Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Phishing Scams Incorporate SSL Certificates

timothy posted more than 10 years ago | from the flashing-a-badge dept.


dettifoss writes "Netcraft reports: `Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.' Perhaps more disturbingly: `Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted.'"

cancel ×


Sorry! There are no comments related to the filter you selected.

Whoa, phish! (-1)

ShockerFan (741511) | more than 10 years ago | (#8518049)

Phish is ghey. I got da FP. bye!

Addendum to FP (-1)

ShockerFan (741511) | more than 10 years ago | (#8518109)

This fine FP was another production of the Cabal of Logged In Trolls. Props to Sexual Asspussy and all his/her aliases; anti-props to GNAA, except for GNAA Sympathizer. Peace!

PGP Verified First Post (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8518261) is not OpenPGP compliant. Please remove the spaces slash inserts to verify signature.

Hash: SHA1

Whoa, phish! (Score:-1)
by ShockerFan (741511) <shockerfan@b[ ] ['ell' in gap]> on Tuesday March 09, @11:54PM (#8518049)
(Last Journal: Wednesday January 14, @10:59PM)

Phish is ghey. I got da FP. bye!
Version: GnuPG v1.2.3 (GNU/Linux)

iD8FUCKATsa5mnC8Ma6ZvpIRAkoDAKDC5Yb 5y5Z5p/6A\yRPa4jqMSmyZwCg1txN

pfft (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8518051)

I stopped phishing when AOL 3.0 came out...

Phish chicks smell bad (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8518206)

The only time I got the clap was when I stuck it up a fucked up hippie chick in a van outside of a phish show a couple years ago. Never again.

FIRST POST! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8518052)


DAMN IT -- I MISSED FP!!! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8518077)

