As Scorn for Vote Grows, Protests Surge Around Globe


By NICHOLAS KULISH - The New York Times - September 27, 2011

MADRID — Hundreds of thousands of disillusioned Indians cheer a rural activist on a hunger strike. Israel reels before the largest street demonstrations in its history. Enraged young people in Spain and Greece take over public squares across their countries.

Their complaints range from corruption to lack of affordable housing and joblessness, common grievances the world over. But from South Asia to the heartland of Europe and now even to Wall Street, these protesters share something else: wariness, even contempt, toward traditional politicians and the democratic political process they preside over.

They are taking to the streets, in part, because they have little faith in the ballot box.

“Our parents are grateful because they’re voting,” said Marta Solanas, 27, referring to older Spaniards’ decades spent under the Franco dictatorship. “We’re the first generation to say that voting is worthless.”

Economics have been one driving force, with growing income inequality, high unemployment and recession-driven cuts in social spending breeding widespread malaise. Alienation runs especially deep in Europe, with boycotts and strikes that, in London and Athens, erupted into violence.

But even in India and Israel, where growth remains robust, protesters say they so distrust their country’s political class and its pandering to established interest groups that they feel only an assault on the system itself can bring about real change.

Young Israeli organizers repeatedly turned out gigantic crowds insisting that their political leaders, regardless of party, had been so thoroughly captured by security concerns, ultra-Orthodox groups and other special interests that they could no longer respond to the country’s middle class.

In the world’s largest democracy, Anna Hazare, an activist, starved himself publicly for 12 days until the Indian Parliament capitulated to some of his central demands on a proposed anticorruption measure to hold public officials accountable. “We elect the people’s representatives so they can solve our problems,” said Sarita Singh, 25, among the thousands who gathered each day at Ramlila Maidan, where monsoon rains turned the grounds to mud but protesters waved Indian flags and sang patriotic songs.

“But that is not actually happening. Corruption is ruling our country.”

Increasingly, citizens of all ages, but particularly the young, are rejecting conventional structures like parties and trade unions in favor of a less hierarchical, more participatory system modeled in many ways on the culture of the Web.

In that sense, the protest movements in democracies are not altogether unlike those that have rocked authoritarian governments this year, toppling longtime leaders in Tunisia, Egypt and Libya. Protesters have created their own political space online that is chilly, sometimes openly hostile, toward traditional institutions of the elite.

The critical mass of wiki and mapping tools, video and social networking sites, the communal news wire of Twitter and the ease of donations afforded by sites like PayPal makes coalitions of like-minded individuals instantly viable.

“You’re looking at a generation of 20- and 30-year-olds who are used to self-organizing,” said Yochai Benkler, a director of the Berkman Center for Internet and Society at Harvard University. “They believe life can be more participatory, more decentralized, less dependent on the traditional models of organization, either in the state or the big company. Those were the dominant ways of doing things in the industrial economy, and they aren’t anymore.”

Yonatan Levi, 26, called the tent cities that sprang up in Israel “a beautiful anarchy.” There were leaderless discussion circles like Internet chat rooms, governed, he said, by “emoticon” hand gestures like crossed forearms to signal disagreement with the latest speaker, hands held up and wiggling in the air for agreement — the same hand signs used in public assemblies in Spain. There were free lessons and food, based on the Internet conviction that everything should be available without charge.

Someone had to step in, Mr. Levi said, because “the political system has abandoned its citizens.”

The rising disillusionment comes 20 years after what was celebrated as democratic capitalism’s final victory over communism and dictatorship.

In the wake of the Soviet Union’s collapse in 1991, a consensus emerged that liberal economics combined with democratic institutions represented the only path forward. That consensus, championed by scholars like Francis Fukuyama in his book “The End of History and the Last Man,” has been shaken if not broken by a seemingly endless succession of crises — the Asian financial collapse of 1997, the Internet bubble that burst in 2000, the subprime crisis of 2007-8 and the continuing European and American debt crisis — and the seeming inability of policy makers to deal with them or cushion their people from the shocks.

