LinkedIn Passwords Leaked… Congress Immediately Wants To 'Do Something!'
from the grandstanding... dept
As you hopefully have heard already, a ton of Linkedin passwords were leaked online. They were leaked in encrypted forms — and without associated usernames — leading some to suggest there was no real threat for users, unless someone also had the full list of usernames as well. However, that doesn’t seem quite accurate. Since the passwords were hashed but not salted, it’s made it relatively easy for the passwords to be decrypted. Yes, the usernames haven’t been released, but some are suggesting that whoever leaked the data probably only released this subset, because they had already decrypted a bunch of easier passwords (and probably had the usernames) and just needed “the crowd” to help decrypt the rest.
Linkedin took its time, but did admit that there was a breach, and reset those passwords. However, Congress is never one to miss an opportunity to grandstand. Rep. Mary Bono Mack was quick to jump up and announce that something must be done!
“How many times is this going to happen before Congress finally wakes up and takes action?” said Rep. Mary Bono Mack, R-Palm Springs, who heads a House Energy and Commerce subcommittee that has looked at online-privacy issues, in a statement. “This latest incident once again brings into sharp focus the need to pass data protection legislation.”
Similarly, Senator Pat Leahy jumped in with a similar statement:
“Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking,” Leahy said in a statement provided to The Hill. “Congress should make comprehensive data privacy and cybercrime legislation a top priority.”
First of all, it does appear that LinkedIn wasn’t using particularly smart security techniques (no salting? really?). But would a law really change things? And Leahy’s claim that we need “cybercrime” legislation, again doesn’t seem likely to help “fix” anything. If anything, the “cybersecurity” legislation that’s out there might make such data even more vulnerable, by making companies more encouraged to share information.
Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?
Filed Under: congress, data breach, mary bono mack, passwords, pat leahy, security
Companies: linkedin
Comments on “LinkedIn Passwords Leaked… Congress Immediately Wants To 'Do Something!'”
Someone should check to see which cyber security or defense firms Leahy and Mack are getting their re-elections funded by.
Re: Re:
Leahy supports the military. Bono is mainly bought off by the RIAA. I’m not liking their message of more “cybersecurity”.
I don't think you understand how politics work.
They don’t want to ‘Do Something’. They want to pretend they’re doing something by talking shit and ‘passing’ paper in that nice air-conditioned, tax-funded, palace of Mighty Legislature.
How else will they convince people they matter in the practicality of everyday life? If anybody catches on, they’ll lose their cushy, over-paid, government jobs.
Re: I don't think you understand how politics work.
“They want to pretend they’re doing something”
Actually, what they want is to be “seen” doing something. Whether the something helps the situation or makes it worse, they don’t really care, as long as people “see” them doing something about it.
The second congresscritters want to “do something”, we all lose.
Re: Re:
I agree the more “gridlock” we have in Washington the better off We the People are.
Rabble Rabble
There was another deadly shooting in [insert American city here].
“How many times is this going to happen before Congress finally wakes up and takes action?” Some Senator says. “This latest incident once again brings into sharp focus the need to pass gun control legislation.”
Re: Rabble Rabble
Yay! A game I can play too!
There was another public nude flashing incident in [insert American city here].
“How many times is this going to happen before Congress finally wakes up and takes action?” Some Senator says. “This latest incident once again brings into sharp focus the need to pass overcoat control legislation.”
Re: Re: Rabble Rabble
There was another face chewing incident in [insert American city here].
“How many times is this going to happen before Congress finally wakes up and takes action?” Some Senator says. “This latest incident once again brings into sharp focus the need to pass zombie control legislation.”
Re: Re: Re: Rabble Rabble
There was another political scandal in [insert American city here].
“How many times is this going to happen before Congress finally wakes up and takes action?” Some Senator says. “This latest incident once again brings into sharp focus the need to pass another pay-raise for ourselves.”
Leahy Skroob: Do something!
Mack Helmet: Do something!
Lamar Sandurz: Do something!
Hey Gov, how about you first stop collecting all kinds of leakable data yourselves? Then we’ll talk. Kthnxbye.
Oh, right.
Congress can’t do anything here. People choose their own security measures. Some are retarded, some are sensible.
