Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Another Dutch CA Hacked

timothy posted more than 2 years ago | from the need-more-fingers-in-these-holes dept.

Security 152

An anonymous reader writes "After the fiasco involving DigiNotar, another Dutch CA (Gemnet, a daughter of KPN-Telecom) has been hacked and databases were accessed, webwereld.nl reports (Dutch original). The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password. The site has been shut down and security checks were ordered."

cancel ×

152 comments

Web Admin of the Year (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38302498)

So a CA, holder of the keys for SSL certs, had an externally facing db admin module with no password... Just wow...

Re:Web Admin of the Year (4, Informative)

ledow (319597) | more than 2 years ago | (#38302540)

Ignoring that - they had internal documents that were accessible from their web/database server. Everything else defies belief too but really wouldn't have mattered that much if it had been ONLY their web db that was accessed.

Re:Web Admin of the Year (1)

g00head (1433713) | more than 2 years ago | (#38302548)

Very true, and a very good point

Re:Web Admin of the Year (2)

michelcolman (1208008) | more than 2 years ago | (#38303854)

But the biggest question is: why has it taken so long for them to be hacked? I suppose nobody suspected that they would be that stupid, so nobody bothered to even try? Talk about hiding information in plain view...

Re:Web Admin of the Year (3, Insightful)

John Hasler (414242) | more than 2 years ago | (#38306646)

But the biggest question is: why has it taken so long for them to be hacked?

How do you know it did?

Re:Web Admin of the Year (1)

19thNervousBreakdown (768619) | more than 2 years ago | (#38305696)

Given the number of exploits for phpMyAdmin, whether it's passworded or not is practically irrelevant if it's exposed to the internet.

But, since browser manufacturers don't audit CAs (I've never heard either way whether they audit or not, but even if one of them claimed to do so, given the track record I'd have to call bullshit), this hardly matters anyway--it's just going to happen again and again, and it's already happened a number of times that we have no idea about.

Re:Web Admin of the Year (0)

Anonymous Coward | more than 2 years ago | (#38307390)

These people should be CA's let alone admins of anything other than a mylittlepwny website.

jawdrop (5, Interesting)

v1 (525388) | more than 2 years ago | (#38302510)

website was managed using PHP-MyAdmin, and this application allowed database access without a password.

At what point does this become "criminal negligence"?

And you'd expect there would be some sort of periodic audit process in place for anyone that manages a root certificate? hippa-style something or other? Or will they just set up any idiots with a CA that have good credit?

Re:jawdrop (3, Interesting)

Afforess (1310263) | more than 2 years ago | (#38302826)

Actually, you could make the counter claim that the story title is bad.

After all, it isn't stealing to pick money off the ground, it isn't hacking to visit public web data.

Re:jawdrop (1)

Anonymous Coward | more than 2 years ago | (#38305530)

The title IS misleading. This is incompetence or negligence but 'hacking' in the title gets more eyeballs.

Re:jawdrop (2)

jon3k (691256) | more than 2 years ago | (#38302844)

HIPAA*. It's short for "Health Insurance Portability and Accountability Act". Sorry, pet peeve.

Re:jawdrop (0)

Anonymous Coward | more than 2 years ago | (#38303934)

And you'd expect there would be some sort of periodic audit process in place for anyone that manages a root certificate? hippa-style something or other? Or will they just set up any idiots with a CA that have good credit?

HIPAA*. It's short for "Health Insurance Portability and Accountability Act". Sorry, pet peeve.

Aside from being an Americanism, the use was perfectly acceptable, as the writer was asking if there are/were any in depth, ineffective, burdensome
rules/regulations in place akin to what the American HIPPA law is/was supposed to do.

Re:jawdrop (1)

Anonymous Coward | more than 2 years ago | (#38304994)

The irony here is that your parent was literally spelling out his point. And you still failed to understand it, recognize your failure to understand it, and felt compelled to reply. And then made the same mistake GP was correcting.

Lets play 'Pass The Blame!....' (4, Informative)

EasyTarget (43516) | more than 2 years ago | (#38302538)

this application allowed database access without a password

Nope, it doesn't.. not unless configured by a really clueless person, or (this being Holland) by someone who really couldn't give a f**k while being mis-managed by someone determined to spend as little as possible, or hopefully less.

(disclaimer; I'm a sysadmin who runs, amongst many other things, a MySQL server + PHPmyadmin for my company in the Netherlands, I do it properly but that's only because I care, nobody has ever checked..)

Re:Lets play 'Pass The Blame!....' (3, Informative)

johnkoer (163434) | more than 2 years ago | (#38302660)

not unless configured by a really clueless person

I think that is what was being implied by the summary. When I read it, I didn't assume that that was how PHPmyadmin came out of the box. They probably should have used better wording like "nd this application was configured to allow database access without a password", to ensure they got the correct point across.

Re:Lets play 'Pass The Blame!....' (4, Interesting)

Gaygirlie (1657131) | more than 2 years ago | (#38302856)

Atleast to my eye it looks like they're trying to lay blame on PHPMyAdmin. Perhaps it's just poor wording but still, that's how it does come out. And well, everyone knows that anything can be made insecure if they're given in incompetent-enough hands.

Re:Lets play 'Pass The Blame!....' (1)

Anonymous Coward | more than 2 years ago | (#38303764)

Atleast to my eye it looks like they're trying to lay blame on PHPMyAdmin.

I agree completely. Even worse, my experience tells me that this article could very well show up in some IT department's policies as a reason behind a "best practice" of banning PHP itself. I've always thought it "rude" for programs to include the technology they use in their names. The technology gets a bad rap for the program's problems in the eyes of the technically-challenged.

Re:Lets play 'Pass The Blame!....' (1)

TheSpoom (715771) | more than 2 years ago | (#38305170)

Even if it ships without a password out of the box (and I think it does), that shouldn't allow free access to the database, unless their database accepted a connection, from the root user, with no password. Someone there doesn't know how to setup MySQL.

Re:Lets play 'Pass The Blame!....' (2, Insightful)

YeeHaW_Jelte (451855) | more than 2 years ago | (#38302698)

I haven't worked with PHPMyAdmin for years (luckily) but even having it accessible from public IP adresses is a serious oversight, password or not.

