Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] 19,000 person company passwords stolen via HTTPS

> From: Discuss [ at] On
> Behalf Of Dr. Anthony Gabrielson
> > On Oct 6, 2015, at 10:52 AM, Rich Pieri <richard.pieri at> wrote:
> >
> > The problem isn't encryption or lack thereof. The problem is that the way
> > we handle authentication is fundamentally broken. Centralized
> > authentication is literally an all eggs in one basket deal. Steal the basket and
> > you get all the eggs.
> You are describing one specific approach, not all authentication systems have
> the problem you outline.

I have no idea what RP was talking about, or if there was a point at all, but Anthony, you're right. I know in CBCrypt, there is no basket with all the eggs.

> > The problem is further compounded by the belief that encrypting
> > everything will save the world and make everything better. It won't.
> > Encrypting a broken authentication system and a bass-ackwards verification
> > system will not make them any less broken and bass-ackwards.
> It may not make everything better - but you will can cut down on the MiTM
> and increase the noise. Increasing the noise will go along way to make an
> adversaries job more difficult.

Again, I don't know if RP was making any real point, but Anthony, you're right. When passwords are exposed to servers, it makes it very easy for hackers such as referenced in the Ars article, to steal their passwords, and then compromise their accounts on other services, as well continued breach of the compromised service. For point of comparison, if a hacker breaches the TLS channel on a CBCrypt server, they still cannot access the users' information on *either* the compromised server, or anything else.

When bad guys want to sell bad material, they don't use their own accounts. They find somebody's hacked accounts and use them instead. Peoples' usernames and passwords are sold on the black market every minute of every day. There is a monetary value for bad employees to steal their users' passwords and sell them. The weaker the security in the world, the more innocent people the bad guys have available to hide behind, and the more innocent people get mistakenly arrested for having kiddie porn (for example) discovered in their Dropbox (for example).

Weaker security can be proven to never be effective at catching bad guys ( ), and weaker security leads to more victimized innocent people. So yes, the absolute correct response is more encryption, more security. Save the world, make everything better. Yes.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /