Graphics processor biz NVIDIA has contacted users of its discussion forums and Developer Zone to warn that its servers have been hacked. The message boards hosted at forums.nvidia.com and the programming resource developer.nvidia.com were breached last week. Data lifted from the compromised systems included account passwords …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 13th July 2012 14:53 GMT Miek

"As soon as the chip designer became aware of the attack it shut them down" -- Didn't anybody think to contact the Webmaster?

0 2
Friday 13th July 2012 14:54 GMT DJ Smiley

Its nice to see...

Its nice to see a technology company being sensible, and upfront about whats happening. I mean you'd expect them to be but so many won't these days.

Salted passwords? Check

Advised users clearly about what information was possibly accessed? Check

Advised users to change passwords "Just in case" Check.

Well done nVidia, while I might hate some of your practices concerning drivers at least you seem to be sensible with your users data.

7 0
Friday 13th July 2012 15:38 GMT BillG

NVIDIA, Again

NVIDIA has a lot of disgruntled customers, given NVIDIA's distaste for the open-source community and their abandonment of developers. They might want to start looking there first.

0 0
1. Friday 13th July 2012 16:04 GMT Yet Another Anonymous coward
  
  Re: NVIDIA, Again
  
  Or perhaps just any developer using the site.
  
  Download anything, need a devzone sign up, which needs them to 'approve' your use.
  
  Then download CUDA and that's a different cuda-zone signup, some feature needs the unreleased beta of NSight so you need to sign up for the parralels preview zone site
  
  All these sites look identical - NVidia only have one web designer - but they all have separate logins AND the security rules (one uppercase, three klingon chars) are all different.
  
  1 0
Friday 13th July 2012 18:32 GMT Christoph

There is only one way to stop passwords being stolen from a web server

The only way to be certain something can't be stolen from a web server is to not have it stored on that web server.

It is well past time that passwords were stored on a physically separate box. The server sends it a user name / password pair, and after a fixed time interval (to stop analysis attacks) the box sends back a 1 or a 0.

It would also need to accept new accounts and amended passwords. It would need very strict control of those of course. That must be designed in from the start so that no possible input value can compromise it.

It is not expensive to do this. For small systems it could be implemented on elderly kit running a pre-packaged Linux app, and for sites that have much more traffic they presumably have enough money for better kit. Sod it, you could run a lot of sites using a Raspberry Pi!

2 0
1. Friday 13th July 2012 18:37 GMT Christoph
  
  (to clarify)
  
  There's also an ID sent with each request and returned with the result so you know which request it's replying to.
  
  0 0
2. Friday 13th July 2012 19:01 GMT Tom 38
  
  Re: There is only one way to stop passwords being stolen from a web server
  
  Those who do not learn from history are doomed to repeat it
  
  2 0
Friday 20th July 2012 21:34 GMT Michael Wojcik

Again with this hash nonsense?

"a one-way encrypted hash"

Why do Reg writers insist on getting this wrong?

It's a cryptographic hash. I haven't found any claim (from a reputable source) that Nvidia actually encrypts its hashes, and that would be an implausible and not-very-useful practice anyway. "Encrypted" does not mean "cryptographic".

And like any non-perfect hash, cryptographic hashes are always "one-way" (in the sense of being functions with much more expensive inverses). That's one of the requirements.

This is supposed to be a tech site, so please, please, please stop using the phrase "one-way encrypted hash". Get it right or stop writing about it.

0 0