So ... what's the lesson here for our non-nerdy friends & family? I immediately sent my closest friends a "change your Dropbox password" email, which is still valid because, whether they were hacked or not, someone may now have their password. Which is probably also their password to Facebook.
I suppose the question is, does it matter if Dropbox was hacked or if these credentials were gained by some other means? The end result for a poor user^ is the same.
No offence, but in my humble opinion using 1password, or any password manager, does not make you a better or more secure user.
Perhaps even lowers your security in ways.
Sharing the fact (with the internet) that you use a password manager lowered your security already, technically speaking.
I find the idea of using one password (and a private key etc.) to protect all my other accounts and passwords a bit strange, especially synced over 3rd party servers/services.
Not to mention when people use it on devices often discussed to have ways to eavesdrop on a user, Android, iPhone. The security of the password vault is now equal to that of that particular device (which could be as low as no security).
When you use a password manager and separate passwords for each website, you're effectively eliminating an entire class of potential attacks, because any leaks from the website will not affect your accounts elsewhere (especially bad for accounts with privileges such as your email or bank accounts).
In exchange, you use a password or key to locally decrypt the rest of your passwords. This means for someone to have access to your password store they have to (1) find a vulnerability in the password manager store file or (2) obtain access to your machine. Comparing these, (1) is much less likely than getting a password list from a server with more attack surfaces, and (2) would also leak your passwords even without a password manager.
It may seem strange to think of all your passwords as being protected by a single password, but the key concept is that you aren't sending that password across the wire, but do regularly send the others. If your local machine is insecure, it doesn't really matter whether or not you are using a password manager.
Obviously, it would be even more secure to have different passwords for each website and be able to remember all of them, but it's not a very reliable method of storage and puts too large a burden on the user.
Then let's agree to disagree. But points 1 and 2 that you describe are both more likely (to specifically compromise/capture your vault unlock).
Then for somebody to capture all my login details on different websites, with a per-website login, in a particular time frame, they would need a year to capture all logins, as I don't use all sites daily, weekly, or even monthly.
One can discuss it short, one can discuss it long :) but you remain to put all your (generated) eggs in a single basket. A basket (computing security does not exist, it only delays things) that cannot be more secure than your mind.
Start them with the idea that a few things matter far more than the others. Email because all password resets use it, file storage as any identity theft will probably try and use it, and so on.
Use a long pass phrase and two-factor authentication for the few things that really matter.
These are: your domain name seller, your email provider, your file storage provider.
If you suspect your family members will do a poor job of keeping their 2FA backup codes, or that they lose their phone often... then centralizing the 2FA codes through Authy and choosing a long backup phrase there allows your family to use their 2FA codes on more than one device.
Note: I haven't even said "unique pass phrase per site". Yes it would help, but simply having a long pass phrase with 2FA is probably going to be more helpful for those who already find LastPass or 1Password too much to use that they needed the same password everywhere.
People associate Snowden's arguments with government surveillance and shrug it off with the "nothing to hide" argument.
Here we're talking about average people's passwords leaked to the general public. Your files could be accessible by anyone. Or irrecoverably lost due to a bug. This has obvious consequences to the average person.
Well, I don't expect the average to understand the issue nor be able (read: want) to do anything about it (ie. encrypt before handing over their data to untrusted third parties).
Quite frankly, Jennifer Lawrence's nude photographs had more influence on the average person's thoughts about computer security than Snowden's revelations. As sad as it is.
Try to get them on password managers. I've gotten my extremely non-technical wife to use Lastpass and she does it with ease. It really is the best thing they can do for their own security.
Interestingly enough, on the same pastebin site that the leak first appeared, we now have someone programmatically changing the account passwords in the leak: http://pastebin.com/LsKrspK5
There's another set of account credentials here: http://pastebin.com/jHEjBLrQ which are all starting with the letter A. It covers AA to AZ, and spans 900 accounts. Does this mean there's only ~24,000 accounts compromised?
Strangely enough, that was the 'sixth' teaser. I found the fifth -- http://pastebin.com/CsN3SrGA -- but all of the passwords in that list are "latenightbootycalls". I cannot find the 'fourth' just yet.
(Someone let me know if the link to the paste is frowned upon. It's pretty easy to find on Google, however, so I figure I'm doing no additional damage.)
Like the other set of credentials, there's a relative scarcity of gmail addresses. I'd expect dropbox accounts to be a pretty good sampling of email addresses. Either these have had gmail addresses removed (unlikely as a few are in there), or the list comes from somewhere where hotmail and yahoo are more popular than gmail - wonder where that would be?
I got dropbox with an email starting with "al" and my email wasn't included in that list. So they are either not from Dropbox or only a subsection of the accounts they got hold of.
Would be interesting to know what third party service it was and how they were able to make that link.
Also the pastebin claimed such a large amount (6,937,081) of impacted users but only showed a really small sample that started with the letter 'b'. Based on that sample they were already covering letters (bf, bg, bh). So I doubt this is anywhere near the claimed amount.
Asking for 'BTC' to leak more (who wants to pay for a public list?) is also extremely suspect.
> Would be interesting to know what third party service it was and how they were able to make that link.
Dropbox uses email address + password for authentication.
If you have a list of email addresses and passwords from accounts on some other compromised service, why not try them against Dropbox to see if any of those people have Dropbox accounts with the same password?
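The reuse-and-retry pattern described above is what a service sees from its own side as one source trying many different accounts with a low success rate. The following detection logic is an added example, not code from the thread or from Dropbox; the four-field log format, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
"""Flag login sources whose behaviour matches credential stuffing:
many distinct accounts attempted from one IP, mostly failing.
Assumed log format (constructed): "timestamp source_ip email outcome",
where outcome is OK or FAIL."""
from collections import defaultdict

# Constructed sample log lines, not real data. One source walks an
# alphabetical list of accounts; the other is a user retyping a password.
SAMPLE_LOG = """\
2014-10-13T21:00:01 203.0.113.7 aaron@example.com FAIL
2014-10-13T21:00:02 203.0.113.7 abby@example.net FAIL
2014-10-13T21:00:02 203.0.113.7 adam@example.org OK
2014-10-13T21:00:03 203.0.113.7 alice@example.com FAIL
2014-10-13T21:00:04 203.0.113.7 alex@example.com FAIL
2014-10-13T21:00:05 203.0.113.7 amir@example.com FAIL
2014-10-13T21:00:06 198.51.100.4 bob@example.com FAIL
2014-10-13T21:00:09 198.51.100.4 bob@example.com FAIL
2014-10-13T21:00:15 198.51.100.4 bob@example.com OK
"""

def parse_log(text):
    """Yield (ip, email, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, email, outcome = parts
        yield ip, email.lower(), outcome == "OK"

def find_stuffing_sources(text, min_accounts=5, max_success_rate=0.2):
    """Return {ip: stats} for sources that tried at least min_accounts
    distinct accounts with an overall success rate <= max_success_rate.
    stats["compromised"] lists the accounts that succeeded from such a
    source, i.e. the reused passwords that need a forced reset."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": set()})
    for ip, email, ok in parse_log(text):
        s = per_ip[ip]
        s["accounts"].add(email)
        s["attempts"] += 1
        if ok:
            s["ok"].add(email)
    flagged = {}
    for ip, s in per_ip.items():
        rate = len(s["ok"]) / s["attempts"]
        if len(s["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {"distinct_accounts": len(s["accounts"]),
                           "attempts": s["attempts"],
                           "success_rate": rate,
                           "compromised": sorted(s["ok"])}
    return flagged
```

The thresholds are deliberately simple; in practice they would be tuned per service and combined with rate limiting and a second factor for the successful logins.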
Why do you trust the hacker? By definition, hackers are not the trustworthy kind. He may have 7 million emails and passwords from elsewhere and make bold claims to collect bitcoins from lower ranks of hackers. I initially thought that some smartass created a bunch of accounts and posted them to collect some bitcoins from the naive. Particularly, because emails are so similar, i.e. I speculated that he did that to simulate having a 7 million users database.
It would be really interesting if a hacker found a way to harvest _new_ passwords and faked a huge data breach to get millions of people to change their passwords. Threatening fake data breaches if not paid a ransom could be the next profitable hacker market. It would probably work a few times, and certainly muddy up the waters for both organizations and people. Imagine trying to figure out how to respond when 10 major groups have a data breach per week, but 2 of those are real and the rest are fakes. Chaos and massive frustration.
Exactly my point! I've always wondered why journos give the wrong advice to people and why people stupidly trust them and not a technical authority on the subject. At the end of the day, all companies now reset passwords if necessary, so, people should wait for the companies to tell them what to do, and not some journo in the business of clickbaiting and scaremongering.
We use a different meaning than the widely-accepted one here. I'm talking about real hackers, not about developers who aren't satisfied being called "developers" and look for something fancier.
Here is a list of US patents for key escrow systems: 380/286 [1]. It is important to know that key escrow does not itself mean that the keys are escrowed to law enforcement, but in many cases it is obvious or it is spelled out explicitly: "In order to receive the information, law enforcement may submit a request to each of the entities identifying the communication session and their basis for authorization." [2] It is also important to know that law enforcement escrow systems may also apply under different categories, so this list has both type 1 and type 2 errors.
The number of companies on the list is huge and includes essentially all of the 'blockbuster' names in the tech industry, from IBM to Amazon to Fujitsu to Seagate to Apple to Symantec to F-Secure, etc. (I have a longer list here, although it has not been combed for law enforcement escrow and it is also not representative of the names on the patent search list [3]). Care must be taken to discern which patents would have applicability to serve orders such as those by National Security Letters or to comply with the decryption requirements of CALEA.
There's some scary stuff in there, like "Automatic recovery of TPM keys" (Lenovo) [4] and "Cloud key escrow system" (Microsoft) [5].
HP obtained a patent (in 2008) for PC backdoors [6].
This looks nice. But unfortunately, the headline is WAY too technical for "regular" people:
> DECENTRALIZED CLOUD STORAGE
> Storj is based on the Bitcoin blockchain technology and peer-to-peer protocols to provide the most secure, private and efficient cloud storage.
"Regular" people, people that just want their stuff backed up and synced, do not necessarily know what "decentralized cloud storage", "Bitcoin blockchain" or "peer-to-peer protocols" are.
Also, Dropbox clearly stated that it was not hacked. I cannot imagine Dropbox storing passwords in clear text. To me, this "hack" looks like a scam trying to make easy Bitcoin money.
What we need is to make people aware of the security implications of using the same password everywhere.
Decentralized storage is definitely cool, but I'm not convinced the blockchain is the right place to do it. There are already multiple implementations of decentralized storage like this, like Tahoe-LAFS, Freenet, or SpaceMonkey.
Isn't it obvious? The list giving such a small sample of b- usernames, the passwords all super-vulnerable to simple dictionary attacks, the request for money and what not. Some idiot got hold of a bunch of hashes (could even be from a previous dump), bruteforced a few hundreds and cross-referenced with known dropbox accounts. Voila.
Which journalists? Ars Technica posted an article with the qualifying word "apparently" in the title, weasel words like "appears" in the body, contacted Dropbox for comment, had obviously tested the password reset functionality since they mention it was sluggish.
Their suggestion was "reset your password anyway, and turn on 2fa". None of this seems unreasonable.
Any site that published anything related to Dropbox and being hacked prior to receiving a response from Dropbox for clarification is guilty IMO. Everyone is in a rush these days to be the first with the most click-baity headline, accuracy be damned. They have zero fucks to give about the repercussions of what they publish and it is downright shameful. The more people allow weasel words to be acceptable in news, the more they're willing to accept narratives and not objectivity. I genuinely despise Dropbox, but that doesn't mean they deserve falsehoods blasted about them. We live in the disinformation era and it has and will destroy many arguments, careers, companies, and lives. Shameful.
(^Not me, of course. I use 1Password.)