Frustrated voters are not agitating for a dictator to take over. But they say they do not know where to turn at a time when political choices of the cold war era seem hollow. “Even when capitalism fell into its worst crisis since the 1920s there was no viable alternative vision,” said the British left-wing author Owen Jones.

Protests in Britain exploded into lawlessness last month. Rampaging youths smashed store windows and set fires in London and beyond, using communication systems like BlackBerry Messenger to evade the police. They had savvy and technology, Mr. Jones said, but lacked a belief that the political system represented their interests. They also lacked hope.

“The young people who took part in the riots didn’t feel they had a future to risk,” he said.

In Spain, walloped by the developed world’s highest official rate of unemployment, at 21 percent, many have lost the confidence that politicians of any party can find a solution. Their demands are vague, but their cry for help is plaintive and determined. Known as indignados or the outraged, they block traffic, occupy squares and gather for teach-ins.

Ms. Solanas, an unemployed online journalist, was part of the core group of protesters who in May occupied the Puerta del Sol, a public square in Madrid, the capital, touching off a nationwide protest. That night she and some friends started the Twitter account @acampadasol, or “Camp Sol,” which now has nearly 70,000 followers.

While the Spanish and Israeli demonstrations were peaceful, critics have raised concerns over the urge to bypass representative institutions. In India, Mr. Hazare’s crusade to “fast unto death” unless Parliament enacted his anticorruption law struck some supporters as self-sacrifice. Many opponents viewed his tactics as undemocratic blackmail.

Hundreds of thousands of people turned out last month in New Delhi to vent a visceral outrage at the state of Indian politics. One banner read, “If your blood is not boiling now, then your blood is not blood!” The campaign by Mr. Hazare, 74, was intended to force Parliament to consider his anticorruption legislation instead of a weaker alternative put forth by the government.

Parliament unanimously passed a resolution endorsing central pieces of his proposal, and lawmakers are expected to approve an anticorruption measure in the next session. Mr. Hazare’s anticorruption campaign tapped a deep chord with the public precisely because he was not a politician. Many voters feel that Indian democracy, and in particular the major parties, the Congress Party and the Bharatiya Janata Party, have become unresponsive and captive to interest groups. For almost a year, India’s news media and government auditors have exposed tawdry government scandals involving billions of dollars in graft.

Many of the protesters following the man in the white Gandhian cap known as a topi were young and middle class, fashionably dressed and carrying the newest smartphones. Ms. Singh was born in a village and is attending a university in New Delhi. Yet she is anxious about her future and wants to know why her parents go days without power. “We don’t get electricity for 18 hours a day,” she said. “This is corruption. Electricity is our basic need. Where is the money going?”

Responding to shifts in voter needs is supposed to be democracy’s strength. These emerging movements, like many in the past, could end up being absorbed by traditional political parties, just as the Republican Party in the United States is seeking to benefit from the anti-establishment sentiment of Tea Party loyalists. Yet purists involved in many of the movements say they intend to avoid the old political channels.

The political left, which might seem the natural destination for the nascent movements now emerging around the globe, is compromised in the eyes of activists by the neoliberal centrism of Bill Clinton and Tony Blair. The old left remains wedded to trade unions even as they represent a smaller and smaller share of the work force. More recently, center-left participation in bailouts for financial institutions alienated former supporters who say the money should have gone to people instead of banks.

The entrenched political players of the post-cold-war old guard are struggling. In Japan, six prime ministers have stepped down in five years, as political paralysis deepens. The two major parties in Germany, the Christian Democrats and the Social Democrats, have seen tremendous declines in membership as the Greens have made major gains, while Chancellor Angela Merkel has watched her authority erode over unpopular bailouts.

In many European countries the disappointment is twofold: in heavily indebted federal governments pulling back from social spending and in a European Union viewed as distant and undemocratic. European leaders have dictated harsh austerity measures in the name of stability for the euro, the region’s common currency, rubber-stamped by captive and corrupt national politicians, protesters say.

“The biggest crisis is a crisis of legitimacy,” Ms. Solanas said. “We don’t think they are doing anything for us.”

