Forgot your password?
typodupeerror
Businesses Security The Internet IT

DigiNotar Goes Bankrupt After Hack 136

Posted by timothy
from the it's-the-little-things dept.
twoheadedboy writes "DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company." Adds reader Orome1: "This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."
This discussion has been archived. No new comments can be posted.

DigiNotar Goes Bankrupt After Hack

Comments Filter:
  • by erroneus (253617) on Tuesday September 20, 2011 @09:03AM (#37454772) Homepage

    Businesses have a strong profit motive. The people who run businesses are greedy. They will sacrifice everything, including security related expenses in order to boost profits in some way.

    I think this is simply obvious.

    • by ge7 (2194648)
      You can't secure everything. Not in the real world and not on the internet either. There's always way to go around security, both in the real world and internet. Laws exist so that people don't do something just because they can.
      • by Cryacin (657549)
        Yes, but you can perform due diligence. If you're a bank offering secure storage, one would expect a safe that not just anyone can access. This is like putting a giant 6ft steel door on your safe, but having the entry code as 1-2-3-4-5, and known by all staff members - including the janitor.
        • by Bert64 (520050)

          And with the numbers on the keypad 1-5 being shiny clean, while the remaining numbers are dirty due to never being used...

        • by Amouth (879122)

          including the janitor.

          but how else is he going to empty the trash?

          sorry i had this argument with my boss a few months ago - about locking up records and bookkeeping stuff.. they wanted the GM, Me to have the keys and someone suggested giving one to the Janitor so he could empty the trash.. the fact that i had to explain how bad of an idea that is just kills me..

          • You'd be surprised, you're not alone. Yes, even convenience trumps security in a company.

            I have seen the "janitor gets access" quite a few times. Even in high security areas. As soon as it would inconvenience a decision maker, security goes out the window.

          • I'm just amazed that you were able to get that concept through their heads. I've been in similar situations where "let us not make this too difficult" trumps real security every time.

            How much does a decent password cost? Nothing.
            How much does NOT using that same password everywhere cost? Nothing.
            Yet we constantly see cracks where the crappy password was used on multiple, critical systems.

            • by kdemetter (965669)

              You are forgetting the cost of education people, so they know why a weak password is a bad idea.
              So it doesn't cost nothing.

              However, the benefits certainly outweigh the costs.
              But that's the problem : they don't see the long term benefits , just the short term costs.

            • by lgw (121541)

              Asking most people (including me) to remeber a bunch of different strong passwords is a crappy idea. User-invented-convenience will trup security in ways that defeat security, every time.

              Instead, use a scheme that's convenient for the user but doesn't require a strong password. For example, there are plenty of two-factor auth solutions (from vendors who haven't been pwnt yet). These days, using the user's mobile device itself as one factor -- storing a stong random key on it, and adding a user-select PIN

              • For example, there are plenty of two-factor auth solutions (from vendors who haven't been pwnt yet).

                Which cost money to implement.

                These days, using the user's mobile device itself as one factor -- storing a stong random key on it, and adding a user-select PIN -- is a great answer, becaus people notice when they lose their phone.

                Which requires that either the person volunteer his personal phone for that or that the company issue him a company phone that supports that.

                Again, which costs money.

                You'll never mak

                • by lgw (121541)

                  Sure, making workable security takes (non-free) effort, no argument there. But if you ask for 16 character passwords, youll get them written down, self-sent by email, and so on. In practice, making it harder for the user does not increase security, because work-arounds increase proportionally.

                  Which requires that either the person volunteer his personal phone for that or that the company issue him a company phone that supports that.

                  OT, but does any company still pay for phones? I thought those were gone the way of the company car. Work phones virtualized on personal phones are my bet for the future.

                  • by khasim (1285)

                    But if you ask for 16 character passwords, youll get them written down, self-sent by email, and so on.

                    First off, I can easily remember my passwords. Even the ones that are more than 16 characters long.

                    Secondly, if you cannot, what's wrong with writing them down and keeping them in your wallet?

                    In practice, making it harder for the user does not increase security, because work-arounds increase proportionally.

                    No. The point was that it will ALWAYS be easier for the user to ignore the security (if that is an opt

        • That's amazing. I've got the same combination on my luggage!

