[cryptography] Adobe confirms customer data breach

ianG iang at iang.org
Mon Nov 19 05:24:06 EST 2012


On 19/11/12 18:19 PM, Jeffrey Walton wrote:
> An Adobe break in does not surprise me.
>
> Has anyone come across a paper on how to migrate an existing database
> with, for example, unsalted MD5 hashes, to something more appropriate
> for 2012? Naively, I don't see why MD5(password) cannot be an input to
> an improved system. That is, MD5(password) is just a pre-processing
> step to a system built with cryptographic legos.
>
> I'm trying to figure out why folks like Adobe (who know better and
> have the resources) are still using unsalted MD5. I suspect the answer
> has something to do with "it's cost effective to be grossly negligent,"
> but I want to give offenders the benefit of the doubt.


Part of the issue is that in the world today, they aren't grossly 
negligent.  This has specific meanings, which are found in court.  Until 
a court case comes that finds such an act as grossly negligent, then 
they aren't.

Which then speaks to the incentives.  The corporations have internalised 
the benefits of the model, and externalised the risks.  Punters have to 
take the costs of the risk of failure, so everyone on the supply side is 
happy.  Until a corporation has some skin in the risk game, they aren't 
going to do more than punt all the risk to the consumer.

In which case, spending more when MD5 does a fine job is pointless; 
even if it breaks there is less point in spending money.  At the moment, 
when a breach happens, companies are responsible for the direct internal 
losses, short term reputation hit, and maybe the cost of a breach 
notification service (which latter is either a bad joke that customers 
don't understand or an insult).

What's worse perhaps is that the first response of companies is to 
bolster their defences with "best practices."  This works well in court. 
"We do what NIST said" and we're done and dusted.  But as we know the 
risks are far too complicated for some dry government inspired committee 
to navigate.

We end up with a world in which there are companies that do real 
security and risk work, and those that do "best practices."  The latter 
group is far larger, far louder, and unfortunately often more 
cost-effective.

So, this incentives view will clearly change when a wave of class-action 
suits declare companies grossly negligent (or some other legal theory). 
And, they have to pay for it through external forces.  We are starting 
to see that now, with the first rulings coming out that find the banks & 
suppliers responsible.  But it is slow work - the legal cycle is at 
least as slow as the cycle for systemic security improvements.


iang

> Jeff
>
> http://www.h-online.com/security/news/item/Adobe-confirms-customer-data-breach-Update-1750344.html
> ...
> Update 15-11-12 14:55: According to security firm Sophos, the
> passwords were stored as unsalted MD5 hashes, which can easily be
> cracked quickly using modern CPU and GPU hardware. If the database
> extract turns out to be genuine, Adobe should have invested a little
> more effort in protecting the passwords of its users.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
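The migration Jeffrey asks about in the quoted message, treating MD5(password) as a pre-processing step to a stronger scheme, can be done without ever seeing a plaintext password. The example below is added here and is not code from either poster or from Adobe; it assumes PBKDF2-HMAC-SHA256 from the Python standard library as the "improved system", a constructed two-user table, and an iteration count that is a placeholder to be tuned. It goes one step beyond the question by also showing the online half of the migration: once a user logs in successfully, the plaintext is briefly available, so the wrapped record is replaced with a native one and MD5 drops out of the chain entirely.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

# Assumed parameters for this example; tune the iteration count to the
# login latency budget of the real system.
ITERATIONS = 100_000
HASH_LEN = 32


@dataclass
class Record:
    scheme: str      # "md5" (legacy, unsalted), "pbkdf2(md5)" (wrapped), "pbkdf2" (native)
    salt: bytes      # empty for the legacy scheme
    digest: bytes
    iterations: int = 0


def md5_digest(password: str) -> bytes:
    """The legacy scheme: unsalted MD5 of the UTF-8 password."""
    return hashlib.md5(password.encode("utf-8")).digest()


def pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=HASH_LEN)


def wrap_legacy(rec: Record) -> Record:
    """Offline step: wrap the stored MD5 digest in salted, iterated PBKDF2.
    Needs no plaintext, so the whole table converts in one pass, and the
    raw unsalted MD5 values no longer exist on disk afterwards."""
    if rec.scheme != "md5":
        return rec
    salt = os.urandom(16)
    return Record("pbkdf2(md5)", salt, pbkdf2(rec.digest, salt, ITERATIONS), ITERATIONS)


def native(password: str) -> Record:
    """The target scheme: PBKDF2 directly over the password, fresh salt."""
    salt = os.urandom(16)
    return Record("pbkdf2", salt, pbkdf2(password.encode("utf-8"), salt, ITERATIONS), ITERATIONS)


def verify(rec: Record, password: str) -> bool:
    """Check a password against any of the three schemes with a constant-time compare."""
    if rec.scheme == "md5":
        candidate = md5_digest(password)
    elif rec.scheme == "pbkdf2(md5)":
        candidate = pbkdf2(md5_digest(password), rec.salt, rec.iterations)
    elif rec.scheme == "pbkdf2":
        candidate = pbkdf2(password.encode("utf-8"), rec.salt, rec.iterations)
    else:
        return False
    return hmac.compare_digest(candidate, rec.digest)


def migrate_table(table: Dict[str, Record]) -> Dict[str, Record]:
    """Bulk offline migration: returns a new table with every legacy row wrapped."""
    return {user: wrap_legacy(rec) for user, rec in table.items()}


def login(table: Dict[str, Record], user: str, password: str) -> bool:
    """Online step: on a successful login the plaintext is available, so a
    wrapped (or still-legacy) record is replaced by a native one."""
    rec = table.get(user)
    if rec is None:
        # Burn a comparable amount of work so a missing user is not
        # distinguishable from a wrong password by response time.
        pbkdf2(b"dummy", b"dummy-salt", ITERATIONS)
        return False
    if not verify(rec, password):
        return False
    if rec.scheme != "pbkdf2":
        table[user] = native(password)
    return True


# Constructed sample table: two users whose passwords were stored as unsalted MD5.
LEGACY_TABLE = {
    "alice": Record("md5", b"", md5_digest("correct horse battery staple")),
    "bob": Record("md5", b"", md5_digest("password")),
}


def demo() -> Dict[str, str]:
    table = migrate_table(LEGACY_TABLE)          # offline: everything becomes pbkdf2(md5)
    login(table, "alice", "correct horse battery staple")   # upgrades alice to native
    login(table, "bob", "wrong guess")                      # bob stays wrapped
    return {u: r.scheme for u, r in table.items()}


if __name__ == "__main__":
    print(demo())
```

The important property is that `wrap_legacy` never needs the plaintext, so the offline pass removes the unsalted digests from storage immediately; the wrapped form is still only as strong as the MD5 preimage space per guess, but each guess now costs a full PBKDF2 run against a per-user salt, which is the cost the quoted Sophos note says was missing.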