Re:Lets play 'Pass The Blame!....' (-1)

Anonymous Coward | more than 2 years ago | (#38303508)

It is not a oversight!

PHPMyAdmin's default setup is configured to only allow localhost admin access with a password!
I know because I installed it more than once.

They must have deliberately opened it up to the net and hacked in a way to have no password. (Which, as far as I know isn't even possible with a normal installation!)

So I smell a mole here. Otherwise I can't imagine how this could have been possible.

But who the hell uses a PHP tool and MySQL for something as serious as a professional CA?
PHP and MySQL are for amateurs and wannabe pros (aka "web professionals"). (Disclaimer: I am an actual professional web application developer, and am offended by everyone calling themselves "web professionals" after having read a single HTML book and built a site in Dreamweaver from a Photoshop screen.)
I would have installed a PostgreSQL server cluster (for reliability), a massive backup facility enabling you to go back at least a year, a hardcore OpenVPN with port knocking as the only connection to the servers, hardening, PAX, SELinux, a IDS, honeypot, rootkit-checker, logcheck, constant auditing from another system which is itself hardened and audited too
and a self-developed client application for DNS management that connects to the server through that VPN.
Something along those lines. No "web apps". No open ports. No bullshit.

Of course even that would not help against a mole.

And of course I would probably not have gotten the deal for being too expensive. ^^ (Now guess how expensive losing all your clients for being hacked is... ;)

Re:Lets play 'Pass The Blame!....' (0)

kyrio (1091003) | more than 2 years ago | (#38304616)

Uh... what? phpmyadmin is configured for external access by default. It asks you for passwords during setup. Unless you mean when configuring it manually, and not through the repos.

Re:Lets play 'Pass The Blame!....' (1)

kdemetter (965669) | more than 2 years ago | (#38306876)

There is difference between being able to access the database directly, and accessing the database through phpmyadmin :

- On any website i have used , by default direct access to the database is only possible for localhost .
- phpmyadmin is publiciy accessible for everyone, allowing you to administer the database, from any place.
- to get to phpmyadmin, you are required to authenticate.

If phpmyadmin doesn't have a password, the password on database isn't going to matter much , as you can change your password through phpmyadmin anyway.

Re:Lets play 'Pass The Blame!....' (1)

Nefarious Wheel (628136) | more than 2 years ago | (#38308468)

There is difference between being able to access the database directly, and accessing the database through phpmyadmin :

- On any website i have used , by default direct access to the database is only possible for localhost .
- phpmyadmin is publiciy accessible for everyone, allowing you to administer the database, from any place.
- to get to phpmyadmin, you are required to authenticate.

If phpmyadmin doesn't have a password, the password on database isn't going to matter much , as you can change your password through phpmyadmin anyway.

One point - I've set up a couple of XAMPP installations, but I can't remember whether it allows multiple login fails without an air-gap. If it doesn't have a form of interrupt here, it's susceptible to a simple odometer attack. Can anyone remember?

Re:Lets play 'Pass The Blame!....' (2)

arth1 (260657) | more than 2 years ago | (#38303846)

(disclaimer; I'm a sysadmin who runs, amongst many other things, a MySQL server + PHPmyadmin for my company in the Netherlands, I do it properly but that's only because I care, nobody has ever checked..)

As a long time sysadmin, it has become my opinion that the way to use tools like phpmyadmin "properly" is not at all.

I once thought that they might be okay for home use, but have changed my mind on that too - it breeds a generation of "sysadmins" who don't know exactly what they're doing, or why, and in some cases don't even give a fuck about their ignorance. They may then expect the tools at work too, because they have made themselves dependent on them.
When the undigestables meet the stationary propeller, and they have to investigate what went wrong, they don't know how. When faced with systems where their tools aren't present and can't even be installed, they hit a stumbling block, if not a roadblock.

Re:Lets play 'Pass The Blame!....' (2)

tbannist (230135) | more than 2 years ago | (#38304780)

Your line of reasoning is a little off, you could use the same argument against every labor saving invention in the history of mankind (No spears for you caveman! Lest you forget how to properly kill a deer with your bare hands!). phpMyAdmin is very useful for doing a lot DB work quickly. I use it practically every day. It's an invaluable tool for developers, for examples, who are managing their own local databases and a useful tool for support personnel who can be trusted with some database access but aren't going to learn full SQL and the MySQL CLI interface.

Sysadmins who don't know exactly what they're doing aren't sysadmins, they're "unqualified applicants", and it's the job of the person doing the hiring to reject them and tell them to go learn what they're doing. Whether that's HR or an individual manager, it's their failure if they're hiring incompetent people.

Re:Lets play 'Pass The Blame!....' (1)

webnut77 (1326189) | more than 2 years ago | (#38305130)

Thank you for saying this so well.

Plus

  1. phpMyAdmin (at least the way I use it) does not have its own passwords. It uses a MySQL user ids and passwords. If you fail at securing MySQL, it's not phpMyAdmin's fault.
  2. If it's running under Apache httpd you can limit access in a lot of ways (i.e. by IP address and/or Apache login) so there is no problem with it running on an internet facing server.
  3. You can be a CLI guru and still use a GUI to get things done.

Re:Lets play 'Pass The Blame!....' (1)

mark_elf (2009518) | more than 2 years ago | (#38307704)

Yeah pretty much. I know this is /. so we have to quibble about every goddamn thing, but if you're installing something like phpMyAdmin and it doesn't ask you about passwords, or whatever dumbass thing happened here, the problem is that somebody screwed the pooch by just leaving it that way. We gotta make it a little harder than that.

I think the takeaway from this story is that there are "sysadmins" that don't know what they are doing and occasionally demonstrate this in spectacular ways. There are also VP's that fire good people before they are finished because they themselves don't understand the business they are in. It sorta works? OK, that's good enough, you're fired.

Re:Lets play 'Pass The Blame!....' (1)

rev0lt (1950662) | more than 2 years ago | (#38306918)

A developer that would need to use phpMyAdmin should already know enough SQL to use the CLI interface. There are plenty of graphical mysql administration tools that can easily work with a tunneled ssh connection. In the cases that is not feasible, the alternative should never be to upload a 3rd party tool, with a rich history of known vulnerabilities, to a production server.

