[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently

Bill Frantz frantz at pwpconsult.com
Sun Sep 20 00:15:04 EDT 2015

On 9/19/15 at 7:47 AM, iang at iang.org (ianG) wrote:

>On 12/09/2015 01:33 am, Bill Frantz wrote:
>>What I find interesting is that the security failure at Ashley Madison
>>is the first security failure I know of which has seriously impacted
>>individual people.
>Yes, I think you're right, but:
>>When your bank account is cracked, the bank makes it
>>right. When your SSN is misused, there are ways to make it right.
>>Admittedly any of these problems can be a royal PITA, but you don't lose
>>any reputation when your accounts get cracked this way, even if your own
>>negligence contributed to the incident.
>People pointing out you can't get an SSN is interesting 
>counter-evidence.  And, there is plenty of evidence that people 
>are screwed by their banks, and not a few court cases.

I would love to have a reference for "You can't get a new SSN." 
Is there something on a government web page? But not all people 
are screwed by their banks. So being screwed by a bank falls in 
the "there but for the grace..." bucket where people can say, 
but it won't affect me.

>So why do we think AshMad is a first?  I think it is because it 
>is the first time we've got a readily identifiable tribe as 
>victim, rather than dispersed individuals, and, the damages are 
>not in dispute.

I think this is an important point. Most of the other attacks 
hit individuals who can be blamed for doing things like 
answering Nigerian email. Most people think they are too smart 
to be a victim.

>A continuing-forever problem we have with security as a 
>business is that it is very hard to put a number on the 
>damages.  Without knowing what you are trying to achieve, it's 
>basically a voodoo art to know how much to spend.  If you go 
>out and start calculating direct damages as incurred by 
>businesses for hacks, the information is incredibly sparse.

We have the same problem with scams in general. 
People/businesses/governments are too embarrassed to report 
their losses, so it is hard to come up with a number.

>>The next question is, will an event which affects individuals have an
>>effect on net security? The costs of cracks have had an effect on
>>businesses. Will this crack change individuals' behavior?
>Yep - a question.
>Heartbleed had an effect.  If you believe in improving 
>security, does this mean you believe in more Heartbleeds?

I think there may be more effective ways to improve security, 
but on the other hand, I've been trying to improve security for 
many, many years, without notable success. If I could publicize the 
costs, organizations and individuals might have a rational 
reason to opt for better security.

Cheers - Bill

Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
