back to article Krebs: I know who hacked Ashley Madison

It appears someone closely linked to the hacking gang that ransacked adultery website Ashley Madison has accidentally outed him or herself. Investigative computer security journo Brian Krebs, with the help of pals, today named a Twitter user they believe is involved with Impact Team, which publicly leaked 33 million accounts …

  1. Doctor Syntax Silver badge

    "The most popular password was "123456" (202 of the 4,000),... and 12345 (99)."

    It's good to see that the need for longer passwords is getting through to users.

    1. Mark 85

      I'm waiting to see how many went for the full 8 characters "12345678" per most sites' guidelines. Or maybe they just can't count that high.

      1. Anonymous Coward
        Anonymous Coward

        Incidentally, I discussed this matter with Ello around the time they were getting lots of press and they agreed that they would put a limit on how many people could have the same password. The system would simply reject passwords that too many people already had.

        Dunno if they actually did it.

        1. Destroy All Monsters Silver badge

          I am not sure how I would feel about a popup telling me "too many users have that password already, please choose another one".

          1. Anonymous Coward
            Anonymous Coward

            If they followed my advice, the popup would simply say "This password is too obvious, please try again." - rather like if you chose a dictionary word.

            But like I say I don't know what they did.

          2. Medixstiff

            "I am not sure how I would feel about a popup telling me "too many users have that password already, please choose another one""

            Better yet "Ha, that one will be easy for your wife to guess"

            1. Desidero

              How about, "sorry, your wife and teenage daughter are already using that one"?

            2. This post has been deleted by its author

        2. Michael Wojcik Silver badge

          The system would simply reject passwords that too many people already had.

          It should be infeasible for the system to determine this. If it isn't, then the password storage mechanism is vulnerable to offline attacks.

          The password verifiers should be cryptographic hashes with substantial salt, which would make it computationally infeasible to compare a candidate (plaintext) password against many existing verifiers in a timely fashion.

      2. Medixstiff

        What no qwerty?

    2. Anonymous C0ward

      How do they tell how many users have the same password, if they're using salts, PBKDF etc and not just MD5 or SHA1? Weak.

      1. MacroRodent
        Boffin

        salted duplicate check

        How do they tell how many users have the same password, if they're using salts, PBKDF etc and not just MD5 or SHA1? Weak.

        If salted hash is used, the salt values for all existing passwords are necessarily stored in the authentication database along with the hashes. So the check for same password simply salts and hashes the candidate with each of them and checks if the resulting hash is already in the database.

        1. Bronek Kozicki

          Re: salted duplicate check

          rather than comparing against passwords of other users, the comparison should be against an existing password dictionary - i.e. something that both researchers and blackhats would use to brute force hashes which may potentially leak from the database. I say "potentially" because it's the same as with home insurance - you do not want this to happen, you do not really expect it, but when it does happen you are prepared. Although I have to admire that AM used bcrypt, which gave the passwords good protection and greatly reduced the rate of brute force attack on hashes.

        2. h4rm0ny

          Re: salted duplicate check

          >>"If salted hash is used, the salt values for all existing passwords are necessarily stored in the authentication database along with the hashes"

          No, that is NOT correct. In fact, storing your salt in the database alongside the passwords would be bad practice. You store it elsewhere and just query the database for the salted hash, not do it all on / within the database. All the database needs is the hash, not the salt.

          1. MacroRodent

            Re: salted duplicate check

            No, that is NOT correct. In fact, storing your salt in the database alongside the passwords would be bad practice. You store it elsewhere and just query the database for the salted hash, not do it all on / within the database. All the database needs is the hash, not the salt.

            In any case, you need to store each user's salt value in plaintext so that you can use it when the user logs in. From this point of view, it is irrelevant if it is the same database, or a separate one for the salts. So all the salt values are available if you want to check if the user's candidate password is already in use by someone else.

            1. h4rm0ny

              Re: salted duplicate check

              >>"In any case, you need to store each user's salt value in plaintext so that you can use it when the user logs in."

              This is correct, but the original statement was not. You do store your salt in the database - certainly not in the one that contains your password hashes. So for example, the webserver might have the salt, and it will use that to send only the hash to the database. That way if your database is compromised, the salt may not be. If people are going to use the Boffin icon and correct others, they should get their facts right. It is not necessary to have your salt in the database and is actually a bad thing to do.

            2. Michael Wojcik Silver badge

              Re: salted duplicate check

              In any case, you need to store each user's salt value in plaintext so that you can use it when the user logs in. From this point of view, it is irrelevant if it is the same database, or a separate one for the salts. So all the salt values are available if you want to check if the user's candidate password is already in use by someone else.

              All true, but this is precisely what should be infeasible once you have a substantial number of password verifiers. The security value of rejecting a "too common" password - which is very small, if there's any at all - doesn't justify throwing a bunch of computational resources at hashing the candidate password with every salt in the database. That's a dumb use of resources to achieve a pointless objective.

