
Comment Who's responsible for the mis-uses? (Score 1) 300

OK, let me try if I can restate the problem first, then I'll give the question:

So:
1. You want the CA to *sign* a rogue certificate by having it fooled into signing a legitimate, hash-collided one.
2. In order to do that, you must carefully choose the legit certificate and ask the CA to sign, while using the rogue ones for bad things.

Now clearly, when asking the CA to sign, you ought to agree with some of the legal stuff from the CA. The problem I see lies in this scenario:
(a) You use the bad certificate to do bad things that affect me.
(b) I somehow trace it back to the problem of the certificate being rogue/malicious, etc. I further backtrack the CA tree and find the one that signed your legit certificate.
(c) I file a lawsuit, and the CA that signed your cert will then know that its misused signature is for you. Then you'll get into trouble.

SO YOU'RE SHOOTING YOURSELF IN THE FOOT.

You can say that's the way it is, since one of your millions of enemies may have framed you. Well, I think it's many orders of magnitude more difficult finding a hash-collisioned certificate to a random legit one. So I don't think so.

Comment Details of this worm (Score 1) 240

I am more concerned with the technical details of the worm, but have no patience reading the Owning Kraken article. Anyhow, I blogged some of my thoughts here: http://tientadinh.blogspot.com/. In summary, as far as I know, Kraken does not scale as well as Storm, because it relies on the DDNS providers. Plus, how the owner can orchestrate a DDoS attack is not very clear to me.
