Graphics processor biz NVIDIA has contacted users of its discussion forums and Developer Zone to warn that its servers have been hacked. The message boards hosted at forums.nvidia.com and the programming resource developer.nvidia.com were breached last week. Data lifted from the compromised systems included account passwords …
"As soon as the chip designer became aware of the attack it shut them down" -- Didn't anybody think to contact the Webmaster?
It's nice to see...
It's nice to see a technology company being sensible, and upfront about what's happening. I mean you'd expect them to be, but so many won't these days.
Salted passwords? Check
Advised users clearly about what information was possibly accessed? Check
Advised users to change passwords "Just in case"? Check.
Well done nVidia, while I might hate some of your practices concerning drivers, at least you seem to be sensible with your users' data.
NVIDIA has a lot of disgruntled customers, given NVIDIA's distaste for the open-source community and their abandonment of developers. They might want to start looking there first.
Re: NVIDIA, Again
Or perhaps just any developer using the site.
Download anything, need a devzone sign up, which needs them to 'approve' your use.
Then download CUDA and that's a different cuda-zone signup; some feature needs the unreleased beta of NSight, so you need to sign up for the parallels preview zone site.
All these sites look identical - NVidia only have one web designer - but they all have separate logins AND the security rules (one uppercase, three Klingon chars) are all different.
There is only one way to stop passwords being stolen from a web server
The only way to be certain something can't be stolen from a web server is to not have it stored on that web server.
It is well past time that passwords were stored on a physically separate box. The server sends it a user name / password pair, and after a fixed time interval (to stop analysis attacks) the box sends back a 1 or a 0.
It would also need to accept new accounts and amended passwords. It would need very strict control of those of course. That must be designed in from the start so that no possible input value can compromise it.
It is not expensive to do this. For small systems it could be implemented on elderly kit running a pre-packaged Linux app, and for sites that have much more traffic they presumably have enough money for better kit. Sod it, you could run a lot of sites using a Raspberry Pi!
There's also an ID sent with each request and returned with the result so you know which request it's replying to.
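The separate password box sketched in the post above, as an added example that is not from the post or from any NVIDIA system: an in-memory store of salted hashes (the web server holds none of them), a verify call that answers (request id, 1 or 0) only after a fixed interval, strict whitelisted input for new accounts, and password changes gated on the old one verifying. The KDF choice, field limits and delay are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import time

# Fixed reply interval (seconds): the box answers after this long whether the
# user is unknown, the password is wrong, or the check succeeded.
FIXED_DELAY_S = 0.05
PBKDF2_ROUNDS = 50_000  # assumption: any slow salted KDF would do here

def _salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class PasswordBox:
    """Stand-alone verifier: holds the only copy of the salted hashes."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[bytes, bytes]] = {}
        # Dummy entry so an unknown user costs the same work as a known one.
        self._dummy = (os.urandom(16), bytes(32))

    def add_account(self, username: str, password: str) -> bool:
        # Strict, whitelisted input: no control characters or spaces reach the store.
        if not (1 <= len(username) <= 32 and username.isalnum()):
            return False
        if not (8 <= len(password) <= 128) or username in self._store:
            return False
        salt = os.urandom(16)
        self._store[username] = (salt, _salted_hash(password, salt))
        return True

    def verify(self, request_id: int, username: str, password: str) -> tuple[int, int]:
        """Returns (request_id, 1 or 0); the id lets the caller match replies to requests."""
        started = time.monotonic()
        salt, expected = self._store.get(username, self._dummy)
        ok = hmac.compare_digest(_salted_hash(password, salt), expected)
        # Pad to the fixed interval so the reply time does not leak the outcome.
        time.sleep(max(0.0, FIXED_DELAY_S - (time.monotonic() - started)))
        return request_id, int(ok)

    def change_password(self, username: str, old: str, new: str) -> bool:
        # An amended password is accepted only when the current one verifies first.
        if self.verify(0, username, old)[1] != 1 or not (8 <= len(new) <= 128):
            return False
        salt = os.urandom(16)
        self._store[username] = (salt, _salted_hash(new, salt))
        return True
```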
Re: There is only one way to stop passwords being stolen from a web server
Again with this hash nonsense?
"a one-way encrypted hash"
Why do Reg writers insist on getting this wrong?
It's a cryptographic hash. I haven't found any claim (from a reputable source) that Nvidia actually encrypts its hashes, and that would be an implausible and not-very-useful practice anyway. "Encrypted" does not mean "cryptographic".
And like any non-perfect hash, cryptographic hashes are always "one-way" (in the sense of being functions with much more expensive inverses). That's one of the requirements.
This is supposed to be a tech site, so please, please, please stop using the phrase "one-way encrypted hash". Get it right or stop writing about it.