              Password-strength restrictions are already a sign of failure: it indicates that users aren't willing to comply with security mechanisms because they see those mechanisms as too expensive for the value they provide. So the user experience is broken or the user doesn't have a clear view of what's at risk (or the risk is perceived as an externality). You have either a user interaction model problem or an economic problem.

              If you aren't able to address that issue in any way other than a password-strength restriction (ie you're admitting failure), there are much, much better checks to use than "gosh, a whole bunch of other people used that password".

        3. Anonymous C0ward

          Re: salted duplicate check

          If salted hash is used, the salt values for all existing passwords are necessarily stored in the authentication database along with the hashes. So the check for same password simply salts and hashes the candidate with each of them and checks if the resulting hash is already in the database.

          So you have to read every row in the table and do some computation on it, before inserting your single new row? Nice DDOS opportunity.

          1. h4rm0ny

            Re: salted duplicate check

            >>"So you have to read every row in the table and do some computation on it, before inserting your single new row? Nice DDOS opportunity."

            That would indeed be a consequence of what they wrote. Happily, despite some people cheerfully upvoting them, they got it wrong. However as I've been downvoted for correcting them, I like your method of actually proving why it's unworkable. Good catch.

    3. Graham Marsden
      Coat

      Remind me...

      ... to change the combination on my luggage...

      Spaceballs: The Coat

    4. Mpeler
      Coat

      Size matters

      Maybe they didn't think that size (erm, length) matters...

    5. Anonymous Coward
      Anonymous Coward

      12345 that's the kind of password an idiot has on his travel luggage.

      1. Danny 14

        travel luggage locks are there to stop accidental lock openings when the cases are bashed about. They aren't strong enough to deter thieves.

      2. h4rm0ny

        >>"12345 that's the kind of password an idiot has on his travel luggage

        And coincidentally the number of times I have heard that joke on El Reg forums..

        1. Anonymous Coward
          Anonymous Coward

          Re: 12345

          That's the kind of off-topic movie quote an idiot posts in the comments, thus distracting from a very serious discussion. And he/she didn't even take credit. Hmm...upvote for trolling?

    6. JeffUK

      The most popular of the passwords he was able to successfully crack...

  2. admiraljkb
    Joke

    ...Finally, if you're sick and tired of endless coverage of the Ashley Madison scandal....

    Dolly Madison bakeries has changed their slogan:

    "Life is short, have an eclair"

    1. Anonymous Coward
      Anonymous Coward

      Re: ...Finally, if you're sick and tired of endless coverage of the Ashley Madison scandal....

      Please tell me this is true. Link please?

      1. Anonymous Coward
        Anonymous Coward

        Re: ...Finally, if you're sick and tired of endless coverage of the Ashley Madison scandal....

        Sadly it appears not to be so - Dolly Madison, so far as I can tell from this side of the Pond, went bust in 2014. :-(

        1. Mpeler

          Re: ...Finally, if you're sick and tired of endless coverage of the Ashley Madison scandal....

          They're back - in Canada. The US part went under, but the Canadian licensee is still going.

          Not too cheap on this side of the pond, though, €12,90 for a 10-pack.

          1. a_yank_lurker

            Re: ...Finally, if you're sick and tired of endless coverage of the Ashley Madison scandal....

            The Hostess Brands (parent) was sold during the bankruptcy proceedings and is still limping around.

        2. admiraljkb

          Re: ...Finally, if you're sick and tired of endless coverage of the Ashley Madison scandal....

          A real shame too, if only they could have held out a little longer, their sales could have really risen to the occasion. Particularly with all the double entendre snackfood names they had. :)

          1. Keven E.

            Sick and tired of endless coverage...

            "Particularly with all the double entendre snackfood names they had."

            This needs chicken/egg research...

            .. Brownie bites? Sno balls? Tiger tails?

    2. Mpeler
      Paris Hilton

      Re: ...Finally, if you're sick and tired of endless coverage of the Ashley Madison scandal....

      All those Ding-Dongs with their Ho-Hos hoovering up the twinkies, zingers, and pom-poms...

    3. This post has been deleted by its author

      1. macjules

        Re: ...Finally, if you're sick and tired of endless coverage of the Ashley Madison scandal....

        Or not, unless it is with another man, as it turns out.

  3. Roo
    Windows

    Halloween ?

    Blimey ! Is it Halloween already ? This is getting creepier by the hour...

  4. stringyfloppy

    How did Impact Team (do we really have to call them that?) contact Krebs? This makes it sound like Krebs knows who is associated with Impact Team and has contact with them.

    1. PleebSmash
      Happy

      Krebs man wins reward, upgrades to become world's cyber guardian.

  5. Anonymous Coward
    Anonymous Coward

    So Krebs thinks Zu is less important than himself, and nobody else likes Thunderstruck... uhhh.. Q.E.D.

  6. Anonymous Coward
    Anonymous Coward

    Thunderstruck

    good song, seen it used well by some ice hockey teams for team enterance, but can't help thinking tempted by squeeze wouldn't have been a better choice

    1. Crazy Operations Guy

      Re: Thunderstruck

      But there are so many other songs that would be much better suited for the breach. "What do you do for money, honey?" popped right into my head, you also got "Caught with your pants down" and dozens of others that would've fit better than Thunderstruck...