<a href="">3.141592653589793238462643 38327950288419716939937510582097494459230781640628 62
0899862803482534211706798214808651328230664709 38446095505822317253594081284811
1745028410270193 85211055596446229489549303819644288109756659334461 284756482337
867831652712019091456485669234603486 104543266482133936072602491412737245870066
063155 88174881520920962829254091715364367892590360011330 5305488204665213841469
51941511609433057270365759 59195309218611738193261179310511854807446237996274 95
6735188575272489122793818301194912983367336244 06566430860213949463952247371907
0217986094370277 05392171762931767523846748184676694051320005681271 452635608277
857713427577896091736371787214684409 012249534301465495853710507922796892589235
420199 56112129021960864034418159813629774771309960518707 2113499999983729780499
51059731732816096318595024 45945534690830264252230825334468503526193118817101 00
0313783875288658753320838142061717766914730359 82534904287554687311595628638823
5378759375195778 18577805321712268066130019278766111959092164201989 380952572010
654858632788659361533818279682303019 520353018529689957736225994138912497217752
834791 31515574857242454150695950829533116861727855889075 0983817546374649393192
55060400927701671139009848 82401285836160356370766010471018194295559619894676 78
3744944825537977472684710404753464620804668425 90694912933136770289891521047521
6205696602405803 81501935112533824300355876402474964732639141992726 042699227967
823547816360093417216412199245863150 302861829745557067498385054945885869269956
909272 10797509302955321165344987202755960236480665499119 8818347977535663698074
26542527862551818417574672 89097777279380008164706001614524919217321721477235 01
4144197356854816136115735255213347574184946843 85233239073941433345477624168625
1898356948556209 92192221842725502542568876717904946016534668049886 272327917860
857843838279679766814541009538837863 609506800642251252051173929848960841284886
269456 04241965285022210661186306744278622039194945047123 7137869609563643719172
87467764657573962413890865 83264599581339047802759009946576407895126946839835 25
9570982582262052248940772671947826848260147699 09026401363944374553050682034962
5245174939965143 14298091906592509372216964615157098583874105978859 597729754989
301617539284681382686838689427741559 918559252459539594310499725246808459872736
446958 48653836736222626099124608051243884390451244136549 7627807977156914359977
00129616089441694868555848 40635342207222582848864815845602850601684273945226 74
6767889525213852254995466672782398645659611635 48862305774564980355936345681743
2411251507606947 94510965960940252288797108931456691368672287489405 601015033086
179286809208747609178249385890097149 096759852613655497818931297848216829989487
226588 04857564014270477555132379641451523746234364542858 4447952658678210511413
54735739523113427166102135 96953623144295248493718711014576540359027993440374 20
0731057853906219838744780847848968332144571386 87519435064302184531910484810053
7061468067491927 81911979399520614196634287544406437451237181921799 983910159195
618146751426912397489409071864942319 615679452080951465502252316038819301420937
621378 55956638937787083039069792077346722182562599661501 4215030680384477345492
02605414665925201497442850 73251866600213243408819071048633173464965145390579 62
6856100550810665879699816357473638405257145910 28970641401109712062804390397595
1567715770042033 78699360072305587631763594218731251471205329281918 261861258673
215791984148488291644706095752706957 220917567116722910981690915280173506712748
583222 87183520935396572512108357915136988209144421006751 0334671103141267111369
90865851639831501970165151 16851714376576183515565088490998985998238734552833 16
3550764791853589322618548963213293308985706420 46752590709154814165498594616371
8027098199430992 44889575712828905923233260972997120844335732654893 823911932597
463667305836041428138830320382490375 898524374417029132765618093773444030707469
211201 91302033038019762110110044929321516084244485963766 9838952286847831235526
58213144957685726243344189 30396864262434107732269780280731891544110104468232 52
7162010526522721116603966655730925471105578537 63466820653109896526918620564769
3125705863566201 85581007293606598764861179104533488503461136576867 532494416680
396265797877185560845529654126654085 306143444318586769751456614068007002378776
591344 01712749470420562230538994561314071127000407854733 2699390814546646458807
97270826683063432858785698 30523580893306575740679545716377525420211495576158 14
0025012622859413021647155097925923099079654737 61255176567513575178296664547791
7450112996148903 04639947132962107340437518957359614589019389713111 790429782856
475032031986915140287080859904801094 121472213179476477726224142548545403321571
853061 42288137585043063321751829798662237172159160771669 2547487389866549494501
14654062843366393790039769 26567214638530673609657120918076383271664162748888 00
7869256029022847210403172118608204190004229661 71196377921337575114959501566049
6318629472654736 42523081770367515906735023507283540567040386743513 622224771589
150495309844489333096340878076932599 397805419341447377441842631298608099888687
413260 47215695162396586457302163159819319516735381297416 7729478672422924654366
80098067692823828068996400 48243540370141631496589794092432378969070697794223 62
5082216889573837986230015937764716512289357860 15881617557829735233446042815126
2720373431465319 77774160319906655418763979293344195215413418994854 447345673831
624993419131814809277771038638773431 772075456545322077709212019051660962804909
263601 97598828161332316663652861932668633606273567630354 4776280350450777235547
10585954870279081435624014 51718062464362679456127531813407833033625423278394 49
7538243720583531147711992606381334677687969597 03098339130771098704085913374641
4428227726346594 70474587847787201927715280731767907707157213444730 605700733492
436931138350493163128404251219256517 980694113528013147013047816437885185290928
545201 16583934196562134914341595625865865570552690496520 9858033850722426482939
72858478316305777756068887 64462482468579260395352773480304802900587607582510 47
4709164396136267604492562742042083208566119062 54543372131535958450687724602901
6187667952406163 42522577195429162991930645537799140373404328752628 889639958794
757291746426357455254079091451357111 369410911939325191076020825202618798531887
705842 97259167781314969900901921169717372784768472686084 9003377024242916513005
00516832336435038951702989 39223345172201381280696501178440874519601212285993 71
6231301711444846409038906449544400619869075485 16026327505298349187407866808818
3385102283345085 04860825039302133219715518430635455007668282949304 137765527939
751754613953984683393638304746119966 538581538420568533862186725233402830871123
282789 21250771262946322956398989893582116745627010218356 4622013496715188190973
03811980049734072396103685 40664319395097901906996395524530054505806855019567 30
2292191393391856803449039820595510022635353619 20419947455385938102343955449597
7837790237421617 27111723643435439478221818528624085140066604433258 885698670543
154706965747458550332323342107301545 940516553790686627333799585115625784322988
273723 19898757141595781119635833005940873068121602876496 2867446047746491599505
49737425626901049037781986 83593814657412680492564879855614537234786733039046 88
3834363465537949864192705638729317487233208376 01123029911367938627089438799362
0162951541337142 48928307220126901475466847653576164773794675200490 757155527819
653621323926406160136358155907422020 203187277605277219005561484255518792530343
513984 42532234157623361064250639049750086562710953591946 5897514131034822769306
24743536325691607815478181 15284366795706110861533150445212747392454494542368 28
8606134084148637767009612071512491404302725386 07648236341433462351897576645216
4137679690314950 19108575984423919862916421939949072362346468441173 940326591840
443780513338945257423995082965912285 085558215725031071257012668302402929525220
118726 76756220415420516184163484756516999811614101002996 0783869092916030288400
26910414079288621507842451 67090870006992821206604183718065355672525325675328 61
2910424877618258297651579598470356222629348600 34158722980534989650226291748788
2027342092222453 39856264766914905562842503912757710284027998066365 825488926488
025456610172967026640765590429099456 815065265305371829412703369313785178609040
708667 11496558343434769338578171138645587367812301458768 7126603489139095620099
39361031029161615288138437 90990423174733639480457593149314052976347574811935 67
0911013775172100803155902485309066920376719220 33229094334676851422144773793937
5170344366199104 03375111735471918550464490263655128162288244625759 163330391072
253837421821408835086573917715096828 874782656995995744906617583441375223970968
340800 53559849175417381883999446974867626551658276584835 8845314277568790029095
17028352971634456212964043 52311760066510124120065975585127617858382920419748 44
2360800719304576189323492292796501987518721272 67507981255470958904556357921221
0333466974992356 30254947802490114195212382815309114079073860251522 742995818072
471625916685451333123948049470791191 532673430282441860414263639548000448002670
496248 20179289647669758318327131425170296923488962766844 0323260927524960357996
46925650493681836090032380 92934595889706953653494060340216654437558900456328 82
2505452556405644824651518754711962184439658253 37543885690941130315095261793780
0297412076651479 39425902989695946995565761218656196733786236256125 216320862869
222103274889218654364802296780705765 615144632046927906821207388377814233562823
608963 20806822246801224826117718589638140918390367367222 0888321513755600372798
39400415297002878307667094 44745601345564172543709069793961225714298946715435 78
4687886144458123145935719849225284716050492212 42470141214780573455105008019086
9960330276347870 81081754501193071412233908663938339529425786905076 431006383519
834389341596131854347546495569781038 293097164651438407007073604112373599843452
251610 50702705623526601276484830840761183013052793205427 4628654036036745328651
05706587488225698157936789 76697422057505968344086973502014102067235850200724 52
2563265134105592401902742162484391403599895353 94590944070469120914093870012645
6001623742880210 92764579310657922955249887275846101264836999892256 959688159205

Re:FIRST POST! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8518311)

yeah, you missed it by a long shot, dumbass!

GNAA Thanks You For Your Cooperation (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8518411)

Props on the failed post.

Offtopic: Slashdot tech jobs (-1, Offtopic)

britneys 9th husband (741556) | more than 10 years ago | (#8518058)

Has anyone seen the banner ad for "Slashdot tech jobs"? Let's say you're a business, and you hire someone that found your listing through Slashdot. Are you going to act all surprised when they sit around all day... reading Slashdot? What genius thought of this?

Do people even see the lock? (5, Interesting)

valence (164639) | more than 10 years ago | (#8518061)

Based on my experiences helping neophytes do web work, my guess is that 90% of the web-using public doesn't even notice the little key icon, and don't know what a security certificate is even when the dialog to accept one appears. All they usually look at is the web page itself... especially on a browser like Safari where the lock is a small icon in the title bar that escaped me the first time I went looking for it. It might be interesting to have some usability folks do an eye movement analysis to see if the average user's eye ever tracks to the lock icon during normal browsing.

Of course, this does make it more likely for people who hit that nasty stage of knowing just enough about online security to be dangerous to get caught...