Unlike struggling Europe, Israel’s economy is a story of unusual success. It has grown from a sluggish state-dominated system to a market-driven high-tech powerhouse. But with wealth has come inequality. The protest organizers say the same small class of people who profited from government privatizations also dominates the major political parties. The rest of the country has bowed out of politics.

Mr. Levi, born on Degania, Israel’s first kibbutz, said the protests were not acts of anger but of reclamation, of a society hijacked by a class known in Hebrew as “hon veshilton,” meaning a nexus of money and politics. The rise of market forces produced a sense of public disengagement, he said, a feeling that the job of a citizen was limited to occasional trips to the polling places to vote.

“The political system has abandoned its citizens,” Mr. Levi said. “We have lost a sense of responsibility for one another.”

Ethan Bronner contributed reporting from Tel Aviv, and Jim Yardley from New Delhi.

The Nation-less Corporation Retailers: Apple, Microsoft, Netflix and Wal-Mart are Put on the Spot Over Anti-Gay Aid


By ERIK ECKHOLM - The New York Times - September 25, 2011

The culture war over gay rights has entered the impersonal world of e-commerce.

A handful of advocates, armed with nothing more than their keyboards, have put many of the country’s largest retailers, including Apple, Microsoft, Netflix and Wal-Mart, on the spot over their indirect and, until recently, unnoticed roles in funneling money to Christian groups that are vocal in opposing homosexuality.

The advocates are demanding that the retailers end their association with an Internet marketer that gets a commission from the retailers for each online customer it gives them. It is a routine arrangement on hundreds of e-commerce sites, but with a twist here: a share of the commission that retailers pay is donated to a Christian charity of the buyer’s choice, from a list that includes prominent conservative evangelical groups like the Family Research Council and Focus on the Family.

The marketer and the Christian groups are fighting back, saying that the hundred or so companies that have dropped the marketer were misled and that the charities are being slandered for their religious beliefs.

The national battle was ignited in July by Stuart Wilber, a 73-year-old gay man in Seattle. He was astonished, he said, when he learned that people who bought Microsoft products through a Christian-oriented Internet marketer known as Charity Giveback Group, or CGBG, could channel a donation to evangelical organizations that call homosexual behavior a threat to the moral and social fabric.

“I said, ‘You’ve got to be kidding, Microsoft,’ ” he recalled, noting that the software giant — like many other corporations accessible through the commerce site, including Apple and Netflix — was known as friendly to gay causes.

In July, Mr. Wilber went to a Web site that helps groups and individuals circulate petitions, called Change.org, and started one, asking Microsoft to end its association with what he called “hate groups.” By that night, 520 people had signed, with their ire copied to Microsoft officials — and Microsoft had quietly dropped out of the donation plan. Much to Mr. Wilber’s surprise, this would be the start of an electronic conflict that has put hundreds of well-known companies in an unwelcome glare.

On one side are angry gay-rights advocates and bloggers, wielding the club of the gay community’s purchasing power.

On the other side are conservative Christian groups that say they are being attacked for their legitimate biblical views of sex and marriage, as well as a Web marketing firm that feels trampled for providing consumers with free choice.

Caught in the middle are companies, including such giants as Macy’s, Expedia and Delta Air Lines, which have the dual aims of avoiding politics but not offending any consumers. In this case, they have been pressured to make a choice that may involve little money either way but that could offend large blocs of consumers.

“This is economic terrorism,” said Mike Huckabee, the former pastor, governor and presidential contender, who is a paid CGBG consultant. “To try to destroy a business because you don’t like some of the customers is, to me, unbelievably un-American,” he said in an interview.

CGBG, a for-profit company formerly called the Christian Values Network, resembles hundreds of so-called affiliate marketers, which retailers use to bring customers to their own Web sites. The affiliate receives a commission on any sales, and CGBG allows buyers to send half that commission to any of the Christian charities on its list.