Re:Lets play 'Pass The Blame!....' (0)

Anonymous Coward | more than 2 years ago | (#38312334)

There are plenty of graphical mysql administration tools that can easily work with a tunneled ssh connection.

Like... phpMyAdmin! What, never occurred to you to do it that way?

Re:Lets play 'Pass The Blame!....' (1)

rev0lt (1950662) | more than 2 years ago | (#38312552)

Why would you use a 3rd party bug-ridden application, when you can use the only slightly crappy MySQL Workbench, from the same guys that bring you MySQL?

Re:Lets play 'Pass The Blame!....' (1)

rev0lt (1950662) | more than 2 years ago | (#38306844)

Last time I checked many (most?) sysadmins don't know exactly what they're doing, and that's why graphical and wizard-based configuration tools are so popular. And no, I'm not talking about windows. There's nothing wrong with that, in most cases. Critical or public facing infrastructure should be the exception, though.

Re:Lets play 'Pass The Blame!....' (1)

kdemetter (965669) | more than 2 years ago | (#38306974)

So you are blaming the tool for failures of the users ( sysadmins are users in this case ).
If they don't know how a tool works, the solution is not to stop using the tool. The solution is to learn how it works.

Re:Lets play 'Pass The Blame!....' (1)

Nefarious Wheel (628136) | more than 2 years ago | (#38308592)

It's easy for us to forget the complexity and blame the sysadmin, too. It might be wise to periodically remind the user community that these are machines with billions upon billions of intangible but very real moving parts. The number of utilities and GUI property pages we have to use are many - thousands - and when budgets are trimmed a little too tightly, some of the bits will become misaligned. Knowledge or no, the sysadmin has a fairly huge workload and you have to allow time to get it right before you go public and fire the sysadmin because you brought him on with capex instead of opex.

Nothing wrong with PHPMyAdmin (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38302558)

Why blame the tool? It's like blaming the web browser that the people used to access PHPMyAdmin to access the unsecured database. It's the dits who didn't secure the database that are to blame. Put a password on it and PHPMyAdmin won't be able to get in. Unless there's an exploit I'm not aware of, of course.

Re:Nothing wrong with PHPMyAdmin (2)

ggeens (53767) | more than 2 years ago | (#38303910)

Why blame the tool? It's like blaming the web browser that the people used to access PHPMyAdmin to access the unsecured database.

AFAIK, PHPMyAdmin doesn't have its own security. The user/password is passed to the MySQL server. If they were able to create databases without a password, it would seem that MySQL was installed without a password for the mysql admin user. During installation, MySQL asks to set a root password. A long time ago, this was not the case.

This would seem that they had a very old MySQL setup and they never changed the password.

Re:Nothing wrong with PHPMyAdmin (1)

whoever57 (658626) | more than 2 years ago | (#38304054)

During installation, MySQL asks to set a root password

Not on Centos, and I assume Red Hat.

Re:Nothing wrong with PHPMyAdmin (1)

kyrio (1091003) | more than 2 years ago | (#38304644)

It's asked me for a root pass on CentOS, and Debian and others that I've used.

Re:Nothing wrong with PHPMyAdmin (1)

TheSpoom (715771) | more than 2 years ago | (#38305322)

Echoing this sentiment. Every package management system I've used to setup MySQL asked to set a root password.

Re:Nothing wrong with PHPMyAdmin (1)

whoever57 (658626) | more than 2 years ago | (#38307452)

It's asked me for a root pass on CentOS,

Step 1: yum install mysql-server
Step 2: service mysqld start

No password required.

Err, wow - just wow. (2)

Penguinisto (415985) | more than 2 years ago | (#38302560)

"The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password."

I honestly don't know what to say. I mean, doing something like this on an internal network would be bone-headed enough, but doing it on an external-facing box? Under conditions where you would think security is paramount? I mean, you have to actually install and set up PHP MyAdmin - that shit isn't on by default.

But, the fault lies elsewhere as well. After all, who the fuck was supposed to be doing the compliance audits, pen-testing, network security, firewall security? You always hire a reputable outside person/company to do those things.

I honestly think the corp got what it deserved at this point... though the victim customers certainly don't deserve what they're about to get (a scramble for new certs, integrity checking, etc).

Re:Err, wow - just wow. (2)

Pieroxy (222434) | more than 2 years ago | (#38304276)

Under conditions where you would think security is paramount?

And this is why you don't know what to say. Security is not paramount. Net revenue is. And security costs money.

Re:Err, wow - just wow. (1)

Penguinisto (415985) | more than 2 years ago | (#38305536)

Unfortunately, your statement is all too true in far too many cases.

Well, it is until the company gets bitten by the lack of it, in which case one or more of the following options are open:

1) fire the admin deemed most responsible for the breach (in this case, it'd be justified anyway)

2) over-react, spend a mountain of cash on security, and lock everything down to the point where nobody can use it without a lot of headache and heartache.

3) fire up the PR machine, and minimize as much of the reputation damage as possible.

The sad news is, most of the breaches aren't public, or even public enough. Sure, even the non-public ones will scare the crap out of the powers that be for awhile, and may even get you a bit of budget to clean the mess up. But, if you're the sysadmin? Unless you keep very careful records (and offsite copies for ready distribution to, say, Wikileaks) of budget refusals and of refusals to implement certain security controls, you're the one whose career is gonna fry for it.

Re:Err, wow - just wow. (1)

bill_mcgonigle (4333) | more than 2 years ago | (#38305998)

But, the fault lies elsewhere as well. After all, who the fuck was supposed to be doing the compliance audits, pen-testing, network security, firewall security? You always hire a reputable outside person/company to do those things.

I expected to find a bunch of "certified by X" badges on their website [google.com] but it just says, basically, "we're safe. Trust us."

If they weren't on the government gravy train they probably would have been gone a long time ago.

Insecure OSS trash... (-1)

Anonymous Coward | more than 2 years ago | (#38302600)

...allows security breech.

