Hi Everyone
http://www.comodogroup.com/products/comodo_security.html
A bit of self-promotion, but it does truly help end users. The more sites verified by Comodo, the better for end users.
Your help is greatly appreciated.
Melih
Oil Wars and CPU power! 
What the hell has Oil got to do with CPU power?
Well, they are somewhat related. One is the enabler for the physical world (Oil) and you have people fighting over it, and the other is the enabler for the Virtual world and you have people (well, malware, spammers and hackers) fighting for it.
Just like Oil is the key component that enables the majority of our lives, from transportation to heating etc., CPU power is the one that enables our online worlds. Without CPU power there would be no online world! So who is fighting for that CPU then? We can see who is fighting for Oil, but who is fighting for the CPU? Nope, I am not talking about Intel or AMD. They are not fighting for the CPU power, they are fighting for market share to sell CPUs. But there are more sinister forces who are fighting for the CPU power, forces that without CPU power would be utterly useless. CPU is the food they need to survive. They trick you and your programs into letting them in to get some CPU power! With that CPU power, they get more powerful and continue to exist and expand/spread.
(ok, ok.. enough suspense.).
It is the malware, it is the malware providers, it is the spammers, it is the hackers, it is the script kiddie that wants to have access to and control of the CPU power you have! Computer software is made of instructions (things that instruct the PC to do things like: display text, run algorithms etc.). These instructions get “executed” in the CPU (eg: Intel/AMD etc). Whether the code/instructions have good intentions or bad intentions, they get executed in the CPU. So a bad guy who wants to do bad things will go after your CPU power. Let me give you an example: a spammer who wants to send lots of spam to millions of people. They write some nasty code that they distribute, to take over unsuspecting victims’ machines and turn them into Zombies. Cos the spammer does not want to send all the spam from his machine! And why should he? It’s easy enough and less risky for him to take over your machine and send his spam thru your machine. You see, your CPU is able to do a lot of good and bad things, it’s very powerful and its control is totally up for grabs! It can send millions of spam, it can launch attacks on other websites and take them down, it can harbour malware and act as a distribution point and oh btw it can also do word processing!
The question is: How do you get that control back!? How can you make sure you have control of your own CPU!?
Melih
The New Dawn: Security is not Trust
Despite talk about encryption and security on the Internet, we are still falling short of true identity trust assurance every time we go online. Why? Our current attempts at encryption only encrypt our communications, but don’t check who is on the receiving end, thus giving users a false sense of security. After all, what is the point of encrypting something for someone you have not authenticated? For all we know we could be encrypting and securing information for the fraudster on the other end.
Through real world examples of fraud, phishing and finally trust, I will outline what steps are necessary to move the Internet from merely encrypted messaging to a secure environment with established trust between user and e-merchant and back again. This article will outline why some tools work and some don’t, as well as what actions must be taken to prepare us for the next Internet revolution, the next threat and hopefully an age of trust.
Not all Animals – or Internet Padlocks - are created Equal!
It’s a fact of life, we look different, we act different, and we feel different! And that is why browser providers like MS, Mozilla Firefox, Opera and KDE want to change the way their browsers look, feel and interact with the end user. Yet, their security padlocks seem to remain unchanged, providing us with an icon of trust and security that may not only be outdated, but may be a wolf in sheep’s clothing.
Today, not all Secure Sockets Layers (SSLs) – padlocks to the general user - are created equal, and some are even being used as tools in today’s phishing attacks. However, it is hard to tell a secure lock from a non-secure lock when they all look the same. This growing online inconsistency is making it more important that our end users be able to identify a true authenticated site and that browsers work with trusted Certification Authorities to ensure that the padlocks are doing what they promise.
But the good news is: All is about to change! We are about to have a more trusted indicator in the browsers! http://news.com.com/Browsers+to+get+sturdier+padlocks/2100-1029_3-5989633.html .
Thanks
Melih
Well, now that we have a website www.cabforum.org, everyone knows the new standard we have been working on to improve SSL.
I thought I should write a note or two to clarify a few issues and make a few statements.
1) Where the hell did this CAB forum come from?
Well, in April 05, I thought the time had come to bring together the people in the industry and own up to the problems that existed so that they could be resolved. One morning, I rang our competitor Verisign’s folks and asked them if they would be in. They said np. Then we held the first meeting of this forum in a hotel near Wall Street in NY, hosted by Comodo.
What do you mean why did I do that? The same reason why I chose to give a free firewall, free AV. I believe by bringing the industry together we could create a vehicle to help resolve “trust threats”.
