tag:blogger.com,1999:blog-37798047.post2602280330293651520..comments2024-01-16T05:48:33.523-05:00Comments on Errata Security: Verifying the Comodo Hacker's keyDavid Maynorhttp://www.blogger.com/profile/09921229607193067441noreply@blogger.comBlogger15125tag:blogger.com,1999:blog-37798047.post-11853200383899833572011-03-31T13:46:44.409-04:002011-03-31T13:46:44.409-04:00Excellent post.Excellent post.Unknownhttps://www.blogger.com/profile/05283698339968263110noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-84612199228794274162011-03-31T05:15:57.932-04:002011-03-31T05:15:57.932-04:00Again R.Graham excelent post, perfect build, and i...Again R.Graham excelent post, perfect build, and i agree with your verify method, you have a blog that reads a lot of ppl, most of them would have not understand a complex xplain of private key method, and properties.<br />Thx for this posts (all arround comodo's hack). Superb<br /><br />Q.QaSaRhttps://www.blogger.com/profile/07788349787026079199noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-86118289970286098522011-03-30T13:16:49.364-04:002011-03-30T13:16:49.364-04:00Rolf: the answer is because several people (includ...Rolf: the answer is because several people (including me) suggested to him as the "final" proof. You are correct, we should've suggested your strategy.<br /><br />However, he's got the private keys of the other certificates to continue to prove his identity.Robert Grahamhttps://www.blogger.com/profile/09879238874208877740noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-25957645683473577082011-03-30T04:11:42.709-04:002011-03-30T04:11:42.709-04:00Why did he post the private key? It would be far ...Why did he post the private key? It would be far more elegant and convincing if he had signed his messages with the private key. (Do we really know that the person posting the messages is the same as the person posting the key? At this point, anyone can claim to be the cracker, as he gave away his only proof.)Rolf Rander Næsshttps://www.blogger.com/profile/02172663850827590329noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-90810576919805249162011-03-29T17:55:22.983-04:002011-03-29T17:55:22.983-04:00I just updated my post to explain why I think -mod...I just updated my post to explain why I think -modulus is inadequate.Robert Grahamhttps://www.blogger.com/profile/09879238874208877740noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-58233716120202759912011-03-29T17:17:21.543-04:002011-03-29T17:17:21.543-04:00Robert: What two reasons please?Robert: What two reasons please?R/Shttps://www.blogger.com/profile/17873390947223398428noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-83144606750707580782011-03-29T11:38:47.543-04:002011-03-29T11:38:47.543-04:00Thanks for the step-by-step! I will send my stude...Thanks for the step-by-step! I will send my students here to learn how it works :)<br /><br />--Sam BowneSam Bownehttps://www.blogger.com/profile/14190082233635609371noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-88530771805823581562011-03-29T02:25:37.134-04:002011-03-29T02:25:37.134-04:00here the blog author said absolutely what i said i...here the blog author said absolutely what i said in a Persian forum:<br /><br />http://www.adminsehow.com/2011/03/a-response-to-comodohacker/<br /><br />really, if you don't have any relation with Iran's government and so these things you mentioned are only useful when you have access to the internet infrastructure of Iran; otherwise there's really no use for what you done and what you have!<br /><br />you lied and i told you everybody, he's a basidji working for government and he is a freak...!<br /><br />for you to know: in Iran there's only ONE company provides the whole internet connection of the country! "Ertebatat Sayyar" is the name of this company. this damnet *** government doesn't let anybody else to develop internet infrastructure in this country for 3 reasons:<br />1- they want a full access to all the data transfers of all the people<br />2- they want to apply a centralized filtering and censoring system on all the country's network<br />3- they sell the bandwidth so damned expensive to the ISPs so they can make so much money from internet! they have all of the oil in their hands but they don't lose the money they canmake from the internet!