Re:Do people even see the lock? (3, Insightful)

RoundSparrow (341175) | more than 10 years ago | (#8518081)

I agree, most users don't even pay attention to the lock.

And even if they do... SO WHAT -- gee your data is encrypted for the 100ms it travels between your PC and the web server.

But is the web server itself secure? Most aren't... most are written by ASP + PHP programmers who have no clue about SQL Injection.

Re:Do people even see the lock? (5, Insightful)

mrseigen (518390) | more than 10 years ago | (#8518094)

But is the web server itself secure? Most aren't... most are written by ASP + PHP programmers who have no clue about SQL Injection.

Excellent point, you have to consider the pinheads who are keeping your credit card data on file as well. Somebody comes by, cracks a few passwords and they walk off with all this data. That's a lot less work than busting SSL.

Re:Do people even see the lock? (2, Insightful)

LostCluster (625375) | more than 10 years ago | (#8518156)

Or worse yet... the people who have the root passwords to the server walk off with the data with no hacking needed.

Re:Do people even see the lock? (4, Funny)

gilrain (638808) | more than 10 years ago | (#8518181)

Or, worse yet, the guy who has the credit card in his wallet goes out and buys something! Oh wait, I guess that was a step too far.

Re:Do people even see the lock? (3, Funny)

Anonymous Coward | more than 10 years ago | (#8518231)

Or, still even worse, the guy with the credit card travels to Soviet Russia where his credit card spends *him*.

Re:Do people even see the lock? (0, Funny)

snarkh (118018) | more than 10 years ago | (#8518506)

Or, worse yet, the guy who has the credit card in his wallet goes out and buys something!

What a disaster!

Re:Do people even see the lock? (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8518232)

What are some good resources for a web developer to read so that they know how to design secure sites that use RDBMS as a backend?

Re:Do people even see the lock? (5, Informative)

Anaxagor (211917) | more than 10 years ago | (#8518448)

What are some good resources for a web developer to read so that they know how to design secure sites that use RDBMS as a backend?

OWASP [] is a good start.

Re:Do people even see the lock? (0)

fodi (452415) | more than 10 years ago | (#8518347)

Can somone please explain the implications of using plain text SSL encryption? I'm under the impression that 128bit or above, non-reversible encryption is, in all practise, unbreakable. Also, isn't it common practise to encrypt sensitive data stored in a database with the same level of security? So, if someone does snif an encrypted packet, or access your database, how can they actually make use of the data they steal?


Look for the cute little lock! (2, Interesting)

fm6 (162816) | more than 10 years ago | (#8518309)

And even if they do... SO WHAT -- gee your data is encrypted for the 100ms it travels between your PC and the web server.
That 100ms is long enough for a packet sniffer to grab your credit card number. But that's not why they're playing up that lock icon. They're trying to give people a simple way to distinguish legitimate sites from phishing sites. Not a very good way, of course, but I'm not sure I know a better one.

Re:Do people even see the lock? (4, Interesting)

miracle69 (34841) | more than 10 years ago | (#8518095)

Would there be a way to have the browser display some sort of image transparency on the secure web page?

If the user was forced to pick a unique picture/bitmap/watermark that would be displayed on secure webpages by the browser, it could help with security. I.E. Design the browser so no ssl pages work until the user selects a unique bmp/jpeg that would be displayed as a unique overlay somewhere on the web page that allows them to verify that the page is secured.

Re:Do people even see the lock? (1)

gilrain (638808) | more than 10 years ago | (#8518194)

Maybe as an option, but for god's sake don't force the thing. I, and many others, *do* look for the lock and would prefer to not have some image ruining the look of the page.

Re:Do people even see the lock? (5, Insightful)

nacturation (646836) | more than 10 years ago | (#8518276)

Would there be a way to have the browser display some sort of image transparency on the secure web page?

Given that the problem can be clearly stated and this is software we're talking about, yes -- such a method could easily be implemented. Alternate solutions could be changing the colors for the titlebar/statusbar, unique secure text/mouse cursor icons, flashing page borders, etc. However, if the trust is misplaced (as this article suggests) then all this notification is kind of pointless. User education on top of security-conscious software is still the best way to deal with security concerns.

Re:Do people even see the lock? (1)

asmellysock (649878) | more than 10 years ago | (#8518284)

Sometimes individual entry fields can be https without the page on which they are appearing being secure. For example, go to the bankone web site. The login field has a little lock next to it drawn by the site itself (not the browser).

Re:Do people even see the lock? (1)

Pieroxy (222434) | more than 10 years ago | (#8518294)

It might be interesting to have some usability folks do an eye movement analysis

Well, since https is flawed in its mere design (As the story says) I'd say save the trouble of doing an analysis and just forget about the whole thing.

Interface issue (0, Redundant)

Overly Critical Guy (663429) | more than 10 years ago | (#8518479)

The browser should somehow make it more prominent then, without annoying the user. If you really wanted to be safe, have the window give itself a red border around the page, instead of a tiny little lock at the bottom. People would notice a red border, yet it wouldn't be intrusive.

Re:Do people even see the lock? (5, Insightful)

rcpitt (711863) | more than 10 years ago | (#8518495)

The biggest problem with "seeing the lock" is that the lock icon itself does not intrude enough and the "You're now viewing a secure site" message is too intrusive.

The auto industry went through this when they put warning bells/buzzers on their cars telling drivers/passengers that their belt was not done up. The warning was persistent and loud - and got disabled (read ignored for the lock symbol and turned off for the message) ASAP.

They (the auto industry) learned though - they put the buzzer/bell on for only a few seconds at the beginning of the trip - reminding those who cared and not pissing off the rest enough to result in turning off the warning permanently (and thereby removing the warning from others who might drive the car/run the browser)

The lesson is "If you are going to issue a warning message - do it for a few seconds and then get rid of it so the idiot driving doesn't use wire cutters to remove it altogether"

Are you listening programmers?

*The* question remains: (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8518078)

Why is my hamster so nice? It can eat a lot and is so soft!

SSL certificates in 2004 (5, Informative)

ddent (166525) | more than 10 years ago | (#8518082)

(Disclaimer: I am probably biased, since we issue
SSL certificates
on our website.)

