Thursday, March 15, 2007

Nginx http server, possibly a criminal indicator?

Just like using Linux doesn't automatically make you a criminal, I doubt that using Nginx (pronounced "Engine-X") is necessarily a criminal act. But is it an indicator?

I noticed it today as part of a light analysis of a real-world exploit of the overlong RTSP link bug for QuickTime. Nginx is a lightweight HTTP server that is now associated with at least one case of network crime, having served up a fairly fresh exploit.

Again, most phishing sites today run on Apache with PHP, and most phishing login pages contain phrases like "FDIC Insured" and "All Rights Reserved" and carry a login form with a password input field. Taken separately, none of these indicators a phishing site make. Taken together, they are a strong indication of crime.

So, I'm wondering -- has anyone else run into Nginx doing evil? I'm curious what the evil:good ratio is in the real world, and if it's something defenders/auditors/LEOs can use to help profile potentially malicious sites.
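As an added example that is not part of the original post, here is a small Python scorer for the idea above: each weak indicator (an nginx Server header, the boilerplate phrases, a password field) counts for little on its own, and only the combination crosses an alert threshold. The sample HTTP response, the weights and the threshold are constructed for illustration.

```python
import re
# Constructed sample response (not a real capture): an nginx-served login page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.5.12\r\n"
    "\r\n"
    "<html><body><h1>Account Verification</h1>"
    "<form method='post' action='login.php'>"
    "Password: <input type='password' name='pass'>"
    "</form><p>FDIC Insured. All Rights Reserved.</p></body></html>"
)
# Hypothetical weights: no single indicator reaches the alert threshold alone.
WEIGHTS = {
    "server_nginx": 1,
    "fdic_insured": 1,
    "all_rights_reserved": 1,
    "password_form": 2,
}
ALERT_THRESHOLD = 4

def split_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def indicators(raw):
    """Return the names of the indicators that fire on one response."""
    headers, body = split_response(raw)
    found = set()
    if "nginx" in headers.get("server", "").lower():
        found.add("server_nginx")
    if re.search(r"fdic\s+insured", body, re.I):
        found.add("fdic_insured")
    if re.search(r"all\s+rights\s+reserved", body, re.I):
        found.add("all_rights_reserved")
    if re.search(r"<input[^>]+type=['\"]?password", body, re.I):
        found.add("password_form")
    return found

def score(raw):
    """Sum the weights of firing indicators; compare to ALERT_THRESHOLD."""
    return sum(WEIGHTS[name] for name in indicators(raw))

def is_suspicious(raw):
    return score(raw) >= ALERT_THRESHOLD
```

A plain nginx-served page with none of the page-content indicators scores only 1 and is not flagged; the sample login page fires all four and scores 5.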


Sunday, February 11, 2007

Paypal Introduces Security Fob

Strikingly similar to the RSA SecurID, PayPal has rolled out their own two-factor authentication (2FA) dongle.

While it's easy to dismiss random-number key fobs as susceptible to man-in-the-middle attacks, I do think that if such a device were required on all accounts, it would significantly impact the effectiveness of traditional phishing scams -- assuming the attacker is actually going for PayPal account access.

Trouble is, the Security Key is a) optional and b) non-free, which will surely impact its rollout significantly. Maybe VeriSign (the manufacturer of the fob) will have a fantastically better marketing plan than RSA did, and actually get more than 5% of the PayPal users to adopt it.

The other problem is that there are plenty of PayPal-targeted phishing sites that really don't care about your PayPal login information -- they're just riding on the trust of PayPal to do things like collect credit card numbers, secondary banking information, and identity information. So, they really won't care if you give a correct or incorrect security code.

All that said, it is nice to see that PayPal is deploying a real second-channel 2FA, rather than the "ask me for more passwords" 2FA schemes that other financial sites have deployed to comply with U.S. regulatory requirements. I just don't think 2FA, generally, is particularly effective in solving the problem of phishing. I suppose it's better than nothing, though.
