Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-12 Thread Marsh Ray
On 06/12/2012 10:58 AM, Thor Lancelot Simon wrote: One wonders what Microsoft knows about who requested all those licenses. Presumably there was some effort put into plausible deniability. Considering that the Flame attackers are said to operate 80 command-and-control servers at locations aro

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-12 Thread Thor Lancelot Simon
On Tue, Jun 12, 2012 at 10:51:59AM -0500, Marsh Ray wrote: > > What is unclear is if there are any effective costs or rate > limitations on how often one can 'activate' an MSTS license server. > A compute cluster faster than 200 PS3s could cut down on the number > of license certs that were burned

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-12 Thread Marsh Ray
On 06/12/2012 04:09 AM, Marc Stevens wrote: They were limited to a millisecond time-window to request the original cert for their attack to succeed. That means they probably needed a lot more attempts than the 9 attempts (over 4 weekends) we needed. From Sotirov's http://www.trailofbits.com/re

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-12 Thread Marc Stevens
On 12-6-2012 10:45, Ben Laurie wrote: On Tue, Jun 12, 2012 at 8:24 AM, Marc Stevens wrote: On 12-6-2012 0:59, Ralf-Philipp Weinmann wrote: On 6/11/12 6:38 PM, Ondrej Mikle wrote: On 06/11/2012 11:06 AM, Ben Laurie wrote: On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams wrote: On Sun, Jun 1

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-12 Thread Ben Laurie
On Tue, Jun 12, 2012 at 8:24 AM, Marc Stevens wrote: > > > On 12-6-2012 0:59, Ralf-Philipp Weinmann wrote: >> >> On 6/11/12 6:38 PM, Ondrej Mikle wrote: >>> >>> On 06/11/2012 11:06 AM, Ben Laurie wrote: On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams  wrote: > > On Sun, Jun 1

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-12 Thread Marc Stevens
On 12-6-2012 0:59, Ralf-Philipp Weinmann wrote: On 6/11/12 6:38 PM, Ondrej Mikle wrote: On 06/11/2012 11:06 AM, Ben Laurie wrote: On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams wrote: On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer wrote: * Marsh Ray: Marc Stevens and B.M.M. de Weger (o

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-11 Thread Randall Webmail
From: "Ralf-Philipp Weinmann" > Thank you, dear flame authors, for providing an implementation for my > idea! Now, how should I cite you? Just cite "NSA". Don't worry, they'll know about it ...

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-11 Thread Ralf-Philipp Weinmann
On 6/11/12 6:38 PM, Ondrej Mikle wrote: > On 06/11/2012 11:06 AM, Ben Laurie wrote: >> On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams wrote: >>> On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer wrote: * Marsh Ray: > Marc Stevens and B.M.M. de Weger (of > http://www.win.tue.nl/has

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-11 Thread Ondrej Mikle
On 06/11/2012 11:06 AM, Ben Laurie wrote: > On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams wrote: >> On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer wrote: >>> * Marsh Ray: >>> Marc Stevens and B.M.M. de Weger (of http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-11 Thread The Fungi
On 2012-06-10 17:33:51 -0500 (-0500), Marsh Ray wrote: [...] > e2 - attacker bribes Microsoft personnel into issuing evil cert [...] It doesn't seem entirely outside the realm of possibility since this was found in the wild in Flame, which in turn is suspected to be a state-sponsored cyber e

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-11 Thread Erwann Abalea
2012/6/11 Ben Laurie > On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams > wrote: > > On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer > wrote: > >> * Marsh Ray: > >> > >>> Marc Stevens and B.M.M. de Weger (of > >>> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the > >>> collision

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-11 Thread Ben Laurie
On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams wrote: > On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer wrote: >> * Marsh Ray: >> >>> Marc Stevens and B.M.M. de Weger (of >>> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the >>> collision in the evil CN=MS cert. I'm sure they'll

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-10 Thread Nico Williams
On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer wrote: > * Marsh Ray: > >> Marc Stevens and B.M.M. de Weger (of >> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the >> collision in the evil CN=MS cert. I'm sure they'll have a full report >> at some point. Until then, they have sa

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-10 Thread Marsh Ray
On 06/10/2012 03:03 PM, Florian Weimer wrote: Does this mean they've seen the original certificate in addition to the evil twin? Until then, there is another explanation besides an advance in cryptanalysis. Just saying. 8-) I guess I look at it like this: Start with the simplest explanation

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-10 Thread Weger, B.M.M. de
Hi Florian, > * Marsh Ray: > > > Marc Stevens and B.M.M. de Weger (of > > http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the > > collision in the evil CN=MS cert. I'm sure they'll have a full report > > at some point. Until then, they have said this: > > >> [We] have confirmed t

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-10 Thread Florian Weimer
* Marsh Ray: > Marc Stevens and B.M.M. de Weger (of > http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the > collision in the evil CN=MS cert. I'm sure they'll have a full report > at some point. Until then, they have said this: >> [We] have confirmed that flame uses a yet unknown

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-06 Thread Marsh Ray
Microsoft just released more info: http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx It turns out that this: echo '30 1a 06 08 2b 06 01 04 01 82 37 12 01 01 ff 04 0b 16 09 54 4c 53 7e 42 41 53 49 43'|xxd -r -

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-06 Thread Marsh Ray
On 06/05/2012 07:21 AM, Douglas Pichardo wrote: The last link below [http://rmhrisk.wpengine.com/?p=52] points out that the sub-CA's were issued with constraints granting them: - License Server Verification (1.3.6.1.4.1.311.10.6.2) - Key Pack Licenses (1.3.6.1.4.1.311.10.6.1) - Code Signing (1.3.

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-05 Thread Erwann Abalea
2012/6/5 Marsh Ray > [...] > > An excerpt: > "That’s right, every single enterprise user of Microsoft Terminal Services > on the planet had a CA key that could issue as many code signing > certificates they wanted and for any name they wanted." > > It sounds as if Windows users might have a milli

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-05 Thread Marsh Ray
These researchers have detailed the cert chain here: http://blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/ If you like X509, you'll find this interesting. I've attached copies for reference. Microsoft is saying some strange things like: http://blogs.technet.com/b/msr

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-04 Thread Thor Lancelot Simon
On Mon, Jun 04, 2012 at 10:20:33AM +0200, Erwann Abalea wrote: > It's also not clear about what could have been done with TS certificates. > Is it only codesigning, or TLS server as well? I'm surprised they can be used for code signing at all. TS (in its modern incarnation) is a TLS-encapsulated

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-04 Thread Erwann Abalea
It's also not clear about what could have been done with TS certificates. Is it only codesigning, or TLS server as well? -- Erwann. On 4 June 2012 at 09:57, "Marsh Ray" wrote: > > In case it's not clear from the filenames (e.g. the email system drops them) there were three certs revoked. These a

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-04 Thread Marsh Ray
On 06/04/2012 02:41 AM, Marsh Ray wrote: I've attached the revoked sub-CAs and their roots. In case it's not clear from the filenames (e.g. the email system drops them) there were three certs revoked. These are the ones with "Licensing" in the CN. For convenience I also included the two roo

[cryptography] Microsoft Sub-CA used in malware signing

2012-06-04 Thread Marsh Ray
I'm sure many readers of the list will have heard by now, some Microsoft sub-CAs were used for signing malware. For the record here's an excerpt from the MS release and to save interested people time I've attached the revoked sub-CAs and their roots. There are some tantalizing bits about MD5