This OpenSSL vulnerability’s been around for two whole years! And now we’re supposed to suddenly be terrified the foundation of the internet has been turned into rice pudding? Oh, puh-leez.
That’s basically what one reader had to say when commenting on Brian Fung’s coverage for the Washington Post about Heartbleed and how it will slow the internet down to a crawl.
This is precisely what the reader had to say about that “Heartbleed thingamajig”:
I couldn't give a flying fig about the Heartbleed thingamajig. Two years already the thing has been running loose ... and not a word of someone crying over its damage. Say ... does anyone really know its origin? Russian crackers? Seattle high-schoolers? the NSA? Yahoo's marketing department?
Then the reader did what any skeptical/cyber-suicidal person might do: he threw his passwords online and invited people to go at him.
According to Fung, the reader posted the two passwords he regularly reuses across all of his main accounts (reusing passwords? tut tut).
Then, he invited everyone to:
read all the eMail I have. Sneak into my WaPo, NYT or CNN accounts and go crazy making comments in my name. Break into my Facebook or Twitter profiles and change my hometown to Gas City Indiana, swap out my avatar with a picture of your nads, make friends with people I don't know.
Well, tally ho! The gauntlet was picked up, with gusto!
The Twitter account of the reader as of Thursday was, in fact, informing visitors that his location was Gas City, Indiana.
So they did in fact go crazy, making comments such as these in the skeptical one’s name:
LOL GUYS HEARTBLEED IS NO BIGGIE YOU SILLY PARANOID AMERICANS
OK, Perhaps putting my password on a national news site is not so good
I am REALLLLLLY stupid - I am REALLLLLLY stupid...
His WordPress account also appears to have been accessed, with one blog post headlined “OK, Perhaps putting my password on a national news site is not so good” very likely also written by somebody who grabbed his login credentials.
The post reiterates his "couldn't give a flying fig" comment, then goes on to give the order in which his online accounts were hijacked:
I actually posted my password right after this on a national news site, as well as bragging that my doors were open and I have no AV software. I see my Facebook was hit first, but perhaps I didn’t think that if someone gets access to my email, they have access to my bank, credit cards, most anything.
His Facebook account was also still hijacked as of Thursday. So too was his account on Tumblr.
As Fung pointed out, this could all be a hoax. The WordPress blog post is written in the first-person voice, but it sure seems to echo the comments on the reader's other accounts.
This scenario – purloined identities, comments posted by people who could be who they say they are or who could be imposters – echoes what happened at Mumsnet, which suffered one of the first two big Heartbleed breaches last week.
At Mumsnet, it became clear that user data was at risk when the username and password of the parenting site’s founder, Justine Roberts, were used to post a message online.
The stealing of online identities is nothing new. But in the wake of Heartbleed, identity theft might as well be popping steroids.
For the love of all things security, let’s not make it easier by posting our passwords online.
That stunt didn’t need Heartbleed to be stupid. It was pre-Heartbleed stupid.
But before he ever posted his passwords online or dared people to disembowel his online persona (another very bad idea), he committed another, far more pervasive security sin, one committed by many people: namely, he reused passwords.
If you’re reading this post, there’s a good chance you don’t reuse passwords. Instead, you probably create strong passwords, at least 12 characters long, that mix letters, numbers and special characters whenever possible.
Obviously, we're always talking about not reusing passwords at Naked Security, but it's just one of our 3 essential security tasks. So while you're fixing your passwords, please do the other 2 tasks as well. And regardless of how much espresso you might have drunk this morning, please don't post your passwords online.
20 comments on “Guy mocks Heartbleed, posts passwords online, invites everyone to do their worst”
Quite entertaining, really.
Events like this make me wonder: was this his account, a fake account (as you pointed out), or the account of someone he didn’t like? In the latter case, why compromise and deface your enemy’s account when you can have the entire world do it for you? This way, there’s no defacement IP that leads directly back to the instigator who did the original compromise.
This sort of looks like a set-up. His WordPress blog's subtitle is "Pitching, Bitching and itching" and has not been defaced, previous content seems unaltered, and most of it is well-written in a thought-provoking way. He's probably just having some sort of "PR stunt" there 🙂
What if the passwords he posted actually belonged to someone else whose identity he lifted? This sounds a lot like what some retard on 4chan would do.
Never thought of giving away passwords of reporters and politicians. Great idea.
Don’t worry folks, we’ve implemented PassFiltr in this comment section.
If you try and type a password here, it is replaced by asterisks.
Don’t believe me? Here’s our admin password:
Your password is:
So that will be:
I’m not sure you want to joke like that. That row of asterisks does NOT protect a password in any meaningful way. It’s called security by obscurity, and it’s only useful if the person hacking your information is an amateur or an idiot. That’s not exactly a safe assumption to make.
