* Posts by Dan Goodin

60 publicly visible posts • joined 9 Jul 2007


Security mandates aim to shore up shattered SSL system

Dan Goodin (Written by Reg staff)

Slight clarification

Fair enough. Caching means not *every* HTTPS request is logged. I've updated the article to reflect this.

Additionally, I'm adding the following response from security researcher Moxie Marlinspike, who continues to argue that under the current system, CAs "have a tremendous amount of insight into your browsing history."

His response in full is:

It's true that the OCSP check isn't done with *every* HTTPS request to a site, because the response is cached in the browser for a short time.

It's more like the CA is notified once per "session." If you think about a typical visit to paypal.com, it might involve several requests to the website in order to send or receive a payment. The CA will typically only be notified for the first request, not all of the subsequent ones within a session. For an average user, you can think of it in terms of a CA knowing how many times they sent or received a payment via the PayPal website, but not how many clicks it took them to do it.

In any case, the notion that CAs have a tremendous amount of insight into your browsing history is substantially true.

- moxie

Dan Goodin (Written by Reg staff)

Re: Who fact-checks these articles?


When a web user visits an SSL-protected page, most browsers will check the see if the certificate has been revoked. This database is maintained by the CA who issued the certificate. The CA gets to see the IP address of the person trying to access the certificate.

This ability was underscored during the investigation into the DigiNotar breach. The investigators were able to determine that more than 300,000 people, mostly in Iran, encountered the fraudulently issued GMail certificate.


I hope this answers the question you and several other readers have raised.

Adobe kills two actively exploited bugs in Reader

Dan Goodin (Written by Reg staff)



You're right. 9.4.7 is the updated version, not 9.4.6 as previously reported. My apologies. The error has been corrected.

As for the RPC vulnerability, Adobe spokeswoman Wiebke Lips wrote in an email to The Register:

"Note: CVE-2011-4369 was reported after the security advisory (APSA11-04<http://www.adobe.com/support/security/advisories/apsa11-04.html>) was published. The Adobe Reader and Acrobat team was able to provide a fix for this new issue as part of today's update. Note also that at this time, we are only aware of one instance of CVE-2011-4369 being used."

Army of 'socialbots' steal gigabytes of Facebook user data

Dan Goodin (Written by Reg staff)

Re: I'd be interested to know


In the report linked in the article, the researchers said they strongly encrypted the data and then permanently destroyed it once their project was completed.

Hackers break SSL encryption used by millions of sites

Dan Goodin (Written by Reg staff)

Correction -- Opera doesn't support TLS 1.2 by default

Dear readers,

Contrary to what was published earlier, Opera doesn't support TLS 1.2 by default. Our apologies for the error.

Adobe Reader 0day under active attack

Dan Goodin (Written by Reg staff)

Here it is


The exploit code was written to install malware on Windows machines. The vulnerability itself is present in Reader for Unix and Mac OS X as well. Hence, they are vulnerable to attacks, but not the specific attack posted on the Contagio website.


Dan Goodin

Adobe plans emergency patch for critical Reader bug

Dan Goodin (Written by Reg staff)

In a word: No

Anonymous Coward, the critical PDF vulnerability in the iPhone is of Apple's making, since it resides in PDF viewing software in Mobile Safari. The iPhone doesn't use Adobe Reader. The bugs are completely unrelated.

White House devs overlooked gaping Drupal vuln

Dan Goodin (Written by Reg staff)

@Anonymous Coward

For the record, "gaping" was used to suggest how easy it was for this bug to be spotted during a routine audit. A bug need not be easily exploitable for it to be extremely obvious.

Given the ability for Drupal XSS's to silently reset the super user password, I think it's fair to say this bug should have been caught long ago. It wasn't, even after the White House developers gave themselves a big pat on the back for releasing their own code that built off the same buggy module.

That's why the vuln is news and why The Reg stands by this story.

Carry on.

Google sues alleged work-at-home scammers

Dan Goodin (Written by Reg staff)

@@...malware? ...really?


This is an article reporting the contents of a lawsuit that was filed by Google. It contains numerous allegations Google has made about Pacific WebWorks. How is it "simply incredible" that I'd include that detail?

More importantly, what evidence do you have that this detail is incorrect?

