Verified by VISA

[SkyNigger]

The Internet has thousands of threads about the Akamai creeps. Two decades, no answers; just idiotic lies from morons who believe Power is their friend. They're big, right? What reason would they have to 'risk' it all? This is the logic used to convince morons that online poker is legit. Like Absolute and UB.

At best, they're incompetent. Which is kind of amazing, because billion-$ corporations are somehow compelled to host their websites on Akamai servers. At worst, they're corrupt. Which is kind of amazing, because billion-$ corporations are somehow compelled to host their websites on Akamai servers.

http://forums.techguy.org/web-email/...ai-net-fb.html

No responses.

http://forums.techguy.org/general-se...i-net-img.html

No responses.

http://forums.techguy.org/web-email/...mai-net-2.html

2007 thread with multiple complaints, no solutions. Yahoo said it was a minor problem that would go away soon. 2007.

Quote:

Originally Posted by Anonymous

This problem started happening to me since last week I started protesting in facebook against the corrupted politicians running the planet

One poster linked to SecuriTeam's warning:

Quote:

Some Akamai hosts allowed anyone to proxy SSL connections through them. That is, anyone could freely "Akamaize" his or her own SSL Web server (see: http://www.peacefire.org/bypass/Proxy/akamai.html). Because popular browsers (e.g., Netscape and IE) implicitly trust Verisign CA certificates, a malicious SSL server could spoof SSL certification via Akamai's use of Verisign server certificates. The effect was that simply checking a site for the existence of a Verisign server certificate had no meaning. Anyone would have been able to use a Verisign server certificate (specifically, one issued to Akamai) for signing arbitrary content.

After Verisign issued 'bogus' Microsoft certificates (their explanation was that someone fooled them into issuing them to Microsoft Corporation, Microsoft was like "eh these things happen, no problemo homie") in like 2001, the question I've asked many times without an answer is WHY ARE VERISIGN STILL IN BUSINESS? No one else really asks that question. Everyone is so wonderfully forgiving.

This guy demolishes Microsoft's insulting claims post-incident. You would have to be a world-class imbecile (almost, Filipino-level stupid) to fail to understand that Microsoft's mistakes aren't really mistakes so much as 'mistakes'. And insulting ones, at that.

Quote:

We've seen how VeriSign publishes its CRLs, and examined whether its certificates and CRLs are within RFC 2459's requirements. Now let's revisit the question of exactly how Windows obtains and uses VeriSign CRLs. In particular, does Microsoft's CryptoAPI support the Well-Known-URL method, or does it rely on the user to provide the Manual method? The rather astonishing conclusion one must arrive at is "Neither".

To be specific, Microsoft's CryptoAPI, as shipped by Microsoft, only handles CRLs when they are listed in certificates that have the CRL Distribution Point extension of RFC 2459.

Microsoft is simply refusing to acknowledge the question of how it could design and ship a revocation infrastructure relying entirely on a feature it must have known didn't exist in the VeriSign certificates it was accepting.

Any system -- even Microsoft's -- could have an internal Well-Known URL for VeriSign, from which it automatically obtains suitably-recent CRLs for any VeriSign certificates it cares to accept. As an unautomated alternative, any system -- even Microsoft's -- could have a simple Manual procedure for obtaining and using CRLs. Which systems actually do this is a different question entirely. Indeed, one system we certainly know cannot and does not: Microsoft's.

But maybe a simple Manual process WILL work with MSIE. Here's what one user wrote to me about the process:

• Go to the VeriSign CRL site and click on the link named Class3SoftwarePublishers.crl to download the CRL.
• Go to Tools | Internet Options, then click on the Contents Tab.
• Click the Certificates button.
• Click Import, then use the Certificate Manager Import Wizard to import the CRL.
• Follow the confirmation instructions in Microsoft Security Bulletin MS01-017:
  In IE, select Tools, then Internet Options. Select the Advanced tab, then scroll to the section titled Security and verify that "Check for publisher's certificate revocation" has been selected.
• Verify that the CRL is in use by downloading an OCX and following the instructions on Microsoft's update confirmation page.

[U][But it's not working because] I followed the procedure listed, and what it says under Digital Signature Information is "This signature is okay" rather than anything about revocation.

Now it's possible that I've done something wrong, but [it seems pretty straight-forward]. Either way, something is very wrong.

