Posts tagged with "passwords"


Yay, my Twitter was breached!

Password reset form

So, I was one of the super lucky 250,000 users to have their Twitter account details leaked. While I did create my account in March 2007, my #875,971 account ID is still higher than 250,000. Maybe they only hacked earlier accounts that are still active?

UPDATE: The Guardian is saying the attack only affected Twitter accounts created in the first half of 2007. Mystery solved, if true.

Dear Twitter User:

As a precautionary security measure, we have reset your Twitter account password. Check your inbox for a separate email from Twitter with instructions on how to reset your password. If you don't see an email, you can go to this page in our Help Center to request a password reset. More information is below.

We recently detected an attack on our systems in which the attackers may have had access to limited user information - specifically, your username, email address and an encrypted/salted version of your password (not the actual letters and numbers in your password). Further information about the attack can be found in this blog post.

Since your password has been reset, your old password will not work when you try to log into Twitter. We strongly encourage you to take this opportunity to select a strong password - at least 10 (but more is better) characters and a mixture of upper and lowercase letters, numbers, and symbols - that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised.

For more information about making your Twitter and other Internet accounts more secure, read our Help Center documentation or the FTC's guide on passwords.

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to reset your password and publicize this attack while we still gather information. We are also helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.


UTS site defaced with plaintext passwords

Over the weekend, a subdomain at the University of Technology Sydney was defaced, and with it the names and passwords of several staff members were published. What isn't being talked about much is this: it was bound to happen.

Image of computers in UTS Building 10 taken by me in 2011.

Well, bother

According to Michael Lee of ZDNet Australia, the breach affected an older content management system (CMS) backend used to deliver news. Once the system was compromised, the information of staff members was published, including their names, email addresses and their passwords in plaintext.

The site also had an ASCII art picture of Zoidberg from Futurama added, performing his trademark roar of exasperation. I see what they did there.

The good news is this breach did not affect the primary site, though it exposes a far larger issue.

The claws of the problem

When I first enrolled at UTS, I was surprised at how easy it was to choose subjects, set up my timetable and get started. Some of my fellow students may scoff at this, but having studied in several places, UTS's system is far superior. They may use Blackboard for everything else, but at least they had the common sense to keep clear of it for enrolment. But I digress.

The one part of the process that gave me pause was when I was prompted for a password. I proceeded to type in a unique passphrase that I'd be using for logging into UTS, only to be told it was too long.

Warning bells.

I've blogged at length about the risks of accessing sites with password character limits, and why they're technically unnecessary in a securely designed site. You can read about it here.

In a nutshell, passwords that are stored securely as a cryptographic hash have no technical reason to be limited in length. When a site informs you of a length limit, it's a fairly sure sign they're storing your password insecurely as plaintext, which means when there's a breach, your password is viewable. Like they were here.

UTS uses student passwords for administration, student email, the Blackboard Learn environment, WPA2 passwords for wireless access, Faculty of Engineering and IT access to student servers, login access to shared computers and many more places. I can appreciate the challenge of keeping all these the same, as students are unlikely to be willing to remember different passwords for each of these.

Still, for an institution of higher learning, I can't help but think they could solve this challenge securely. It dismays me when action is taken only as a result of a breach. I hope UTS uses this as an opportunity to revise their security policies.


Are sites storing your passwords securely?

There have been so many password "hacking" stories lately, I thought I'd write this post so I can refer back to it. For added security, I've included the above image of Makise Kurisu, the scientist in my anime harem.

Covering my behind

Crypto is an exact science, so before I go any further I will make these two points clear.

  • When I say random, technically I mean pseudorandom. Algorithms are deterministic, and a computer's ordered logic can't, strictly speaking, produce "true" randomness. Contemporary algorithms are an order of magnitude better than the BASIC RND() function of yore though.

  • When I say impossible and one way, I mean practically speaking. Our current algorithms would take the birth and death of several universes to brute force with current hardware, but that doesn't mean it's impossible. Just very very very very improbable!

How passwords are supposed to be stored

When you create an account with a well designed, secure website, your chosen password is not stored anywhere. Instead, your password is put through a one way cryptographic hashing algorithm which converts it to random gibberish, along with some salt or random information only the web server knows.

When you attempt to log into the site, the password you give is hashed and compared to the hash on file. If they're the same, the server knows you have the right password.

It's a proven, tested technique and it works... provided everything is implemented properly. No doubt you've seen plenty of news stories suggesting sound security is harder than coming up with some snappy alliteration on a blog post.

Why go to the trouble?

Rather than storing a hash of a password, you could simply store the password and compare it when someone logs in. It's simpler, and a worryingly large number of sites still do this.

The problem is, if the database is broken into, the malicious hacker has access to all your customers' passwords. People like conserving energy (the politically correct way of saying lazy!), and are probably using those same passwords for all sorts of stuff including their banking sites, email, social networks and so on. You can see what a disaster this could be!

If you store them as hashes, all anyone ever sees is random gibberish... even the site owner!

How to tell

Short of asking the site administrator, there are two main tells that a site is storing your password itself instead of a hash:

  • They're able to provide you with your password. This could happen when you first create your account and they send you a welcome email, or if you've said you've forgotten your password. A secure site should always direct you to a page to reset it, because they don't know your password either.

  • Hashes take any password length and adjust them to a uniform size (such as 128 bits). Not always, but often if a site puts a limit on your password length, it's because they're storing it as plaintext in their database.

There may have been (bad) excuses for these practices in the past, but not any more. If a site you access does either of these, it's time to question how important they are and whether they're worth risking your data and security over. Blunt, but true.
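As an added illustration (my own code, not from the post) of the hash-and-salt scheme described above, and of why a hashed password needs no length limit: a small register/verify pair in Python using PBKDF2-HMAC-SHA256. The algorithm, iteration count, salt size and the `iterations$salt$hash` record layout are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not from the post):
# PBKDF2-HMAC-SHA256, a random 16-byte salt per account, 32-byte digest.
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record a site would store: 'iterations$salt_hex$hash_hex'.

    The password itself is never stored. The salt is kept next to the hash,
    so the same password on two accounts produces two different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for each account
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"{ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Hash the login attempt with the stored salt and compare to the stored hash."""
    iterations, salt_hex, hash_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=DIGEST_BYTES,
    )
    # Constant-time comparison: a plain == would stop at the first differing byte.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def digest_bits(record: str) -> int:
    """Size of the stored hash in bits; the same whatever the password length."""
    return len(bytes.fromhex(record.split("$")[2])) * 8


if __name__ == "__main__":
    # Constructed sample passwords: a short one and a 200-plus character passphrase.
    short_rec = hash_password("hunter2")
    long_rec = hash_password("correct horse battery staple " * 8)
    print(short_rec)
    print(verify_password("hunter2", short_rec), verify_password("hunter3", short_rec))
    print(digest_bits(short_rec), digest_bits(long_rec))
```

Nothing in the stored record reveals the password, and the 232-character passphrase is stored in exactly as many bytes as the seven-character one, which is why a length cap on a properly hashed password has no technical justification.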

If you suspect a site you access is storing your password in plain text and you have no choice but to use them, complain, and make sure you pick something random and unique to that one site. If/when they get broken into, you'll be glad you did.


Telstra joins the Plaintext Password Parade

Detailed information about Telstra's customer accounts - including usernames and passwords - has been found to be sitting on the open web for anyone to access via a Google search. ~ Sydney Morning Herald

Inexcusable. No database should be storing passwords as plaintext. If people forget their passwords, they should be reset.

No doubt we'll read a press release saying they've learned a lot from their mistake, and have changed their system. Here's hoping they do learn from it, and implement some basic security protocols. They can start by ditching their revised coloured logos and going back to their retro orange one. It looks more serious, and classy.


France to require cleartext passphrase storage

Icon from the Tango Desktop project

France's new data retention law requires online service providers to retain databases of their users' addresses, real names and passwords, and to supply these to police on demand. Leaving aside the risk of retaining all this personal information (identity thieves, stalkers, etc -- that which isn't stored can't be stolen and leaked), there's the risk of requiring providers to store plaintext passwords, as Bruce Schneier points out. ~ BoingBoing

Patently absurd, insecure, and it will end up only driving French web services overseas. Therefore, unenforceable.


Could Adobe #fail any more?

So I wanted to download some trial software from Adobe.com. No wait, scratch that, I was required to download some trial software from Adobe.com. This is My Tale.

Adobe hates Firefox extensions

Firstly, I'm fully aware that I'm a paranoid internet user. I run NoScript for dynamic content, XSS protection and a slew of other privacy and security features, PermitCookies for cookies and RequestPolicy for XSRF protection. These tools all operate on a whitelist principle; that is, block everything by default unless I explicitly make an exception.

Most sites break with these extensions blocking everything, but temporary exceptions allow sites that were written poorly (in my opinion!) to work. That is, except Adobe.com. No matter what I did with these extensions, Adobe.com refused my login credentials, and when I attempted to create a new account just in case my old password didn't work, the site refused to finish the signup form.

For a company with billions in the bank and with the specialities they have, this is inexcusable. I'm sorry, but I don't buy into the idea that it's the fault of my privacy and security extensions if almost every other site is able to work without problems!

Adobe hates security

Eventually I gave up attempting to use Firefox to access this site, so I fired up Camino. Before I got extremely paranoid, Camino was my favourite Mac browser, and I still use it for sites that refuse to play nicely with my bolted-down Firefox installs.

After ascertaining that the site wouldn't log me in because I'd forgotten my password (which they didn't inform me of in Firefox), I went through the process of resetting my password. Adobe.com assured me they'd be sending an email to my nominated email account with a link to reset my password.

That was over two hours ago, and nothing arrived. Nothing in my spam folders or filters, nothing. Eventually I gave up and opted to create a new account with a disposable email address, which fortunately worked.

I got a kick out of the fact the sign up screen truncated the Australian Capital Territory rather than just abbreviating it, and that they informed me my password was not between 6-12 characters. That's right, Adobe complained that my password was too secure. @ShaunLorrain on Twitter knows what I'm talking about.

@Rubenerd I know right, @Adobe always tells me my password is too long or complex.

Seriously though, who designed this facacta site? What a bunch of jabronis.

Adobe hates simplicity

Of course downloading trialware from Adobe can't be easy either. Adobe, like IBM/Lotus and Microsoft, can't just give us a direct download to the software we're requesting, they have to get us to download a stub application that is then used to download the application. Reminds me of this dialog box on Windows that I blogged about, and my adventures with downloading Windows 7.

Unfortunately it's even worse than the obnoxious Java applet you need to run from IBM to download Lotus Symphony. Like the Microsoft download tool, Adobe actually makes you download an application to your desktop in the form of the Akamai Download Manager, which then downloads the file you requested.

I like to keep my systems extremely neat, clean and tidy, and I simply don't install software unless I have to. Considering I spend most of my waking hours in front of computers, my /Applications folder on my Macs and my package managers on FreeBSD and Linux are kept reasonably trim. The fact I have to download and install software to download and install software... is offensive. It means I have to uninstall the junkware they got me to install... to install something. Given Adobe's appalling software security track record and the fact their software is known to be the most insecure in the industry now, installing extra software from them puts me on edge.

So, did it work?

As of now this download is moving along at about 430KB/s, which means it should be done in about an hour. Granted, at least their downloads are faster than getting drivers from HP; if I were downloading 1.72GiB of stuff from them I'd be waiting for weeks for it to finish. Not an exaggeration!

In the meantime, if you'll excuse me, I'll be using Inkscape!


"Youths not concerned about online privacy"

Channel NewsAsia Singapore: A recent survey [of 800 students aged 18-35] has found that online privacy in social networking sites is not a concern for youths [...]

Of course they're not concerned, they're too busy using Google Chrome and Facebook. </oldmanvoice> This was the part that scared me though:

67.5 per cent have never changed their passwords. Some of the reasons cited were that they were too lazy to do so, and saw no danger in not changing them.


addons.mozilla.org compromised, with anecdotes

And here be the reason why I use my disposable Gmail instead of my regular mail account to register for websites!

I, along with a ton of other people, got sent this email a couple of days ago.

Dear addons.mozilla.org user,

The purpose of this email is to notify you about a possible disclosure of your information which occurred on December 17th. On this date, we were informed by a 3rd party who discovered a file with individual user records on a public portion of one of our servers.

OUCH!

We immediately took the file off the server and investigated all downloads. We have identified all the downloads and, with the exception of the 3rd party who reported this issue, the file has been downloaded by only Mozilla staff. This file was placed on this server by mistake and was a partial representation of the users database from addons.mozilla.org. The file included email addresses, first and last names, and an md5 hash representation of your password.

Scary stuff. I'd be interested to know who comprises "Mozilla staff" in this case, and for how long it was public.

The reason we are disclosing this event is because we have removed your existing password from the addons site and are asking you to reset it by going back to the addons site and clicking forgot password. We are also asking you to change your password on other sites in which you use the same password. Since we have effectively erased your password, you don’t need to do anything if you do not want to use your account. It is disabled until you perform the password recovery.

Done and done. Yikes.

We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure.

We apologize for any inconvenience this has caused.

Chris Lyon
Director of Infrastructure Security

To their credit, at least they disclosed this issue to their users instead of sweeping it under the rug. I hope lessons have been learned, and this doesn't happen again.

Amusing anecdotes

This whole thing reminds me of a time I was doing a week's work for a relatively large IT firm that will remain anonymous, and their ticket system was validating users against plain text versions of their passwords. My first thought was "didn't people stop doing this in the 80s?" and my second, that I was glad I didn't have an account with them.

Then there are the times I've forgotten my passwords for sites, but instead of sending me an email with a reset token or the like, they send me my password, indicating they have it stored in a database. Last time that happened it was something trivial like a creaky old forum, but suffice to say I left there quicker than that strip club I was tricked into going to for my 19th birthday by my room mates at the time. Hey shaddup, I was scared.

You don't need a degree in cryptography to know you never store people's passwords! Kudos to Mozilla for not doing this too ;).


Rubenerd Show 260 2008.01.14

The street sweeper webhost perfect storm episode!

The issue that everyone is thinking about: motorised street sweepers. Also discussing Twitter password adventures; internet obsessions when asleep; transit stops in Bali; code injection attacks; file permissions giving permission; domain adventures; the Googles refusing indexing; Ourmedia; the Internet Archive; Harvie Krumpet's backyard (not to be confused with Burke's Backyard); Starbucks Christmas blend; NesCafe; the ill fated Viennese Coffee House; the Boatdeck Cafe; throwing bottles at people's faces and midlife crisis coffee roasting machines!

Download MP3 to listen ↓ 21:03, 9.8MiB

You can also stream this episode and view its Internet Archive page.


Rubenerd Show 235 2008.04.10

Elke's Sims 2 family at the time of recording the show!

The Elke Sims 2 bombardment episode!

ACT ONE: The Simpsons Bombardment, Elke's first live morning Whole Wheat Radio show, Elke on The Sims 2.

ACT TWO: Slow Singapore internet today, Microsoft gets new open source chief, Ruben rants about "shared source" nonsense, CalgaryGuru on Flickr's new video uploading service, is Yahoo's brand failing?

ACT THREE: Elke on different social networks across the world, suss people on Bebo, verbose MySpace video profiles.

ACT FOUR: Rant on people intentionally misspelling names, Ruben versus Reuben, Miss Cook adventures in primary school in Melbourne, Web 2.0 buyout baiting, Jerry Yang's haircut, Wikipedia as a drug, Yahoo Mash.

ACT FIVE: Facebook discussion including remembering 30 passwords, Elise Hopkins, The Schade Clan group, rant on how useless nationalities and patriotism are becoming, origin of the word expat, Mr Slave.

ACT SIX: Ridiculously long lists of Facebook requests, fun in my own introversion, testy-pops, 2005 was a very good year, "Liberal" meaning different things in the US and Australia, Lotus SmartSuite, Microsoft Plus 95, my OBSESSION with screenshots!

ACT SEVEN: Ruben's dad Rainer debunks mind-controlling chemtrails, huge ships near the Port of Singapore, illuminati controlling my mind as a sheeple, why it's hard to find words that rhyme with sheeple.

Download MP3 to listen ↓ 1:07:00, 30.7MiB

You can also stream this episode and view its Internet Archive page.