Comodo continues to issue certificates to known Malware

Discussion in 'other security issues & news' started by hayc59, May 16, 2009.

Thread Status:
Not open for further replies.
  1. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    The admin at the COU forum responds to Melih's reply:
    http://www.calendarofupdates.com/updates/index.php?showtopic=19279&st=0&#entry80462

     
  2. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    It al boils down to this (emphasis is mine):

    the bolded part from the quote above could well be translated as:

    "My competitors in the auto sales branche do provide waranties for cars with failing brakes. Therefore, I must do one and the same, otherwise it would cost me money".

    In my book that's by no means a justification; on the contrary. Knowing there's something totally wrong, stating in public one and the same - and persisting in doing the wrong thing can't be justified in any way. Symantics are of no importance here.

    Comodo should keep the interest from the public in mind instead of focussing on loosing money/clients themselves. They willingly pick the wrong side.

    Wether or not part of the competition is doing one and the same is of no importance; it's Comodo who solely is responsible for their actions. The same goes for the technical relevancy from certificates in question; that is not the real issue at hand here.
     
  3. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    OK, so Comodo's justification for issuing certs to anyone who asks is ... (1) we need to make money, and (2) as others are doing it this way, so shall we.

    Hey, a neighbour of mine deals in drugs, and I want to make just as much money, so I decided to too. What, your honour, that's not OK? I don't understand.

    I suggest 'melih' stands back and takes a good look at himself. After his complete loss of face over the ask.com toolbar debacle, and his astonishing public revelations over this issue, he (or his superiors) might like to consider how to reintroduce some ethics back into his company.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    i think they should not give away their software free. They can make all their software paid while keeping some free versions with less features.
     
  5. ypestis

    ypestis Guest

    More and more it is clear Comodo's main problem is not it's code,but rather it's CEO.
    Perhaps share holders will awake to this fact before it is too late.
    Unless of course "Melih is Comodo",in which case there will only
    be more grandstanding and showboating,until some talented coders are out of work.
     
  6. Mattchu

    Mattchu Registered Member

    Joined:
    Nov 8, 2008
    Posts:
    66
    Location:
    UK
    This was quite an interesting read to start with, and i had a few questions regarding the subject.
    Like Domain Validation, basically that`s just saying the site in question is the site i wen`t to (not really much).

    What more is there?
    How do we know who is what?
    Would you download a product like the one pictured just because the site had been verified? If the answer was yes, then you`d probably still download it from a non-certified site and not even know what a certificate was(this is hypothetical btw)

    I`m not condoning this action but to me guidelines need to be made, this being the World Wide Web what are the chances of that......!!
     
  7. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    The original issue, to me, was what the admin at COU stated:

    "(why did Comodo) ask MVP Mike to shut-up when he's reporting such cert issued to known malware/rogue domains? They (Comodo) as issuer of whatever secure certification have all the rights to reject/refuse/terminate it."

    Basically, when a MVP alerted Comodo through an email address set up to report problems (such as a known domain being used for malware), Comodo told this MVP to keep it quiet. Instead, they should have acted on the MVP's advice and terminated the secure certification, as Comodo represents a security company who should act on preventing malware.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,984
    Wolfe,

    I fully agree. It is exactly what I was thinking too.
     
  9. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    True, then Melih's reply, which was along the lines of, 'if we can't beat them, join them', probably shocked a few people.

    I don't know if it's the best thing having a CEO respond on forums. Something can be taken out of context. Best to have a media team do that - save the CEO for the important announcements.

    I think it's great he's always involved, but at the same time, posting under another username, 'Comodo staff', would probably be better for the company.
     
  10. Mattchu

    Mattchu Registered Member

    Joined:
    Nov 8, 2008
    Posts:
    66
    Location:
    UK
    I do not agree with the theory "My neighbour sells drugs to make money so i`ll have a bit of that" or "That garage gives mot`s to dodgy cars so i`ll do that to make a bit extra"

    These things are illegal are they not?

    What is the answer......

    Cash will allways be king, and as someone has said these malware authors can make a lot, so what`s gonna stop them?
     
  11. Leonid

    Leonid Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    42
    Morality? There is no such thing in business! What are you all trying to say? That before this, you truly believed that COMODO cares about end users? Yeah, sure! Their freely available CIS is just an intelligent way to spread the word about COMODO. Althugh, it's free, it's a big moneymaker. They don't care about end users at all, just like any other company does not!
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is also an interesting thread over COMODO forum that I've found in the Digital Certificates, Encryption and Digital Signing sub forum.

    http://forums.comodo.com/digital_ce...igital_signing/is_this_for_real-t38305.0.html

    Not even an explanation by COMODO staff members. If that domain is or not distributing not so clear software, etc., beats me up, but, as other users mentioned there, nowhere in that domain a COMODO certificate is used.