I know, I know... I'm sure there are pools of howto docs, man pages, and wikis that have chapters about configuring the software securely. OSS freetards like that kind of complexity and blame the enduser when something gets missed.

CA System - Has Never Worked As Intended. (3, Funny)

VortexCortex (1117377) | more than 2 years ago | (#38302652)

So, any CA can create a cert for any site (or even EVERY site via *.* -- WHO THOUGHT THIS WAS A GOOD IDEA?!). This means EVERY SINGLE CA must remain 100% secure all the time in order for us to be able to trust the CA system.

Now, this was pointed out from the beginning. "There is not a single point of failure -- No! There are MANY points of failure, any of which means a complete breakdown!"

A web of trust is the only real competing system, and still here we are, not even trying that out on a large scale. Say what you will, but know that all trust tree hierarchies are doomed to fail.

Come at me CA apologists. All your certs aren't belong to you.

Re:CA System - Has Never Worked As Intended. (0)

Anonymous Coward | more than 2 years ago | (#38302700)

This was a website hack ... not a hack of the CA. Besides, they are a reseller not actually a CA.

Re:CA System - Has Never Worked As Intended. (4, Insightful)

ledow (319597) | more than 2 years ago | (#38302770)

Personally, I now have more faith in the CA system than before.

When a rogue CA was spotted, within days it had was revoked AND ALL ITS CERTIFICATES FAILED, including ones running in government departments, in every major web browser (totally independently).

That's a pretty damn good response, and caused the collapse of the company and a government investigation - because browsers that have NOTHING to do with the CA's or the government unilaterally revoked a CA certificate in their browsers.

The point of the CA system is trust. At some point you have to trust someone. Web of trust is just trusting the majority of public opinion, statistics or some other automated metric. The CA system is trusting particular institutions and browser makers (who, if you don't trust anyway, you wouldn't be doing business with or using their product).

One CA abused that trust and they disappeared from the web overnight. But I still trust my CA. It's like saying that because one hosting company had a website vandal, everyone should just stop using website hosts.

And now it's in the news, every tiny little breach is going to come to light whereas before, unless you followed the OSCP revocations religiously, you'd never have known.

The CA system did exactly what it was designed to do and it worked much better than I would have ever expected. I don't see the Dutch CA failing as a failure of the system - the system worked and continues to work. It's like the Internet - it just routes around damage and carries on (by revoking the trust - which you can do yourself in any browser - in those who are untrustworthy).

Re:CA System - Has Never Worked As Intended. (1)

Anonymous Coward | more than 2 years ago | (#38303572)

I'm sorry, but what a load of BS. The fact is that the DigiNotar breach was only quickly dealt with *once it was discovered* long after the breach actually occured, with fraudulent certs already being in the wild and actually used in Iran. Who knows how long it'll take next time before someone notices these fraudulent certificates. Heck, who knows how many CA's have been breached right now, only we don't know about them yet...

Re:CA System - Has Never Worked As Intended. (1)

HFShadow (530449) | more than 2 years ago | (#38304878)

Having every major browser vendor issue a software update, is far from what i'd consider to be "working". Why don't we have proper CRL's?

Re:CA System - Has Never Worked As Intended. (1)

ledow (319597) | more than 2 years ago | (#38305882)

Update? That's what CRL's are for, as you point out.

Opera was never "updated" to remove the Diginotar cert, for instance.

CA System, "works" as intended; inherently broken (1)

Onymous Coward (97719) | more than 2 years ago | (#38306884)

"But what's really scary, is that the evidence F-Secure found suggests that DigiNotar was hacked at least two years ago."

I don't agree that having one's ass hanging in the wind — thinking your SSL connections are secure while they're not — for two years is a system that "works".

It's astonishing in the current landscape where most everyone appears to be concerned and casting about for solutions to see someone thinking the CA system is fine. The foundation of the CA system involves giving each of hundreds of race-to-the-bottom entities complete authority over your SSL security. Even if "race-to-the-bottom" weren't their nature, you'd still have a bell curve of performance, and the tail on the left side is your maximal security. (You are here. [thinkgeek.com] ) The system is inherently flawed.

Re:CA System - Has Never Worked As Intended. (1)

AvitarX (172628) | more than 2 years ago | (#38302812)

For a web of trust to work on a global scale, you're going to need super trustables, it will essentially end up like we have now.

This isn't e-mail where our interactions are pretty much limited to friends.

Re:CA System - Has Never Worked As Intended. (1)

thegarbz (1787294) | more than 2 years ago | (#38303122)

This means EVERY SINGLE CA must remain 100% secure all the time in order for us to be able to trust the CA system.

You act like this is something that shouldn't be an outright requirement anyway, let alone something that a company entrusted with generating SSL keys should actually be capable of in the first place.

Frankly I hope their certificates get revoked and they get shutdown due to neglecting their only source of income, our trust in them. Maybe a few more companies going tits up will be a wakeup call.

Re:CA System - Has Never Worked As Intended. (1)

Skuto (171945) | more than 2 years ago | (#38303448)

or even EVERY site via *.* -- WHO THOUGHT THIS WAS A GOOD IDEA?!

I think Firefox and Chrome reject such certificates by default (for obvious reasons).

Re:CA System - Has Never Worked As Intended. (1)

dveditz (11090) | more than 2 years ago | (#38306150)

No browser would accept a *.* certificate. According to the spec '*' can only appear in the leftmost label and can match only within that label. Long ago Netscape originally supported an expressive regexp syntax; modern browsers follow the RFC.

Summary is misleading (4, Informative)

Barefoot Monkey (1657313) | more than 2 years ago | (#38302662)

The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password.

That's a bit misleading. From what I gather the hack was possible because the database was configured to allow access without a password. Considering that, whether or not PHPMyAdmin is appropriate is a tiny matter by comparison. The summary makes it sound like PHPMyAdmin is to blame.

The dutch are doing the world a favor (0)

Anonymous Coward | more than 2 years ago | (#38302798)

Forcing the world into abandoning the ridiculous CA system.

Re:The dutch are doing the world a favor (1)

Penguinisto (415985) | more than 2 years ago | (#38303150)

And replace it with... what?

CAs are a lot like democracy. They both suck, but they tend to suck less than all other forms that have been tried up to now.

