Read the Fox-IT report. There's a database for revoked certs that responds to a query. If the cert is rooted at a CA, it sounds like it checks that CA's database. If the cert isn't found, or is found and marked good, the cert passes. So there's no database of all certs from A CA that gets checked, from the sounds of it. I guess I can see where a really large database would have issues and just having revoked certs would be enough, but in this case it apparently allowed bad certs not officially issued through their system to be marked okay until they changed the behavior... That's the best I can make of it anyway!
Okay, read the Fox-IT report. The certs' serials were apparently NOT in the revocation database. For some assbackwards reason the RFC says when NOT found at all that the server responds "good", but if found and listed as revoked to deny. Wouldn't it make more sense to require all requests to be confirmed in the database? Was this a speed thing putting this into the RFC? The server is now checking and rejecting if not found, it seems - it's how they know what certs are dorked....
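The responder behaviour the two posts above are puzzling over, as an added illustration that is not part of the original comments and not taken from the Fox-IT report or any CA's code. Under RFC 2560 an OCSP "good" answer only means "not on the revocation list", so a responder that consults nothing but that list says "good" for a serial it has never seen; a responder that also checks the CA's own issuance records can answer "unknown" instead (RFC 6960 additionally lets it answer "revoked" for a serial it never issued). The serial numbers and the two tables are constructed for the example. The last serial also shows the point made further down the thread: a cert that was pushed through the CA's normal pipeline is recorded as issued, so the issuance check does nothing for it.

```python
"""Added illustration (not from the Fox-IT report or any CA's code): how an
OCSP responder decides good/revoked/unknown depending on whether it consults
only the revocation table or also the CA's issuance records.  All serials
and both tables below are constructed for the example."""

from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


# Constructed CA records (hypothetical hex serials): what the CA's pipeline
# recorded as issued, and which of those were later revoked.
ISSUED = {"0x1001", "0x1002", "0x1003"}
REVOKED = {"0x1002"}


def status_blacklist_only(serial, revoked=REVOKED):
    """Revocation-list-only responder, the behaviour the posts describe.
    A serial the CA never recorded (e.g. a cert signed with the CA key
    outside the normal pipeline) is not in the revoked table, so the
    answer is 'good'."""
    return Status.REVOKED if serial in revoked else Status.GOOD


def status_with_issuance_check(serial, issued=ISSUED, revoked=REVOKED):
    """Whitelist-style responder: a serial must appear in the issuance
    records before it can be 'good'.  An unrecorded serial gets 'unknown'
    (RFC 6960 also permits 'revoked' here); a recorded-but-revoked serial
    gets 'revoked'."""
    if serial in revoked:
        return Status.REVOKED
    if serial not in issued:
        return Status.UNKNOWN
    return Status.GOOD


def compare(serial):
    """Return (revocation-list-only answer, issuance-checked answer)."""
    return status_blacklist_only(serial), status_with_issuance_check(serial)


if __name__ == "__main__":
    # 0xBEEF: constructed serial of a cert never recorded as issued.
    # 0x1003: constructed serial of a cert that went through the normal
    # pipeline and so is recorded as issued; neither responder can tell
    # it is bogus, which is why the issuance check is not a cure-all.
    for s in ("0x1001", "0x1002", "0xBEEF", "0x1003"):
        old, new = compare(s)
        print(f"{s}: list-only={old.value:8} issuance-checked={new.value}")
```

The only serial whose answer changes between the two responders is the one that was never recorded as issued; a rogue cert that the CA's own pipeline produced and logged looks identical to a legitimate one to both.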
Let's play pretend that this was air gapped\tempested\protected by dogs and this guy managed to insert a request for a cert into their system, bypassing any dupe checks and payment crap. It would have been dutifully carried on whatever media they had used a million times before to the "special" machine, a cert created, and the cert sent on its way to the attacker same as any other.
How does an air gap solve this problem exactly? Doing them by hand and checking their authenticity with a human is a great idea when you do it, say, once a week. Do it a few thousand(s?) times a DAY and the human validation falls apart. He didn't have to steal the keys to create certs on his OWN machine (nothing I've seen so far says he did); in fact that would have been more worthless. Instead he likely got the system to make certs for him just like others. This way when revocation checks were done his cert checked out instead of being 404 and raising flags. That is what appears to me to have happened; an air gap doesn't solve this IMO.
Because maybe your competitors do it that fast? Want to bet they aren't much different than any other CA in this regard?
And even if this was air-gapped somehow - why does anyone think the request wouldn't have gone right through with the other thousand(s?) or more requests bulk shipped through? How exactly would that have helped? The guy didn't *just* create a cert - he pushed it through their entire system including their databases that affirm it when a revocation is checked.
Really all it seems like he needed to do was bypass any checks in their system to prevent a dupe cert from being created, bypass some payment stuff maybe, and insert his request into the queue - all of the backend processing and firewalling in the world wouldn't have said Boo! if the request looked legit. Air-gapping this would have done nothing but slow business for this CA and *NOT* have stopped this "attack".
How exactly would an air-gap have changed the outcome?
Umm, this "kid" was able to pump out certs from a CA that could potentially have allowed a great deal of damage. He didn't just break in and deface the system, he broke in and got around the systems that were in place to prevent these kinds of certs from being produced - unless you think this CA didn't know that Google and Microsoft were already rooted elsewhere.
As for not being able to do more than damage.... what do you call having a database of credit cards stolen? SSNs? Credit card PROCESSING systems? That's not damage? You think organized crime isn't doing that?
How would that have worked? A CA is responsible for pumping out certs, for a fee, all day every day, as well as verifying existing certs. If you think that this isn't done in an automated fashion by every CA out there then you don't understand the volume! All this guy did was break in and get the CA to do what it's normally set up to do and bypass the checks that would normally prevent the action. An air gap isn't reasonable in this scenario and I bet no other CA has one either. Personally I'm not surprised that this was done, and if Iran had had a CA like Russia and China do then he might not have needed to bother.
Rango appears to be an exception; I too got it quickly. However I have about 4 others in the recent past that went for quite a while as "long wait" and only recently cleared. In more than one case I simply went to Redbox and got the movie. If you do a bit of googling you can find that this behavior is documented with Netflix and has even been written about here on Slashdot.
You'll get to see those new releases only while a new subscriber. Once you've been using the service a while you'll suddenly find that new releases are "long wait" and it can be months before they are available. I've also noticed that despite my preference being BD they often add movies as DVD to my queue and sometimes swap them from BD to DVD if I don't pay attention....
Eac3to for BD using AnyDVDHD and then some work to compress. Other options too but yeah BD isn't an issue unless you want the menus and other crud. If you want just the movie you're set.
You DO realize that the parent post wants a law requiring LED indicator lights to be put on all laptops that have cameras right? That's pretty silly to say the least and won't solve this issue. If it's a privacy problem and current laws cannot cover it - which I doubt - then sure broaden an existing law. But making manufacturers put indicator lights on laptops isn't going to solve squat.
Thank you - common sense at its finest! There are already plenty of laws that ought to apply if indeed this was as bad as it's been made to sound. A new law requiring manufacturers to add a blinky light to warn of camera use on laptops is beyond insane and wouldn't address the issue here, let alone solve it.
Yes, heaven forbid we use one of the zillion or so EXISTING laws to try and prosecute this right? No instead some dumbass wants another LAW requiring blinky LEDs on camera equipped laptops to warn people.
Oh goodie a LAW dictating lights on a laptop - just what we need! What a load of crap. I do NOT want another light on my laptop thanks and requiring it via some sort of retarded law is insane. Putting it into documentation simply means it will be yet another thing that won't get seen by most users. How about instead we simply use some common sense and fry the companies that are bugging users like this. There's already been one case where a school was snapping pics of the kids using the computers - complete with your suggested LED - where folks were told the flickering light was a "bug". I do not believe an LED is a solution here, especially one required by law.
You're inside of an HTTPS connection and send spooky data that somehow this Telex box can see. How exactly can the Telex box see inside the HTTPS secured connection if the connection is supposed to be secured to this bogus back-end web site that's benign and not aware of the goofy stuff? Is this SSL connection somehow different than a normal one to these web sites and if so would that possibly make it stand out?
Not true. WHQL isn't required for installation - I have signed drivers onboard that aren't WHQL. Getting a signing cert is easy for a manufacturer too.
Umm at what point in that process do they know you didn't pay for it exactly? Not every song is purchased from Apple nor Amazon for that matter and what will they do about ripped CDs?
No one I know who uses Word or Excel or PPT for business likes the new "ribbon interface" and we're forced to use it daily - and have for well over a year or two. Sorry but this was a BAD design decision that Microsoft is too damned stubborn to admit.
They have been churning versions out for Windows quite a bit now. They are trying to get everyone on updated code it seems and I bet it has something to do with all of the folks publishing information on how to access their infrastructure. I won't be surprised if they turn a switch and block all of those folks here soon....
This is already being done; I've not got the link handy but have posted a link to a guy's blog doing this many times. He has had a great deal of success publishing books that print publishers rejected - and so have many others. An advantage to digital is that the books aren't ever pulled from the shelf and can earn for far longer periods of time. Lots and lots of advantages to electronic IMO.
Also, I see nothing wrong with having tons of downloaded books. All the better to share with others who might read it...
Yes exactly. As a result the number of pirated books has got to be skyrocketing. This is even worse than for music, since books are so small it makes sense to download collections vs single books. Once I found eBooks costing more than paper I stopped buying them electronically. The fact that publishers actually tried to whine that printing presses cost lots of money as the reason for high ELECTRONIC pricing just pissed me off to say the least. Macmillan's blog was a pretty amazing read; these people are so arrogant it's not even funny.
AV products are a little smarter than that now. A little....
Umm bullshit?
As the title says - is Lucas literally making money now?!
Get a clue.
Citation needed - I've seen no such exploit. I call bullshit! What has been released is supposedly code to "talk" their protocol.
I'll bet China adds more prisoners per year than they execute too.....
The DOJ and others have signed off on this purchase already? The shareholders? Wow, that was FAST! /sarcasm
Methinks it's not quite a done deal yet...