* Posts by Anonymous Dutch Coward

406 publicly visible posts • joined 19 Jul 2011


Dutch CA banished for life from Chrome, Firefox

Anonymous Dutch Coward

Press conference

Press conference:

http://www.dumpert.nl/mediabase/1691651/f0bb030b/persconferentie_donner_over_hack_overheidssites.html

Some quick notes on what the minister said, hope it's a good representation of the original:

Items:

- Diginotar has own-branded and* PKIOverheid certs.

- Diginotar was attacked.

- Friday results of investigation by Fox IT security company: PKIOverheid certs managed by Diginotar may be compromised

- Government does not trust Diginotar certs anymore

- Government will switch to other PKI cert supplier

- Phased transition of operational management of all Diginotar [PKIOverheid certs]

- Diginotar will cooperate

- monitor improper/fraudulent use during transition phase

- security experts will help in transition

Results: transition without big interruptions of data traffic

Q&A:

Will compromised sites be kept up?

Yes, although this will lead to certificate warning in browser. User should not use site.

How many sites?

We're tracking that down. It involves hundreds of sites.

Why aren't sites taken down?

They're also used for automated traffic, so we're not taking them down. Therefore we're taking over Diginotar [PKI overheid cert] operational management.

Isn't automated process unsafe then?

We immediately see improper use because we're taking over operational management

You're taking over operational management [at Diginotar]. Will this mean a government team will step in, and take over control?

Yes, management/responsibility will be taken over by government. This will ensure any improper use will be immediately detected.

What do you think of this?

These are risks with new technology. It's a break-in, an interruption of reliable traffic.

Does Fox IT research show the Iranian government was behind this?

They can't investigate that. Report only shows hacking has taken place, and certs have been stolen. We don't know extent of this.

We cannot see where the certs were used. By taking over management, we will be able to see this.

Investigation of who did this hack is the next step.

PKIOverheid may be compromised. How many government certs/sites are involved?

Diginotar is requested to give list of all government customers. Government initial investigation indicated a lot of sites involved, e.g. revenue services and motor vehicle department are involved.

Who will be hit, how long?

Don't know, will take a couple of days. E.g. motor vehicle department site has already taken steps to switch certs and be usable again

=====================================================

* some PKIOverheid certs are managed by DigiNotar, not all as there are other suppliers as well

=====================================================

How will they "monitor" improper use? When people start complaining their personal data has been stolen?

The story that government can track down improper use of certs by taking over Diginotar management seems ridiculous, but Donner may be a bigger PKI/SSL expert than I am...

Google might shun Dutch gov certificates from DigiNotar

Anonymous Dutch Coward

Dutch language skills sadly declining

Spokesmen should brush up on their archaic Dutch genitive case plural definite article skills*:

a spokesman wrote in an email. "Our top priority is to protect the privacy and security of our users. To be clear, in this instance we are considering a CA operated by DigiNotar, not the Staat de Nederlanden root CA"

Staat de Nederlanden root CA

[State the Netherlands root CA]

should be

Staat der Nederlanden root CA

[State of the Netherlands root CA]

* Sounds impressive, but honestly, my English skills might be below that of the spokesman mentioned - I have no idea whether what I just spouted is actually correct. But hey, this is a comment, so.... ;)

NHS digital pens: The 'Total Solution'

Anonymous Dutch Coward

Which one?

"up and coming proven technologies"

Which one is it? If it's proven presumably it has either ascended or come, possibly left already. If up and coming.... a marketeer could call it proven, certainly. Whether real people would is a different story.

Samsung refuses to buy HP's PC business

Anonymous Dutch Coward

Most cash-rich company in Asia?

Inquiring minds want to know: what's the most cash-rich company in Asia then?

Lightning strikes cloud: Amazon, MS downed

Anonymous Dutch Coward

It works, but it doesn't...

"the incident will rightly lead to questions about the "viability of the cloud as a delivery platform" but added outages were not a sign that the cloud does not work."

and

"There is also a need to address business contingency on behalf of customers...blah"

In other words, it could have worked, but it doesn't. But it will. Really. Or does it "work" already as long as you keep tweeting that you have a disruption when your disaster recovery doesn't work?

I'm sure a lot of customers really appreciate that there is a need to address business contingency. Problem is, the providers should have done so in advance....

Cisco doubles Catalyst Ethernet ports to 60 watts of juicy juice

Anonymous Dutch Coward

PoEP in Dutch

Poep in Afrikaans might not be nice. Two guesses what it means in Dutch...