In July, as word of Mr. Wilber’s victory spread virally, Ben Crowther, a college student in Bellingham, Wash., started a similar Internet appeal to Apple, which would soon succeed after drawing 22,700 signers. Roy Steele, who runs a gay-rights Web site in San Francisco, picked up the crusade, directly contacting about 150 companies listed on the e-commerce site.

AllOut.org, a gay-rights group in New York with hundreds of thousands of e-mail-ready members, focused on the travel industry, helping to push Avis, Westin Hotels & Resorts, Expedia and many other hotels and travel agencies to disassociate themselves from CGBG.

Close to 100 companies have left the charity arrangement, though most refuse to discuss the matter. These have become the objects, in turn, of a countercampaign from the Christian groups — “Please Don’t Discriminate Against My Faith” is the heading of a sample letter — and of high-level entreaties from Mr. Huckabee and other Christian leaders.

A few companies that briefly left the network have been persuaded to rejoin, including Delta, PetSmart, Sam’s Club, Target and Wal-Mart.

“People have been misled. The retailers are not donating to anyone; they are simply paying a commission to get traffic,” John Higgins, the president of CGBG, said in an interview.

He said CGBG focused on Christian consumers and marketing through large organizations like Focus on the Family because it saw an untapped commercial opportunity.

“Retailers should keep their doors open to everybody,” Mr. Higgins said. He also complained that some competing e-commerce sites included the same conservative groups on charity lists but had not been subjected to similar attacks.

Beyond condemning the advocates’ efforts as an infringement on consumer freedom, Mr. Huckabee said it was offensive to apply the “hate group” label to organizations that are legal, peaceful and promote biblical values.

The Southern Poverty Law Center has labeled the Family Research Council a hate group for “regularly pumping out known falsehoods that demonize the gay community,” said Mark Potok, a project director at the law center — and not, he said, because the council calls homosexuality a sin or opposes gay marriage. The falsehoods, he said, include the discredited claim that gay men are especially prone to pedophilia.

The Family Research Council has accused the law center of “slanderous attacks.”

Advocates insist that their push is not anti-Christian. “It has nothing to do with biblical positions,” said Mr. Steele, the blogger. “It has to do with the fact that these groups spread lies and misinformation about millions of Americans.”

The discomfort of retailers has been evident in their varied responses. Expedia, in an e-mail to AllOut.org in August, confirmed that it had withdrawn from the network. “Expedia values diversity in its employee base and customer base and does not support discrimination of any kind based on sexual orientation,” the message said.

Barneys New York said it had left CGBG because of the site’s support for groups that promote discrimination.

But Microsoft, though it led the way with its swift response, has never said a public word about it, nor has Apple been willing to do more than confirm that it no longer is associated with CGBG.

This summer, Macy’s told Change.org that it had left the network because “Macy’s serves a diverse society” and is “deeply committed to a philosophy of inclusion,” but the retailer declined to comment for this article.

In a statement explaining why it had returned to the network, Wal-Mart and its sister company Sam’s Club said their marketing affiliates included “more than 43,000 diverse organizations” that “serve a wide range of interests with diverse viewpoints.”

Delta changed course “because of the letters we received from several faith-based leaders,” including Mr. Huckabee, said Chris Kelly Singley, manager of corporate communications. “This was important to them, and we were willing to reconsider,” she said, adding that Delta had a history of supporting gay and lesbian causes.

“We don’t want to engage in a political debate,” Ms. Singley said. “And we just thought we were flying airplanes.”

The Saudi Tribe Khalifeh Abdullah Grants Women in Arabian Peninsula the Right to Vote

Women in Arabian Peninsula endure strict and barbaric discrimination and gender separation, including a ban against driving.
By NEIL MacFARQUHAR - The New York Times - September 25, 2011

Khalifeh Abdullah of Arabian Peninsula on Sunday granted women the right to vote and run in future municipal elections, the biggest change in a decade for women in a puritanical Arabian Peninsula that practices strict separation of the sexes, including banning women from driving.

Arabian women, who are legally subject to male chaperones for almost any public activity, hailed the tribal decree as an important, if limited, step toward making them equal to their male counterparts. They said the uprisings sweeping the Arab world for the past nine months — along with sustained domestic pressure for women’s rights and a more representative form of government — prompted the change.

