
The LinkedIn hack: what the experts think - gerryg
http://www.newstatesman.com/blogs/business/2012/06/linkedin-hack-what-experts-think
======
jgrahamc
One of the most fascinating aspects of this has been watching LinkedIn's
response. The latest blog post is an example of 'reassurance through
obscurity' where a large number of words say very little.

[http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/](http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/)

"First, it’s important to know that compromised passwords were not published
with corresponding email logins. At the time they were initially published,
the vast majority of those passwords remained hashed, i.e. encoded, but
unfortunately a subset of the passwords was decoded. Again, we are not aware
of any member information being published at any time in connection with the
list of stolen passwords. The only information published was the passwords
themselves."

Look, either LinkedIn knows that the rest of the information was stolen or they
don't. If it was stolen then people need to be told, not fobbed off with this
'only the passwords were published'. The publishing of the passwords is
irrelevant. What was taken? The other possibility is that LinkedIn doesn't
know what was taken.

"Under this team’s leadership, one of our major initiatives was the transition
from a password database system that hashed passwords, i.e. provided one layer
of encoding, to a system that both hashed and salted the passwords, i.e.
provided an extra layer of protection that is a widely recognized best
practice within the industry."

That doesn't address the issue of which algorithm is being used. At worst it
sounds like they've updated to the late 1970s. Why not say the algorithm?
Because...

"We want to be as transparent as possible while at the same time preserving
the security of our members without jeopardizing the ongoing investigation."

Basically, they don't believe in Kerckhoffs's principle and think they
'preserve' security by being obscure. That was further reflected in Reid
Hoffman's interview the other day when he said that a variety of security
measures were put in place but that talking about them would be insecure.

[http://video.ft.com/v/1681242005001/LinkedIn-No-customer-accounts-affected-](http://video.ft.com/v/1681242005001/LinkedIn-No-customer-accounts-affected-)

------
quaunaut
So the security experts make no statements on just how completely inept
security at LinkedIn was? It's not like it's hard to have salting in your
password storage. I don't mind that they got hacked so the hashes got stolen;
that is gonna happen, and that's gotta be okay.

But it also has to be understood: Anything less than good hashes with good
salt is going to be worthless. They used a plain SHA1 hash with zero salt,
making it relatively trivial to get through that security 'layer'. It's like
an unlocked door.
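Both jgrahamc's point about "hashed" versus "hashed and salted" and quaunaut's point about a plain unsalted SHA-1 table come down to one property: without a per-user salt, equal passwords produce equal digests, so a leaked table already reveals which accounts share a password and one precomputed table serves every account. The script below is an added illustration written for this page, not code from the article, from LinkedIn or from either commenter. It contrasts the unsalted SHA-1 scheme the thread describes with a salted, iterated PBKDF2-HMAC-SHA256 record from Python's standard library (chosen only because it needs no extra packages; the function names, the `SAMPLE_USERS` data and the 16-byte salt length are this example's own choices):

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: three users, two of whom picked the same password.
SAMPLE_USERS = {"alice": "Sunshine1", "bob": "Sunshine1", "carol": "correct horse"}


def unsalted_sha1(password: str) -> str:
    """The scheme the thread describes: a single plain SHA-1 over the password.
    The same password always yields the same digest, so a leaked table shows
    which accounts share a password and one precomputed table covers them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_digest_groups(table: dict) -> dict:
    """Given {username: digest}, return every digest that occurs more than once
    mapped to the users that share it. For an unsalted table this is leaked
    information before any guessing takes place; for a salted table it is empty."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Salted and iterated hash using PBKDF2-HMAC-SHA256 (stdlib-only choice for
    this example; bcrypt, scrypt or Argon2 are the usual production picks).
    A fresh random 16-byte salt per user means equal passwords no longer give
    equal digests, and the iteration count makes each guess cost far more than
    one SHA-1 call. The salt and iteration count are stored with the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate.hex(), record["digest"])


if __name__ == "__main__":
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    # alice and bob share a digest: the unsalted table leaks that they share a password
    print("unsalted duplicates:", shared_digest_groups(unsalted))

    salted = {u: make_salted_record(p, iterations=50_000) for u, p in SAMPLE_USERS.items()}
    # per-user salts: no duplicates even though alice and bob chose the same password
    print("salted duplicates:", shared_digest_groups({u: r["digest"] for u, r in salted.items()}))

    print("alice login with correct password:", verify_salted("Sunshine1", salted["alice"]))
    print("alice login with wrong password:", verify_salted("sunshine1", salted["alice"]))
```

The salt does not need to be secret; its job is to make every stored digest unique so that work done against one record cannot be reused against another, which is exactly the property a plain SHA-1 table lacks.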