For the younger folks, a little history: that row of asterisks you see in place of passwords dates way back to the days of paper teletype (TTY) machines (60s and 70s). When you typed in your password, the mainframe (server) would tell the TTY unit to type, right over the top of your password, several keystrokes over each letter. If you used a 3 character PW, you got (perhaps) 3 # symbols, 3 capital Os, 3 capital Es, 3 plus signs, … you get the idea. If the mainframe picked its keystrokes correctly, it basically covered all the possible dots on the paper (the TTYs were “dot-matrix”), making the actual password supposedly impossible to discover.
It wasn’t. Discovering the password was actually quite easy. Despite this fact, this technology still morphed into the PC world. In fact, it operated basically the same way: It let you type the actual password, and then immediately covered it up (with a graphic, like an asterisk). The designers (chuckle) actually thought it was secure, because you couldn’t react fast enough to stop the flow of information. Tsk, tsk.
HOWEVER, a hacker can simply send his/her request in a way that stops transmission right after the last character is typed, before any of those messy asterisks show up. No need to stop the monitor; just divert the transmission.
(Don’t laugh too hard; the technology is still in use today, and even the PC industry’s heavy hitters used it until not too long ago.)
Saw hoax right away. It’s not as easy as Sophos seems to be implying.
I’m posting my password here for all to read and hack me 😛
My password is: idon’thaveapassword
“If you’re reading this post, there’s a good chance you don’t reuse passwords. Instead, you probably create strong passwords, at least 12 characters long, that mix letters, numbers and special characters whenever possible”
Hehe, so true.
Quite a funny article, but I am going to assume it is staged. Thanks for the laugh, though!
I guess, as long as he didn't have anything too pertinent in those accounts, he was right. What was the worst they could do? Post things up on his account. Touché, reader! I salute you.
I don’t really care who gets into my newspaper blogs, Apple community or Lidl accounts, because they can’t do any damage. Therefore I use identical, insecure, memorable passwords for those.
I can't remember unmemorable passwords, so I need to keep a record of them. The effect is worst when I'm out and about with my iPhone. I can't even remember my iCloud password (because they've made me change it so many times), let alone BT SmartTalk, Telegraph Rewards, Facebook or Google.
Applications frequently require usernames and passwords, especially after software has just been upgraded, which happens once or twice a week with one application or another. If I use a different, gobbledygook one for each, I need to carry a written record of them, which rather defeats the object as I’m carrying both the phone and the list on my person. For that reason I shall never use mobile phone banking.
You ought to care who masquerades as you online.
Even if it’s just to stop your friends getting hit by crooked messages apparently from you that they are more likely to trust.
I've been on the interwebs since the beginning of time and only have 1 email account that i use. I'm anti-social media, never used it never will. it's all just crap wrapped in pretty paper. it's sad to see all the sheeple flocking to them. if you use them you've given them control over your life. it's a drug and you're all addicted to it. what are you going to do when the power goes out, and you can't post your pinterest pic of your favorite can of beans because there's no electricity to use your microwave to heat them up? you've all been bamboozled and you don't know it. silly humans.
Tinned beans are generally precooked, so you can eat them without electricity! Of course, you won’t be able to open the tin, because your electric can-opener won’t work, but it’s the thought that counts 🙂
Don’t most electric can openers run off batteries?
And if there's still power to the mobile network (likely, due to their backup generators, at least for a short while), then you can even still upload the photo using your pocket stalker. Yay! Post-apocalypse food photos! 🙂
I get the feeling I’m thinking about this far too much…
Back to Heartbleed. What to do if the supplier just doesn’t care. I have a Craig Electronics tablet (CMP748), a cookie-cutter design based on the Rockchip 2928 chipset. It runs Android 4.1.1 and is vulnerable to Heartbleed. (I’ve tested.)
Rockchip says updates come only from the manufacturers. Craig says they have no updates, and their tech support didn't seem to want to be bothered escalating the issue.
What’s an innocent-victim user to do?
Oh… I wish I'd seen this little article a month ago. It doesn't badly present what happened when I posted my internet passwords. It has a little trouble, quite understandably, sorting out which statements are actually mine and which were posted by others via my accounts.
I posted those passwords to illustrate the realistic worst-case scenario of having done so. If no passwords existed for, let's say, the social network sites… what, exactly, do you risk? A few pranks… that's it, maybe someone changes your photo, makes a statement in your name, or… or what?
There's really almost nothing security-worthy that goes up on your Tumblr, Facebook, Twitter, WordPress, Instagram, etc. sites. If zero passwords existed, almost no one would waste the time fiddling with your account; there's no money to be had, no property to pinch, no loved ones to harm. Add a password and the irony is, now they have a password to pinch.
[Post edited for length]
There is no Russian mob after your bank account. There are thousands of corporations, however, who upload trackers, loggers and info gatherers to your device. Governments are scanning your eMail, password or not.
Stop being so mindlessly functionally fixed over net security. There isn't at stake what the hype wants us to believe there is. No one is launching computer-crashing bugs just begging to swim between the cracks in your firewall… Ebola is a virus to worry about, not Heartbleed.
Of course you would only implement security controls based on the measured risk. In the case of social media, proper account controls help friends and family trust that you really are who you say you are. It’s not always just about financial gain. Trust and reputation are also important.