      • by neokushan (932374)

        This may be true, but DigiNotar wasn't the victim of some elite cyberhacker genius, the attacks used against them were relatively simple and, most importantly, preventable. Frankly, considering how they handled the situation and how much other forms of security rely on these certificates not being compromised, they deserve to go out of business. Let this be a lesson to all of the CA's out there - your security is of paramount importance.

      • Then why bother with CAs? Why not just use the law to handle these sorts of things?
        • by plover (150551) *

          Then why bother with CAs? Why not just use the law to handle these sorts of things?

          911 operator: How may I assist you? /Me: I need to do some banking over the internet right away, and I don't trust the CAs to securely issue certificates.
          911: Sir, all banks use certificates. Just type https:/// [https] and trust your bank. /Me: Can't I just use http:/// [http] and if a bad guy steals my account, you catch him, right?
          911: Sir, there aren't enough police to catch every on-line bank hacker if nobody bothered to protect their communications. I also have real emergencies to deal with now, so you'll have

        • by Tanktalus (794810)

          Do you leave your doors unlocked? Why not just leave your doors open and use the law to handle these sorts of things?

          Simple: you put up rudimentary security to dissuade opportunists (the vast majority of low-level criminals, in my estimation), and even the more seasoned criminals who look for value for difficulty. If you have more security than value, you'll be skipped. If you have more value than security, you'll be targeted. Eventually.

          By limiting police resources to only situations where value is mor

    • by plover (150551) *

      Businesses have a strong profit motive. The people who run businesses are greedy.

      In the case of this security firm, (yes, they were a security firm because selling certificates is participating in the security business,) insecurity has proven to be the ultimate risk to not only profits, but to their investments as well.

      I only hope that the employees of other security firms will email copies of news articles like these to their management and investors. "If you don't take security seriously and fund it appropriately, you will go bankrupt."

      • by erroneus (253617)

        As with the case of the financial crisis, taking large risk is nothing that business is concerned about these days. Shareholders are only interested in short-term gains and micro-second investments and transactions. "Long term goals" has been removed from the dictionary. The SEC has long since had regulations in place to prevent excessive risk-taking... and once those regulations had been pulled back, increased risk taking occurred which led to the crash we all witnessed and have been feeling all this ti

        • by lgw (121541)

          That's overly cynical. Most of the day-to-day activity in stock trading is very short term (which only stands to reason), but most stock ownership is long term, controlled in mutual funds and pension plans by managers who do care about risk. You can see the results of this in the market: day-by-day everything moves by fashion, but year-by-year companies with long-term plans tend to do markedly better - it's just nearly lost in the noise of the day-to-day price changes.

    • Security is expensive

      Not really. It does cost more than NO security but not much more. Example, how much does it cost you to have a decent password instead of Password1?

      Businesses have a strong profit motive. The people who run businesses are greedy.

      Yes and yes. But that isn't the core of the problem. Greedy people can have the best security. They don't want criminals to take their money.

      They will sacrifice everything, including security related expenses in order to boost profits in some way.

      In some case yo

  • Bankrupt? (Score:4, Informative)

    by Anonymous Coward on Tuesday September 20, 2011 @09:03AM (#37454780)

    How do you go bankrupt before any charges have been laid, fines levied, etc.? Sounds like the parent company ditching them before they can be held liable.

    • You sell one product, properly validated certificates, and now you can't sell that product. No income = bankruptcy.
    • Re:Bankrupt? (Score:4, Insightful)

      by mcvos (645701) on Tuesday September 20, 2011 @09:13AM (#37454864)

      Good point. On the one hand, they deserve to go bankrupt for failing at the one thing that justified their existence, but dumping the corpse before it can be properly examined smells iffy.

      Note that you don't have to be charged with anything to go bankrupt, though. When all your customers leave, you suddenly have no revenue, but you still have your costs. And since it's obvious to everybody that DigiNotar will go bankrupt anyway, nobody loans them money, they quickly lack the money to pay salaries and other costs, and suddenly they're bankrupt.

      • What I find bewildering(if not exactly surprising) is that Diginotar can seek bankrupcy protection without VASCO being involved.

