Yahoo hands hackers a lavish gift: data breach affects more than 1bn users


Oh, Yahoo, where do I start? We used to be good together back in 2004.

Oh, Yahoo, where do I even start? Back in 2004, when we were together, we were happy.

But now I’m angry and disappointed.

But now I feel both angry and disappointed.

And it’s not me, it’s Yahoo.

And the problem isn't me; it's Yahoo.

The data breach the company disclosed last week, affecting more than 1bn users, dates back to 2013 — a year earlier than the breach of 500m accounts reported in September.

The data breach Yahoo disclosed last week affected more than 1bn users and dates back to 2013, a year earlier than the leak of 500m accounts reported this September.

Whether you use Yahoo or not, disabuse yourself immediately of any notion that this breach is like the last.

Whether you use Yahoo or not, drop immediately any idea that this leak is the same as the last one.

The implications are worse and reach beyond the company.

Its impact is worse, and its reach extends beyond the company.

And it’s not just about the number of people affected.

This is not just a question of how many people are affected.

This time Yahoo is saying outright that all affected user passwords were stored in a manner that makes your average cyber security bod go nuts at the madness of the world.

This time, Yahoo has stated outright that the way all affected users' passwords were stored would make anyone with even a little knowledge of network security stamp their feet at the madness of the world.

Security! experts! slam! Yahoo! management! for! using! old! crypto! ran a headline in The Register, an industry rag, mocking the internet company’s corporate punctuation.

The headline in the industry tabloid The Register read: Security experts slam Yahoo management for using old encryption! The exclamation marks there mock the logo of Yahoo, the internet company.

To understand the frustration, imagine that a password database is like a bike in an area prone to high levels of bike theft — a university town such as Oxford, UK.

To understand the frustration, imagine a password database as a bicycle parked somewhere with a high risk of bike theft (a university town such as Oxford, UK, for instance).

It matters how securely your bike is stored and also how much it’s rendered unrideable with locks.

What matters is how securely your bike is stored, and how far the locks make the bike unrideable for a thief.

As Yahoo’s password bike is known to have been stolen (again), it’s the additional locks and how strong they are that now matter.

We already know that Yahoo's password bicycle has been stolen (again); the important question now is whether there were additional locks and how sturdy they are.

In password terms, strength equates to how easy is it to recover the plain-text version of what you type in — such as hansolo81 — from the unusable hashed version that the company stores.

In password terms, password strength corresponds to how easy it is to recover the plain-text password you typed in (for example hansolo81) from the unusable hashed version the company stores.

A hashed version would look something like: 57dddf57a98dc88c64327fe6bb5b9358.

The hashed data looks something like 57dddf57a98dc88c64327fe6bb5b9358.

If the thieves can recover hansolo81, they can ride it into your bank account, PayPal — or anywhere else you used this password or predictable variants of it, such as Hansolo81, han$olo81 or hansolo82.

If the thieves can recover hansolo81, they can follow the trail into your bank account, PayPal, or anywhere else you used that password or a predictable variant of it, such as Hansolo81, han$olo81 or hansolo82.

So you’d think Yahoo would deploy chunky chain locks like those that cycle couriers use.

So you would assume Yahoo would use sturdy chain locks, like the ones cycle couriers use.

But, actually, it looks as if the company instead tied a ribbon between the front wheel and the frame.

But in practice, the company seems to have tied the front wheel to the frame with a ribbon.

In the jargon, they used a method involving a function called MD5 — the same poor choice made by adultery website Ashley Madison for some of its users’ passwords, and by music service , both of which experienced breaches.

In technical terms, the method they used involved a function called MD5, the same bad choice made by the adult website Ashley Madison for some of its users' passwords and by a music service company; both companies suffered data theft.

Ask tech nerds what they think about MD5 and you’ll hear incredulity that any company (let alone a large, internet-based company) was still using it in 2013, that doing so is outright negligence, that there’s no excuse for it and that it was discredited a couple of decades ago.

Ask tech enthusiasts what they think of MD5 and you will hear that it is simply unbelievable for any company (let alone a large internet company) to still be using this method in 2013; that doing so is outright negligence; that there is no excuse for it; and that the method was discredited 20 years ago.

By the time of the 2014 breach, Yahoo had nearly finished a wildly overdue upgrade to its locks, switching to bcrypt.

By the time of the 2014 intrusion, Yahoo had almost completed a long-overdue upgrade of the way it locked its passwords, switching to the bcrypt tool.

If well implemented, this makes its password bike unusable to thieves.

If implemented properly, this would make Yahoo's password bicycle unusable to thieves.

Getting from 57dddf57a98dc88c64327fe6bb5b9358 to hansolo81 would be very unlikely.

Recovering hansolo81 from 57dddf57a98dc88c64327fe6bb5b9358 would be extremely unlikely.
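The two storage schemes the column contrasts, shown side by side as an added example that is not from the article: bare MD5 (the ribbon) beside a salted, slow hash (the chain lock). It assumes only Python's standard library; because bcrypt itself is not in the standard library, PBKDF2-HMAC-SHA256 stands in for it, and the candidate password list is constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample: a few plausible passwords, standing in for the kind of
# list that a leaked database reveals about how people build passwords.
CANDIDATES = ["password", "hansolo81", "Hansolo81", "han$olo81", "hansolo82"]


def store_md5(password: str) -> str:
    """The weak scheme the column describes: bare MD5, no salt, no work factor.
    Every user who picked the same password gets the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_from_md5(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Why the weak scheme fails: with no salt, one table of candidate hashes,
    computed once, can be compared against every row of the database."""
    table = {store_md5(c): c for c in candidates}
    return table.get(stored)


def store_slow_salted(password: str, rounds: int = 100_000) -> str:
    """Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 from the stdlib).
    A fresh random salt means identical passwords hash differently, and the
    round count is a tunable work factor that makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time comparison."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    weak = store_md5("hansolo81")
    print("MD5 row:", weak, "->", recover_from_md5(weak, CANDIDATES))
    strong = store_slow_salted("hansolo81")
    print("Salted slow row:", strong)
    print("Verify correct:", verify_slow_salted("hansolo81", strong))
    print("Verify variant:", verify_slow_salted("hansolo82", strong))
```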

So, while that breach endangered users, it was a less epic fail than the more recently reported compromise.

So, although that leak endangered users, it was a less serious failure than the incident reported most recently.

It’s worth being clear about the consequences of Yahoo’s incredibly poor security practices as recently as three years ago: the company has probably unleashed the single biggest known data set showing how the world constructs passwords.

It is worth being clear about the consequences of Yahoo's very poor security practices as recently as three years ago: the company has very likely leaked the single largest known data set showing how the world constructs passwords.

This is a powerful tool for guessing one’s way into accounts, especially on services that don’t limit such attempts well or offer additional security measures, such as two-factor authentication.

This is a powerful tool for guessing one's way into accounts, especially on services that do not limit such attempts well or do not offer additional security measures (such as two-factor authentication).

And it’s a gift to malicious actors who increasingly know us better than we know ourselves.

It is a lavish gift to malicious hackers, who increasingly know us better than we know ourselves.

Also, Yahoo can force password resets only on its own service.

Also, Yahoo can only force users to reset passwords on its own site.

There is nothing Yahoo can do to make people change identical or similar passwords used on other sites.

It cannot make users change the same or similar passwords used on other sites.

Furthermore, as with the last breach, the company hasn’t disclosed how many security questions and answers were badly stored.

Furthermore, as with the last leak, Yahoo has not disclosed how many security questions and answers were stored badly.

They state only that the data were kept either encrypted or unencrypted — the latter being in readable text.

They state only that the data may have been stored encrypted or unencrypted, the latter meaning readable text.

How many people can remember whether or not they once had a Yahoo account, let alone what security information they used, and whether they used that same information in their other accounts?

How many people can still remember whether they ever had a Yahoo account, let alone the security information they used, and whether they used the same information on other accounts?

Where else did you use your mother’s maiden name, first pet, favourite colour, school or teacher?

Where else have you used your mother's maiden name, the name of your first pet, your favourite colour, or the name of your school or teacher?

The consequences of organisations’ poor security decisions will come back to haunt us.

The consequences of companies' poor security decisions will come back to haunt us.

I only hope Yahoo marks the worst, if not the last.

I only hope that Yahoo marks the worst security practices, if not the last.