      1. skeptical i

        Re: Thunderstruck

        "There's something I must tell you.

        There's something I must say.

        The only really perfect love

        is one that gets away."

        -- The Residents

      2. Anonymous Coward
        Anonymous Coward

        Re: Thunderstruck

        As there were aproximately zero women on the site, a certain Stones anthem springs to mind

      3. Meerkatjie

        Re: Thunderstruck

        Dirty deeds done dirt cheap

    2. Dan Paul

      Re: Thunderstruck @AC

      Does anyone remember that one of the anti Iranian nuclear program viruses played Thunderstruck at full volume on the infected computers back in 2012. I don't think it was Stuxnet or Flame but another one? Anyone think the hackers could be somehow related to the same group>

      https://www.google.com/?gws_rd=ssl#q=virus+plays+thunderstruck

  7. Anonymous Coward
    Anonymous Coward

    the ultimate sausage party

    This article explains everything with the data anyway.

    http://gizmodo.com/almost-none-of-the-women-in-the-ashley-madison-database-1725558944

    1. Turtle

      @Anonymous Coward: Nearly 100% Fraudulent.

      "the ultimate sausage party: This article explains everything with the data anyway. http://gizmodo.com/almost-none-of-the-women-in-the-ashley-madison-database-1725558944"

      /speechless

      1. Anonymous Coward
        Anonymous Coward

        Re: @Anonymous Coward: Nearly 100% Fraudulent.

        30+ million accounts and less than 2000 ladies accounts ever checked their messages even once lol. So sad and so predictable.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Anonymous Coward: Nearly 100% Fraudulent.

          And with numbers that low, you are probably in the territory where a good number of them are sicko men pretending to be women for kicks. So Ashley Madison ends up being like one of those costly Red Light district tourist bars your stag party "crack team" get conned into visiting, where the embarrassed looking clientele are all sad tourists, men, thin on the ground, the drinks cost £100 a measure and the couple of "women" present are weird looking with five o'clock shadow... Allegedly.

          Could say more about James and his beer goggles, but what goes on tour stays on tour.

  8. Anonymous Coward
    Anonymous Coward

    Juries

    It looks like that every prosecutor in the world would like Krebs as juror or "expert" witness. With hard hitting, incontrovertible evidence as he as presented, we will all need to watch our step.

    Note to self - change music to "The Angels" (in particular "Am I ever going to see your face again?") to confuse this genius...

    1. macjules
      FAIL

      Re: Juries

      deuszu gets the drop just before Krebs so Krebs screams like the spoiled little b*tch he is.

      Diddums.

  9. Winkypop Silver badge
    Devil

    Dirty Deeds Done Dirt Cheap

    You got problems in your life of love

    You got a broken heart

    He's double dealin' with your best friend

    That's when the teardrops start, fella

    Pick up the phone

    I'm here alone

    Or make a social call

    Come right in

    Forget about him

    We'll have ourselves a ball

    Dirty deeds, done dirt cheap

    Dirty deeds, done dirt cheap

    Dirty deeds, done dirt cheap

    Dirty deeds and they're done dirt cheap

    Dirty deeds and they're done dirt cheap

  10. h4rm0ny

    Hmmmm

    Reading this I have to conclude one of three things. Either this Twitter account is a dead-end, well protected and untraceable back to any physical body, someone has set them up to be a patsy or, option three, the hacker is an idiot.

    EDIT: I suppose a couple of other possibilities having just had a look at their Twitter feed. Deuszu could just be a fan, playing at being a red-herring. If they and Krebs have a common source for that link then that is viable. Alternately they could be the hacker and are so confident in their concealing of evidence they actually want to "taunt" people with visibility. That would be rather nuts, though. Finding someone who hacked you can be very hard. Finding if a specific someone hacked you, is a lot easier because you can start from the answer and work backwards, as it were.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmmmm

      I was thinking similar things.

      I'm sure Brian Krebs is very smart - and I'm no security expert - but I'm not sure he has really "identified" the hacker as such. He might be right about the Twitter handle but that's not quite the same as having a real name and address where you can rock up with squad cars and a warrant. You need evidence and stuff for that.

      Still, there's a lot more to play out so let's see.

      1. Joe Harrison

        Re: Hmmmm

        Exactly, because everyone who likes a particular song has it playing 24x7. It's not only the song that's being played, Krebs is as well.

  11. TeeCee Gold badge
    Coat

    Let me fix that.

    OzzieAussie hard rock heroes

    Otherwise you'd be talking about Black Sabbath.....

  12. chivo243 Silver badge

    It's just entertainment...

    If there are only 1% women, then I have to believe AM is some sort of perverted online game and not really an infidelity website. It's a real game of chance - chance of getting in touch with a real woman...

  13. John B Stone
    Trollface

    Krebs royalty check is in the post

    Has anyone asked Krebs if the whole point of the hack was as a viral advert for AC/DC?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon