Yahoo used MD5 hashing to store passwords

Yahoo has suffered another hack.

The company disclosed today that it has discovered a breach of more than one billion user accounts that occurred in August 2013. The breach is believed to be separate and distinct from the theft of data from 500 million accounts that Yahoo reported this September.

Troublingly, Yahoo’s chief information security officer Bob Lord says that the company hasn’t been able to determine how the data from the one billion accounts was stolen. “We have not been able to identify the intrusion associated with this theft,” Lord wrote in a post announcing the hack.

“The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” Lord added.

Yahoo was alerted to the massive breach by law enforcement and has examined the data with the help of outside forensic experts. The data does not appear to include payment details or plaintext passwords, but it’s still bad news for Yahoo account holders. The hashing algorithm MD5 is no longer considered secure and MD5 hashes can easily be looked up online to discover the passwords they hide.

Yahoo says it is notifying the account holders affected in the breach. Affected users will be required to change their passwords.

Yahoo also announced today that its proprietary code had been accessed by a hacker, who used the code to forge cookies that could be used to access accounts without a password. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies,” Lord said, adding that he believed the attack was launched by a state-sponsored actor.

Today’s revelations add to Yahoo’s long string of security problems. Yahoo employees reportedly knew of the intrusion that led to the theft of data from 500 million users as early as 2014, but the company did not announce the breach until this September. What Yahoo executives knew about the breach, and when they knew it, have been crucial questions in Verizon’s ongoing acquisition of Yahoo. Yahoo did not disclose the first breach until several months after the deal was announced.

Larger block size is not an option for any cryptocurrency

Decentralized networks are defined by the lowest common denominator. If you want to push a large amount of data through the network, you need to push it everywhere, even to the slowest devices. Also, mempool synchronization is not, and cannot be, exact. If a peer asks you to synchronize the mempool with them, neither of you knows which transactions the other party already has in their pool and which they do not. In many cases, you end up resynchronizing the entire mempool. This means that the effective block size limit on Bitcoin is not in fact 1 MB, but 1 MB multiplied by the number of users and by the volume of mempool traffic in between blocks. And every time a block sync happens, the whole block and mempool need to travel across the entire world, to every node. You also need to remember that mempool synchronization takes away resources shared with block synchronization, so the larger the block limit is, the more unwanted forking happens because the information about new blocks arrives later to many miners – again, exponentially. If anyone with a single-chain solution tells you they can transfer thousands of transactions per minute and satisfy millions of users, they are lying or using cheap tricks.

So the block size limit is a technological problem, or more specifically a Bitcoin-related design flaw. Is there a theoretical solution? Yes, since at least 2014, and it’s called sidechains or childchains, and these have been inspired by nothing other than altcoins. Why? Because altcoins in themselves are the scaling solution for Bitcoin, where Bitcoin is only used as the common chain and the altcoin in question carries some arbitrary market value. Once you buy an altcoin, you are no longer putting any pressure on the Bitcoin blockchain, until you decide to sell your altcoin and use BTC as a mediator again. Childchains/sidechains are just like that, but use only one network, one dev team, and one common token. It’s like the whole bitcoin/altcoin market virtualized.

Who is working on this technology at the moment? I am not aware of any working solution yet, but quite certainly Ardor, the NXT 2.0 development team, is releasing its testnet in Q1 2017. It will be spiced up with additional features already present in NXT, like the decentralized exchange. Also, Ethereum made some announcements lately and would like to push its solution public in early 2017.

Why should you want to use something like this instead of another altcoin? Three reasons – support, price stability and security. Simply put, if you use an unknown altcoin because your main coin like BTC has reached its technological limit, you are putting yourself at the mercy of the altcoin holders, who may decide to dump on you. Also, you don’t know how long the chain will be alive, you don’t know if the devs are capable of solving issues, etc.

disclaimer: no proofreading done

Your private keys and passwords all belong to Intel/AMD/ARM

Five or so years ago, Intel rolled out something horrible. Intel’s Management Engine (ME) is a completely separate computing environment running on Intel chipsets that has access to everything. The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets even worse: no one knows what the ME is doing, and we can’t even look at the code. When — not ‘if’ — the ME is finally cracked open, every computer running on a recent Intel chip will have a huge security and privacy issue. Intel’s Management Engine is the single most dangerous piece of computer hardware ever created.

Researchers are continuing work on deciphering the inner workings of the ME, and we sincerely hope this Pandora’s Box remains closed. Until then, there’s now a new way to disable Intel’s Management Engine.

Previously, the first iteration of the ME found in GM45 chipsets could be removed. This was possible because the ME was located on a chip separate from the northbridge. For Core i3/i5/i7 processors, the ME is integrated into the northbridge. Until now, efforts to disable an ME this closely coupled to the CPU have failed. Completely removing the ME from these systems is impossible; however, disabling parts of the ME is not. There is one caveat: if the ME’s boot ROM (stored in an SPI Flash) does not find a valid Intel signature, the PC will shut down after 30 minutes.

