82 comments

[ 3.3 ms ] story [ 150 ms ] thread
to which I say "hahaha"

In all seriousness, many people choose shit passwords for the accounts they don't care about. I'm sure Mark's password for his admin account on fb is probably harder to guess.

dadada1
Which raises the entropy from 2^6 (64) to 3^7 (2187)! An increase by over 3000%! So much more secure!
> many people choose shit passwords for the accounts they don't care about

Surely any account tied to your real name / identity is something worth caring about. Doesn't matter how crappy/uninteresting the site is (or becomes), you still don't want to make it easy for someone to take over the account and be impersonating you.

That'll be an excellent example on many security talk slides in the future (PW strength, reuse of PWs, salting)

They probably could have made some money by combining some day trading of FB stock with a well timed announcement of resignation due to health concerns or something. Announce, anticipate drop, buy...leak it was fake, sell. Or whatever else you can come up with with some thinking. [maybe not because he'd post that on FB]

I don't understand your logic.

"If you're going to trespass on someone's property you might as well deface it and steal some of their stuff"

I am not a lawyer but I could see password breaching in the interest of white hat security could be is looked an a lot differently by the courts than what you're suggesting

I believe the passwords came from the 2012 LinkedIn breach and was referring to the original criminals. If you have the criminal energy to steal that data you might as well use it. I don't think there was anything white hat about that incident.
> If you have the criminal energy to steal that data you might as well use it.

No no no. Any self-respecting criminal will not gain directly from a break-in, but rather sell the goods on to someone with a credible laundering story (or at least someone who will put further space between him and the goods).

> Any self-respecting criminal will not gain directly from a break-in, but rather sell the goods on to someone with a credible laundering story

I think that contains a contradiction.

ok, "will not gain from directly leveraging goods acquired in a break-in against the same victims of such break-in". Thieves usually don't try to sell your TV back to you, and the ones who do are widely mocked.

But you know what I meant.

Sounds like an excellent way to spend some time in jail.
Think so? I'm sure lots of people have limit orders in at low prices, so that part alone isn't suspicious. But it might put you on a shortlist of potential hacker suspects.
The features that makes orders not suspicious are the same that make them not terribly profitable in this event. Having a standing buy order at a few percent below current trading is fine, having one for several million dollars isn't (it implies that you know the stock is going to bounce back).
It would be an excellent example in a security talk 10 years ago. If anything it should be used to promote better authentication solutions.
Anyone knows a CEO who used "cube" as a password? I wonder why the top of the extremely competent people can be so sloppy sometimes. I'll suggest that's what you get when you found a startup straight after uni: You don't understand what it's like to jump through employment hoops.
> I'll suggest that's what you get when you found a startup straight after uni

There's no statistical correlation for this. If anything, i would say it's the opposite, most of the young founders knows the importance of the security in this day and age.

I'd say that it makes the argument that reuse of passwords is more dangerous than simply using poor passwords. After all, it's complexity didn't seem to matter in this case. In fact, one could argue that the only thing a user of a site need concern themselves with is not using the same password in multiple locations. Once that is achieved, I wonder, if the chances of your account being hacked dramatically decrease more than any other safety precaution you can take, apart from simply not having any account.
And then they'd spend all that money hiring lawyers to keep them out of jail. First rule of hacking is to stay away from high profile targets because they attract too much attention. I think they handled it nicely. They exposed the vulnerability without doing anything harmful.
First rule of hacking is to separate liability to stay out of jail.

Prosecution is typically limited because the person that discovers the hack isn't the person that exploits the hack, isn't the person day trading Facebook stock after the fake press releases.

And of course - and still up for controversy - selling hacks isn't restricted in any way right now.

Neither is selling antivirus-circumventing RATs. Both are usually sold with the disclaimer "for educational purposes only".
There are way more subtle ways to cause problems and make money that would be less likely to land you in jail.

Are you an entrepreneur? What is it worth to have "Mark" tweet about your company/product? Or maybe make a warm intro to a top tier investor?

Sure, none of them are likely to radically change your business but some things just need a little push to get going and turn into something bigger.

I wrote about this (and other) scenarios in 2010: http://caseysoftware.com/blog/social-media-for-social-evil-p...

“No Facebook systems or accounts were accessed… The affected accounts have been re-secured.”

Sounds to me like they weren't very secure to begin with. So they would be "secured" now, not "re-secured". It's crap like this that makes me miss George Carlin.

"...though at $50 a claimant, no-one stood to be much enriched out of the settlement..."

The lawyers must find that mildly amusing.

How do I go about claiming my $50?
You file the claim form and submit it before May of last year... But you also had to have paid for LinkedIn premium for to be eligible.

