A cool calculator for the size of the search space that an attacker would have to cover to guess your password using a brute force approach:
Archive for 2012
Looks like someone managed to extract a copy of linkedin’s password hash database today.
Didn’t take me long to get my hands on a copy of the file. Here’s what
- The file contains password hashes, but not user IDs. I guess it’s intended to demonstrate that the hashes got exfiltrated and that users pick weak passwords, rather than to compromise actual users.
- The hashes are sha-1 without a salt. Forgetting to salt password hashes is a novice mistake – I’m surprised linkedin did that and in their shoes I would remediate that immediately. A simple way to do so would be to rehash every user’s password at successful login time, using a 64-bit random salt.
- There are 6.5 million hashes in the file…
- It looks like the file has passed through “sort|uniq” — i.e., each hash appears exactly once. Nothing to learn here about password popularity, alas.
- Since the hashes were not salted, I was able to write a script to SHA-1 hash every password in a common dictionary and search the file for matches. That took all of about 10 minutes and yielded almost 20,000 passwords. No big surprise there (out of 6.5M different passwords, 20,000 are common words).
- I’m sure that if I spent some time with it, I could do what crack used to do — add digits at the front and back, implement various capitalization rules and in general permute my dictionary to get many more hits. Probably not worth my while though, since the bit that would really make it interesting is missing (frequency of occurrence of each unsalted hash).
So lessons learned from all this:
- Vendors: use best practices. Protect your password DB and salt password hashes.
- Users: assume that your logins on at least some public web sites will eventually be compromised to some degree. Some people are screaming “change your password!” or “choose a strong password!” but really — you should just keep in mind the risk level of compromise of any given account. Personally, I wouldn’t care all that much if my linkedin account got compromised, but others might be more concerned than me.
- It doesn’t look like anyone really malicious was involved here (they didn’t publish the user IDs, after all) but you have to wonder what would happen if this really was malicious?!
These days, software seems to be headed in just one direction: bloatware. Think of the typical “enterprise” solutions which run in Java or .NET (interpreted, sandboxed runtime), running on top of a UI framework, object framework, session state management framework, app server, web server, DB server, object broker and more.
If all this sounds like a bloated architecture — it is. I’ve seen many applications (including from our competitors, who I won’t name here) with multi-gigabyte installations of barely functional software, that yield performance on the order of minutes-per-HTML-form. Just brutal.
At one point, I figured the reason Sun was so hot on selling Java, was that Java/J2EE performance was so brutally awful, that it forced customers to buy more hardware. This was pre-Oracle acquisition, though I’ve no reason to imagine this has changed with Oracle buying Sun. There is likely some truth in that. .NET was really just Microsoft saying “Me Too!” and I’ve noticed that .NET somewhat less awful than Java, but still – as an end user, I hate dealing with Java and .NET apps, since they inevitably make me wait. And wait. And wait some more.
So here we are in the age of bloatware. Software platforms and architectures designed to keep unskilled safe against their own mistakes and to protect lazy developers against actual work.
Not a cheerful state of the industry.
But then – once in a while – I see something like this:
- Demoscene: 64k Intros At Revision Demoparty
- Gaia Machina by Approximate
- F – Felix’s Workshop by Ctrl-Alt-Test
You should definitely follow the links and watch the videos. These are self-running 3-d ray-traced animations. They run for several minutes, with music. The amazing thing is that each of these is a single, self-contained, 64-kilobyte Windows executable.
Think about that for a minute. Several minutes of complex, 3-D, ray-traced animation, with music. Running in real-time on your commodity PC. In 64 kilobytes of code.
Compare that 64-kilobytes of pure computer science goodness to the crapware you get from ERP vendors in their .NET and Java padded cages. With hundreds of megabytes or gigabytes of code, that accomplish close to nothing. With brutal performance profiles.
This stuff is pure gold. It shows that there is still some real software development talent in this world.
For those of you who don’t follow Canadian politics, there has been an interesting story developing in the past week. It’s quite illustrative of the direction that public discourse about privacy and security seems to be taking in the Internet age.