A few months ago, [Trammell Hudson] discovered that erasing the first page of the ME region did not shut down his Thinkpad after 30 minutes. This led [Nicola Corna] and [Frederico Amedeo Izzo] to write a script that uses this exploit. Effectively, the ME still thinks it’s running, but it doesn’t actually do anything.

With a BeagleBone, an SOIC-8 chip clip, and a few breakout wires, this script will run and effectively disable the ME. This exploit has only been confirmed to work on Sandy Bridge and Ivy Bridge processors. It should work on Skylake processors; Haswell and Broadwell are untested.

Separating or disabling the ME from the CPU has been a major focus of the libreboot and coreboot communities. The inability to do so has, until now, made the future prospects of truly free computing platforms grim. The ME is in everything, and CPUs without an ME are getting old. Even though we don’t have the ability to remove the ME, disabling it is the next best thing.

Neutralizing Intel’s Management Engine

If you have an AMD or ARM processor, you’re in the same trouble:
http://www.tomshardware.com/news/AMD-TrustZone-Security-ARM-CPU-Cortex-A5-APU,16000.html

Ethereum takes lessons from Ardor

On Mar 28, 2014, Vitalik Buterin was interviewed about the differences between NXT and Ethereum (https://www.youtube.com/watch?v=niVodrtLWgM). He noted that Ethereum is Turing-complete, while NXT is not, and that pushing decentralized app code to NXT would be difficult, as it would have to be an additional layer outside the core code.

Many, including senior developer John Connor from project Vanillacoin/Vcash (XVC), doubted the usefulness of Turing-completeness for a P2P project, and several Ethereum hacks and hardforks have proven my optimism to be farfetched.

But happily, almost 2 years later, Vitalik also indirectly acknowledged Ardor, the “NXT 2.0” project, by adopting a sharding mechanism (https://github.com/ethereum/wiki/wiki/Sharding-FAQ) for Ethereum, which is their custom sidechain implementation, similar in many ways. Vitalik aims at releasing sharding before the Ardor testnet goes live in Q1 2017, apparently scared by the possibility of Ardor taking a technological advantage over Ethereum, which has always considered itself the most progressive on the fintech fringe.

Wait 12 months to see 60% of your Monero value disappear

All altcoins sing the same song. Hype, enter, pump, dump. The value goes up, a new standard is established and then slowly, over a period of many months, the value disappears so slowly that it does not even leave the bagholders angry. Well, not angry enough to sell. This is especially true for coins which have incompetent development and an immediate existential threat posed by competition, as with Zcash ZEC in the case of Monero XMR. Years have passed, and there is still no GUI. Some of my friends think that the GUI is missing because the developer is a nerd who only cares about cryptography, but don’t lie to yourself. Everyone knows GUIs are important and, what’s more, programming a GUI takes less than a week. Leaving aside the obvious coding incapabilities pointed out by various sources directly on GitHub in the past, I will leave you with a suggestion to think about Monero’s price. Especially now, when bagholders are starting to scream so loud it reaches people who have never even heard of Bitcoin.

Perfect timing for Ardor trading on Poloniex

Today, Ardor, the NXT 2.0 platform, started trading on Poloniex. Coincidentally, Ethereum is going through a second fork, which was originally rumored to be done on Monday. This will shift at least some attention towards Ardor.

At this time, NXT has reached its pre-Ardor prices, as most people predicted in the NXT price speculation thread here https://nxtforum.org/general-discussion/price-speculation/28360/ while I took a contrarian stance and continued catching the falling NXT knives.

What to take away from all this? Well, it is important to correlate the price of Ardor to the price of NXT, as it is being traded on the decentralized NXT exchange. If you want to trade it there now, you need NXT (the same principle as ETH and DAO/Augur).

However, since Poloniex is the most important altcoin platform right now, this may become irrelevant as an ARDR/BTC pair is now directly available.

The general consensus is that the future price of Ardor is supposed to dwindle, since the fundamentals are still far in the future: it is supposed to be released only during Q3 2017, when a snapshot for Ignis, the first childchain, will occur, again based on your NXT holdings.

The positive hype wave may push both Ardor and NXT in a short term upward spiral.

The Ethereum era is over. For now.

All ETH hopes and advertising efforts have been targeted towards Devcon2 on September 19 in China. Judging from this picture, I concluded that there would be no big announcements, as there were only some clowns and scammers and the only honorable person was Vitalik himself – for which we did not need to have a Devcon2.

Be ready to sell; there might still be an exit pump, but I see no hope for sustaining the hype in the mid to long term, at least in the current market, technical and development situation.