        Diginotar can be expected to have basically zero income, and a bunch of expenses, in the near future; but (from VASCO's 2010 annual report)
        "In January 2011, we acquired all of the intellectual property of DigiNotar Holding B.V. and its subsidiaries and acquired 100% of the stock of DigiNotar B.V. and DigiNotar Notariaat B.V. (collectively, “DigiNotar”), each a priva
        • by mcvos (645701)

          That's what limited liability means, I'm afraid. Though with the recent mess in mismanaged corporations, I'd say it sounds reasonable if the limitations to liability were to be reduced somewhat. In other words, people and corporations should be held accountable, and indeed pay, if they cause big problems like these.

          • by rjmx (233228)

            Something I've never understood: exactly what benefit does the community gain from allowing limited-liability companies? If someone is free to establish a limited-liability corporation, and it goes broke owing lots of money to others, why should they be allowed to keep their own assets and, if they want, go on to start another such company?

            I'm sure there must be a reason we allow this, but for the life of me I can't think of one.

            • by DZign (200479)

              In most countries (afaik but I'm not an accountant/lawyer with international experience) there are restrictions..

              Especially the first months/year a company starts, the people who run it can be held personal liable.
              So don't think of starting a company, getting loans from a bank, increasing debt by not paying your suppliers, and just declare yourself bankrupt after a few months and get away with it. If your business plan wasn't wel defined and you didn't raise enough initial (own) capital to survive 1 or 2 ye

              • by rjmx (233228)

                Thank you. I figured there had to be a reason.

                Interestingly, the "fortune" at the bottom of this page has:

                > If you are smart enough to know that you're not smart enough to be an Engineer, then you're in Business.

            • by whoever57 (658626)

              exactly what benefit does the community gain from allowing limited-liability companies?

              Imagine that you are a small-time investor. You see that a company called Enron seems to be doing well, but as a small investor, you have no idea that there is anything fishy going on. S you buy a few shares of Enron. Suddenly Enron implodes, and you lost your investment. Now, the people that were owed money by Enron (employees, for example) sue you because there is no limited liability. Not only did you lose your inve

        • by nedlohs (1335013)

          I can understand at least the logic(if not necessarily the wisdom) of limited-liability-corporations as a vehicle for tiny stockholders to not take on outsized risks through holding miniscule slices of a large venture over which they have little or no control

          That isn't the reason behing limited-liability-corporations. They are vehicles to provide limited libility without regrd to who the shareholders are. Without checking or doing any reasearch I'm going out on a limb and claiming that there are more LLC that are 100% owned by 5 or less pepole than there are owned by more than 5. (Almost every IT person doing consulting jobs incorporates, as do most plumbers, electricians, etc who work for themselves, and so on).

          There are costs with those benefits - the entity

          • I realize that that is how limited liability companies are in fact used(Ambrose Bierce: "Corporation, n. An ingenious device for obtaining individual profit without individual responsibility."), my puzzlement is just with the fact that such usage persists in law...

            There is a certain logic to limited liability ventures in situations where you need large numbers of (relatively) small investors with limited control over the venture in order to accomplish some end(and, back when establishing an LLC required
            • by nedlohs (1335013)

              Such a usage persists because without it the risk of running a business would be far too large for most people. But yes the business that do run would go bankrupt less often - the price you pay for that is reducing GDP to 1/10th (completely made up) of what it is now. Most people won't take that trade.

              And incorporating doesn't insulate you from losses it limits losses to what you have invested. If some third party is willing to loan a company too much money that's their problem - they knew the deal when the

        • by tqk (413719)

          "... The acquisition expands the technological breadth of our product line by expanding our abilities to offer PKI technology throughout the product line."

          It'll be very interesting watching VASCO in the future, given this fiasco. Are heads at VASCO going to roll considering their abysmal research prior to acquiring DigiNotar? Did they even have any technical people ride along with DigiNotar's operations staff prior to signing on the dotted line? Will the board of directors keep their seats (and if so, why)?

          Ya gotta love it when doofuses are shown to be such, live and in Technicolor, splashing their incompetence onto the headlines world-wide. Evolution in

    • Re:Bankrupt? (Score:4, Interesting)

      by Kjella (173770) on Tuesday September 20, 2011 @09:36AM (#37455084) Homepage

      You have commitments like rent, wages and other expenses and suddenly no more projected income. Even if you're not cash flow insolvent yet, you can in most countries file for bankruptcy the moment it is clear that you will be unable to meet those commitments. In fact, in many countries you must do it so that all debtors get their fair share of the assets rather than the quickest getting paid and the last left with nothing. It's not that usual but if you suddenly lose your core business like this company did then that can be instant bankruptcy.