The story begins with the current federal government, which calls itself conservative, bringing forward a bill that would enable police to demand logs from public ISPs, without a warrant. Basically warrantless wiretapping for the digital age, at least in certain circumstances.
It’s interesting to see a “conservative” government promote such legislation — they are clearly torn between libertarian impulses (small government) and law-and-order impulses (heavy-handed police powers). It’s not at all clear that their caucus is uniformly in support of this bill.
Incidentally, the offending bit of language appears to be this:
“487.11 A peace officer, or a public officer who has been appointed or designated to administer or enforce any federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament, may, in the course of his or her duties, exercise any of the powers described in subsection 487(1) or 492.1(1) without a warrant if the conditions for obtaining a warrant exist but by reason of exigent circumstances it would be impracticable to obtain a warrant.”
Really? Under what “exigent circumstances” could it conceivably be “impracticable” to obtain a warrant to violate the privacy of a citizen?
Anyways, the story gets more interesting from there, and this is where the intersection of privacy and politics really comes up:
First, Vic Toews, the minister in charge of this dubious legislation stoops to the following assertion in Parliament: “you stand with us or with the pedophiles.” You just have to expect some negative response when you use language like that! The bill has nothing to do with children, incidentally.
So no surprise – a storm of public indignation. Mr. Toews cheerfully renames the bill to “Protecting Children from Internet Predators Act” but nobody buys this weak attempt at spin.
Next, some twitter accounts show up. Notably two:
- One divulging all sorts of tawdry details about Mr. Toews’ recent divorce: Vikileaks30
- One where Canadians share all sorts of inane details from their personal lives, to illustrate the point that the government has no business intruding in this manner, especially without a warrant: #TellVicEverything
So some citizen has access to personal details about Mr. Toews’ divorce and is using it to embarass the minister in an effort to push back against this proposed bit of legislation.
So that’s it, right? Social networking vs. politics?
First, it turns out that the Twitter account is being updated by someone inside Parliament: Ottawa citizen investigative report
The Citizen used a honeypot to lure the genius posting these Twitter messages. The person behind Vikileaks30 is almost certainly one of the newly elected NDP members — many of whom are little more than children, elected by Quebecers who wanted “anything but the static quo” during the last election.
In a final bit of irony it seems that:
- Mr. Toews’ divorce was triggered at least in part by two affairs over multiple years, one of which led to a child.
- At least one of the affairs was with a much younger woman and at least one (the same?) was with his childrens’ babysitter.
This last is rich — Mr. Toews is a vocal social conservative, making public noises about the sanctity of heterosexual marriage — but has an affair. He relabels the current bill “Protecting Children from Internet Predators Act” but has sex with his own childrens’ babysitter, who is of course much younger than himself. Does hypocrisy know no bounds?
So that’s it. The modern face of privacy and politics:
- Politicians are dirty — both the NDP operative behind Vikileaks30 and Mr. Toews.
- Politicians talk a good game — ethics and decorum in parliament, protecting children, sanctity of marriage, etc. but practice something entirely different.
- Legislation relating to privacy, intellectual property, Internet throttling, wireless spectrum access and more is very much on the public agenda, and is in no way obscure legalese that the public doesn’t care about.
- Even a majority government has to listen to citizens, or risk their wrath at the polls next time around.
- The opposition seems to be effective in the short term, leveraging public media and exposing dirty laundry, but they are also nasty and ugly, and may be punished for those characteristics on the next poll.
An amusing graphic that everyone could benefit from:
Does your organization do business in Europe? Sell any products or services to EU citizens?
If so, you’ll want to watch developments regarding a refresh to the EU privacy directive. There is a proposal to turn it into a uniform regulation (at least it will be the same in all 27 countries!) but also to make it quite onerous (100 pages of text?), to make compliance more onerous and to make incidents where privacy was compromised very expensive.
Read more here:
My take is that compliance will get quite expensive.