2) What had to be done: The problem was, people who had root keys could issue certs willy nilly. There were no standards to follow or rules to abide by. That’s why some CAs were issuing unvetted certs. So stage one was to set a standard and get everyone to agree that unless they complied with this, their root would be kicked out of the root programme.
Of course, then the question was: where do you draw the line for this standard? It was, and still is, difficult to figure out. It was important to have really good validation that was still inclusive. Stage one is a good starting point, however we need to continue making progress and make EV accessible to every legitimate entity who needs it. Identity Assurance is a key component in any commerce and especially so for e-commerce.
3) Why did we have to come up with a new GUI and not simply fix the yellow padlock? Well, that’s a tough one. I don’t think it’s fair on the browser guys. Let me explain: there was no standard when the browser guys included the root keys of certain CAs, so under what circumstances can they turn around and say, ok, we are kicking your root out now? On what basis? There was no standard in the first place! So that would, imo, leave a huge liability for the browser guys. Also it would take a lot longer to get the standard in effect as there are already multi-year certs out there on the old SSL. And a few other reasons that I can’t remember (yes, old age!).
4) Is this a way for CAs to make more money? Well, yes. But that was not the intended consequence at the beginning. It was merely trying to address a problem, which turned out to be a new product that actually cost more money to implement due to its high standard requirement. (Come on guys, give me a break will you, we give all desktop security for free!! Let us make money somewhere, will you?)
More will follow as I get more questions/thoughts...
Melih
The point that is being raised in this news article is that people use AV mostly and anti spyware is yet to penetrate the market.
One of the major reasons why Anti-Spyware products come as a separate product is because vendors are looking for ways to charge extra for this. At Comodo we decided to turn our AV engine to also catch spyware, hence we called it CAVS (Comodo Anti Virus/Spyware). So I believe our strategy is right and our strategy will help fight malware better, cos the majority of people still think just AV will be enough and don’t bother with Anti-Spyware.
Read the article and let me know your thoughts please.
Thanks
Melih
If you have, then I strongly recommend that you go see a shrink!
But imagine how your ID would feel in the midst of Bits and Bytes in your computer, amongst thousands of executable programs which he does not understand, amongst the viruses that have infected your machine, fighting the Trojans that are logging every keystroke for your valuable IDs, and the Spyware that is watching both the viruses and Trojans on your machine, grabbing that precious ID you have confidently trusted your PC with and sending it back to its creator! Do you think your Valuable Information, your ID, feels lost, overwhelmed and vulnerable in that black box called a “personal computer”!!!
Do you really know how many executable files (these are applications/software that are built to do things on your computer, like Internet Explorer) are running at any one time on your machine? The reason I ask about executable files is because these are the ones that “do” something; they execute an instruction, good or bad!
Ok, let me ask you a question in a different way: “Do you know how many people live in your house?” Yes, the majority of us do! A PC is like a house for your executable files; do you know how many are living in that house called PC? Nope! We haven’t got a clue! Should we? Well.. in theory we should, but it’s not as simple as counting people living in a house! It’s a complex animal, these PCs. Do you know, when you drop your ID in this house called PC, who is there? Who will see it? When we are getting undressed, we usually do it in the privacy of our own house or even our own room, bar a few streakers that might be reading this for whom this will totally not make sense, but hey! But we are quite happy to drop our ID into one of these houses called PCs! But wait, that’s not all! These houses called PCs have tunnels in them that connect them to other houses around the world!! And never mind knowing who is living in this PC you own anymore, the question becomes who is going to come thru these tunnels (what? Tunnels? More than one?) and do what to your ID? So we have invited this black box called PC into our lives, given it a prominent position in our houses, living rooms, put all our information, valuable and not so valuable, into it, yet we don’t know who is in it or can connect to it!
Do you know what insecurities your PC has?
Do you know which products you should be buying to protect against these?
Do you know how much you should be paying?
No, No and another NO!
Today there is no single place you can go to buy protection against today’s threats that easily without forking out large amounts of $$$, never mind a product that will also assure you against any future threats!
In this search to protect ourselves, like a man in a desert drinking the poisonous water, we fall victim to even more fraudsters claiming to offer protection for you!