    • by xelah (176252)

      A company doesn't have to have no money today to be insolvent. I don't know Holland, but here in the UK your company will be insolvent if it knows it can't pay its bills as they come due, even if they're not due today. Any company will have long term contracts - to pay salaries/redundancy, to pay suppliers, etc. IANAL, but IIRC once insolvent, you have a duty to act in the best interest of your creditors (and not your shareholders) and not to treat any preferentially (pay your friend but not your employees,

    • 1. Cheap security, sell certs
      2. Get hacked, face huge liability claims
      3. Transfer all money to parent company
      4. Close shop
      5. Profit $$$

      Conclusion: If an CA can declare "bankruptcy" so simple, without having enough money to face liability, the certs of such a CA are worth nothing. We shouldn't trust those CAs in the beginning. What about a mandatory liability insurance for CAs? The insurance will check that you operate securely, I bet ...

  • So, if certs cannot be trusted, and this brings to the surface the whole concept of "trust", what are we to do? What should we use?
    • by maxume (22995)

      What are you using certificates to secure?

      If you are just shopping, why worry about it?

      If you are securing communications that are important to a business or something, you can build your own certificate chain (meaning you can set it up so that hackers would need to break into a safe or whatever, not some internet connected computer), and so on.

      • As long as your business partner is also a company, this might fly. If you're selling to a lot of computer illiterates (like, say, banks trying to convince their customers to use the internet for banking so they can fire a few more clerks), trying to explain to them what constitutes a trustworthy certificate will probably mean higher expenses than keeping the clerks.

    • Well, there are these other options:
      • Manual verification -- perhaps banks and retail outlets could hand out fliers with QR Code or Data Matrix encoded copied of their pubilc key fingerprints. This does not solve the problem for small businesses that need to deal with people online (potentially people who cannot receive fliers or business cards), but for local businesses or large corporations it is potentially workable. Key replacement is the biggest problem here (anyone who has tried to manage sshd should
    • Some say Convergence [youtube.com] is the answer [convergence.io]. I haven't been able to make it work, personally, so it's probably not ready for prime-time. Also, I don't like the name.

  • by Anonymous Coward

    Not that it repairs the fuckup, or that anyone else will learn from it, but at least the incompetent got what was coming to them, just this once.

    • Do we have any reason to believe that 'the incompetent' hadn't either already jumped ship, or structured things so that the possible collapse of the scheme would leave them to float gently down on their golden parachutes and on to the next victim?

      Low-level incompetents(along with their competent; but low-level peers) tend to go down with the ship; but people with enough power to cause really systemic fuckups are often first to the lifeboats...

      In Diginotar's case, the sheer scale of the fuckuppery sugg
      • There's a reason for this: These companies are shells. There's no need to make them secure, they're in the name of Canary M. Burns and if the shit hits the fan, the Canary gets to croak while the next shell is created.

        Give it a week or two and we'll see a new company take over, that miraculously is somehow connected to the parent of DigiNotar.

  • With major browsers kicked its CA cert out of the trusted list, the CA by definition and practically could generate no profit...

    What else do you expect, huh? Of course it could only get closed!

    • by maweki (999634)
      Yeah, nobody should be surprised by this. They sell trust and if they no longer have any trust to sell, they go bankrupt. It's not like you could import trust for a dime a dozen from China.
      • by KiloByte (825081)

        It's not like you could import trust for a dime a dozen from China.

        If you pull the right strings, CNNIC will gladly cross-sign your root key. It will cost you more than 10/12 cents, though.

        • by Lennie (16154)

          Only if they create a new root, most browsers completely blocked the CA even as a sub-CA.

    • by Amouth (879122)

      also with their CA pulled - anyone with a cert from them (legit) could go after them to foot the bill for a cert on a competitor.. I bet that's the main reason for filing bankruptcy, so they don't have to pay customers back.

      i do love how the "parent" company says losses will be high.. they are going to write off/avoid the brunt of the "losses" when they file bankruptcy for the sub company.

