HTC sues Apple using Google patents

HTC fired another legal salvo against Apple, but this time it's armed with patents it received from Google, according to Bloomberg.

HTC employed nine patents that originally came from Palm, Motorola, and Openwave Systems, which Google bought within the past year, Bloomberg said, citing U.S. Patent and Trademark Office records. Google transferred the patents to HTC on September 1.

The latest lawsuit marks Google's strongest show of support for its Android partners. Apple has levied multiple lawsuits against Android supporters including HTC, Motorola Mobility, and Samsung Electronics in a bid to halt their momentum in the increasingly cutthroat smartphone market.

HTC filed the lawsuit in the federal district court in Delaware using the patent originally issued to Motorola. It also amended a complaint with the ITC using patents issued to Openwave and Palm.

"HTC will continue to protect its patented inventions against infringement from Apple until such infringement stops. We believe that we have an obligation to protect our business, our industry partners and our customers, who love using our products," Grace Lei, HTC's general counsel, said in an e-mailed statement to CNET.

Apple reiterated its statement from the original lawsuit.
"We think competition is healthy, but competitors should create their own original technology, not steal ours," according to a company representative.

HTC previously filed three rounds of lawsuits and complaints in the courts and ITC, with the last one alleging Apple illegally used HTC's patents related to WiFi capabilities for multiple devices and technology used to combine a phone and personal digital assistant.

Google had initially left many of its partners hanging early on, leaving many to fend for themselves in their own individual suits. But it has more recently taken steps to offer better protection. Last month, it agreed to buy Motorola Mobility for $12.5 billion to get access to its patents, which it said would provide protection for all Android users.

HTC has enjoyed success as an early supporter of Android. The company created the first Android smartphone, the G1, and has seen its profile rise over the past few years. The company was also the first target of an Apple lawsuit related to Android, and is among the most deeply entrenched in the various lawsuits and complaints.

HTC is also seen as the Android partner with the weakest patent portfolio. The company has attempted to shore up its position with various acquisitions, including the purchase of S3 Graphics. S3 holds patents that it claims Apple is infringing upon.

Google's willingness to supply HTC with patents for protection could hint that it may eventually take its own direct action against Apple. So far, the two companies have been fighting through proxies and partners.
"This intervention on Google's part increases the likelihood of direct litigation by Apple against Google," said Florian Muller, a consultant in intellectual property cases and publisher of the Foss Patents blog site. "Apple may hold patents that could affect Google beyond Android."
Openwave, meanwhile, has increasingly become a player in the wireless legal battles. Last week, the company took aim at Apple and Research in Motion, claiming the two companies infringed on its intellectual property in a lawsuit filed in Delaware and a complaint filed with the ITC. Openwave specifically claimed that virtually all of its iOS products infringed on its patents, which related to Web browsing, cloud computing, wireless networking and offline e-mail.

Technology companies have increasingly used the courtroom as a second front in the smartphone and tablet wars. In particular, many have filed complaints with the U.S. International Trade Commission, which typically goes through the review process faster and can potentially bar products from being shipped into the U.S. The ban, however, has never been leveled on a company, since the threat is high enough to spur a resolution.

The potential reward of a licensing agreement, and the slowdown of a competitor, is enough to go through the trouble.

SF police launch probe into iPhone search


SAN FRANCISCO--Police here have begun looking into what role officers played in a search by Apple for a missing unreleased iPhone.

Lt. Troy Dangerfield, of the San Francisco Police Department, told CNET today that an internal investigation has begun into determining how officers assisted two Apple security employees in their July search of a home in the Bernal Heights neighborhood for the handset.

A week ago, CNET reported that members of the SFPD and the two Apple employees showed up to the home of Sergio Calderon and started questioning him. Apple had gone to police for help after an employee lost possession of the handset at a San Francisco tequila bar. Apple told police that it had electronically tracked the phone to the Bernal Heights address where Calderon resides.
Calderon told SF Weekly following CNET's story that when police arrived, he told them he had no knowledge of the phone or its whereabouts. He did, however, acknowledge being at Cava 22 the night the phone went missing. A source close to the investigation said police asked to search the house and told Calderon that if he declined they would return with a search warrant. Calderon then consented.

Dangerfield confirmed that police participated in the search, but according to Dangerfield, the officers never entered Calderon's home. After Calderon agreed to the search, the policemen stepped aside and allowed Apple to go through his house, car, and computer.
SFPD Chief Greg Suhr told the San Francisco Chronicle on Sunday that it isn't uncommon for police to assist private investigators. "The reason we do civil standby is to make sure there isn't a problem," Suhr said, according to the Chronicle. "Whatever conversations the (Apple) employees had with the resident, I can't say."
An Apple spokesman declined to comment.

Reached outside his home on Tuesday, Calderon declined to discuss the specifics of the incident. He told CNET that he's "talking to an attorney," but didn't specify the reasons for the discussions.

Criminal defense attorneys in San Francisco say that some of the allegations are worrisome if true. According to Calderon's statements to SF Weekly, he suggested that "officers" tried to intimidate him and his family into cooperating with the search. They asked whether everyone living in the house was in the United States legally.

Police aren't supposed to try to obtain permission to search a home by putting someone under duress, said Ginny Walia, of Ginny Walia Law Offices.

Calderon also claims that the Apple security personnel entered his home without identifying themselves as Apple employees. He told SF Weekly that he was under the impression that the group on his doorstep were all police officers. He said he would not have allowed the two Apple employees to conduct the search had he known they were not police officers.

John Runfola, a criminal defense attorney in San Francisco, said that police must be transparent about the facts of a search, and that not identifying who was performing the search wouldn't be lawful if proven true. However, both Runfola and Walia said that because the phone was not found and nothing was taken, there might be little recourse for Calderon outside of filing a complaint with the police.

To pursue some kind of civil suit against the police, Calderon would have to show some kind of loss as a result of the search, the lawyers said.
As for SFPD's internal investigation, it is typical in these sorts of inquiries to talk to all the parties involved, Dangerfield said. He said that the department could seek to interview Calderon.

The Net must fight back to regain our trust

Trust is tremendously valuable, but unfortunately supplies are running a bit short on the Internet right now.

We've all heard about Trojan horse malware that poses as software you might want to run, phishing scams that send fake e-mail purporting to be from your bank, and identity thieves who can siphon away your money. But an unpleasant new variety of faith-undermining behavior has shown up twice now in recent months: bogus versions of the digital certificates that enable encrypted communications on the Net.

How does a bogus certificate hit you where it hurts? Think of the Web sites you trust, the ones with the traditional closed-lock icon that signifies a secure connection. Fake certificates, in combination with changes to the way in which data is routed around the Internet, can be used to steal passwords and intercept e-mail from use of those sites.

The problem is that there are hundreds of organizations called certificate authorities (CAs) that issue certificates, and those organizations may be vulnerable to attack. The certificate authority worry is very real: In March, Comodo issued fake certificates after a successful attack, and in August DigiNotar issued 531 fake certificates for Google, Facebook, Twitter, the CIA, and more. Some security experts expect more use of fake certificates, too.

In other words, we're running into a breach of trust not just for Web sites, but for the organizations set up to tell us whether we can trust Web sites.

That's a particularly corrosive type of doubt to have in the back of your mind: it's systemic, with the potential to undermine faith broadly, not just hurt the reputation of one particular site.

The utility of trust
Trust is tremendously useful. It increases the efficiency of transactions, saving time by not requiring every little detail to be verified in advance.

It can be hard to establish trust, though. Here's a case in point from my recent move to France: my bank required a phone bill with my new address to prove that I really had moved, and my phone company required a bank statement with my new address before it would give me a subscription. (The situation was more complicated, to be fair, but that procedural deadlock was one very real aspect.)

Once the trust is established, though, future transactions get easier. For example, my bank now will send me a replacement debit card or an older bank statement with little fuss.
The bank's process is very formal, but I think systems of human interactions naturally incorporate trust more organically. Perhaps it's human nature, in which we evolved to give others the benefit of the doubt to some degree. Perhaps it's that a system with a certain amount of trust is more efficient and spreads more quickly to other people.

The problem is that it's easy to get ahead in the short run if you're willing to abuse trust. The September 11 attacks took advantage of some built-in goodwill in pilot training, aircraft security, and air traffic control. Other examples of abuses: fabricated news stories, fraudulent scientific results, investment funds that are actually Ponzi schemes, and the patron who stiffs the restaurant. If everybody skipped out on paying bills, you can bet that all restaurants would demand payment in advance, but for now, we generally get the flexibility of being able to add dessert and a coffee onto the bill at the end of the meal.
Happily, human systems repair themselves because overall the advantages of trust are pretty high, too. The stock market, airline industry, news media, scientific research community, and restaurant business all have surmounted plenty of trust-based challenges.

Hidden tax on the Net
What worries me about the Internet is that it operates at a massive scale and with greater automation. Even though the overall Net will keep on humming, a large number of individuals could suffer. Consequently, we're seeing a gradual rise in technical countermeasures. That means a tax on the Net's use, one way or another.

Here's one example: I use Google two-factor authentication, and it's a pain. For one thing, I have to have my phone around to provide a verification code when I log into my account from a new browser. Given that I have two phones, two tablets, three computers, and at least a dozen browsers in regular use, that's a lot of work.

Just as inconveniently, two-factor authentication means I have to generate passwords for apps that use Google services--Gmail and Google+ on my Android phones and tablet, Mail on my Mac and iPad, Chrome settings and iTunes-Google sync, and more.
I've thought about ditching two-factor authentication on many occasions, but each time I ponder the risks and leave it on.

Likewise, my bank makes me jump through hoops to sign on--but in today's world I grit my teeth and put up with it. When I sign up for new services, I worry that I'm adding one more potential way that some identity thief or fraudster will find a way into my life.
Browsers, the gateway to the Web, are on the front lines of this battle. There are encouraging signs here that browser makers are getting more serious.

Google has modified Chrome so that for particular domains such as Gmail, it will only use certificates from a short list of certificate authorities it deems solid. That won't stop all abuse, but it was useful enough to flag the DigiNotar problem.
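The pinning check described above, as an added example (not Chrome's code and not part of the original article): a client accepts a pinned host only if its chain contains a key from that host's short list, even when the chain leads to another trusted CA. Host names, CA names and key bytes are constructed, the pin format (SHA-256 over public-key info) is an assumption, and chain validation is simplified to name linking.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo


def pin(cert: Cert) -> str:
    """Base64 SHA-256 of the certificate's public-key info (assumed pin format)."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode("ascii")


# Constructed CAs; both sit in the client's general trust store.
ROOT_A = Cert("Example Root A", "Example Root A", b"constructed-spki-root-a")
ROOT_B = Cert("Example Root B", "Example Root B", b"constructed-spki-root-b")
TRUST_STORE = {pin(ROOT_A), pin(ROOT_B)}

# Short list: mail.example and its subdomains may only chain to Root A.
PINS = {"mail.example": {pin(ROOT_A)}}


def pins_for(host: str):
    """Return the pin set covering host, checking parent domains too."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PINS:
            return PINS[candidate]
    return None


def chain_is_trusted(chain) -> bool:
    """Simplified path check: issuer names link up and the root is trusted.
    Real validation also verifies signatures, validity dates and revocation."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.issuer == root.subject and pin(root) in TRUST_STORE


def evaluate(host: str, chain) -> str:
    """Decide whether to accept a server's chain for host."""
    if not chain_is_trusted(chain):
        return "reject: untrusted chain"
    if chain[0].subject.lower() != host.lower():
        return "reject: name mismatch"
    required = pins_for(host)
    # The pin check runs only for hosts on the short list.
    if required is not None and not any(pin(c) in required for c in chain):
        return "reject: pin mismatch"
    return "accept"


# Constructed chains (leaf first, root last).
GENUINE = [Cert("mail.example", "Example Root A", b"constructed-leaf-1"), ROOT_A]
# Issued by a trusted CA that is not on the short list for mail.example.
MISISSUED = [Cert("mail.example", "Example Root B", b"constructed-leaf-2"), ROOT_B]
# Same CA, but for a host nobody pinned: ordinary validation is all there is.
UNPINNED = [Cert("shop.example", "Example Root B", b"constructed-leaf-3"), ROOT_B]
ROOT_C = Cert("Example Root C", "Example Root C", b"constructed-spki-root-c")
UNKNOWN_CA = [Cert("mail.example", "Example Root C", b"constructed-leaf-4"), ROOT_C]

if __name__ == "__main__":
    for host, chain in [("mail.example", GENUINE), ("mail.example", MISISSUED),
                        ("shop.example", UNPINNED), ("mail.example", UNKNOWN_CA)]:
        print(host, "issued by", chain[0].issuer, "->", evaluate(host, chain))
```

The third case is the "won't stop all abuse" caveat: a mis-issued certificate for a host without pins still passes.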

Browser makers are also making it harder for add-ons to add themselves without user permission, asking difficult questions about balancing new features' utility and risk. More broadly, Google is pushing the use of secure Web connections, not just for Gmail but also for search.

No longer naive
This isn't the first time trust took a hit on the Net, of course, and computing systems continuously evolve away from their early, naive designs. Gone are the days when it was possible to break into servers with the username "guest" and an empty password, as described in Cliff Stoll's 1989 book "The Cuckoo's Egg."

The trouble is that the Internet is increasingly essential to school, business, politics, and our personal lives. The damages of breaches of trust are worse than ever.

It's great that the Net's technologists are responding. But there's no miracle cure here, and malicious hackers are advancing the state of the art at the same time. Governments and armed forces, not just thieves, are getting involved as cyberwar becomes just a facet of ordinary war.
It's a great time to be on the Net, and I'm confident that ultimately it will withstand this current hit to its trustworthiness. But for the time being, I'm keeping the annoying, heavy-duty Google authentication.

Korean trustbusters raid Google offices


The Korean Fair Trade Commission, that country's antitrust agency, raided Google's offices in Seoul today, CNET has learned.

Regulators are apparently interested in information about Google allegedly limiting access to rival search engines on its Android mobile operating system. In April, two Korean Internet companies--NHN, which operates the popular Naver search engine there, and Daum Communications--asked the country's Fair Trade Commission to investigate Google's business practices regarding mobile search.

It's also possible that mobile-device makers, some of which are based in South Korea, may have raised concerns related to restrictions Google places on use of its Android mobile OS.
In a statement, Google defended its Android strategy and said that it intends to comply with Korean regulators.
"We will work with the KFTC to address any questions they may have about our business," the company said in a statement. "Android is an open platform, and carrier and OEM partners are free to decide which applications and services to include on their Android phones. We do not require carriers or manufacturers to include Google Search or Google applications on Android-powered devices."

The Google Seoul office was also the target of a raid in May, when South Korean police investigated suspicions that AdMob, Google's mobile advertising unit, had illegally collected personal location data without permission, according to a Reuters report. At the time, a Korean police official told Reuters that the police suspected Google of collecting personal location information "without consent or approval from the Korean Communication Commission."
Today's raid, though, appears to focus on a different matter. And if the focus is on Android, Korean authorities aren't the only ones looking. In June, Google disclosed that the U.S. Federal Trade Commission had served the company with a civil subpoena. Last month, The Wall Street Journal reported that the agency was targeting Android, looking into concerns about Google preventing mobile device makers that use the operating system from also featuring services from Google competitors.

Yahoo's Bartz out as chief executive


The Carol Bartz era at Yahoo has ended.
Bartz, named Yahoo chief executive in January 2009, is no longer in the job. In a note sent to Yahoo employees this afternoon, Bartz noted that the board fired her.
"I am very sad to tell you that I've just been fired over the phone by Yahoo's chairman of the board," Bartz wrote. "It has been my pleasure to work with all of you and I wish you only the best going forward."

Yahoo said that Chief Financial Officer Tim Morse has been named interim CEO. The news was first reported by AllThingsD.

When Bartz took over the CEO role from co-founder Jerry Yang in January 2009, the company was struggling to become more competitive and profitable. One of her first tasks as CEO was a reorganization of Yahoo in an attempt to make the Internet pioneer faster, simpler, and more responsive to those who use its services. But Yahoo has continued to founder under her leadership, never regaining the ground it lost to Web leader Google.


Rumors that Yahoo's board was secretly considering replacing Bartz had been circulating for months. Yahoo Chairman Roy Bostock declined to address the rumors at the company's annual shareholder meeting in June but did say the board "is very supportive of Carol and the management team." A spokesperson was more adamant, saying at the time, "Rumors suggesting there is or has been any sort of search for a replacement to Carol are categorically untrue."
In a statement this afternoon, Bostock did not disclose the board's reasons for removing Bartz, though he noted the "very challenging macro-economic backdrop" in which she led the company. And he, not surprisingly, was bullish on the company's prospects.
"The board sees enormous growth opportunities on which Yahoo can capitalize, and our primary objective is to leverage the company's leadership and current business assets and platforms to execute against these opportunities," Bostock said. "We have talented teams and tremendous resources behind them and intend to return the company to a path of robust growth and industry-leading innovation. We are committed to exploring and evaluating possibilities and opportunities that will put Yahoo on a trajectory for growth and innovation and deliver value to shareholders."
Bartz spent 14 years as Autodesk's CEO before becoming executive chairman in April 2006. Before Autodesk, she worked at Sun Microsystems, 3M, and Digital Equipment Corp.
Morse, a former General Electric executive, joined Yahoo in June 2009 from chipmaker Altera. Before joining Altera in 2007, Morse spent 15 years at General Electric in a variety of senior management positions, including chief financial officer of GE Plastics. Morse has a bachelor's degree in finance and operations and strategic management from the Boston College Carroll School of Management.

For his part, Morse said in a statement that he intends to work with the board to "invest in the organization and continue to drive its ongoing growth plans."
Yahoo also appointed an Executive Leadership Council that will help Morse manage day-to-day operations until a permanent chief executive is appointed. The group will also oversee "a comprehensive strategic review" to improve growth prospects. That group includes Michael Callahan, executive vice president, general counsel, and secretary; Blake Irving, executive vice president and chief product officer; Ross Levinsohn, executive vice president, Americas; Rich Riley, senior vice president, EMEA Region; and Rose Tsou, senior vice president, APAC Region.
Bartz joined the embattled company after a rough year that saw Microsoft launch an unsolicited bid for the company but later walk away after a $33-a-share offer was rejected by Yahoo. The stock has lost more than half its value since then, never recovering to the price Microsoft offered.

The search pioneer was also the target of a proxy fight by shareholder activist Carl Icahn, who eventually joined Yahoo's board as part of a settlement with the company. He stepped down from the company's board in October 2009, and unloaded much of his Yahoo stake the following February.

Yahoo also tried to boost its revenue with an advertising search partnership with Google. But the search giant walked away from the deal when the U.S. Department of Justice notified the companies it would challenge such an arrangement under antitrust grounds. Shortly after the Google deal collapsed, Yang announced he would step down as CEO as soon as a replacement was found.

Her departure was hailed by at least one former Yahoo executive, Brad Garlinghouse. In 2006, he wrote the widely circulated Peanut Butter Manifesto, complaining that Yahoo was spreading itself too thin, not focusing on important strategy. Upon the news of Bartz's departure, Garlinghouse, now president of applications and commerce at AOL as well as the West Coast lead for its venture capital arm, tweeted: "ding dong the witch is dead."
The news of Bartz's firing came after the stock market closed. But the company's stock climbed in after-hours trading by 90 cents, or 6.97 percent, to $13.80.

Smartphones Unlocked: How cell phones get their names (column)

Welcome to Smartphones Unlocked, my new monthly column designed to explain the ins and outs of smartphones to help you better understand how they work. The world of smartphones is fast-paced, and it can sometimes be confusing and difficult to keep track of all the new technology in these devices, particularly if you're new to them. If there are any topics you'd like to see covered here, please feel free to e-mail me at bonnie.cha@cnet.com.

Last month, my colleague Jessica Dolcourt wrote a great two-part series on how cell phones are born, along with some behind-the-scenes confessions from the handset designers. The articles provided a great insider's look at the cell phone design business, but there's another part that's always intrigued me: how do cell phones and smartphones get their names?
In my seven years of reviewing phones, I've come across some great names and some that have come from the department of "What were they thinking?" Samsung has had its fair share of both, so for this month's column, I reached out to the handset manufacturer to shed some light on the subject. What follows is a Q&A session with Paul Golden, vice president of strategic marketing for Samsung Telecommunications America (Samsung Mobile).

Golden, whose responsibilities include coming up with brand and marketing strategy for new product launches, advertising, media, consumer and in-store promotions, walked me through how the company names its cell phones and smartphones. As I've learned since starting this column, the process is much more involved than I thought, so read on to see what's in a (cell phone) name.

Question: When do you begin the process of coming up with a name for a phone? Is it during the development process? Once a phone is complete? Somewhere in between?
Golden: As you might imagine, the product naming process and protocol is not the same for every phone Samsung manufactures. I can tell you that on average, the product naming process takes about five to seven weeks to complete, starting with the initial idea brainstorm and reaching completion once our team and our respective carrier partner for that device give their final approval.



How do you come up with them? What influences the decision?
Golden: We develop a positioning statement for each product that articulates the consumer benefit and key support features. The positioning statement will act as a guideline to define the best product name.

How difficult is it coming up with a name? What challenges are there?
Golden: It is definitely a challenge to match the right name with the right product. First, we have to make sure that the product name is not already taken by a competitor or a very similar version of that product name. It can also be difficult to find a product name that has a balance between being memorable and descriptive, while also being relevant, quickly understood, and recognizable to consumers.

How long does the process take? What are the different stages and who gives the final approval?
Golden: There are typically six stages that a product will go through over a five- to seven-week period before its final name is selected and confirmed. The first phase is creative development where hundreds of names are provided from an extended brainstorm period. In the second phase, we take those potential product names to a legal pre-screen to determine possible conflicts with current or future products from our competitors and make significant cuts to the initial list.
The third stage involves taking a list of about 10 to 20 leading product name candidates to our carrier partners to get their impressions. The fourth stage moves those 10 to 20 product names into a full legal search for any conflicts or potential liabilities and risks. From there, the list is whittled down to the fifth phase, which is an even shorter list of product names that are submitted to our legal team to ensure the remaining options are defensible and legally protected.

In the sixth and final phase, one product name emerges as the selected go-to market name, complete with the legal research findings and all of that information shared with the carrier for confirmation.

Do you have a team or is there a dedicated person whose job it is to come up with names?
Golden: Samsung does have a dedicated individual whose chief responsibility is to manage the product name process through the six phases, including the feedback from our legal team and the product naming/branding counterparts at each carrier Samsung works with. It's important to note that iconic devices, such as the Galaxy S, receive more product naming attention and research and go through a more in-depth approval process with our senior executives.
Are focus groups ever involved?

Golden: Focus groups are generally not used, but we do conduct market testing research with consumers to help identify which product attributes and features would likely resonate the strongest when people are shopping for a new phone. Our ultimate goals in naming a product are driving Samsung's business and building an emotional and loyal connection with consumers.



What part do the carriers play in the naming process?
Golden: Some carriers do own product names that evolve into specific brands across multiple manufacturers, such as Verizon and its Droid brand. But more often than not, Samsung conducts the product naming process for our phones and accessories and owns the intellectual rights to that product name and potential future generations of products that share all or part of an older product name.

How much influence do the OEMs have? Can you tell the carrier that you want a phone to keep its original name/branding (e.g., Samsung Galaxy S II) or if you don't agree with a name, can you push back?
Golden: Naming a product is definitely a collaborative process between Samsung and our carrier partners. Let's face it, if the carrier is a big fan of a product name that we choose to bring to market, the better our overall synergy will be with the carrier in marketing, launching and promoting the product both in advance and after retail availability begins.
How different is the naming process for the U.S. and other parts of the world? When do you change the name of the same phone for different countries?

Golden: Many of the phones that we sell in the U.S. are unique to the U.S. market. In those cases the names will also be unique. For global devices, our preference is to use common naming as much as possible in order to leverage global media. In today's media world, there are no real borders so consumers get exposed to online and social media that we do globally as well as in the U.S. The more consistent we can be in our naming globally, the better. In some cases, we may have different strategies for product branding in the U.S. than other parts of the globe.
Does Samsung check a proposed name to see what cultural or religious meanings it has in other countries or societies?

Golden: Being a global company, Samsung and our legal counsel are very sensitive and careful to avoid introducing product names that could offend consumers here in the U.S. as well as other parts of the world. That is one of the reasons that our product naming process goes through multiple waves of legal reviews. Our legal agency checks names against other languages (always Korean) to ensure there are no potential hidden meanings. The Samsung HQ intellectual property team also will ask the meaning of a name if it is a coined name, such as APTOS, which combines apt and operating system.

What are some of the legal issues you have to deal with when coming up with names?
Golden: Aside from the obvious problems associated with launching a product name that is the same as a competitor, we also have to be aware of product names that could unintentionally mislead consumers into thinking that our phone or tablet has a specific feature or capability that it does not actually possess. Also, the mobile phone product industry is growing with more manufacturers and products every day. More products in the telecom industry creates a smaller number of original product names for Samsung and our competitors to choose from.
Once you come up with a unique name, is that exclusive to Samsung? Do you own it or can other companies use them?

Golden: Once a product name is registered as Samsung's intellectual property, our rights typically extend to exclusivity among the consumer technology industry. However, other consumer product industries, from cars to food or airlines all have the ability to use a name of one of our products, as long as their legal counsel can prove there is minimal to no chance that a consumer will confuse our product with the product from a completely unrelated industry.
Why do you use the model number for some devices?
Golden: We still use numbers on some entry-level feature phones where consumers are looking more for economy and basic functionality.



Any names that have been favorites among customers, as well as within Samsung? Least favorite?
Golden: The Samsung BlackJack and its successors, the BlackJack II and the Jack, both seemed to resonate with consumers. More recently, our Galaxy S and Galaxy Tab portfolio of products have been very successful in branding Samsung as a provider of premium, durable, and powerful smartphones and mobile tablets. Out of fairness to our naming team and to keep me out of trouble, I should probably plead the Fifth on the least favorite product name.
Any fun brainstorming sessions or war stories you'd like to share?
Golden: Again, probably in my best interest to keep quiet on that question to keep myself out of trouble.

Finally, I have to ask about the Samsung :) (Smiley) and Messager. The use of an emoticon is novel, but got a bit of ribbing in the press. And Messager isn't technically a word. Can you share how these two names came about and provide some thoughts on some of the criticism?
Golden: For Smiley, I can confirm that T-Mobile owned the rights to that product name, so their marketing team would be the best place to start. In this case, the carrier had a very strong interest in the name.

On the Messager, you are correct that it's not a proper word in the technical sense, but Messager did a great job of conveying its primary use case in a very straightforward way. The Messager had a slide-out full QWERTY keyboard and was marketed to teenage/young adults as a phone that was great for text messaging.

Dutch firm linked to many more fraudulent Net certificates




The number of fraudulent security certificates issued by a hacked Dutch firm has ballooned from the 247 reported last week to 531, and the main purpose of the attack appears to have been to spy on Iranian dissidents.

The list of domains for which fraudulent Secure Sockets Layer (SSL) certificates were issued by DigiNotar, a root certificate authority, now includes sites such as the CIA, MI6, Facebook, Microsoft, Skype, Twitter, and WordPress, among others, according to a list released this weekend by the Dutch Ministry of Justice. In the wake of the new revelations, the Dutch government has reportedly expressed a lack of confidence in the Netherlands-based company and taken control of it.

DigiNotar representatives did not respond to a request for comment.
The intrusion was revealed late last month when Google said Gmail users in Iran were at risk of having their log-in credentials stolen after someone broke into DigiNotar to steal the digital equivalent of an identification card for Google.com. The problem first surfaced on a Google support site on August 28. However, DigiNotar only acknowledged last week that it had detected an intrusion into its Certificate Authority infrastructure on July 19.
During the intrusion, someone issued fraudulent certificate requests "for a number of domains," but DigiNotar said earlier--when the list of affected domains was smaller--that it had revoked them. A fraudulent certificate allows someone to impersonate the secure versions of those Web sites--the ones that are used when encrypted connections are enabled--in some circumstances.
The Gmail incident affected mostly Iranian users, and it now appears the certificates might have been issued for the purpose of spying on Iranian dissidents, perhaps by the Iranian government. The Tor Project's Jacob Appelbaum, who published the list of affected domains, notes that one domain certificate on the list is "a calling card from a Farsi speaker," the language spoken by most Iranians:

RamzShekaneBozorg.com is a bogus address, and Appelbaum reported that "RamzShekaneBozorg" translates from Farsi to "great cracker," while "Hameyeh Ramzaro Mishkanam" translates to "I will crack all encryption" and "Sare Toro Ham Mishkanam" translates to "i hate/break your head."
Ot van Daalen, director of Bits of Freedom, a Dutch group that defends digital privacy rights, said the hacking put Iranian dissidents "at grave risk."

"It's horrible to say, but it's entirely possible that the hacking attack has endangered lives in Iran," Van Daalen told Radio Netherlands Worldwide. "There is a real chance that the Iranian authorities have used these certificates to eavesdrop on users. And it can't be ruled out they will continue doing so with other certificates."

Appelbaum, who noted that DigiNotar's audit trail is incomplete, said the list includes certificate authority (CA) roots that should probably never be trusted again.
"The most egregious certs issued were for *.*.com and *.*.org while certificates for Windows Update and certificates for other hosts are of limited harm by comparison," Appelbaum wrote in a Tor Project post. "The attackers also issued certificates in the names of other certificate authorities such as 'VeriSign Root CA' and 'Thawte Root CA' as we witnessed with ComodoGate, although we cannot determine whether they succeeded in creating any intermediate CA certs."

The latest versions of Internet Explorer, Chrome, and Firefox have revoked trust in DigiNotar certificates, and users will see warnings if they visit Web sites that use that root authority's certificates.

This is the second time this year that the Iranian government has been linked to attempts to obtain fraudulent certificates to impersonate major Web sites. Comodo, a Jersey City, N.J.-based firm that issues digital certificates, said in March that nine certificates were fraudulently obtained. The Internet Protocol addresses used in the attack were in Tehran, Iran, said Comodo, which said that because of the focus and speed of the attack, it was "state-driven."

Kaspersky Lab's Roel Schouwenberg wrote in a blog post that the DigiNotar attack may prove to be more of a watershed moment than Stuxnet, a worm discovered last year that is widely believed to have been designed to sabotage a uranium enrichment facility in Iran.

"The attack on DigiNotar doesn't rival Stuxnet in terms of sophistication or coordination," Schouwenberg wrote. "However, the consequences of the attack on DigiNotar will far outweigh those of Stuxnet. The attack on DigiNotar will put cyberwar on or near the top of the political agenda of Western governments."