Source: www.linkedinclassactionsettlement.com

Makes me wonder how securely passwords were stored when he first opened Facebook to colleges.
Everyone who works at Facebook should watch out right now. Endgame Systems (CIA) is trying to hack profiles right not to terrorize people. This is only the beginning.
Memes are coming...
I am using that password for dummy accounts (internal) all the time. As an Eastern European it means something in the language (yes). What does it mean in English?
It's what pre-verbal toddlers tend to call their male parent in the UK. They'd often stop at just dada, but everybody knows 4 character passwords are insecure
Ich lieb dich nicht, du liebst mich nicht. Da da da!

(am I the only one who remembers Trio of their song that VW used in ads a few years ago?)

Don't know about the ad, but I remember the 80's.
And see here I was about to go and change all my passwords...
All I can think of is that song... Ich lieb' dich nicht, du liebst mich nicht. Da da da.
How is that possible? Many systems require at least 1 digit, and/or at least an uppercase character.
Yes. These days they do. It wasn't so in the past. Look at how many times the four-letter sequence "asdf" shows up in password dumps.
Which usually doesn't help in the slightest and is merely annoying. dadada vs dada123 is .. not exactly an improvement.
Anyone tried his TeamViewer with that passw yet?
As soon as I saw the password I wondered if Mark was left-handed.

Turns out I was spot on: a bit of googling revealed he was.

Why? A password as simple as dadada has the great advantage that one can write it quickly with one hand - and for this you typically choose a password that you can write with your other hand on the mouse for when you are using it.
But you can access more than 20 keys with your left hand, including numbers and special characters, it's no excuse.
I'm a southpaw myself, and therefore quite biased, but I've always been struck by the prevalence of CEOs, Presidents, notable scientists, etc. that I have met who are fellow lefties. Don't have a p-value, but it seems much higher than the ambient (~10%) rate.

For instance, for the last 4-5 years in our computational science research group, we have been sitting pretty steadily near 50%.

At my PPOE it was 50% too. I can remember being in meetings where everyone except one PHB was left handed.
Selection bias? There are some studies indicating left-handed children tend to score lower (on average) on IQ, verbal scores, etc: http://www.ncbi.nlm.nih.gov/pubmed/16643966 (Edit: Seems the IQ difference varies between studies and is negligible, if even exists.)

Hypothesis is that left-handedness can be caused by early brain trauma, so if "lefties" are disproportionately represented in such positions, the ones with non-pathological causes would seem to have an even bigger advantage over the right-handed to make up for the lower mean. Or perhaps it's associated with other talents that make up for the deficits. (Edit: Wikipedia seems to support this - https://en.wikipedia.org/wiki/Handedness#Intelligence)

Or perhaps the research conclusions are just wrong.

It's possible for both phenomena to coexist. Extreme case: Suppose 95% of left-handers are low-functioning, and 5% of them are INCREDIBLY high-functioning. You'd then have them simultaneously overrepresented in top positions AND scoring lower on IQ, verbal scores, etc.

If true (in a less extreme sense), I imagine it would be vaguely correlated with post-traumatic stress and post-traumatic growth. Some of the most amazing people humanity has produced went through unimaginable suffering. And yet the vast majority of people who go through hideous suffering end up dysfunctional.

So it's something like– most people with a disadvantage get messed up, but the few who manage to overcome it, manage to overcompensate dramatically.

> You'd then have them simultaneously overrepresented in top positions AND scoring lower on IQ, verbal scores, etc.

Yep... you can have distributions with identical means, and fatter tails.

I'm a righty... so my left hand never leaves the keyboard my right moves all over the place dadada is super easy for me to type. I would think if you're a lefty and using a laptop like most ceos are likely to be doing (if they have a laptop at all) then your left hand is on the mouse making dadada harder to hit?
Lefty here... but as with many other things in life (e.g. gloves, golf clubs, etc.), the prevalence of 'right handed' mice forced me into being a mouse/trackpad righty.

Most left-handed people I know have a mixture of left/right-handedness, whereas it seems all the right-handed people are right all the way.

interesting I guess I'm used to games artists who often use left handed mice to throw their brain off.

I use my left for lots of things.

Oddly, learning ukulele currently I noticed that left hand is what hits the frets... which is way more dexterous work than strumming.

You could be right handed and use a password like !@#asdQWEewq#@!123 (using the pinky on the shift) because it doesn't require you to take your right hand off the mouse
still better than me ... abc123
As long as we have way too many unnecessary passwords, this will happen.

Merchants have figured this out. Many now allow purchases without creating an account (no doubt also because if people have to create another password, some will just abandon the purchase.)

I was reading about the Eero router. They figured this out. They get the user's phone number and send a token by text.

Passwords are horrible for usage and horrible for security. Just horrible all around.

haha easy to remember..
So the combination is... da, da, da? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
da, da, da?

That's amazing! I've got the same combination on my luggage!

An infant could have come up with that combination!
I think he was paying to someone else to manage his media.