According to KPN, the hacked website was not part of the CA's issuing system. Assuming they're being wholly truthful, this article is pure sensationalism: A company has a non-critical website that's hacked: whooptie.

Of course it's bad PR: it doesn't inspire confidence in their other security matters. However, its just as likely that they're concentrating on their actual business (managing certificates), and the site was an afterthought. In any case (maybe I'm just cynical) it doesn't surprise me that a very low traffic, low volume site is negligently secured.

Totally misleading headline.

The hacked machine seems unrelated to the actual CA business, though - it's just a website, not a CA management tool or whatever. Source: http://forum.kpn.com/t5/News-stream/UPDATE-11-30-KPN-sluit-tijdelijk-website-Gemnet/ba-p/8477

Yeah; people seem to have this idea that because FF will change versions several times a year that this mean they'll see the same amount of change and the same amount of plugin breakage several times a year they used to see just once every year or two.

Of course, that's nonsense - development speed won't go up by an order of magnitude; it's just a different (and better) way of packaging essentially the same changes.

I kinda hope they adopt something like chrome's auto-updater for an even less intrusive experience.

You're telling me people never use Chrome in the commercial world? Or, for that matter Windows? Or Firefox 3.6? Or really, anything? All of this big-attack-surface area stuff gets patched regularly, and if a client refuses to patch, they're generally on their own (or paying a lot for a custom solution).

Supposedly, the compatibility version string should be automatically updated in many cases: http://blog.mozilla.com/addons/2011/04/13/add-ons-review-update-29/

It's more akin to saying that SQL is broken because some versions of PHP allow SQL injection. The bug was in two common library implementations and can be fixed merely by updating the library... I also love how the article sensationalizes the issue and calls this a "serious" vulnerability... how exactly is this vulnerability going to be exploited in a "serious" fashion? That sure doesn't sound easy to do for most openid uses...

Not quite; it trains your users to only ever enter their password into precisely one site. In addition to which, under common usage you'll already be signed in and will rarely need to enter a password in the first place.

Also, your openid provider is free to use a less risky authentication method. E.g. if you use google's you might use two-factor authentication; a process that would be far too complex and annoying if it needed setting up for every site, but hardly problematic if used for just one or two.

Except of course if the entire lawsuit is merely a cynical ploy to garner media attention, and relying on the fact that filing the lawsuit will be covered, but that dismissing it later isn't nearly as exciting.

Why else wait 2 years after the show to file? It's not like the show was top secret - and since the racing is prefilmed, they'd even had had plenty of time to review the cars before the show ever airs.

Dishonest litigation isn't something to be applauded - and it seems to me that's what they're into.

Sounds like an efficient business practice! Have you patented it yet?

I'm not sure which "certain jurisdictions" you refer to, but assuming those countries participate in the European Convention on Human Rights, any such remants are void anyhow.

Note that though blasphemy per se is legal, that doesn't mean it's use is always; e.g. incitement to violence can be a crime and might contain blasphemy.