The really interesting thing is that VeriSign has been publishing CRLs under its current mechanisms FOR YEARS, indeed, for years before RFC 2459 was ever written. Either it was wasting time and money doing so, since those CRLs were never used by anyone, or someone somewhere managed to figure out a way to get the VeriSign CRLs and use them properly. That Microsoft was unable to do so is the real issue here.

This leaves a really big unanswered question:

Why would Microsoft base its entire CRL and revocation infrastructure on an optional feature that was absent from certificates issued by one of its principal certificate providers?
At the very least, there are some gravely flawed design assumptions here, or there is a major breakdown in communication and requirements. Microsoft alone knows the real answer, and Microsoft alone should be held accountable.

Amazingly, this condition (unobtainable and/or unusable VeriSign CRLs) must have persisted for some time. That is, the revocation problem itself has existed since CryptoAPI first shipped. Windows has NEVER been able to obtain and use a VeriSign CRL. If it had, then Microsoft would not have had to issue ANY patch or update.

Security is a chain. Break one link and the whole chain fails. The critical broken link in this incident was Microsoft's sole reliance on a feature that simply didn't appear in the certificates it was accepting.

He didn't do anything wrong. Every other day, I follow a procedure outlined on an Microsoft "FastRelease Article" or listed on an Apple or AppleDeveloper forum to address one of the millions of security 'breaches' left intentionally open on systems shipped by every single OEM and software provider. I'm not a moron. Nothing about these steps are especially complicated, with the exception of getting them to work.

I reach the final step and the command prompt returns zero output, i.e. in this imbecilic quasi-Orwellian industry, that's supposed to mean "success" - except, there isn't any. I appreciate the brilliance, in tactics. But I'm the only person who does. Everyone else just gets frustrated. I get horrified because the only thing worse than a stack of new error messages, is no error messages. You know how ridiculous it is trying to elicit 'expert' assistance for a command that produces zero output upon completion?

It's about as ridiculous as posting a log of error messages. I have single (1) logs with millions of lines of errors when I open them in Notepad. I've posted links to them. I've read huge portions. Pretty sure millions of errors during failed installs = something is very wrong. You can investigate those error messages if you want to get more error messages. Keep spinning round and around hunting down Microsoft and Apple errors and you could spend 14 months and 6 figures USD going backwards.

I know this because I did this once, and this is what happened to me. You could probably achieve the same in a shorter period of time, and I imagine it wouldn't cost you as much. In late May and early July, I was going 'crazy'; offering Thai networking specialists 10,000 and 20,000 baht "no strings attached" upfront fees just to take a look. It's funny, some really hated money and simply weren't interested. So I upped the offers. Understand, I'm holding cash out when making these offers; I'm not promising cheques payable upon invoice or COD. They hate money at Pantip and FortuneTown, what can you do. A few didn't though; at least, not initially. A lot of experts came to my apartment in 2011. The manner in which they left though...

I know what horror combined with self-hatred, frustration and terror looks like. I have woken up with "big-boned" girls I believed were adorable the night before, when I used to drink. My systems are "big-boned" girls. My cash was the alcohol. The guys that stumbled backwards out of my Siri@Sukhumvit apartment...I recognised those guys. "Nothing is wrong", they said. "Everything is fine."

They just had to go.
-----

This is interesting.

http://revealingerrors.com/akamai_ssl

Quote:

Not happy about this Akamai shit. Have spent ages looking into DNS redirecting and am convinced there is a connection here with Akamaitechnologies. What do we do, stop purchasing stuff online because that is the only way to be secure? Very worrying indeed. The Internet is rapidly becoming an unworkable pool of shit. God only know what it will be like in ten years time??? When I have found a way to block Akamai, I will and if that means I can't access sites as a result then so be it!
Posted by Christopher Bergner at Mon Mar 21 15:38:22 2011

I have spent many days doing the same thing and am also convinced Akamaitechnologies are FILTHY CORRUPT. There are thousands of threads on the Internet with no answers, just idiotic lies about it being "fixed soon".

Quote:

None of this covers why Akamai feels the need to persistantly portscan anything and everything that connects to a site hosted on one of their servers, and their own website fails to explain the need for this assault.
Posted by Anonymous at Wed Mar 16 21:45:57 2011

I've got a pretty good idea why.

[SkyNigger]

Shucks. Microsoft domain. Microsoft certificate.

"Internal error."

[SkyNigger]

Akamai screwed up again, forgot to certify the domain name for Microsoft Translator. Carn darnit.

They'll get it 'right' one day..!