Once again, the always classic lines of: “Should we do something?” “We should do something!” comes up and nothing will ever come out of it. Rinse, lather, repeat. Next!
Re: Re:
Hey Congress good to see that you want to do something. Jobs Legislation and rebuild the infrastructure should be first on the list. John Jobs Jobs Jobs Boehner said that Jobs would be first on the table two years ago. What the hell does Abortion legislation have to do with jobs? Or Linked in….
This is another example of how backwards our system works these days. As Congress should know, issues like this one are easily controlled by our free market system: LinkedIn already took a hit from users on this issue in terms of cancelled accounts and/or removal of apps from devices. If this happens again to LinkedIn they will become another MySpace that slowly fades away. LinkedIn knows it and will spend the money to ensure the problem doesn’t happen again. Wow, the market can fix itself, crazy. This is why we don’t need laws that are completely unenforceable, especially in the digital world.
Re: Re:
Exactly, linkedln can very well fix this on their own, without government influence
Its the job of the individual companies to keep their systems up to date and protected to all known threats, if your gonna put legislation on anything, that would be a start, nothing more nothing less, direct and to the point without the flowery description.
Re: Re: ^^^^^^^
edit : when user information is concerned at the very least
This is a story about four people named Everybody, Somebody, Anybody, and Nobody. There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that because it was Everybody’s job. Everybody thought Anybody could do it, but Nobody realised that Everybody wouldn’t do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.
ie: Secure the freaking passwords as they should be ie: Salt em.. Cyber-laws will not stop this sort of stupidity. And the passwords are non identified and therefore meaningless for anything other than rainbow tables (look them up).
The only thing that needs to be tightened maybe is consumer negligence laws that if a company knowingly does not allow reasonable and industry standard security policies they are absolutely liable for any and all problems that occur… including statutory fines of a % of revenue (equitable then)
Re: Re:
This is all that needs to be done. Unfortunately, it makes corporations look bad (and punishes them), whereas the type of legislation currently proposed diverts the blame from same corporations (i.e. campaign contributors) and still makes legislators look good.
Nevermind that the current legislation won’t solve the problem and will result in collateral damage; at least the corporate sponsors are safe from blame, and the representatives can say to their constituency: “Look, we’re doing everything in our cyber-power to cyber-solve this cyber-problem!”.
I'm confused
Isn’t hacking an system and stealing data already illegal? Are they going to pass a new law that makes it more illegal?
Cybercrime? These people must moonlight at the patent office where if you slap cyber or internet in front of a word and it magically becomes some strange new thing that is almost impossible to understand.
smh
Re: I'm confused
I’m with you Josef, i was under the impression that there already was legislation to make this illegal. Too bad the politicians are so clueless they don’t realize this.
Scariest words ever. “I’m from the government and I’m here to help.”
Re: I'm confused
Sounds like a pretty good meme:
Cybersecurity law passes.
Cybercrime now DOUBLE illegal.
You can’t legislate stupid…
Re: Re:
Really? If that’s true, then there should be some laws banning all forms of stupidity in this country and the world, even get rid of the stupid people!
If not, is there anything that could cure stupidity or did the congress critters put some legislation that banned scientists from studying stupidity? I need to know!
Re: Re: Re:
I think I got myself backwards there… I blame my own stupidity sometimes…
Maybe there should be a law.
Re: Re:
I think they want to legislate smarts, but the point stands 🙂
Clearly, if companies are unwilling to protect users of their own accord, perhaps a law would be the best way to settle the issue. It’s not so much about requiring the passwords to be complicated, but rather requiring companies to store the passwords in some other manner than “in the clear”. It’s pretty scary when you realize that passwords are too easily accessed.
“Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?”
Every new law either creates a new crime and/or further enhances government power. Can anyone name a single law which resulted in crime reduction?
Re: Re:
21st Amendment?
Re: Re:
Assuming a law is needed, any law will initially cause an increase in crime because it is making a behavior criminal which was previously not criminal. Once that barrier is passed it would be enforcement of the law that mattered.
is anyone surprised at the response from the thick f*****s in Congress? what a gift for all in favour of CISPA and similar bills. non of these will have the slightest impact on the likes of LinkedIn, eHarmony or similar or it’s customers but will be used as good reason for the government to introduce legislation allowing them to spy on everyone! mind you, perhaps some Senators use it themselves to try to get a date? wouldn’t want any info about them released. dont matter that the world and his wife will know about every other person!