Dan Goodin (Written by Reg staff)

@...malware? ...really?

The source of that information was the complaint Google filed in federal court.

Critical bug infests newer versions of Microsoft Windows

Dan Goodin (Written by Reg staff)

@s it or isn't it?

Anonymous coward, the bug is present in Windows 2007 RC. It's not present in Windows 2007 RTM.

Make sense?

Reg readers crack case of the $23 quadrillion overcharge

Dan Goodin (Written by Reg staff)

@Who is Stuart McConnachie?

AC, my bad for not inferring your comment correctly. I assure you McConnachie wasn't trying to take credit for the work of others.

As for your question about the statement, the copy that I've seen lists the fee to the very penny, as in $23,148,855,308,184,500.00.

McAfee false-positive glitch fells PCs worldwide

Dan Goodin (Written by Reg staff)

@James O'Brien

Hey James,

Not sure if your question is just bait. Assuming it isn't, here's the answer:

In journalism, as in many other aspects of life, there are real-time deadlines. So what to do when it's time to hit to publish button and you still haven't gotten an answer to your question? Do you:

a) lay out the fact that you indeed asked the company for their side of the story and didn't get a response by press time (i.e. an "immediate response")? or

b) not mention it at all and let readers wonder if you bothered to email the company at all?

No, companies aren't at journalists' beck and call. But they have a right to have their voice heard in stories that directly concern them. I was only trying to make sure it was clear I tried to give them that opportunity and for whatever reason had not gotten a response by press time.

The reason we say didn't "immediately respond" is to make it clear that there wasn't a whole lot of time between the time we asked and the time the story was published. In the case of this story, it was about 2 and a half hours.

Make sense?

At long last, internet's root zone to be secured

Dan Goodin (Written by Reg staff)

@Jay Daley

Here's the text of the NTIA's press release:

Commerce Department to Work with ICANN and VeriSign to Enhance the Security and Stability of the Internet’s Domain Name and Addressing System

For Immediate Release: June 3, 2009

NTIA Contact: Bart Forbes, [phone number and email address removed]

NIST Contact: Chad Boutin, [phone number and email address removed]

WASHINGTON — The U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) and National Institute of Standards and Technology (NIST) announced today that the two agencies are working with the Internet Corporation for Assigned Names and Numbers (ICANN) and VeriSign on an initiative to enhance the security and stability of the Internet. The parties are working on an interim approach to deployment, by year’s end, of a security technology -- Domain Name System Security Extensions (DNSSEC) -- at the authoritative root zone (i.e., the address book) of the Internet. There will be further consultations with the Internet technical community as the testing and implementation plans are developed.

The Domain Name and Addressing System (DNS) is a critical component of the Internet infrastructure. The DNS associates user-friendly domain names (e.g., www.commerce.gov) with the numeric network addresses (e.g., required to deliver information on the Internet, making the Internet easier for the public to navigate. The accuracy, integrity, and availability of the data supplied by the DNS are essential to the operation of any system or service that uses the Internet. Over the years, vulnerabilities have been identified in the DNS protocol that threaten the authenticity and integrity of the DNS data. Many of these vulnerabilities are mitigated by DNSSEC, which is a suite of Internet Engineering Task Force (IETF) specifications for securing information provided by the DNS.

“The Internet is an ever-increasing means of communications and commerce, and this success is due in part to the Internet domain name and addressing system,” said Acting NTIA Administrator Anna M. Gomez. “The Administration is committed to preserving the stability and security of the DNS, and today’s announcement supports this commitment.”

"NIST has been an active participant within the international community in developing the DNSSEC protocols and has collaborated with various U.S. agencies in deploying DNSSEC within the .gov domain," said Cita M. Furlani, director of NIST's Information Technology Laboratory. "Signing the root will significantly speed up the global deployment of DNSSEC and enhance the security of the Internet.”

The NTIA in the U.S. Department of Commerce serves as the executive branch agency principally responsible for advising the President on communications and information policies. For more information about the NTIA, visit www.ntia.doc.gov.

As a non-regulatory agency, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. For more information visit, www.nist.gov.

# # #

ARIN heads off IP address land grab

Dan Goodin (Written by Reg staff)

@Ian Braithwaite

You're right. It's a single customer allocation that's enough to support 4 billion versions of today's internet. Story corrected.

