
Hackers Steal Opera-Signed Certificate Through Infrastructure Attack

samzenpus posted about a year ago | from the protect-ya-neck dept.


wiredmikey writes "Norwegian browser maker Opera Software has confirmed that a targeted internal network infrastructure attack led to the theft of a code signing certificate that was used to sign malware. 'The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,' Opera warned in a brief advisory. The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies that provide client side software to millions of end users."


104 comments


NSA imperialist snoops again! (1)

For a Free Internet (1594621) | about a year ago | (#44118983)

Defeat U.S. imperialism! Hail Edward Snowden and Bradley Manning! A workers soviet America will give them the honors they deserve!

Re:NSA imperialist snoops again! (0)

Anonymous Coward | about a year ago | (#44119135)

A workers soviet America will give them the honors they deserve!

Nobody sane wants that. It would kill too many workers. [youtube.com]

A growing shift? (5, Insightful)

Anonymous Coward | about a year ago | (#44118985)

Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?

Re:A growing shift? (1)

UltraZelda64 (2309504) | about a year ago | (#44119149)

My guess is that you probably nailed it with the "to induce widespread panic" part. Nothing new here, hackers will use any method possible to trick people and conceal their true intentions, move along.

no. the NSA is probably doing this (1)

Anonymous Coward | about a year ago | (#44119245)

if bad guys are doing it, the governments are doing it.

the whole idea of SSL is based around the trust of the certificate and signing infrastructure. it is a growing shift away from the assumption that SSL=safe+secure when shit like this keeps happening over and over.

Re:no. the NSA is probably doing this (5, Insightful)

Anonymous Coward | about a year ago | (#44119299)

if bad guys are doing it, the governments are doing it.

You repeated yourself

Re:no. the NSA is probably doing this (1)

UltraZelda64 (2309504) | about a year ago | (#44119385)

Heh... that was actually pretty funny, because there is some truth to it. Good one.

Re:no. the NSA is probably doing this (1)

Kavafy (1322911) | about a year ago | (#44120439)

Thanks, Fouad.

Re:no. the NSA is probably doing this (0)

Anonymous Coward | about a year ago | (#44121967)

>government is bad
>Score:5, Insightful

Really Slashdot, really?

Re:no. the NSA is probably doing this (0)

Anonymous Coward | about a year ago | (#44144529)

What is the difference between safe and secure?

In Portuguese:
Safe: Seguro
Secure: Seguro

Opera is DOOMED (1)

Anonymous Coward | about a year ago | (#44119331)

For a company that just laid off most of its developers and resigned itself to being a rebranded Google Chrome, this cannot be coincidental.

The only vestige of any use from the former Opera Software is Fastmail.fm, and the developers struggle mightily to keep that branch as separate as possible from the Mother Ship.

Now this cert-signing issue, which on the surface seems petty, but signals a larger problem of a lack of focus on security and a neglected infrastructure. Layoffs will do that. I'm curious if Opera discovered the stolen Cert on their own or if it was reported to them, and how long it was compromised before revoked.

This is not the first sign that Opera is dead, but the bad news keeps piling on for this company. First the loss of mobile space due to actual smart phones, then the dropping of support for non-Windows PCs and non-Android smartphones, rumors rampant of a Facebook/someone else takeover, throwing away fifteen years of incremental browser improvement to become a Chrome skin (and thus breaking services like Opera Link), etc. Opera is DOOMED.

Re:Opera is DOOMED (-1)

Anonymous Coward | about a year ago | (#44119657)

For the record, not too many facts here are true.

Re:Opera is DOOMED (0)

Anonymous Coward | about a year ago | (#44120931)

They're back to their pre-firing number of employees; it was mostly an excuse to replace the worst performers.
The security system in place seems fairly solid, but I'm not at liberty to discuss how ...
Their mobile presence is doing fine, through their CIS and south-america deals. The mac edition is in much _better_ shape than the windows edition, and the linux version compiles but is paused until the developers can be moved back from the windows version (I'd guess before christmas). Moving to webkit makes a full iOS version possible, while Opera mini has always been a bizarre and separate project that's not going away anytime soon. The rumors of takeovers have been going on forever with no factual grounding. The 15 years have included a rendering and javascript engine replacement and some rather wide reshapings. The only chromium code in opera 15 is the HTML renderer.

But sure, otherwise you're right.

Re:Opera is DOOMED (1)

Ash-Fox (726320) | about a year ago | (#44121117)

They're back to their pre-firing number of employees; it was mostly an excuse to replace the worst performers.
The security system in place seems fairly solid, but I'm not at liberty to discuss how ...

Forgive me if I don't see why anyone should listen to an AC without any evidence and implies we should trust them on this.

Re:Opera is DOOMED (0)

Anonymous Coward | about a year ago | (#44121377)

Oh absolutely - consider it an unbacked statement to counter an unbacked statement. :)
(The actual source is that I live with an opera employee, hardly too quotable. Or legal.)

Re:Opera is DOOMED (0)

Anonymous Coward | about a year ago | (#44121659)

The real actual source is that I am the CEO of Opera.

Re:Opera is DOOMED (0)

Anonymous Coward | about a year ago | (#44131371)

Ah, so one of the few people who got himself an office after declaring "the entire company shall enjoy (ok, suffer) an open floor plan".

Re:Opera is DOOMED (1)

hkmwbz (531650) | about a year ago | (#44152489)

The original poster claimed that Opera laid off most of its developers, which is not true at all. They laid off maybe 20-25 developers out of several hundred. In other words, the AC you are responding to is at least 100% more believable than the original poster who has been caught making demonstrably false claims.

Re:Opera is DOOMED (1)

Ash-Fox (726320) | about a year ago | (#44152839)

I'm not sure that an AC that claims they are the CEO of Opera is believable either.

Re:Opera is DOOMED (1)

hkmwbz (531650) | about a year ago | (#44178307)

That AC obviously isn't the same as any of the other ACs. It's just someone trolling or making a joke.

Re:Opera is DOOMED (1)

hkmwbz (531650) | about a year ago | (#44152483)

For a company that just laid off most of its developers and resigned itself to being a rebranded Google Chrome, this cannot be coincidental.

Laid off most of its developers? Opera had nearly a thousand employees, and hundreds of people working on the browser. 90 people left or were fired, and only about half were engineers (meaning programmers or testers). So if we assume that around half of the engineers who left were developers, something like 20-25 out of several hundred developers are now gone.

Most of its developers?

As for being a rebranded Chrome, the new Opera actually has a totally new user interface, and is not just using Chrome's.

The only vestige of any use from the former Opera Software is Fastmail.fm, and the developers struggle mightily to keep that branch as separate as possible from the Mother Ship.

Right. Your claims are really believable, considering that you made the outrageously false claim that they fired most of their developers when the fact is that they only fired a fraction of them.

This is not the first sign that Opera is dead, but the bad news keeps piling on for this company. First the loss of mobile space due to actual smart phones, then the dropping of support for non-Windows PCs and non-Android smartphones, rumors rampant of a Facebook/someone else takeover, throwing away fifteen years of incremental browser improvement to become a Chrome skin (and thus breaking services like Opera Link), etc. Opera is DOOMED.

Opera is doomed, eh? That must be why they announced a growth to more than 300 million active users a while back. That must be why they are not only profitable, but constantly growing their revenues and profits. Yes, a doomed company which is growing like crazy and getting new users all the time.

Did Opera lose the mobile space to smartphones? That doesn't make sense. They said that most of their new users were actually on smartphones. Again you seem to be making up a lot of weird claims.

I don't know where you are getting you info from, but it's all wrong.

Re:A growing shift? (2)

cold fjord (826450) | about a year ago | (#44119551)

Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?

Criminal gangs and individual crackers have been growing more sophisticated in their computer crime activity for some time. If you're going to move up the food chain of commercially valuable exploits, this is exactly the sort of thing that you would expect. It makes it much easier to get malware accepted on a system, which means it makes it easier to extract some sort of value from the system. (Stolen data, botnet, spam host, etc.)

Re:A growing shift? (1)

DarkOx (621550) | about a year ago | (#44120653)

The real tragedy is the non-user-controllable code signing features being baked into some popular operating systems. It does not make us safer but it does create a barrier to entry in the marketplace for legitimate software developers.

Advantages of a barrier to entry (1)

tepples (727027) | about a year ago | (#44121567)

Some people, such as a PlayStation fan on Slashdot who will remain nameless, would argue that a barrier to entry is a good thing. It ensures that anybody who wants to distribute software to the public is serious about creating quality software. It's a fallacy, but like other fallacies, appeal to accomplishment [wikipedia.org] springs from a heuristic: companies that have successfully published quality works in the past are more likely to publish quality works in the future. The example he likes to trot out is the North American video game recession of 1983, when there was so much shovelware crap on store shelves that neither players nor retailers could find which 2600 games were worthwhile. The North American market pretty much abandoned video games until the fourth quarter of 1985 when Nintendo added a lockout chip to its new Nintendo Entertainment System to assure retailers that only games that Nintendo had evaluated for a certain baseline quality level would be allowed to run.

Re:A growing shift? (1)

Ryanrule (1657199) | about a year ago | (#44119559)

I had a growing shift happen the other night while dancing with a girl at a club.

Unlikely (5, Funny)

formfeed (703859) | about a year ago | (#44120055)

There are three things that I don't believe you:
(1) Dancing (2) Girl (3) Club

Re:Unlikely (1)

KingMotley (944240) | about a year ago | (#44122281)

Well it was moving, not sure most would call it dancing. It was with a girl, or what appeared to be mostly (90%?) a girl, and by club he means his mother's basement.

Yes (0)

Anonymous Coward | about a year ago | (#44119941)

Witness the "HACKURS DID IT" headline, which is quite at odds with the careful press release.

This is one case where I'd rather read the press release --notoriously full of CYA mealy-mouthed unreadable word salad-- than even the headline some ham-fisted hack came up with. On a self-described so-called "tech savvy" site, no less.

Re:A growing shift? (0)

Anonymous Coward | about a year ago | (#44119983)

Not really, it relates to the various attacks on CAs like Comodo [wikipedia.org] and DigiNotar [wikipedia.org] (and arguably things like stuxnet, duqu and flame, although a subset of these may be government-related).

Re:A growing shift? (1)

Jah-Wren Ryel (80510) | about a year ago | (#44121035)

Does this really signal a growing shift?

The shift already happened a few years back when all RSA SecureID tokens were compromised. [arstechnica.com]

What happened here with Opera is small potatoes compared to the SecureID fiasco.

Re:A growing shift? (0)

Anonymous Coward | about a year ago | (#44121973)

Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?

You have raised some new and disturbing questions about the practices of journalists in America.

next? (0)

Tastecicles (1153671) | about a year ago | (#44119029)

Microsoft Update?

The certificate crowd is proven wrong yet again. (4, Insightful)

Anonymous Coward | about a year ago | (#44119059)

Whenever the topic of security comes up, there are always a bunch of people who go on and on and on about how certificates are always the answer to security problems.

How do we fix security problems with email? "Certificates!", they say.

How do we fix security problems with HTTP? "Certificates!", they blurt out.

How do we fix security problems with DNS? "Certificates!", they scream.

How do we fix security problems with passwords? "Certificates!", they yell.

How do we fix security problems with application executables? "Certificates!", they exclaim.

Yet we see so many stories about certificates getting compromised in one way or another. And then the infrastructure surrounding them is always so goddamn awful. They cause just as many, if not more, problems than they actually manage to partially solve.

It's time for the certificate advocates to stop and think. They need to look at the big picture. They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.

Re:The certificate crowd is proven wrong yet again (4, Informative)

BitZtream (692029) | about a year ago | (#44119127)

The problem is that implementations that are checking the certificate are not requiring third party authenticated signing timestamps.

If the implementations checking certificates required a trusted root signed timestamp with the digital signature in any of those implementations, then expired certificates would be useless.

Certificates can be compromised, but they are far better than passwords people use.

There has yet to be an actual problem with certificates, just bad implementations.

I would love for you to point me at some software that has never had any implementation faults.

Re:The certificate crowd is proven wrong yet again (4, Insightful)

MightyMartian (840721) | about a year ago | (#44119325)

Perhaps if people took better care of private keys, this wouldn't bloody happen at all.

Re:The certificate crowd is proven wrong yet again (1)

cgimusic (2788705) | about a year ago | (#44149295)

They paid so much for the certificate would it really be that costly to them to keep the private key on a machine not connected to a network?

Re:The certificate crowd is proven wrong yet again (0)

Anonymous Coward | about a year ago | (#44120445)

The problem is that implementations that are checking the certificate are not requiring third party authenticated signing timestamps.

There you go again, "if only the technology...". The rest of your comment is mostly tu quoque arguments and other fallacies. That is, you're talking bullshit.

NO. Just NO. The problem with certificates is much deeper than that, and starts with the premise of the certificate issuers: They'll protect you from anyone they won't take money from. This being commercial entities. It goes downhill from there.

Re:The certificate crowd is proven wrong yet again (0)

Anonymous Coward | about a year ago | (#44120955)

What are you blabbering about? If I have a policy on my domain to allow executables signed with certificates where the software publisher is Adobe, Oracle, Microsoft, Apple, etc., no one is going to be able to get past that barrier without stealing private keys from Adobe, Oracle, Microsoft, etc. (which is the same "weakness" for every single security protocol in existence, that has ever existed anywhere at any time, or that will exist anytime in the near future)

Re:The certificate crowd is proven wrong yet again (1)

tepples (727027) | about a year ago | (#44121615)

no one is going to be able to get past that barrier without stealing private keys from Adobe, Oracle, Microsoft, etc.

So how should a legitimate software developer get its publisher certificate into your domain's "etc." list?

Re:The certificate crowd is proven wrong yet again (1)

DarkOx (621550) | about a year ago | (#44120689)

The problem with code signing certificates though is what should the validation rule actually be? Should an executable no longer be considered trusted when the cert expires?

I bet certain segments of the software industry would love that. Talk about planned obsolescence.

Maybe the binary should be trusted as long as the create or modify dates are prior to the certificate's expiry?

This won't do anything because anyone sophisticated enough to create malware can just manipulate the date stamps before signing.

I know, OCSP! We will just do revocation checks every time.

Again certain segments of the software industry would love this. It would empower them to decide when your software no longer works. No, you can't just check once; malware authors would just have stuff sleep for a while, and the CA or signer may not know they have had a breach. After all, something like 60% of commercial breaches were reported by 3rd parties last year.

Then there are the privacy implications of doing a revocation check every time you run some code.

The certificate trust model just does not work for software.
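The two posts above (BitZtream's point that a trusted countersigned timestamp makes an expired certificate useless to a thief, and DarkOx's walk through the candidate validation rules: expiry, signer-supplied dates, revocation) are easier to compare side by side in code. The following is an added example, not code from either poster, from Opera, or from any signing tool. It is a toy model: HMAC-SHA256 under a per-certificate secret stands in for the real RSA/ECDSA signature, the TSA is a single trusted key rather than an RFC 3161 responder with its own chain, and all certificates, dates and binaries are constructed for the scenario. The same signature is then judged under four verification policies.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumption: HMAC under a per-cert secret stands in for an asymmetric
# signature; TSA_KEY stands in for a trusted time-stamping authority.
TSA_KEY = b"constructed-tsa-key"
POLICIES = ("ignore", "current", "claimed", "tsa")


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime
    secret: bytes                           # stand-in for the private key
    revoked_at: Optional[datetime] = None   # as a CRL/OCSP response would say


@dataclass(frozen=True)
class Signature:
    signer: Cert
    digest: bytes                         # SHA-256 of the binary
    mac: bytes                            # "signature" over the digest
    claimed_time: datetime                # signer-asserted, unauthenticated
    ts_time: Optional[datetime] = None    # time asserted by the TSA
    ts_mac: Optional[bytes] = None        # TSA countersignature over mac||time


def _tsa_countersign(mac: bytes, t: datetime) -> bytes:
    return hmac.new(TSA_KEY, mac + t.isoformat().encode(), "sha256").digest()


def sign(cert: Cert, binary: bytes, claimed: str, tsa: Optional[str] = None) -> Signature:
    """Sign a binary; with tsa set, also obtain a TSA countersignature
    (in reality an RFC 3161 request carrying the signature hash)."""
    digest = hashlib.sha256(binary).digest()
    mac = hmac.new(cert.secret, digest, "sha256").digest()
    ts_time = utc(tsa) if tsa else None
    ts_mac = _tsa_countersign(mac, ts_time) if ts_time else None
    return Signature(cert, digest, mac, utc(claimed), ts_time, ts_mac)


def verify(sig: Signature, binary: bytes, now: datetime, policy: str) -> str:
    """ignore: never look at dates; current: judge the cert at verification
    time; claimed: trust the signer's own timestamp; tsa: require a TSA
    countersignature and judge the cert at the time the TSA attests."""
    if hashlib.sha256(binary).digest() != sig.digest:
        return "REJECT: binary does not match signed digest"
    expected = hmac.new(sig.signer.secret, sig.digest, "sha256").digest()
    if not hmac.compare_digest(expected, sig.mac):
        return "REJECT: bad signature"
    if policy == "ignore":
        return "ACCEPT"
    if policy == "tsa":
        if sig.ts_mac is None or sig.ts_time is None:
            return "REJECT: no trusted timestamp"
        if not hmac.compare_digest(_tsa_countersign(sig.mac, sig.ts_time), sig.ts_mac):
            return "REJECT: bad timestamp countersignature"
        t = sig.ts_time
    elif policy == "claimed":
        t = sig.claimed_time
    else:
        t = now
    c = sig.signer
    if not (c.not_before <= t <= c.not_after):
        return f"REJECT: cert not valid at {t.date()}"
    if c.revoked_at is not None and t >= c.revoked_at:
        return f"REJECT: cert revoked as of {c.revoked_at.date()}"
    return "ACCEPT"


# Constructed scenario: an expired publisher cert that was later stolen, and a
# still-valid one that the publisher revoked the day it found the breach.
NOW = utc("2013-07-01")
OLD = Cert("Example Publisher", utc("2008-01-01"), utc("2010-01-01"), b"old-key")
CUR = Cert("Example Publisher", utc("2012-01-01"), utc("2015-01-01"), b"cur-key",
           revoked_at=utc("2013-06-26"))
LEGIT, MALWARE = b"installer v1.0 (constructed)", b"trojan dressed as installer"

CASES = {
    # a 2009 release, signed and timestamped while OLD was valid
    "legit-old": (sign(OLD, LEGIT, "2009-05-05", tsa="2009-05-05"), LEGIT),
    # stolen OLD key: the claimed time can be backdated, the TSA time cannot
    "malware-old": (sign(OLD, MALWARE, "2009-05-05", tsa="2013-06-28"), MALWARE),
    # stolen OLD key with no timestamp at all
    "malware-old-no-ts": (sign(OLD, MALWARE, "2009-05-05"), MALWARE),
    # a release timestamped before CUR was revoked
    "legit-cur": (sign(CUR, LEGIT, "2013-05-01", tsa="2013-05-01"), LEGIT),
    # stolen CUR key used after revocation
    "malware-cur": (sign(CUR, MALWARE, "2013-05-01", tsa="2013-06-28"), MALWARE),
}


def outcomes() -> dict:
    return {(name, p): verify(sig, blob, NOW, p)
            for name, (sig, blob) in CASES.items() for p in POLICIES}


if __name__ == "__main__":
    for (name, policy), result in outcomes().items():
        print(f"{name:18} {policy:8} {result}")
```

Reading the table it prints: "ignore" accepts everything, including the stolen-key malware; "current" rejects the malware but also every legitimate old release once the cert expires or is revoked (the obsolescence DarkOx describes); "claimed" accepts backdated malware because the signer controls that field; only "tsa" keeps the 2009 release valid in 2013 while rejecting anything the thief signs after expiry or revocation, and it rejects outright when the attacker simply omits the timestamp. That last case is the verifier setting the rule; a thief who can obtain a TSA countersignature at all only gets one bearing the real date.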

Re:The certificate crowd is proven wrong yet again (0)

Anonymous Coward | about a year ago | (#44122765)

They have signed third-party timestamps. We use them for email so that people can't claim the email was faked as easily. Just have one generated when you sign the executable, and as long as all four combinations of timestamp and certificates are valid the stamp is good. Likewise, you have to look for any revocation through OCSP or a CRL.

Re:The certificate crowd is proven wrong yet again (0)

Anonymous Coward | about a year ago | (#44122815)

The problem is that implementations that are checking the certificate are not requiring third party authenticated signing timestamps.

Actually, one of the most prominent implementations does exactly that. It's Windows Kernel Code signing.

Re:The certificate crowd is proven wrong yet again (1)

Anonymous Coward | about a year ago | (#44119365)

Whenever the topic of security comes up, there are always a bunch of people who go on and on and on about how certificates are always the answer to security problems.

How do we fix security problems with email? "Certificates!", they say.

How do we fix security problems with HTTP? "Certificates!", they blurt out.

How do we fix security problems with DNS? "Certificates!", they scream.

How do we fix security problems with passwords? "Certificates!", they yell.

How do we fix security problems with application executables? "Certificates!", they exclaim.

Yet we see so many stories about certificates getting compromised in one way or another. And then the infrastructure surrounding them is always so goddamn awful. They cause just as many, if not more, problems than they actually manage to partially solve.

It's time for the certificate advocates to stop and think. They need to look at the big picture. They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.

Are you saying "certificate" when you mean "PKI"?

This might be taken as evidence that you know very little about security...

Re:The certificate crowd is proven wrong yet again (0)

Anonymous Coward | about a year ago | (#44120421)

Are you saying "trees" when you mean "forest"?

Re:The certificate crowd is proven wrong yet again (1)

bloodhawk (813939) | about a year ago | (#44120947)

In this instance it is critical to differentiate, certificates have not been broken/compromised at all, underlying implementations of the infrastructure and the people handling that infrastructure have been compromised or broken. Certificates in general are an excellent solution to many security issues, however it does require good PKI infrastructure and management otherwise they are pointless. For many of their uses you don't even need to trust or rely on any external authority, you can run your own which no fukker has access to except those you specifically grant access and trust, for instance we run a PKI infrastructure where I work, not exposed to the internet and the CA itself is segregated off and heavily secured. We rely on no external party.

Certificates prevent encrypt email (0)

Anonymous Coward | about a year ago | (#44119483)

We could have encrypted email tomorrow if it didn't require a signing authority to issue a certificate!

Nothing stops a computer generating a public/private key pair, an email client like Thunderbird could do it tomorrow. Nothing stops it sending the public key in the header of sent messages, and collecting those public keys as it goes along.

First time you get a public key from an email that you trust, the key is accepted, and tracked. If you have a public key... send it encrypted using the public key to that email address. If you get a different key from that email address, warn user of possible man in middle attack (either with new key or previous key).

Certificates are not secure, any spying agency with access to a certificate authority can issue themselves fake certs and perform man in the middle attacks. Since many signing authorities are in the USA, they are subject to the secret FISA court and thus cannot be trusted anymore than the FISA court can (i.e. demonstrably not at all).

SSH currently will do a key exchange using the first-time approach without a certification authority and we should use the same system for end to end email encryption.

Re:Certificates prevent encrypt email (1)

FrangoAssado (561740) | about a year ago | (#44119947)

SSH currently will do a key exchange using the first-time approach without a certification authority and we should use the same system for end to end email encryption.

When connecting for the first time, SSH shows the public key fingerprint of the host you're connecting to. If you don't bother to check it, you're leaving yourself wide open to a MITM attack (and in this case, the attacker doesn't even need access to any certificate authorities).

Your proposed email system that blindly accepts every public key upon first connection is even worse than using CAs -- with certificates, you can at least choose which authorities you want to trust.

My SSH warns me if the fingerprint changes (0)

Anonymous Coward | about a year ago | (#44120237)

My SSH client warns me when the fingerprint changes. It TRACKS the PRIOR fingerprints. It's happened once, SSH Client warned me. I suspect local hackers trying to gain a server, but never did resolve where the line had been intercepted and the problem went away the next day, the key was back and I could connect. [Silly me, I was looking at *my* end, I never thought that the basic infrastructure of American telecoms had been hacked by criminals in uniforms.]

Anyway the point being that the change of key IS NOTIFIED, the user IS aware of man in the middle attacks, and the NSA would have had to do a MITM attack on the FIRST key exchange to do their illegal interception of email unnoticed.

The current CA system does not work, IS NOT USED, IS NOT USABLE, emails are sent unencrypted and EVERY email you assume it's from the person who sent it, but it is totally vulnerable to spoofing. So your decision that the email from fred@blogs.com is really fred@blogs.com is your choice, you can choose to accept that first key exchange or reject it. But this is the same decision you are always making anyway with the content.

With the key, you know this is the same fred@blogs.com you've been talking to for years, not creep@nsa.dictator.mil undermining America.

This works for SSH, it protected my connection from malicious actors. It can work for mail too, even politicians, even press, even ordinary people.

Re:My SSH warns me if the fingerprint changes (1)

FrangoAssado (561740) | about a year ago | (#44122405)

There's nothing wrong with tracking prior public keys. That's a good option for knowledgeable users, but it's a non-starter for people who know nothing about cryptography.

See for example what would happen when a key is compromised or just lost. In this case you have to warn everyone that your key will change. Now think of how often will people receive the message "hey, my email key has changed, so the warning you'll get is not a MITM attack", and how soon will people start clicking "accept" without bothering to check whether it's legitimate?

The idea of certificates is that the end user only has ONE job: to decide which CAs he or she will trust. Even that has proven to be too much for the end user: almost no one even knows you can choose which CAs they want to trust, everyone trusts the browsers or the OSs to make this choice for them. Any solution that requires MORE decisions from the user is a step back.

Re:My SSH warns me if the fingerprint changes (1)

cgimusic (2788705) | about a year ago | (#44149311)

People ignore messages about certificates anyway. I managed to use a man in the middle attack to steal an old IT teacher's password sent over HTTPS. I just used a self signed certificate and he accepted it like the warning was nothing out of the ordinary.

Re:Certificates prevent encrypt email (0)

Anonymous Coward | about a year ago | (#44120897)

Consider the three options:
* Certificates. Apparently not popular, because they're a hassle (and a hassle with costs; the worst kind).
* Nothing. Status quo for mail today, where everything could be spoofed.
* SSH-style, which prevents MITM attacks on the second and further mails from a source.

Moving from "nothing" to "SSH-style" would not make things worse.

Re:Certificates prevent encrypt email (1)

pipedwho (1174327) | about a year ago | (#44120093)

What would also need to be added to your proposal is to supplement with SRP or other secure password system that allows two users to easily exchange relatively insecure passwords out of band to verify the exchanged verifier. This also applies to SSH, especially when remotely connected to a box under your direct control.

You'd use this to supplement the base line protection of using a PKI system to verify the verifiers.

Once the public key has been reliably transferred, it can then safely be used to securely receive any communications without a man-in-the-middle or passive listener being able to decrypt it.

Another solution is to further supplement the above with the use of multiple cert authorities to sign/exchange your certificate (and multiple revocation lists). The more channels it comes in through, the more it can be trusted. So to properly fake out the system, you'd have to compromise more than just a single authority. And you'd need the shared out of band password. Compromising any one of those channels does the attacker no good; they'd need to hack all of them (or hack your system, steal your private keys and/or trojan your system and/or eavesdrop at the endpoints).

No, also extend mailto: tag (0)

Anonymous Coward | about a year ago | (#44120331)

"What would also need to be added to your proposal is to supplement with SRP or other secure password system that allows two users to easily exchange relatively insecure passwords out of band to verify the exchanged verifier. This also applies to SSH, especially when remotely connected to a box under your direct control."

No, not at all. You trust the message content is from Bob, ergo so must the key be from Bob.

You could for example publish your email address in a format that includes the public key. So users clicking on an email link on a webpage automatically get the secure key. For example a bank might publish the email address on its https website, it contains a mailto tag
[a href="mailto:no-one@test.com+publickey:fwefiuwhefiuwheiuhw3o3joid9323dsijfoioijqwif.."]example[/a]

If the website is secure then so is the public key exchange.

If you are a journalist, politician or law enforcement and need more secure email, you can always pass the first key via a more secure route. But even if it's passed via an https website link, it's as good as a certificate exchange is now.

But that brings us back to the main point. Email IS NOT encrypted because the certificates system does not work, is cumbersome, and is subject to NSA man in the middle attacks at any time anyway!

A key revoke is an unencrypted email negotiation the same as the first one. Only now you're suspicious, and can ring them to check, or contact them some other way... as it is, you have to check each and every discussion. You don't hand any 'trusted' third party the key exchange because 'third parties' are inherently subject to a secret court order from a secret court.

Re:Certificates prevent encrypt email (1)

andy.ruddock (821066) | about a year ago | (#44120103)

Or, you could use PGP and have encrypted e-mail today.

PGP needs both ends (0)

Anonymous Coward | about a year ago | (#44120393)

Yes, but it's more like PGP that automatically upgrades to encryption on the first key exchange.

A few of us will use Thunderbird and recommend it to our friends, as they in turn use Thunderbird, so that link will be encrypted and as it spreads so the encryption network spreads with it. Constitutional protection is restored, right to privacy back, democracy protected... all good stuff without any issues.

Webmail is inherently unsafe, you have to trust Hotmail or Gmail or Yahoomail , those accounts could also publish keys, but the link would only be secure up to their accounts. Because they'd hold the private portion of the key. Even then, that's better than the current situation.

Re:Certificates prevent encrypt email (1)

Ash-Fox (726320) | about a year ago | (#44121167)

Or, you could use PGP and have encrypted e-mail today.

How do I use PGP with Zimbra server (webmail) and Zimbra Desktop (desktop client)?

Re:Certificates prevent encrypt email (1)

Ash-Fox (726320) | about a year ago | (#44156237)

It's been four days, you told me I could have it today. Why do you delay?

Key continuity management: MITM'd from day one (1)

tepples (727027) | about a year ago | (#44121673)

What you describe is called "key continuity management".

First time you get a public key from an email that you trust

How should one decide to trust a particular e-mail? The sender can spoof the From address.

SSH currently will do a key exchange using the first-time approach without a certification authority

Your SSH connection could be MITM'd from day one and you might not notice it.

Re:Key continuity management: MITM'd from day one (1)

lister king of smeg (2481612) | about a year ago | (#44127607)

What you describe is called "key continuity management".

First time you get a public key from an email that you trust

How should one decide to trust a particular e-mail? The sender can spoof the From address.

SSH currently will do a key exchange using the first-time approach without a certification authority

Your SSH connection could be MITM'd from day one and you might not notice it.

You could communicate a key id over another channel (in person, via phone, mail, etc.); with the id you can grab the public key from a key server, like PGP uses.

In practice, hosts don't give a key out of band (1)

tepples (727027) | about a year ago | (#44128301)

you could communicate a key id over another channel, (in person, via phone, mail, etc)

But what providers of shared hosting or a virtual private server are willing to do this for a customer? I've asked the tech support departments of a few such hosts, and the answer was "Just say yes to whatever key fingerprint your SSH client shows."
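The "first key you see is the one you trust" scheme proposed for Thunderbird above, and the SSH behaviour tepples compares it to, both come down to a small key-continuity store. The following is an added example (not code from any poster, not OpenSSH) showing why such a store catches a key change on later contacts but cannot tell an honest first contact from a man-in-the-middle on day one, and why a fingerprint obtained over a second channel is what closes that gap. The key blobs, the peer name `mail.example` and the result labels are constructed for the example.

```python
import base64
import hashlib
import json
from pathlib import Path

# Outcomes of a key-continuity check (names are this example's own).
FIRST_SEEN = "first-seen"            # no record yet: key recorded on trust
MATCH = "match"                      # same key as last time
MISMATCH = "mismatch"                # key changed: possible MITM, stop here
PINNED_OK = "pinned-ok"              # matches a fingerprint obtained out of band
PINNED_MISMATCH = "pinned-mismatch"  # out-of-band fingerprint disagrees: MITM caught


def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the key's SHA-256."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KeyContinuityStore:
    """Minimal known_hosts equivalent: remembers the first key seen per peer."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.known = {}
        if self.path is not None and self.path.exists():
            self.known = json.loads(self.path.read_text())

    def _save(self):
        if self.path is not None:
            self.path.write_text(json.dumps(self.known, indent=1))

    def check(self, peer, pubkey_blob, out_of_band_fp=None):
        fp = fingerprint(pubkey_blob)
        if out_of_band_fp is not None:
            # A fingerprint read over a second channel (phone, in person, paper)
            # is the only input that can expose a MITM on the very first contact.
            if fp != out_of_band_fp:
                return PINNED_MISMATCH
            self.known[peer] = fp
            self._save()
            return PINNED_OK
        stored = self.known.get(peer)
        if stored is None:
            self.known[peer] = fp  # trust on first use, nothing to compare against
            self._save()
            return FIRST_SEEN
        return MATCH if stored == fp else MISMATCH


# Constructed stand-ins for two public key blobs; not real keys.
SERVER_KEY = b"ssh-ed25519 AAAA-constructed-genuine-server-key"
ATTACKER_KEY = b"ssh-ed25519 AAAA-constructed-interceptor-key"


def honest_first_contact():
    """Genuine key seen first: later substitution is detected."""
    store = KeyContinuityStore()
    return [store.check("mail.example", SERVER_KEY),
            store.check("mail.example", SERVER_KEY),
            store.check("mail.example", ATTACKER_KEY)]


def mitm_from_day_one():
    """Interceptor's key seen first: indistinguishable from an honest first contact."""
    store = KeyContinuityStore()
    return store.check("mail.example", ATTACKER_KEY)


def mitm_caught_by_out_of_band_check():
    """Same day-one interception, but the user has the real fingerprint from another channel."""
    store = KeyContinuityStore()
    return store.check("mail.example", ATTACKER_KEY, out_of_band_fp=fingerprint(SERVER_KEY))


if __name__ == "__main__":
    print(honest_first_contact())              # ['first-seen', 'match', 'mismatch']
    print(mitm_from_day_one())                 # first-seen
    print(mitm_caught_by_out_of_band_check())  # pinned-mismatch
```

The second function is the whole of tepples' objection: the store returns the same `first-seen` answer whether the key came from the real peer or from someone sitting in the path, so the scheme's security rests entirely on the first contact not being intercepted, or on the out-of-band comparison in the third function.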

Re:The certificate crowd is proven wrong yet again (0)

Anonymous Coward | about a year ago | (#44119487)

> It's time for the certificate advocates to stop and think. They need to look at the big picture. They need to realize that while certificates may have their place
> in some very specialized situations, they are not the ultimate solution that we so desperately need.

If you're really convinced that the certificate people don't have a clue, then why are you asking *them* to fix the problem?

Re:The certificate crowd is proven wrong yet again (0)

Anonymous Coward | about a year ago | (#44120697)

You forgot one:
How do we fix security problem with certificates? "Certificates!", they squeal with the heads exploding.

Clearly the solution is...Certificates! (1)

mystikkman (1487801) | about a year ago | (#44120911)

They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.

Certificates!
Clearly the solution is to sign these old certificates with new certificates so that they become more secure.

Re:The certificate crowd is proven wrong yet again (0)

Anonymous Coward | about a year ago | (#44121005)

Why are you disproving claims of idiots? Nobody sane has ever held a position that certificates are the silver bullet for security or anything else. Like every single thing in life, protecting something of value is a never ending arms race.

Want to cheat at a sport? Arms race between people making designer drugs and people making testing protocols to detect them.
Want to kill someone? Arms race between people designing security protocols and people with high tech weaponry/low tech bribing, etc.

Re:The certificate crowd is proven wrong yet again (0)

Anonymous Coward | about a year ago | (#44121151)

How do we fix security problems with Certificates? "Certificates!", they drunkenly mumble.

The NSA could track down the hackers (0)

Anonymous Coward | about a year ago | (#44119067)

Alls they have to do is search for the intercept with the headline: "The fat lady has sung."

Theft will always be with us (1)

hessian (467078) | about a year ago | (#44119183)

There will always be people who want to commit crimes of theft.

However, we can thin their ranks a bit. Support the death penalty for cyberthieves (at least in Texas).

Re:Theft will always be with us (1)

Nyder (754090) | about a year ago | (#44119281)

There will always be people who want to commit crimes of theft.

However, we can thin their ranks a bit. Support the death penalty for cyberthieves (at least in Texas).

I support a cyber death penalty for cyber thieves. But outright kill them? Seriously? I can think of a lot better type of people to put to death in Texas, starting with the lawyers and judges then moving on to the politicians.

Say hello to Mr. Noose (1)

Camael (1048726) | about a year ago | (#44119355)

Did you recently ...
- copy any html codes from someone else's website?
- save any pictures or files from the web?
- cut and paste an article or link it to a friend?
- take any screenshots of any interesting pages you found?
- download any movies, music or porn?

Congrats, you may be a cyberthief. This way please, for your appointment with Mr. Noose.

Re:Say hello to Mr. Noose (0)

Anonymous Coward | about a year ago | (#44119591)

Congrats, you may be a cyberthief. This way please, for your appointment with Mr. Noose.

May I reschedule my appointment with Ms. Noose? She gives me a hard-on while I'm getting my hang on.

Re:Theft will always be with us (1)

myowntrueself (607117) | about a year ago | (#44119599)

There will always be people who want to commit crimes of theft.

However, we can thin their ranks a bit. Support the death penalty for cyberthieves (at least in Texas).

Congratulations on making the USA more like China!

Penalty for Cyber Crimes--Amish for life! (1)

ikhider (2837593) | about a year ago | (#44119821)

That's right, cyber criminals must be made to eschew all technology post-1800 and be consigned to an Amish paradise for life and have sex with real women. No more computers, microwave ovens and clothes with buttons and zippers. Oh, and they have to go to Church too.

Quote: current evidence suggests a limited impact (4, Funny)

Michalson (638911) | about a year ago | (#44119205)

Well of course, this only affects people that would run software signed by Opera and they have already taken steps to notify both of them of the situation.

The Opera intrusion is only the tip of the iceberg (2)

Camael (1048726) | about a year ago | (#44119441)

Opera is not the first nor the last victim of certificate theft. There is evidence that the use of digitally signed malware is increasing [techworld.com] since the Stuxnet incident gave this attack vector worldwide exposure.

Both Kaspersky Lab and BitDefender have confirmed seeing a steady increase in the number of malware threats with digitally signed components during the last 24 months. Many use digital certificates bought with fake identities, but the use of stolen certificates is also common, Craiu and Botezatu said.

Also, unless I'm mistaken, revoking stolen certificates does not prevent malware signed with them from running [securelist.com]. Most casual users, I think, tend to trust certificates (that is what they're for, after all: to certify that it's from a trusted source). Not many will bother to check the authenticity of the certificate.

1. I heard Microsoft and Verisign revoked the stolen Realtek certificate, does it mean I’m safe now?

Due to the way certificates work, a revoked certificate doesn’t mean the malware will not run anymore. You will still get infected by Stuxnet and the driver will still load without any warning. The only effect of the revoke process is that the bad guys will not be able to sign any further malware with it.

It might be premature to talk about its impact being limited until the full scope of the intrusion and loss of data is made known, and the number of users affected by the intrusion (not disclosed so far).

Re:The Opera intrusion is only the tip of the iceb (0)

Anonymous Coward | about a year ago | (#44119513)

Most casual users I think tend to trust certificates (that is what it's for, after all, to certify that its from a trusted source). Not many will bother to check the authenticity of the certificate.

This is why God created CRLs. That's actually what happened to the dinosaurs: they got revoked.

Re:The Opera intrusion is only the tip of the iceb (1)

richlv (778496) | about a year ago | (#44120521)

I'm wondering about "The only effect of the revoke process is that the bad guys will not be able to sign any further malware with it." in the cited article. How would revocation prevent further signing?
Using a CRL would (should?) prevent signed software from working, but signing with a key already in somebody's possession wouldn't be impacted.
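Both points in this sub-thread, that revocation does not stop already-signed code from running and that it cannot stop the key holder from signing more, follow from where revocation lives: in the verifier's policy, not in the signature maths. The following is an added example (not code from Opera, Kaspersky or any poster) that models a code-signing certificate, a loader that checks only the signature, and a loader that also consults a revocation list. An HMAC secret stands in for the private key so the example runs with the standard library alone; the certificate subject, file names, dates and the revocation effective date are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    secret: bytes  # toy private key material; a real cert carries only the public half


@dataclass(frozen=True)
class SignedBinary:
    payload: bytes
    subject: str          # which certificate claims to have signed it
    signed_at: datetime   # timestamp carried with the signature
    signature: bytes


def sign(cert, payload, when):
    """Whoever holds the key material can always produce a valid signature.
    Nothing here consults a CRL, so revocation cannot stop this step."""
    mac = hmac.new(cert.secret, payload + when.isoformat().encode(), hashlib.sha256).digest()
    return SignedBinary(payload, cert.subject, when, mac)


def signature_is_valid(cert, binary):
    """Pure cryptographic check: does the signature match the key?"""
    expected = hmac.new(cert.secret, binary.payload + binary.signed_at.isoformat().encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, binary.signature)


def verify_naive(cert, binary):
    """Loader that checks only the maths: revoked certificates still pass."""
    return signature_is_valid(cert, binary)


def verify_with_revocation(cert, binary, crl, trust_timestamps=True):
    """Loader that also consults a revocation list (subject -> revocation effective date).

    With trust_timestamps=True the signing time is taken as reliable (as it would be
    with a countersignature from a timestamping authority) and signatures made before
    the revocation date are honoured. With trust_timestamps=False the time is just a
    field the signer wrote, so anything from a revoked certificate is rejected."""
    if not signature_is_valid(cert, binary):
        return False
    if not (cert.not_before <= binary.signed_at <= cert.not_after):
        return False
    revoked_at = crl.get(cert.subject)
    if revoked_at is None:
        return True
    if not trust_timestamps:
        return False
    return binary.signed_at < revoked_at


# Constructed vendor certificate and two binaries signed with it.
VENDOR_CERT = SigningCert("Example Vendor Code Signing", datetime(2012, 1, 1),
                          datetime(2014, 1, 1), b"constructed-private-key")
LEGIT = sign(VENDOR_CERT, b"installer-v1.exe", datetime(2013, 6, 1))
MALWARE = sign(VENDOR_CERT, b"dropper.exe", datetime(2013, 6, 19))  # signed with the stolen key


def scenario():
    """Walk through revocation and return every verdict so they can be checked."""
    crl = {}
    r = {}
    r["naive_before_revocation"] = verify_naive(VENDOR_CERT, MALWARE)
    r["policy_before_revocation"] = verify_with_revocation(VENDOR_CERT, MALWARE, crl)
    crl[VENDOR_CERT.subject] = datetime(2013, 6, 10)  # constructed: estimated compromise date
    r["naive_after_revocation"] = verify_naive(VENDOR_CERT, MALWARE)         # still runs
    r["policy_after_revocation"] = verify_with_revocation(VENDOR_CERT, MALWARE, crl)
    r["legit_still_ok"] = verify_with_revocation(VENDOR_CERT, LEGIT, crl)    # predates revocation
    later = sign(VENDOR_CERT, b"dropper-2.exe", datetime(2013, 7, 1))        # signed after revocation
    r["thief_can_still_sign"] = signature_is_valid(VENDOR_CERT, later)
    r["later_rejected_by_policy"] = verify_with_revocation(VENDOR_CERT, later, crl)
    backdated = sign(VENDOR_CERT, b"dropper-3.exe", datetime(2013, 6, 5))    # self-declared early date
    r["backdated_slips_through"] = verify_with_revocation(VENDOR_CERT, backdated, crl)
    r["backdated_rejected_without_tsa"] = verify_with_revocation(VENDOR_CERT, backdated, crl,
                                                                 trust_timestamps=False)
    return r


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:32} {verdict}")
```

Two things to read off the results. The naive loader's answer never changes, which is the securelist FAQ's point: a revoked certificate only helps on systems whose loader actually fetches and honours the CRL. And `sign()` keeps working after the revocation date, which answers richlv: revocation can only make a verifier that checks it refuse the new signatures, and only reliably if the signing time comes from a source the thief does not control.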

Re:Quote: current evidence suggests a limited impa (0)

Anonymous Coward | about a year ago | (#44120519)

The problem isn't with the two guys that run Opera, it's with the other two guys that thought what they downloaded and installed was Opera. Opera has no idea who those other two guys are, so they need Slashdot's help in getting the word out fast.

I Hate Opera (1)

NEDHead (1651195) | about a year ago | (#44119213)

and doing it in ASL was never a real improvement

Re:I Hate Opera (0)

Anonymous Coward | about a year ago | (#44120205)

Yeah, Opera's pretty lame. Did you see that terrible interview she did with Louis Armstrong?

How do you know what gets stolen? (0)

Anonymous Coward | about a year ago | (#44119225)

I don't know much about intrusion detection but how would someone go about detecting what was taken? How do you detect someone copying data from somewhere? It seems like data is only being read which would be more difficult to detect than data being written over or being deleted which could be detected. Does anyone have any insight how you would detect an intrusion?

Re:How do you know what gets stolen? (2)

Yomers (863527) | about a year ago | (#44119251)

By seeing malware signed by your certificate?

Re:How do you know what gets stolen? (0)

Anonymous Coward | about a year ago | (#44119317)

I am the same AC that asked the original question but I meant how about other attacks that have happened in the past. Like personal user data stolen or something. So what you're saying is that the only way to know if any data has been stolen is if you see it posted online somewhere?

Re:How do you know what gets stolen? (1)

Yomers (863527) | about a year ago | (#44119563)

If you know the system was compromised you can presume that data was stolen.

---
Captain Obvious

Re:How do you know what gets stolen? (1)

gl4ss (559668) | about a year ago | (#44119757)

I am the same AC that asked the original question but I meant how about other attacks that have happened in the past. Like personal user data stolen or something. So what your saying is that the only way to know if any data has been stolen is if your see it posted online somewhere?

Some systems have access logs built so that even if you manage to get the data, you might not be able to remove your log entries for doing so. Varies case by case of course.
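One way to build access logs of the kind gl4ss describes, where an intruder who has read the data cannot quietly remove the entry recording that read, is to hash-chain the entries and copy the current chain head off the host as it is written. The following is an added example (not code from any poster or from any particular product) that shows both what the chain detects on its own and what it only detects once the head has been shipped elsewhere. The log records, user names and the `signing-key-store` object name are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain head before any entry exists


def _link(prev_hash, record):
    """Hash of this entry, bound to the hash of the entry before it."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


class ChainedAccessLog:
    def __init__(self):
        self.entries = []  # list of (record, hash)

    def append(self, record):
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = _link(prev, record)
        self.entries.append((record, h))
        return h  # caller ships this head off-host (write-once collector, remote syslog)

    def head(self):
        return self.entries[-1][1] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, index_of_first_bad_entry). expected_head is the copy held off-host."""
        prev = GENESIS
        for i, (record, h) in enumerate(self.entries):
            if _link(prev, record) != h:
                return (False, i)
            prev = h
        if expected_head is not None and prev != expected_head:
            return (False, len(self.entries))
        return (True, None)


# Constructed sample access records; the third is the read an intruder would want to hide.
SAMPLE_RECORDS = [
    {"ts": "2013-06-19T00:58:02Z", "user": "build-agent", "action": "read", "object": "release-notes"},
    {"ts": "2013-06-19T01:00:11Z", "user": "build-agent", "action": "read", "object": "build-config"},
    {"ts": "2013-06-19T01:03:40Z", "user": "svc-backup", "action": "read", "object": "signing-key-store"},
    {"ts": "2013-06-19T01:05:09Z", "user": "ops", "action": "read", "object": "deploy-manifest"},
]


def scenario():
    log = ChainedAccessLog()
    shipped_head = GENESIS
    for rec in SAMPLE_RECORDS:
        shipped_head = log.append(rec)  # head copied off-host after every append

    # Intruder deletes the entry without touching the rest: chain breaks locally.
    clumsy = ChainedAccessLog()
    clumsy.entries = [e for e in log.entries if e[0]["object"] != "signing-key-store"]

    # Intruder with full host access deletes the entry and re-chains everything after it.
    careful = ChainedAccessLog()
    for rec, _ in log.entries:
        if rec["object"] != "signing-key-store":
            careful.append(rec)

    return {
        "intact": log.verify(shipped_head),
        "clumsy_local": clumsy.verify(),
        "careful_local": careful.verify(),              # looks fine on the host itself
        "careful_vs_shipped": careful.verify(shipped_head),  # caught by the off-host copy
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:20} {result}")
```

The local chain alone only catches the clumsy deletion; an intruder who can rewrite the log file can rebuild a consistent chain. What makes the read un-hideable is the head that already left the host, which is why such logs are paired with a write-once or remote sink rather than relying on the chain by itself.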

Are we sure this isn't the NSA? (0)

Anonymous Coward | about a year ago | (#44119285)

We have Snowden's cyber attack leak and his claims the NSA was behind thousands of cyber attacks including the Chinese University.

http://www.guardian.co.uk/world/2013/jun/13/snowden-revelations-nsa-china-relations

We also have the leaked memo from the President authorizing it:

http://www.guardian.co.uk/world/interactive/2013/jun/07/obama-cyber-directive-full-text

The NSA *are* the 800lb gorilla in cyber attacks; a few script kiddies don't have the $4 billion cyber budget the NSA has. So the question comes back to a simple one: "Are we sure this wasn't an NSA operation to sign malware?". Like Stuxnet was some super clever worm, only later it turned out to be targeted at Iran's reactors and probably made by the NSA. If they did Stuxnet, it's likely they did many others, and breaking into a database is one of the possibles listed in the President's authorization.

Re:Are we sure this isn't the NSA? (1)

myowntrueself (607117) | about a year ago | (#44119615)

But its all supervised by judges!

(I guess, given the scale of it, this means all the spooks at the NSA are judges. Maybe they'll soon make all the street cops judges too, that would work out well I'm sure. There's probably a cadet at the academy now who can't wait to have 'Judge' in front of his name. Cadet Dredd).

Re:Are we sure this isn't the NSA? (1)

gl4ss (559668) | about a year ago | (#44119763)

actually no, what they do "in" Norway isn't supervised by anyone.

and what I mean by "in" is that they do it while sitting in the USA and argue that then it is not a crime for them to perform something that is a crime in Norway (try it the other way and they'll argue it's a crime that happened on US soil. fuckers.).

Are Opera users on other platforms also exposed? (2)

Camael (1048726) | about a year ago | (#44119329)

Reading the advisory from Opera, the only information on the possible consequences of the breach is that:

It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate.

Are users of other OSes similarly exposed to malicious software, such as those using Mac, Linux, Android or iOS?

Re:Are Opera users on other platforms also exposed (0)

Anonymous Coward | about a year ago | (#44120139)

I was using opera at that time and haven't received anything... I feel cheated now.

Signing certificate per platform (1)

tepples (727027) | about a year ago | (#44122077)

Apart from platforms that use OpenPGP, such as .deb-based GNU/Linux platforms, each platform has a separate signing certificate. OS X has its own, Android has its own, iOS has its own, and Windows has two: Authenticode for desktop applications and the Windows Store developer license for immersive applications. For small developers, it's a hassle to keep all of them renewed, but for companies big enough to draw targeted attacks like this, it's a benefit.

HEH !! LIKE ANYONE THAT MATTERS USES OPERA !! (-1)

Anonymous Coward | about a year ago | (#44119425)

Commies don't count !!

Blame Snowden (0)

Anonymous Coward | about a year ago | (#44119543)

He probably had a hand in it.

Its ok - Opera stopped making browsers a month ago (2)

citizenr (871508) | about a year ago | (#44120413)

All they do now is recompile Chromium with their branding.

Re:Its ok - Opera stopped making browsers a month (1)

hkmwbz (531650) | about a year ago | (#44152505)

That's not true at all. They have made their own user interface on top of Chromium.

Re:Its ok - Opera stopped making browsers a month (1)

citizenr (871508) | about a year ago | (#44153245)

So they are a UI company now. Still not a browser company.

Re:Its ok - Opera stopped making browsers a month (1)

hkmwbz (531650) | about a year ago | (#44178417)

No, they are still a browser company. They are even contributing to Webkit (now Blink). Anyway, you should at least admit that the claim you made turned out to be false.

Re:Its ok - Opera stopped making browsers a month (1)

citizenr (871508) | about a year ago | (#44179691)

It's not false and it won't be false until I can right click in Opera >=15 and see "edit site preferences".

Re:Its ok - Opera stopped making browsers a month (1)

hkmwbz (531650) | about a year ago | (#44186749)

So if they removed that option from Opera 12, they would no longer be a browser company? That setting is what defines a browser company? Come on... you are making a fool of yourself.

Admit it, you messed up. You claimed that all they do is to recompile Chromium, which is wrong since they've made their own UI. You then admitted that you were wrong but now insisted that they were just a UI company. I then pointed out that they are contributing to Webkit/Blink, and now you're just trying to change the subject.

More Ammo (1)

organgtool (966989) | about a year ago | (#44121599)

The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies

That's just great! Now all of those snooty Opera users will be able to brag about having another feature before all of the other browsers.

Re:More Ammo (0)

Anonymous Coward | about a year ago | (#44127695)

As a snooty Opera user, we are all planning on jumping ship (most likely to firefox) because the newest version is no longer anything special.
