PayPal suspended the account of a white-hat hacker on Tuesday, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor. "Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information …
It's all happened before...
Have a look on here... hackervoice.co.uk...
Read the three posts titled "PayPal hacker discrimination".
Apparently, being able to donate to the site meant that the site was selling information and tools allowing the hacking of other sites...
My friend won...
Yet another reason to avoid PayPal
Or rather, yet another re-confirmation of the same reason -- they can't be trusted. Just wait until they require you to furnish your national ID card number in order to access your account. Don't think it won't happen just because it hasn't happened yet...
"Supplying offensive security products to the world."
If you ask me, Symantec's products fall into that category too...
So, obviously MS need to fix CryptoAPI, because they haven't fixed it after more than 9 weeks.
No excuses here; it is quite plainly an MS issue.
See, the problem with all of this is purely and simply Microsoft's fault, so perhaps all of you should move over to Linux and Mozilla, because Microsoft don't give a shit because you're a bunch of fuckwits.
Now, seriously, if we can actually move on to where the responsibility does lie.
Disreputable, malevolent scammers and fraudsters. This isn't a PayPal, MS or web related issue, it's an abuse of trust issue. Now maybe it's time for internet users to actually take control of their own issues.
Yep, I'll be the target again, for something none of you seem to be able to grasp.
If you want to do financial services, shopping etc, go out into the real world and meet real people. You, me, we are all victims of laziness, and to a point social peer pressures.
Try and control your own lives before you go calling foul on others. I'd rather have a happy family life, than be the richest man in the graveyard, which to me, seems the point of your headlong march to the maker.
Hard to feel bad for the guy
I think the author needs a bit of perspective. Per the article, Marlinspike:
Created the bogus PayPal cert
Created the tool that lets you use it to hijack SSL/TLS
Trained people in how to perform the attack
Not really sure why we are supposed to be surprised that PayPal wants nothing to do with him.
One can expect things like this to happen because the whole world of ethical hacking is actually pretty recent in the grand scheme of things. Perhaps in time these companies will develop a better approach when responding to things like this. The correct course of action would be to consult the author and figure out a way to fix the vulnerability. After which the tools can still be useful to other companies that may also be vulnerable, and in doing this they will be able to better protect their customers. People like the guy in this article just want to get a little credit for finding something really clever and they are not to be feared. When you turn a blind eye to it or react harshly it will discourage ethical hackers from sharing future findings. We would still be on WEP if it weren't for people like this who were trying to make everyone more safe and secure. The people at PayPal must be completely clueless to these things, which genuinely makes me concerned for that site's security. I think I will find another means of paying for things online...
We're in it for the money !!!!
The simple mistake made here was not to accept payments for the class and hacking tools over PayPal. Everyone knows that when there's a profit in it for eBay they'll turn a blind eye. I reported an incident (more than once) in 2004 that cost me over 50 Euros and have still not received a reply because it didn't cost eBay anything. All I got were threats from the person(s) offering the item for reporting them. So bad that I ceased to use that account for eBay and had to create a new one from scratch.
Been using the net long before PayPal
Still no compelling reason to use them....
Take this to its ultimate conclusion...
The analogy here that I'm thinking of is of a person who teaches people how to counterfeit currency. He charges for his tuition and is quite happy to accept counterfeit currency as payment.
Your rants are getting more bizarre by the second. Criminals by their very nature will exploit any weakness they can use to their financial advantage. Microsoft is solely in a position to fix the issue. Apps that rely on CryptoAPI CANNOT FIX THE ISSUE. Has this penetrated your thick skull yet? Microsoft's tardiness in fixing such a serious issue is perplexing and unacceptable.
I really hate to say this, but actually their 2009 suite is rather good. Fast, accurate, unobtrusive and bloat free.
Yup, I had a WTF? moment when I tried it too. It was so good that I bought* a copy, so that's two WTF? moments for the price of one.
*Ok. A tenner for a three PC, two year license off fleabay and no questions asked, but it's the thought that counts.
"I'd rather have a happy family life, than be the richest man in the graveyard"
Not mutually exclusive, and we all end up in the graveyard.
Researchers in the USA say that a million dollars is enough money to ensure a happy life for most people. Sorry, I don't have a link for that.
So, let me get this straight...
"According to a note included with the certificate's release, Marlinspike distributed it during a training session at the Black Hat security conference in July. The hacker confirms he offered a class to penetration testers that taught them everything they'd need to test and carry out attacks on SSL certificates, and as part of that, he included a proof-of-concept certificate. But he never distributed the certificate and each student signed an agreement stating the material was for evaluation purposes and was not to be publicly released, he said."
(quoted from article)
He gave it out at a BLACK HAT hacker conference, and expected them to not use it, simply because they signed an agreement? I've heard of naive, but this is something approaching stupidity. He really should attempt to know his audience, before doing something like that.
For all he knows, someone there could have hacked his notebook. Or simply decided that, because the agreement wasn't in the "original Klingon", that it was null and void. In any case, hackers tend to be the kind of people who think that "information wants to be free", and in most cases, will actively take steps to achieve that goal.
