More details for those so inclined: http://isc.sans.edu/diary.html?storyid=11512

*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*

On Wed, Sep 7, 2011 at 12:46 PM, Paul Hutchings <[email protected]> wrote:

> Keep in mind that Globalsign have suspended issuing certificates whilst
> they conduct an investigation into the hacker's claims that he has access
> to their CA.
>
> Of course it's just a claim, and Globalsign appear to have acted
> appropriately by taking what seems like positive action, but if the claims
> do turn out to be true, Globalsign aren't exactly a pile high sell cheap SSL
> vendor.
>
> ------------------------------
> *From:* Harry Singh [[email protected]]
> *Sent:* 07 September 2011 5:38 PM
> *To:* NT System Admin Issues
> *Subject:* Re: DigiNotar compromise
>
> *>> While I do get your point about the relative costs for services like
> digital certificates, we have no idea whether or not an appropriate level of
> revenues is being invested back into the security infrastructure. Yes, more
> expensive *should* mean something, but there's no way to be sure that it
> does. Our awareness of a breach doesn't mean it hasn't been going on for
> quite some time...*
>
> +1
>
> I'm curious to see what the future (immediate or otherwise) will bring
> to both the business and technology of the CA/SSL cert industry.
>
> On Wed, Sep 7, 2011 at 12:32 PM, Andrew S. Baker <[email protected]> wrote:
>
>> Until recently, DigiNotar also had a profitable business model to protect.
>>
>> So did RSA, for that matter.
>>
>> While I do get your point about the relative costs for services like
>> digital certificates, we have no idea whether or not an appropriate level of
>> revenues is being invested back into the security infrastructure. Yes, more
>> expensive *should* mean something, but there's no way to be sure that it
>> does. Our awareness of a breach doesn't mean it hasn't been going on for
>> quite some time...
>>
>> On Wed, Sep 7, 2011 at 10:57 AM, Ken Schaefer <[email protected]> wrote:
>>
>>> And yet people ask: “why should I pay $x * 100 for a Verisign/etc.
>>> cert vs $x for a DigiNotar/etc. cert”.
>>>
>>> Yet, I suppose this is capitalism in action. There is no guarantee that
>>> Verisign is non-hackable, yet they have a profitable business model to
>>> protect. Each of us has to make a tradeoff to decide whether a cheaper price
>>> is worth the risk that too cheap a price is compromising due diligence on
>>> behalf of the CA
>>>
>>> *From:* Ziots, Edward [mailto:[email protected]]
>>> *Sent:* Wednesday, 7 September 2011 10:30 PM
>>> *To:* NT System Admin Issues
>>> *Subject:* RE: DigiNotar compromise
>>>
>>> Honestly,
>>>
>>> It doesn’t surprise me on this one, I am sure there are others that are
>>> just as bad or worse, that will get owned at some time in the future and the
>>> same kind of stuff will be unearthed.
>>>
>>> Z
>>>
>>> Edward E. Ziots
>>> CISSP, Network +, Security +
>>> Security Engineer
>>> Lifespan Organization
>>> Email:[email protected]
>>> Cell:401-639-3505
>>>
>>> *From:* Tim Evans [mailto:[email protected]]
>>> *Sent:* Tuesday, September 06, 2011 4:02 PM
>>> *To:* NT System Admin Issues
>>> *Subject:* DigiNotar compromise
>>>
>>> If this is true, I find this absolutely unacceptable that a commercial CA
>>> would run a system like this. Incredible
>>>
>>> http://computer-forensics.sans.org/blog/2011/09/06/diginotar-incident-response-report-no-logging-weak-password-no-protected-network
>>>
>>> Tim Evans
