Correction ...
"Actually only 10,000 stolen passwords so far ... enter all of yours below, tell all your friends and we'll hit the 1.2bn mark in no time!"
Hey guys. We've got 1.2 BILLION stolen accounts here. Send us your passwords, 'cos safety
The backlash is growing against the infosec firm that claimed it had uncovered a Russia-based gang's stash of 1.2 billion nicked website passwords. Hold Security claimed the gang was hoarding over a one billion unique stolen usernames and passwords, siphoned off from insecure websites vulnerable to SQL injection and other …
-
-
Thursday 7th August 2014 20:42 GMT Midnight
Wait, I think I saw this web page before...
"To find out if your account has been compromised, just enter your login and password below."
This sounds perfectly legit. I don't see any reason why not to do that...
*click click click* *submit*
"It has been now. Thank you and have a nice day."
-
-
Friday 8th August 2014 02:14 GMT dan1980
Re: Hold Security was leveraging its claimed discovery
@AC
Are you actually calling the author a 'pretentious twat'? May I suggest that the next time such a sentiment overcomes you, you instead use the time to close your Register account.
Now, the use of 'leverage' as a verb is questionable, though rather common and the ubiquity of the word can distract people from the fact that leverage is a verb (lever) turned into a noun.
You lever (v) something to create leverage (n), just as you marry (v) someone to create marriage (n). When you dote, the result is dotage, when you store, there is storage and when you pwn, there is pwnage.*
'Leverage', when used as a verb, is a taking a verb (lever), turning in into a noun (leverage) and then using that noun as a verb.
That aside, I am firmly in the descriptive camp when it comes to grammar and the simple fact is that 'leverage' is used as a noun and even recognised as such by the OED. In this I think it is correct as, while a verb already exists ('lever'), it is not necessarily adequate for this task.
When using the verb 'lever', you apply it to the object you are moving. With 'leverage', used as a verb, it is applied to the object you are using to do the levering - the counter weight essentially. Thus, using the existing verb (lever) doesn't convey the same sense and the sentence becomes ugly if you try. Even then, it is likely to be confusing.
Looking at it this way, it is similar to the verb 'commentate'. One might say that a commentator comments but most people would agree that to do so would lose some of the information contained in the word 'commentate'. I can comment on the football last night but that is not the same as someone who was commentating.
We should never forget that the purpose of grammar is to phrase our thoughts clearly in a way that can be understood. When given a choice between clarity and grammatical correctness, erring on the side of clarity is generally the better option.
BUT, all grammar questions aside, and dealing with whether this instance of the word is 'pretentious' or not, we have to ask if the simple verb 'use' would convey the same idea as efficiently.
So let's look at it.
The common usage and understanding of the verb 'leverage' is to make use of a relatively small quantity of resources to obtain a larger quantity of resources, just as one does when operating a lever. In this sense, you can't simply replace 'leverage' with 'use' without loosing some of the meaning or needing to add extra data to the sentence.
This is because, although 'leverage' is very much a buzzword and frequently used indiscriminately, 'use' is very generic. Unlike the more specific verb 'leverage' (or 'lever'), it conveys no information about why or how you are using something. This is because 'leveraging' is, essentially, a method for 'using' one thing to accomplish another thing, with the implication that the method allows someone to get more back than is put in.
* - Not all -age words are exclusively nouns, of course, and it all depends on the origins of the word in question. For leverage, the origin the verb (not noun) 'lever'.
-
-
Friday 8th August 2014 00:20 GMT Anonymous Coward
Leaked code?
(Note, I'm a bit rusty on my PHP)
<html><body>
<?php if (!(isset($_POST['username']) && isset($_POST['password']) && isset($_POST['email']) )) { ?>
<form method="post'>
<p>Enter your log-in details to see if your credentials have been stolen</p>
Email: <input type="text" name="email" />
Username: <input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Check Now" />
</form>
<?php } else { ?>
<p>They have now!</p>
<?php } ?>
</body></html>
-
-
Friday 8th August 2014 07:16 GMT Allan George Dyer
Why didn't they...
Ask the users to enter their email address and send a message to that address saying either:
We have no matching records
or
We have matching records:
i) list the services they relate to
ii) include the hashes so the use can check which passwords themselves
(i) assumes they know which services the stash was stolen from
(ii) might need another validation step to prevent new criminals using it to harvest hashes. But they would need to compromise the target's email address first so not very efficient, and it shouldn't be a problem if the hashes are strong and salted. The other problem is enabling users to check the hashes in the privacy of their own computer.
Even just telling someone, "we have matching records, change your passwords now" is useful and preferable to training users to enter passwords into unrelated sites.
-
Friday 8th August 2014 08:25 GMT Anonymous Coward
(checks Lastpass)
255 sites stored, 255 unique passwords.
All sites with Heartbleed vulnerability had password changed twice.
*This* is why taking on the small, controllable risk of using a password manager far outweighs the risks of not using one.
What is more annoying is of the 255 sites, I probably only use 50. The other 205 were saved when I had to register to buy, or use a forum....
-
Friday 8th August 2014 12:11 GMT Anonymous Coward
Confused?
So they ask for your password(s) to your account(s) and encrypt them on the fly.
How do they then compare them to the stolen credentials?
They would have to know the encryption method (and salt) the site that leaked the password used to compare. If they are saying they are all plain text passwords that have been leaked then they would have to decrypt the provided password to compare.
Huge risk as outlined but others but also making themselves a huge target as they will have some very vaulable data.
Wonder where they stand legally on holding stolen goods?
To be honest they sound worse criminals than the supposed russian hackers
Biting the hand that feeds IT
