

Xkcd: Encryptic - ohazi
http://xkcd.com/1286/

======
neya
As funny as this comic is, it wasn't so funny when my card was hacked and my
personal details were released online. Now anyone who searches for my email
(on Google) is shown a (spammy) link to the dumped file containing my
email, along with some jumbled letters, possibly my encrypted password.

One super-good thing I did when I signed up for adobe was:

I created a separate email address (purely by coincidence) that I used
exclusively for Adobe (and for some spammy services like some deal sites,
which didn't require my card). As a result, I know for sure that my card was
compromised because of Adobe's breach and no one else's.

Lessons and observations:

1) I'm glad I bought CS6. With the cloud comes great risk too. Not to say
that you should avoid cloud products, but when you have a version you can own
forever, then you might as well go for it. Imagine if I was on CC and my card
was hacked and I decided to stop paying Adobe the next month out of
frustration. Do you know what will happen? My company will come to a
standstill because I will no longer have access to Photoshop, and a huge
portion of my company is basically a media company.

2) Someone else said we're depending too much on Adobe, and I tend to agree.
But there is really no superior equivalent to Adobe's Photoshop at the
moment. Please don't cite GIMP - I've tried it and it needs a lot of work to
even be on par with Photoshop atm. Another factor is the PSD file format, which
has painfully spread like a virus, and you can't erase it from your workflow
if you're a media shop like us (most printing services accept PSD/TIFF). I
sincerely wonder why YC companies, who generally want to change the world,
don't want to create a Photoshop clone/competitor to kill this stupid Adobe
that's ruining all of our lives with the stupid CC bundle.

3) The people who really won, like someone else said, were the ones who used
pirated versions. I mean, I've paid a total of ~$1400 till now to Adobe and
what have I received from Adobe? A 'fuck you' from their CEO in the form of
their Creative Cloud bundle and a hack that leaked my personal details online,
making me look like a jackass to anyone who searches for me by my email. Oh,
also don't forget the uncounted number of "fuck you's" he's sent me while
developing for Flash (on mobile) and Flex.

4) Always create a separate email (or an alias) when signing up for cloud
services, so you can eliminate guesswork during a crisis. So, instead of
signing up with example@gmail.com for Adobe or someone else, use
example+adobe@gmail.com (this will redirect to example@gmail.com) or rather
create adobe.example@gmail.com or something (gmail is just an example). This
way, you can always trace the right service responsible for the leakage of
your details whenever something goes wrong.

I was lucky enough that my bank blocked my card on observing a fraudulent
transaction initiated from another country and thus issued me with a new card.
I have no plans to upgrade from CS6 or to something else for the next few
years. Hopefully GIMP will get better by then, or some YC company will create
a better Photoshop and let us own it forever for a one-time fee.

~~~
arb99
Good points, but:

> 4) Always create a separate email (or an alias) while signing up for cloud
> services, so you can eliminate guess work during a crisis. So, instead of
> signing up with example@gmail.com for Adobe or someone else, use
> example+adobe@gmail.com (this will redirect to example@gmail.com) or rather
> create adobe.example@gmail.com or something (gmail is just an example). This
> way, you can always trace out the right service responsible for the leakage of
> your details whenever something goes wrong.

Doesn't stop someone just removing the + tag on the email address.

A better way is to set up a catch all on a domain... but then you're likely to
get a lot more spam... (to things like mail@, contact@ and a whole bunch of
firstnamelastname@ guesses)

~~~
Flenser
> Doesn't stop someone just removing the + tag on the email address.

It won't stop spam but the biggest risk with these leaks is from automated
testing of a password found from a leak on one service you use with the same
email address on another. As long as you use a separate + address for both
you'll be safe as they are unlikely to automate testing of different +
addresses since most users don't do that.

> A better way is to set up a catch all on a domain... but then you're likely
> to get a lot more spam

I forward my catch all domain emails to gmail. I hardly get any spam now
except to leaked addresses which I've filtered to add bright red labels so I
can ignore them.

~~~
bigiain
Is it too much of a reach to assume that any half-talented identity thief or
exposed-user-list scammer might be smart enough to know about RFC 5233, and
would write his scripts/bots to automatically try the obvious variations of an
email address of the form localpart+tag@example.com?

If I were attempting to exploit the Adobe list, every email address I saw like
name+adobe@example.com, I'd try the exposed password using not just
name+adobe@example.com and name@example.com, but also
name+othertarget@example.com, where "othertarget" might be something like
twitter, facebook, paypal - depending on where I'm attempting to misuse the
exposed credential.

------
deletes
Image tooltip text made me laugh:

> It was bound to happen eventually. This data theft will enable almost
> limitless [xkcd.com/792]-style password reuse attacks in the coming weeks.
> There's only one group that comes out of this looking smart: Everyone who
> pirated Photoshop.

[xkcd.com/792]: [http://xkcd.com/792/](http://xkcd.com/792/)

~~~
RyanZAG
He missed a group of people: any designer who did not entrust their entire
professional workflow to a single, for-profit company whose best interests are
in moving your workflow in ways that benefit the company over the user. Being
dependent on something like Photoshop for your only income is a terrible
position to be in, yet it is how I'd describe most designers today.

~~~
hengheng
Not being able to use CMYK is a terrible perspective if you ever get a chance
of printing something.

~~~
hnha
CMYK is not exclusive to Photoshop, is it?

~~~
arb99
I guess one of the main competitors to Photoshop is GIMP... last time I
checked it had bad support for CMYK (see
[https://wiki.archlinux.org/index.php/CMYK_support_in_The_GIM...](https://wiki.archlinux.org/index.php/CMYK_support_in_The_GIMP))

~~~
hnha
GIMP is just one free alternative; I guess you knew about its CMYK troubles
and posted because of that. Why limit yourself to GIMP though? Check out other
alternatives. I posted some in another comment in this thread.

------
sudhirj
Anyone care to explain the DES misuse to laypeople? And why do some passwords
have a salt(?) and some don't?

~~~
ohwp
_"why do some passwords have a salt(?) and some don't?"_

I'm not sure if this is the case, but sometimes this has to do with 'backwards
compatibility'. I've seen databases where some passwords were MD5, some SHA1,
some Bcrypt and so on. The login page will then do something like:

    
    
      // Verify against the current scheme first; fall back to legacy hashes
      // and, when one of those matches, rehash so the stored value is upgraded.
      function loginWithUpgrade(password) {
        if (checkBcrypt(password)) {
          login();
        } else if (checkSha1(password) || checkMd5(password)) {
          updateDbPassword(password); // store a bcrypt hash in place of the legacy one
          login();
        } else {
          loginError();
        }
      }

~~~
nodata
I'd hope the password is marked along with the hashing type, like in
/etc/shadow
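An added example (not code from the thread) of the scheme-tagged store nodata describes combined with the upgrade-on-login flow in ohwp's pseudocode; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here, and the user records are constructed:

```python
# Added example: each stored record carries its scheme tag, modular-crypt style
# ("$md5$...", "$sha1$...", "$pbkdf2$..."), so the verifier can dispatch on it
# and legacy MD5/SHA-1 records get rehashed the first time they verify.
# Assumption: PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt.
import hashlib
import hmac
import os

ITERATIONS = 200_000

def hash_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 record in the tagged format used by verify()."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(stored: str, password: str) -> bool:
    """Dispatch on the scheme tag, like the $id$ prefix in /etc/shadow."""
    _, scheme, *fields = stored.split("$")
    if scheme == "md5":                       # legacy, unsalted
        digest = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(digest, fields[0])
    if scheme == "sha1":                      # legacy, unsalted
        digest = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(digest, fields[0])
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = fields
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False                              # unknown scheme: never accept

def login(db: dict, user: str, password: str) -> bool:
    """Verify; if a legacy scheme matched, rehash and store the upgrade."""
    stored = db.get(user)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("$pbkdf2$"):
        db[user] = hash_pbkdf2(password)      # upgrade-on-login
    return True

# Constructed sample records: one MD5, one SHA-1, one already upgraded.
DB = {
    "alice": "$md5$" + hashlib.md5(b"hunter2").hexdigest(),
    "bob":   "$sha1$" + hashlib.sha1(b"letmein").hexdigest(),
    "carol": hash_pbkdf2("correct horse"),
}
```

After a successful login for alice or bob, their record starts with `$pbkdf2$` and the old unsalted digest is gone from the store.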

------
NateDad
Yay for LastPass - my password at Adobe is a long string of gobbledygook that
is unique to the site. I changed it just in case...

which makes me think...

Why the hell hasn't Adobe reset everyone's password yet? That would be the
FIRST thing I did in that situation. At _least_ prevent the world from being
able to log into my own site with the leaked passwords.

~~~
stonemetal
I believe they are trying to make sure the system is secure first. No point in
having everyone reset their password if the bad guys still have access to the
password db.

------
gberger
Where can I download the breached file? I want to see if I'm in there...

~~~
raws
no need to download it if you just want to check yourself:
[http://adobe.cynic.al/](http://adobe.cynic.al/)

props to:
[https://news.ycombinator.com/item?id=6661774](https://news.ycombinator.com/item?id=6661774)

~~~
nodata
"bill@microsoft.com was found. You need to change your passwords now."

~~~
DanBC
example@example.com

nospam@nospam.com

nospam@here.com

Were all found.

I feel sorry for the people paying a lot of money to buy these short domain
names, and finding huge amounts of spam being delivered to them because people
have misused domain names that don't belong to them.

~~~
p4bl0
Actually example.com is reserved for test usage and this kind of thing. You
are right about the other two though.

~~~
DanBC
But using example on someone else's website to avoid using your own email
address is not using it in documentation. .invalid would be a better choice.

I agree that I'm quibbling over probably unimportant details :-)

[http://www.iana.org/domains/reserved](http://www.iana.org/domains/reserved)

[http://tools.ietf.org/html/rfc2606](http://tools.ietf.org/html/rfc2606)

------
raws
Is there a website out there that will tell you how many times your password
has been used based on this database of 153 million accounts?

~~~
bladedtoys
To make it searchable on your password, someone would have to go through the
Adobe set and use the hints to manually figure out the clear text form. Off
hand, it's hard to see how posting that on the web could be done responsibly.

But until someone does, you could just Google "most common passwords" and if
yours is in the set, you win!

~~~
tompaton
No, you have known plaintext, so you just have to encrypt your password using
the same algorithm and then search the database for matching ciphertext;
there's no need to find the clear text for any of the passwords.

~~~
berberous
You can't re-encrypt since we don't have the keys. But you can search for your
e-mail, pull up the associated hash, and then search for the hash to see who
else used that password, and list all of their password hints.

~~~
raws
That's what I had in mind... Anyone care to make a website for that?

------
ZeroGravitas
What do the boxes on the right represent?

St.peter

St.peter

St.peter1

password

password1

password57

seem to be the first few if I understand correctly.

~~~
abraxasz
The favorite of the 12 apostles would be Saint John, not Saint Peter[1]

[https://en.wikipedia.org/wiki/Disciple_whom_Jesus_loved](https://en.wikipedia.org/wiki/Disciple_whom_Jesus_loved)

~~~
jawr
That's too many characters, plus "Favourite of 12 Apostles" doesn't mean
Jesus', it could be the users. I'm not convinced that it's St. though as when
they say name1 that would suggest St. was part of it :p

------
acqq
The kind of data that probably inspired the comic:

[http://pastebin.com/9AShpF4B](http://pastebin.com/9AShpF4B)

Note the apparent password hints "Our business unit plus 1" or "usual one."
Really crosswordy.

------
kaivi
Someone should assemble the leaked hashes and hints into a real, huge
browser-based multiplayer crossword. Imagine how awesome that would be.

~~~
phreeza
Given the history of life imitating xkcd, that is probably just a matter of
time.

------
coldcode
I wonder who the chief security officer of Adobe is (should be was) and why
they never had sufficient security audits to look at how they did security.
Why is it virtually every time there is a leak people did the encryption
wrong?

------
rmc
What's the status with figuring out the encryption key and breaking all those
passwords? Surely there are known passwords. Is there any distributed brute
force attempt that I can help with?

~~~
shawabawa3
1. That's probably illegal, so if there was one it wouldn't be publicly
advertised.

2. If Adobe weren't completely stupid (a big if admittedly) it will be
infeasible to brute force (>100 bits of entropy).

~~~
rmc
> it will be infeasible to brute force (>100 bits of entropy)

Really? Even a massively distributed attempt?

~~~
shawabawa3
100 bits of entropy takes around 10^26 seconds to crack [1]

Even if you somehow managed to get a botnet of 100 million machines, it would
still take longer than the age of the universe to brute force it.

Security of 3DES is effectively 112 bits [2] if random keys are used. Although,
as I said, this is assuming Adobe weren't completely stupid (and reused one or
more of the keys, or used non-random keys).

[1] https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

[2] http://en.wikipedia.org/wiki/Triple_DES

------
moomin
explainxkcd hasn't worked out the passwords yet.