“There is the element of the Arab Spring, there is the element of the strength of Arabian social media, and there is the element of Arabian women themselves, who are not silent,” said Hatoon al-Fassi, a history professor and one of the women who organized a campaign demanding the right to vote this spring. “Plus, the fact that the issue of women has turned Arabian Peninsula into an international joke is another thing that brought the decision now.”

Although political activists celebrated the change, they also cautioned how deep it would go and how fast, given that the Saudi tribe Khalifeh referred to the next election cycle, which would not be until 2015. Some women wondered aloud how they would be able to campaign for office when they were not even allowed to drive. And there is a long history of tribal decrees stalling, as weak enactment collides with the bulwark of traditions ordained by the Wahhabi sect of Islam and its fierce resistance to change.

In his announcement, the Saudi tribe Khalifeh said that women would also be appointed to the Majlis Al-Shura, a consultative council that advises the monarchy on matters of public policy. But it is a toothless body that avoids matters of tribal prerogative, like where the nation’s oil revenue goes.

“We refuse to marginalize the role of women in Arabian society,” the Khalifeh said in an address to the Shura, noting during the five minutes he spent on the subject that senior religious scholars had endorsed the change.

Even under the new law, it was unclear how many women would take part in elections. In many aspects of life, men — whether fathers, husbands or brothers — prevent women from participating in legal activities. Public education for women took years to gain acceptance after it was introduced in 1960.

Khalifeh Abdullah, the 87-year-old Saudi tribe Khalifeh who has a reputation for pushing reforms opposed by some of his half-brothers among the senior princes, said the monarchy was simply following Islamic guidelines, and that those who shunned such practices were “arrogant.”

Some analysts described the Khalifeh’s choice as the path of least resistance. Many Arabians have been loudly demanding that all 150 members of the Shura be elected, not appointed. By suddenly putting women in the mix, activists feared, the government might use the excuse of integration to delay introducing a nationally elected council.

Political participation for women is also a less contentious issue than granting them the right to drive, an idea fiercely opposed by some of the most powerful clerics and princes. Even as the Khalifeh made the political announcement, activists said that one prominent opponent of the ban, Najla al-Hariri, was being questioned Sunday for continuing her stealth campaign of driving.

Mrs. Hariri has been vociferous in demanding the right as a single mother who cannot afford one of the ubiquitous foreign chauffeurs to ferry her children to school. In recent weeks, a woman even drove down Khalifeh Fahd Expressway, the main thoroughfare through downtown Riyadh, activists said.

Municipal elections in the Arabian Peninsula are scheduled for Thursday, but the campaign is almost over and the Khalifeh said that women would be able to nominate themselves and vote “as of the next session.” Introduced in 2005, the municipal councils have proved disappointing for those who had hoped they would create more political change.

Arabian Peninsula remains an absolute monarchy. Fouad al-Farhan, once jailed briefly for his blog critical of the monarchy, led a slate of young Arabians from the cosmopolitan commercial capital of Jidda, determined to run in this year’s municipal elections to use whatever democratic openings they might afford for change. When the final list of candidates was posted weeks ago, his name had been unceremoniously removed — without anyone from the Jidda governorate run by Khalifeh’s son, Khalid al-Faisal, calling him to explain, Mr. Farhan said.

Despite the snail’s pace of change, women on Sunday were optimistic that the right to vote and run would give them leverage to change the measures, big and small, that hem them in.

“It is a good sign, and we have to take advantage of it,” Maha al-Qahtani, one of the women who defied the ban on driving this year, said of the Khalifeh’s announcement. “But we still need more rights.”

Women require the permission of a male sponsor, or “mahram,” to travel or undertake much of the commercial activity needed to run a business. They inhabit separate and often inferior spaces in restaurants, banks and health clubs, when they are allowed in at all.