The problem kind of solved itself didn’t it? LinkedIn is dumb and now people won’t trust them anymore. Another service will be used.
Surely it would be prudent to reset all affected passwords to be on the safe side, pain in the ass, but affective?
What Congress is likely to do is pass legislation mandating a “standard” internet ID for all US citizens. They’ll probably want to tie it to the SSN. That will make everything more secure. Or not. It’s about control, the facade of action but not about fixing anything.
salt goes on steaks not on LinkedIn passwords
So tell me, what happens when CISPA passes and the Government servers get hacked with all this data on it’s citizens that it aquired via “spying” gets leaked? It’s not like we can change our identities as easily as changing our password.
Re: Re:
Don’t worry, they’ll just pass another law if that happens.
/sarc?
I dunno…how about set a minimum standard for password security. If company X is found not to use that minimum standard, company X execs are fined/jailed/flogged/quartered/etc.
I’m tired of waiting for the free market to work…sorry, a regulatory framework can be put in place that doesn’t impede on your individual rights. Heck…that’s exactly what the constitution is, no?
Re: Re:
Have you learned nothing over the last couple of years? CEOs and execs don’t get jailed or fined. They get a pat on the back and a bonus.
It would have helped if the spammers at LinkedIn...
…had used the rather well-known technique of salting the passwords — see, for example Password Security: A Case History (1978). I believe early Unix systems used a 12-bit salt, but contemporary ones should be using at least a 64-bit one, preferably 96-128.
This wouldn’t have stopped the leak of the encrypted passwords, of course — that appears to be the result of a security hole that has nothing to do with passwords. But it would raise the bar considerably for attackers attempting to decrypt them.
The solution to this problem — and many, MANY others like it, including the endless stream we see from the federal government — isn’t legislation. It’s competence. And as we see on a continuous basis, there is absolutely no IT competence in the United States Congress.
What is really frustrating about all this is that I have yet to receive any notification from Linkedin that there was a data breech. As a user, I would like the comfort of hearing it from them directly.
Re: Re:
none of my roomates, or my company’s accounts or mine for that matter got a notice about being compromised.
Re: Re: Re:
odd I got one. Maybe they know whose passwords got jacked?
When information gets hacked from credit card companies we blame the credit card companies and claim that maybe laws aren’t harsh enough on them (and, instead, we should mostly just go after those who hacked the security and leave the credit card companies alone, despite their obvious lack of security). Then this happens and the claim is the opposite, we should do nothing.
I’m sorta inbetween. I don’t mind good laws being passed requiring a minimal amount of security to protect people’s private data. I don’t mind punishment to repeat offenders who continuously implement bad security policies that precariously endanger the privacy of its users.
But, at the same time, I know Congress may hastily end up passing a bunch of irrelevant laws that do little to deter and punish poor security measures and do something to serve an entirely different agenda. I think that maybe something needs to be done but it needs to be done very carefully. The laws need to be carefully written and examined by the public before being passed.
Re: Re:
Also, I don’t necessarily think anything should be done at the criminal level. Perhaps at the civil level laws can be passed that ensure that if I get my data hacked due to precarious security standards I can successfully sue the offending company for enough money to deter further security breaches. Class actions can go forward and gain enough money to prevent further bad security and there is just enough incentive for lawsuits of bad offenses to be initiated.
Laws regulating minimum standard security procedures would sure be nice. Linkedin should salt their passwords, sony’s servers shouldn’t fall to pieces from sql injection. These corporations should be legally required to have a certain level of security in place.
OMG! Someone's going to use my LinkedIn account...
…to apply for a job in the IP-intensive grocery store industry, on my behalf?
Basically its like having your house robbed and then yelling at the police for not locking your door.
Implementing..
Back doors, once they are in place, legislation for more secure cyberspace will be just around the corner.. WE HAVE TO HAVE BACK DOORS!!
@Congress
Congress doesn’t need to do anything … I just change my password when necessary … I agree it’s tedious and irritating however, that’s what I do and it doesn’t cost me any tax-dollars to do it … just a new and different keyboard pattern … Congress SUCKS!
Do something! …….. Changes the password.