This article is a good example of yet another reason why the old advice of
"make sure the site you are dealing with has an ssl certificate, and you
should be fine" is no longer entirely true.

To be more confident you are dealing with a reputable/accountable merchant/site, you
should not only make sure that they have an SSL certificate, but you
should also actually click on the lock (or however it is done in the browser
you use) and look at the certificate.

The reason the advice used to be valid, is that traditionally, to get an SSL
certificate, you had to provide documents to prove you are who you say you
are, i.e. DUNS #, articles of incorporation, business license, DBA, bank statement,
passport, driver's license, whatever. That is still true for most of the
certificate authorities, but it isn't always true. Some of the new certificate
authorities don't actually ask to see documents before issuing the
certificate, instead, they merely make sure that you have control of the
domain by sending an email to the listed contacts. In some cases, they also
place a phone call to a number you provide them (I fail to see how this does
anything, but..). Certificate authorities that do this will issue the
certificate to "Domain control validated, organization not validated" as the
organization (or similar text to that effect) rather than to the actual name
of the company the certificate is for. These certificates are
perfectly fine for making sure things
are encrypted, however, they make the certificate useless for getting an idea
about the legitimacy of who you are dealing with. They also don't tend to
carry the warranties that other ones do (and for good reason, who would
underwrite that procedure?).

Re:SSL certificates in 2004 (1, Informative)

ddent (166525) | more than 10 years ago | (#8518125)

Gah... I submitted this as HTML but slashcode interpreted it as plaintext and messed up the formatting somehow... sorry!

Anybody got a list of "BAD" Cert providers? (4, Interesting)

nlinecomputers (602059) | more than 10 years ago | (#8518240)

Ok if the bad guys can get certs from slime certificate houses then I can delete said certificates or mark them untrustworthy. Will I then get warning about the certificate being invalid and that should prompt me to take a closer look.

If so anybody have a list of SSL providers I should be giving a second look at when the site pops up?

Re:SSL certificates in 2004 (-1, Offtopic)

normal_guy (676813) | more than 10 years ago | (#8518290)

What a horribly formatted post, and it got up to 5?

Re:SSL certificates in 2004 (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8518317)








had to



Re:SSL certificates in 2004 (1)

ddent (166525) | more than 10 years ago | (#8518339)

Uh, that AC was not me. And I already apologized for the poor formattting... kindly lay off :)

Re:SSL certificates in 2004 (1)

andreMA (643885) | more than 10 years ago | (#8518443)

Ever since the "Extrans" and "code" options were added I've found posting with HTML to be hit-or-miss as well. Ah, to be a beta-tester.

Re:SSL certificates in 2004 (1)

ThisIsFred (705426) | more than 10 years ago | (#8518400)

Some of the new certificate authorities don't actually ask to see documents before issuing the certificate, instead, they merely make sure that you have control of the domain by sending an email to the listed contacts.

That doesn't make me feel any wiser or safer. Asking for all of that information isn't the litmus test for the legitimacy of a CA. Heck, that'd be a great front for an identity thief. I'm no more trusting of big tech companies offering certificates. Just because they charge a wad of dough doesn't make them competent or trustworthy. There needs to be ethics standards in place for these CAs. SSL encrypted web sites are the preferred way to do business transactions with mail-order companies. If there isn't some kind of trusted organization in place to enforce some ethical standards, it'll end up being like the stock market in the 1980s.

Re:SSL certificates in 2004 (0)

Anonymous Coward | more than 10 years ago | (#8518430)

Umm... non verified SSL certs? And you don't tell us whom?
Not even a http://cutandand l?


This slashdot right?
I am sure there are lots of home servers our there that would love to get a cert w/o having a corporation.

Niggers... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8518087)

just feasted on my junk liberally..

The short (2, Informative)

Idealius (688975) | more than 10 years ago | (#8518088)

Here's the kicker (From Article):

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.

Here's the competition (From Google):

About Comodo:
Comodo is the leading WebTrust-compliant enterprise solutions provider for E-commerce Security Solutions. Firmly established in the market, Comodo markets a range of innovative products and services developed by its dedicated research lab delivering software, hardware, secure messaging and certificate-based security.

Comodo offers its SEEOS(TM) Secure Enterprise Extensible Operating System for integrated network security, together with secure Linux applications delivered via its Trustix(TM) brand, SIDEN(TM) next generation ASIC, Instant SSL Certificates for securing web servers and patented web site verification and identity solutions. For product information please contact US +1 800 772 5185 or Europe +44 (0) 161 874 7070 or visit the Comodo Home Page at .

About Betrusted:
Betrusted is the premier global provider of security and trust services to the world's leading organizations and government agencies. Through its managed security services, Betrusted offers clients a comprehensive package of leading security products coupled with unrivalled expertise to help reduce costs, increase revenues and comply with government and industry regulations. For more information, please visit our website at . Betrusted is owned by One Equity Partners, Bank One's private equity group.

( l-120104.html [] )

Re:The short (0, Offtopic)

Idealius (688975) | more than 10 years ago | (#8518158)

Flamebait +1

For fun.

Average Joe (5, Insightful)

LordK3nn3th (715352) | more than 10 years ago | (#8518097)

Average Joe doesn't have any idea what encryption is or why it's important. Average Joe just wants to point, click, and buy. Hell, I rarely pay attention to it.

Isn't it more likely that people were suckered in not because of the SSL trick but rather simply from "scam" or mimic pages instead?

That is evil.. (0)

Sovern (631825) | more than 10 years ago | (#8518098)

Considering the low level of understanding most users have, I think many more will fall for these scemes. We should all switch to the dark side.

Re:That is evil.. (0)

Anonymous Coward | more than 10 years ago | (#8518132)

The low-level users don't know anything about SSL or encryption etc. If these users are going to get duped into entering thier info they are going to wether it is SSL enrypted or not.

It doesn't matter (4, Insightful)

TheDarkener (198348) | more than 10 years ago | (#8518103)

What, is this going to trick another 1% of so called "technically adept" people *COUGHmcseCOUGH* into giving their online bank login info over a freakin' website? Who ever ASKS YOU for your login information?! They reset it, and they have you reset it upon login.