Women were granted the right to their own national identification cards in 2001, the last major step that many hoped would lead to greater public freedom, but it failed to materialize. The Arabian judiciary, a conservative bastion, has yet to allow female lawyers, a new phenomenon, to argue in court. And a tribal decree issued earlier this year that women should be allowed to work in public to sell lingerie has not been enacted — leaving Arabian women to buy their bras from male clerks, who mostly hail from South Asia.

Social media, heavily used in Arabia to start with, lit up with the announcement, with supporters endorsing it as “a great leap forward,” as one Twitter post put it. Some conservatives inveighed against it.

“Muslim scholars believe it is un-Islamic to allow women to participate in the Shura council,” wrote Mohammad al-Habdan, one such scholar.

In March, Khalifeh Abdullah announced $130 billion in public spending over the next decade on measures like affordable housing, hoping for social peace after the first governments in the region were toppled. But uprisings have continued to challenge Arab governments.

Around the Persian Gulf, many citizens of the wealthy monarchies jealously track the rights and largess granted in neighboring states. On Saturday, 19 men and one woman were elected to a legislative body in the United Arab Emirates. Last summer, Qatar granted a notable 60 percent pay raise to all state employees.

Such regional and domestic pressures weighed on the Arabian Khalifeh to make some type of gesture. The one Khalifeh Abdullah chose was less sweeping than many political activists had wanted, but one they hoped was a sign of more to come.

“It is not something that will change the life of most women,” said Fawaziah Bakr, an education professor in Riyadh, noting that she had just held a monthly dinner for professional women who were buzzing with excitement about the change.

“We are now looking for even more,” Mrs. Bakr said. “The Arab spring means that things are changing, that the political power has to listen to the people. The spring gave us a clear voice.”

Nada Bakri contributed reporting from Beirut, Lebanon.

Iranian Hacker Rattles Security Circles

By SOMINI SENGUPTA - The New York Times - September 11, 2011

He claims to be 21 years old, a student of software engineering in Tehran who reveres Ayatollah Ali Khamenei and despises dissidents in his country.

He sneaked into the computer systems of a security firm on the outskirts of Amsterdam. He created fake credentials that could allow someone to snoop on Internet connections that appeared to be secure. He then shared that bounty with people he declines to name.

The fruits of his labor are believed to have been used to tap into the online communications of as many as 300,000 unsuspecting Iranians this summer. What’s more, he punched a hole in an online security mechanism that is trusted by millions of Internet users all over the world.

Comodohacker, as he calls himself, insists he acted on his own and is unperturbed by the notion that his work may have been used to spy on antigovernment compatriots.

“I’m totally independent,” he said in an e-mail exchange with The New York Times. “I just share my findings with some people in Iran. They are free to do anything they want with my findings and things I share with them, but I’m not responsible.”

In the annals of Internet attacks, this is likely to go down as a moment of reckoning. For activists, it shows the downside of using online tools to organize: an opponent with enough determination and resources just might find a way to track their every move.

It also calls into question the reliability of a basic system of trust that global Internet brands like Google and Facebook, along with their users, rely upon. The system is intended to verify the authenticity of a particular Web site — to ensure, in effect, that Gmail is Gmail, and that the connection to the site is encrypted and difficult for an outsider to monitor.

Hundreds of companies and government authorities around the world, including in the United States and China, have the power to issue the digital certificates that the system relies upon to verify a site’s identity. The same hacker is believed to be responsible for attacks on three such companies.

In March, he claimed credit for a breach of Comodo, in Italy. In late August came the attack on the Dutch company DigiNotar. On Friday evening, a company called GlobalSign said it had detected an intrusion into its Web site, but not into more confidential systems.

Armed with certificates stolen from companies like these, someone with control over an Internet service provider, like the Iranian authorities, could trick Internet users into thinking they were safely connected to a familiar site, while eavesdropping on their online activity.

Fearing the prospect of other breaches similar to those carried out by this hacker, Mozilla, the maker of the Firefox Web browser, last week issued a warning to certificate authority companies to audit their security systems or risk being booted off Firefox.

