OT: utility account transfer frauds
Nexus
nexus at patrol.i-way.co.uk
Fri, 11 Oct 2002 13:35:30 +0100
----- Original Message -----
From: "David Howe" <DaveHowe@gmx.co.uk>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Friday, October 11, 2002 12:44 PM
Subject: Re: OT: utility account transfer frauds
> at Friday, October 11, 2002 10:21 AM, Charles Lindsey
> <chl@clw.cs.man.ac.uk> was seen to say:
> > Would you care to post a demonstration?
> *grin* do I look like I have the resources to find such a collision? it
> took distributed.net a fair bunch of time to break a 64 bit key, and
> this would be a task of approximately the same size. Probably I could
> interest them in the problem.. If I had a 10K prize to tempt them with
> :)
I also don't have the resources for that, but for an example of how
dangerous this implicit trust in digital certificates can be, look at what
happened to Microsoft when Verisign were socially engineered out of some
_legitimate_ MS certs.
http://www.itworld.com/Sec/4039/IW010322hnmicroversign/
Not to mention the number of flawed implementations of various schemes, the
number of times companies don't renew/sign/etc their own certificates, yada
yada...
Like David, I too am waiting for this one to fall on its face at M'Lud's
stockinged feet.
Cheers,
JJ