Ooooh... Wait a minute. That could be a NEW strain of e-mails... Just takes a little more HTML craftmanship to code a fake E-Mail with a "reset" password, you log into the evil website with it, and enter in your "new" (which would most likely be your old one again, for most people) info. Scary!

Re:It doesn't matter - but it does (1)

RoundSparrow (341175) | more than 10 years ago | (#8518136)

I don't agree... It does matter. There are those of us who still use email, despite the spam (and phishing that this story is about).

And when I get a legit looking letter that looks like a real notice from a domain registrar, web site I have account with (PayPal, eBay, eSnipe, Mwave, NewEgg, etc.) - then I want to respond.

Business is about relationship with customer and company... you SHOULD read your notices that your account is past due, that your account was hacked and you need to change your password

Fraud and crime sucks no matter what part of your life. Don't just accept it. Yes, things are not what they used to be on the Internet... it is the job of the geek to help educate the masses and to help track down the as*holes.

Re:It doesn't matter - but it does (2, Interesting)

LostCluster (625375) | more than 10 years ago | (#8518204)

I think the problem is that the Internet is using all sorts of technologies that allow things to be misrepresented... the basic IP protocol was written in an era where every other host on the Internet could presumed to be somewhat friendly, since everyone was either part of the US Government or an academic who was affiliated with a univeristy. Any abusers of the Internet could be identified and thrown out.

Now, absolutely every weakness is being found and exploited. The Internet just wasn't designed for this...

Re:It doesn't matter (4, Informative)

PacoTaco (577292) | more than 10 years ago | (#8518472)

Who ever ASKS YOU for your login information?

Verisign does. After failing to get an account migration problem fixed via email, I finally resorted to calling them. The rep asked for my username and password to verify my identity and couldn't understand why I refused to give out my password over the phone. I asked him if the passwords were stored in their database in plaintext or if he was going to check it by logging on, but he wouldn't tell me.

Defeats the purpose of SSL? (5, Insightful)

chrispyman (710460) | more than 10 years ago | (#8518121)

Wasn't the entire point of SSL was to be encrypted? Who's bright idea was it to put plain text in SSL in the first place, much less give browsers support for it?

Re:Defeats the purpose of SSL? (1)

zeruch (547271) | more than 10 years ago | (#8518145)

the entire point of any one technology these days seems to be to do something that will be eclipsed and/or circumvented by another technology in roughly realtime. ain't high-tech fun?

Re:Defeats the purpose of SSL? (4, Informative)

realdpk (116490) | more than 10 years ago | (#8518251)

Sometimes all you need is authentication. It would actually be nice if plaintext sites could have plaintext certificates so you'd know you're going to the right place, but still be able to browse without the added encryption overhead with every request.

There would, of course, need to be a way to easily differentiate between encrypted and non-encrypted sites just like now.

Re:Defeats the purpose of SSL? (2, Interesting)

chamilto0516 (675640) | more than 10 years ago | (#8518318)

OK, given what is in this thread, I ask this: In the popular browsers (IE, Netscape, Mozilla, Firefox, Safari) how would I turn off "plain text" SSL. But if I could, would I want to? Would that break SSL authenication without encryptions type things and do a lot of sites do that?

For the record, I do look for the lock icon but because of that, I do turn off the "you are connecting to a secure site/you are leaving a secure site." 9 times out of 10, I do click on the lock and verify that the URL in the cert matches the url that I am pointing to...but I do understand that I'm especially paranoid in a nerdy kinda way.

Re:Defeats the purpose of SSL? (0)

NutscrapeSucks (446616) | more than 10 years ago | (#8518372)

Is it possible to disable these plain text certificates?

I just looked through Firefox and IE and don't see any clearly marked as "Plain Text". The only one that looks slightly funky is "NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc."; "VeriSign Time Stamping Service Root"

Re:Defeats the purpose of SSL? (4, Interesting)

femto (459605) | more than 10 years ago | (#8518384)

Perhaps the problem is a user interface one? Typically, a user will interpret a 'lock' to mean security. Wouldn't the solution be to only display the lock when the link is actually encrypted (plain text doesn't count as encryption)? Alternatively, replace the 'binary' lock with an analog scale indicating an effective key length (in bits) as an indicator of security level. Perhaps have the bar change colour when it passes a level of security strong enough to be considerd as 'encrypted'?

I presume the second half of the problem in that MS Internet Explorer allows (is this fixed?) a site to misrepresent its address in the address bar? That way the user cannot be sure that the address displayed matches that in the certificate.

Personally, I've never understood the mentality of allowing a web page to modify ANYTHING outside the boundaries of its frame. Doesn't this break the whole 'object orientedness' of a windowing display?

Best strategy for fighting this (5, Insightful)

kongjie (639414) | more than 10 years ago | (#8518123) probably a low-tech one.

If I understand correctly, phishing comes into play when users are sent an e-mail with a bogus link. Probably something like "we've detected fraudulent use of your account, please follow this link to verify your information" etc. etc.

There is no reason to follow links in e-mail to get to a site that you regularly use. If you doubt the authenticity of an e-mail from, say, American Express, just visit the site as you usually do, through a bookmark. After logging in you should be able to access the necessary info.

Re:Best strategy for fighting this (1)

RoundSparrow (341175) | more than 10 years ago | (#8518177)

Yha, and domain typo squatters, etc.

Surfing was 'fun', now it has become a nightmare.

Re:Best strategy for fighting this (1)

platipusrc (595850) | more than 10 years ago | (#8518337)


And what's the point of SlashHot [] anyway?

Re:Best strategy for fighting this (5, Funny)

Anonymous Coward | more than 10 years ago | (#8518331)

If you doubt the authenticity of an e-mail from, say, American Express, just visit the site as you usually do, through a bookmark.

This applies to real life too. The other day, two guys wearing official-looking "police" uniforms came to arrest me. I didn't open the door, I called 911 and told them that some jokers wearing police costumes were trying to arrest me. I turns out they were the real police, but it's always best to double check.

