RockYou and Password Choices

January 22nd 2010

A social networking site called Rockyou.Com was hacked a few months ago, and someone was thoughtful enough to tell them about it in December. After some dithering, they announced it to their user community.

Unfortunately, they were trying to do site aggregation – using login credentials from other sites to link those sites to theirs. All very Web 2.0. All very dangerous, especially since passwords were stored in plaintext. Thus, the attackers collected 32 million user login credentials: ids, passwords, e-mail addresses. This was courtesy of a cross-site scripting vulnerability.

John, a former colleague, sent me a note about a security group named Imperva that analyzed the list of passwords.

The actual report is poorly drafted – you can’t tell how much of the database they really analyzed, or how they chose the set to analyze. However, it seems that they analyzed a sample of the passwords and compiled a list of the 5,000 most common ones, which they didn’t share. They did share a list of the 20 most common: the most common word was “Password”, while “princess” and “Nicole” were the most common names.


Posted under Security

Bring-Your-Own-Computer

January 12th 2010

Paul Ardoin, a former colleague, has posted some comments on Bring-Your-Own-Computer, the notion that companies should rely on employees’ personal laptops. My security-wonk-alarm went off when I read this, but I’m thinking the concept has some merit.

This is somewhat related to the question of using a company car versus the company paying you for mileage on your own car. People in general tend to take better care of their own car. The same may be true of computers.

However, if the company needs to enforce security constraints on employee computing, as in health care or finance, then personal machines are a bad idea. Even in companies where only a few sensitive activities take place, the company should provide and maintain special computers for those purposes.

Posted under Security

When is public data non-public?

October 31st 2009

If it’s public information on paper, is the electronic version also a public record?

As a techie, I tend to think so. The electronic version carries more information, is easier to work with, and is sometimes easier to authenticate.

The city of Phoenix, AZ, recently argued the opposite in court, and ultimately lost. Someone was suing the city and demanded some public records. The city provided paper copies, some of which appeared to be backdated. The plaintiff demanded the electronic copies so he could examine the metadata. The city refused, saying that the metadata was not public record. Two courts agreed, but the Arizona Supreme Court disagreed. So a court is on record saying that, if the document is a public record, the electronic form is also a public record.


Posted under Security

Thought provoking polemic on copyright

October 31st 2009

Apparently someone in the UK has proposed a sort of “three strikes” law – if your household is accused by a copyright holder of illegal downloading multiple times, then the holder can demand removal of the household’s Internet connection.

Cory Doctorow, the author, wrote a polemic about how this reflects on the big media firms it tries to help.

He notes how copyright owners now use “takedown notices” as an extrajudicial form of censorship. There is no practical defense against such notices: the ISPs are caught in the middle and aren’t inclined to take on such a legal challenge. The Internet has become such a part of modern life that its removal is tantamount to imprisonment.

Posted under Personal Expression & Security
