20 Responses to Guy mocks Heartbleed, posts passwords online, invites everyone to do their worst

  1. Feel · 500 days ago

    Quite entertaining, really.

  2. Anonymous · 500 days ago

    Events like this make me wonder: was this his account, a fake account (as you pointed out), or the account of someone he didn't like? In the latter case, why compromise and deface your enemy's account when you can have the entire world do it for you? This way, there's no defacement IP that leads directly back to the instigator who did the original compromise.

  3. Colin · 500 days ago

    This sort of looks like a set-up. His WordPress blog's subtitle is "Pitching, Bitching and itching" and has not been defaced, previous content seems unaltered, and most of it is well-written in a thought-provoking way. He's probably just having some sort of "PR stunt" there :)

  4. ComeAndGetMe · 500 days ago

    What if the passwords he posted actually belonged to someone else whose identity he lifted? This sounds a lot like what some retard on 4chan would do.

  5. Anonymous · 500 days ago

    Never thought of giving away passwords of reporters and politicians. Great idea.

  6. Site Administrator · 500 days ago

    Don't worry folks, we've implemented PassFiltr in this comment section.
    If you try and type a password here, it is replaced by asterisks.

    Don't believe me? Here's our admin password:

    Clever huh?

    • Paul Ducklin · 500 days ago

      Your password is:


      So that will be:



    • Jim · 499 days ago

      I'm not sure you want to joke like that. That row of asterisks does NOT protect a password in any meaningful way. It's called security by obscurity, and it's only useful if the person hacking your information is an amateur or an idiot. That's not exactly a safe assumption to make.

      For the younger folks, a little history: that row of asterisks you see in place of passwords dates way back to the days of paper teletype (TTY) machines (60s and 70s). When you typed in your password, the mainframe (server) would tell the TTY unit to type, right over the top of your password, several keystrokes over each letter. If you used a 3 character PW, you got (perhaps) 3 # symbols, 3 capital Os, 3 capital Es, 3 plus signs, ... you get the idea. If the mainframe picked its keystrokes correctly, it basically covered all the possible dots on the paper (the TTYs were "dot-matrix"), making the actual password supposedly impossible to discover.

      It wasn't. Discovering the password was actually quite easy. Despite this fact, this technology still morphed into the PC world. In fact, it operated basically the same way: It let you type the actual password, and then immediately covered it up (with a graphic, like an asterisk). The designers (chuckle) actually thought it was secure, because you couldn't react fast enough to stop the flow of information. Tsk, tsk.

      HOWEVER, a hacker can simply send his/her request in a way that stops transmission right after the last character is typed, before any of those messy asterisks show up. No need to stop the monitor; just divert the transmission.

      (Don't laugh too hard; the technology is still in use today, and even the PC industry's heavy hitters used it until not too long ago.)

  7. Saw hoax right away. It's not as easy as Sophos seems to be implying.

  8. idon'thaveapassword · 499 days ago

    I'm posting my password here for all to read and hack me :P

    My password is: idon'thaveapassword

  9. "If you're reading this post, there's a good chance you don't reuse passwords. Instead, you probably create strong passwords, at least 12 characters long, that mix letters, numbers and special characters whenever possible"
    Hehe, so true.

    Quite a funny article, but I am going to assume it is staged. Thanks for the laugh, though!

  10. Heatshiver · 499 days ago

    I guess, as long as he didn't have anything too pertinent in those accounts, he was right. What was the worst they could do? Post things up on his account. Touché reader! I salute you.

  11. 4caster · 499 days ago

    I don't really care who gets into my newspaper blogs, Apple community or Lidl accounts, because they can't do any damage. Therefore I use identical, insecure, memorable passwords for those.
    I can't remember unmemorable passwords, so I need to keep a record of them. The effect is worst when I'm out and about with my iPhone. I can't even remember my iCloud password (because they've made me change it so many times): let alone BT SmartTalk, Telegraph Rewards, Facebook or Google.
    Applications frequently require usernames and passwords, especially after software has just been upgraded, which happens once or twice a week with one application or another. If I use a different, gobbledygook one for each, I need to carry a written record of them, which rather defeats the object as I'm carrying both the phone and the list on my person. For that reason I shall never use mobile phone banking.

    • Paul Ducklin · 498 days ago

      You ought to care who masquerades as you online.

      Even if it's just to stop your friends getting hit by crooked messages apparently from you that they are more likely to trust.

  12. Jinx The Kat · 498 days ago

    been on the interwebs since the beginning of time and only have 1 email account that i use. I'm anti-social media, never used it never will. it's all just crap wrapped in pretty paper. it's sad to see all the sheeple flocking to them. if you use them you've given them control over your life. it's a drug and you're all addicted to it. what are you going to do when the power goes out, and you can't post your pinterest pic of your favorite can of beans because there's no electricity to use your microwave to heat them up? you've all been bamboozled and you don't know it. silly humans.

    • Paul Ducklin · 498 days ago

      Tinned beans are generally precooked, so you can eat them without electricity! Of course, you won't be able to open the tin, because your electric can-opener won't work, but it's the thought that counts :-)

      • Mang · 495 days ago

        Don't most electric can openers run off batteries?
        Problem solved!
        And if there's still power to the mobile network (Likely, due to their backup generators, at least for a short while) then you can even still upload the photo using your pocket stalker. Yay! Post apocalypse food photos! :)

        I get the feeling I'm thinking about this far too much...

  13. Laurence Marks · 489 days ago

    Back to Heartbleed. What to do if the supplier just doesn't care. I have a Craig Electronics tablet (CMP748), a cookie-cutter design based on the Rockchip 2928 chipset. It runs Android 4.1.1 and is vulnerable to Heartbleed. (I've tested.)

    Rockchip says updates come only from the manufacturers. Craig says they have no updates--and their tech support didn't seem to want to be bothered escalating the issue.

    What's an innocent-victim user to do?

  14. Oh...I wish I'd seen this little article a month ago. It doesn't badly present what happened when I posted my internet passwords. It has a little trouble, quite understandably, sorting out which statements are actually mine and which were posted by others via my accounts.

    I posted those passwords to illustrate the realistic worst case scenario of having done so. If no passwords existed for, let's say the social network sites...what, exactly, do you risk? A few pranks...that's it, maybe someone changes your photo, makes a statement in your name--or...or what?

    There's really almost nothing security worthy that goes up on your Tumblr, Facebook, Twitter, WordPress, Instagram, etc. sites. If zero passwords existed, almost no one would waste the time fiddling with your account--there's no money to be had, no property to pinch, no loved ones to harm. Add a password and the irony is, now they have a password to pinch.

    [Post edited for length]

    There is no Russian mob after your bank account. There are thousands of corporations however who upload trackers, loggers and info gatherers to your device. Governments are scanning your eMail, password or not.

    Stop being so mindlessly functionally fixed over net security. There isn't at stake what the hype wants us to believe there is. No one is launching computer crashing bugs just begging to swim between the cracks in your firewall...Ebola is a virus to worry about--not Heartbleed.

    • micchickenburger · 55 days ago

      Of course you would only implement security controls based on the measured risk. In the case of social media, proper account controls help friends and family trust that you really are who you say you are. It's not always just about financial gain. Trust and reputation are also important.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.