From this article on ZDNet (http://blogs.zdnet.com/security/?p=2339&tag=nl.e550)--

Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.

The research, which will be presented today by Alex Sotirov (top left) and Jacob Appelbaum (bottom left) at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.

The research is significant because there are at least six CAs currently using the weak MD5 cryptographic algorithm in digital signatures and certificates. The most commonly used Web browsers — including Microsoft’s Internet Explorer and Mozilla’s Firefox — whitelist these CAs, meaning that a fake Certificate Authority can display any site as secure (with the SSL padlock).

“We basically broke SSL,” Sotirov said in an interview ahead of his 25C3 presentation.



:shock: So I'm imagining the hackers walking into Best Buy and asking for 200 PS3's....

Jeez, if someone wanted to buy more than *1* PS3, I think that's suspicious enough to warrant a call to the police

Maybe sony should start marketing the PS3 as a rack mountable server.

Hmm....PS2s were going to be used by Saddam Hussein for missile guidance and now PS3s break SSL...

Im calling it: the PS4 will trigger Armageddon






So I have to spend $80,700 (+tax) to steal a credit card with a $5000 limit? PASS.

Hmm....PS2s were going to be used my Saddam Hussein for missile guidance and now PS3s break SSL...

Im calling it: the PS4 will trigger Armageddon






So I have to spend $80,700 (+tax) to steal a credit card with a $5000 limit? PASS.
With that false CA, you could steal A million CCs with a $5000 limit. Among a few other-better things...

Maybe sony should start marketing the PS3 as a rack mountable server.

http://www-03.ibm.com/systems/bladecenter/hardware/servers/qs21/index.html

Already out and considerably more effective per watt than a PS3 and takes up far less space but not something you could easily buy anonymously. PS3s you can pick up for cash at zillions of retail outlets and avoid a paper trail.

Hmm....PS2s were going to be used my Saddam Hussein for missile guidance and now PS3s break SSL...

Im calling it: the PS4 will trigger Armageddon






So I have to spend $80,700 (+tax) to steal a credit card with a $5000 limit? PASS.

Are you kidding? With a couple of good programmers to create some automation, $100,000 (there is a lot more needed than just the PS3s to get this cluster happening) is a very minor capital investment for a mob operation to steal millions.

This isn't just credit cards, although with automation that can be very lucrative. Intercept all of the people trying to log into a major card providers site to set up a payment and you got the data needed to drain those bank accounts.

http://www-03.ibm.com/systems/bladecenter/hardware/servers/qs21/index.html

Already out and considerably more effective per watt than a PS3 and takes up far less space but not something you could easily buy anonymously. PS3s you can pick up for cash at zillions of retail outlets and avoid a paper trail.
Yeah, but a rack full of PS3s just sounds cooler.

The only December sales.

The room they kept them in must have been super hot. I bet they were working in their underoos and had tons of fans all over the place to stay somewhat cool.

here's a picture of the PS3's from the conference , i must say how cute they look all in a node cluster


http://hackadaycom.files.wordpress.com/2008/12/ps31.jpg?w=300&h=400

The room they kept them in must have been super hot. I bet they were working in their underoos and had tons of fans all over the place to stay somewhat cool.

naww i wish i still had the link but i remember some group putting the PS3, Wii , And Xbox360 in temperature controlled environments to make them fail. Temps went from below 0 to almost boiling . 1st Place was the Wii ,PS3 , Xbox360 ( i forget how long till it red ringed on them)


(http://phreedom.org/research/rogue-ca/)

NPD:
Wii - 2.7 million
Xbox 360 - 850,000
PS3 - 201 (I think someone in the GGT got one too.)

The room they kept them in must have been super hot. I bet they were working in their underoos and had tons of fans all over the place to stay somewhat cool.

could be nice if all the employees were female.

God this terrifies me. This essentially yanks the plug of the idea of buying anything off the internet even if it's secure.
I might as well buy nothing from the Internet now as whoever I'm going through might have a hacker to scam secure certificates in the process. This is the WORST thing to happen to online e-commerce if the info isn't Propoganda designed to crash the robust business the Internet is doing to begin with. I wouldn't be surprised if the latter isn't true as well.
If the former is really true is there a solution stronger then 128 bit encryption? I remember how it use to be 128 bit encryption couldn't be touched.
P.S. Anyone who does this and steals credit cards isn't a hacker, they're a phreaker and furthermore a complete fucking cunt. Yeah you never hear me say that but cunt. Also you're the lowest of the low, a complete fucking scumbag.
edit: Mark my words that this will be one of the biggest stories in the news if people don't attempt to quash it.

God this terrifies me. This essentially yanks the plug of the idea of buying anything off the internet even if it's secure.
I might as well buy nothing from the Internet now as whoever I'm going through might have a hacker to scam secure certificates in the process. This is the WORST thing to happen to online e-commerce if the info isn't Propoganda designed to crash the robust business the Internet is doing to begin with. I wouldn't be surprised if the latter isn't true as well.
If the former is really true is there a solution stronger then 128 bit encryption? I remember how it use to be 128 bit encryption couldn't be touched.
P.S. Anyone who does this and steals credit cards isn't a hacker, they're a phreaker and furthermore a complete fucking cunt. Yeah you never hear me say that but cunt. Also you're the lowest of the low, a complete fucking scumbag.
edit: Mark my words that this will be one of the biggest stories in the news if people don't attempt to quash it.

http://banjo.macrochan.org/source/A/L/AL5H25SM65HM5ZEFA5UKGSJLSZWY7ZKO.jpg

be afraid, be very afraid

God this terrifies me. This essentially yanks the plug of the idea of buying anything off the internet even if it's secure.
I might as well buy nothing from the Internet now as whoever I'm going through might have a hacker to scam secure certificates in the process. This is the WORST thing to happen to online e-commerce if the info isn't Propoganda designed to crash the robust business the Internet is doing to begin with. I wouldn't be surprised if the latter isn't true as well.
If the former is really true is there a solution stronger then 128 bit encryption? I remember how it use to be 128 bit encryption couldn't be touched.