KPN revokes certificates (1, Informative)

lbalbalba (526209) | more than 2 years ago | (#38302832)

In response to the news, Gemnet's parent company KPN, has revoked a thousand certificates. Dutch original [webwereld.nl]

Oh, that's really neato. (0)

Anonymous Coward | more than 2 years ago | (#38302972)

While idiots continue to make stuff like this possible, I won't be able to find a job.

Perfect.

PHP-MyAdmin is a major source of vulnerabilities (0)

Anonymous Coward | more than 2 years ago | (#38303042)

The team behind it should maybe think about adding some checks to ensure the application is configured correctly before allowing access. Why would they even allow no-password operation? I've seen so many incorrectly configured PHP-MyAdmin instances that it makes me sick. They should add a boot-strap script that ensure config, correct file permissions, etc, before entering the app.

Re:PHP-MyAdmin is a major source of vulnerabilitie (2)

TheSpoom (715771) | more than 2 years ago | (#38305258)

FFS, if you're depending on phpMyAdmin for your database security, you're doing it wrong. If phpMyAdmin, out of the box, can access your MySQL server, it means you haven't given a password to the root user on MySQL. Which means anyone that can connect to your MySQL server at all has full access.

Unless setup in a very specific way, all phpMyAdmin does is pass along your authentication information to MySQL.

Re:PHP-MyAdmin is a major source of vulnerabilitie (1)

Penguinisto (415985) | more than 2 years ago | (#38305662)

Someone please mod parent up.

TFA describes a complete failure not only of the company's security setup, but of its specific architecture and design. Even if you have to use phpMyAdmin that frickin' badly? Unless you're a web hosting provider running the damned thing in a sandbox, you deny visibility to it from the outside network for starters. Then there's still the matter of the default password-less state of the DB.

I mean, damn... what high school kid did they get to set this thing up? It's not 2001 anymore, where brain farts like that could be ignored, and the worst you had to worry about is some script kiddie defacing your company home page.

Flabbergasted (1)

Issarlk (1429361) | more than 2 years ago | (#38303074)

Once I though that CA where serious business, with the biggest of them hosted in bunkers with complete security for the keys.
Now I know it's just as secure as everything else on the net: as Lulzsec demonstrated this year, no security whatsoever.

Now I'm just waiting to learn that nuclear missiles launch consoles are web applications with a "secure" javascript password check to protect them.

Re:Flabbergasted (0)

Anonymous Coward | more than 2 years ago | (#38303574)

Re:Flabbergasted (1)

psydeshow (154300) | more than 2 years ago | (#38305708)

Well played, sir!

Re:Flabbergasted (1)

BumboChinelo (2527572) | more than 2 years ago | (#38304066)

Once I though that CA where serious business, with the biggest of them hosted in bunkers with complete security for the keys. .

Happy to hear it since I had the same idealistic vision and in the past was doubtfull of our company solution that uses a non networked machine to sign certs that is in a protected aread but not a bunker or faraday change. Only was to import/export data (requested and certs) is via DLT tape. Afterall it doesn't seem such a lousy solution

Damn (2)

MadKeithV (102058) | more than 2 years ago | (#38303170)

And here I thought the Dutch would have the national pride not to make their network security like Swiss Cheese.

Re:Damn (1)

MarkGriz (520778) | more than 2 years ago | (#38303778)

Maybe that little Dutch boy can plug this security dike.

Re:Damn (0)

Anonymous Coward | more than 2 years ago | (#38305144)

Actually we don't really have national pride. A proper Dutchman has a mild dislike for his country*, the only reason we stay is because we dislike all other countries a little more ;)

* Many consider soccer to be an exception to this rule.

Ca subject name? (4, Interesting)

qha (23486) | more than 2 years ago | (#38303230)

So the first question I expected t.f.a. to answer:

What is the subject name of this Ca so I can remove it from my list of "trusted" Cas?

Re:Ca subject name? (0)

Anonymous Coward | more than 2 years ago | (#38303456)

"After the fiasco involving DigiNotar, another Dutch CA (Gemnet, a daughter of KPN-Telecom)..."

Re:Ca subject name? (2)

qha (23486) | more than 2 years ago | (#38303526)

Ok, so this Ca is already not included in Debian?

I can't find anything about it in the changelog for the ca-certificates package.

Re:Ca subject name? (1)

qha (23486) | more than 2 years ago | (#38303830)

Just asked a collegue to check his windows machine for any ca certificates named anything with Gemnet or KPN, no matches there either.

Re:Ca subject name? (1)

qha (23486) | more than 2 years ago | (#38304128)

I can't find any certificate that looks like this on Centos 6 either.

Re:Ca subject name? (1)

Anonymous Coward | more than 2 years ago | (#38304596)

What is the subject name of this Ca so I can remove it from my list of "trusted" Cas?

You would have to move to the Netherlands, become a muncipality and get hooked up to their private network to see a GEMNET-certificate. You haven't read TFA, have you?

Re:Ca subject name? (1)

qha (23486) | more than 2 years ago | (#38312548)

Thanks!

No, I just scanned through it looking for hints on what the ca subject might be. Now I have however and I have to admit it still isn't clear to me from the article that this is not a common ca or whatever we should call them.

Starting to feel like Uplink... (2)

dragonhunter21 (1815102) | more than 2 years ago | (#38303442)

I'm kinda getting an Uplink vibe here, with all these "X was hacked" "Another X was hacked, the government is taking it very seriously" on and on and on.

The choice of trust is poorly designed (1)

Marrow (195242) | more than 2 years ago | (#38303924)

The keys are there to protect my communications. And yet I am not the one who is choosing who to use as the vendor for my trust. I am given a list of 3rd parties that I have never heard of instead.
There should not be 1000+ organizations in charge of the security of my communications. I should choose a vendor I trust, and then that vendor should decide if the website I am trying to reach is legitimate. The system is broken by design.

I'm just waiting... (1)

Z00L00K (682162) | more than 2 years ago | (#38303994)

For Verisign to get hacked.

Re:I'm just waiting... (1)

psydeshow (154300) | more than 2 years ago | (#38305784)

I'm just waiting... for Verisign to get hacked.