Olympic champ's mom sues Google for dead blogger's post

Dan Goodin (Written by Reg staff)


That was a typo on my part, which has now been fixed. My apologies.

Busted! Conficker's tell-tale heart uncovered

Dan Goodin (Written by Reg staff)

@Can someone point us to the NMAP signatures?


Nmap creator Gordon Lyon, aka Fyodor, just emailed me to say he expects the Conficker update to be available within the next hour or so. For those who can't wait and don't mind mucking about with manual commands, the code is available at:


Fyodor plans to announce availability of the patch at:



Dan Goodin

A grim day for browser security at hacker contest

Dan Goodin (Written by Reg staff)

In defense of Charlie Miller

To those criticizing Charlie Miller for sitting on a Safari bug for more than 12 months, please consider the following:

A bug isn't the same thing as an exploit. While Miller discovered the bug more than a year ago, it was only recently that he figured out a way to exploit it so he could remotely execute code. Charlie told me he spent considerable time an effort making this happen. Meanwhile, he has paying clients and hard deadlines to meet. Under the circumstances, I don't think there's anything wrong with him dusting off an old bug when entering this contest.

TinyURL, your configs are showing

Dan Goodin (Written by Reg staff)

I Stand corrected

Thanks to Jack and AC for setting me straight. Story has been corrected.

Proxy server bug exposes websites' private parts

Dan Goodin (Written by Reg staff)


AC, unfortunately, the advisory is less than crystal clear on this.

It says: "To exploit this issue an attacker needs to execute active content (Java, Flash, Silverlight, etc) in the context of a web browser." Elsewhere it says, "Browser plugins (Flash, Java, etc) may enforce access controls on active content by limiting communication to the site or domain that the content originated from."

Not sure if the author really meant javascript. If anyone from CERT knows, please contact me.

How the Feds shook hands with an internet pedophile

Dan Goodin (Written by Reg staff)

@Alex King @Patrick Clark

"Maybe it's the shocking spelling in the article title. I too was expecting an insightful article about foot fetishism."

Cute, but reality is that for 305 million Americans, "pedophile" is the preferred spelling. Geez, and people accuse us yanks of living in a cocoon.


Feds: IT admin plotted to erase Fannie Mae

Dan Goodin (Written by Reg staff)

@"where sabotage by disgruntled employees is common"

Brent Weaver and others,

No doubt, the overwhelming majority of IT admins are honest, hard-working and law-abiding. But the fact remains that The Reg reports these types of stories with a fair amount of regularity. A small smattering includes:









Microsoft boasts 'out of box' IE8 clickjack protection

Dan Goodin (Written by Reg staff)

@gratutitous FUD

Anonymous coward, no conspiracy or FUD mangling going on here. Just disclosing that Maone is the creator of a product that competes with these Internet Explorer security measures and pointing out that security researchers with no dog in the fight agree with Maone.

Microsoft issues emergency IE patch as attacks escalate

Dan Goodin (Written by Reg staff)

@Details = good


Thanks for the kind words. I've updated the article to include the following paragraph:

Attack strings in separate SQL injections include 17gamo.com/1.js. Researchers say the number of attack sites is too high to keep exhaustive lists, but Shadowserver is doing an admirable job here (http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210)

Someone else asked what platforms the hacked sites were running on. That information wasn't available, but in general SQL injections attack web applications that fail to sanitize user input rather than the underlying database. Many of the SQL injections in the past worked on a variety of database programs. (See http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/ and http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/)



Dan Goodin (Written by Reg staff)

@Matt Ashworth

Good point. Story updated. Thanks for the suggestion.

Google Analytics — Yes, it is a security risk

Dan Goodin (Written by Reg staff)

@Andrew Ness

If you read the article, you clearly didn't comprehend it. Yes, The Reg uses Google Analytics, just like so many other web sites. But I assure you we don't link it to the admin section of our website for the reasons laid out above.

This point has been repeated umpteen times. Please finally take it in: It would be trivial for anyone with control to urchin.js to add scripts that steal session cookies, siphon the username and password entered and send them to any server of the attacker's choosing. With either of these two pieces of data, Change.gov has now been compromised. This is a risk that The Reg isn't willing to take, and it should be a risk that Change.gov isn't willing to take either.


