Recently, a popular website "phpbb.com" was hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals, because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.
This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords.
The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character". Most people satisfied this requirement by simply appending '1' to the end of their passwords. The phpbb site has no such restrictions, so the passwords are shorter and rarely contain anything more than a dictionary word.
It's hard to judge exactly how many passwords are dictionary words. A lot of things like "xbox" or "pokemon" are clearly words, but not in an English dictionary. I ran the phpbb passwords through various dictionary files, and came up with a 65% match (for a simple English dictionary) and a 94% match (for "hacker" dictionaries). The dictionary words were overwhelmingly simple things, like "apple" or "orange", rather than complex words like "pomegranate".
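As an added illustration (not the author's analysis program, whose code is not on this page), here is a small Python audit that classifies a constructed set of passwords against constructed word lists the way the post describes, separating bare dictionary words from the "word plus appended digit" pattern that policies like MySpace's tend to produce:

```python
import re
from collections import Counter

# Constructed sample passwords in the style the post describes; these are
# NOT taken from the phpbb or MySpace leaks.
SAMPLE_PASSWORDS = [
    "apple", "orange1", "pokemon", "xbox", "Password!",
    "qwerty", "pomegranate", "j7$Kq2!p", "apple2008",
]

# Tiny constructed stand-ins for the "simple English" and "hacker" word lists.
ENGLISH_WORDS = {"apple", "orange", "password", "pomegranate"}
HACKER_WORDS = ENGLISH_WORDS | {"xbox", "pokemon", "qwerty"}

def classify(password: str, words: set) -> str:
    """Label one password by the pattern it follows against a word list."""
    low = password.lower()
    if low in words:
        return "word"                      # bare dictionary word
    m = re.fullmatch(r"([a-z]+)(\d{1,4})", low)
    if m and m.group(1) in words:
        return "word+digits"               # the MySpace-style "append a 1"
    m = re.fullmatch(r"([a-z]+)([^a-z0-9]+)", low)
    if m and m.group(1) in words:
        return "word+punct"                # word with trailing punctuation
    if low.isalpha():
        return "letters-only"              # alphabetic but not in this list
    return "other"

def audit(passwords, words: set) -> dict:
    """Summarise how many passwords are dictionary-based and how long they are."""
    counts = Counter(classify(p, words) for p in passwords)
    dictionary_hits = counts["word"] + counts["word+digits"] + counts["word+punct"]
    return {
        "total": len(passwords),
        "dictionary_hits": dictionary_hits,
        "dictionary_pct": round(100.0 * dictionary_hits / len(passwords), 1),
        "mean_length": round(sum(len(p) for p in passwords) / len(passwords), 2),
        "patterns": dict(counts),
    }

if __name__ == "__main__":
    for name, words in (("english", ENGLISH_WORDS), ("hacker", HACKER_WORDS)):
        print(name, audit(SAMPLE_PASSWORDS, words))
```

Running the same audit with the two word lists reproduces the effect the post reports: the broader "hacker" list captures far more of the sample than the plain English one.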
Dan Kaminsky was in Atlanta yesterday. We and some of the usual suspects met for food and drinks at the Vortex in midtown. Some odd/funny things were said, and to keep track, I kept SMSing myself so I could preserve these for posterity.
Chris: I'm going to create Nemisis-oasis. It's the inverse of Match.com and Facebook. You type in what you like and it finds someone that you would absolutely hate. Dan: It's like a Fuck You Cupid!
Tom: (handing me a girlie drink) Here Billy, this will make hair grow on your vagina.
(I have no context for this next quote. I have no idea why Tom said this) Tom: I can only get off if the sheep is from Luxembourg Billy: I'm totally putting this on Memestreams... how do you spell Luxembourg?
Tom: (About a computer scientist at a recent conference) They're proof that every now and then Appalachia produces something good. So it's: Buck-Toothed Redneck, Buck-Toothed Redneck, Buck-Toothed Redneck, Cryptographer, Buck-Toothed Redneck...
You know you've been out drinking with Billy when you wake up with a receipt in your pocket that says:
PolitiFact | The Obameter: Tracking Barack Obama's Campaign Promises
Topic: Miscellaneous
4:33 pm EST, Jan 28, 2009
PolitiFact has compiled about 500 promises that Barack Obama made during the campaign and is tracking their progress on our Obameter. We rate their status as No Action, In the Works or Stalled. Once we find action is completed, we rate them Promise Kept, Compromise or Promise Broken.
I’m working on a book for Addison/Wesley entitled "Protocols And Performance: A Web Server In Three Acts (plus supporting cast)". The book will lead the reader through the history of the HTTP protocol by building three separate web servers: HTTP 0.9-1.0, HTTP 1.1, and HTTP “2.0”. During the process of putting these different servers together the reader will continually evaluate their performance and stability using statistical analysis methods.
As the story unfolds there will also be tales from other HTTP alternatives, internet bodies, and other protocols in development at the time. These will be told from the point of view of HTTP as a player in the story.
A big part of the book is teaching modern protocol design using scientific analysis, reusable libraries, modern techniques, and confirming that these new approaches are valid with evidence. This means taking on existing myths and dogma pushed by many proponents and also looking at other projects’ bad code.
This seems like it will be a great book that I'll want to get when it's finally published. Addison/Wesley seems to try to publish technical books that involve storytelling rather than just technical reference books. Good stuff.
Now, the captchas provided by the site aren't very "hard" to solve (in fact, they're downright bad):
But there are many interesting parts here:
1. The HTML 5 Canvas getImageData API is used to get at the pixel data from the Captcha image. Canvas gives you the ability to embed an image into a canvas (from which you can later extract the pixel data back out again).
2. The script includes an implementation of a neural network, written in pure JavaScript.
3. The pixel data, extracted from the image using Canvas, is fed into the neural network in an attempt to divine the exact characters being used - in a sort of crude form of Optical Character Recognition (OCR).
Nozzle: detecting heap spraying attacks - Microsoft Research
Topic: Technology
5:29 pm EST, Jan 22, 2009
Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type unsafe applications. With heap spraying, attackers leverage their ability to allocate arbitrary objects in the heap of a type-safe language, such as JavaScript, literally filling the heap with objects that contain dangerous exploit code. In recent years, spraying has been used in many real security exploits, especially in Web browsers.
We propose Nozzle, a runtime monitoring infrastructure that detects attempts by attackers to spray the heap. Nozzle uses lightweight emulation techniques to detect the presence of objects that contain executable code. To reduce false positives, we developed a notion of global “heap health”.
Ben Livshits vs. Mark Dowd. The ultimate showdown. The ultimate destiny.
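An added, simplified sketch of the idea in the abstract (not Nozzle's code, and not its actual emulation-based check): it substitutes a byte run-length test for "does this object look like executable sled code", then rolls the per-object verdicts up into a global "heap health" figure over a constructed toy heap. Zero-filled allocations are deliberately ignored, since calloc-style buffers are common and would otherwise look like sleds.

```python
def longest_run(buf: bytes, ignore=frozenset({0x00})) -> int:
    """Length of the longest run of one repeated byte value, skipping
    values in `ignore` (zeroed allocations are benign and very common)."""
    best = cur = 0
    prev = None
    for b in buf:
        if b in ignore:
            prev, cur = None, 0
            continue
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def looks_like_sled(buf: bytes, min_size: int = 256, fraction: float = 0.5) -> bool:
    """Per-object heuristic (stand-in for Nozzle's emulation step): a large
    object dominated by a single repeated non-zero byte resembles a NOP sled."""
    return len(buf) >= min_size and longest_run(buf) >= fraction * len(buf)

def heap_health(objects) -> float:
    """Global heap health: share of live heap bytes NOT in sled-like objects.
    1.0 means nothing suspicious; a value near 0.0 means the heap is mostly sled."""
    total = sum(len(o) for o in objects)
    sled = sum(len(o) for o in objects if looks_like_sled(o))
    return 1.0 - sled / total if total else 1.0

def should_alert(objects, threshold: float = 0.7) -> bool:
    """Raise an alert only on the global figure, to keep single odd objects
    from producing false positives."""
    return heap_health(objects) < threshold

# Constructed toy heap snapshots (plain Python bytes, not a real process heap).
BENIGN_HEAP = [
    b"<html><body>hello world</body></html>" * 20,  # markup, short runs only
    bytes(4096),                                     # zeroed page, must be ignored
    bytes(range(256)) * 4,                           # binary table, no long runs
]
# Ten large blocks that are almost entirely one repeated byte, followed by a
# short non-repeating tail: the shape a sprayed heap takes.
SPRAYED_HEAP = BENIGN_HEAP + [b"\x90" * 4000 + bytes(range(96))] * 10

if __name__ == "__main__":
    print("benign  health:", round(heap_health(BENIGN_HEAP), 3), should_alert(BENIGN_HEAP))
    print("sprayed health:", round(heap_health(SPRAYED_HEAP), 3), should_alert(SPRAYED_HEAP))
```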