bot implementation that would permit an unauthorized connection to take over the bot, perhaps via buffer overflow or something. Y'know, the "endpoints."
Yes, if he thought that the C and C servers contain the private key, he's very much mistaken.