[rum dick]

Quote:

Originally Posted by SkyNigger

They refuse to redact this filthy shit. So they invent "catechisms". How cute!

It's time to kill. And time for some Christians to die.

I'm a mormon. We arent christians. So no glory to be had for killing me. But if you're shipping an invite to join you on Christian safari my schedule is waaaaaaay clear for the next lifetime or two.

[SkyNigger]

July 2011: This is retarded because that URL www.test-ipv6.com is straight off the opendns.com homepage (top right). mail.gigo.com? OpenDNS can't get their shit right? OpenDNS.

[SkyNigger]

Quote:

Originally Posted by Rum Dick

I'm a mormon. We arent christians. So no glory to be had for killing me. But if you're shipping an invite to join you on Christian safari my schedule is waaaaaaay clear for the next lifetime or two.

Wait. What? Do Mormons hate Christians?

What's the Mormon position on Biblical infallibility and inerrancy? I know the spiritual leader (who never gets involved in politics) of one billion Catholics believes every word in the Bible is the literal word of God. That's blasphemous if he believed in God. If he didn't, it's reality.

Christians need to die but the problem isn't their beliefs. Make someone stupid enough, and they'll believe anything. Visit the Philippines if you want to see 100 million examples of this fact.

The reason the atheist pedophiles who manage religion across the globe - really - need to die is because they use religion to turn humans into imbecilic creeps. Like my mother, who drowns everything in her obsession with public perception, her imbecilic awkwardness, her nauseating coy and her sensitivity to your non-existent shame, imagined for your benefit by her. She's so fucking polite, omg. She will tell you not to feel bad about something you couldn't possibly feel bad about.

"I can't transfer Julie's private school tuition fees until I land in KL. I can't get internet in this shithole airport and my laptop keeps crashing with BSODs before I can even run a Microsoft diagnostic assessment informing me that they can't detect a problem. So it'll hit your account like Wednesday, and Julie starts next week right?"

"In a fortnight, so you shouldn't feel bad. You know you don't even have to pay for these things; so if you can't, you shouldn't feel like you have to. Julie can just go back to her old school. I've asked her already, and she understands; she says she'll be fine."

What the fuck. Why would I feel bad. I know I don't, it's an agreement between Julie and I. Yes, she could go back to her shitty hellhole school if I was a cunt like you who makes promises they cannot keep; like "get ready for dinner" trusting in the Lord and then when the Lord doesn't come through with dinner, break into tongues thanking him for 'testing' you. Why the fuck would you alarm Julie. Of course she's going to say it's fine, and then stress cause you've made her think she's going to be bounced between schools. FUCK OFF YOU FUCKING CREEP. Christ.

I would never say the above. I would just shudder and get very dark trying to think about something else. I was in denial because I couldn't take care of them.

And now they're all dead.

[SkyNigger]

The Conspiracy Theory I Seem to Remember I Proved (part 1):

Quote:

After I noticed Yahoo was coming up Green for UTN-USER cert (which I KNEW was in my Untrusted Publisher store), I furiously opened up the Wizard and sure enough, there is a fucking UTN-USER Intermediate Certification Authority sitting there. I never approved that. This is outrageous. Because it's existence, instantly means all the fraudulent Comodo certificates are negated. Every cert issued by UTN-USER will be deemed Trusted. And this crap just happens silently, whilst idiots like me believe they've protected themselves from the ludicrous corruption, by placing the Fraudulent Certs in the Untrusted Publisher store.

Wrong. And maybe - just maybe - that's the reason for their ludicrous existence, in the first place. Getting into the Certificate Root Stores, even as 'Untrusted'. A difference between Trusted and Untrusted in my Certificate store should be easy enough to test. So I tested it.

I was surprised to learn I was both right and wrong. At the same time.

[SkyNigger]

The Conspiracy Theory I Seem to Remember I Proved (part 2):

Quote:

I decided to test this corrupted Trusted Certificate store, as I didn't trust them with squat. This random warning is shown, and I decided to install the certificate in the Untrusted store and see what error message comes up.

But it's ridiculous that I get this random warning after I delete ALL Certificates in ALL stores, with the exception of the default Microsoft Windows 7 certificates (there are three, and I've even deleted those in desperation - which renders Windows inoperable). But leaving the three defaults, this warning is given which ostensibly means that Microsoft trusts the corrupt ones that end up in my store but not this one.

That's fine, but the reason given is the clue.

