slash dev slash null

stuff about puters

Month: May, 2016

Why isn’t LinkedIn using SRP?

This morning I was dismayed to get an email from LinkedIn saying that email addresses and password hashes stolen in 2012 were now circulating online. In response they had reset the passwords of all accounts that hadn't changed their password since 2012. Okay, that sounds like a solid precaution against dictionary attacks on the stolen hashes, right? Wrong.

They then went on to say:

LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.

Wow, so in 2012 they were not salting their password hashes. Without a salt, every user who chose the same password gets the same hash, and a single precomputed table or a single cracking run covers the whole dump at once. Those passwords, which users may well have reused across other sites, were therefore only nominally protected. That's shockingly bad.

Furthermore, salting on its own isn't state-of-the-art password storage. A salt stops one cracking run from covering every account, but a salted fast hash still falls to GPU guessing one account at a time; the accepted minimum is a deliberately slow, salted password hash such as bcrypt, scrypt or Argon2. More to the point, LinkedIn still has the cleartext password sent over the network to a server which then salts and hashes it before saving it to the database. That protects them if the database is stolen again, but not against any other compromise of their infrastructure: a web node, a TLS-terminating load balancer or a careless log line can all see the password in flight. They should upgrade to the Secure Remote Password protocol (SRP), a password-authenticated key exchange in which the client proves it knows the password without ever transmitting it and the server stores only a salt and a verifier derived from the password. Two caveats apply even then: a stolen verifier can still be attacked offline with a dictionary, just like a salted hash, so the password-to-verifier derivation should itself be slow; and in a browser SRP only helps if the JavaScript that runs it is delivered over a channel the attacker does not control.

For a social network for professionals, it would seem that LinkedIn lacks knowledgeable security engineers and doesn't have security built into its software development lifecycle.


Update: see this 2016 paper for a modern take on the problems with the salted password hashing that LinkedIn "upgraded to".

Click Trajectories: End-to-end analysis of the spam value chain

Interesting analysis of the world of spam.

the morning paper

Click Trajectories: End-to-end analysis of the spam value chain – Levchenko et al. IEEE Symposium on Security and Privacy, 2011

This week we’re going to be looking at some of the less desirable corners of the internet: spam, malvertisements, click-jacking, typosquatting, and friends. To kick things off, today’s paper gives an insight into the end-to-end spam value chain. If we really want to stop spam it turns out, talk to the banks…

As an advertising medium, spam ultimately shares the underlying business model of all advertising. So long as the revenue driven by spam campaigns exceeds their cost, spam remains a profitable enterprise. This glib description belies the complexity of the modern spam business…

How does spam work?

There’s much more to spam than just the email! There are three key stages – advertising, click support, and realization – supported by a whole value chain.

Advertising concerns how…


Uncovering bugs in Distributed Storage Systems during Testing (not in production!)

the morning paper

Uncovering bugs in Distributed Storage Systems during Testing (not in production!) – Deligiannis et al. 2016

We interviewed technical leaders and senior managers in Microsoft Azure regarding the top problems in distributed system development. The consensus was that one of the most critical problems today is how to improve testing coverage so that bugs can be uncovered during testing and not in production. The need for better testing techniques is not specific to Microsoft; other companies such as Amazon and Google, have acknowledged that testing methodologies have to improve to be able to reason about the correctness of increasingly more complex distributed systems that are used in production.

The AWS team used formal methods with TLA+, which was highly effective but falls short of checking the actual executable code. The Microsoft IronFleet team used the Dafny language and program verifier to verify system correctness and compile it to…