<br /><br />in Iran, one of *** Mahmud Ahmadinejad's first laws after wining the election in 2004 was limiting home internet access to maximum of 128Kbps...! you can't even imagine that most of the people don't even know there's faster internet connections than a dial-up connection and faster? how much faster? more than 128K bits per second is FORBIDDEN and this ComodoHacker really likes this *** government!<br /><br />in Iran if you use satellite you will get fined! if you use satellite internet connection and only send a single piece of waves from your dish and they will find you and put you in jail...!<br /><br />in Iran 90% of useful sites are already filtered and everytime there's something going on in the streets (those "a few people of green movement" as the hacker says) they're getting so much damned worried even sometimes they cut down all of the country's internet and connections to out of the country! many of the ports are blocked and now none of the vpns work (there's always another way!) and even in the past days Opera Mini servers have been blocked because they work like proxies!<br /><br />ComodoHacker really likes this governemnt which fills his/their pockets with people's oil money!<br /><br />and another proof that he works for the government: last week you remember the news about what he/they've done, after they saw their work is out in the news and it's all gonna blow up they did their plan as fast as they could because there were no more time and the people were updating their browser versions; for a few days after that news many of the iranians whoever installed updated browsers faced so many ca warnings on mail.google.com and mail.yahoo.com<br /><br />the only purpose for them in life is to harm more people everday!BatteRyhttps://www.blogger.com/profile/09616118821469592011noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-18562071297399493262011-03-29T01:10:39.906-04:002011-03-29T01:10:39.906-04:00answer to the hacker!:
http://pastebin.com/R8zBtL...answer to the hacker!:<br /><br />http://pastebin.com/R8zBtL9a<br /><br />p.s.: i didn't write it<br />http://www.balatarin.com/permlink/2011/3/28/2431744#c-4274383BatteRyhttps://www.blogger.com/profile/09616118821469592011noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-51527791043032918652011-03-29T00:44:14.900-04:002011-03-29T00:44:14.900-04:00No, simply doing -modulus is insufficient for a co...No, simply doing -modulus is insufficient for a couple of reasons.Robert Grahamhttps://www.blogger.com/profile/09879238874208877740noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-87985658703762508682011-03-29T00:19:16.616-04:002011-03-29T00:19:16.616-04:00I've been under the impression you can run the...I've been under the impression you can run these two commands (one on the cert, one on the private key) and if the Modulus value matches, then the private and public keys are a pair:<br /><br />openssl rsa -in addons.key -noout -modulus<br /><br />openssl x509 -in addons.cer -inform DER -noout -modulus<br /><br />(Feel free to correct me if that doesn't always work)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-76593956235597409142011-03-28T22:19:47.671-04:002011-03-28T22:19:47.671-04:00Can't you just use the -modulus flag? I think ...Can't you just use the -modulus flag? I think it would simplify the verification a lot.sep332https://www.blogger.com/profile/15089674288837329342noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-36182917155605286252011-03-28T20:28:13.123-04:002011-03-28T20:28:13.123-04:00Great read and step by step instruction. I'll ...Great read and step by step instruction. I'll plan on trying for fun on my Ubuntu box.Coreyhttps://www.blogger.com/profile/05449222894395213870noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-50525089060172515332011-03-28T20:24:14.246-04:002011-03-28T20:24:14.246-04:00It's essentially nothing in this context.
Peo...It's essentially nothing in this context.<br /><br />People have gotten confused by this recently with the RSA SecurID hack and the Comodo guy hacking RSA keys.Robert Grahamhttps://www.blogger.com/profile/09879238874208877740noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-76934582633843129652011-03-28T20:18:27.850-04:002011-03-28T20:18:27.850-04:00(Note: the RSA algorithm has essentially nothing t...<em> (Note: the RSA algorithm has essentially nothing to do with RSA the company).</em><br /><br />Well, except for both the algorithm and the company being named after the same people, and the fact that the company was created to monetize their inventions. I think that's a little more than "essentially nothing".Unknownhttps://www.blogger.com/profile/15335488976548439448noreply@blogger.com