    • by wvmarle (1070040)

      Close down yes. Bankrupt, not so fast. If they can't survive even weeks without income and have no choice to go bust leaving behind large debt (as is suggested in the article) their business was not financially sound at all. Which in turn may explain why they did not take the safety measures they should have taken.

      • by xelah (176252)

        Continuing without income means burning through cash which could otherwise be distributed to creditors. Unless that's somehow going to make things better for creditors that's unlikely to be allowed. If they either had some reasonable prospect of recovering their business, or had enough cash to pay all of their redundancy payments, all of the future payments on their long term contracts, etc. then they could have chosen to continue. If not, then it's quite possible (I don't know the local law) that they're r

        • by wvmarle (1070040)
          Of course, but liquidating doesn't necessarily means that the business is bankrupt. Businesses close for whatever reason other than bankruptcy (owner retires; landlord raises rents too much; business simply unprofitable but also not loss making). And also in those cases a liquidator is appointed to take care of that.
  • teach 'em a lesson (Score:3, Informative)

    by burris (122191) on Tuesday September 20, 2011 @09:19AM (#37454916)

    Lesson learned: if you are a CA, under no circumstances should you allow any breaches to become public.

    • Quite the opposite: If you're a CA, don't even try to hush it up since it WILL get out and then any semblance of trust (which is your ONLY asset as a CA) is destroyed.

      Look at Comodo for how to do it right. Yes, they fucked up too, and they will get some heat for that, but they're nowhere near being kicked out of the trusted CAs list of any browser.

      If you notice a breach, you can actually react properly and easily fix it by NOT covering up but by coming forwards with it. The expense to recover from a breach

      • by Kalriath (849904)

        Or Verisign, who managed to lose Microsoft's Code Signing certificate. Didn't get in too much crap for that...

  • Misplaced paranoia. (Score:5, Interesting)

    by the_raptor (652941) on Tuesday September 20, 2011 @09:21AM (#37454936)

    My favourite part of the article:

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    TEMPEST http://en.wikipedia.org/wiki/TEMPEST [wikipedia.org] is a method where you intercept EM radiation from a computer and use that to reconstruct some information about what that computer is doing. For example the US government could supposedly read CRT monitors from a fair distance away.

    However, worrying about TEMPEST protection when you not only have those system connected to systems that are connected directly to the net, but use a single management username and password combo for your entire network is just insane. Even if the system wasn't connected to the Internet the freaking janitor could have placed a key-logger and had access to the entire system.

    It is far cheaper to bribe one employee then spend millions setting up a modern TEMPEST system. I guess even the Dutch practice security theatre.

    • For example the US government could supposedly read CRT monitors from a fair distance away.

      That is not very impressive, since the glow from a CRT is enough to reconstruct the image on the screen, and Ross Andersen's book describes how less than $1000 of equipment is enough to pick up stray emissions from a VGA cable and reconstruct the image from a neighboring building.

      • by wvmarle (1070040)

        I'd guess a simple and effective counter measure against that is to have say a hundred monitors present in the same room as the one you try to secure, and have them just showing a screen saver or so. Some that move, others that are mostly static, whatever. Good luck filtering the signal of one monitor out of that!

      • by fbjon (692006)

        That is not very impressive, since the glow from a CRT is enough to reconstruct the image on the screen.

        I do this every day using organically grown Eyeball technology, in fact.

    • It is especially ironic that they were using (pitifully weak) password authentication, when they are a wholly-owned subsidiary of a 2-factor authentication vendor...

      I can only assume that having good authentication is hard, boring, and forces people to remember stuff, while getting to open the Big Serious Door and walk into your (probably sold by the vendor as "military grade") TEMPEST datacenter, with all the blinkenlights, involved no ongoing effort after the initial install and gave everyone involved
    • by cptdondo (59460)

      I thought a part of TEMPEST was that the machine could not be connected to a LAN except to other TEMPEST machines... ISTR that our tempest machines had removable drives that were stored separately in a safe and only inserted when the machine was booted. No LAN connection was allowed at all outside the room.

    • Want to bet that some ISO 27k auditor wanted the Tempest-proof environment and didn't care about the single user/pass access?

      And here I wonder why security auditors have such a bad name...

  • by AtomicJake (795218) on Tuesday September 20, 2011 @09:41AM (#37455142)

    DigiNotar got what it deserved.