PayPal are crooks. Stealing money openly now.
PayPal think they are bigger than they are. Alienating those that try and help? One thing to argue about what software is used for, another to steal money. The right thing they should have done is hand over all money and suspend the account, not freeze his cash. Surely it counts as theft, or requires a court order to just steal the money?
Yay!!! Go you. After yesterday's tirade, glad to see you're still there with the same arguments.
PayPal, security clowns
This would be the same PayPal that have trained their users to click on PayPal links in their email.
So now all Mr. Phisher needs to do is send out a bogus PayPal email with a link to a bogus PayPal site, verified by a bogus PayPal certificate.
La La La La... I can't hear you
Are we now supposed to think that PayPal is now somehow more secure because they have suspended Marlinspike's account as "a security measure meant to help protect you and your account"? Seems to be a common response by big companies, shoot the messenger: "Hi, we're a big company and our software is shite, but we will retaliate against anyone who says so."
Marlinspike should immediately sue PayPal for the fraud/embezzlement/theft of his $500, should net him at least $10M under the 'merkin legal system.
I for one will continue to treat PayPal the same way I do when spellchecking my posts, i.e. "Ignore All"
Is there a US equivalent of the small claims court?
In the UK this would be simple. They have his money and cannot legitimately stop him getting it out of his account.
A simple letter asking for the money to be returned within 28 days or face a small claims court action to get the money back.
I'm sure he'd get his money back fast, and would easily win the action if they don't give him the cash back.
@NutZ - kool aid slurper
You might have had a point, if I hadn't been reading similar drivel for over a decade, oh and if you weren't wrong.
Despite the bum gravy that emanates from the 'white hat' community with tedious regularity, if you publish an exploit that can be used to harm others you are responsible for its subsequent use in doing so. Like handing out loaded guns to children.
The ass hat community came to the conclusion long ago that 'security through obscurity doesn't work'. They did this all by themselves, based on absolutely zero evidence (trust me, I was there) and subsequently decided that this was grounds to make full disclosure of all exploits a Good Thing, despite the fact that the two are patently unrelated.
They were wrong then, and they are wrong now. And they know it, and they don't care because it's all just an excuse for them to massage their pathetic geek egos and strut around calling themselves "hackers" (largely a misnomer, but the semantics of self applied labels are out of scope) while lacking the man danglers to actually engage any live targets.
I see by the fact that you think they are knights in shiny armour keeping us all safe in our beds that you have bought into their self aggrandising propaganda. Put down that kool aid and get a clue. These retards release live exploits into the web where they are taken up by skript kiddies and used to wreak havoc. That's actually not very fucking clever.
What idiot leaves $500 in his PayPal account?
"Experienced" paypallers know not to leave more than 20 quid in there.
Transfer out immediately is the rule.
Hear, hear! @The Other Steve
I love it. Excellent argument, The Other Steve. I particularly like the loaded guns to kids analogy. Maybe cheques will have a place in future!
Looks like PayPal's attitude roughly is 'We don't care what you sell to hack other people, but help people hack us and we'll stamp on your nuts and kidnap your puppy'. Nice, community-minded people.
PayPal will keep the money for 6 months as a guarantee against claims and chargebacks.
It's in the T&Cs that everybody who has an account skips past in a rush to tick the "I Agree" box.
And now that they are based in Luxembourg, I'm not sure if you can sue them through the UK Small Claims system, as it only applies to UK based firms and requires a UK based address to deliver documentation - I found that out while suing Ryanair, who are based in Dublin, and had to serve the papers to their customer services desk at Stansted Airport.
Surely if he's that good a hacker, he can just get into PayPal's back end system and re-enable his account for long enough to transfer the £500 out before deleting all his details?
It's also worth noting that even if you close your account, PayPal keep all of your personal details on file for 6 years.
Gave the talk at Defcon too
I actually saw him give the talk at Defcon, on how easy this was to do and changes that needed to be made. His Defcon talk is now available on their site.
The real news is...
that there is no news here. PayPal is a completely unregulated service which does arbitrary things with scrip accounts. There is no money in your PayPal account, there is only what they say is in it.
I won a suit against PayPal and I'm not going back . No more eBay, no more small-time scammers selling junk. It's quite the life.
Surely they should hire him then?
If a company like PP needs to secure their certificates in a better way, then who better to do it than the guy who figures out their weakness? I don't for a minute believe in this rubbish about him being irresponsible. He is a hacker, that's what he does: he finds security flaws and shows how to exploit them, then the security professionals look at his work and find out how to protect against them. This is how the security industry have always worked.
If it was a case of security through obscurity, then they rely on the hope that no one would ever look into the weaknesses of that system, and that if someone does he wouldn't exploit it, explain to anyone how to exploit it, or ever talk about it; they rely on the good will of the whole world then. And BTW, security through obscurity actually refers to having non-generic authentication methods or whatever, that are never to be divulged by the company. This isn't the case here, as they were using the standard SSL certificate system (and even those have a history of being analysed and hacked).