Feeds

back to article NVIDIA Developer Zone, user forums plundered in hack attack

Graphics processor biz NVIDIA has contacted users of its discussion forums and Developer Zone to warn that its servers have been hacked. The message boards hosted at forums.nvidia.com and the programming resource developer.nvidia.com were breached last week. Data lifted from the compromised systems included account passwords …

COMMENTS

This topic is closed for new posts.
Silver badge
Coat

"As soon as the chip designer became aware of the attack it shut them down" -- Didn't anybody think to contact the Webmaster?

0
2
Thumb Up

Its nice to see...

Its nice to see a technology company being sensible, and upfront about whats happening. I mean you'd expect them to be but so many won't these days.

Salted passwords? Check

Advised users clearly about what information was possibly accessed? Check

Advised users to change passwords "Just in case" Check.

Well done nVidia, while I might hate some of your practices concerning drivers at least you seem to be sensible with your users data.

7
0
Bronze badge
FAIL

NVIDIA, Again

NVIDIA has a lot of disgruntled customers, given NVIDIA's distaste for the open-source community and their abandonment of developers. They might want to start looking there first.

0
0
Silver badge

Re: NVIDIA, Again

Or perhaps just any developer using the site.

Download anything, need a devzone sign up, which needs them to 'approve' your use.

Then download CUDA and that's a different cuda-zone signup, some feature needs the unreleased beta of NSight so you need to sign up for the parralels preview zone site

All these sites look identical - NVidia only have one web designer - but they all have separate logins AND the security rules (one uppercase, three klingon chars) are all different.

1
0
Silver badge
Boffin

There is only one way to stop passwords being stolen from a web server

The only way to be certain something can't be stolen from a web server is to not have it stored on that web server.

It is well past time that passwords were stored on a physically separate box. The server sends it a user name / password pair, and after a fixed time interval (to stop analysis attacks) the box sends back a 1 or a 0.

It would also need to accept new accounts and amended passwords. It would need very strict control of those of course. That must be designed in from the start so that no possible input value can compromise it.

It is not expensive to do this. For small systems it could be implemented on elderly kit running a pre-packaged Linux app, and for sites that have much more traffic they presumably have enough money for better kit. Sod it, you could run a lot of sites using a Raspberry Pi!

2
0
Silver badge

(to clarify)

There's also an ID sent with each request and returned with the result so you know which request it's replying to.

0
0
Silver badge
Facepalm

Re: There is only one way to stop passwords being stolen from a web server

Those who do not learn from history are doomed to repeat it

2
0
Silver badge

Again with this hash nonsense?

"a one-way encrypted hash"

Why do Reg writers insist on getting this wrong?

It's a cryptographic hash. I haven't found any claim (from a reputable source) that Nvidia actually encrypts its hashes, and that would be an implausible and not-very-useful practice anyway. "Encrypted" does not mean "cryptographic".

And like any non-perfect hash, cryptographic hashes are always "one-way" (in the sense of being functions with much more expensive inverses). That's one of the requirements.

This is supposed to be a tech site, so please, please, please stop using the phrase "one-way encrypted hash". Get it right or stop writing about it.

0
0
This topic is closed for new posts.