New address spoofing flaw smudges Google's Chrome

Dan Goodin (Written by Reg staff)

story updated to correct link


Kentucky commandeers world's most popular gambling sites

Dan Goodin (Written by Reg staff)



You're right, it was Secretary Brown who said that, not the governor. Thanks for pointing out. Error corrected.

VPN security - if you want it, come and get it

Dan Goodin (Written by Reg staff)

This configuration of OpenVPN should *not* be blocked by most hotspots

To those complaining that OpenVPN is frequently blocked by hotspots, note that the configuration offered here uses port 443, which is open on the typical Wi-Fi network. This is exactly the configuration that JohnG discusses a few comments back.

CERT: Linux servers under 'Phalanx' attack

Dan Goodin (Written by Reg staff)

@James Penketh

Sorry, that was a typo. Story has been corrected to show the command is "cd".

Federal judge halts Defcon talk on subway card hacking

Dan Goodin (Written by Reg staff)

Presentation slides

AC, I've replaced the link to TG Daily with a link to an MIT site. As of Sunday, it was still hosting the slides.

Disgruntled admin gets 63 months for massive data deletion

Dan Goodin (Written by Reg staff)

@Keir Snelling

"At a guess, I'd say MS Remote Desktop. The client has a default setting that maps local printers to the terminal server. The client will advertise all of its local printers to the terminal server, and if the server has a matching driver, the printer will map. This is all recorder in the event log."

Remote Desktop is exactly correct. Should have included that detail in the story.

Hacker cops to $70k botnet rampage

Dan Goodin (Written by Reg staff)

@Anonymous Coward

Do you even think before spewing out such drivel? This won't be the first time Gregory King has spent time before bars. Tami alluded to this, but you're too busy offering knee-jerk reactions to take this in. I suppose if someone inflicted tens of thousands of dollars in damage on your business you'd sit the chap down by a campfire and sing Kumbaya.

And since when is Greg King a "kid"? He's 21 years old. Do try to get your facts straight before posting, will you?

Dan Goodin (Written by Reg staff)

Re: Isn't this the guy...


You must be thinking of the profile we did of a hacker nicknamed SoBe, who recently pleaded guilty to crimes committed while he was a juvenile. That article is at:


El Reg also did an earlier profile of Greg King that you can find at:




EFF pushes court to block unmasking of anonymous MySpace user

Dan Goodin (Written by Reg staff)

@What is free speech

Stranger: You're right: Megan Meier was 13, not 16. The error has been corrected. Thanks for bringing it to our attention.

TJX employee fired for exposing shoddy security practices

Dan Goodin (Written by Reg staff)

@BillPhollins RE: PCI Compliace

AC, I think you're confusing the TJX breach with a different breach. TJX secured its network with WEP, allowing the intruders easy assess. TJX also held on to data well after it should have dumped it.




Lifelock's fraud-prevention service takes more legal flak

Dan Goodin (Written by Reg staff)

Geez David Wiernicki

Where do you think CNN.com got the story? From the same AP reporter credited. Do feel free to think before commenting in the future.

Whitehats tackle The Great Botnet Dilemma

Dan Goodin (Written by Reg staff)

Contact them???

James Smith, et al.

Ever notice how slow ISPs are to deal with anything? Now multiply the delay by 25,000. I'm pretty sure TippingPoint has better things to do. As for popups and other types of notification: anytime you're running code on an infected machine, you're likely to get unintended consequences. Bottom line, contacting the infected users isn't practical. Anyone who believes otherwise should go ahead and contact each user himself (a list of the infected IP addresses is at http://dvlabs.tippingpoint.com/pub/pamini/kraken_uniq_ips.txt)

M. Burns, if you'd bother to look, you'd notice TippingPoint documented infected IPs and gave a deep dive analysis into their infiltration. What kind of proof do you want?

Modern 'primitive' could ease the pain of encrypting massive amounts of data

Dan Goodin (Written by Reg staff)

@Simon Whitehouse

Ever heard of key signing parties? Even with asymmetrical schemes, there is a need to securely exchange public keys. If a bad guy fools me into using the wrong public key to encrypt a message, the entire system fails.

