Thanks for the follow-up, Guy.  More inline:

On Jun 7, 2012, at 3:14 PM, Guy B. Purcell wrote:

> Now that the follow-up blog post is out 
> <http://blog.linkedin.com/2012/06/07/taking-steps-to-protect-our-members/>, I 
> can comment that our passwords are most definitely hashed--have been ever 
> since the initial breach we suffered a couple years ago.  And now they're 
> salted, too :^)  

My apologies if this seems harsh; I don't imagine you were responsible for the 
decisions and missteps that were made, but you did pop up-- time to open fire! 
:-)

What I read is "first we got breached, so we stopped storing in plaintext.  
Then we got breached again, so now we're salting the hashes."  It seems like 
you're being almost entirely reactive here.  I do realize that you can't ever 
"win" at security, but these are still some very basic precautions that it 
seems weren't taken until the headlines were screaming about a breach.

Far more concerning, from my point of view, is that until the hashes were 
posted, LinkedIn was (apparently, based upon their tweets and statements in the 
linked blog posts) entirely in the dark that there had even been a breach at 
all.  Even compressed, the hashes that were posted were in excess of 107MB; the 
sheer volume of traffic alone should probably have triggered some kind of 
heuristic anomaly detection that something wasn't "right." [1]  Instead, it 
seems that the first heads-up you guys had was when it started making tech blog 
headlines.

It seems that security is being treated as an afterthought at LinkedIn; as a 
systems person myself I find this disheartening, as breaches like this tend to 
reflect in some way upon all of us.  I suspect many of us would be very 
interested to see more in-depth analysis of what the problems at LinkedIn were, 
and how they're being resolved moving forward.

[1] This is how LastPass discovered a problem before it became an outright 
password leak-- they were watching traffic patterns.  
http://www.computerworld.com/s/article/9216455/LastPass_alerts_users_about_potential_master_password_breach
 

-- Corey
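The exchange above turns on the difference between "hashed" and "salted and hashed." The following is an added example, not code from the original message or from LinkedIn; it assumes unsalted SHA-1 for the weak scheme, PBKDF2-HMAC-SHA256 with a per-user random salt for the stronger one, a constructed set of accounts, a four-entry stand-in wordlist, and a deliberately low iteration count so it runs quickly. It shows why a leaked unsalted dump is cracked with one lookup table for every account, while per-user salts force the attacker to re-hash each candidate for each user and stop identical passwords from producing identical digests.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data).  Two users share a password.
USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "linkedin",
    "dave": "Tr0ub4dor&3",
}
# A tiny wordlist standing in for the multi-million-entry lists a cracker uses.
WORDLIST = ["123456", "password", "linkedin", "letmein"]
ITERATIONS = 1_000  # assumption for speed; a real deployment uses a far higher cost


def unsalted_sha1(password):
    """The weak scheme: one deterministic hash, identical for identical passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_unsalted_dump(users):
    """What an attacker gets from an unsalted password table."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_dump(users):
    """What an attacker gets from a salted table: (salt, digest) per user."""
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per account
        dump[user] = (salt, salted_hash(pw, salt))
    return dump


def crack_unsalted(dump, wordlist):
    """One hash per candidate serves every account: the table is built once.

    Returns (cracked accounts, hash operations spent).
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist, iterations=ITERATIONS):
    """With per-user salts no table can be shared; each candidate is re-hashed per user.

    Returns (cracked accounts, hash operations spent).
    """
    cracked, ops = {}, 0
    for user, (salt, digest) in dump.items():
        for w in wordlist:
            ops += 1
            if hmac.compare_digest(salted_hash(w, salt, iterations), digest):
                cracked[user] = w
                break
    return cracked, ops


if __name__ == "__main__":
    u_cracked, u_ops = crack_unsalted(build_unsalted_dump(USERS), WORDLIST)
    s_cracked, s_ops = crack_salted(build_salted_dump(USERS), WORDLIST)
    print("unsalted:", u_cracked, "ops:", u_ops)
    print("salted:  ", s_cracked, "ops:", s_ops)
```

Both schemes lose the same weak passwords to this toy wordlist; the point is the cost curve. For the unsalted dump the work is one hash per candidate regardless of how many accounts leaked, so a table precomputed before the breach cracks everyone at once. With salts and a slow KDF the work multiplies by the number of accounts and by the iteration count, which is what turns a 6.5-million-row dump from a weekend job into an expensive one.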

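Corey's main point, and the LastPass footnote, is that a bulk export of a password table should stand out against normal egress for the host that holds it. The following is an added example, not code from the original message, from LinkedIn or from LastPass; it assumes a constructed flow-log format of "window host dst_ip bytes_out" summarised per 10-minute window, two hosts (a database host with a quiet baseline and a web host that legitimately pushes a lot of traffic), and a robust per-host baseline built from the median and median absolute deviation of earlier windows. It flags the one window in which the database host ships roughly 110 MB to a single outside address while leaving the busy web host alone.

```python
from collections import defaultdict
import statistics

# Constructed flow summaries (not real logs): "window host dst_ip bytes_out".
# db01 normally moves 1-2 MB per 10-minute window; at 02:00 it exports ~112 MB
# to a single external address.  web03 is legitimately busy at ~50 MB/window.
SAMPLE_LOG = """\
2012-06-04T01:00 db01 10.0.0.5 1200000
2012-06-04T01:10 db01 10.0.0.5 1500000
2012-06-04T01:20 db01 10.0.0.5 900000
2012-06-04T01:30 db01 10.0.0.5 1800000
2012-06-04T01:40 db01 10.0.0.5 1100000
2012-06-04T01:50 db01 10.0.0.5 1300000
2012-06-04T02:00 db01 203.0.113.7 112000000
2012-06-04T02:00 db01 10.0.0.5 1000000
2012-06-04T01:00 web03 198.51.100.2 50000000
2012-06-04T01:10 web03 198.51.100.2 52000000
2012-06-04T01:20 web03 198.51.100.2 49000000
2012-06-04T01:30 web03 198.51.100.2 51000000
2012-06-04T01:40 web03 198.51.100.2 50500000
2012-06-04T01:50 web03 198.51.100.2 49500000
2012-06-04T02:00 web03 198.51.100.2 50000000
"""


def parse_flows(text):
    """Yield (window, host, dst, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        window, host, dst, nbytes = parts
        try:
            yield window, host, dst, int(nbytes)
        except ValueError:
            continue


def egress_per_window(flows):
    """Total bytes_out per host per window: {host: {window: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for window, host, _dst, nbytes in flows:
        totals[host][window] += nbytes
    return totals


def robust_threshold(history, k=6.0):
    """median + k * scaled MAD.  Median/MAD are not dragged up by the very
    outlier we are hunting, unlike mean/stddev.  A floor on the spread keeps
    a perfectly flat history from alerting on trivial wobble."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    sigma = max(1.4826 * mad, 0.05 * med)
    return med + k * sigma


def detect_egress_anomalies(log_text, k=6.0, min_history=5):
    """Walk each host's windows in time order and flag any window whose egress
    exceeds the baseline built from the windows before it.  Flagged windows
    are kept out of the baseline so an exfil does not normalise itself."""
    alerts = []
    totals = egress_per_window(parse_flows(log_text))
    for host, per_window in totals.items():
        history = []
        for window in sorted(per_window):  # ISO timestamps sort lexically
            observed = per_window[window]
            if len(history) >= min_history:
                thr = robust_threshold(history, k)
                if observed > thr:
                    alerts.append({"host": host, "window": window,
                                   "bytes": observed, "threshold": round(thr)})
                    continue
            history.append(observed)
    return alerts


if __name__ == "__main__":
    for a in detect_egress_anomalies(SAMPLE_LOG):
        print(f"ALERT {a['host']} {a['window']}: {a['bytes']} B "
              f"(baseline threshold {a['threshold']} B)")
```

The per-host baseline is the part that matters: a single global threshold would either fire constantly on the web tier or sit so high that a 100 MB export from a database host slips under it. In practice the same logic would be fed from NetFlow/sFlow or proxy logs rather than a string, and the destination (a single new external address for a host that never talks outside) is a second signal worth scoring alongside volume.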

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/
