[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently

ianG iang at iang.org
Sat Sep 19 10:47:50 EDT 2015

On 12/09/2015 01:33 am, Bill Frantz wrote:
> What I find interesting is that the security failure at Ashley Madison
> is the first security failure I know of which has seriously impacted
> individual people.

Yes, I think you're right, but:

> When your bank account is cracked, the bank makes it
> right. When your SSN is misused, there are ways to make it right.
> Admittedly any of these problems can be a royal PITA, but you don't lose
> any reputation when your accounts get cracked this way, even if your own
> negligence contributed to the incident.

People pointing out you can't get an SSN is interesting 
counter-evidence.  And, there is plenty of evidence that people are 
screwed by their banks, and not a few court cases.

Phishing has been running wild for a decade now.

So why do we think AshMad is a first?  I think it is because it is the 
first time we've got a readily identifiable tribe as victim, rather than 
dispersed individuals, and, the damages are not in dispute.

A continuing-forever problem we have with security as a business is that 
it is very hard to put a number on the damages.  Without knowing what 
you are trying to achieve, it's basically a voodoo art to know how much 
to spend.  If you go out and start calculating direct damages as 
incurred by businesses for hacks, the information is incredibly sparse.

Now we see people popping up and phoning their divorce lawyer, or 
suiciding in at least one case.

That other factor, that we ignore damages to individuals, can be put 
down to the syndrome of "it won't happen to me."  Which is actually 
rational.  If the event is so rare that it becomes news, then it likely 
won't happen to you.  What we should be concerned about is the event 
that is so frequent it doesn't become news.

> With the Ashley Madison crack, people are being outed for behavior that
> does not have approval in much of society. The affected people are
> seeing the results in their relations with friends, neighbors,
> coworkers, employers, etc.

Right.  Which brings to mind that infamous Sydney Morning Herald 
headline after the Starr report came out, around 1998:

"Thank god we got all the convicts and they got all the puritans."

> The next question is, will an event which affects individuals have an
> effect on net security? The costs of cracks have had an effect on
> businesses. Will this crack change individuals' behavior?

Yep - a question.

Heartbleed had an effect.  If you believe in improving security, does 
this mean you believe in more Heartbleeds?