So yes, an organization of 1,000 people still need to figure out a way to securely distributed their public key to each of their colleagues, and if you do the math, that's very close to 1 million exchanges.

Wikipedia-reading boffins jimmy keyless door to entire universe

Dan Goodin (Written by Reg staff)

@Minor nit

R Callan,

Here in San Francisco, that's how meter is spelled . . . or is it spelt?

UK teen is world's youngest certified ethical hacker (maybe)

Dan Goodin (Written by Reg staff)

Story corrected

Hey Anonymous Coward,

Due to incorrect information supplied to The Register, we got the name of the university wrong in an earlier version of the story. The article has been updated. Thanks for pointing out the mistake.

Mass web infection leaves researcher scratching her head

Dan Goodin (Written by Reg staff)

@Whew, thought it was a serious threat


Kindly read the article. Many if not all of the servers are running Apache.

Apple keeps critical security fixes to itself

Dan Goodin (Written by Reg staff)


Many thanks to all the readers who are weighing in. I've just updated the story to respond to comments that there are inaccuracies.

Rogue servers point users to impostor sites

Dan Goodin (Written by Reg staff)

Sorry about the confusion

Based on the number of comments saying the article is confusing, it's obvious we could have done a better job explaining things. Essentially, XXX is correct when writing:

"This article is about a CLIENT vulnerability!

"The malware is changing the DNS setting at the CLIENT (Windows) to make the CLIENT query the WRONG DNS server. You can secure your DNS server to the point of unplugging it and locking it in a bank vault 5 miles underground and it won't fix this problem. All of the servers are functioning as intended and designed (including the "bad" ones).

"Sure, there are DNS server vulnerabilities (some highlighted above) but THIS IS NOT ONE OF THEM.

"The malware ... typically involved a single line of code"

"Only Microsoft can fix this, not the sysadmins for 17,000,000 DNS servers."

The client vulnerability generally works by changing a single registry setting, rather than altering a victim's hosts file. During any given week while the study was being conducted, the researchers found hundreds of URLs pointing to exploits.

The questions about recursion and authoritative, vs forwarding DNS servers are beyond my ken, I'm afraid, so I won't touch them.

Rove investigator erases his PCs - to kill computer virus

Dan Goodin (Written by Reg staff)

Bloch is a Republican

"Bloch is a DEMOCRAT investigating the Bush White House! The wipe happened maybe because HE is being investigated?"

Actually, Bloch is a Bush-appointed Republican.

California gov site invaded by smut and malware again

Dan Goodin (Written by Reg staff)

No harm in viewing Google searches

AC2: Calm down. There is no harm in clicking on the links in the Reg story. They simply take you to a Google page and run a search that shows links to the infected pages. Heck, even clicking on the search results themselves doesn't install malware so long as you don't click yes to popups that ask if they can install software on your machine.

Just to make things extra clear, I've updated the story to say "safe to click if you don't mind "porn" in your url, but you probably shouldn't click on any of search results."

Leopard security bug puts Mail users at risk

Dan Goodin (Written by Reg staff)

@guess it does not effect everyon

"I'm using Leopard 10.5.1. I ran the heise email check and tried to open the attachment, quickview showed nothing, so I clicked on the email attachment and got the standard security warning:-

“Heise.jpg” may be an application. It was attached to a mail message and will be opened by Terminal. Are you sure you want to open it?"

Wonder what version of Leopard he was using? A pre-final?"

Hey Derek,

Thanks very much for writing. As noted in the article, The warning fails to run "about 90 percent of the time," with little understanding as to what causes it to display in some cases and not in others.

I've yet to install Leopard on my MacBook Pro, so I can't test Schmidt's demo. I'd be eager to hear the results other Leopard users get.

Monster.com attack puts users at risk (again)

Dan Goodin (Written by Reg staff)


Story updated to reflect comment from Monster.com representatives.

Thumb twiddling Mozilla promises fix for privacy-biting bug

Dan Goodin (Written by Reg staff)

@Mac or Windows or both?

Anonymous Coward,

Good question. According to Mozilla, Linux, Mac and Windows versions of Firefox are vulnerable. We've updated our story to reflect this.

Coming to a Windows PC near you: 4 critical security updates

Dan Goodin (Written by Reg staff)

you're right

Indeed, it is advance notice. Thanks for spotting that.