We need protection, assurance on our machines. Something that tells us: Everything is OK, carry on doing what you are doing on your computer and don’t worry about a thing. This should not require me to be an expert to understand what is what! On the contrary, it should be totally invisible to the user! I have an Air Bag in my car and I haven’t got a clue as to how it works and am not interested in learning how (there are too many things to learn in this world! And I only have a very (I do mean very) limited number of grey cells). But I know what it can do for me, which is enough for me to know. So should a user be burdened with a decision about “services.exe is trying to connect to the internet, do you want to allow it?” by your firewall, which is really clever to intercept any calls that any programs make to the internet but does not tell you what you should do with it! What’s the bloody point!!! How many of us know the difference between service.exe, a legitimate program, and services.exe, which is a Trojan! Not many! We need to change the way we protect ourselves! We need to change the way we protect our identity and everything of value! Technology is one part of the equation! The other part, as and when you have the technology, is the accessibility!
So, in this house called PC live thousands of executables, where I don’t have a clue about who is who, connected to millions of other PCs around the world, and I don’t even have proper protection!
God save us!
Melih
Phishing is a type of fraud that is ideally suited to a lazy fraudster! After all, what work do they have to do? They don’t have to build a website, just simply copy one of the banks’ sites, and they don’t have to even send the email themselves, just go to your nearest spammer who will be more than happy to do that for you! And writing the email!!?? Worry not, Mr Lazy Fraudster, you will also get that from your nearest bank. All you have to do is add your domain and voila, now you can collect people’s bank account details. And we are sorry, Mr. Fraudster, that we can’t automate the withdrawals from each account - you have to do that manually! But then again maybe a 14 year old script kiddie could automate that for you too! Just ask your nearest nerd.
The point is, Phishing is not even intelligent, nor does it require such hard work! It hardly is your “Italian Job”! Where is your strategic, disciplined and clever fraudster who is after your money?
Well, they are on their way!
When I invented this tool called Verification Engine to verify web content, people said: what for? I said: Wait and see! I called it a tool to eliminate “spoofing a website” – today’s term for “phishing”. Was I a “scare monger” then? Time has proven that I wasn’t! Am I scare mongering now when I claim that these phishers are just the “first wave of attackers”, or the foot soldiers? Unhappily, this first wave will be followed by the “armoured cavalry” as the next wave and they will keep coming! Just wait and see! Today, we mainly have the opportunist fraudster, but we are seeing organised crime with more resources moving into the Internet feeding ground. Now it’s commercially viable for organised crime to exploit the Internet.
We have this castle called Internet and someone has left the castle gates open, so all these opportunist fraudsters are waltzing in! We have built the internet with no authentication “doors”, no verification whatsoever!
Is that wrong? No, of course not. In any technological development you first get it to work, then you get it to work faster, more secure, more efficient etc. It’s the way technology gets built! Just look at cars, in the 1950s security was not the biggest selling feature - was it! It is now! People were getting killed in 30 miles an hour crashes, because they did not have seat belts and cars were not built with security in mind! Compare that to today’s cars with Side Impact Bars, Air bags everywhere, with Anti Lock Brake systems and so on…
What’s important is to understand when we need security, authentication and assurance! Did we need assurance technologies on the internet in the early 90s? Maybe we did, maybe we did not. But we do need it now, because now we have built “Value” into the Internet, which needs protection. We do our banking there, we purchase things there and we share confidential information with other people on the Internet. And anything of value must be protected!
Where would we be without Side impact bars, air bags, Anti lock brake systems? Roads would be more dangerous for all of us. The Internet must be secured, authenticated, and I as a user must have assurances that I can confidently use the Internet……… Funny.. As I am writing this article, I just received an email from “Paypal” asking me to login to my account, and I don’t have a Paypal account and the URL is not a Paypal URL, but nevertheless I went to that site and entered my “Username and password” for the lazy fraudster, who now has to enter one more password to a Paypal account only to realize that it’s the wrong one...
Anyway, here is the point - let’s understand the underlying problem and fix that! The reason why Phishing and Pharming exist is because we cannot verify what we see! It has little to do with the way we receive emails. Unless we give the users the ability to “verify what they see” we will continue to suffer from this vulnerability called phishing. Instead of trying to fight the enemy once they are through the open castle doors, let’s close the doors!
Melih
Imagine me, if you will, doing for the Internet what David Attenborough does for nature. I will consider myself utterly accomplished even if I could only achieve a small fraction of what David Attenborough has done in bringing the beauty and power of nature to us. I will describe the beauty and efficiency of the way a shark swims, or how a tree pollinates by shedding its fruit that can swim thru rivers, and also talk about how sharp the teeth of sharks are and how they can attack us! The Internet is like Nature: it’s beautiful, it’s something we’ve come to admire, it’s something we can’t live without, it’s something that will help propel us into our next level of human evolution.