Grow a pair.

God this terrifies me. This essentially yanks the plug of the idea of buying anything off the internet even if it's secure.
I might as well buy nothing from the Internet now as whoever I'm going through might have a hacker to scam secure certificates in the process. This is the WORST thing to happen to online e-commerce if the info isn't Propoganda designed to crash the robust business the Internet is doing to begin with. I wouldn't be surprised if the latter isn't true as well.
If the former is really true is there a solution stronger then 128 bit encryption? I remember how it use to be 128 bit encryption couldn't be touched.
P.S. Anyone who does this and steals credit cards isn't a hacker, they're a phreaker and furthermore a complete fucking cunt. Yeah you never hear me say that but cunt. Also you're the lowest of the low, a complete fucking scumbag.
edit: Mark my words that this will be one of the biggest stories in the news if people don't attempt to quash it.

No it doesn't. It just means that you shouldn't click on links sent to you in emails...which is what you already shouldn't be doing. These things sound bad, but just be happy that some legit hackers found it and are going public with the info--that's how internet security gets better.

No it doesn't. It just means that you shouldn't click on links sent to you in emails...which is what you already shouldn't be doing. These things sound bad, but just be happy that some legit hackers found it and are going public with the info--that's how internet security gets better.

:applause: well said :applause: , people tend to associate hacks of this nature as a bad thing when it actually a good thing.

My concern is buying something THROUGH Amazon and others, not clicking on links and one of their employees sets up one of these fake certificates and BAM! they have my card number. Same with Play-Asia and others. I think I have a legitimate concern for the time being.

the whole point of this is

1) not to many people have 200 ps3's
2) this hack was shown at a security conference to help show sites like amazon and such that we need a reworked solution
3) Intercrap Explorer and Firefox are the 2 web browsers that this hack will more or less work on (there the most widely used browsers) and both companies have bee notified and have plans to rework this.

I'd be more worried about black hat hackers who do thing like steal info and write viruses then the white hat hackers who did this , to show us that there's time for a change.

Sadist part is , most of the time identity theft happens and isn't due to online Trojans or other malicious coding , it's mostly peoples stupidity. When i was at the doctors office the dumb bimbo across from me was on her cell phone the whole time talking to some company giving out (in a public place) all of here info on the phone. Thanks to her i know all i need for a nice new FREE laptop (not saying i would today 10 years ago yeah) if i want to take over an identity i now know were her husband works, that they don't have a land line just the cell phones , here social ,her mothers maiden name,where they live,...get the point.

You know it still amazes me bimbo's exist. Maybe I live in a bubble but most of the females I've talked to have been perfectly intelligent. I might have met one or two that are a bit ditzy, at least at times, but I think we've all had dumb moments once in a while or a very brief while. The only time I was fucking flabbergasted one time was by someone's lack of common sense and everyone in the class was thinking the same thing I was and this was a guy who usually seemed intelligent. I will admit though I heard some chicks around the mall around here and talking and they sounded like a bunch of complete airheads. I was surprised they were speaking for real and not just playing.
Bubba next time I order from Amazon they're getting called to order from instead of ordered online.

If those Black Hat's do what you say I don't consider them hackers. I consider hackers one's that just want information open and free and have no malicious intent, they just wish to expand their knowledge. The types of people you're talking about I much more consider having the term phreakers or something else applied to them.

If those Black Hat's do what you say I don't consider them hackers. I consider hackers one's that just want information open and free and have no malicious intent, they just wish to expand their knowledge. The types of people you're talking about I much more consider having the term phreakers or something else applied to them.

Pheakers play with phones a hacker is a hacker black hat or white hat , but yeah the good hackers are white hats :D

Like I said if they're malicious I don't consider them hackers. Hmmm. What about knackers? Or hacklocks?

The problem is White Hats are commonly considered industry tools that shill for douchebag corps. If White Hats we're doing their duty they'd consistently crash China's monitoring on Internet Cafe's and peoples home computers there.

NPD:
Wii - 2.7 million
Xbox 360 - 850,000
PS3 - 201 (I think someone in the GGT got one too.)


:rofl:

No it doesn't. It just means that you shouldn't click on links sent to you in emails...which is what you already shouldn't be doing. These things sound bad, but just be happy that some legit hackers found it and are going public with the info--that's how internet security gets better.


Yep. Ethical hackers (http://www.research.ibm.com/journal/sj/403/palmer.html) help improve security (http://news.zdnet.co.uk/security/0,1000000189,39278184,00.htm).

a real white hat hacker

http://video.google.com/videoplay?docid=376279794752248911

Bubba next time I order from Amazon they're getting called to order from instead of ordered online.


Whats to stop the other person on the other end of the line to copy down your info? Face it your info isn't guaranteed safe anywhere be it online or offline. I'd rather take the convenience of online shopping then calling a number and staying on hold and finding/saying all my details.

if there is a fraudulent charge on your CC can't you just let the CC company know and they'll remove it? i see this as a problem for big corps and not the common man. i'm glad there are people out there pointing out flaws, so the corps will fix it.

It's good to see a use for the PS3. flame on!!!!

This is some scary stuff, but at the same time I can't help but say that I'm impressed. Hopefully this will help further security measures. I always knew SSL would be broken soon. It never seemed safe enough.