Based on the news today that 6 million LinkedIn passwords were published on a hacker blog in Russia, I feel that by quitting these two Internet time-wasters, I have greatly enhanced my security from identity theft.
A few thoughts come up from this episode. In no obvious order:
- A lot of people use the same password for their email, bank accounts, Facebook and LinkedIn accounts. A breach of one may be a catastrophic breach for some people.
- The other striking fact was that many users used linkedin as their password to LinkedIn. This sort of thing enabled the Russian hackers with small penises to break the SHA-1.
- LinkedIn was negligent in not "salting" the passwords with random bits to enhance the security so that the same passwords do not hash out the same every time.
- This is a prime opportunity for some young hotshot lawyer to sue the pants off LinkedIn in a class action suit for not protecting its users' privacy.
- We trust these websites a lot with our identities, and when they fail to protect them, they should be made to pay for that negligent lapse. After all, they make money from the users who sign up. You would think that they would protect that revenue stream.
- A class action suit would work, because LinkedIn has some pretty heavy corporate hitters who value their identity privacy.
- This sort of thing spells opportunity for any geek who can solve the intrinsic problems of traditional user name and password credentials for websites.
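To make the salting point in the list above concrete, here is an added example (not the post's own code, and nothing to do with LinkedIn's actual system). The user names, passwords and the tiny wordlist are constructed; it also goes one step beyond plain salting by using PBKDF2, since salted SHA-1 alone is still too fast to resist guessing.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the breach): two users picked the same weak
# password, which is exactly the situation the post describes.
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "3 wet hedgehogs"}
COMMON_PASSWORDS = ["123456", "password", "linkedin"]  # tiny stand-in wordlist


def unsalted_sha1(password: str) -> str:
    """What an unsalted store holds: the bare SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes) -> str:
    """Per-user salt plus a deliberately slow KDF (PBKDF2). Plain salted SHA-1
    would defeat the shared table below but still allows fast guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_unsalted_store(users: dict) -> dict:
    return {u: unsalted_sha1(p) for u, p in users.items()}


def build_salted_store(users: dict) -> dict:
    """Stores (salt, digest) per user with a fresh random 16-byte salt each."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, salted_pbkdf2(p, salt))
    return store


def table_lookup_hits(unsalted_store: dict) -> dict:
    """Why unsalted hashes fail: one table of common-password hashes, built once,
    identifies every user who chose any of them, and identical passwords show
    up as identical hashes. With per-user salts the same table matches nothing."""
    table = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}
    return {u: table[h] for u, h in unsalted_store.items() if h in table}


def verify(password: str, entry: tuple) -> bool:
    """Login check against the salted store, using a constant-time comparison."""
    salt, digest = entry
    return hmac.compare_digest(salted_pbkdf2(password, salt), digest)
```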
And I can't go a day without mentioning my own personal bête noire -- Facebook. I am not sure if Facebook tightened things up with a complete https session, but various industry insiders pointed out that there are vulnerabilities in Facebook. If Anonymous or the diminutive tallywhacker hacker Russians ever break Facebook security, it would greatly accelerate its inevitable destiny of becoming a penny stock.