Or burgled.
Or infiltrated by enemy agents.
Or infiltrated by government agents.
Or headed up by a clueless CEO who demands single sign-on access to everything and uses a password based on his birthday.
Or outsourced to Sony.

Re:I'm just waiting... (1)

Kalriath (849904) | more than 2 years ago | (#38310636)

It's not Verisign any more - it's Symantec. And in the near future all those "Verisign Secure" badges on the internet are changing to "Norton Secure".

So... job done I guess.

Enough is Enough (1)

StikyPad (445176) | more than 2 years ago | (#38304076)

These stories about Dutch CA's are really clogging up the system.

Re:Enough is Enough (1)

Errol backfiring (1280012) | more than 2 years ago | (#38312992)

Ok. Let me delete them for you. Surely the password needed to do that is somewhere on the web...

Fail2ban jail for phpMyAdmin (1)

Maow (620678) | more than 2 years ago | (#38304132)

Not sure if it would've helped in this situation, as it seems the DB itself had no password, but since I don't run phpMyAdmin, I use a fail2ban jail which bans any IP trying to access phpMyAdmin since they're obviously up to no good.

Shameless plug:

Jails for phpMyAdmin, ssh as root, and, bad robots:
https://www.maow.net/fail2ban [maow.net]

And, it's using a self-signed certificate ... seems like the only CA I can trust is myself, and I don't really like the look of that shifty character in the mirror either.

this is just new. (0)

Anonymous Coward | more than 2 years ago | (#38304804)

Dutch ca's making it easy for trojans/viruses to do their work.. wouldn't be surprised if they are all linked somewhere..

Misleadling article (1)

EMN13 (11493) | more than 2 years ago | (#38305132)

According to KPN, the hacked website was not part of the CA's issuing system. Assuming they're being wholly truthful, this article is pure sensationalism: A company has a non-critical website that's hacked: whooptie.

Of course it's bad PR: it doesn't inspire confidence in their other security matters. However, its just as likely that they're concentrating on their actual business (managing certificates), and the site was an afterthought. In any case (maybe I'm just cynical) it doesn't surprise me that a very low traffic, low volume site is negligently secured.

Totally misleading headline.

Re:Misleadling article (1)

Em Adespoton (792954) | more than 2 years ago | (#38306112)

Only partially misleading... the configuration provided access via a roundabout route to the admin credentials, which could be used to legitimately mess with the issuing system by escalating access privileges. It's not a case of "they left the issuing system wide open!" but it is a case of "they left an entry point to their management system wide open!" which can eventually result in the same thing... with fewer ways to track monkeying with the issuing system, as the attacker will be using legit creds, and may even be accessing via a legit admin's address.

Thought Linux = Secure, Penguins... apk (0)

Anonymous Coward | more than 2 years ago | (#38306582)

Funny part is, it's NOT SHOWING THAT, especially on CA's this year! To wit/e.g.:

---

Linux's showing in CA's that utilize it that have been breached recently:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=www.gemnet.nl [netcraft.com]

The majority (5/6) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, Gemnet, & Comodo)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/ [itproafrica.com]

&

http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811 [threatpost.com]

---

* Per my subject-line above, & all the YEARS here of hearing "Linux = Good/Secure & Windows = Bad/Insecure" b.s. just seems to be falling apart @ the seams for the outright "FUD" it truly was, eh?

(NOW - IF anyone reading doesn't LIKE that? Keep this in mind: IT"S FACTS, documented facts, from reputable sources!)

Yes, I also have more & from VERY recent history on Linux's security failings (but you can start with the above Penguins, & "Read 'em & WEEP"...)

APK

P.S.=> NOW, as I stated above? IF you don't like it, I have PLENTY MORE from recent history (very recent in fact & ongoing for years now, especially THIS year no less) on how "secure" Linux is showing itself to TRULY be (not!)...

(Especially now that it's being used more, especially on ANDROID bearing smartphones, where it's turning up as bad as, or worse than, Windows is on PC's (due to widespread usage? Any OS can be "shredded" on security & have its weakness' exposed)

However, the REAL trouble is, Linux is JUST STARTING THAT CYCLE!

By comparison, Windows has been fixing itself vs. that for years-to-decades now by comparison due to widespread marketshare/mindshare (nearly 95% in fact)...

... apk

Re:Thought Linux = Secure, Penguins... apk (0)

Anonymous Coward | more than 2 years ago | (#38307568)

Although I agree that linux doesn't seem to be much more secure than Windows lately, I totally fail to understand how this has anything to see with the present article that explicitly states that they let a phpmyadmin interface open in the wild without any password protection.

Or maybe you're trying (hard) to get an "offtopic" mod ?

Just posting facts (in my 1st post)... apk (0)

Anonymous Coward | more than 2 years ago | (#38307754)

"Although I agree that linux doesn't seem to be much more secure than Windows lately, I totally fail to understand how this has anything to see with the present article that explicitly states that they let a phpmyadmin interface open in the wild without any password protection." - by Anonymous Coward on Thursday December 08, @03:39PM (#38307568)

It goes to show you that for all the "smarts" many Penguins believe they have? The OS itself, especially if NOT setup security-hardened (& that means "above & beyond" even SeLinux's defaults) isn't anymore secured than its competitors (such as MacOS X &/or Windows 7/Server 2008 R2): They ALL have security-hardening possibilities far, Far, FAR above the default "norms" sent you by the oem's who make them.

* Linux also has a lot of other "security-hassles" that DON'T belong in the "I forgot to look @ my security settings, application & OS side both, & configurations of them alongside code running on them (ala bind variables & stored procedures vs. SQLInjection possibles for example)... ANDROID ALONE shows that much!

---

"Or maybe you're trying (hard) to get an "offtopic" mod ?" - by Anonymous Coward on Thursday December 08, @03:39PM (#38307568)

Hmmm, on that note from you? No, I just post facts from reputable sources as I did in the post you replied to... would you like MORE, & from recently?? I can supply them, in seconds, & again - from reputable sources with concrete, verifiable, & truthful data.

(I can "speculate" also & say you're attempting to "bury the truth" by getting others to "downmod" my posts, whether it has verifiable facts that do NOT make Linux appear very secure in it, or not!)