    However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

    The whole CA system in broken. I would rather like to trust only CAs that have earned the trust. E.g. CAs that have been validated by my bank for online payments (but not for my email).

    • However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

      That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.

      • However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

        That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.

        Well, it can only happen to CAs, which do not know security (and since we have hundreds of them in our browsers, it is very likely that there are others that are as bad as DigiNotar). However, reducing the number of CAs is not a solution, as this will just elevate the risk for a each security breach at a CA. The only solution is delegate the "trust" relationship in a way that it economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that is used for on

        • The only solution is delegate the "trust" relationship in a way that it economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that is used for online payments - if the (by the bank trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not have yet an idea of certs used by "free" Webmail (e.g. gmail).

          You got the problem completely wrong. Let's say my bank is highly knowledgable, they figured out that there are 10 CAs they can trust one hundred percent and the others are a bit dodgy, and they use one of the 10 CAs that are hundred percent trustworthy. The problem is that any of the dodgy CAs can create a certificate for the bank's website that will be trusted by your browser until it is found out and revoked, without the bank being involved at all. And of course the victim of a hack will not be in contac

          • The only solution is delegate the "trust" relationship in a way that it economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that is used for online payments - if the (by the bank trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not have yet an idea of certs used by "free" Webmail (e.g. gmail).

            You got the problem completely wrong. Let's say my bank is highly knowledgable, they figured out that there are 10 CAs they can trust one hundred percent and the others are a bit dodgy, and they use one of the 10 CAs that are hundred percent trustworthy. The problem is that any of the dodgy CAs can create a certificate for the bank's website that will be trusted by your browser until it is found out and revoked, without the bank being involved at all.

            No, the idea is that you only trust the CAs that have been trusted by the bank and not the dodgy CAs (so no more default lists of hundreds of 'trustworthy" CAs). Did I explain it that badly that this was not obvious?

      • At the same time we have too many trusted CAs I've heard others claim.

        Hogwash

        Big CAs can use multiple intermediate keys to spread the risk. Browser and OS vendors are the first link in the chain of trust, they have more than enough sway to demand levels of risk acceptable to them. You are the next link, complain to your browser / OS vendor and raise a stink. They'll demand stronger audits or contracts. Money talks folks.

        There's nothing wrong with a chain of trust, or you wouldn't be trusting anything el

    • A good way to do this would be to come up with a reputation-based system that filters down.

      For example, CAs would need a higher reputation than that of sites and services.

      This model won't work with the existing CA business model, however.
  • Idiots (Score:4, Interesting)

    by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Tuesday September 20, 2011 @10:51AM (#37455910) Homepage

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    It is at once hilarious and depressing that there are tech and security managers who take steps to shield equipment from electromagnetic detection and then leave that equipment open to remote access. Wrap your computer in tinfoil and then stick your password on the screen.

  • would be 'significant.'

    I think they are filing for bankruptcy while they still have money in their pockets to avoid law suites as opposed to gone bankrupt. I believe "gone bankrupt" means they are broke and giving up.

  • I have said so many times that we are not strict enough on punishment for the cyber crimes that affect companies, this should prove as a perfect example why certain individuals that bring down a company due to their hacking ventures, should face proper penalties.

  • by colfer (619105) on Tuesday September 20, 2011 @02:05PM (#37458322)

    can fix. Also amazing how complex CA authority has become. The concept is fairly simple, but the niceties of the trust bits have become so arcane that Mozilla is having to fix erroneous understandings of the bits in their own code, without breaking legacy. Then the people working on security code have highly resistant personalities and so all kinds of nonsense gets frozen in for years.They sort of have to be that way, to keep their code gov't certified... what a mess. Crowd-sourced verification of self-signed certs is starting to sound better & better.

    The practical results of the way the code works at least at Mozilla were mystified complaints about the fake revoked Digninotar certs put in Mozilla to block real fake certs! That is not a model for the future. They are working on it, but it's glacial.

    • by colfer (619105)

      Monopoly €1000 certs, that's a not a biz model you can fix. Someday I will understand Slashdot editing.

  • which was carried out by the hacker-soldiers of the government of Iran for the purposes of identifying the 300,000 Iranians that radical fundamentalist Theocracy wants to muzzle. In other words, state sponsored terrorism.

Some people carve careers, others chisel them.

Working...