I crossed paths with the guys behind globaltrust.it years ago. I ended up auditing a code project they had written for a co. in the financial services industry that required good security, audit trails, client authentication etc.
After the third remote exploit that I found, my recommendation was that they throw it out and start again, it was a huge jumble of PHP. This hurt their feelings, and a 6 month long argument ensued where they defended their competency.
When I heard 'Italian certificate provider' last week, I thought it could be them, because they went on to launch a certificate project. I am more surprised that Comodo didn't do any due diligence on their resellers. All they had to do was to email my client to ask how their project went, and they would have found out about the clusterfuck.
> At first I decided to hack RSA algorithm, I did too much investigation on SSL protocol, tried to find an algorithm for factoring integer, analyzed existing algorithms, for now I was not able to do so, at least not yet, but I know it's not impossible and I'll prove it
Huh. He kind of lost all credibility at that point. Breaking RSA isn't something you just decide to do. I'll wait for the day when he announces he's broken it.
After reading him state how astonishing his skills are and how he'll tackle the integer factorization problem, I thought to myself, "he must be a 20-year-old university student." Then he states his age.
I highly doubt that he will be able to do so either.
However, that does not reflect on whether or not he is the one that is behind the attack on Comodo, which has no real indications of being difficult.
Comodo claims that it must have been an organized, planned out attack because they knew which domains to get certificates for. That does not explain why 3 were generated for one domain and one for 'global trustee'. Nor does it take a genius to figure out a set of domains you would want certificates for depending on what you are planning to do (in this case, it seems like attacking large webmail providers).
No. Integer factorization is not NP-hard (so not NP-complete). (This isn't proven, but it's generally thought to be the case.) So, while doing a polynomial-time integer factorization would be hugely significant (and make all asymmetric encryption in the world useless), it would not prove P=NP.
> So, while doing a polynomial-time integer factorization would be hugely significant (and make all asymmetric encryption in the world useless)
This is wrong in two ways.
First, a polynomial-time algorithm could still be too slow to be practical, either because the degree of the polynomial were high or because the constant factor or asymptotically disappearing overhead were high.
Second, discrete-logarithm-based cryptography does not depend on the difficulty of integer factorization. That includes Diffie-Hellman, ElGamal, DSA, SRP, and elliptic-curve methods.
You're right that integer factorization is not known to be NP-hard, and so a polynomial-time integer factorization algorithm wouldn't show P=NP.
I don't want to turn this into a complexity theory discussion thread but isn't it an NP problem? And does proving that it can be solved in polynomial time mean P == NP (and vice versa)?
Am I the only one to expect the guy who compromised a CA and generated a number of very high-value certs to use one of those certs to sign his message?
I come off with the feeling it is actually composed by an Iranian (possibly a team but could be an individual) who is clearly motivated to make "politically correct" (from the POV of the Iranian govt.) speeches. He goes to great lengths to praise his government, ambassador and president while denouncing all dissidents, separatists, Israel and the US. I cannot help feeling he/they have some connection with the government. Possibly the whole teenage cyberpunk rhetoric was deliberate (see repeated "hard for you easy for me" and "I was so fast" and the absurd "I will factor large integers") and little more than a poorly executed smoke screen to divert attention.
If you combined these evil SSL certs with the right BGP hijack, you could read a lot of people's email and such. And since reading mail lets you reset passwords on everything else, he could have basically owned millions of people.
I thought the most interesting part about this was that he claimed to be a 21yo Iranian who took sole credit, while having a problem with the lack of controversy surrounding the Stuxnet US/Israel project.
Oooh, my favorite part is on line 136, when he claims "RSA 2048 was not able to resist in front of me". That's a pretty, um, "interesting" characterization of the level of sophistication of his attack.
Can you elaborate on the "grade A rationalist" remark? Does attempting to compensate for one's cognitive biases generally blind one to how one sounds to others?
I LOVE the fact that I live in a world that I get to read some hacker's manifesto online:
> My Rules as I rule to internet, you should know it already...
Although, I do have to agree with his points about Echelon.
EDIT: His command of the English language is irrelevant -- I stand by my comment above, which is the fact that we are even reading stuff like this makes the 16-year-old-cyberpunk-playing self from the '80s quite happy.