There is a story out that Russian cyber gangs stole 1.2 billion passwords. I think the story is FAKE. You’ll notice the story lacks any details about who and how this happened. They say it was from 400,000 web sites. Running what? How could they know that? I think it’s bull.


  1. Tim says:

    You noticed that too, huh? My miff stems from the only link to the claim on my regulars being the NYT paywall site. For a whole day! — Even from the HN (Y Combinator) link to the NYT this morning….

    “With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

    I guess they didn’t have to say ‘Yahoo!’, … , gaysexymidget, …

    “Do not panic! Try to strategize.” — I note that these guys are offering three subscription services to nag you in the future to pay them to protect you from this kind of thing…


    But, being full of pi, I feel this is another *ruse*. Perhaps somebody is remastering a record of misplaced names/numbers and they want everybody checking everything now to correlate some several categories of known/unknowns??

    • NSA says:

      Yea, that is it. There is this bitch running for water commissioner district #5 that we would like to blackmail. We have her password for but forgot what she looks like — and they are all sluts there.

      We’re mostly interested in old/abandoned accounts somebody may have set up from a library or something…. Also, we think you might have ebola and we’re gonna break out of our benevolent guidance to go ahead and let you know.

  2. Tim says:

    “Running what? How could they know that?”

    That part is relatively straightforward… unless you think it reprehensible to port scan — it will tell you what is running on those ports; find the application vulnerable to the SQL injection and then wonder why my neighbor hasn’t already done that to me…

  3. Dummy Up! says:

    If you think it’s bull then perhaps this lil’ bit o lernin’ will help:

    Now that you have watched, you too now know that stealing passwords is total Hollywood crap! But stealing personal information like that which might be contained in an address book or database is a completely different matter — and still, passwords aren’t saved like that.

    So it seems to me that another so-called unbiased (plagiarizing) junior journalist has struck with some more bogus facts. It’s probably in some kind of twisted attempt to once again vilify Russia, since the first step in any war is to vilify one’s own enemy (usually by de-humanizing them as criminals and then as low-brow unintelligent animals). That’s not to say that there isn’t a story to be told here — and we still haven’t got all the details. But if you thought anyone in the news “business” (like a reporter) had his/her facts straight, think again!

    CBS does seem poised to become the next FOX or CNN when they allow crap like this to happen. So perhaps the bigger story here might be who allowed it to go to press.

    • Tim says:

      “Now that you have watched, you too now know that stealing passwords is total Hollywood crap!”

      Ouch! I’d have thought you’d have heard of *rainbow tables*, being a flamer and all…

    • The Ad Council says:

      stealing passwords is total Hollywood crap!

      wait until you hear our child safety seat ones…

    • Dummy Up! says:

      Let me clear something up:

      … stealing actual passwords is total Hollywood crap! But stealing information which might be contained in an address book or a database (which MIGHT even have a password written down in said database) is a completely different matter — and still, passwords aren’t usually saved like that. NOT by competent professional entities, that is.

      Very simply, (ASCII) passwords are NOT kept in a database as most of YOU and even certain CBS journalists seem to believe. HASHES (which require mathematical computations to reconstruct) ARE! But then, you’d know that if you watched the video which explains it.
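
An added example, not code from this thread or from anyone it discusses, to make the rainbow-table and hash-vs-plaintext exchange above concrete. It shows three ways a site might store “idontcare”: as plaintext, as a bare SHA-256 (which one precomputed table cracks for every site that does the same), and as a salted, slow PBKDF2 hash (where the table is useless and each guess costs a full KDF run per account). The wordlist and the “stolen” hashes are constructed for the demo; the function names are this example’s own.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the guesses an attacker would feed
# a rainbow table or dictionary attack; none of this is real leak data.
COMMON_PASSWORDS = ["123456", "password", "idontcare", "letmein", "qwerty"]


def store_plaintext(password):
    """What the TV version of the story implies: the password itself is on disk."""
    return password


def store_unsalted(password):
    """A bare SHA-256: better, but the same password always gives the same
    hash, so one precomputed table cracks every site that stores it this way."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The record carries everything needed to verify later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_lookup_table(wordlist):
    """Stand-in for a rainbow table: hash every guess once, up front."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(stolen_hashes, table):
    """Every stolen unsalted hash is a dictionary lookup; nothing is hashed
    per victim, which is why a precomputed table scales to a huge dump."""
    return {h: table[h] for h in stolen_hashes if h in table}


def crack_salted(records, wordlist):
    """With per-record salts the table is useless: each guess has to be run
    through the full KDF against each record. Returns what was found and
    how many KDF evaluations it cost."""
    found, cost = {}, 0
    for record in records:
        for guess in wordlist:
            cost += 1
            if verify_salted(guess, record):
                found[record] = guess
                break
    return found, cost
```

The point for the thread: a dump of unsalted hashes is one dictionary lookup per row, so “they only got hashes” is cold comfort for common passwords; a dump of salted PBKDF2 records forces the attacker to pay the KDF cost per guess per account, which is what actually makes the stolen data slow to turn into logins.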

  4. bobbo, everything I know, I learned on the Discovery Channel says:

    Still suffering from a RAT… I BELIEVE whatever this OP is about.

    I do believe it is one password stolen 1.2 billion times.

    I’m not a math guy, but I think the equation works.

    Looks like I “may” have gotten the Trojan ADH2, and Comcast’s free Norton Anti-Virus may have cleaned it out. I don’t know….. magic is like that.

  5. Mysterious Insider says:

    This story is simply a way to encourage many to change their passwords so that the latest gathering techniques can gather.

    • Tim says:

      I think you are correct, sir. And, since this is an American firm, I’d give as much credence to their analysis toward ‘secure’ as I would their avid disavowal of their love of fishheads.

  6. bobbo, everything I know, I learned on the Discovery Channel says:

    Still working on my Trojan, I read the short article at the link.

    I believe it. No reason not to.

    I suspect that most of the passwords are irrelevant ones to recipe forums, ZaptoIt tv Listings, Facedbook, and what not.

    NOT, the basis of our growing economy: the encrypted transaction cash for goods and services accounts?

    …although from what I’ve been looking at the last few days, I don’t see how the key logging Trojans wouldn’t be causing a meltdown RIGHT NOW! Spidey tells me the “banks” can tell when the cash transfer request comes from the “real” computer versus a Trojaned computer; otherwise our entire financial system would be gray goo right now.

    What am I missing?

  7. Nick the Rat says:

    I think its fake too. Why aren’t NA posted here anymore? :(

    • Tim says:

      Probably since we’re a bunch of asstards kibitzing about bullshit instead of commenting on the show.

      Adam and John do such a good job, there is no need to… However, some may wander here to this necro-chamber and get the wrong idea.

    • pedro says:

      I didn’t notice! Then again, I stopped listening eons ago so maybe I didn’t notice because I don’t give a damn.

  8. Just_AC says:

    Me, the most common password I use is “idontcare”. Do I REALLY care that I have to have a user id and password to submit comments to the local paper? Hell no! Now, if it’s something I care about, like my bank, I use a simple scheme that I was taught a long time ago. Think of a song, then add something else, like the first name of the girl you lost your, ahem, virginity to.
    So, the ants go two by two and Cindy turns into

    TAgm2x2TAgm2x2C1ndy – figure that one, Putin!

    • Tim says:

      “like the first name of the girl you lost your, ahem, virginity to”

      fuck. me. running. Is there an ASCII for {null string}??

  9. CrankyGeeksFan says:

    I think that the story is more real than not. Forbes security writer Kashmir Hill found out last night that Hold Security was charging a person $120 to see if they’ve been hacked. The company has since taken down the page. Here’s her story with a screenshot of this page:

    The New York Times article that broke the story states a very plausible method – Use of giant botnets that direct the infected computers to execute an SQL injection against a website upon login from the infected botnet computer.

    Question: Couldn’t this be prevented if the passwords were stored in encrypted form?

    • Dummy Up! says:

      Yes! Thank you for something a little more credible than some idiot with CBS saying the sky is falling.

      “… passwords stolen.” Kiss my ass! It was INFORMATION that was stolen. Even more interesting is how it was done — or allowed to happen.

      The fact that any database is so easily accessed is the real story here. It’s a bit like a 7-11 using a part of the check out counter for storage of money instead of putting it in a cash register or any other kind of drawer and then being shocked that some/all of it was stolen.

      The fact that actual passwords and not password hashes are even kept is another issue. The very thought of storing user passwords along with user credentials in the same company database should have people up in arms. And not just stored in one old database but one that is either unencrypted or encrypted with a very crackable password itself! (Psssst! the password is “password” Mister Ludden.)

      Sure, you might want to mention the criminals. But it’s really a wonder that with such rampant pompous stupidity in the IT circles that everyone in every developed country isn’t a victim of ID theft by now.

    • Tim says:

      A pretty nifty ‘splainer.

      From a reader comment

      — Hold Security already reported this 2 months ago. At that time with zero details. Now a bit more, but it is also introducing its new paid service to see if you are hacked.

      Now don’t get me wrong, it is fine to earn money on work like this, but it feels in this case like recycling an old discovery for PR purposes … —


      SQL? where have I heard this before??

      School: …Did you really name your son Robert'); DROP TABLE Students;-- ?

      • OnslDave says:

        Krebs would be more convincing if he weren’t on Hold Security’s board and hawking his own book on the subject in his article. . .

        • Tim says:

          I’ll admit that it’s probably the first time I’ve visited the site… I’ve always just taken the excerpts as ‘pretty credible’… I guess I still think that, as his writing ‘rings true’ to an uninitiated such as myself.

          Deer in headlights?? Having to explain that his wife is having a rather heavy period and wouldn’t want to bleed all over the seats??

          I feel his pain.

        • NotSA says:

          “The basis of the world economy is not gold, silver, or even uranium but, rather, cereal boxtops. Fiduciary Blurt, the head of the World Economic Council, has informed members that someone is flooding the market with counterfeit box tops, threatening to devastate the world economy. Suspicion quickly falls on Bullwinkle, who has amassed tens of thousands of box tops. However, Bullwinkle has come by his fortune legitimately, and once his name has been cleared he is asked to appear before the Council as an expert on box tops. Blurt also summons his chief security officers, Hemlock Soames and Dr. Watkins, who are actually Boris and Natasha in disguise.”

          Krebs better get a disguise!

  10. bobbo, a new Nom de Flame: the hair on fire CACC who understands why first fermentation stops at 13%, and so will Hoomans says:

    Story gets more detailed: here is a short article implying most of the info is probably garbage of little worth:

    Given I’m still sensitive to these types of issues, I’ll be going through this info closely:

    Knowledge is Power===>to the stars, and beyond!!!!!

  11. HUGSaLOT says:

    Just another attempt at FUD. Fear, Uncertainty, and doubt.

  12. NotSA says:

    “Thursday morning, the Milwaukee Journal Sentinel says Holden is getting heat for capitalizing on its discovery — by introducing a new service to notify companies of data breaches.

    The paper also says Holden’s college credentials are in question. His LinkedIn page said he graduated from UW-Milwaukee with an engineering degree in 2001 — but the school said he merely attended the school without graduating.

    Holden cited a technical issue and a misunderstanding — and he would correct the information. The 39-year-old expert emigrated to Milwaukee from the former Soviet Union when he was 14.”

    (Story courtesy of Wheeler News Service)

    “The disclosure catapulted Hold Security LLC founder Alexander Holden, who immigrated to Milwaukee with his parents from the former Soviet Union at age 14, onto the front page of The New York Times.

    But it also brought out detractors who criticized Hold Security for capitalizing on the news by rolling out a $120-a-year service notifying companies of data breaches.

    And while Holden’s LinkedIn page indicates he holds an engineering degree from the University of Wisconsin-Milwaukee, and he also told a Journal Sentinel reporter he graduated from the school in 2001, UWM said its records show he only attended and did not graduate.

    At the same time, widely respected cybersecurity blogger Brian Krebs, who broke the news last December of the Target data breach, backed Holden on Wednesday. Writing on his blog, KrebsonSecurity, he called Holden “a talented and tireless researcher” whose work has been central to several of Krebs’ revelations.”

    I don’t know. There’s so much fraud that faking it seems like a waste of time. Trying to monetize it? I’m working on Secvrity Made Stvpid. Do a cheese engraving!

  13. NotSA says:

    What is Science?
    “Put most simply, science is a way of dealing with the world around us. It is a way of baffling the uninitiated with incomprehensible jargon. It is a way of obtaining fat government grants. It is a way of achieving mastery over the physical world by threatening it with destruction….Science for Everyone
    Sound simple? It is.
    Once, when the secrets of science were the jealously guarded property of a small priesthood, the common man had no hope of mastering their arcane complexities. Years of study in musty classrooms were prerequisite to obtaining even a dim, incoherent knowledge of science.
    Today, all that has changed: a dim, incoherent knowledge of science is available to anyone. Popular science books, magazines and computer programs – with their simple, fatuous and misleading prose, their garish illustrations, their flimsy modern production values – have brought science within the reach of anyone who can afford their inflated prices or who can mooch off someone else.
    Indeed, today a myriad of sources are available to explain science facts that science itself has never dreamed of.
    This web site is one of them. ”

    With security made stupid everyone can now afford security.

  14. NotSA says:

    Fearless Leader
    A reference to the Rocky and Bullwinkle cold-war cartoons, Fearless Leader was Boris Badenov’s boss. We apply this term of endearment to all project leaders, managers or other authority figures that take credit for your successes, take no credit for failures, and in general don’t have a clue as to what you’re trying to accomplish! Don’t say “The Fearless Leader”, just refer to “Fearless Leader” as a proper name or you’ll be screwing up this unique reference that no one under the age of 40 will get!

    Here’s some Rocket J. Squirrel and Bullwinkle trivia: who was Fearless Leader’s (unseen) boss? Mr. Big!

    Real slang-real story.

    “According to the Rialto Theater’s “Moosebill” for “Downhill: The Musical” (a special table of contents insert created for the DVD box set Rocky and Bullwinkle & Friends, The Third Season), Boris was educated in the Pottsylvania public schools before taking a scoundrelship to U.S.C. (the University of Safecracking), from which he graduated magna cum louse. He has a cast-iron stomach; and because of it was one of only three survivors of the ruling clique of Pottsylvania, the other two being his superiors Fearless Leader and Mister Big. Boris enjoys light reading; his favorite book is an anthology of fiendish plans called the Fireside Crook Book. He is also a charter member of the Van Gogh Society, a Pottsylvanian club whose members collect human ears.”

    Got your ears on?

  15. NotSA says:

    All of America’s TV antennas have gone missing. The culprit is an army of 6-foot-tall (1.8 m) robot mice from the moon, led by Boris Badenov. The plan, concocted by Mr. Big, is to get everyone to leave the USA.

    Everybody follow Snowden to Russia!

  16. NotSA says:

    To “dry-lab the data” means to fake it. A correct usage: President Bush dry-labbed the Iraq WMD data. The origin of the word is in chemistry, where a “wet” experiment is left unperformed. Faking data is always a bad move; do it regularly and you will get caught, like when Dateline caught Dr. Patel in 2011… watch the video below and you might understand why this is another area that the government really should regulate. Like banks, Wall Street, the environment, there are always greedy people that require close supervision for the common good. So far, Dr. Patel is still in business, as there is no government regulation of dietary supplements or the people that test them. Examples of dry-labbing in microwave production facilities include qualification data…. honest, we did 250 thermal cycles on your hardware….
    An even worse idea than dry-lab data is selling it as wet. Your whistle blowers will do that free of charge.

  17. NotSA says:

    “Community Health Systems Inc., agreed to pay $98.15 million in a settlement with federal officials August 4 to resolve several lawsuits alleging the company knowingly billed government health care programs for inpatient services that should have been billed as observation or outpatient services. – U.S. Department of Justice”

    I’m old, I remember when all that resulted in bankruptcy and liquidations. With all the criminals operating the business it makes the politicians look honest. Find more criminals to run things to ratchet up the fines to keep the bloated bureaucracy looking busy. They must have run out of VA dough to steal or people to kill and now are killing each other. It’ll be fine.

  18. NotSA says:

    If someone is selling it, run away -- you don’t want to be around when it breaks

    Goes back to a pre-crypto principle called geographic entitlement
    •More modern term: location-limited channel

    Thatz science! Sand County Almanac? “The passenger pigeon, a bird whose giant flocks once darkened the skies of the American Midwest, is no longer alive. Neither is the giant moa or the Irish elk.”

  19. NotSA says:

    “Keepassing your credentials synced and under control

    Do you use the same few passwords over and over? Is there a piece of paper with hard-to-remember ones somewhere? How about a file that lives on five different devices and is never up-to-date?

    Even the most secure passwords can be broken with a $5 wrench. Long forgotten websites are frequently compromised. Files can be stored in The Cloud, but is that really where such sensitive data should be?

    I will demonstrate how keepassx and git-annex can be combined to maintain and synchronize all of your secure credentials.”

    A $5 wrench is cheaper than $120 notification service.

    Real Crime
    Natasha is supposedly the only child of Axis Sally and Count Dracula. A former Miss Transylvania, she was expelled from college for subversive activities at a local cemetery. She traveled from Transylvania to the United States at the age of 19, landing in New York, where she spent two years posing for Charles Addams and as the party girl who pops out of the big cake at embalmers’ stag parties. She met Boris Badenov in 1948, when they were both arrested for throwing rocks at Girl Scouts hawking Girl Scout Cookies. Boris was immediately smitten with her charms, and they have been partners in crime ever since. In her spare time, Natasha raises tarantulas and is the National Chairman of the Society to Restore The Real Meaning of Halloween.

  20. NotSA says:

    Dr. Microsoft, How I learned to stop worrying and love NTLM.

    “In 2012 Microsoft published an 82 page paper, “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques”, that includes policies and procedures around protecting from and mitigating Pass-the-Hash attacks. These procedures place the responsibility on the system administrators, and users. They also say little about the underlying issue of the flawed authentication.

    Adopting policies and procedures is a good way to mitigate these attacks, however we believe the focus should be on moving forward and making NTLM obsolete in the enterprise environment. NTLM authentication has been the cornerstone of Windows authentication for over a decade, with NTLMv2 and client/server challenges being the pinnacle of development. A strong and complex password can make cracking harder, but it’s not fool proof.

    Despite that, the existence of relay and Pass the Hash techniques/tools undermines nearly all of the mechanisms of NTLMv2. We will demonstrate some of the vectors that we have found to be the most useful in the course of every day security testing. Once domain access is obtained, it’s only a matter of time before it’s game over.”

    Natasha’s main catchphrase is referring to everyone as “dollink” — that is, “darling” as spoken with her thick Pottsylvanian accent (a mock-Russian accent) — an homage to actress-socialite Zsa Zsa Gabor

    Work arounds?
    “HamWAN: Running Secure Networks on Amateur Radio

    The FCC rules of using Amateur Radio spectrum are unique in that they explicitly forbid encryption. How then does one stand a chance of implementing a modern secure network with such a restriction? This talk outlines some of the unique solutions HamWAN had to devise to ensure compliance while providing a strict security model, which includes identity and integrity all without secrecy. We’ll also cover open problems which some of you may have solutions for! Amateur radio offers a lot of spectrum for free. It’s up to us to figure out how to make networks compatible with it so it’s useful in the digital age.”

  21. NotSA says:

    Detecting and Defending against State Actor Surveillance

    “This talk is based on recent leaks that show how state actors could be engaging in surveillance against people they deem as ‘threats’. I will cover the basics on what was leaked, and cover a pragmatic approach on how to detect hardware bugs, implanted radio transceivers, firmware injections and cellular network monitoring.

    No need to bring your tin-foil hats though, the discussion here is a pragmatic approach to how to detect such threats and identify if you have been targeted. No blind faith approaches, or attempts to sell any privacy snake oil will be found here.”

    Got snake oil? Trials and Tribulations in Applying Lang Sec

    “The goal of Language-Theoretic Security, or Lang Sec, is to identify and stop security flaws that exist because of accepting invalid input and/or valid input that causes unexpected behavior in the host application. The former is nothing new and something we’ve seen for decades. The latter however is something more interesting and more difficult to detect completely. These occurrences have been dubbed weird machines by the language security community.”

  22. NotSA says:

    Computer from ancient Greece

    The ancient Greeks were responsible for such marvels as the catapult and the camera obscura. They invented the astrolabe, a forerunner of the sextant, which aided marine navigation by (among other things) measuring the angle between the horizon and the sun or other celestial bodies. By the end of the first century B.C., they had even invented the odometer, which measured the distance a cart or carriage traveled. So when it comes to engineering, they were no slouches. When it comes to preserving their most advanced inventions for posterity…well, that’s another story.

    It should not require passwords to be useful. Next thing you know they’ll want to prosecute people based on computer generated evidence. You’ll have to prove your passwords were stolen and you did not do it and pay them to back up your claims. DROP DEAD! No $120 do not pass Go do not collect $200. It’s the American Way! Mofo Russians, eh?

  23. NotSA says:

    World’s First Computer Rebuilt, Rebooted After 2,000 Years
    “Now, though, it has been rebuilt. As is almost always the way with these things, it was an amateur who cracked it.” A $5 wrench will crack your password. They want plumber rates. $120 my arse crack.

  24. NotSA says:

    “He has done a lot of research on intelligence,” Roberts said, adding that he hired Holden in a start-up company several years ago.

    “He has gone off and done his own thing. He has his way of doing it — very different than mine.” Roberts said Holden can sometimes grow frustrated with corporate clients.

    “All of us want them to get better, but we have different ways of approaching it,” Roberts said. “Ours is to try to be instructive. His way is very much more of a baseball bat, confrontational.”

    Writing on his blog, Krebs said he has known Holden for nearly seven years and has been an unpaid adviser at Holden’s request.

    Krebs described Holden as “forthright and honest,” and praised his research skills. He said the discovery of the huge cache of stolen email credentials in Russia was legitimate.

    That $4K you made required $100K in sales. The baseball bat approach changes all that. Make $4K without any sales.

    New racket: ” Lurk-flinging cybercrooks have infected over 350,000 computers, turning them into click-fraud bots that have earned them thousands of dollars, Dell SecureWorks estimates.”

    Earned might be the wrong word. That assumes actual gains on both sides of the balance beam. Earn a living with baseball bats and no fans in the stands.

  25. NotSA says:

    Maybe stick with instructive. Avoid baseball bat confrontational types. You can do some work. My house demo turned into a real estate riches deal. These are the sort of people reselling used cars after floods. In a dead economy the zombies multiply faster than the suckers and with the new casinos we’re banking on more suckers showing up. You used to just increase the payout. There was something to payout with. Stealing is the new earning and Snowden is a national hero. Go back to Russia. Be careful flying.

  26. pedro says:

    Bobbo’s competitor wins!!!!!!!!!
