In all seriousness, many people choose shit passwords for the accounts they don't care about. I'm sure Mark's password for his admin account on fb is probably harder to guess.
> many people choose shit passwords for the accounts they don't care about
Surely any account tied to your real name / identity is something worth caring about. Doesn't matter how crappy/uninteresting the site is (or becomes), you still don't want to make it easy for someone to take over the account and be impersonating you.
That'll be an excellent example on many security talk slides in the future (PW strength, reuse of PWs, salting)
They probably could have made some money by combining some day trading of FB stock with a well timed announcement of resignation due to health concerns or something.
Announce, anticipate drop, buy...leak it was fake, sell. Or whatever else you can come up with with some thinking.
[maybe not because he'd post that on FB]
"If you're going to trespass on someone's property you might as well deface it and steal some of their stuff"
I am not a lawyer but I could see password breaching in the interest of white hat security could be is looked an a lot differently by the courts than what you're suggesting
I believe the passwords came from the 2012 LinkedIn breach and was referring to the original criminals. If you have the criminal energy to steal that data you might as well use it. I don't think there was anything white hat about that incident.
> If you have the criminal energy to steal that data you might as well use it.
No no no. Any self-respecting criminal will not gain directly from a break-in, but rather sell the goods on to someone with a credible laundering story (or at least someone who will put further space between him and the goods).
ok, "will not gain from directly leveraging goods acquired in a break-in against the same victims of such break-in". Thieves usually don't try to sell your TV back to you, and the ones who do are widely mocked.
Think so? I'm sure lots of people have limit orders in at low prices, so that part alone isn't suspicious. But it might put you on a shortlist of potential hacker suspects.
The features that makes orders not suspicious are the same that make them not terribly profitable in this event. Having a standing buy order at a few percent below current trading is fine, having one for several million dollars isn't (it implies that you know the stock is going to bounce back).
Anyone knows a CEO who used "cube" as a password? I wonder why the top of the extremely competent people can be so sloppy sometimes. I'll suggest that's what you get when you found a startup straight after uni: You don't understand what it's like to jump through employment hoops.
> I'll suggest that's what you get when you found a startup straight after uni
There's no statistical correlation for this. If anything, i would say it's the opposite, most of the young founders knows the importance of the security in this day and age.
I'd say that it makes the argument that reuse of passwords is more dangerous than simply using poor passwords. After all, it's complexity didn't seem to matter in this case. In fact, one could argue that the only thing a user of a site need concern themselves with is not using the same password in multiple locations. Once that is achieved, I wonder, if the chances of your account being hacked dramatically decrease more than any other safety precaution you can take, apart from simply not having any account.
And then they'd spend all that money hiring lawyers to keep them out of jail. First rule of hacking is to stay away from high profile targets because they attract too much attention. I think they handled it nicely. They exposed the vulnerability without doing anything harmful.
First rule of hacking is to separate liability to stay out of jail.
Prosecution is typically limited because the person that discovers the hack isn't the person that exploits the hack, isn't the person day trading Facebook stock after the fake press releases.
And of course - and still up for controversy - selling hacks isn't restricted in any way right now.
“No Facebook systems or accounts were accessed… The affected accounts have been re-secured.”
Sounds to me like they weren't very secure to begin with. So they would be "secured" now, not "re-secured". It's crap like this that makes me miss George Carlin.
Everyone who works at Facebook should watch out right now. Endgame Systems (CIA) is trying to hack profiles right not to terrorize people. This is only the beginning.
I am using that password for dummy accounts (internal) all the time. As an Eastern European it means something in the language (yes). What does it mean in English?
It's what pre-verbal toddlers tend to call their male parent in the UK. They'd often stop at just dada, but everybody knows 4 character passwords are insecure
Why?
A password as simple as dadada has the great advantage that one can write it quickly with one hand - and for this you typically choose a password that you can write with your other hand on the mouse for when you are using it.
I'm a southpaw myself, and therefore quite biased, but I've always been struck by the prevalence of CEOs, Presidents, notable scientists, etc. that I have met who are fellow lefties. Don't have a p-value, but it seems much higher than the ambient (~10%) rate.
For instance, for the last 4-5 years in our computational science research group, we have been sitting pretty steadily near 50%.
Selection bias? There are some studies indicating left-handed children tend to score lower (on average) on IQ, verbal scores, etc: http://www.ncbi.nlm.nih.gov/pubmed/16643966 (Edit: Seems the IQ difference varies between studies and is negligible, if even exists.)
Hypothesis is that left-handedness can be caused by early brain trauma, so if "lefties" are disproportionately represented in such positions, the ones with non-pathological causes would seem to have an even bigger advantage over the right-handed to make up for the lower mean. Or perhaps it's associated with other talents that make up for the deficits. (Edit: Wikipedia seems to support this - https://en.wikipedia.org/wiki/Handedness#Intelligence)
Or perhaps the research conclusions are just wrong.
It's possible for both phenomena to coexist. Extreme case: Suppose 95% of left-handers are low-functioning, and 5% of them are INCREDIBLY high-functioning. You'd then have them simultaneously overrepresented in top positions AND scoring lower on IQ, verbal scores, etc.