Re:Best strategy for fighting this (4, Interesting)

techno-vampire (666512) | more than 10 years ago | (#8518408)

I did tech support for an ISP until my call center was closed. We used to tell people that we'd never send them an email asking for login or credit card info, and that any message doing so was bogus. Of course, this lead to the occasional luser that wouldn't tell us their password when we needed to ID them because they couldn't see the difference between somebody sending them an email asking for their password and them calling us and our needing to ID them before changing something on their account. Most of the time, just pointing out that they'd called us, so they know who they're talking to rather than an email that they don't know who sent did the trick, but there's always a few people that refused. I never minded because not doing something is much less work and I could go on to the next call faster.

Re:Best strategy for fighting this (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8518452)

There's actually very few reasons that ISP tech support should need your password. My theory is that they only ask because they are using barbaric management systems and/or it's just part of their monkey-script. Either way it's bad policy.

Domain Typos (1)

ChrisBrown1 (212711) | more than 10 years ago | (#8518441)

Or evil domain is typo of legitimate one... (Not meant to defame any website) such as,,, etc...

Open SSL contributes to the problem... (2, Troll)

LostCluster (625375) | more than 10 years ago | (#8518142)

Unfortunately, the open-source SSL systems contribute to this problem...

Most of them let you do a functionally okay SSL certificate without having to pay a root certificate authority. However, that means you're going to get the "sorta okay" certificate message poping up, with the user being told that the certificate is valid but there's no certifying authority behind it. As a result, the user is trained to click "Yes" to that box, and is conditioned to ignore such errors...

Re:Open SSL contributes to the problem... (4, Insightful)

devnullify (561782) | more than 10 years ago | (#8518214)

You can create self-signed certs just as easily with Microsoft's certificate managment tools.

Users are conditioned to click Yes/OK to *any* dialog box that gets in their way, without reading it.

Re:Open SSL contributes to the problem... (0)

Anonymous Coward | more than 10 years ago | (#8518341)

Well, I'm a user, and I'm not buying anything from you if you don't have a real certificate.

you are misinformed (3, Informative)

wotevah (620758) | more than 10 years ago | (#8518369)

RTFA or quit trolling. The problem is not the SSL certificates or who creates them, but the browsers accepting a "plain" encryption scheme when setting up the secure channel. I haven't actually seen this but it's entirely within reason that a "plain text" encryption was available in the SSL libraries for debugging communications in SSL apps.

I think it should be fairly simple to update the browsers so they require some encryption by default. Voila. Problem solved and we don't have to kill OpenSSL or "pay a root certificate authority" for the privilege of having encryption.

Re:you are misinformed (1)

femto (459605) | more than 10 years ago | (#8518451)

The parent has a valid point. But the problem is not with allowing people to create their own certificates.

When you inspect a certicicate with MS Internet Explorer, it says the certificate is 'okay'. Most users would interpret this to mean 'everything is 'hunky dorey', and continue on with their transaction.

In reality, 'okay', in the context it is used, means that the certificate is internally consistent. It doesn't say anything about whether the user is being scammed. Shouldn't the message wording be changed to reflect the fact that it doesn't actually relate to everything being 'okay'?

Re:Open SSL contributes to the problem... (4, Informative)

rekt (760792) | more than 10 years ago | (#8518456)

An SSL certificate is just a (hopefully long) bit-string formatted in a certain way. I don't see how the fact that anyone can generate a long bit string to a well-known format contributes to the insecurity of SSL.

If a protocol can be weakened by someone generating a long bit-string, then that protocol isn't worth much in the first place.

Public knowledge of SSL (incarnated in the openSSL source) is not the problem. Rather, the problem is twofold:

Uncomprehending users
End users don't understand PKI, for the most part. They don't understand the implications and assumptions which underly the system. By default, the X.509 architecture means that they end up implicitly trusting the root Certificate Authorities installed by their browser provider (which means they are implicitly trusting their browser provider and we know who that usually is...)
Untrustworthy Hierarchy in X.509
The hierarchical nature of SSL's PKI means that even for those people who understand how it works, they are still strongly compelled to trust some large CAs. Sadly, many of the large CAs have abandoned their ideal role of actually establishing and verifying identity. They seem to now see themselves as yet another middleman who deserves a cut of any transaction without providing a service.
How many times have you seen a CA whose policy for establishing identity amounts to "Please send us a fax on company letterhead" ? Who can't send a fax on "company letterhead" these days?

I would be willing to pay a good CA for actual verification, even as a client, if i could be sure that they were actually verifying the folks they issued certificates to. But it would need to be big enough to be able to certify a large number of sites to be worthwhile...

The non-hierarchical nature of the web of trust [] model of PKI is so much better than X.509, so it would fix the untrustworthy hierarchy issue above. But, even more than X.509, it expects all the end users to understand the basic ideas of PKI, not just "look for the little lock and click those dialogs as soon as they come up". sigh...

Microsoft Has Got You Covered (5, Funny)

FiberOpPraise (607416) | more than 10 years ago | (#8518147)

Don't worry, I make sure to type all of my URL's now including onces such as: d=0&mode=thread&commentsort=0&op=Reply
Sometimes they take a while but it pays off!

Re:Microsoft Has Got You Covered (0)

Anonymous Coward | more than 10 years ago | (#8518453)

The problem you are describing has been resolved in a patch.

an old timer i know (5, Interesting)

Spetiam (671180) | more than 10 years ago | (#8518165)

solves all this by never entering any financial data anywhere on the internet. he's not a knowledgeable computer user, and he knows it. in his case, and in the case of many non technically-minded individuals, it seems much easier to simply avoid all online financial transactions.

i think his simple approach to avoiding online financial risks makes a lot of sense. many of my non-tech friends/family members might be taken in by a scam like this, and given how painful it is to explain computer things to them, from now on i'll just tell them never, under any circumstances, to enter financial data on the web.

surprise, surprise... (1)

wotevah (620758) | more than 10 years ago | (#8518436)

I doubt that completely removes the risks. I bet most processors now use the 'net to submit data to their central database when they get it either by phone or on paper. It's the obvious thing to do, not many want to develop their own modem-based secure networks when this cheap Internet is already here.

Re:an old timer i know (1)

snarkh (118018) | more than 10 years ago | (#8518439)

Yes, and I prefer to stay home as it dramatically decreases the probability of a heavy home appliance falling on my head as I walk under a window.

I also prefer candles as it it decreases the chance of being electrocuted.

