

Nvidia Hacked - gdi2290
http://www.nvidia.com/content/forums/index.html

======
mootothemax
There seems to have been an increase in big-name-related releases recently. Is
there a particular reason behind it?

Are there more break-ins happening, or more being reported, or are more
companies being more open about this kind of thing? Or is it even that the
burglars are being more open?

I'm not involved in the field, but am finding it interesting that a lot more
of these break-ins appear on my radar.

------
Kelliot
Too many high profile names falling in the last few weeks. Must remember to
always use different passwords.

~~~
dsirijus
I have over 50 overly strong passwords in a little black book, encrypted by
simple method so I can decipher at "runtime".

I've memorized most of the regularly used ones though.

~~~
cshimmin
From previous incarnations of this thread on HN (I think the linkedin one...),
I have learned to use SuperGenPass.

There are a few similar utilities, basically it hashes your password browser-
side with the site domain. This allows you to maintain unique passwords on all
different sites by memorizing a single "master password".

~~~
gsundeep
"hashes your password browser-side with the site domain"

Does this mean using the domain as a salt?

~~~
ibotty
yes. and that's a problem.

~~~
Jach
It's only a problem if the secret key is compromised. (But that's a problem
for pretty much everything, isn't it?)

~~~
ibotty
are you sure? that makes it possible to use rainbow tables (rainbow tables per
domain obviously, but still pretty bad). or am i missing something?

~~~
Jach
You wouldn't use rainbow tables for a scheme like using hash(secret phrase +
domain) to generate personal passwords, you'd use a dictionary attack where
domains are the words, followed by a brute-force technique (which you'd use if
you lacked the secret key). If I know you use such a scheme and I learn your
secret phrase, your email provider and bank account websites would be the
first on my list. It becomes no more secure than using the same password on
every site plus the domain name at the end. The benefit is that you never have
to trust all those different websites with your secret phrase.

The parenthetical in my above comment calls back to a comment by some early
giant in cryptology (I think). It's best to have all the details about your
specific method of hiding data known publicly, with the secret key being the
only private piece of information.
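
As an added illustration of the scheme being debated above (a master phrase hashed with the site domain), and not code from SuperGenPass or from anyone in this thread: a small deterministic per-site password generator. The domain normalisation, the use of PBKDF2 with a high iteration count, and the output format are this example's own assumptions. The slow KDF is what makes the derived password worth something when a site leaks it: recovering the master phrase from one site's password then costs the attacker a full brute-force search at PBKDF2 speed, whereas a plain fast hash would be cheap to search. It does nothing to help once the master phrase itself is known, which is exactly the point made above.

```python
import base64
import hashlib

# Added example, not part of the original discussion. The choices below
# (two-label domain reduction, PBKDF2-HMAC-SHA256, 200k iterations, 16-char
# base64 output) are assumptions for illustration, not SuperGenPass's own.

DEFAULT_ITERATIONS = 200_000


def registrable_domain(hostname: str) -> str:
    """Reduce a hostname to its last two labels so that
    'forums.nvidia.com' and 'www.nvidia.com' derive the same password.
    Assumption: two labels suffice here; a real tool would consult the
    Public Suffix List to handle 'example.co.uk' correctly."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("expected a hostname with at least two labels")
    return ".".join(labels[-2:])


def derive_site_password(master: str, hostname: str,
                         length: int = 16,
                         iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a site-specific password from a master phrase.

    The domain acts as the salt: it is not secret and not random, so it only
    guarantees that different sites get different passwords. The iteration
    count is what slows down guessing the master phrase from a leaked
    derived password."""
    if length < 8 or length > 43:  # 32 bytes of key -> 43 usable base64 chars
        raise ValueError("length must be between 8 and 43")
    domain = registrable_domain(hostname)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), iterations)
    # Base64 gives a mix of upper/lower/digits plus '+' and '/'; many sites
    # accept these, but a deployed tool would need per-site character rules.
    return base64.b64encode(key).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed sample input: the master phrase here is for illustration only.
    master = "correct horse battery staple"
    for host in ("forums.nvidia.com", "www.nvidia.com", "mail.example.org"):
        print(f"{host:20s} -> {derive_site_password(master, host)}")
```

Note how the two nvidia.com hosts produce the same password while example.org differs; that is the whole benefit of the domain-as-salt design, and the entirety of what it can provide.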

------
cshimmin
From their email to users: "As a precautionary measure, we strongly recommend
that you change any identical passwords that you may be using elsewhere."

I suppose it's a good idea, as a "precautionary" measure. But is this their
way of admitting to hashing without salt...?

~~~
reidrac
No, unless they're lying. The submitted page says "hashed passwords with
random salt value".

That doesn't mean they're doing it right, but it's a good start point.
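
To make concrete what "hashed passwords with random salt value" done properly looks like, here is an added example, written for this page and not taken from Nvidia's forum software or from any poster: each user gets a fresh random salt, the password is stretched with PBKDF2, and verification uses a constant-time comparison. The record format and iteration count are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not the forum software's own code. Record format
# "pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>" and 200k iterations
# are assumptions chosen for illustration.

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record with a per-user random salt.

    The random salt means two users with the same password get different
    records, and any precomputed table an attacker built is useless against
    the whole database; the iteration count makes each guess expensive."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare it
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    record = hash_password("hunter2")
    print(record)
    print("correct password:", verify_password("hunter2", record))
    print("wrong password:  ", verify_password("hunter3", record))
```

The "precautionary" advice to change reused passwords elsewhere is still sound even with this scheme in place: a slow salted hash raises the cost of recovering each password, it does not make recovery impossible, and a weak password falls regardless.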

------
coderdude
What software are they using for their forums? It seems like you're just
begging for this to happen to you if you go with any of the open source
options. They all eventually have exploits available for them (some have them
all the time). As long as you know what you're doing you should always cook up
your own solution for this sort of stuff even if what you come up with lacks
features. One day you might be hacked by someone clever who figured out a
weakness in your implementation, but at least it won't be a script kiddie with
some automated method of attack.

~~~
mavroprovato
This is a classic argument against open source, but security through obscurity
never works. If you want to keep safe from script kiddies, always keep your
software up to date.

~~~
jvdongen
Keeping your software up to date is great advice. However I do not entirely
agree with the statement that security through obscurity never works. It can
never work _alone_ - true. But in combination with other measures it can be a
great help.

And with respect to the point cshimmin makes, there is some merit to it. Yes
nearly every piece of software, open or closed source is bound to have
vulnerabilities. However, the chance of someone taking the time for finding
and exploiting a moderately hard to find bug (not referring to a run-of-the-
mill sql injection) in a piece of software I've written myself and I am the
only user of is vastly lower than in case of a popular piece of open source
forum software (to some extent depending on who I - the only user - am of
course).

~~~
ibotty
unless, of course, you are vulnerable to a certain class of attacks (e.g. the
ruby on rails attack this year). the chance that others have already fixed it
is way better when more people use the same software.

i'm not subscribing to the "enough eyeballs, all bugs are shallow"-argument,
but the opposite is also wrong. deeply wrong.