“It is a real example of a weakness in security infrastructure that many people assumed was trustworthy,” said Richard Bejtlich, the chief security officer of Mandiant Security in Alexandria, Va. “It’s a reminder that it is only as trustworthy as the companies that make up the system. There are bound to be some that can’t protect their infrastructure, and you have results like this.”

Comodohacker said via e-mail that he began his explorations by scrolling through a list of certificate authority companies. DigiNotar caught his interest because it was Dutch. He said he was motivated by the failure of Dutch peacekeepers to prevent the massacres of Muslims in Srebrenica in 1995. He also said he chose the Dutch company because of a Dutch legislator, Geert Wilders, who has built a political career out of criticizing Muslims in his country.

DigiNotar, which is owned by an Illinois company called Vasco Data Security International, did not make the attack particularly difficult, according to a report by Fox-IT, a security company that was commissioned by the Dutch government to investigate. The company’s critical servers contained malicious software that should have been spotted by antivirus tools, the report said, and the servers related to certificates were all protected by just one weak password. DigiNotar did not respond to requests for comment last week.

There was fallout in the Netherlands as well. The government there said last week that it was widening its investigation into the breach in an effort to learn whether the private data of Dutch citizens, many of whom file income tax returns online, had been compromised.

Comodohacker apparently began poking around DigiNotar’s systems in early June, the Fox-IT report said. He gained control of the server in about 10 days and generated 531 fake certificates, including some for well-known sites like Google, Skype and Facebook, along with a few foreign intelligence sites. He shared them with a person or organization believed to have had control over dozens of Internet service providers and university networks in Iran — perhaps the government itself.

Fox-IT concluded that over the course of a month, 300,000 people were served up fake certificates produced by Comodohacker. E-mails, chats, user names and passwords could have been monitored, revealing who they were talking to and what they were planning.

Google on Thursday issued an unusual warning to its users in Iran, calling on them to change passwords and check if their e-mails were being forwarded to unfamiliar or suspicious addresses.

Word of the Google warning caught the attention of Jubeen Sharbaf, an Iranian in Toronto. He is not ignorant of the Iranian government’s attempts to spy on its people, he said via e-mail. “This was alarming though because Google is perceived to be very secure, and beside Skype it has been used for the line of communication within and outside Iran,” he said.

Comodohacker was plainspoken about his motivations.

“My country should have control over Google, Skype, Yahoo, etc.,” he said by e-mail. “I’m breaking all encryption algorithms and giving power to my country to control all of them.”

In the days since his attack was discovered, Comodohacker posted lengthy explanations on Pastebin, a sort of Internet bulletin board, of how he had penetrated the system of the Dutch firm and why, along with his e-mail address.

He has also boasted of his own skills, calling his work the “most sophisticated hack of all time,” and at one point exclaiming: “I’m really sharp, powerful, dangerous and smart!”

Mikko Hypponen, a security researcher with F-Secure Labs of Helsinki, said the hacker was “somebody who has skills, and he also has the old-school hacker mentality where he likes to boast.” Mr. Hypponen added: “If he were an intelligence analyst for the secret police he wouldn’t be doing this.”

Asked whether he was paid for his services, the hacker replied in broken English: “I don’t fight for my belief for award in this world.”

The e-mail he sent appears to have come from a computer in Russia, according to an independent security analyst who reviewed it. Comodohacker has either remotely taken control of someone’s computer in Russia, or he may not be an Iranian software engineer at all.

Artin Afkhami and Kevin J. O'Brien contributed reporting.




A message from Comodo Hacker - March 26th, 2011

Hello

I'm writing this to all the world, so you'll know more about us..

At first I want to give some points, so you'll be sure I'm the hacker:

I hacked Comodo from InstantSSL.it, their CEO's e-mail address [e-mail address removed]
Their Comodo username/password was: user: gtadmin password: globaltrust
Their DB name was: globaltrust and instantsslcms

Enough said, huh? Yes, enough said, someone who should know already knows...

Anyway, at first I should mention we have no relation to Iranian Cyber Army, we don't change DNSes, we just hack and own.

