Belgian professor in cryptography hacked (standaard.be)
106 points by 1337biz on Feb 1, 2014 | hide | past | favorite | 28 comments



A near-perfect copy of Slashdot was supposedly served to infect "targets" with malware. Since Slashdot isn't the center of the IT world any more, the logical conclusion must be this: Who of us (reading this) is currently being served his HN by GCHQ?

We're here at the heart of what should (and does) bug many IT people over here in Europe: If you work in IT for a company that does something of interest to GCHQ and the NSA, then you and your access credentials are one of those 'targets' they keep speaking about.


HN isn't the center of the IT world, either.


Well, maybe not, but USG does keep an eye on the goings on here. E.g. http://web.nvd.nist.gov/view/vuln/detail?vulnId


Your link is indeed broken but some Google-fu led me to find these entries proving your point:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-017...

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-209...

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-492...

They cite HN among a plethora of other references, though.


Yes but this is NIST (formerly ANSI), and these are essentially credits. Heck even I am in credits at NIST somewhere, it's quite a leap from being mentioned to being tracked by government.


Your link is broken


I just assume the intelligence community has penetration into YC at an organizational level anyway. (Not to single out YC, just any firm in that class).


What would be the point of penetrating YC? There isn't much useful intelligence to gain from a startup accelerator. Things might change now that there are a lot of foreigners in the program, but even then, it's a relatively small group of people.

As much as people on this site like to think they're important, I highly doubt that anyone here (with the exception of the infrastructure/security people) matters enough to the intelligence community for anything more than your run-of-the-mill passive wiretapping/eavesdropping that all Americans are being subjected to.


British secret service police wanted an informer on every street and certainly tried to send infiltrators to every minority political meeting they could.


I guess if you think that you're a potential target, you should be doing your computing like rms: http://stallman.org/stallman-computing.html


Anybody who works in infrastructure for a big European ISP is a target. That's a lot of people who are currently living relatively normal lives.


His computer was infected after clicking a (bogus) LinkedIn invitation of a non-existent employee of the European patent office.

Just goes to show how effective phishing attacks are. If a professor of cryptography does not check SSL certificates, far fewer people do so than we think.
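The attack described in this thread (a bogus LinkedIn invitation) relies on the reader not checking where a link actually goes. As an added illustration, not code from the thread or from anyone quoted in it, here is a small Python checker that parses an HTML mail body and flags two common tricks: visible link text that names one host while the href points at another, and hostnames that embed a trusted brand name without actually being under that domain. The sample e-mail body is constructed for the example; the trusted-host list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail body imitating a LinkedIn invitation.
# Link 1 is genuine, link 2 hides a look-alike host behind neutral text,
# link 3 shows a linkedin.com URL as text but points somewhere else.
SAMPLE_EMAIL = """
<p>Jane Doe (European Patent Office) would like to connect.</p>
<p><a href="https://www.linkedin.com/in/jane-doe">https://www.linkedin.com/in/jane-doe</a></p>
<p><a href="http://linkedin.com.invite-accept.example.net/?u=123">Accept invitation</a></p>
<p><a href="https://example.org/track">https://www.linkedin.com/</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the anchor currently open, if any
        self._text = []        # text fragments seen inside that anchor
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _under_trusted(host, trusted):
    """True if host is one of the trusted domains or a real subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_suspicious_links(html, trusted=("linkedin.com",)):
    """Return [(href, visible_text, reason)] for anchors that look deceptive.

    `trusted` (assumed here) lists the brand domains a legitimate mail
    from this sender would link to.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = _host(href)
        reasons = []

        # Trick 1: the text the reader sees is itself a URL, but its host
        # differs from the host the browser will actually contact.
        shown_host = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown_host and shown_host != host:
            reasons.append(f"visible text shows {shown_host} but link goes to {host}")

        # Trick 2: the real host contains a trusted name as a leading label
        # (linkedin.com.attacker.example) without being under that domain.
        if any(t in host for t in trusted) and not _under_trusted(host, trusted):
            reasons.append(f"{host} embeds a trusted name but is not under it")

        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {text!r} -> {href}\n  {reason}")
```

Run on the constructed sample, the genuine profile link passes and the other two are flagged. The checker deliberately compares exact hostnames rather than substrings, because "contains linkedin.com" is exactly the heuristic the look-alike host is built to defeat.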


Social engineering has very little to do with cryptography; being expert on one does not give effective protection against the other (or vice versa).


Here's a much better English summary:

http://www.standaard.be/cnt/dmf20140201_011


Thanks. The first sentence of the second paragraph had my mind in shambles trying to parse it.

"There isn't a card with an electronic chip available, or it has some sort of security technology that UCL professor Jean-Jacques Quisquater (67) was involved in developing."

I haven't a clue what that means.

[edit] wait, your link just ends up at the same article for me.


A mod changed the link, earlier it was just a several sentence gigaom "article" linking to a Google translation of http://www.standaard.be/cnt/dmf20140131_049.


Thanks to the mod for the link change. Only found the standaard translation and thought the gigaom was at least some form of a summary and better than a google translated document.


That's a pretty literal translation from Dutch, a better interpretation would be "There isn't a chip card in circulation without security technology based on the work of UCL professor Jean-Jacques Quisquater".


That's what I thought it meant after trying to re-piece the words together in a way that made sense in English.


That sentence is not perfectly idiomatic, but it seems to assert that Prof. Quisquater was involved in developing security tech for all chip-equipped cards that are currently available.


That sentence is a literal translation from Dutch. Basically saying that the professor has been involved in the development of basically any card with an electronic chip available.


ISTM that a strict adherence to Kerckhoffs's principle on the part of the professor and his colleagues would reduce the value of this hack to run-of-the-mill NSA/GCHQ creepiness. That is, they're not going to learn any secret keys to CA roots by reading his email. Since they're creepy evil bastards, however, there doesn't have to be a point to it.


That example just shows how easy it is to be scammed. No matter how smart and how much of an expert you are, you still may be vulnerable from a totally unsuspected angle. Don't ridicule someone who "deserved" it because of his "stupidity" or "naivety", because you may be the next laughing-stock.


Quisquater was involved in the development of AES. Are the NSA trying to find ways to crack it?


That is incorrect. Quisquater was not involved in any of the AES candidates, let alone the winner.


Uhm, yes?! Because, like, it's their damn job to break crypto?!


Besides the GCHQ aspect, doesn't seem terribly different from other less catchy news stories: "Immunologist gets the flu", "Physical therapist fractures shin", etc.


You make it sound like it happened by chance. However, it's more like "Special Forces kill top terrorist in Absurdistan" (as in, went an extra mile, tailored operation, high-value target).

edit: speling