Re:an old timer i know (0)

Anonymous Coward | more than 10 years ago | (#8518440)

Right. Tell him to not use ATMs either, unless he is able to spot the difference between a real and false-fronted IBM 30803 machine.

Legislation (0, Troll)

dysprosia (661648) | more than 10 years ago | (#8518168)

Why, oh why isn't there legislation to make this sort of thing illegal? Phishing is basically fraud, and if there was a chance that some action could be done, then these phishers would not be tempted to pull such a stunt, since they would know that there would possibly a lawsuit/jailtime behind this...

Re:Legislation (2, Troll)

pookie_jurd (613079) | more than 10 years ago | (#8518189)

Why isn't there a law against going out and killing people? Then these people "would not be tempted to pull such a stunt, since they would know that there would possibly a lawsuit/jaintime behind this..."

Re:Legislation (4, Insightful)

nacturation (646836) | more than 10 years ago | (#8518226)

I think you'd be better off asking why the existing laws against fraud and deceptive trade practicees aren't enforced.

Re:Legislation (4, Insightful)

yasth (203461) | more than 10 years ago | (#8518233)

It is illegal under current laws (Wire fraud, misrepresentation, etc). The hard part is catching them, also there are jurisdiction issues. I mean really there was no need for new murder laws when guns came about. This is fraud, and oftentimes theft plain vanilla crime, but with a new delivery method. Also to be honest, most DAs would probably rather go after child porn then something so unlikely to get there names in the paper as white collar credit card scams

Re:Legislation (2, Funny)

alfredw (318652) | more than 10 years ago | (#8518350)

most DAs would probably rather go after child porn then something so unlikely to get there names in the paper as white collar credit card scams

Reminds me of Bowling for Columbine. Michael Moore had the brilliant idea of treating white collar criminals just like the rest... Chase them through the street, tackle 'em in the street, and bump them a few times on the hood of the cruiser. Would make for entertaining TV, and every "Average Joe" would love to see his/her boss go down.

Re:Legislation (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8518278)

Oh, it's illegal. The problem isn't whether or not this sort of thing is legal. It's finding, apprehending, and punishing the offendors that's the hard part.

Let me give you an example. Suppose you're in the nation of Grand Fenwick, and bank with the National Grand Fenwick Bank. I, who live in Mordor, decide to target customers of the National Grand Fenwick Bank, and set up a fake website at http://123.456.789.0/gf.php[1] that mimics their logon screen. I then send out millions of emails to lure customers of NGFB to my website.

Within minutes of these emails being sent, the Powers That Be at NGFB know about the fraud that's being committed in their name. They know what host is hosting the scam. They know (or can easily find out) where the host is located physically. BUT:

  1. How do they know whether that host is a willing or unwitting party to the fraud?
  2. How do they prove it, if it's willing?
  3. If it's unwilling, how do they track down the perpetrator?
  4. Assuming they can track down the perpetrator, how do they take said perp into custody?
It just so happens that the host is my own, and I'm listed as the registrar. Alas, alack, there is no extradition treaty between Mordor and Grand Fenwick, so all they can do is shout threateningly across the ocean at me, whilst I mock their puny and powerless attempts to bring me to justice.

There are too many levels of proof needed to bring a conviction, and even if they're all satisfied, if the perpetrator is in a country such as Russia, all hope goes out the window. In fact, all it takes is one layer -- me hiring a Russian to obtain these details -- to protect me (as long as I'm careful about how I use those details).

The police and fraud departments are aware of these issues, and they're trying to resolve them. Unfortunately, political problems get between the problem and the solution. Things aren't helped when it takes me a half hour to alert the bank and/or police of a currently active fraudulent site...

[1] Yes, I know this is an invalid IP address. You're missing the point.

Re:Legislation (1)

techno-vampire (666512) | more than 10 years ago | (#8518446)

set up a fake website at http://123.456.789.0/gf.php[1] that mimics their logon screen.

This IP range is controlled by Freedonia, and President Rufus T. Firefly has let it be known that hijacking their limited IP addresses would be a causus belli. Prepare for war!

Re:Legislation (1)

TykeClone (668449) | more than 10 years ago | (#8518307)

And it should be a capital crime.

Meh (4, Insightful)

Xenographic (557057) | more than 10 years ago | (#8518227)

Sad thing is, it's getting harder and harder to be able to give them basic advice.

At the rate things are going, you pretty well have to know all the same tricks the spammers/scammers do...

I mean, just the other day, I got a message from PayPal about my account. Oops, I don't have one... Okay, so that would've been my first clue, but it was faked well enough to pass Hotmail's spam filter, and it looked official, like I really had had an account suspended.

So I check the email source, because I know better. Sure enough, it's using the %00 bug to catch IE users. Assuming they would know to look for where the link actually pointed, instead of where it claimed to.

In the mean time, I went to the page. Sure enough, it wants every bit of information imagineable. All the other links off it link to actual PayPal pages... the status bar at the bottom is left blank via JavaScript. So the inobservant and gullible would be hosed...

Naturally, I feed it totally fake information (might as well give them more false data... shouldn't harm anyone, should only help get them caught, I hope), just to see what it does. Sure enough, redirects you to another actual part of the PayPal site. I sent off a LART to the hosting provider's abuse email. No response. I don't consider that a good sign.

Note that no SSL was required here. Just official-looking pages. Granted, I didn't fall for it, but I know more about these exploits than Joe Average. Joe Average probably wouldn't know what was wrong with %00 in a URL if he saw it.

This is sad, too. I've taught classes on this, and I try to teach the class as much as they are capable of understanding. Even so, it's getting to the point where I feel like they need to know at least as much as I do just to avoid these stupid scams. There's a new one made up every day, it seems, and I spend a lot of time just keeping up with what the lowlifes are doing...

So the point of all this? We practically need a "scam report" type of newspaper for the general public. Not to mention a primer detailing the older tricks in the book... not to mention some way to get the average public to read them both.

Re:Meh (0)

Anonymous Coward | more than 10 years ago | (#8518300)

I mean, just the other day, I got a message from PayPal about my account. Oops, I don't have one... Okay, so that would've been my first clue, but it was faked well enough to pass Hotmail's spam filter, and it looked official, like I really had had an account suspended.

