

LinkedIn: 'No customer accounts affected' - TDL
http://video.ft.com/v/1681242005001/LinkedIn-No-customer-accounts-affected-

======
tedivm
What a joke. They're claiming no customers were affected, in part because the
login email addresses weren't released along with the password hashes. All
that really means though is that a private group has this information, not
that the information isn't out there. They're also ignoring the fact that
people reuse passwords- just because they managed to force a password change
for the users of their servers doesn't mean the other services the user
happens to be a member of will do the same (or even know they should).

Shit happens, and we all know this. The fact that this guy is downplaying it
is where I start losing respect for the company.

------
LinXitoW
"We've implemented many different security measures, but talking about them on
camera would be insecure" (Paraphrased)

Yes, because security by obscurity has such an awesome track record. In fact,
if whoever is responsible for this fiasco had asked on Stack Exchange how best
to store passwords, this whole hoopla could've been avoided.

~~~
larrys
"because security by obscurity has such an awesome track record."

Please elaborate on how you feel that security for linkedin would be better if
they talked about the new specific security measures they've implemented.

~~~
jlarocco
If they had talked about storing unsalted passwords in the first place, this
whole thing may not have happened because somebody would have told them, "Hey,
that's dumb" before the leak.

~~~
larrys
We're talking about a major corporation here. They can pay for and hire the
appropriate security experts (even more than one firm) and find something like
that out.

~~~
jlarocco
If they weren't competent enough to do that before, what makes you think
they're competent enough to do it now?

For all we know, they've "fixed" the issue by switching to unsalted MD5
password hashes.

------
asg
This seems to be taking some liberties with the facts, and it is unfortunate
if they are able to get away with this. He said they're unsure if email
addresses have been taken, but is very sure that no customer has been harmed!

Even assuming that no email address has been taken, the fact that this list of
passwords is now seeding rainbow tables across the world is quite harmful, I
think (and this is true irrespective of any advice to users to use unique
passwords). Also, for a site as large and supposedly sophisticated as linkedin,
not using salts is inexcusable.

I have been a long time user of linkedin, and have no plans to stop using it.
I certainly don't want to hang them, but an acknowledgement of mistakes is
expected, otherwise declarations that it won't happen again have no weight.
Disappointed.

------
facorreia
They make it sound like implementing salts is some kind of rocket science they
needed an elite team for, and not one of the most basic and well-known
security measures.

Also they act like the file that was posted on that forum is the only
information that is out there. Everything indicates those were the passwords
the hacker couldn't promptly get and needed assistance for.

------
jcromartie
Nobody would steal hashes without the rest of the data, i.e. user IDs and
emails.

And as for the security measures that he "won't put on camera because that
would be insecure"... wow.

~~~
jasonlotito
While security through obscurity shouldn't be relied upon, obscurity does play
a part in security (You don't go around publishing your private keys, for
example, and you don't share your passwords). You'd be foolish to think that
narrowing down the vector of attack won't help.

Physical security works in a similar manner. You have multiple obscure parts
(keys, passcodes, etc), and non-obscure parts (locks, cameras). If I have keys
and passcodes, and I know where the locks are and where the cameras are, I can
get through. And, it's not incredibly difficult to get a key (I have personal
experience with this, hence the specific setup). What saves you is the
passcode and camera that aren't known. That, and the fact that the guy was
half-drunk as it was.

In the end, you don't rely on obscurity, but you don't go out of your way to
tell everyone what you are doing. That's why you pay experts to do it for you.

~~~
jph
> "obscurity does play a part in security (you don't go around publishing your
> private keys...)"

Security by obscurity is the _opposite_ of using private keys. The algorithms
for security by public/private keypairs are published and open to anyone to
see; the strength does not depend on keeping the algorithm secret.

(Worth mentioning, some public/private keypair algorithms may actually have
security by obscurity built in, such as the DES algo that some people
speculate has hidden backdoors in how hashes are created.)

~~~
jasonlotito
Thought it was obvious by the phrasing I was using, but apparently not. The
obscurity part is keeping the private key hidden. The password unknown. The
key in your pocket.

> the strength does not depend on keeping the algorithm secret.

No, it depends on keeping something else secret.

------
dgay42
I don't buy it. My wife's yahoo email account, which shared a password with
her linkedin account (yes, yes...), was accessed from abroad and used to send
spam emails with a link, presumably to some exploit. While the password wasn't
that great, it wasn't likely to be guessable or brute-forceable via login
attempts.

Sounds like at least one affected customer to me...

------
tptacek
"We've been open and transparent in our communications".

~~~
larrys
I'd like to know your opinion of my comment above:

"Please elaborate on how you feel that security for linkedin would be better
if they talked about the new specific security measures they've implemented."

My feeling is that they would have a better outcome by hiring the appropriate
experts rather than being public about anything regarding how they operate.

Keeping in mind of course that linkedin in particular is a mainstream site and
it doesn't really matter whether hackers in particular of any type like
whether they are open or not. Your thoughts? When you consult do you advise
companies to publicly disclose anything (other than misinformation possibly).

~~~
tptacek
I certainly can't fault them for not laying out in detail what the new
security systems in place at LinkedIn are. Only a few companies would.

Generally, I feel sad for LinkedIn, not outraged.

I would strongly dispute the words "open" and "transparent" in Hoffman's
statement, though.

I think you could do a pretty good case study on how not to do security crisis
PR from what happened last week. But the only parties really harmed by bad
crisis PR are LinkedIn investors.

~~~
larrys
"I think you could do a pretty good case study on how not to do security
crisis PR"

Agree but wonder why companies don't have the crash cart ready and always seem
to mess this one up.

"harmed by bad crisis PR are LinkedIn investors"

My feeling is different. If people are talking about your company (and plenty
has been said about this) and it's something that they've heard before many
times I think the publicity is not bad and if anything could get some retail
investors interested. Linkedin is not a food product and, in general, I don't
think people think of linkedin like they think if they find out a product
contains pink slime.

It's like WD-40. You spray it on and the carrier evaporates leaving the stuff
that does the work. So the memory of linkedin remains and the knowledge of the
problem is lost.

People have short memories. The brand will have a publicity gain and the
negative will be forgotten.

This happens with celebrities who do bad things. They just become more famous
and valuable (in that case even if people remember the bad like with Sheen).
(With the exception of, say, OJ Simpson and maybe a few others such as Tiger
Woods because of his squeaky clean image.)

------
niels_olson
My friend's rather unique though imperfect password was among those present on
the list. I'm suspicious.

------
jerrya
Ugh. Autoplay sound (and LOUD) and no warning.

~~~
tom9729
Turn on click-to-play for plugins, whitelist sites you trust: you'll have a
brief reprieve before everyone starts using HTML5 audio/video. :-)

------
vitomd
Honest and small mistake? I would like to know more technical details

~~~
haakon
He must be referring to them storing the passwords as unsalted SHA-1 hashes.

~~~
facorreia
I would like to see him explain why they weren't using salts before and why
they thought that was acceptable.
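The two technical points raised in this thread (asg's remark that an unsalted list seeds precomputed tables, and haakon's and facorreia's point about unsalted SHA-1 versus salted storage) can be shown in a few lines. The following is an added example, not code from the original thread or from LinkedIn; it uses only the Python standard library, a constructed set of three sample users, and PBKDF2-HMAC-SHA256 as one representative salted, slow hashing scheme.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample data: two users happen to share the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """The weak scheme discussed in the thread: a bare SHA-1 of the password.
    The same password always yields the same digest, for every user, forever."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Hardened form: random per-user salt plus a deliberately slow KDF.
    Returns (salt, digest); the salt is stored next to the digest, not kept secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def users_sharing_a_digest(digests: Iterable[str]) -> int:
    """Count users whose stored digest equals some other user's digest.
    With unsalted hashing this is visible straight from a leaked table."""
    counts: Dict[str, int] = {}
    for d in digests:
        counts[d] = counts.get(d, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def precomputed_lookup(leaked: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Why an unsalted list 'seeds tables': one digest per word, computed once,
    matches every user who chose that word. Returns {digest: word} hits."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {d: table[d] for d in leaked if d in table}


if __name__ == "__main__":
    leaked = [unsalted_sha1(p) for p in USERS.values()]
    print("unsalted: users sharing a digest =", users_sharing_a_digest(leaked))
    print("unsalted: hits from a 2-word table =",
          precomputed_lookup(leaked, ["hunter2", "password"]))

    # Salted: identical passwords no longer produce identical digests,
    # so a digest computed for one user tells you nothing about another.
    salt_a, dig_a = salted_hash(USERS["alice"])
    salt_b, dig_b = salted_hash(USERS["bob"])
    print("salted: alice and bob digests equal =", dig_a == dig_b)
    print("salted: alice verifies =", verify_salted("correct horse", salt_a, dig_a))
```

Running it shows two of the three unsalted digests colliding and the single precomputed `hunter2` digest matching directly, whereas the salted digests for alice and bob differ even though their passwords are identical. The salt is not a secret, which is the distinction jph draws later in the thread: the scheme is published, and only the password itself is the secret.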

~~~
rhizome
Undoubtedly it would be an invocation of the startup timecrunch trope, hence
the honest mistake. It's analogous reasoning to large data breaches being
successfully handwaved away. Heck, even the US Government says "...nobody
could have known [things would get this bad]"

------
ahi
Uh oh. Once LinkedIn became LNKD, its officers had to stop making stuff up. I
anticipate lawyers.

edit: Lawyers trying to represent users were inevitable. Now they'll have
shareholder lawyers too.

------
mibbitier
I like how he says "Let's see" after each question, as if he's trying to spin
the story in a way which will reassure people. Maybe it's a common phrase, but
to me, "let's see" seems fishy.

~~~
joering2
I like it even better when in one of their blog posts they tried to twist the
issue around and make it actually good that this happened because it's a
perfect reason to update your old insecure password.

What a joke LinkedIn is! I wouldn't be able to stand the embarrassment of a
hacker-joker sending all my connections some ads for Viagra (knowing some
non-tech people would really believe I'd started selling Viagra), so I deleted
my account.

But ain't that breath-taking that a 10-year-old revenue-positive company with
NASDAQ presence would not even salt passwords. [speechless!]

------
rplnt
Is there anything of value on LinkedIn though? So while no users were harmed
on LinkedIn they might have been harmed somewhere else if we assume that also
email addresses were leaked.

------
dbecker
Seeing him be so smug makes me want to close my LinkedIn account.

------
visa
Guys, check out how much LinkedIn is paying its employees:
[http://www.visasquare.com/visa-greencard/salary/linkedin-cor...](http://www.visasquare.com/visa-greencard/salary/linkedin-corporation-409793.html)

~~~
dbecker
Those salaries seem neither especially high nor especially low... and I don't
see how this relates to their lost passwords.

If there is a point you are making, can you elaborate?