If true (in a less extreme sense), I imagine it would be vaguely correlated with post-traumatic stress and post-traumatic growth. Some of the most amazing people humanity has produced went through unimaginable suffering. And yet the vast majority of people who go through hideous suffering end up dysfunctional.
So it's something like– most people with a disadvantage get messed up, but the few who manage to overcome it, manage to overcompensate dramatically.
I'm a righty... so my left hand never leaves the keyboard my right moves all over the place dadada is super easy for me to type. I would think if you're a lefty and using a laptop like most ceos are likely to be doing (if they have a laptop at all) then your left hand is on the mouse making dadada harder to hit?
Lefty here... but as with many other things in life (e.g. gloves, golf clubs, etc.), the prevalence of 'right handed' mice forced me into being a mouse/trackpad righty.
Most left-handed people I know have a mixture of left/right-handedness, whereas it seems all the right-handed people are right all the way.
You could be right handed and use a password like !@#asdQWEewq#@!123 (using the pinky on the shift) because it doesn't require you to take your right hand off the mouse
As long as we have way too many unnecessary passwords, this will happen.
Merchants have figured this out. Many now allow purchases without creating an account (no doubt also because if people have to create another password, some will just abandon the purchase.)
I was reading about the Eero router. They figured this out. They get the user's phone number and send a token by text.
Passwords are horrible for usage and horrible for security. Just horrible all around.
So the combination is... da, da, da? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
82 comments
[ 3.3 ms ] story [ 150 ms ] threadIn all seriousness, many people choose shit passwords for the accounts they don't care about. I'm sure Mark's password for his admin account on fb is probably harder to guess.
Surely any account tied to your real name / identity is something worth caring about. Doesn't matter how crappy/uninteresting the site is (or becomes), you still don't want to make it easy for someone to take over the account and be impersonating you.
They probably could have made some money by combining some day trading of FB stock with a well timed announcement of resignation due to health concerns or something. Announce, anticipate drop, buy...leak it was fake, sell. Or whatever else you can come up with with some thinking. [maybe not because he'd post that on FB]
"If you're going to trespass on someone's property you might as well deface it and steal some of their stuff"
I am not a lawyer but I could see password breaching in the interest of white hat security could be is looked an a lot differently by the courts than what you're suggesting
No no no. Any self-respecting criminal will not gain directly from a break-in, but rather sell the goods on to someone with a credible laundering story (or at least someone who will put further space between him and the goods).
I think that contains a contradiction.
But you know what I meant.
There's no statistical correlation for this. If anything, i would say it's the opposite, most of the young founders knows the importance of the security in this day and age.
Prosecution is typically limited because the person that discovers the hack isn't the person that exploits the hack, isn't the person day trading Facebook stock after the fake press releases.
And of course - and still up for controversy - selling hacks isn't restricted in any way right now.
Are you an entrepreneur? What is it worth to have "Mark" tweet about your company/product? Or maybe make a warm intro to a top tier investor?
Sure, none of them are likely to radically change your business but some things just need a little push to get going and turn into something bigger.
I wrote about this (and other) scenarios in 2010: http://caseysoftware.com/blog/social-media-for-social-evil-p...
Sounds to me like they weren't very secure to begin with. So they would be "secured" now, not "re-secured". It's crap like this that makes me miss George Carlin.
The lawyers must find that mildly amusing.
Source: www.linkedinclassactionsettlement.com
https://www.youtube.com/watch?v=lNYcviXK4rg
(am I the only one who remembers Trio of their song that VW used in ads a few years ago?)
(https://en.wikipedia.org/wiki/Dada)
Turns out I was spot on: a bit of googling revealed he was.
For instance, for the last 4-5 years in our computational science research group, we have been sitting pretty steadily near 50%.
Hypothesis is that left-handedness can be caused by early brain trauma, so if "lefties" are disproportionately represented in such positions, the ones with non-pathological causes would seem to have an even bigger advantage over the right-handed to make up for the lower mean. Or perhaps it's associated with other talents that make up for the deficits. (Edit: Wikipedia seems to support this - https://en.wikipedia.org/wiki/Handedness#Intelligence)
Or perhaps the research conclusions are just wrong.
If true (in a less extreme sense), I imagine it would be vaguely correlated with post-traumatic stress and post-traumatic growth. Some of the most amazing people humanity has produced went through unimaginable suffering. And yet the vast majority of people who go through hideous suffering end up dysfunctional.
So it's something like– most people with a disadvantage get messed up, but the few who manage to overcome it, manage to overcompensate dramatically.
Yep... you can have distributions with identical means, and fatter tails.
Most left-handed people I know have a mixture of left/right-handedness, whereas it seems all the right-handed people are right all the way.
I use my left for lots of things.
Oddly, learning ukulele currently I noticed that left hand is what hits the frets... which is way more dexterous work than strumming.
http://static4.businessinsider.com/image/4dde798949e2ae723d0...
http://leadinvestor.com.au/wp-content/uploads/2014/08/mark-z...
Merchants have figured this out. Many now allow purchases without creating an account (no doubt also because if people have to create another password, some will just abandon the purchase.)
I was reading about the Eero router. They figured this out. They get the user's phone number and send a token by text.
Passwords are horrible for usage and horrible for security. Just horrible all around.
That's amazing! I've got the same combination on my luggage!
https://www.youtube.com/watch?v=L7abNYC0KQI