Lone Iranian Claims Credit For Comodo Hack

nk497 writes "A boastful Iranian hacker has claimed sole responsibility for the Comodo security certificate attack, saying it had nothing to do with his government. The 21-year-old claimed via a note on PasteBin, 'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.' While some researchers believed his claims, saying the media had accepted Comodo's claims that the attack was from the Iranian government too easily, others said it was impossible to tell if the hacker was real, or a PR move by Iran."

Why provide him a platform?

[bogaboga]

Isn't Slashdot providing this dude a platform for [free] publicity? Why is this story even here? Nothing about it is substantiated at all.

The only thing I can guarantee is that there is a human being at the other end who is now in the news.

Re:

[iamhassi]

Dude? I thought this was a PR move by Iran?

Re:

[ls671]

Hmm... If I understand your post correctly, let me comment a bit:

Do you know how certificate signing work ?

Done properly, one should never reveal its certificates private keys at any time. So in the end, a certificate signed by an external company should be as confidential as a self signed certificate or a certificate signed by a company you trust.

This is the whole idea behind PKI.

Granted, I have seen many people who do not understand this important point. I have seen cases where the the signing authority w

Re:

[Anonymous Coward]

Snake Plisskin. I've heard of you. I HEARD YOU WERE DEAD!

Re:An anonymous claim of skill?

[_Sprocket_]

New infosec meme.... "with experience of 1,000 hackers."

Re:An anonymous claim of skill?

[kill-1]

Follow-ups:

"I should mention my age is 21"

"How smartass you are?"

"My orders will equal to CIA orders"

"I'm a GHOST"

"I'm unstoppable, so afraid if you should afraid, worry if you should worry."

"I did it one time, make sure I'll do it again" (reminds me of Steve Ballmer)

"RSA 2048 was not able to resist in front of me"

Re:

[game kid]

"I'm unstoppable, so afraid if you should afraid, worry if you should worry."

I think 1,000 hackers is a pretty cool guy. eh takes over comodos and doesn't afraid of anything.

Re:

[_Sprocket_]

I think 1,000 hackers is a pretty cool guy. eh takes over comodos and doesn't afraid of anything.

Dude. I was in to 1,000 Hackers before they were cool. Now they're just sell-outs.

Huh?

[nog_lorp]

This message is sort of retarded. First he tried to solve prime factorization, and then he was like "maybe I should hack a CA instead"? And later he will do us the favor of "proving it is not possible" to come up with a prime factorization algorithm?

rules, rules, rules

[simoncpu was here]

I'm glad there's no rule #34 of this Iranian hacker.

Re:rules, rules, rules

[coyote_oww]

If he has the experience of 1000 hackers, it would still not involve a single woman.

At least we know where they get the virgins

[SmallFurryCreature]

To bad suicide bombers, the virgins? It is this guy... mind you, if you examine world history especially in the sunnier parts... they might not mind.

Re:

[Isaac Remuant]

It loses it's magic after Google Translate... :P

On a serious note, Is it possible that the grammar mistakes are intentional? Would a decent hacker who'd have to deal with the English language all around make so many mistakes? I'm asking out of total ignorance here.

Uhg...

[Anonymous Coward]

This is the first I saw a straightforward description of the hack... "SQL injection, then privilage escalation, got SYSTEM shell, remote desktop, investigation and I discovered trustdll.dll :)" Where trustdll.dll was a c# lib he decompiled and saw hard-coded credentials. This was it? Really?

Of course it's a PR move

[Weaselmancer]

I mean come on, really?

'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.'

Sounds just like the Iraqi Information Minister or Kim Jong Il. "Oh no no no! I not a group or government no! I am super skilled hacker with skill of 1000 men. I can play 18 rounds of golf in 18 shots by getting 18 hole in one. Yes! I just that good!"

Re:

[bongey]

18 rounds of golf in 18 shots

Just 18 I could do it 1

Re:

[AlienIntelligence]

18 rounds of golf in 18 shots

Just 18 I could do it 1

Chuck? Chuck Norris? Is that you?

-AI

Re:

[MrSenile]

No, if it was Chuck Norris, he'd get all 18 holes in one without swinging, without the need for a ball, and without having to get out of bed to actually show up.

Re:

[Anonymous Coward]

'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.'

Something tells me this guy will soon become a single dead hacker with experience of 1,000 virgins.

Tip your server. I'll be here all the week.

Re:

[Anonymous Coward]

First, the Dear Leader did not claim to make 18 hole-in-ones. Just a hole-in-one one the first par 4, his first hole ever (although they didn't mention if he took a practice swing), and all the subsequent par 3s. I believe his final score was somewhere in the 40s.

Second, I did the exact same thing once on Tiger Woods PGA Tour 2009 on Xbox, so I wasn't impressed.

Re:

[retchdog]

it's 38 under par, so ~34 shots, and with five holes-in-one claimed.

Re:

[failedlogic]

I think you are heading down the right direction here in finding this network based SCWMD assault (Security Certificates for the Web of Massively Disorganized). Unfortunately the hacker will be very difficult to identify. As you allude, a skilled hacker that can write press releases like the Iraqi Information Minister, instill fear like only Kim Jong Ill can do and yet still have the time to practice and play a perfect round of 18 rounds of golf. I think while the clues you offer are an attempt to be helpfu

Re:

[syousef]

'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.'

Sounds just like the Iraqi Information Minister or Kim Jong Il. "Oh no no no! I not a group or government no! I am super skilled hacker with skill of 1000 men. I can play 18 rounds of golf in 18 shots by getting 18 hole in one. Yes! I just that good!"

Actually my first thought was Charlie Sheen...winning with the power of his mind once again....I know, I know, that was last week's meme.

He didn't mean he had the skill of 1000 hackers

[CrazyJim1]

He meant to say he had the skill of a 1000 hacks.

Re:

[antdude]

That is why I like to say "prove it!". :)

I'm convinced

[wrencherd]

From TFA:

The individual, who calls himself ComodoHacker

Well, there you are.

Re:

[binaryseraph]

Or to the rest of the SSL using world: CommodeHacker.

Re:

[Zanadou]

Would you like to sell a vowel?

It was really just the MCP

[Dachannien]

I've grown 2,415 times smarter since then.

Having the skill of 1000 hackers...

[sdguero]

deserves 1000 virgins in the afterlife, right?

Re:

[sayfawa]

No, no, no, the jihadists get the 1000 virgins. He gets the 1000 right hands.

Re:

[Anonymous Coward]

I read all of his Pastie's.

If you want a laugh, read them.

A lot of egotistical shit talk from a guy who doesn't realize RSA simply cannot be "cracked". It's impossible.

If you had any common sense, you would use your "hacks" on the actual people who have/had access to having CR's resigned.

Also, let's not just throw around "symmetric" and "asymmetric" when dealing with encryption and hashing, it just makes you look dumb.

And working on a way to derive two prime factors of a number is ridiculous, you won't ever accomplish it. Simply because we are dealing with numbers larger than the processing ability of most computers that can be accessed (spare some), and the fact that primality tests aren't something you can simply "write".

I thought I had an epiphany in math class a few weeks ago (pre-calc is boring as fuck, and my Ti-84 only can do so much, even with asm programmin), and realized that if you took any number, you can first run it against basic tests and tests of division. Even numbers out, numbers whom digits add up to a multiple of 3 are out, etc. After that, you are fucked.

RSA is secure. Period. It's implementation can only be *so* secure.

And lol, if you want to do something actually epic, and worth bragging about, steal the private RSA key and code yourself a resigner. Until then, stop acting like you did anything tremendously amazing.

This is all >implying this kid isn't just frontin.

-Thilo The "Hax"

Are you talking about yourself? You're only in high school. The extent of your formal math knowledge is beneath basic calculus. Shut up and get over yourself.

He sounds VERY pro-government!

[damoncz]

I am an Iranian dissident living outside Iran and this guy is VERY pro-government, which is a rarity in Iran if you are following the news.. Line 41: "A message in Persian: Janam Fadaye Rahbar" Means "my life sacrificed for the Leader". Only Khamenei goons otter that. I smell something fishy. Can't be a lone hacker...

Re:

[iamhassi]

Means "my life sacrificed for the Leader". Only Khamenei goons otter that. I smell something fishy. Can't be a lone hacker...

Maybe he took the blue pill...

Re:

[AB3A]

Mod parent up for informative post.

This boastful diatribe is not the mark of a really smart person. It seems more like a cult member taunting the public.

I do not doubt that he could be crazy and smart at the same time. I think Iran's leadership has noticed the power of the stuxnet virus/worm. They're rightfully embarrassed. However, instead of fixing their problems and moving on, they're lashing out with dweebs like this deluded idiot.

The fact is that our CA platforms of trust are quite vulnerable. We sho

Re:

[GameboyRMH]

Who says he isn't the Iranian equivalent of The Jester?

Newer Info

[LoneHighway]

Jacob Appelbaum tweeted this earlier. Comodohacker may be for real.

It appears that the #comodogate hacker has posted the secret key for Mozilla's cert: http://pastebin.com/X8znzPWH [pastebin.com]

Re:

[netsharc]

BTW it's not "Mozilla's cert", it's the cert faking to be addons.mozilla.org that he created and signed through the compromised CA...

Re:

[Xest]

Why would that make him legit? Just means if he's an Iranian propaganda agent that the actual group of Iranians, from perhaps Iranian military establishments that did the hack gave it to this PR guy to paste.

We know the hack was real, we know it came from Iran, nothing there changes that. That doesn't in any way prove he was a lone individual. only that he is at least connected to the person or people that really did the attacks.

More info

[raulfragoso]

An interview with ComodoHacker: http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html [blogspot.com] His twitter account is @ichsunx

till..

[0dugo0]

He had me till HAARP.