"Windooze insecurity puts Iranian dissidents in mortal danger," states the subject line of an anonymous USENET post, quoting this article. "A Dutch CA called DigiNotar," says the poster, "was hacked by Iranian hackers, likely with the intention of intercepting SSL traffic (Gmail, Facebook etc.) of Iranian activists and freedom fighters. I checked DigiNotar's website and guess what operating system they're using? You guessed it! WINDOOZE ASP.NET!!!
“And as long as otherwise respectable companies insist on e-mailing me "slide shows" in the form of IrfanView .exe files because "it's so user-friendly", Windows will remain as secure as a wet paper bag.”
--Richard RaskerA more moderate Dutch poster, Richard Rasker, wrote separately: "I guess we've all heard how a Dutch Certificate Authority by the name of Diginotar, formerly used by even the Dutch IRS authority and countless city councils, has screwed up severely, when their systems were breached by Iranian hackers, who managed to poison the world with many hundreds of bogus certificates. Then they screwed up even more by hushing up about the hack for months -- a huge no-no in a world where trust is the highest good.
"And now it turns out that the screw-up has soared to even greater heights. In case you wondered what OS these people were using, here's the answer:
http://webwereld.nl/nieuws/107833/fox-it--diginotar-gebruikte-niet-eens-virusscanner.html
"For those who don't understand Dutch:
"Fox-IT: Diginotar didn't even use a virusscaner
Fox IT has delivered a devastating verdict on Diginotar's infrastructure. The company didn't adhere to agreements and procedures. Even elementary security measures were totally absent.
These are the conclusions from an investigation by Fox IT into the security breach at Diginotar, as passed by Webwereld and NU.nl through a governmental source. It turns out that all operations were taking place from within one single Windows domain. This made it possible to gain access to the certificate administration from any work station; logging in to one's work station was sufficient to get access to the systems. This is a mortal sin in the world of IT security. In addition, Diginotar was already aware of the abuse of its certificates as early as July.
No secure zones Even when issuing certificates for government use, standard security rules were trodden underfoot. The government's PKI computers operate from within a secure vault, and should never have been connected to Diginotar's network. Yet even on those machines, investigators found evidence that connections had been made to the Windows domain.
..." [no virus scanner ... no proper logging ... no strong password enforcement ... inadequate intrusion detection ... hackers got & used administrator rights ... certificates chucked in an easily accessible database ... etcetera]