APK

P.S.=> I just KNEW, long ago, that all the "Linux = GOOD/SECURE, & Windows = BAD/INSECURE" business stated for YEARS around here was b.s. is all - "security-by-obscurity" (because of Linux's 1.19% of marketshare mainly) was what Linux users had going for them... not an "inherently more secure OS"!

(Additionally? Especially @ the kernel level where Linux's "mainstream" 2.6 kernel has more unpatched security vulnerabilities & more "remotely exploitable" ones than does Windows Server 2003 (which as easy work-arounds for its 2 remotely vulnerable ones no less), AND, Linux has more & by over 4x as many no less, & per SECUNIA.COM stats on that much)... apk

Re:Just posting facts (in my 1st post)... apk (0)

Anonymous Coward | more than 2 years ago | (#38307986)

"Although I agree that linux doesn't seem to be much more secure than Windows lately, I totally fail to understand how this has anything to see with the present article that explicitly states that they let a phpmyadmin interface open in the wild without any password protection." - by Anonymous Coward on Thursday December 08, @03:39PM (#38307568)

It goes to show you that for all the "smarts" many Penguins believe they have? The OS itself, especially if NOT setup security-hardened (& that means "above & beyond" even SeLinux's defaults) isn't anymore secured than its competitors (such as MacOS X &/or Windows 7/Server 2008 R2): They ALL have security-hardening possibilities far, Far, FAR above the default "norms" sent you by the oem's who make them.

* Linux also has a lot of other "security-hassles" that DON'T belong in the "I forgot to look @ my security settings, application & OS side both, & configurations of them alongside code running on them (ala bind variables & stored procedures vs. SQLInjection possibles for example)... ANDROID ALONE shows that much!

So, nothing even remotely related to the current article ?

No, I just post facts from reputable sources as I did in the post you replied to... would you like MORE, & from recently?? I can supply them, in seconds, & again - from reputable sources with concrete, verifiable, & truthful data.

(I can "speculate" also & say you're attempting to "bury the truth" by getting others to "downmod" my posts, whether it has verifiable facts that do NOT make Linux appear very secure in it, or not!)

APK

P.S.=> I just KNEW, long ago, that all the "Linux = GOOD/SECURE, & Windows = BAD/INSECURE" business stated for YEARS around here was b.s. is all - "security-by-obscurity" (because of Linux's 1.19% of marketshare mainly) was what Linux users had going for them... not an "inherently more secure OS"!

ok, so I can say "Bill Gates is rich", "Windows Vista sucks", "the earth orbits around the sun" on any slashdot article and not be modded off-topic because it's a fact ?

(Additionally? Especially @ the kernel level where Linux's "mainstream" 2.6 kernel has more unpatched security vulnerabilities & more "remotely exploitable" ones than does Windows Server 2003 (which as easy work-arounds for its 2 remotely vulnerable ones no less), AND, Linux has more & by over 4x as many no less, & per SECUNIA.COM stats on that much)... apk

Wrong. the Linux 2.6 kernel has more *KNOWN* and *PUBLICLY PUBLISHED* security vulnerabilities (although some linux fanboys might argue on the definition of "security vulnerabilities"). Microsoft keeps their hidden, deeply buried (the so-called "security" by obscurity). You (or anyone on Earth for that matter) have NO IDEA of which OS has the more security vulnerabilities. Claiming to know that unknowable information is pure FUD and BS.

CA's & Security (what I posted) = pertinent (0)

Anonymous Coward | more than 2 years ago | (#38308464)

"So, nothing even remotely related to the current article ?" - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

The article's on CA's, security, & yes, even Linux (because the "hacked/cracked" servers RUN LINUX at GEMNET): THUS, as to what I posted (all fact based, deals in CA's that run LINUX and that were security breached... period) = VERY pertinent, on those very grounds, alone...

APK

P.S.=>

"Wrong. the Linux 2.6 kernel has more *KNOWN* and *PUBLICLY PUBLISHED* security vulnerabilities (although some linux fanboys might argue on the definition of "security vulnerabilities"). - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

I agree on UNKNOWN security vulnerabilities, but I never mentioned those - I STATED KNOWN UNPATCHED SECURITY VULNERABILITIES LISTED @ SECUNIA.COM...

So, would you prefer I use the National Vulnerabilities Database here instead -> http://web.nvd.nist.gov/view/vuln/search-results?query=Linux+kernel&search_type=all&cves=on [nist.gov] from NIST??

I could you know... however, later than "2.6 mainstream base code" versions of the Linux kernel patch the holes, but, that assuming that those that use it actually DID update their OS (that's largely a manual thing via rpm, yum, apt-get etc. on Linux usually).

Problem is, when you UPDATE a Linux kernel? It also BREAKS APPS ON IT, like mad too... I've had it happen!

---

"Microsoft keeps their hidden, deeply buried (the so-called "security" by obscurity)." - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

Rightfully so - they're NOT an "Open 'SORES'" based company, & their sourcecode's their lifeblood... by way of comparison, regarding sourcecode of current OS source? Linux isn't doing well there, RECENTLY TOO, mind you, either:

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

"Proof's in the pudding", right there above, recently too mind you (again, per my usual, just facts)...

I'll also tell you, right now, for a FACT & from experience here (17++ yrs. professionally coding mostly)?

Sending "Open 'SORES'" code into a compiler & step-tracing it (because you have the actual sources) is far, Far, FAR EASIER to find "security bugs" in, than is disassembly of closed source code (or even fuzzing it sending it data it may not be able to handle)...

Closed source actually works BETTER for security, especially in that regard in fact, because it's "closed"... period!

... apk

Re:CA's & Security (what I posted) = pertinent (0)

Anonymous Coward | more than 2 years ago | (#38312450)

"So, nothing even remotely related to the current article ?" - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

The article's on CA's, security, & yes, even Linux (because the "hacked/cracked" servers RUN LINUX at GEMNET): THUS, as to what I posted (all fact based, deals in CA's that run LINUX and that were security breached... period) = VERY pertinent, on those very grounds, alone...

