Security Clan Chat: Another Certification Authority Goes Down

Thanks Kim!!!!!!

Later!

Yes, thanks all.  Be seeing you.

Thanks for the chat Kim! Talk to ya later all!

Thanks for leading the chat, Kim, and all for joining us today.

disclaimer: I only stated that Adobe is evil when it comes to piracy. This can overlap with one of the blog topics though re: third world markets and pirated software.

as if they have someone monitoring your activity (a person) to get you to pull your hair out as punishment.

Some people see sandboxing as the future.  Or completely segregating key functions from any open interface with the web.  But I guess we are getting some way from the hacking story.  Any more on certificates?

if you "crack" their apps, they make your machine shut off at times where it is most inconvenient.

@jwallace maybe it would help against automated attacks but a directed attack you can break out easily enough. Also it would be expensive and resource intensive

Adobe is EVIL!

can running each app instance in a sandbox be a solution? (I know very little about this).

I get Adobe updates almost weekly.

consistent*

I used to get consitent java updates which made me wonder.

Hackers have been relentlessly showing us in recent months that security across the board is in terrible shape.

fake Windows updates..

So we basically use what we have in terms of CAs, while waiting for something better to emerge?

I'd agree with that, Kim.

@Nicole.  One just has the feeling that the environment ought to be better than it is.  Or that it ought to be improving rather than evidently deteriorating.

It's evil, I tell you.

All security solutions need to be improved. But there will always be someone looking to break whatever we come up with.

I'm back to laughing.

@AW:  Yes, of course.  Facebook goes through your pockets after you log on.

Clearly, the fact that CAs are vulnerable doesn't mean we shouldn't use them, just that they need to be improved. And we will always be seeking alternatives.

@Mary, try setting up a new Facebook page, like a business page. 

Yeah the facebook thing happens on the site after you log in. Not sending in an email

okay. whew!!

jwallace that sounds like spam to me. Kim when you got that missive from Facebook it was on the actual site, right? Not via email?

"was inbox to me but has a site for me to log onto HTTP://please -check account -confirmation.tk/"

" Security sent me a notice to confirm my info is this normal? Its asking for my email address and password my bday and full name. Its threatening to close down my acct"

it's more like two factor authentication, useful if you have like an estranged relationship who is trying to hack into your account

@jwallace Facebook isn't the only place to do this, other things to do. Basically you enter the password and then they text your phone number another code, you enter that code. Presumablely because you have your phone

I'm deeply perturbed

I haven't had these experiences w/ FB. Is that because I'm not using certain features?

Re: alternatives to CAs, I haven't heard the word on that.

Yeah Facebook is getting deeply disturbing. Apparently it will soon be categorizing our friends for us.

but they askde for the PASSWORD. and how did I miss that blog?

They want to collect phone numbers, that's what they want.  That's why, if you are rash enough to synch your Facebook account with your phone, Facebook will gather all the numbers saved, whether numbers belong to Facebook users or not.

It's true, jw!

Yeah they do, they want an alternate way to contact you in the event your account is hacked (so they claim)

because I'm falling for it.

you all stop joking...

I've had Facebook tell me it requires a phone number before I can proceed with whatever I was doing.

Yes Facebook will request info like that. I do not understand why or how it's getting away with it.

okay I fell for that one. #coffeeANDcheckplease

@Kim REALLY?

I assume they are untrustworthy but I'm a weirdo

@JW.  Kind of thing Facebook throws at users.  Except it's authentic.

I had a friend ask me about an email they received asking for their date of birth, password etc or their profile will be "removed"(don't recall per verbatum) and it directed them to 650-543-4800 (sort of offtopic but)

I think that's fair, AW.  I expect most people who even notice security certificates just assume that they're trustworthy. 

If we establish that CAs are unsafe, then we need to consider more secure alternativs, as Jart suggests, but is there anything in the works that sounds more promising?

I think what I'm saying more is that currently security is Trusted or Un-trusted, perhaps levels of skepticism are more appropreate

But we've been told, haven't we, that CAs aren't required for digital commerce, haven't we?

AW, that doesn't sound good for online commerce.

