On 8 Dec, 2011, at 8:27 PM, Peter Gutmann wrote:
> In any case getting signing certs really isn't hard at all. I once managed it
> in under a minute (knowing which Google search term to enter to find caches of
> Zeus stolen keys helps :-). That's as an outsider, if you're working inside
> the malware ecosystem you'd probably get them in bulk from whoever's dealing
> in them (single botnets have been reported with thousands of stolen keys and
> certs in their data stores, so it's not like the bad guys are going to run out
> of them in a hurry).
>
> Unlike credit cards and bank accounts and whatnot we don't have price figures
> for stolen certs, but I suspect it's not that much.

If it were hard to get signing certs, then we as a community of developers
would demonize the practice as having to get a license to code.

Jon
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography