[Discuss] 19,000 person company passwords stolen via HTTPS

[blu at nedharvey.com (Edward Ned Harvey (blu))]

> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of Dr. Anthony Gabrielson
> 
> > On Oct 6, 2015, at 10:52 AM, Rich Pieri <richard.pieri at gmail.com> wrote:
> >
> > The problem isn't encryption or lack thereof. The problem is that the way
> > we handle authentication is fundamentally broken. Centralized
> > authentication is literally an all eggs in one basket deal. Steal the basket and
> > you get all the eggs.
> 
> You are describing one specific approach, not all authentication systems have
> the problem you outline.

I have no idea what RP was talking about, or if there was a point at all, but Anthony, you're right. I know in CBCrypt, there is no basket with all the eggs.


> > The problem is further compounded by the belief that encrypting
> > everything will save the world and make everything better. It won't.
> > Encrypting a broken authentication system and a bass-ackwards verification
> > system will not make them any less broken and bass-ackwards.
> 
> It may not make everything better - but you will can cut down on the MiTM
> and increase the noise. Increasing the noise will go along way to make an
> adversaries job more difficult.

Again, I don't know if RP was making any real point, but Anthony, you're right. When passwords are exposed to servers, it makes it very easy for hackers such as referenced in the Ars article, to steal their passwords, and then compromise their accounts on other services, as well continued breach of the compromised service. For point of comparison, if a hacker breaches the TLS channel on a CBCrypt server, they still cannot access the users' information on *either* the compromised server, or anything else.

When bad guys want to sell bad material, they don't use their own accounts. They find somebody's hacked accounts and use them instead. Peoples' usernames and passwords are sold on the black market every minute of every day. There is a monetary value for bad employees to steal their users' passwords and sell them. The weaker the security in the world, the more innocent people the bad guys have available to hide behind, and the more innocent people get mistakenly arrested for having kiddie porn (for example) discovered in their Dropbox (for example).

Weaker security can be proven to never be effective at catching bad guys ( http://bit.ly/1K9gEFP ), and weaker security leads to more victimized innocent people. So yes, the absolute correct response is more encryption, more security. Save the world, make everything better. Yes.