APK

P.S.=>

I disagree, you sound like those guys that scream "OMFG Windows was pwned ... again" because some guy didn't put an admin password on his Windows XP install or because IE has a flaw ..., except that here the component hacked (mysql database with no password + phpmyadmin accessible from the internet) is not even part of linux. And don't tell me IE is not part of Windows, they got sued and lost big because it is.

"Wrong. the Linux 2.6 kernel has more *KNOWN* and *PUBLICLY PUBLISHED* security vulnerabilities (although some linux fanboys might argue on the definition of "security vulnerabilities"). - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

I agree on UNKNOWN security vulnerabilities, but I never mentioned those - I STATED KNOWN UNPATCHED SECURITY VULNERABILITIES LISTED @ SECUNIA.COM...

So, would you prefer I use the National Vulnerabilities Database here instead -> http://web.nvd.nist.gov/view/vuln/search-results?query=Linux+kernel&search_type=all&cves=on [nist.gov] from NIST??

I could you know... however, later than "2.6 mainstream base code" versions of the Linux kernel patch the holes, but, that assuming that those that use it actually DID update their OS (that's largely a manual thing via rpm, yum, apt-get etc. on Linux usually).

Problem is, when you UPDATE a Linux kernel? It also BREAKS APPS ON IT, like mad too... I've had it happen!

---

"Microsoft keeps their hidden, deeply buried (the so-called "security" by obscurity)." - by Anonymous Coward on Thursday December 08, @04:09PM (#38307986)

Rightfully so - they're NOT an "Open 'SORES'" based company, & their sourcecode's their lifeblood... by way of comparison, regarding sourcecode of current OS source? Linux isn't doing well there, RECENTLY TOO, mind you, either:

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

"Proof's in the pudding", right there above, recently too mind you (again, per my usual, just facts)...

I'll also tell you, right now, for a FACT & from experience here (17++ yrs. professionally coding mostly)?

Sending "Open 'SORES'" code into a compiler & step-tracing it (because you have the actual sources) is far, Far, FAR EASIER to find "security bugs" in, than is disassembly of closed source code (or even fuzzing it sending it data it may not be able to handle)...

Closed source actually works BETTER for security, especially in that regard in fact, because it's "closed"... period!

... apk

Again I disagree, as Secunia themselves said (If I remember correctly, because some idiot used their figures as sound proof of Firefox being less secure than IE) : this is comparing oranges and apples. And the fact that you use trolling terms such as "Open Sores" doesn't help me to try to understand your argument. Flaws in closed source can be harder to find, but it also mean that we (user) cannot check for them either and that we don't know when they're patched or what is or is not patched. Security through obscurity is an illusion (just as much as blindly believing linux is perfectly secure).
Car analogy: if someone wants to steal A car, he will take easy one. If someone wants to steal YOUR car, he will steal it, period.

Facts are facts... apk (0)

Anonymous Coward | more than 2 years ago | (#38313404)

Disagree ALL you like but facts remain facts here http://it.slashdot.org/comments.pl?sid=2564492&cid=38306582 [slashdot.org]

(There's no "apples to oranges" comparison there at all whatsoever, only FACTS that Linux was compromised MULTIPLE TIMES running @ 5 CA's... period!)

APK

P.S.=> The topic is CA's being breached - how do you figure I am off topic, as you stated in your 1st reply, by my simply pointing out that those same CA's run Linux? apk

Re:CA's & Security (what I posted) = pertinent (0)

Anonymous Coward | more than 2 years ago | (#38312916)

diclaimer: using both windows and linux here (50/50)

I could you know... however, later than "2.6 mainstream base code" versions of the Linux kernel patch the holes, but, that assuming that those that use it actually DID update their OS (that's largely a manual thing via rpm, yum, apt-get etc. on Linux usually).

don't know what linux you are using but on most distrib ('buntu's, redhat's) it's fully automatic, kinda like window$: it asks for your admin password, you (un)select your updates, click the "update" button. Done

Problem is, when you UPDATE a Linux kernel? It also BREAKS APPS ON IT, like mad too... I've had it happen!

Problem is, when you UPDATE a Windows ? It also BREAKS APPS ON IT, like mad too... I've had it happen!
sevice pack anyone ? migrating from XP to Vista to 7 anyone ?
I had to reinstall my windows from scratch 4 times in 3 years because of these ...
my linux partition though : upgrading since 'buntu 7.10 up to 10.04 flawlessly from that point-of-view*.

*another point-of-view is that some options changed place, some default programs where installed in new distrib while other where not maintained anymore, but that's not limited to open source in any case.

regarding sourcecode of current OS source? Linux isn't doing well there, RECENTLY TOO, mind you, either:

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

you're kidding right ? did you miss the memo: the linux source code is versionned with git. i.e. it is distributed all over the world and hash-tagged. Any modification of the code at kernel.org would have been spotted right on the first repo sync. I sure hope window$ source code versionning system has the same security, otherwise we're doomed ...

NB: sorry for the window'$' thing, but given your obviously trollish "open sores", I couldn't resist.

Another /. user said it on the Diginotar case: (1)

D,Petkow (793457) | more than 2 years ago | (#38308680)

"Bob has a problem requiring secure communication. He decides to use certificates. Now Bob has two problems."

Time to (0)

Anonymous Coward | more than 2 years ago | (#38312496)

Time to remove the Dutch government from our Trusted Roots

manolo shoes (0)

Anonymous Coward | more than 2 years ago | (#38312560)

Manolo Blahnik Blue Suede Pointed Toe Pump are alwatys show the high sociaty in the past,because the price is too high,and now you have the chioce to own it ,we provide the Manolo Blahnik shoes with high quality and the lower price.You will get what you see in the picture,it is your turn now.manolo blahnik something blue satin pump,made of blue suede with a high heel approximately 10cm,it has blue inside lining.
Pop element:with black suede and a pointed-toe pump
Height:10cm covered heel
Material:suede
Color:blue
Weight:0.5kg
Toe:pointed
manolo blahnik shoes [christianshoeus.com]
manolo shoes [christianshoeus.com]
christian louboutin shoes [christianshoeus.com]
christian louboutin shoes on sale [christianshoeus.com]
cheap christian louboutin shoes [christianshoeus.com]

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...