What a joke. They're claiming no customers were affected, in part because the login email addresses weren't released along with the password hashes. All that really means though is that a private group has this information, not that the information isn't out there. They're also ignoring the fact that people reuse passwords; just because they managed to force a password change for the users of their servers doesn't mean the other services the user happens to be a member of will do the same (or even know they should).
Shit happens, and we all know this. The fact that this guy is downplaying it is where I start losing respect for the company.
"We've implemented many different security measures, but talking about them on camera would be insecure" (Paraphrased)
Yes, because security by obscurity has such an awesome track record. In fact, if whoever is responsible for this fiasco had asked on Stack Exchange how best to store passwords, this whole hoopla could've been avoided.
To be fair though, all security is about obscurity. The question is just how obscure. One could certainly argue that using bcrypt instead of SHA-1 without salting is a lot more important than not disclosing your security practices, but they are not mutually exclusive.
TLS is secure, right? TLS is by no means obscure. Good security does not need to be obscure. If it does, that means that it can be defeated if its methods are known, which doesn't sound like very good security to me.
All security is about obscurity because it involves having a secret that you don't believe anyone else can get (i.e. a password, a private key, a cert, a random number, a physical object).
That isn't what security through obscurity ever means though. You're taking the words at face value while everyone else is using the words for what they actually mean.
Security by obscurity doesn't refer to the secrets used as keys but instead to the way those keys are stored and used to perform authentication.
"because security by obscurity has such an awesome track record."
Please elaborate on how you feel that security for linkedin would be better if they talked about the new specific security measures they've implemented.
Good security is safe in spite of knowing exactly how it works. While revealing the exact details does not make an algorithm less vulnerable, it should not make it more so.
And if it turns out that you are using a flawed solution, talking about it early will, at the very least, get people to yell at you as to what you should do instead.
In this age, the best security algorithms are usually the ones most talked about. The more you test it and the more people you get to look at it and write theorems and papers about the size of the search space, results from various attacks and so forth, the better.
If they had talked about storing unsalted passwords in the first place, this whole thing may not have happened because somebody would have told them, "Hey, that's dumb" before the leak.
We're talking about a major corporation here. They can pay for and hire the appropriate security experts (even more than one firm) and find something like that out.
This seems to be taking some liberties with the facts, and it is unfortunate if they are able to get away with this. He said they're unsure if email addresses have been taken, but is very sure that no customer has been harmed!
Even assuming that no email address has been taken, the fact that this list of passwords is now seeding rainbow tables across the world is quite harmful, I think (and this is true irrespective of any advice to users to use unique passwords). Also, for a site as large and supposedly sophisticated as linkedin, not using salts is inexcusable.
I have been a long time user of linkedin, and have no plans to stop using it. I certainly don't want to hang them, but an acknowledgement of mistakes is expected, otherwise declarations that it won't happen again have no weight. Disappointed.
They make it sound like implementing salts is some kind of rocket science they needed an elite team for, and not one of the most basic and well-known security measures.
Also they act like the file that was posted on that forum is the only information that is out there. Everything indicates those were the passwords the hacker couldn't promptly get and needed assistance for.
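The salted-versus-unsalted point made in this comment, and earlier in the thread (bcrypt rather than bare SHA-1; a leaked unsalted dump feeding precomputed tables), shown as an added example that is not from any commenter's post. The user table and guess list are constructed, a plain hash-to-password dictionary stands in for a rainbow table, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without third-party packages; all three are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "leaked" user table, not real breach data.
USERS = {
    "alice": "letmein",
    "bob": "password1",
    "carol": "Tr0ub4dor&3",  # deliberately absent from the guess list below
}

# Constructed guess list standing in for a public wordlist.
COMMON_GUESSES = ["123456", "password", "letmein", "password1", "qwerty"]


def sha1_unsalted(password):
    """The scheme the thread criticises: bare SHA-1, identical output for the same
    password at every site and for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(guesses):
    """Precompute hash -> password once. Because there is no salt, this table is
    reusable against every unsalted dump that ever leaks (simplified rainbow table)."""
    return {sha1_unsalted(g): g for g in guesses}


def crack_unsalted(leaked_hashes, table):
    """Recover passwords from an unsalted dump by table lookup: one dict access per
    user and zero hash computations at attack time."""
    return {user: table[h] for user, h in leaked_hashes.items() if h in table}


# Hardened form: per-user random salt plus a deliberately slow KDF. The commenter
# names bcrypt; PBKDF2 is used here only because it ships with the standard library.
ITERATIONS = 100_000


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh 16-byte salt means two users with the same
    password get different digests, so nothing can be precomputed or shared."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison so the check itself leaks no timing information."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def guess_salted(leaked_records, guesses, iterations=ITERATIONS):
    """Attacking a salted dump: every guess must be re-hashed for every user, because
    the salt differs per record. Returns (recovered, hash_computations) so the cost
    difference against crack_unsalted is visible."""
    recovered = {}
    work = 0
    for user, (salt, digest) in leaked_records.items():
        for g in guesses:
            work += 1
            if verify_salted(g, salt, digest, iterations):
                recovered[user] = g
                break
    return recovered, work


if __name__ == "__main__":
    table = build_lookup_table(COMMON_GUESSES)
    unsalted_dump = {u: sha1_unsalted(p) for u, p in USERS.items()}
    print("unsalted, table lookup:", crack_unsalted(unsalted_dump, table))

    salted_dump = {u: hash_salted(p) for u, p in USERS.items()}
    recovered, work = guess_salted(salted_dump, COMMON_GUESSES)
    print("salted, per-user guessing:", recovered, "after", work, "slow KDF calls")
```

Note what the two halves do and do not show: salting removes the precomputed-table shortcut and stops one computation from serving every user (and every other site using the same scheme), and the slow KDF multiplies the per-guess cost; it does not rescue a password that is itself on a short guess list, which is why the weak entries still fall in the salted run and why the thread's point about unique passwords stands independently.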
While security through obscurity shouldn't be relied upon, obscurity does play a part in security (You don't go around publishing your private keys, for example, and you don't share your passwords). You'd be foolish to think that narrowing down the vector of attack won't help.
Physical security works in a similar manner. You have multiple obscure parts (keys, passcodes, etc), and non-obscure parts (locks, cameras). If I have keys and passcodes, and I know where the locks are and where the cameras are, I can get through. And, it's not incredibly difficult to get a key (I have personal experience with this, hence the specific setup). What saves you is the passcode and camera that aren't known. That, and the fact that the guy was half-drunk as it was.
In the end, you don't rely on obscurity, but you don't go out of your way to tell everyone what you are doing. That's why you pay experts to do it for you.
> "obscurity does play a part in security (you don't go around publishing your private keys...)"
Security by obscurity is the opposite of using private keys. The algorithms for security by public/private keypairs are published and open to anyone to see; the strength does not depend on keeping the algorithm secret.
(Worth mentioning, some public/private keypair algorithms may actually have security by obscurity built in, such as the DES algo that some people speculate has hidden backdoors in how hashes are created.)
Thought it was obvious by the phrasing I was using, but apparently not. The obscurity part is keeping the private key hidden. The password unknown. The key in your pocket.
> the strength does not depend on keeping the algorithm secret.
I don't buy it. My wife's yahoo email account, which shared a password with her linkedin account (yes, yes...), was accessed from abroad and used to send spam emails with a link, presumably to some exploit. While the password wasn't that great, it wasn't likely to be guessable or brute-forceable via login attempts.
Sounds like at least one affected customer to me...
I'd like to know your opinion of my comment above:
"Please elaborate on how you feel that security for linkedin would be better if they talked about the new specific security measures they've implemented."
My feeling is that they would have a better outcome by hiring the appropriate experts rather than being public about anything regarding how they operate.
Keeping in mind of course that linkedin in particular is a mainstream site and it doesn't really matter whether hackers of any type like whether they are open or not. Your thoughts? When you consult, do you advise companies to publicly disclose anything (other than misinformation, possibly)?
I certainly can't fault them for not laying out in detail what the new security systems in place at LinkedIn are. Only a few companies would.
Generally, I feel sad for LinkedIn, not outraged.
I would strongly dispute the words "open" and "transparent" in Hoffman's statement, though.
I think you could do a pretty good case study on how not to do security crisis PR from what happened last week. But the only parties really harmed by bad crisis PR are LinkedIn investors.
"I think you could do a pretty good case study on how not to do security crisis PR"
Agree but wonder why companies don't have the crash cart ready and always seem to mess this one up.
"harmed by bad crisis PR are LinkedIn investors"
My feeling is different. If people are talking about your company (and plenty has been said about this) and it's something that they've heard before many times, I think the publicity is not bad and if anything could get some retail investors interested. Linkedin is not a food product and, in general, I don't think people think of linkedin the way they think of a product when they find out it contains pink slime.
It's like WD-40. You spray it on and the carrier evaporates leaving the stuff that does the work. So the memory of linkedin remains and the knowledge of the problem is lost.
People have short memories. The brand will have a publicity gain and the negative will be forgotten.
This happens with celebrities who do bad things. They just become more famous and valuable (in that case even if people remember the bad like with Sheen). (With the exception of, say, OJ Simpson and maybe a few others such as Tiger Woods because of his squeaky clean image.)
Undoubtedly it would be an invocation of the startup timecrunch trope, hence the honest mistake. It's analogous reasoning to large data breaches being successfully handwaved away. Heck, even the US Government says "...nobody could have known [things would get this bad]"
I like how he says "Let's see" after each question, as if he's trying to spin the story in a way which will reassure people. Maybe it's a common phrase, but to me, "let's see" seems fishy.
I like it even better when in one of their blog posts they tried to twist the issue around and make it actually good that this happened because it's a perfect reason to update your old insecure password.
What a joke LinkedIn is! I wouldn't be able to stand the embarrassment of a hacker-joker sending all my connections some ads for Viagra (knowing some non-tech people would really believe I started selling Viagra), so I deleted my account.
But ain't that breathtaking that a 10-year-old revenue-positive company with a NASDAQ presence would not even salt passwords. [speechless!]
Is there anything of value on LinkedIn though? So while no users were harmed on LinkedIn they might have been harmed somewhere else if we assume that also email addresses were leaked.