    Now, why would a domain place information that they're using COMODO certificates, when they're not?

    And, no concern from COMODO?
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    And, that's why wise people tend to say that in most cases charity pays charity.

    Do you really think that those famous people do charity because they're nice people? No, it's great publicity... Just as CIS is.
     
  14. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    Sorry cant ignore that..
    What a load of preposterous BS.
    What a staggeringly stupid self serving statement that is, both as a stand alone effort and some sort of twisted attempt to justify comodo.

    I have tried not to post in any threads re comodo since Ask.com blemish and absurd grab for cash at expense of credibility, unhappily as posted above this is apparently an ongoing escalating issue at comodo.
    I watched perfectly sensible posters at the comodo forums get flamed by the drooling dolts of the melih fanboi club for posting well reasoned and articulate analyses of Ask.com fiasco and now watching the same happen elsewhere.

    Initially I had tremendous regard for melih and his 'mission' but he, as prime representative for comodo, has become tainted by his own words and deeds.

    I've watched mods from comodo here whinging and complaining about how hard we are being on poor old comodo :p
    I've watched wilders cop a ( fairly pathetic attempt at) bashing at comodo forums by individuals who post frequently here. :cautious:

    CPF and then CIS are good tools, but I felt tainted by association when using them.
    Lie down with dogs , you get their fleas.
    (even with an opt-out box or three :cautious: )

    I know melih has been banned here previously and so cannot respond to these threads so I dont want to drag this out as a free hit: I've already posted @comodo forums ( member since 04/2007) and been sandblasted. :)

    Absolutely; my choice as to whether or not to use comodo apps: guess which?

    "Creating Trust OnLine" ( trademarked) is looking a bit hollow, but then again millions of users cant be wrong, right.
    Congrats to the mods here for allowing these issues to be aired.
    Go Donna.
    Over and out.
     
    Last edited: May 17, 2009
  15. nielsson

    nielsson Registered Member

    Joined:
    May 13, 2009
    Posts:
    18
    Kinda boring to read all rubbish here at wilders..

    First you guys make us belive that CIS is a popup bomb while its not. Then you post this junk, all know that certificates are there for the following:

    1) Make sure you are sending the info to a site YOU trust.
    2) Make sure noone can read your traffic (encryption)..

    Comodo don't deserves this rubbish, any site can buy a certificate from any company, a security related page like wilders with all the "pros" should know that.. Shame on you guys for posting all this nonsens. Read about Certificates and what they do before posting. :thumbd: :thumbd: :thumbd: :thumbd:
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, what you're saying, is that, COMODO is certificating that the malware domain the user is at is the real deal, and not some bogus malware domain? Is that it?

    Please, explain me as if I know nothing about certificates.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Couple of comments on my on feelings about all this.

    1. I think you can deliver quality free software, as long as you have other business income that covers the cost, and they don't have to be shady.

    2. I thank Josh for providing the explanation, but I simply don't buy it. My business provides a service, but the business is really about trust. Just because another service does something that is slightly tainted, but legal, and just because everyone else may do it, doesn't mean I have to. It is all about trust and your reputation for being trustworthy.

    I've learned in the long wrong, passing the bucks that might be questionable, even though others do it and it isn't illegal, has been better for my business then those few quick bucks.

    Everyone should learn that lesson.

    Pete
     
  18. Steven Avery

    Steven Avery Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    112
    Hi Folks,

    I didn't know that Melih was banned here. With his posturing and arrogrance and dubious promotion, I am not surprised -- however I wonder sometimes if the Wilder's mods might look for more intermediate solutions -- posting limits, moderated posts, directed threads, etc, and offer the posters a chance for limited exposure and rehabilitation, if they learn to follow the forum decorum.

    There was a fellow on another forum who was obviously quite intelligent who mentioned, without acrimony, how he was banned here. I'm sure stuff happened of which I am not aware, however the thought occurred that he would be a strong addition here.

    Please understand -- I am all for mods having a good solid, banning policy. And this has in general surely made Wilder's a stronger and friendlier forum. I am just suggesting that it be a policy that is under almost continual review.