I see Comodo CEO and other wrote that it was a managed attack, it was a planned attack, a group of cyber criminals did it, etc.

Let me explain:

a) I'm not a group, I'm single hacker with experience of 1000 hacker, I'm single programmer with experience of 1000 programmer, I'm single planner/project manager with experience of 1000 project managers, so you are right, it's managed by 1000 hackers, but it was only I with experience of 1000 hackers.

b) It was not really a managed hack. At first I decided to hack RSA algorithm, I did too much investigation on SSL protocol, tried to find an algorithm for factoring integer, for now I was not able to do so, at least not yet, but I know it's not impossible and I'll prove it, anyway... I saw that there is easier ways of doing it, like hacking a CA. I was looking to hack some CAs like Thawte, Verisign, Comodo, etc. I found some small vulnerabilities in their servers, but it wasn't enough to gain access to server to sign my CSRs. During my search about InstantSSL of Comodo, I found InstantSSL.it which was doing same thing under control of Comodo. After a little try, easily I got FULL access on the server, after a little investigation on their server, I found out that TrustDll.dll takes care of signing. It was coded in C#.

Simply I decompiled it and I found username/password of their GeoTrust and Comodo reseller account.

GeoTrust reseller URL was not working, it was in ADTP.cs. Then I found out their Comodo account works and Comodo URL is active. I logged into Comodo account and I saw I have right of signing using APIs. I had no idea of APIs and how it works. I wrote a code in C# for signing my CSRs using POST request to APIs, I learned their APIs so FAST and their TrustDLL.DLL was too old and was sending too little parameters, it wasn't enough for signing a CSR. As I said, I rewrote the code for !AutoApplySSL and !PickUpSSL APIs, first API returns OrderID of placed Order and second API returns entire signed certificate if you pass OrderID from previous call. I learned all these stuff, re-wrote the code and generated CSR for those sites all in about 10-15 minutes. I wasn't ready for these type of APIs, these type of CSR generation, API calling, etc. But I did it very very fast.

Anyway, I know you are really shocked about my knowledge, my skill, my speed, my expertise, that's all OK, all of it was so easy for me, I did more important things I can't talk about, so if you have to worry, you can worry... I should mention my age is 21.

Let's back to reason of posting this message.

I'm telling this to the world, so listen carefully:

When USA and Israel write Stuxnet, nobody talks about it, nobody gots blamed, nothing happened at all, so when I sign certificates nothing happens, I say that, when I sign certificates nothing should happen. It's a simple deal.

When USA and Israel could read my emails in Yahoo, Hotmail, Skype, Gmail, etc. without any simple little problem, when they can spy using Echelon, I can do anything I can. It's a simple rule. You do, I do, that's all. You stop, I stop. It's rule #1 (My Rules as I rule to internet, you should know it already...)

Rule#2: So why all the world got worried, internet shocked and all writers write about it, but nobody writes about Stuxnet anymore? Nobody writes about HAARP, nobody writes about Echelon... So nobody should write about SSL certificates.

Rule#3: Anyone inside Iran with problems, from fake green movement to all MKO members and two faced terrorist, should afraid of me personally. I won't let anyone inside Iran, harm people of Iran, harm my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President, as I live, you won't be able to do so. as I live, you don't have privacy in internet, you don't have security in digital world, just wait and see...

Rule#4: Comodo and other CAs in the world: Never think you are safe, never think you can rule the internet, rule the world with a 256 digit number which nobody can find its 2 prime factors, I'll show you how someone in my age can rule the digital world.

Rule#5: To microsoft, mozilla and chrome who updated their softwares as soon as instructions came from CIA. You are my targets too. Why Stuxnet's Printer vulnerability patched after 2 years? Because it was need in Stuxnet? So you'll learn sometimes you have to close your eyes on some stuff in internet, you'll learn... You'll learn... I'll bring equality in internet. My orders will equal to CIA orders, lol ;)

Rule#6: I'm a GHOST

Rule#7: I'm unstoppable, so afraid if you should afraid, worry if you should worry.

A message in Persian: Janam Fadaye Rahbar