That'll be an excellent example on many security talk slides in the future (PW strength, reuse of PWs, salting)
They probably could have made some money by combining some day trading of FB stock with a well timed announcement of resignation due to health concerns or something.
Announce, anticipate drop, buy...leak it was fake, sell. Or whatever else you can come up with with some thinking.
[maybe not because he'd post that on FB]
And then they'd spend all that money hiring lawyers to keep them out of jail. First rule of hacking is to stay away from high profile targets because they attract too much attention. I think they handled it nicely. They exposed the vulnerability without doing anything harmful.
First rule of hacking is to separate liability to stay out of jail.
Prosecution is typically limited because the person that discovers the hack isn't the person that exploits the hack, isn't the person day trading Facebook stock after the fake press releases.
And of course - and still up for controversy - selling hacks isn't restricted in any way right now.
"If you're going to trespass on someone's property you might as well deface it and steal some of their stuff"
I am not a lawyer but I could see password breaching in the interest of white hat security being looked at a lot differently by the courts than what you're suggesting
I believe the passwords came from the 2012 LinkedIn breach and I was referring to the original criminals. If you have the criminal energy to steal that data you might as well use it. I don't think there was anything white hat about that incident.
> If you have the criminal energy to steal that data you might as well use it.
No no no. Any self-respecting criminal will not gain directly from a break-in, but rather sell the goods on to someone with a credible laundering story (or at least someone who will put further space between him and the goods).
ok, "will not gain from directly leveraging goods acquired in a break-in against the same victims of such break-in". Thieves usually don't try to sell your TV back to you, and the ones who do are widely mocked.
Anyone knows a CEO who used "cube" as a password? I wonder why the top of the extremely competent people can be so sloppy sometimes. I'll suggest that's what you get when you found a startup straight after uni: You don't understand what it's like to jump through employment hoops.
> I'll suggest that's what you get when you found a startup straight after uni
There's no statistical correlation for this. If anything, I would say it's the opposite: most young founders know the importance of security in this day and age.
Think so? I'm sure lots of people have limit orders in at low prices, so that part alone isn't suspicious. But it might put you on a shortlist of potential hacker suspects.
The features that make orders not suspicious are the same that make them not terribly profitable in this event. Having a standing buy order at a few percent below current trading is fine, having one for several million dollars isn't (it implies that you know the stock is going to bounce back).
I'd say that it makes the argument that reuse of passwords is more dangerous than simply using poor passwords. After all, its complexity didn't seem to matter in this case. In fact, one could argue that the only thing a user of a site need concern themselves with is not using the same password in multiple locations. Once that is achieved, I wonder if the chances of your account being hacked dramatically decrease more than with any other safety precaution you can take, apart from simply not having any account.
“No Facebook systems or accounts were accessed… The affected accounts have been re-secured.”
Sounds to me like they weren't very secure to begin with. So they would be "secured" now, not "re-secured". It's crap like this that makes me miss George Carlin.
So the combination is... da, da, da? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
I'm a southpaw myself, and therefore quite biased, but I've always been struck by the prevalence of CEOs, Presidents, notable scientists, etc. that I have met who are fellow lefties. Don't have a p-value, but it seems much higher than the ambient (~10%) rate.
For instance, for the last 4-5 years in our computational science research group, we have been sitting pretty steadily near 50%.
Selection bias? There are some studies indicating left-handed children tend to score lower (on average) on IQ, verbal scores, etc: http://www.ncbi.nlm.nih.gov/pubmed/16643966 (Edit: Seems the IQ difference varies between studies and is negligible, if even exists.)
Hypothesis is that left-handedness can be caused by early brain trauma, so if "lefties" are disproportionately represented in such positions, the ones with non-pathological causes would seem to have an even bigger advantage over the right-handed to make up for the lower mean. Or perhaps it's associated with other talents that make up for the deficits. (Edit: Wikipedia seems to support this - https://en.wikipedia.org/wiki/Handedness#Intelligence)
Or perhaps the research conclusions are just wrong.
It's possible for both phenomena to coexist. Extreme case: Suppose 95% of left-handers are low-functioning, and 5% of them are INCREDIBLY high-functioning. You'd then have them simultaneously overrepresented in top positions AND scoring lower on IQ, verbal scores, etc.
If true (in a less extreme sense), I imagine it would be vaguely correlated with post-traumatic stress and post-traumatic growth. Some of the most amazing people humanity has produced went through unimaginable suffering. And yet the vast majority of people who go through hideous suffering end up dysfunctional.
So it's something like: most people with a disadvantage get messed up, but the few who manage to overcome it manage to overcompensate dramatically.
Why?
A password as simple as dadada has the great advantage that one can write it quickly with one hand - and for this you typically choose a password that you can write with your other hand on the mouse for when you are using it.
I'm a righty... so my left hand never leaves the keyboard, my right moves all over the place, and dadada is super easy for me to type. I would think if you're a lefty and using a laptop like most CEOs are likely to be doing (if they have a laptop at all) then your left hand is on the mouse, making dadada harder to hit?
Lefty here... but as with many other things in life (e.g. gloves, golf clubs, etc.), the prevalence of 'right handed' mice forced me into being a mouse/trackpad righty.
Most left-handed people I know have a mixture of left/right-handedness, whereas it seems all the right-handed people are right all the way.
You could be right handed and use a password like !@#asdQWEewq#@!123 (using the pinky on the shift) because it doesn't require you to take your right hand off the mouse
Since when has SHA1 been crackable in three days? AFAIK with proper passwords SHA1 is nearly impossible to crack. Did I get something wrong? Salting does make the process slower with bad passwords, but with good ones there's very little difference. Just my gut feeling.
There's nothing to stop anyone from creating a reverse lookup table by systematically generating strings and their hash, and aside from dictionary words, this is an example of low hanging fruit. It's a repeated sequence of characters, which would be the second most obvious heuristic (after the dictionary) when trying to generate plausible passwords and their associated SHA1 hash.
Before the LinkedIn leak, I was guilty of sharing passwords across sites, and I got a wake up call by a "someone tried resetting your password" email. Started resetting them all, got to the point where I noticed there were a lot and I should probably use a password manager. Eventually I found out I had over 100 online accounts for various things, all of them now having unique passwords. I've deleted a handful of them (e.g. MySpace, MyCokeRewards). There are a couple more I'm trying to get deleted (e.g. Dominos) but haven't been successful yet.
From what I understand, salting prevents computing the tables ahead of time and the ability to cross-reference a single password hash against all other password hashes. It doesn't prevent people who have access to both the salt and the hash from performing the same attack against individual passwords.
Yes, that sounds correct. I thought the idea, though, was to make the salt non-obvious for this reason. I would hope people aren't storing passwords in a table with a "salt" column, but I don't really know. But I think you're right: if you know the salts and you want to use this approach to go after a small number of high-value targets it could work.
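As an added illustration of the two comments above (not code from this thread): a precomputed SHA1 lookup table built from the "repeated sequence" heuristic recovers every unsalted hash with one lookup and links users who chose the same password, while a per-user salt defeats the table but, once the salt is known, still leaves that one user open to a per-user re-hash. The usernames, passwords and salts are constructed sample data.

```python
import hashlib
import itertools
import string

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def repeated_candidates(alphabet=string.ascii_lowercase, unit_len=2, repeats=(2, 3, 4)):
    """Guess generator for the 'repeated sequence' heuristic: a short unit
    repeated a few times, e.g. 'da' * 3 == 'dadada'."""
    for unit in itertools.product(alphabet, repeat=unit_len):
        for n in repeats:
            yield "".join(unit) * n

def build_lookup(candidates):
    """Reverse lookup table computed once, ahead of time: unsalted SHA1 -> password."""
    return {sha1_hex(p.encode()): p for p in candidates}

def crack_unsalted(hashes, table):
    """Unsalted: one dictionary lookup per leaked hash, and every user who chose
    the same password collapses onto the same table entry."""
    return {h: table.get(h) for h in hashes}

def crack_salted(salt: bytes, target: str, candidates):
    """Salted: the precomputed table is useless, but if the salt leaked with the
    hash, each candidate can still be re-hashed for this one user."""
    for p in candidates:
        if sha1_hex(salt + p.encode()) == target:
            return p
    return None

if __name__ == "__main__":
    # Constructed sample 'leak': two users picked the same weak password.
    users = {"alice": "dadada", "bob": "dadada", "carol": "hjhjhjhj"}
    table = build_lookup(repeated_candidates())
    unsalted = {u: sha1_hex(p.encode()) for u, p in users.items()}
    print(crack_unsalted(unsalted.values(), table))  # all three recovered, alice == bob
    # Per-user salts (constructed, fixed here so the run is reproducible).
    salts = {"alice": b"s1", "bob": b"s2", "carol": b"s3"}
    salted = {u: sha1_hex(salts[u] + p.encode()) for u, p in users.items()}
    print(crack_unsalted(salted.values(), table))  # every table lookup misses
    print(crack_salted(salts["alice"], salted["alice"], repeated_candidates()))  # per-user re-hash still works
```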
But in the case of passwords, the input masking (limited character set, length etc.) makes most of the found collisions nonviable? Because you can't just freely enter colliding bits into the algorithm.
Mark Zuckerberg doesn't care about his Pinterest and Twitter accounts. He created them to scope out the competition and doesn't care if they get compromised. That's why his Instagram didn't get affected; he does care about that one (or at least somebody on the team of people he employs to protect the security of his websites does).
Now, I'll bet the lesson Zuck takes away from this is actually that other people care more about his Pinterest than he does (e.g. if John Doe sees Zuck pin something, John may be much more likely to check that product out).
As long as we have way too many unnecessary passwords, this will happen.
Merchants have figured this out. Many now allow purchases without creating an account (no doubt also because if people have to create another password, some will just abandon the purchase.)
I was reading about the Eero router. They figured this out. They get the user's phone number and send a token by text.
Passwords are horrible for usage and horrible for security. Just horrible all around.
I am using that password for dummy accounts (internal) all the time. As an Eastern European it means something in the language (yes). What does it mean in English?
It's what pre-verbal toddlers tend to call their male parent in the UK. They'd often stop at just dada, but everybody knows 4 character passwords are insecure
It's kinda hard to believe that he used "dadada" as a password. Anyone who has a bit of understanding about how passwords are cracked would never use such a sloppy password.
And he had one password for all the social accounts? Ew... How could he be so stupid?
Everyone who works at Facebook should watch out right now. Endgame Systems (CIA) is trying to hack profiles right now to terrorize people. This is only the beginning.
In all seriousness, many people choose shit passwords for the accounts they don't care about. I'm sure Mark's password for his admin account on fb is probably harder to guess.
> many people choose shit passwords for the accounts they don't care about
Surely any account tied to your real name / identity is something worth caring about. Doesn't matter how crappy/uninteresting the site is (or becomes), you still don't want to make it easy for someone to take over the account and be impersonating you.