    Hope you don't mind the divergence. I appreciate that Wilder's has been a prime forum for exposing the Comodo and Melih problems (even Softpedia felt to walk lightly -- not happy about all those legal beagle letters). I would say that I learn more about these problems here than anywhere else.

    The blind mice certificate thing is just another example, I gave up on Comodo when the legal bluster letters went out to Softpedia. Simply because they were consistent and acting with integrity. The arrogance and stupidity, followed by the Melih double-talk, were amazing. (I probably would have given up on them because of the deceptive toolbar shenanigans, but the letters and continual double-talk and bluster were carob fudge cake-icing.)

    Shalom,
    Steven Avery
     
  19. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    Apropos of absolutely nothing at all to do with anything here:

    “My Dear,” said the gentleman to the lady, “would you go to bed with me for a million dollars?”
    “Well, yes, I suppose I would,” she replied.
    “Here’s $100. Let’s go then.”
    “How dare you! What kind of person do you think I am?”
    “My Dear, we have already established that. Now we are merely haggling over the price!”

    :)
    Wasn;t that something we were taught as children ..I think..
     
  20. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    If you're in the business of 'fighting malware', you should do all you can (within your capacity) to squash it.

    But if you're not in it (computer security business), and you're issuing secured certificates to malware distributers, then you don't have the same duty/obligation.

    As aigle said, Comodo should start charging for their software, and creating limited-feature free products. That should boost their income stream.
     
  21. nielsson

    nielsson Registered Member

    Joined:
    May 13, 2009
    Posts:
    18
    This is one of Melihs responses.

     
  22. Mattchu

    Mattchu Registered Member

    Joined:
    Nov 8, 2008
    Posts:
    66
    Location:
    UK
    Picture this scenario for a minute.

    A young lad/lass works in the Domain Validation section of any of the major players out there. Said person gets a correspondence enquiry about a DV certificate.
    Now they get payed commission for every certificate they sell, it`s been a tough few months with the `credit crunch` and all so what do they do?

    The`re gonna sell it and go for a few beers on friday o_O


    "The writing of this post and everything in it are all made up and do not in any way represent anyone or anything that has ever happened in real life, as far as i`m aware"

    :p
     
  23. eXPerience

    eXPerience Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    98
    No wait, they're not going to sell it and lose their jobs o_O
    even then, an other will still sell it, so there is no gain....
     
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    A number of posts comprising an off-topic tangent have been moved offline.

    Here's the deal. Past and present moderation decisions are not open to public debate. Period. If it's not something you agree with, move on.

    If you wish to present a counter view, do it privately offline via PM.

    Blue
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    The problem with Melih is... that deep down, he is a born politician. :D

    So, most other companies, choose a business model and they say it to you or you guess by their silence, that, it's about making the $.

    But this, was not enough for Melih. He started the "political campaign" with the "Melihvision" etc, the "save the world", "we must stop the malware", "trust", we offer this for free because we love you , not another 9/11 yadda, yadda.

    So when time comes and reality behind the rhetoric is shown, people get disappointed and it becomes a major issue.

    First it was "we don't need money from you, we get enough from selling certificates". Then the extra services and Ask.com toolbar arrived.

    Now we suddenly learn that what's legal is also morally OK, because at the end, it's about $, not about "trust, "love" , "save the world, save the internet" etc.

    If this was done by Verising, probably now this discussion would have been over.


    I leave you with advice of how to fight "evil" and "securing internet ", "authentication and malware prevention".

    http://www.youtube.com/watch?gl=IT&v=1rRslZHhvLY

    Melih for President!!! :argh: :thumb:

    Just a thought. Maybe he should leave the immoral grounds of validation to the others, since he doesn't agree with how it's done, and make Comodo products with a payware and freeware version. In this way, he could still say that he must earn the $, while not doing something that he doesn't like or isn't according to his consciousness.

    I can almost hear Melih's answer to this: "No, we won't leave the sector of validation to the unethical powerhouses. We will give our fight, from inside, to change this, because what is legal, isn't always automatically ethical. Hence, i will put all my resources to make Comodo grow stronger, take the place of Verisign and lay my own rules to the certification sector. I will make the world a safe place. Together, you and me, will raise the Comodo flag to the peaks of internet, we shall never, ever surrender!" :D

    Oh, Melih, Melih... If you 'd just stay in your office and leave alone fora and Melihvisions, just like the 99% of other CEOs do. It would be the usual "Ok, the world is about $, what's the big deal".
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.