I am an Engineer! (Electronic/Computer Engineer with a BSc Degree from Bradford University in the UK, to be exact). To me an engineer exists to make everyone’s lives easier, better, safer. I believe we exist to help human evolution by creating enabling technologies! It’s our job to serve you by creating technology! We all choose a path of what to create: some engineers choose to build bridges so that we can make transport easier and safer, some of us choose to build machines to speed up production, some of us choose to build the internet, and there are some that choose to build security to enable useful technologies like the internet. That’s where I come in! I would like to create technologies that will secure the internet so that we can all use it safely. Why have I chosen this? Not a clue! Honestly, since I have known myself, even when I was a child, I used to build houses that thieves could get into, but couldn’t get out of!
Some people asked me: did you have a bad childhood to make you feel so insecure?
On the contrary, I had a really good childhood with loving parents and siblings, and no, I don’t feel insecure, I just see the insecurity in things we build (sometimes). I built my first electronic circuit when I was 9 years old (ok, ok, I copied the circuit diagram and I just soldered a few components, that I knew nothing about, together). I thought it was OK to replace our door bell with a 20dB siren that I had built, until my father told me off. I was just trying to make our door answering better by having a louder door bell!!!
Of course, I also had my room wired so that I knew who was coming to my room and when! I have taken it as my duty as an engineer to identify vulnerabilities that could hinder our progress on the Internet! Can I do it on my own? Not a chance! Are there many good people out there doing the same? Of course there are, and thank god for that too! But as part of the collective work, I can put my 110% into trying to
a) identify vulnerabilities
b) create solutions for identified vulnerabilities
Alright, alright Melih, we get your point! You are an engineer and you want to help secure the internet. But why the Internet, why not cars or satellite TV or something else?
In my younger days, I kept racking my brain with this question: “Why did the human race ride on horseback for thousands and thousands of years and all of a sudden, within a very short period of time, jump from a horse back to a Jet plane!!”
Why?
It took me some time! I had a very strict history teacher in high school! I hated every minute of History or Geography lessons as I did not see the point of learning what the longest river in Hungary was, but luckily one thing stuck in my mind from one of the history lessons, something my history teacher made me take a note on!
Johannes Gutenberg and the Gutenberg Press (1450) that allowed information to be retained and shared!
In my opinion, one of the greatest contributors to our Industrial Revolution was the ability to share and retain information thanks to printing!
And now we have the internet! A better, more efficient, faster way of sharing and retaining information! It’s interactive, can hold much more information and is accessible in your home! I used to spend my Saturdays at a great book shop called Foyles in London! Now I have the internet (and a back ache because I sit in front of the computer too long! Ouch), I can have any information (sometimes more than what you have bargained for or are ready to digest). If we are to accept that printing helped culminate the previous industrial revolution, and I totally believe that, then the Internet will help create the next industrial revolution! So as an engineer, believing this to be the case, I am more than motivated to make sure that “we enable the internet” so that it helps the human race to take the next step into the next industrial revolution! Just think it through: what percentage of your time were you spending being connected to another human being using a technology in the 1960s, and what percentage of your time are you spending now being connected to another person using technology (cell phones, internet etc)? If there is a mad mathematician who could draw a chart, please do and extrapolate this into the future; it will show you that we will be connected to everybody all the time! Imagine how much of our wealth was reliant on technology in the 1960s and how much of your wealth is reliant on technology now! We are becoming more reliant on technology all around, we are becoming technology ourselves! And we better make sure to identify vulnerabilities and fix them! That’s what I want to do!
Yeah but, Melih, you are the CEO of Comodo, you are running a business, surely you are motivated to make money! Hmmm. True, I am the founder and CEO of Comodo, yes, true that I am motivated, very motivated actually, to make as much money as possible! But not for money itself but for what it will enable me to do. (Private jets, wild parties, cool toys, houses all around the world that I don’t use, hmmmm enticing.. ) Well, joke aside, of course I want the cool toys here and there, but I also think about kids going blind in countries because they can’t afford to buy $2 worth of cream to cure them! I can see what money can do and I also see what I can do with money! (spend, spend, spend).
A great guy and a dear friend of mine said to me once: “Melih, responsible people should make as much money as possible as they will do responsible things with that money”. My responsibility is to help enable the internet by trying to fix its vulnerabilities! And I will make as much money as I can and I will spend (actually I have been spending already since I set up Comodo in 1998) (like we have spent some of the money by investing in and building technologies like Comodo Personal Firewall and Comodo Antivirus for free to the masses) whatever is necessary to fulfil this responsibility.
Melih