I can't believe it. You're saying that hotmail's spam filters let a scam message through. I'm shocked.

Re:Meh (1)

Xenographic (557057) | more than 10 years ago | (#8518327)

They sometimes catch ones with broken headers. And spammers aren't that good at writing SMTP engines, either.

That said, yeah, it's not like it's that hard for them to pass the spam filters. Even so, it's just another thing that might help it seem more legitimate to a potential victim.

Then again, I would hope that a reasonable person would know better than to give them every possible password, address, SSN and bit of personal information they could possibly want... :/

I mean, hell, I was waiting for the field that asked for "3rd grade teacher's name" or "pet(s) name(s)" ...

thanks scammers! (4, Funny)

BinaryJono (546830) | more than 10 years ago | (#8518255)

finally an affordable way to use SSL certificates on our sites without "unsigned certificate" warnings or having to pay Verisign $895/year for each certificate!

Re:thanks scammers! (3, Interesting)

ddent (166525) | more than 10 years ago | (#8518371)

Please, please dont do that... that is purely evil. You give the impression to your visitors that you are securing their data, and then you don't if you do it that way. Also note that you can get a certificate every bit as good as the ones that VeriSign issue for much less than $895/year these days - look around a bit more.

You do raise a very interesting point though. The fact that browsers don't pop up a warning for plain-text SSL could actually potentially be used to perform a man-in-the-middle attack with no-one the wiser (unless they check the issuer of the certificate manually, as they should)! That is rather scary to me, and it is serious enough that patches should be issued (not that most people apply them, but that is an entirely different story).

Damm I wish I knew (3, Funny)

MajorDick (735308) | more than 10 years ago | (#8518262)

"One of the SSL encoding methods is 'plain text'," I could have had my own certs with no browser barking for all this time ? Damm Years ago I tried the "Please install my certificate thing" It worked for a while but stupid customers kept asking questions (I am sorta joking) Now I find out I could have configured my server to avoid many of these authority issues ?

'splane it to me Lucy (1)

602 (652745) | more than 10 years ago | (#8518280)

from the article: The evolving strategies of phishing crews underscore the need for continuing consumer education on detecting deceptive URLs, web sites and now, to discern authentic SSL certificates and relationships as well.

I understood most of the article, but parts of it were like Greek to me, and I'm pretty savvy. I understand encryption and know to look for the SSL lock when I'm entering sensitive information, but visual spoofing worries me. I'll be sure to look at SSL certificates from now on. I hope the browser and backbone programmers can make this more secure.

Re:'splane it to me Lucy (3, Informative)

Vegeta99 (219501) | more than 10 years ago | (#8518477)

Well, these 'phishers' would make up a url.. something like (and then, insert a bunch of spaces)

Their site would be an exact replica meant to steal your information. So, firms would beat into their customers to look for the 'lock' or the https:// before a URL to make sure that it was the right site.

With plain text encoding on an https site, you still get the comfort factor of the lock (i think), and the https://, so once again, the morons who don't look at the complete URL are going to be victimized.

IE had a bug where a certian control code would make the second part of the url (the @and everything after it) completely invisible. This has been fixed.

They just want to jam. (4, Funny)

Jasn (106824) | more than 10 years ago | (#8518338)

I for one object to blaming all this on Phish. I'm sure that Mr. Anastasio et al. have no connection to this illegal and extremely harmful activity.

Invading SSL can't be good (1)

superpulpsicle (533373) | more than 10 years ago | (#8518340)

This was the last safe territory for me. When I punch info into a https site, I get a sense that it's alot safer.

How the hell I use online banking and do any heavy shopping via https again?!

Re:Invading SSL can't be good (3, Insightful)

sirReal.83. (671912) | more than 10 years ago | (#8518455)

I don't care if you're using 2048-bit encryption to purchase that new GeForce - if SuperDealUpgradeStore so much as leaves the wrong port open on the firewall or uses a simple password and doesn't check logs, you're hosed.

As the saying goes: "Security is a process, NOT a product."

Mozilla has a warning for this... (4, Informative)

Anonymous Coward | more than 10 years ago | (#8518364)

It defaults to poping up a warning that you are using low grade encryption. Plain text qualifies!

Is there a page with a demo of the technique? (2, Interesting)

kasperd (592156) | more than 10 years ago | (#8518370)

I'd like to verify if my browser is vulnurable.


Anonymous Coward | more than 10 years ago | (#8518375)

I think the site you were looking for is here [] .

The lock is not important (4, Insightful)

thedillybar (677116) | more than 10 years ago | (#8518429)

Many websites now use an insecure connection (HTTP) to shop, add items to your cart, and process your checkout. Even the final order form page is sent over HTTP, but the form POST is set to use HTTPS.

This is fine by me. Everything up to that point doesn't need to be encrypted. However, the only way to verify that the form (i.e. credit card #) will be sent over HTTPS is to View Source and look for the POST line. And this makes verifying certificates and encryption methods even harder.

Would it make sense for a tooltip over the Submit button to show the destination of the POST? Or at least whether it's secure? How about some useful items on the right-click menu?

While I'm on the topic...When I right-click and hit View Source, why can't the browser open an editor and scroll to the line of code that I right-clicked on? I know Firefox & IE don't, maybe something else does already..

Re:The lock is not important (4, Interesting)

windside (112784) | more than 10 years ago | (#8518483)

While I'm on the topic...When I right-click and hit View Source, why can't the browser open an editor and scroll to the line of code that I right-clicked on? I know Firefox & IE don't, maybe something else does already..

In Firefox, if you highlight part of the HTML document and then right click the highlighted text and select "View Selection Source", the program attempts to load the source and go to the appropriate line(s). I've found the functionality is kind of hit-and-miss, but it's definitely what you're after.

Uh, duh. (-1, Troll)

SCHATTIE (760808) | more than 10 years ago | (#8518459)

Where is the condemnation of your friend Bob Thompson?

I Blame Dirty Hippies! (-1, Troll)

mikewren420 (264173) | more than 10 years ago | (#8518481)

Seriously... ok, not. Seriously though, at least I can pay for my RV for Bonnaroo now! :)
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?