And now it’s last.fm


Last.fm have had a security breach and advised all their users (such as me) to change their passwords. As with LinkedIn, having passwords hashed may not be enough to keep them secure.

I don’t know what has happened here and will refrain from commenting on Last.fm in particular, but one does begin to feel that these companies need some form of forceful reminder of their duty to hold these things as securely as possible. People should just not be able to filch masses of passwords. Not even the chief executive (again, for the avoidance of doubt I am certainly not accusing any chief executive of having done so – the point is a general one).

What can be done? Two piece authentication, as practised by GitHub – the machines I use GitHub on have to have access to a public key I have registered with them as well as a per session password – would be one form. But can you see users of mass social network sites generating public keys and registering them? Neither can I and more importantly I don’t think the companies can either: but if they are not going to implement that then they need to tighten things up considerably at the server side.

Why you should change your LinkedIn password


Several million LinkedIn passwords have been stolen and posted online. The fact that they are “encrypted” does not mean they are safe.

The encryption – hashing – means that a lone password cracker trying to “brute force” the passwords would probably take a very long time to get through any significant number.

But the point is that they don’t have to do that. Instead they can look up the hashed password in a “rainbow table” of pre-cracked passwords.

Not everybody’s password will be one that has been “pre-cracked” and stuck in a rainbow table, but how confident are you that yours isn’t?

So, you have to change the password for LinkedIn and change that password anywhere else you use it – because the password will be associated with your email address and crackers are not likely to stop just because they have been locked out of LinkedIn.

It’s a pain but surely not as big a pain as having your identity stolen.
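
An added example, not part of the original post and not any of these sites’ actual code: it shows why an unsalted fast hash falls to a precomputed table while a per-user salt with a slow key-derivation function does not. The password list is constructed, a plain lookup dictionary stands in for a real rainbow table, and the function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample list standing in for an attacker's precomputed table.
COMMON_PASSWORDS = ["123456", "password", "letmein", "linkedin"]
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware


def unsalted_md5(password: str) -> str:
    """Weak scheme: fast and unsalted, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Computed once, then reusable against every leaked unsalted digest."""
    return {unsalted_md5(p): p for p in candidates}


def hash_password(password: str, salt: bytes = None):
    """Stronger scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Two different users who happen to choose the same password.
    weak_a, weak_b = unsalted_md5("letmein"), unsalted_md5("letmein")
    salt_a, strong_a = hash_password("letmein")
    _, strong_b = hash_password("letmein")
    return {
        "weak_identical": weak_a == weak_b,            # one lookup exposes both users
        "weak_recovered": table.get(weak_a),           # found in the precomputed table
        "strong_identical": strong_a == strong_b,      # salts differ, so digests differ
        "strong_recovered": table.get(strong_a.hex()), # the table is useless here
        "strong_verifies": verify_password("letmein", salt_a, strong_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A salt does not rescue a weak password from a targeted guess; it only forces the work to be redone per user, which is why the slow KDF matters as well.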

GitHub message confirmed genuine


It seems the GitHub message is genuine, though looking through Twitter suggests there is a lot of unhappiness about the way the message was spread, its timing and its content.

Not sending such a message from your own mailservers also looks very foolish to me – checking the headers of a dodgy looking email is, I am sure, the first thing many of us do when we are not sure.

Anyway, as GitHub don’t tell you – here is how to do what they are asking (approve as valid your SSH keys):

ssh-keygen -lf ~/.ssh/id_rsa.pub

And check the output against GitHub’s public key.

Brokenness of MD5 leads to attack on “The Sun”


News coverage in Britain has been dominated by “hackgate” for several weeks now, the interest only subsiding as the horrific nature of what happened in Norway on Friday became clear.

In the middle of all this the website of News International’s leading daily, the Sun, was taken over by the “LulzSec” crackers – who spent several hours boasting over Twitter about how they were battling the Sun’s admins.

Human security is the weakest form of security – we have all worked in places where management expect you to share passwords, after all. But it seems that one of the issues here was technical, according to the latest issue of New Scientist.

Various passwords at NI were hashed with the MD5 algorithm, which is thoroughly broken: something which is pretty worrying when a locate md5 command throws up 2928 references.

What makes it worse is that the breakage has apparently been known since 1996. (From what I can gather the issue is that the hashed code can have duplicates, i.e. two different inputs can give the same output – meaning it is possible to create an MD5 hash that matches the expected code but which does not indicate that the supplier of the MD5 hash is genuine.)

Update: (And with thanks to John Rentoul for spotting the spelling mistake). It has been said to me that “this explanation makes no sense whatsoever”. Well, I am merely commenting on what others have reported – click on some of the links below – to make the point that a clearly very broken hash algorithm is in very widespread use. But there are many ways to pick up a password file that admins may have exposed and not worried about because they think it’s encrypted and so unbreakable. Perhaps that happened here? Back in the ‘olden days’ before the web crushed all internet competitors, FTP sites were very common and littered with password files. Perhaps the Sun has an FTP site (this venerable protocol still has some uses after all)?