It's expired, but that's not the reason it's not Trusted. I have Trusted Root CAs dated as far back as 1999 for Microcode.

The reason given is that it's not trusted by a Trusted Publisher in my store. Or it's not trusted by a Trusted Intermediary. But then neither were the corrupt Trusted Root CAs after I delete them all except for two Microsoft and one Thwate (for timestamping only).

So the reason given is a bold-faced lie. The ones IE, Google and Firefox accepts silently are from Root CAs which don't have Microsoft or Thwate in the Certificate Chain.

Microsoft gives the answer:

Quote:

Originally Posted by Microsoft

In Windows Vista and Windows 7, root certificates are automatically updated when a user visits a secure Web site (by using HTTPS), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate. This process is seamless to the user, so no security dialog boxes or warnings are displayed.

Can you believe this shit? This shit is unbelievable. What this means is that the ability to control Root CAs is TAKEN OUT OF YOUR HANDS by Microsoft. You cannot control them by deleting them back to defaults. When you encounter a corrupt Certificate, Microsoft uses a hidden mechanism for establishing whether or not the Cert is automatically added to your Root Stores.

Which, unsurprising, is exactly what fucking happens.

[SkyNigger]

The Conspiracy Theory I Seem to Remember I Proved (part 3):

Quote:

So I installed the Untrusted Certificate in my UNTRUSTED Certificate Store. As you can see, it then comes up a curious message "the certificate has been revoked by its authority". No it hasn't, unless Microsoft finally looked at the dates but that's unlikely because an expired certificate does NOT equal a revoked certificate. And neither an expired certificate nor a revoked certificate equal my refusing to trust a certificate that I place in the Untrusted Store. So this is bullshit right here.

And unless you're blind, you will have noticed something more....relevant? When I try to access the dubious website with the certificate clearly installed in the UNTRUSTED Store; Microsoft just takes me there. One warning preventing proceeding when the certificate was unknown. Once it's known and UNTRUSTED, there isn't any protection.

What good is an alert once the webpage has loaded? Thanks Microsoft I guess I won't download any virus applications from this website. Apart from the website, of course.

[SkyNigger]

The Conspiracy Theory I Seem to Remember I Proved (part 4):

Quote:

When you install an unknown certificate in the Untrusted store, the certificate purpose/s fields are editable. I had installed the Certificate without editing it, which by default meant it was listed for All Purposes.

You can change this to block some purposes, or block all purposes. Press Advanced > Insane nonsensical "purpose" editing functionality. At best, moronically redundant. At worst? Those 'bogus' Microsoft certificates signed by Verisign are installed by Microsoft automatically no matter how often I delete them. It doesn't matter how often I delete them, they just get installed back within a couple hours.

Why was I deleting them? Because they're installed silently by Microsoft into my Certificate Store, into the Untrusted Store sure; but installed into Untrusted with < All Purposes > enabled. There are a few theories I have for how this can be exploited with scripts; but they all revolve around the same principle: Microsoft FORCES those certificates onto your machine. Why?

Why can't they just be "Unknown" and therefore, UNTRUSTED; just like the billions of untrusted unknown certificates in the wild?

WHY AREN'T CERTIFICATES PLACED IN THE UNTRUSTED STORE INSTANTLY BLOCKED FOR ALL PURPOSES?

The answer to both questions:

Quote:

Originally Posted by Microsoft

In Windows Vista and Windows 7, root certificates are automatically updated when a user visits a secure Web site (by using HTTPS), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate. This process is seamless to the user, so no security dialog boxes or warnings are displayed.

They cannot be Untrusted when they're unknown and in the wild, because Microsoft is FORCING you to trust all of Verisign's certificates. Now why would they do that, when as Bruce Schneier wrote correctly in Crypto-Gram:

Quote:

...there is no way to revoke the certificates (Windows has no CRL features)...

Microsoft responded to this claim with a claim that they did have this functionality. Gregory Guerin's 2001 blog, which I posted an excerpt from, proved Microsoft were full of shit.

Quote:

This leaves a really big unanswered question:

Why would Microsoft base its entire CRL and revocation infrastructure on an optional feature that was absent from certificates issued by one of its principal certificate providers?

At the very least, there are some gravely flawed design assumptions here, or there is a major breakdown in communication and requirements. Microsoft alone knows the real answer, and Microsoft alone should be held accountable.

The question has never been answered. Here is your fucking answer, dipshits. I've answered it.