Personally I think the entire notion of trust (in the digital sense) is outdated

Yes, the breach of those CAs is pretty damning. But CAs have been hounded as unsafe for ages, no?

@Nicole.  RSA has been very secretive about exactly what was stolen,  but several subsequent hacks (Lockheed Martin), for example, seem to have been based on that hack.

I think we're in repair mode now, with DigiNotar certificates simply being re-listed as untrustworthy.  Hasn't yet happened with GlobalSign.  Not good for those companies.

Well that RSA hack was in March, right? And we still don't know the extent of the damage from that. Very distressing.

When will the other shoe drop on this hack? That is to say, when will we know how bad the damage has been?

He was able to issue 500 or more phoney certificates based on the DigiNotar hack - for major sites too.  Who knows what else he has?

AW, I think that's what's "SHOCKING" about this story.  It doesn't matter how good the encryption is if Commodo has owned the server with the keys.

Hi Nicole! :)

Perhaps the storage of those needs to be more in line with SCADA systems, which required a Stuxnet level of sophisication

Hello jwallace!

So at this point we don't know the extent of the damage of this hack and all of the certificates that were compromised, right?

di dI hear quantum computing?

Right Kim, the issue is the generation point of the encryption here. not the level of encryption. That is always the weakest point

Yes, that's what it's about, quantum computing.

Hi Mary.

Welcome Mary.

Hi everyone

I may be misremembering, but I think the 6DEE essayist was big on quantum computing, which could indeed generate inconceivably long strings of code.  But that won't happen yet; plus, we still have the problem.  Someone needs to have the key or nobody will be able to use it.

@AW, as I understand it, he's not breaking codes, he's just cheating.

I think there's been much speculation about increasingly elaborate algorithms, harder and harder to break.  This hacker evades that problem by simply stealing the solution.  That's the worrying thing.

I think it's important when it comes to encryption that 1) the biggest vunerability is the origionation point and 2) any encryption will be broken, it's just a matter of when

One of our 6DEE students had an essay run in the ThinkerNet about the future of cryptography. Perhaps the answer to our issues exists in there.

Are SHOCKINGS worse than Lulz?

There's a suggestion that he might have breached an Israeli CA.  He says he has four more to reveal, but I think GlobalSign was one of those. 

Well all I know is that there are more SHOCKINGS to come -- so I'm scared.

@Nicole, his posts are somewhat incoherent, but the Comodo hack was to commemorate a massacre of Muslims in Srebrenica on the same day some years ago.  He blames the Dutch government for intolerance against Muslims (DigiNotar is Dutch).  I don't pretend to make sense of it all.

Awilliams, I agree completely. At very least, companies should be offering some sort of introduction to digital security lesson.

@Kim, I've been somewhat impressed by Mozilla and Googles no-nonsense response. We might start seeing some headway made

With this particular hack, I don't really get the political association...

Fundamentally I think part of the problem is a lack of public understanding about the issues. "Security Certificate" holds no meaning to almost everyone. It might be a good time to start offering digital security 101 in schools so people understand

One does get a serious impression of complacency.  Looks like Mozilla and Google are not going to tolerate that any more.

Good point, Awilliams.

I think a lot of that Kim is the fact that they felt they were somewhat untouchable. The years of seemingly no breaches (who knows how long they have been compromised) lead to complancency

It seems that, no matter the security method, there's a hacker somewhere who is spending his/her days trying to figure out how to get around it.

Yes... it's been a year of exposing flaws in companies that are claiming to be secure.

Exactly AW.  I see security certificates are offered fairly cheaply, but I guess in very large numbers.

It's following in a simliar vein that a lot of the big breaches of the past year or so are following. Companies that claim to offer secure products are themselves being compromised. Another good example is the RSA breach of not too long ago

A big wake up call to the CAs, who have presumably been making nice money out of a fairly automatic process up to now.

(Thanks for the audio intro, Kim!)

So what's your take on this issue with security certificates?

Yes a bit of sun is a great thing these days, still so much flooding -_-

Pretty good. Glad it isn't raining at the moment.

It's going alright, how are you today on this sunny day?

How's it going?

Welcome Awilliams!

Hi Security peoples!

It's a lovely day for a security clan chat.