Slashdot Mirror


Password Hackers Do Big Business With Ex-Lovers

Hugh Pickens writes "The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn't appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it's only a misdemeanor, says Orin Kerr, a law professor at George Washington University. 'The feds usually don't have the resources to investigate and prosecute misdemeanors,' says Kerr. 'And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.' It's not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas."

197 comments

  1. So wait... by uxbn_kuribo · · Score: 0, Redundant

    You mean people actually still think that web-based, free emails are secure?

    --
    No portion of this post may be rebroadcast without the express, written consent of Major League Baseball.
    1. Re:So wait... by Cheesetrap · · Score: 1, Funny

      You mean people actually still think that web-based, free emails are secure?

      But of course they are, they have the big pictures of padlocks on the front page... and you even get that certificate popup thing, that means it's SUPER secure!

    2. Re:So wait... by linhares · · Score: 4, Insightful

      You mean people actually still think that web-based, free emails are secure?

      As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.

    3. Re:So wait... by Anonymous Coward · · Score: 0

      Encrypt! Encrypt! Encrypt!

    4. Re:So wait... by Jucius Maximus · · Score: 1

      "As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients."

      I've been storing my Thunderbird folders inside a truecrypt container for some time now. It's peace of mind.

    5. Re:So wait... by linhares · · Score: 3, Informative

      until she installs a keylogger. Physical access is game over.

    6. Re:So wait... by hansamurai · · Score: 1

      Well, if you have 2 minutes with your ex's machine, chances are either they're already logged into their webmail, or their password is saved.

    7. Re:So wait... by ScrewMaster · · Score: 1

      You mean people actually still think that web-based, free emails are secure?

      As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.

      I had no problem getting my ex-girlfriend's email ... after all, it was residing on my server. As it happened, the only interest I had in it was getting rid of it to reclaim some disk space (the girl didn't understand that you're supposed to delete things now and then.)

      --
      The higher the technology, the sharper that two-edged sword.
    8. Re:So wait... by 19thNervousBreakdown · · Score: 1

      Jesus Christ you had your GF's mail on your server? I run my own mail server too, never felt comfortable doing that. I run mail for a couple friends, never been tempted to look and wouldn't look if I was tempted, but I would never give myself that kind of access to someone I was screwing, and besides, what happens when you break up? I guess she lost her e-mail address?

      I guess you don't have to worry about things like that when you're ScrewMaster though.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    9. Re:So wait... by ScrewMaster · · Score: 1

      Jesus Christ you had your GF's mail on your server? I run my own mail server too, never felt comfortable doing that. I run mail for a couple friends, never been tempted to look and wouldn't look if I was tempted, but I would never give myself that kind of access to someone I was screwing, and besides, what happens when you break up? I guess she lost her e-mail address?

      I guess you don't have to worry about things like that when you're ScrewMaster though.

      Well, I'm just point-blank not interested in anything that doesn't concern me. Really, I hate nosy people and I take great pains not to be one of them. So yes, I do take my privacy seriously, but that means I need to take others' seriously as well. Everything on my server is encrypted anyway, so I couldn't read it even if I wanted to. I didn't and I don't.

      And no, she didn't lose her email address until she told me she didn't need it anymore. Just because she was a psychotic witch was no reason for me to be a prick. Tempting as it was, I generally feel better if I don't give in to the Dark Side. Anyway, she got a Yahoo account or something like that. As for me, I just wanted the disk space back.

      --
      The higher the technology, the sharper that two-edged sword.
    10. Re:So wait... by Anonymous Coward · · Score: 0

      Be careful about what TrueCrypt can and can't protect against. You can have TC volumes with the keyfile stored in the bottom of Mount Doom, a 64 character passphrase, a triple cascade, and fake volume headers. However, if an attacker is able to use your computer while those volumes are mounted, it will do you no good at all.

      One good practice when using TrueCrypt is to compartmentalize, but this does take time mounting and unmounting containers. When done with your TB E-mail, unmount the volume. When just browsing the Web, unmount everything that isn't related to it.

    11. Re:So wait... by JSBiff · · Score: 2, Informative

      And of course, this is missing the obvious point that a) most people have never heard of truecrypt, and b) most girlfriends/boyfriends/spouses won't know that such a thing as a keylogger exists. It's true that either situation *could* change (the girlfriend gets a new boyfriend, or just a friend, who teaches her about keyloggers, for example).

      Still, I suspect setting up a TC volume for your email is better than nothing. I've done this on my laptop - mostly just to protect my files in case of theft/loss; I think it's probably pretty good for that particular scenario - I realize that TC won't protect me from a determined or sophisticated person/organization, but should protect against the random thief. But, even against someone like a girlfriend/wife, it provides at least some barrier for them to have to penetrate.

    12. Re:So wait... by Anonymous Coward · · Score: 0

      The email accounts for my girlfriend *and* my ex are run from my home mail server. (I'm on good terms with the ex.) I'm not tempted to look, either, so I don't. Where is the problem?

    13. Re:So wait... by Anonymous Coward · · Score: 0

      I ran an email server for my ex-wife during and for a year after the divorce before I moved the domain to an outsourced email provider. Never felt the urge to look at her email. People I've known of who have eavesdropped on ex-lovers got what they deserved in the process of seeing what they saw, even if they weren't caught at it.

    14. Re:So wait... by base3 · · Score: 1

      All that and if you're at work on a Windows domain network, your friendly eye-tee people have access to your mounted filesystems and everything contained therein . . .

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    15. Re:So wait... by vishbar · · Score: 1

      Solution: date technically inept people.

      They usually smell better anyway.

      --
      Ride the skies
    16. Re:So wait... by Fred_A · · Score: 1

      Well, if you have 2 minutes with your ex's machine, chances are either they're already logged into their webmail, or their password is saved.

      Frankly, if you have an ex (or an SO for that matter), chances are she/he already gave you that password anyway because you had to fix her/his broken machine more than once. Or you are her/his email provider and already have access to it without password. So that whole conversation is kind of silly to begin with (for tech people anyway).

      --

      May contain traces of nut.
      Made from the freshest electrons.
  2. RTFS by SanityInAnarchy · · Score: 4, Insightful

    Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

    --
    Don't thank God, thank a doctor!
    1. Re:RTFS by Mooga · · Score: 4, Funny

      I just post my Username and Password on Bugmenot so I don't need to worry about ever forgetting it.

      --
      ~ Mooga
    2. Re:RTFS by Anonymous Coward · · Score: 5, Insightful

      Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

      I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information.
      Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.

      I'd be more worried about what the crackers do with the knowledge they acquire as far as your other accounts are concerned, sure they may hack the e-mail account for you, but they're just as likely to clear out your bank account afterwards.

    3. Re:RTFS by Jessta · · Score: 2, Informative

      and that's a good point.
      It seems that passwords are kind of a terrible way to secure things.

      Needs more OpenID, client certificates, and HTTPS

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
    4. Re:RTFS by Anonymous Coward · · Score: 0

      You mean that that prince in Nigeria isn't actually gonna give me all his millions for my password (and help)? No way! :P

      The problem isn't that web-based e-mails are "insecure", it's that people *are* morons who won't hesitate to give out their password if someone pretends to need it.

    5. Re:RTFS by CharlyFoxtrot · · Score: 1

      I guess disgruntled lovers wouldn't even have to know the password since they know enough about you to answer the password reset questions.

      --
      If all else fails, immortality can always be assured by spectacular error.
    6. Re:RTFS by Anonymous Coward · · Score: 0

      I still think putting all your personal information in a file and uploading it as xxxhardcorexxx.torrent is the better option.

    7. Re:RTFS by anagama · · Score: 3, Insightful

      With respect to security questions, I'm more concerned about companies gathering needlessly private info about me. So I make up answers and record those along with my username and password in my encrypted password list.

      --
      What changed under Obama? Nothing Good
    8. Re:RTFS by Anonymous Coward · · Score: 0

      If the common user can use passwords effectively, then passwords are broken, not the users. See the sibling of your post.

    9. Re:RTFS by Anonymous Coward · · Score: 0

      I doubt my ex knows that my favorite color is "ql7ao3s0ufh-erkw=m0x75la44ilpe".

    10. Re:RTFS by BrokenHalo · · Score: 3, Funny

      I guess disgruntled lovers wouldn't even have to know the password

      ... a good reason to keep your lover gruntled. :-)

    11. Re:RTFS by Cheesetrap · · Score: 0

      I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information.
      Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.

      Not if you make the question something absurd like:

      greendogsuit-goodsite-gesundheit

      And the answer isn't as complicated as it seems:

      gir-slashdot-achoo

      So long as it makes sense to _your_ brain, it doesn't have to conform to the usual 'security questions' format, and thus you can avoid the associated vulnerability of ex-accessible data. ;)

    12. Re:RTFS by houghi · · Score: 4, Insightful

      Sure. That is what people tell me all the time to use a secure password. http://maord.com/ can easily help you with that. So now I have a secure password like cJQKUG4P generated by that website.
      Obviously like most people I have a bunch of different logins, many where I was not able to select my own login. To be secure I must use several ones. e.g. one for work, one for the bank, one for mail and one for websites.
      9b3MHDHz
      m4YBn3t8
      vMSLs44e
      CsQnP5Fy

      These four I must remember and change every month. And that is if I only use four and group my logins. If I want to be really secure, I will use a different one for each login I am able to change the password (17 of them, not calculating the many websites):
      UVvCUmE3
      Snip 15 random passwords
      Lameness filter encountered. Post aborted!
      Filter error: That's an awful long string of letters there.

      qAv9qZHR

      I am not allowed to save them. I must memorize them. Yes, there are other options, like using the first letters of a sentence, but due to the sheer number of logins it becomes impossible.

      It is a known fact that people are stupid. If you make something that proves that fact, then the problem is not the moron users, but the designers. I have no clear answer on how to solve it, but I would start with removing the forceful changing of passwords every month. That WILL lead to weaker passwords.

      --
      Don't fight for your country, if your country does not fight for you.
    13. Re:RTFS by Espinas217 · · Score: 1

      I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information. Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.

      Please, it's not so hard to just type some garbage there, long, alpha-numeric garbage.

      --
      La vida no es una pastafrola. :wq
    14. Re:RTFS by jhol13 · · Score: 1

      How do these web-mails work at repeated login attempts?
      "Kill" the account?
      Kill attempts from that IP?
      Kill attempts for a limited time?
      What about if the attempts come from several different IPs (but more or less at the same time)?

      If designed well even easy-to-remember-but-not-totally-trivial passwords can be very hard to crack.

      I agree the security questions are a bad idea, unless they have much faster "kill switch".
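
The options asked about above (lock the account, block the IP, block for a limited time, attempts arriving from several IPs) can be combined in one small server-side throttle. This is an added example, not part of the original thread and not any webmail provider's actual logic; the class name, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Hypothetical server-side throttle; every threshold is illustrative."""

    def __init__(self, acct_free=5, base_delay=30, max_delay=3600,
                 ip_limit=20, ip_window=600):
        self.acct_free = acct_free      # failures allowed before delays start
        self.base_delay = base_delay    # first delay, in seconds
        self.max_delay = max_delay      # cap, so an account is never "killed"
        self.ip_limit = ip_limit        # failures tolerated per IP per window
        self.ip_window = ip_window      # sliding window, in seconds
        self._fails = defaultdict(int)        # account -> consecutive failures
        self._locked_until = {}               # account -> time the delay ends
        self._ip_fails = defaultdict(deque)   # ip -> failure timestamps
        # A real service would also expire idle entries to bound memory.

    def check(self, account, ip, now):
        """Decide whether a password comparison may happen at all."""
        recent = self._ip_fails[ip]
        while recent and recent[0] <= now - self.ip_window:
            recent.popleft()
        if len(recent) >= self.ip_limit:
            return "ip_blocked"
        if now < self._locked_until.get(account, 0):
            return "account_delayed"
        return "ok"

    def attempt(self, account, ip, password_ok, now):
        verdict = self.check(account, ip, now)
        if verdict != "ok":
            # Rejected before comparing, so even a correct guess made during
            # the delay tells the guesser nothing.
            return verdict
        if password_ok:
            self._fails.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        # The failure counter is keyed by account only, so guesses spread
        # over many addresses still add up against the same account.
        self._fails[account] += 1
        self._ip_fails[ip].append(now)
        over = self._fails[account] - self.acct_free
        if over >= 0:
            delay = min(self.base_delay * 2 ** over, self.max_delay)
            self._locked_until[account] = now + delay
        return "bad_password"


def demo():
    """Constructed scenario using documentation-range addresses."""
    t = LoginThrottle(acct_free=3, ip_limit=4)
    log = []
    # Three wrong guesses at one account, each from a different address.
    for i in range(3):
        log.append(t.attempt("alice", f"198.51.100.{i + 1}", False, now=i))
    # A fourth address is delayed too, even with the right password.
    log.append(t.attempt("alice", "198.51.100.4", True, now=3))
    # The delay expires by itself and the owner gets back in.
    log.append(t.attempt("alice", "198.51.100.4", True, now=32))
    # One address trying wrong passwords against many different accounts.
    for i in range(4):
        log.append(t.attempt(f"user{i}", "203.0.113.9", False, now=100 + i))
    log.append(t.attempt("user9", "203.0.113.9", True, now=650))
    return log


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because the delay is capped and expires on its own, someone hammering an account can slow its owner down but cannot lock them out for good, which is the trade-off a permanent "kill" would lose.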

    15. Re:RTFS by Anonymous Coward · · Score: 2, Funny

      Now she does.

    16. Re:RTFS by xaxa · · Score: 5, Funny

      "Hello, Student Loans Company, do you have a reference number?"
      "Yes, L238BNM"
      "Could you tell me the fourth letter of your mother's maiden... hmm... I'm sorry sir, I think there's a problem with the system, please--"
      "Is it a hash symbol?"
      "Er... yes. And the first letter of your first pet's name?"
      "The number 8"
      "That's correct."

    17. Re:RTFS by mlts · · Score: 2, Interesting

      What I'd like to see would be more ability to use a standardized keyfob (such as RSA's SecurID), a smart card that has one's client certificate, or perhaps both in one device like the Aladdin eToken NG-OTP. Combine this with some type of decentralized but usable authentication system like OpenID, and this would go a long way to making bad or guessed passwords a thing of the past.

      Smart cards go a long way to ease authentication hassles, but they bring their own issues, such as card lockouts due to too many failed PIN attempts, lost/stolen/accidentally microwaved cards, user training, to malware which captures the PIN on a compromised computer then if the card is still inserted, uses it for its own bad stuff.

    18. Re:RTFS by Anonymous Coward · · Score: 0

      And how long can the URL or description or whatever in a .torrent file be? Perhaps you could store all the info in folder and file names.

    19. Re:RTFS by Anonymous Coward · · Score: 0

      Those passwords are not practical unless you remember them. I use passwords derived from sentences. They are much longer than the ones you posted and someone has a better chance of remembering them (so they are not written down somewhere).

      "My office phone number is 202-555-1212"
      "My license plate number is JET-1283"
      "I drive a 2006 Hyundai Elantra"
      "Clariion CX3-80 with 14 daes"
      "Cisco 4500 with IOS 12.4"
      "HP DL380-G6"
      "We just upgraded to ESX 4i with shared storage"

    20. Re:RTFS by masshuu · · Score: 0

      I think I'll store my new login info for my new gmail email right here, in case I forget it.

      heateddeates007@gmail.com g6Y09@e4

      --
      O.o
    21. Re:RTFS by houghi · · Score: 1

      Great if you are able to do that. I have problems remembering what the sentence was this month for each of them and would confuse them with the ones for last month. The majority of people have the same problem.

      There are two ways around this. 1) Alter the people. 2) Alter the system

      1) is tried now for many years and it does not seem to help. Perhaps it is time to think about changing 2)

      Or we can just keep blaming the people for being morons and sit on our ivory throne laughing at these morons and be able to blame them for the insecurity of our infallible system.

      --
      Don't fight for your country, if your country does not fight for you.
    22. Re:RTFS by phyreskull · · Score: 1

      I can see you doing that, if you haven't already...

    23. Re:RTFS by SanityInAnarchy · · Score: 1

      That's bitten me once -- and only once -- since I started doing it.

      My bank requires security questions.

      It then picks a random security question when I login, as part of their wish-it-was two-factor authentication scheme.

      --
      Don't thank God, thank a doctor!
    24. Re:RTFS by SanityInAnarchy · · Score: 2, Interesting

      I am not allowed to save them. I must memorize them.

      Nonsense. While Chrome doesn't seem to have this yet, Firefox and Konqueror come with encrypted password stores out of the box.

      That is, you enter one master password, and it then remembers all your passwords for you.

      I also have a friend who wrote a Firefox extension, which I'm seriously considering replicating (or finding, if he ever published it), which would take one master password that he'd remember, combine it with the domain, and compute a hash. Thus, nothing is ever stored, but there's still only one password to remember.

      This scheme prevents a breach at one website from compromising others, so long as your master password and/or local password store is safe. And it's a lot easier to try to keep that safe than to try to create and memorize tons of random passwords.

      Finally, there is the option to use client-side certificates and/or OpenID, with services that support them. This would allow you to choose whatever means of authentication you like, passwords or otherwise.

      The point is, you're not allowed to save them somewhere obvious in plain text, or especially, taped to your monitor.

      It is a known fact that people are stupid. If you make something that proves that fact, then the problem is not the moron users, but the designers.

      But trying to idiot-proof it is the wrong approach, or at least, should not be a priority. As the saying goes, they'll always build a better idiot.

      No, the right approach is to increase the ease with which someone could use the system properly, and how far "properly" extends. After you've done that -- in this case, after OpenID is ubiquitous -- then you can worry about how to dumb it down to where an idiot can use it.

      But if you design the system for an idiot in the first place, you're both creating more idiots, and in this case (using passwords and "pet's name" security questions), making the system less secure and/or less convenient for experienced users.

      --
      Don't thank God, thank a doctor!
    25. Re:RTFS by xaxa · · Score: 3, Interesting

      Several UK banks use the EMV card (branded as "Chip+PIN" here (wiki it), a debit/credit card with a chip) for authentication with online banking. The readers don't connect to a computer, and getting the PIN wrong three times in the portable reader only means you need to reset the card by using it in an ATM.

      The trouble is, it's been done cheaply, and has some *big* problems. Ignoring problems with encryption, the biggest one is a social problem: I have a small card reader. I can put one of my debit/credit cards in, press "Identify", type in my PIN, and get the message "PIN OK" and a code. Fine, I can put the code in the online banking website to authenticate.

      The problem is, if I get the PIN wrong, the message says "PIN incorrect", and no code is produced. Argh! Introducing the chips has drastically cut face-to-face (shop, ATM) fraud in the UK, and means criminals now want a PIN to go with a card. They sometimes install a tiny camera in an ATM and steal the card when you walk away, but ATMs are in "safe" places, and have CCTV around them etc -- or at least, people don't use them if they don't feel safe.

      So instead, they steal your card somewhere more private:
      *thump* *thump* "Tell me the PIN!"
      "5-2-9-1! Let me go!"
      *"Identify"* *tap-tap-tap-tap* *schking* "Tell me the real PIN, or else!"

    26. Re:RTFS by Anonymous Coward · · Score: 0

      Dude, you can't just reveal your password like that out in the open. That's REALLY bad for security.

      I did you a favor and went ahead and changed it to $ecurePa$$w0rd

      You're welcome.

    27. Re:RTFS by Anonymous Coward · · Score: 0

      There is a solution for that, a duress code. It can be one or two digits above or below the normal PIN. So if your PIN is 5291 (as mentioned above), you enter 5292. This will allow access, but notify the authorities of a holdup.

    28. Re:RTFS by houghi · · Score: 2, Insightful

      Nonsense. While Chrome doesn't seem to have this yet, Firefox and Konqueror come with encrypted password stores out of the box.

      There are some computers that are under my control. There are some that are NOT under my control. I can not install software on those systems. I can not add anything on those systems. Further not all logins are weblogins and some that are only work on very locked down IE machines where I can not even do a 'save password'.

      Finally, there is the option to use client-side certificates and/or OpenID, with services that support them. This would allow you to choose whatever means of authentication you like, passwords or otherwise.

      Almost none have this option. Those are the ones I use privately from my own box, so no issue there. The ones that bother me are all the different systems I need to access remotely. The worst I ever had to work with was a forced password change every 5 days.
      I now have several digipasses laying around for different systems.

      One is for a company where I first have to enter a login and then the digicode with a pincode, then the same login with a password, then a different login with a different password.
      So what I have done is against all security. We have a dedicated machine just for that application (was also a requirement. We needed to install their closed source software, so we decided not to use a standard machine for it.) I have placed a text file on the PC I use it on with all the details AND I have connected the code generator thing to the keyboard AND have the login and password on the monitor so people can login both as user and as admin.
      Yes I know it is extremely bad practice. I need the machine perhaps once every two weeks and then I need it fast. I then do not have the time looking what the logins were and where that stupid key was again.

      So by increasing the security on their side by doing all the things that are possible, they actually have decreased it in the end. The main difference is that if something goes wrong, they can blame me. So to me that means this is not about security, but about pointing fingers and placing the blame on somebody else.

      Some others are not that bad, but still pretty awful. What I actually do is have the same password, but often I have to guess the login, because I have not chosen them myself and they are various variations on first name, last name, company, numbers and whatever they can think of is logical to THEM.

      These are third parties where my company works for and makes money from, so the only option not to use it is taking another job where I most likely would be in a similar situation, unless I would change my sort of job I do.

      No, the right approach is to increase the ease with which someone could use the system properly, and how far "properly" extends.

      Yes, unfortunately many systems are not under my control. Actually most systems are not under my control. They are third parties or for some other reason beyond my control. The most known reason is that instead of understanding that people have many, many logins nowadays, the sole interest is that they can show that they have done what needs to be done. By doing that, they will cause that people write logins and passwords down. I know that a lot of people use other people's passwords and logins on some systems, because 'security' is so tight getting a new password is too much of a hassle and takes sometimes two days.

      So if after say 20 years of intensive computer usage by non-geeks what we do now does not work, I would suggest we should start looking for something else.

      --
      Don't fight for your country, if your country does not fight for you.
    29. Re:RTFS by Rick17JJ · · Score: 3, Funny

      I have recently stopped using real answers to those required "Security Questions." The answers to many of those questions are already known by other people and could probably also be found on the Internet. Instead, I plan to memorize a list of some imaginary answers for those kinds of questions. Just in case I ever forget what my imaginary answers are, I will keep a list of those imaginary answers on a piece of paper in my safety deposit box at the bank. I might also record my list of imaginary answers in an inconspicuous spot, such as possibly somewhere like writing it under some insulation, up in the attic.

      Here is a sample of the kinds of answers that I am thinking about using. Of course, those are not the actual imaginary answers which I will be using. I will not tell any of my future girlfriends or my imaginary answers. These are roughly the types of answers that I might decide to use.

      My mother's maiden name was Van Bopeep-Tinkerbell.
      I was born on Booth Island in Antarctica.
      I graduated from Elephant Island Prep School in Antarctica.
      My favorite place is Needles, California.
      My first dog was a pitbull/timberwolf mix named Fluffy-foofoo Jr.
      My first car was a 1923 model E Doble Steam car.
      My favorite food is road-kill packrat stew.
      My favorite color is infra-red.

      Of course passwords should not be something too easy to guess. Personally, I prefer to use the first letter from each word in a short sentence, to create a pass phrase. To make the pass phrase easier to memorize, I try to make the sentence as humorous or bizarre and easy to visualize as possible. If it rhymes, so much the better. If punctuation is allowed in the password, I have also found an easy to remember trick on how to include a few punctuation symbols, as well as mixing in both upper and lower case letters. Just in case I ever forget, I keep a short backup list of those in my safety deposit box at the bank.

      By the way, I still use an old-fashioned pop type email account instead of a web-based email account.

    30. Re:RTFS by Landshark17 · · Score: 1

      "Security Questions" can be, for lack of a better word, perfectly secure if you use them right. The simple solution is to give a non sequitur answer to the question. Anyone trying to get through with publicly available information will be stopped dead in their tracks. The added benefit is you also don't forget the answer because it's so bizarre. Anyone who's serious about cracking your account won't let that stop them, but it's more secure than letting anyone who knows what high school you went to/ what car you drive/ who your first kiss was have access to your account.

      --
      This sig is false.
    31. Re:RTFS by Anonymous Coward · · Score: 0

      I guess disgruntled lovers wouldn't even have to know the password ... a good reason to keep your lover gruntled. :-)

      I have no idea what that means, but it sounds like a great excuse for anal! "No, seriously honey, I read it on slashdot!"

    32. Re:RTFS by base3 · · Score: 1

      Covert duress works great in protecting nuclear weapons, but Joe Sixpack is going to fatfinger and enter the duress code so many times that there aren't enough cops on earth to respond. Got to admit that I'd had the same idea in the past, though.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    33. Re:RTFS by Anonymous Coward · · Score: 0

      http://maord.com/ can easily help you with that.

      ...and it doesn't even support HTTPS.

    34. Re:RTFS by ajlisows · · Score: 1

      Must be some cracker to guess some of those security answers. *I* can't remember my own answers. "What was your favorite food (when you created this account 5 years ago)?" Ugh. For trivial accounts I started typing "IHateYou" as the response for all of them. (Yeah, I told my big secret. Now you can go try to crack my Adobe.Com account so you can download Adobe Acrobat 1000 times or something.)

    35. Re:RTFS by yoyhed · · Score: 1

      I can't believe it was still unchanged after all these hours! I made a small revision inside, but left the password the same.

      --
      WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
    36. Re:RTFS by Fred_A · · Score: 1

      I have recently stopped using real answers to those required "Security Questions." The answers to many of those questions are already known by other people and could probably also be found on the Internet. Instead, I plan to memorize a list of some imaginary answers for those kinds of questions.

      This is of course the only way to use those "security" questions. I'm troubled that there still are so few people thinking out of the box nowadays even with the high profile hacks widely published in the popular press.

      The few sites that store both your question and your answer help a bit.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    37. Re:RTFS by Fred_A · · Score: 1

      Sure. That is what people tell me all the time to use a secure password. http://maord.com/ can easily help you with that. So now I have a secure password like cJQKUG4P generated by that website.

      Those passwords are terrible, they should have some non alphabetical characters, like punctuation, to be more effective.

      When will PAM finally support Unicode passwords for Linux (and how do you enter runes on this stupid keyboard ?)

      --

      May contain traces of nut.
      Made from the freshest electrons.
    38. Re:RTFS by muckracer · · Score: 1

      > I'd imagine it has more to do with those damn required "Security Questions",
      > many of which use publicly available information.

      While I agree that those questions are stupid, I do not agree that they "use
      publicly available information". Your answer does, if at all. And that's
      your choice. So treat the answers just as another password. What's your
      highschool? EswB2aal!

    39. Re:RTFS by shvytejimas · · Score: 1

      I think this is the extension you are looking for: PasswordHasher. It creates a hash from your master password and the base domain, has options for excluding special symbols from the hash and integrates nicely with the password fields.

      If the guy who wrote it is your friend, give him my best. What I like the most about this hasher is that it's also available in a standalone html file, which helps when you need to login from a computer without the extension installed. You can host the file yourself, but since it's written in javascript, there's no need to (hashing is done locally).
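
The scheme described in the comment above (a per-site password derived from a master password and the base domain, with an option to leave out symbols), as an added Python example that is not PasswordHasher's code or algorithm. The PBKDF2/HMAC construction, the symbol set and the short suffix list are assumptions made for illustration.

```python
import hashlib
import hmac
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@_"  # constructed symbol set; sites differ in what they accept
# Constructed, incomplete stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def base_domain(hostname):
    """Reduce a hostname to its registrable domain (mail.example.com -> example.com)."""
    labels = hostname.lower().strip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def _keystream(key):
    """Endless deterministic byte stream built from HMAC-SHA256(key, counter)."""
    counter = 0
    while True:
        yield from hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def site_password(master, hostname, length=16, symbols=True, iterations=200_000):
    """Derive the same password every time for (master, base domain)."""
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if symbols else [])
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)

    # The base domain is the salt, so every site gets an unrelated password.
    # PBKDF2 stretching makes guessing the master from one leaked site
    # password expensive.
    salt = base_domain(hostname).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)

    # Rejection sampling: drop bytes that would bias the modulo mapping.
    limit = 256 - 256 % len(alphabet)
    candidate = []
    for byte in _keystream(key):
        if byte >= limit:
            continue
        candidate.append(alphabet[byte % len(alphabet)])
        if len(candidate) == length:
            # Many sites insist on one character from each class; if this
            # candidate lacks one, keep reading the stream for the next one.
            if all(any(c in cls for c in candidate) for cls in classes):
                return "".join(candidate)
            candidate = []


if __name__ == "__main__":
    # Constructed inputs.
    print(site_password("correct horse battery", "mail.example.com"))
    print(site_password("correct horse battery", "shop.example.co.uk", symbols=False))
```

Anyone who learns the master password can regenerate every site password, so it deserves the same care as a password-manager key.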

    40. Re:RTFS by gmprog · · Score: 1

      If I ever found a female customer service rep that knew what a "hash" is I'd drop a marriage proposal on the spot.

    41. Re:RTFS by neurovish · · Score: 2, Funny

      If I ever found a female customer service rep that knew what a "hash" is I'd drop a marriage proposal on the spot.

      What if she knew what an octothorpe was?

    42. Re:RTFS by Cro+Magnon · · Score: 2, Funny

      So, if you forget your password, you recover it with another password that you can't remember?

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    43. Re:RTFS by muckracer · · Score: 1

      > if you forget your password, you recover it with another password that you
      > can't remember?

      You don't recover passwords. You write them down and store them accordingly.

    44. Re:RTFS by SanityInAnarchy · · Score: 1

      There are some that are NOT under my control.

      Potential security hole right there.

      I can not install software on those systems. I can not add anything on those systems. Further not all logins are weblogins and some that are only work on very locked down IE machines

      Look at shvytejimas's reply -- that is, PasswordHasher is available both as an extension and as a standalone HTML page -- thus, easy to host yourself, if you don't trust someone else to. Visit with your locked down IE, type your password and the base domain, copy/paste the hash into the page (or program) you needed.

      So by increasing the security on their side by doing all the things that are possible, they actually have decreased it in the end.

      Which is exactly why the important thing here is to allow tighter security, not require it. The hardware key is a great example -- I'd stick it on my keychain and be happy to have it. Most people would probably physically attach it to the machine it's used from. Make it optional and we can both be happy.

      The right way to solve the problem users have with their passwords is educating those users, not writing off a service as "insecure" because the people using it are. After all, social engineering is always possible.

      So if after say 20 years of intensive computer usage by non-geeks what we do now does not work, I would suggest we should start looking for something else.

      Depends what you mean by "what we do now".

      Everything you've just mentioned is fairly stupid design, where the systems are entirely outside your control as a user, and you are "forced" to have a level of security they will accept, leading to you doing things like writing passwords down. About all I could suggest from your side is, that text file should be encrypted with a password you can remember.

      But we weren't talking about that. We were talking about webmail -- and most webmail is either smart enough to use OpenID, or not smart enough to do more than a straight username/password. In either case, it's possible to be both reasonably secure (seemingly-random password) and convenient (hashing, save password, etc).

      It's certainly possible to be at least secure enough that no one's going to pull it directly off a hard drive or a sticky note, nor guess it based on your pet's name, favorite movie, dictionary attack, etc.

      So I think I'm justified in not feeling a lot of sympathy for someone who had their webmail account cracked by guessing a password. I can sort of see someone not knowing to force https, at least when using wireless (hint: https://mail.google.com/, and Gmail will remember it once you login), but it's not that difficult to deal with a secure password, especially in that context.

      --
      Don't thank God, thank a doctor!
    45. Re:RTFS by Anonymous Coward · · Score: 0

      The solution to that problem goes "bang."

      -USA

    46. Re:RTFS by Anonymous Coward · · Score: 0

      Make them yourself

      cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c8 | more

    47. Re:RTFS by Anonymous Coward · · Score: 0

      What if she knew it in another language? e.g. sinal tralha, diése, octotborpe, or ÐнÐÐ ÑÐÑÐÐ (russian does not compute!).

    48. Re:RTFS by flghtmstr1 · · Score: 1

      It's still accessible as of 12:58 EST

    49. Re:RTFS by masshuu · · Score: 1

      It's still accessible. I think 5 people actually logged into it (going by account access history)

      --
      O.o
  3. No resources to investigate misdemeanors? by Anonymous Coward · · Score: 0

    No resources to investigate misdemeanors? No problemo then - just post it on /. and I'm sure we'll shlashdot them out of business.

  4. Blaming the tools, instead of the behaviour... by Cheesetrap · · Score: 2, Informative

    "normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."

    Well that's incorrect. I'd be fairly confident that most web-based email services have a way of telling when you logged into your account last (otherwise how would they know when to deactivate your account after X months of inactivity?) - they simply choose not to allow Joe Average to access this information.

    1. Re:Blaming the tools, instead of the behaviour... by PIBM · · Score: 4, Insightful

      GMail has a nice line at the bottom, telling you from which other computer you are connected, when you last took any action, and then some more details. Anyone can take a look at it, but I don't expect much of their users to know what that is for, nor to check it every time they log in ...

    2. Re:Blaming the tools, instead of the behaviour... by Hrdina · · Score: 3, Insightful

      The problem with that little notice is that if you have a lot of email in your inbox, you have to make an effort to scroll down to see it.

      Most people don't make efforts.

      Maybe if the last activity notice were in the sidebar or near the top of the screen it might be more effective.

      I also love how the lead-in to the story discusses a woman who apparently became jealous because her "married boyfriend" was cheating on her...

    3. Re:Blaming the tools, instead of the behaviour... by Thanatos81 · · Score: 1

      The problem with that little notice is that if you have a lot of email in your inbox, you have to make an effort to scroll down to see it.

      There is this little key on most keyboards that's imprinted with "end". One press and all the way down you go ;-)

    4. Re:Blaming the tools, instead of the behaviour... by flamingnight · · Score: 1

      One press and all the way down you go ;-)

      Ooh, look. Turtles!

      Seriously though, most people don't know what an IP address is, and don't care. There are ways that this could be made easier (when you log in from a "new-to-gmail" IP more than a few times, have it ask you to label as Home/Work/Friend's House/etc), but 1.2.3.4 means nothing to most people outside of /. It's just that computer-speak anyway and "I never need to worry because I've got this friend in Nigeria who's giving me lots of money".

    5. Re:Blaming the tools, instead of the behaviour... by Hrdina · · Score: 1

      Pressing one key (two if you count going back to the top) is exactly the kind of effort that most people don't make. :-D

    6. Re:Blaming the tools, instead of the behaviour... by s1lverl0rd · · Score: 1

      You should if you expect your ex to go snooping.

    7. Re:Blaming the tools, instead of the behaviour... by LordAndrewSama · · Score: 1

      I think they should put in the sidebar near the top something about the 5 last IP addresses that were used. but most people have no idea what an IP address is, so maybe just something saying "You last logged on from a different computer" or "You last logged on from a different computer, and a different computer again before that" or some plain English (or whatever default language) explaining each IP address or something.

      and a frikken bright red warning if your account is suddenly accessed from a different city or country.

      and yes, a part of me knows that most people still wouldn't care. but I can hope.

  5. compromised by Korbeau · · Score: 5, Insightful

    And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace

    Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere. I'm sure modern techniques can also be used to highlight strange connection patterns and/or unusual connection location. Although it's far from perfect it at least gives some basic tools to be aware and deal with this situation. And if the hackers know their address is not only logged in an obscure web log but also available to the user (with a nice helpful tips page about what to do and who to contact when you're a victim) it would probably intimidate part of them.

    1. Re:compromised by girlintraining · · Score: 4, Insightful

      Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere.

      Yeah, because the average person is going to know what subnet or network they're coming in from. And they'll remember that time they logged in from the coffee house. No -- the information is useless to the average person because they don't know how to interpret it. It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:compromised by moonbender · · Score: 4, Informative

      Google Mail gives you an activity log: http://mail.google.com/support/bin/answer.py?ctx=gmail&answer=45938

      It's pretty damn cool.

      --
      Switch back to Slashdot's D1 system.
    3. Re:compromised by nitroamos · · Score: 1

      for websites, it's super easy to see who's visited, with many online services providing this.

      why isn't there a way to attach a counter to your inbox (i'm looking at gmail)? could it be embedded in a custom theme?

    4. Re:compromised by Anonymous Coward · · Score: 1, Interesting

      It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.

      But people might just remember at what time they logged in. Time is quite a common concept in modern society. That said, your estimate on smallpox contagiousness is rather optimistic (depending on your viewpoint): http://www.ncbi.nlm.nih.gov/pubmed/11742399

    5. Re:compromised by ScrewMaster · · Score: 3, Insightful

      No -- the information is useless to the average person because they don't know how to interpret it.

      So? Help them interpret it. That's what computers are for. You can't tell me that that raw data can't be presented in some way that does make sense to Average Joe and at least gives him the idea that somebody is screwing with him.

      --
      The higher the technology, the sharper that two-edged sword.
    6. Re:compromised by Threni · · Score: 1

      So Gmail tells me that someone's tried to guess my password - so what? What am I supposed to do with this information? Which part of a hacker would be intimidated by the fact that the IP address of the proxy(s) they are using is logged somewhere?

    7. Re:compromised by Anonymous Coward · · Score: 0

      Yes, but then it becomes a problem of education. How do you educate users who don't care to read what's on the screen, even if it's for their own good?

    8. Re:compromised by Anonymous Coward · · Score: 1, Insightful

      Are you saying the average person will have trouble interpreting something like this:

      "The last time you logged in was yesterday at 3:15 P.M."

      And some people actually gave you +Insightful for this?

      The context is simple. You are presented the date and time of your last login. Don't remember logging in at that time? Deduction, someone else did.

      There is nothing useless about simple information we all understand. Why jump to the technical details of subnets etc.?
      That kind of information you keep in the logs, obviously. Give the client the information they can use.

    9. Re:compromised by darthflo · · Score: 3, Insightful

      "Since the last successful login Yesterday at 7:13, 48 attempts to log into your account with a wrong password have been made from 3 locations. [details]"

      Simple as that. More detail wouldn't help most users, so let them know something potentially bad is happening. If they care about their account, they'll have a techie friend look into it.

    10. Re:compromised by nuckfuts · · Score: 1

      It's not the IP address that matters, it's the fact that a single source made 32 attempts to login to your account. This warning might prompt you to take additional steps, such as changing your password to something random.

      I once had someone try repeatedly to access one of my online accounts. I changed the lost password challenge question to "Go f**k yourself".

    11. Re:compromised by L4t3r4lu5 · · Score: 1

      I just learned that there is an average of 6.5 secondary infections of smallpox per primary infection in a community with no natural immune resistance.

      That's the difference between us and them. They don't care what "subnet" means. I needed to know what R0 meant.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    12. Re:compromised by xaxa · · Score: 1

      My online banking makes me read "You last logged in on Monday 12th June at 14:34. If this wasn't you, please phone 08000...".

      I'm useless at remembering when I last logged in, it would be better for me if they put the IP address as well.

    13. Re:compromised by ScrewMaster · · Score: 1

      Yes, but then it becomes a problem of education. How do you educate users who don't care to read what's on the screen, even if it's for their own good?

      Well, stupidity carries its own reward.

      --
      The higher the technology, the sharper that two-edged sword.
    14. Re:compromised by Zen+Hash · · Score: 1

      You smack them on the nose and shout "no" or "bad" until it finally sticks.

      --
      Here I sit, all broken hearted.
      Came to poop, but only farted.
    15. Re:compromised by Zen+Hash · · Score: 1

      So Gmail tells me that someone's tried to guess my password - so what? What am I supposed to do with this information? Which part of a hacker would be intimidated by the fact that the IP address of the proxy(s) they are using is logged somewhere?

      The part that doesn't want to give their victim the benefits of a warning or notification that their email is being read by said hacker.

      --
      Here I sit, all broken hearted.
      Came to poop, but only farted.
    16. Re:compromised by haruharaharu · · Score: 1

      Well, when almost all the activity is from 2 ips - hoe and work - except for the 30 failed logins at 3am from some ip owned by moldova, it shouldn't be too hard to interpret.

      --
      Reboot macht Frei.
    17. Re:compromised by MichaelSmith · · Score: 1

      Well, when almost all the activity is from 2 ips - hoe and...

      Spend a lot of time there do you?

    18. Re:compromised by Anonymous Coward · · Score: 0

      Or even better, put the comparison of the last logged in IP address and the current logged in IP (eg, only indicate if they are different) in addition to last login time. I know dynamic IP assignment might throw up a lot of false positives, but as long as the text isn't too alarmist it should be fine. They could even monitor blocks - so if your last login was from a different ISP/country, make a red/bold warning explaining that "unless you're certain that you logged in from a different location, or recently switched internet providers, you should check your transaction records and/or call the number".

    19. Re:compromised by muckracer · · Score: 1

      > It's not the IP address that matters, it's the fact that a single source
      > made 32 attempts to login to your account. This warning might prompt you to
      > take additional steps, such as changing your password to something random.

      This warning will not prompt most non-geek users to change their passwords,
      but to call their bank in panic and BITCH at them why THEY don't do something
      about it. And that's why the banks will not disclose that information because
      they don't want to have to deal with the fallout and the *image loss* of
      'permitting' apparent hacker activity.

    20. Re:compromised by Zebedeu · · Score: 1

      That's pretty cool.

      It'd be even nicer if they stated the location (at least the country) of origin of the IP address. One hit from Russia, and I'd be changing my password to military strength.

    21. Re:compromised by PBoyUK · · Score: 1

      +1 offtopic incoming. Regarding your signature, it's somewhat more difficult to find a feature of this nature in Linux as it would be in Windows. Which strikes me as a bit odd. Anyway, what you want to do can be simulated with this apparently:

      http://www.cs.kent.ac.uk/~sm244/Jail.tar.gz

      Though if you wanted that functionality for the same reason I wanted it (specifically playing games on a dual-headed Linux using TwinView), your best bet is to start researching adding an extra MetaMode into your X config. It's what I ended up doing instead, since it just turns the other monitor off and allows me to play on my main monitor. Works fine.

    22. Re:compromised by nahdude812 · · Score: 1

      What are "3 locations?" 3 different IP addresses? What if my ISP has a load balanced transparent HTTP proxy with different public IP's?

      We dealt with problems related to customers having load balanced public IP addresses such that request-to-request their IP address changes, sometimes even across A-class networks.

      There is no available metadata that allows us to identify that these two IP's belong to a single physical location. IP and location are only correlated, there is no guaranteed mapping, and nobody (to my knowledge) has the data necessary to map that out.

      When you say "3 locations," even relatively technically savvy people might read that as 3 physical locations (since you didn't say "3 C-class networks"). But since you don't have the information to make that call in all cases, it can be more confusing than not saying anything at all.

      Besides it's a pretty sure shot most of these places aren't brute forcing passwords; major email providers already have protections in place against that. Instead they'll rely on the ex-spouse's personal knowledge to successfully complete a forgotten password request, etc. The same way Sarah Palin's email was hacked some months back.

    23. Re:compromised by nahdude812 · · Score: 1

      I have to wonder why you would wait for someone to start trying to crack your password before you used a strong one?

      If you have a hard time with passwords, use some sort of mnemonic, such as lyrics from a favorite song, choose some letters / words to represent as a number instead, and use a symbol to delineate phrases.

      Just from the song I'm listening to now: iWu2km!W&tW@Wis#t

      Personally for some reason I have a fairly easy time remembering really obscure passwords, so I usually just use the passwd command to generate a completely random one. Some little quirk in my brain learns that the first time I type it, and I never have a problem remembering it perfectly later.

    24. Re:compromised by darthflo · · Score: 1

      You're obviously right about the definite mapping of an IP address to a location, but one could take an educated guess.

      There's several geolocation services, all of them will more or less accurately tell you the location of an IP address. Usually that'll be one of your ISP's termination points; so while it won't be broken down to your city it tends to hit the right state/region and (save proxies and dirty tricks) will get the country right. IMO that wouldn't be necessary:

      I'd simply go for the assigned netblock. One netblock is one location. That'll take care of ISPs distributing their traffic throughout their assigned /8; but still catch two different /24s as different nets.

      Alternatively, counting multiple blocks owned by the same person as one might provide better results. Time (and by time I mean log files of high-traffic sites) would tell.

      In the end, the techies are going to click [details] where they'll get a list of login attempts, time and originating IP address. Judging about the meaning is up to them.

      About the brute forcing: I never understood why anyone would answer the "forgotten password" questions truthfully. Security-wise, it's suicide (I also never got why services would add that feature). Offer your users a nice sheet of paper with all the important details to print, (delete,) lock away in a safe location, but don't compromise the fragile security that's offered by a password.
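
The login notice proposed in darthflo's two comments above (failed attempts since the last successful login, with one netblock counted as one location), as an added Python example that is not part of any comment. The log format, the sample lines and the fixed /24 and /48 block sizes are assumptions; a provider would use the assigned netblock from registry data instead.

```python
import ipaddress
from collections import Counter, namedtuple
from datetime import datetime

Event = namedtuple("Event", "when account outcome addr block")

# Constructed sample auth log: timestamp, account, outcome, source address.
SAMPLE_LOG = """\
2009-09-06T07:13:02 alice OK 192.0.2.10
2009-09-06T23:41:10 alice FAIL 198.51.100.7
2009-09-06T23:41:15 alice FAIL 198.51.100.9
2009-09-06T23:42:01 alice FAIL 203.0.113.50
2009-09-07T02:05:44 bob FAIL 198.51.100.7
2009-09-07T03:00:12 alice FAIL 2001:db8:12:3400::1
2009-09-07T03:00:19 alice FAIL 2001:db8:12:99::2
2009-09-07T04:00:00 alice FAIL not-an-ip
2009-09-07T08:30:00 alice OK 192.0.2.77
"""


def netblock(addr):
    """Map an address to a coarse network: /24 for IPv4, /48 for IPv6 (assumed sizes)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def parse(log_text):
    """Parse log lines into Events, skipping anything malformed."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("OK", "FAIL"):
            continue
        try:
            when = datetime.fromisoformat(parts[0])
            block = netblock(parts[3])
        except ValueError:
            continue
        events.append(Event(when, parts[1], parts[2], parts[3], block))
    return sorted(events, key=lambda e: e.when)


def login_notice(events, account, now, current_addr):
    """Summarise what happened to `account` before the successful login at `now`."""
    history = [e for e in events if e.account == account and e.when < now]
    successes = [e for e in history if e.outcome == "OK"]
    previous = successes[-1] if successes else None
    since = previous.when if previous else datetime.min
    failures = [e for e in history if e.outcome == "FAIL" and e.when > since]
    return {
        "previous_login": previous.when if previous else None,
        "failed_attempts": len(failures),
        "failed_netblocks": Counter(e.block for e in failures),
        # Only meaningful when there is an earlier login to compare against.
        "new_netblock": previous is not None
        and previous.block != netblock(current_addr),
    }


def render(notice):
    """Turn the summary into the plain sentences a user would see."""
    lines = []
    if notice["previous_login"]:
        lines.append("Last successful login: "
                     + notice["previous_login"].strftime("%Y-%m-%d %H:%M") + ".")
    if notice["failed_attempts"]:
        detail = ", ".join(f"{block} ({count})"
                           for block, count in sorted(notice["failed_netblocks"].items()))
        lines.append(f"Since then, {notice['failed_attempts']} login attempts with a "
                     f"wrong password came from {len(notice['failed_netblocks'])} "
                     f"networks: {detail}.")
    if notice["new_netblock"]:
        lines.append("This login comes from a different network than the previous one.")
    return "\n".join(lines)


if __name__ == "__main__":
    notice = login_notice(parse(SAMPLE_LOG), "alice",
                          datetime(2009, 9, 7, 8, 30, 0), "192.0.2.77")
    print(render(notice))
```

The two IPv4 addresses in 198.51.100.0/24 and the two IPv6 addresses in the same /48 each collapse into one network, so the five failures are reported as coming from three places.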

    25. Re:compromised by Zebedeu · · Score: 1

      I have to wonder why you would wait for someone to start trying to crack your password before you used a strong one?

      I knew this was coming :-)
      My passwords are what I'd consider "safe enough" -- no dictionary words, some characters in upper case, and there are some numbers involved.

      On the other hand, they tend to be short (~8chars), and I don't mix too many upper case letters and numbers in order to simplify typing, which is where I'm kind of trading security for convenience.

      Now, if I knew that someone was actively trying to crack my password, it'd be the motivation needed to start using longer, more randomized passwords.

      Just from the song I'm listening to now: iWu2km!W&tW@Wis#t

      I couldn't dream of having to type that every time I wanted to log in to my server to restart some service (which happens quite often -- crappy iguanaIR drivers and deluge daemon).
      Make that twice for each restart: logging in to the SSH server + sudoing.

    26. Re:compromised by nahdude812 · · Score: 1

      You should consider setting up an SSH keypair for authenticating against SSH. Then you don't actually need to type your server password. If passwordless authentication bothers you (someone compromises your key by accessing your local home folder or whatever), you can put a password on the keypair which is different from your actual authentication password.

      However, I agree, the example I gave is much too long for convenience; it's more of a root password than an every day password. Mostly it was just an example of the sort of incredibly complex password you can create that's also super easy to remember.

    27. Re:compromised by Anonymous Coward · · Score: 0

      I used to have it set up as a keypair in a past configuration. I haven't done it in this one because I've been meaning to buy a new machine and the current configuration is temporary.

      Actually, after 1 year waiting to buy the Perfect Server(TM), I guess that "temporary" is relative.

      Oh well.

    28. Re:compromised by moonbender · · Score: 1

      Hey, thanks for the reply, and that's pretty much exactly why I need it. I'd prefer not to change the display resolution or turn the second monitor off, I really want to run it windowed and confine the cursor until I alt-tab or something. I think the Jail application only confines the movement to one screen (in an X multi-screen setup), but maybe I can modify it to confine it to a window...

      --
      Switch back to Slashdot's D1 system.
    29. Re:compromised by ScrewMaster · · Score: 1

      You smack them on the nose and shout "no" or "bad" until it finally sticks.

      I think having the speakers shout "Yo, Bitch ... check dis out!" might grab their attention.

      --
      The higher the technology, the sharper that two-edged sword.
  6. Text of the Article by Anonymous Coward · · Score: 3, Funny

    Password Hackers Are Slippery To Collar

    By Tom Jackman
    Washington Post Staff Writer
    Monday, September 7, 2009

    When Elaine Cioni found out that her married boyfriend had other girlfriends, she became obsessed, federal prosecutors say. So she turned to YourHackerz.com.

    And for only $100, YourHackerz.com provided Cioni, then living in Northern Virginia, with the password to her boyfriend's AOL e-mail account, court records show. For another $100, she got her boyfriend's wife's e-mail password. And then the passwords of at least one other girlfriend and the boyfriend's two children. None had any clue what Cioni was doing, they would later testify.

    Cioni, however, went further and began making harassing phone calls to her boyfriend and his family, using a "spoofing" service to disguise her voice as a man's. This attracted the attention of federal authorities, who prosecuted Cioni, 53, in Alexandria last year for unauthorized access to computers, among other crimes. She was convicted and is serving a 15-month sentence.

    But such services as YourHackerz.com are still active and plentiful, with clever names like "piratecrackers.com" and "hackmail.net." They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly.

    And, experts said, there doesn't appear to be much anyone can do about it.

    "This is an important point that people haven't grasped," said Peter Eckersley, a staff technologist for the Electronic Frontier Foundation in San Francisco. "We've been using e-mail for years, and it's been insecure all that time. . . . If you have any hacker who is competent and spends the time and targets you, he's going to get you."

    Federal law prohibits hacking into e-mail, but without further illegal activity, it's only a misdemeanor, noted Orin Kerr, a law professor at George Washington University and a former trial attorney in the Justice Department's computer crime section.

    "The feds usually don't have the resources to investigate and prosecute misdemeanors," Kerr said. "And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."

    Every state has laws roughly similar to the federal computer laws, Kerr said, and rate the offenses as misdemeanors.

    Not long after Gov. Sarah Palin of Alaska was named the Republican nominee for vice president last year, someone hacked into her personal Yahoo e-mail accounts. And as the election neared, someone at George Mason University hacked into the e-mail of the school's provost and sent a schoolwide e-mail saying the election date had been changed.

    "Web Based email password hacking or cracking is one of our all time favourite and unique hobby," write the folks at YourHackerz.com. It's not clear where YourHackerz.com is located, but experts suspect that most of the businesses are based overseas. "We will provide you with the original Passwords. No questions asked whatsoever. Payment only after you are CONVINCED. 100% guarantee of Cracking. Total privacy of your information. No legal hassles."

    At SlickHackers.com, they boast, "We are professionals interested in helping serious people for whom an email password would mean saving their marriage, knowing the truth, preventing a fraud, protecting their family/job/interests only when conventional ways and normal procedures do not work."

    All the services advertise that they will e-mail a screenshot of the target's in-box or even send an e-mail from the target's e-mail as proof that they've cracked the password. The customer then sends payment. One service, whose fee is only 20 British pounds (about $33), then responds with the script from a scene from a Shakespeare play, with the stolen password hidden in the copy.

    E-mail inquiries to several of these services did not elicit any responses.

    The FBI cannot police the Internet, a spokesman said. "The FBI is aware of these illegal services," spok

    1. Re:Text of the Article by Marcos+Eliziario · · Score: 1

      mod parent funny.
      Oh no. Mod TFA funny.
      No! mod Elaine Cioni funny (didn't find the 'freak' mod option)

      --
      Your ad could be here!
  7. Re:Ex-lovers? by selven · · Score: 1

    Once you lose trust to that extent, you're done.

  8. Moo, moo. by girlintraining · · Score: 4, Interesting

    Yeah, well I'd say it's a big reason why I get phone calls. I hung my shingle out a long time ago about being a computer geek. People usually come to me for one of three reasons: First, their computer's suddenly running slow. "But I've tried everything." Malware is the main reason. Second is "It won't turn on anymore." Coffee spill on laptop, or HDD failure without error message. And the third most common reason: "I want to ruin someone's life! You're a hacker, right?"

    Of course, these are my friends, not strangers. I usually oblige them by asking if they knew what common passwords their ex used, any websites they frequented, the full spelling of their name, date of birth, and social security number. And the strange part is: They usually know all of these things. You know what I do then? Nothing. Not a damn thing. I sit down and have a long talk with them about personal security and how just like we don't go out alone at night (I'm a girl. Most of my friends are girls -- I know most of you are dudes and don't think about it much), we also need to take precautions online! This is usually said while saying what a bastard the guy was. And I give them a pat on the head, some candy I keep around for this purpose, and send them on their way.

    I'm a white hat (eh, most of the time). But a lot of people just like me know this about others because they've hung their shingle out too and announced they're a geek. And not all of them are going to have an ethical hangup about sucking up all your personal data, hacking your accounts, and leaving "I have a small penis" written to all your friends. Because really... The average person if you do go through all the effort to get them access just sits there feeling all powerful for a minute and then does something incredibly juvenile that'll make you wish you'd done your laundry instead of wasted two hours at the keyboard.

    My advice to you people: Love your partner. But do not give them the root password!

    P.S. Only once ever have I done a spot of sleuthing that I felt was worth it -- when I discovered a friend-of-a-friend was dating a terrorist. No, I don't mean the fluffy-bunny kind that the media portrays either (everything is terrorism these days). No, I mean the guy came overseas, set up shop over here, and was doing serious criminal enterprise and had cases open with a half-dozen agencies. A few days later, a police officer informed her that if she valued her life, she should cease contact with him immediately. Fun times. Everything else though? Boring as shit.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Moo, moo. by Anonymous Coward · · Score: 0

      Funny how I never had any friend asking me to hack into an "ex"s puter.
      Either I have friends with high morals, or I have friends that think I would never go so low as helping them out with juvenile actions (well, ok, or I have friends that do not trust me as a hacker).
      I only once did voluntarily snoop on someone else's account, and it actually was a beloved one - in a period of sentimental turmoil.
      But maybe these different patterns relate to the fact that I am male?

    2. Re:Moo, moo. by girlintraining · · Score: 3, Interesting

      But maybe these different patterns relate to the fact that I am male?

      More likely it's that girls have a lot more acquaintances and casual contacts than men do... And that we gossip so that people who know of us extends beyond a few close friends and coworkers but into the friend-of-a-cousin-of-a-friend's boyfriend scope. That, and most guys just want to be done with the drama and suffer in silence when it ends. Girls don't usually skip the part of the process that entails great amounts of fire and brimstone. Of course, in the end it's all a tempest in a teapot, but that doesn't stop them from beating a path to my door and getting Lecture #46.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Moo, moo. by Anonymous Coward · · Score: 1

      I would think all the sexual stereotyping would be beneath you.

    4. Re:Moo, moo. by Anonymous Coward · · Score: 0

      What I find funny is that it is said that women are more mature than men.....
      and yet they are prone to petty and dramatic behaviour.......

    5. Re:Moo, moo. by Runaway1956 · · Score: 1

      Don't tell anyone the unknown fact that most people use the same password for everything. I was interested in a certain female, so I gained physical access to a machine that person used, booted with a Live-CD, and sent the log-in files to a networked hidey hole. John the Hacker later cracked the password for me. The same password logged me into 3 different webmails, Yahoo, Myspace, and some sex-for-sale sites, as well as a couple gay sites. Of course, IE's and XP's handy log features had already told me which sites to visit.

      The whole exercise was educational. At my age, few things surprise or shock me, but I was surprised at how ACTIVE this individual was! More than half the activity was substantiated with some "casual" observation and interviews. All of this just made me want to beat the crap out of the young man who was foolish enough to get involved with the skank, but that's another story......

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    6. Re:Moo, moo. by bickerdyke · · Score: 2, Insightful

      That, and most guys just want to be done with the drama and suffer in silence when it ends.

      we save that for the next common cold...

      --
      bickerdyke
    7. Re:Moo, moo. by Bacon+Bits · · Score: 1

      It's not a stereotype if it's her observed reality. Anecdote is not data, but personal experience is not stereotype.

      --
      The road to tyranny has always been paved with claims of necessity.
    8. Re:Moo, moo. by Nathrael · · Score: 1

      As sad as it is, there is quite a lot of truth to gender stereotypes. Sure, they have changed in time, but there still is typically male and typically female behavior (hey, don't look at me, I'd love to see female engineers and scientists just as much as you do).

      --
      A good education is a bit like a STD - it makes you unsuitable for a lot of jobs and gives you a desire to spread it.
    9. Re:Moo, moo. by Anonymous Coward · · Score: 0

      when I discovered a friend-of-a-friend was dating a terrorist. No, I don't mean the fluffy-bunny kind that the media portrays either (everything is terrorism these days). No, I mean the guy came overseas, set up shop over here, and was doing serious criminal enterprise and had cases open with a half-dozen agencies. A few days later, a police officer informed her that if she valued her life, she should cease contact with him immediately.

      Damn, I wish I thought of that way to dump a crazy ex and her crazy hacker friend.

    10. Re:Moo, moo. by Anonymous Coward · · Score: 0

      It's a trap!

    11. Re:Moo, moo. by girlintraining · · Score: 0

      (hey, don't look at me, I'd love to see female engineers and scientists just as much as you do).

      Then stop treating them as sex objects when they show up for work!

      --
      #fuckbeta #iamslashdot #dicemustdie
    12. Re:Moo, moo. by access.name · · Score: 1

      You say you would like to see female engineers and scientists, (as if there were none?). Why? It shouldn't matter to you if there is female, male, queer or transgendered engineers and scientists.

    13. Re:Moo, moo. by Virtual_Raider · · Score: 2, Interesting

      (hey, don't look at me, I'd love to see female engineers and scientists just as much as you do).

      Then stop treating them as sex objects when they show up for work!

      That is actually a lot harder than people realize. We The People are animals first and foremost, and then everything else. Whenever most people see a person of the opposite gender, the first thing they see is that they are of the opposite gender. This is biology, at which most people have more experience than at their culture, education and work ethics.

      The better and broader your education and culture, the faster they kick in to cushion the action of pure animal instinct, but do not be fooled, it's there and most men will first see the woman and then the co-worker. Sometimes it comes naturally and sometimes it takes actual conscious effort to completely remove the message "I'm talking to a woman" from the "I'm talking to a co-worker" equation. That is in no way a justification for being a pig, but hopefully it's an insight on the mechanics. Of course this is /. so others will disagree =)

      --
      +Raider of the lost BBS
    14. Re:Moo, moo. by Anonymous Coward · · Score: 0

      Nobody's treating them as sex objects.

      It's been shown numerous times that fewer girls have the passion for math and science that is necessary to do well in engineering and science. The ones that do have the passion do very well, there just aren't enough.

      Guys aren't all hornballs all the time.

  9. Trivial. by fiendishfish · · Score: 1

    I am pretty sure they just utilise the 'recover your password' function, as the spouses/relations probably know what the answers are. I seriously doubt they'd even consider bruteforcing/dictionary attacking Hotmail or the like.... As they have a limited amount of attempts to use. It'd be interesting to see how they'd hack an account with a ridiculously long password like: '>AFD,!21)£"($£$3La57~}{' and with a bogus answer to a secret question. I think not 'YourHackerz'. Also, has the website suffered the wrath of the 'Slashdot effect'?

    1. Re:Trivial. by lastomega7 · · Score: 1

      a ridiculously long password like: '>AFD,!21)£"($£$3La57~}{'

      That's amazing. I've got the same password on my luggage!

    2. Re:Trivial. by PRMan · · Score: 1

      ridiculously long password like: '>AFD,!21)£"($£$3La57~}{'

      No, they just have to visit Slashdot, where geeks brag about their "unbreakable" passwords.

      (Note: to avoid any unsightly "whoosh" moments, I know that that isn't really his password. It's a joke, people!)

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    3. Re:Trivial. by bemymonkey · · Score: 1

      That's what I'm wondering, actually. As a Gmail user with a relatively long and complicated password, how would these services go about hacking into my Gmail account? All connections in and out are SSL'd, I don't use public WiFi without a VPN, my home WiFi is secured relatively well... Short of e-mailing me a trojan, what options do these guys have?

    4. Re:Trivial. by Anonymous Coward · · Score: 3, Informative

      Heh, you're overestimating the level of skill involved.

      There are some interesting discussions of how these services work here:

      crackpal.com
      crackmails.net

    5. Re:Trivial. by ninjapiratemonkey · · Score: 1

      That's the stupidest password I've ever heard in my life! The kind of thing an idiot would have on his luggage!

      --
      01110000 01010111 01101110 00110011 01100100
    6. Re:Trivial. by geminidomino · · Score: 2, Insightful

      That's what I'm wondering, actually. As a Gmail user with a relatively long and complicated password, how would these services go about hacking into my Gmail account? All connections in and out are SSL'd, I don't use public WiFi without a VPN, my home WiFi is secured relatively well... Short of e-mailing me a trojan, what options do these guys have?

      Your password may be long and complicated, but look closely at your "security questions." If the client has been lubing your junk, odds are that she knows your dog's name is Archibald and your favorite color is mauve.

      "Forgot my password" indeed.

    7. Re:Trivial. by Anonymous Coward · · Score: 1, Insightful

      Actually, my favorite colour is 'spaghetti' and my dog's name is 'A Winter's Tale'.

    8. Re:Trivial. by raju1kabir · · Score: 1

      What's the counterpart to "whoosh" for someone who explaineth too much?

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    9. Re:Trivial. by guyminuslife · · Score: 1

      *cricket noise*

      --
      I don't believe in time. It's a grand conspiracy designed to sell watches.
    10. Re:Trivial. by mlts · · Score: 1

      One system I've thought of for security questions requires a simple app on a cellphone. App asks for a password, then when you type in what it wants for a security question, it SHA-256 hashes the question + the password [1], drops all but the first x characters, and then you use the x (10+ depending on the system, preferably 15-20) amount of characters in the result as the answer.

      This way, it's easy to have your answer to security questions, you can enter almost anything in for the question, but yet nobody would be able to get the answer without brute forcing your password on your cellphone app.

      [1]: For additional security, the program can hash stuff a large number of times to help combat brute forcing.

    11. Re:Trivial. by mlts · · Score: 1

      I keep having people hit up my Gmail account with lost password queries, usually about 3-4 times a week. Even though those mails are routed to a junk mailbox designed for that, all it would take is accidentally clicking on one of the recovery links to lose control of the account.

      I do wish Gmail would have an option to require someone trying to obtain a gmail password to pass the challenge/response questions before it sends a link to recover. This isn't foolproof, but it will keep Joe Skiddy from being able to blanket gmail with PW requests in hopes someone clicks on a link.

    12. Re:Trivial. by raylu · · Score: 1

      But this makes your password recovery questions worthless in case you actually do forget your passwords, so you might as well enter "ashfiuwafewufiawhf" as your answer.

      --
      Maurice Wilkes, debugging, 1949
    13. Re:Trivial. by mlts · · Score: 1

      True. If you forget the "seed" password, then you are cooked. However, if you have the PW and application (which can just be a script that does 'echo "mypasswordmychallengephrase" | md5sum' (where mypassword is your core password, and mychallengephrase is your challenge question), and paste in the hash), you can pretty much enter anything for the challenge questions and it will be unguessable to an attacker.

    14. Re:Trivial. by pwizard2 · · Score: 1

      Heh, it looks like these guys don't even know enough to use captchas. I wonder how many spam requests they get through their order form.

      --
      "It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
    15. Re:Trivial. by bemymonkey · · Score: 1

      I forgot to mention that I don't use security questions ;)... if an answer is required, I just enter gibberish.

    16. Re:Trivial. by muckracer · · Score: 1

      > As a Gmail user with a relatively long and complicated password, how would
      > these services go about hacking into my Gmail account?

      Inside source?

    17. Re:Trivial. by gmprog · · Score: 1

      If your favorite color is mauve, you probably don't have a wife/girlfriend to worry about anyway.

    18. Re:Trivial. by shellbeach · · Score: 1

      Your password may be long and complicated, but look closely at your "security questions." If the client has been lubing your junk, odds are that she knows your dog's name is Archibald and your favorite color is mauve.

      "Forgot my password" indeed.

      Huh, but gmail allows you to set your own security question. Mine is, "What is the specific string of alpha-numeric characters used to answer this question?"

      I'm pretty sure no random junk-luber is going to guess that one any time soon ....

    19. Re:Trivial. by Uzuri · · Score: 1

      When did they change this to not be the case? I got hung up on just that on a shared gmail account because it DID require me to put in the secret question's answer, and I'd forgotten that, too (luckily the person I shared with remembered it). The alternative was some weird form that required you to remember when you'd started the account, and someone you'd recently contacted and a bunch of other things.

      And of course, if I can't remember my password or my question, I'm sure not going to remember all that :p

      --
      I'm a she-slashdotter... but I make up for it by living with my folks.
    20. Re:Trivial. by Uzuri · · Score: 1

      Well well... I stand corrected. Out of curiosity I tried the process, and it just let me send the email.

      I think gmail just likes to harass me periodically :p

      --
      I'm a she-slashdotter... but I make up for it by living with my folks.
  10. Re:Ex-lovers? by linhares · · Score: 1

    divorce dollars?

  11. Go to jail AND lose your divorce case by davidwr · · Score: 4, Insightful

    Sure, you may uncover evidence of unfaithfulness in your divorce case, but your winnings in divorce case will be offset when you go to jail for computer trespass and the victim [your ex] sues the invader [you] for mega-bucks.

    Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations. Yes, lawyers have ethical obligations, even those with no ethics.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Go to jail AND lose your divorce case by girlintraining · · Score: 0

      People who go to jail aren't exactly of the "mega-bucks" variety. They're usually of the "I was too poor to buy myself a get out of jail free card."

      Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations.

      Yeah, he'll tell you he can't use it in a civil case. If it were a criminal case, however, he'd present it to the police as a "reasonable suspicion" and get a warrant to get the evidence legally.

      Yes, lawyers have ethical obligations, even those with no ethics.

      In the case of lawyers without ethics, you can be assured they will state their ethical obligations can be waived for a fee.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:Go to jail AND lose your divorce case by Anonymous Coward · · Score: 0

      Not unless you're being stupid about it. Forbidden knowledge is dangerous, because you can inadvertently reveal how you got it, but it is also power, because when you know what you're looking for, you know where to look in a legal way and find what you already know.

    3. Re:Go to jail AND lose your divorce case by mlts · · Score: 1

      I wonder if in a case like this, the ex can make up where he/she found the info, to hide the real source. For example, it could be claimed that the passwords were gleaned through a keylogger or a hidden camera. Unless the other attorney knows what questions to ask, there would not

    4. Re:Go to jail AND lose your divorce case by FailedTheTuringTest · · Score: 1

      Doesn't matter where the ex got the password -- taped to the monitor or whatever, it's still unauthorized access to a computer system.

    5. Re:Go to jail AND lose your divorce case by Anonymous Coward · · Score: 0

      The ex will just say that he or she was given the password. This would be word against word, and definitely reasonable doubt in criminal cases. Civil, perhaps too.

    6. Re:Go to jail AND lose your divorce case by base3 · · Score: 1

      You use the illegally gotten information to "stumble" upon other evidence legally. The same way the police do it.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  12. Password hints by PPH · · Score: 5, Funny

    What is your girlfriend's name? Let's see the wife try to guess that one.

    --
    Have gnu, will travel.
    1. Re:Password hints by yoma666 · · Score: 1

      Euhm she's bound to try the name you moan every night in your sleep? It's what started her off in the first place!

    2. Re:Password hints by PPH · · Score: 1

      I wonder how many people use "ElizaDushku" as a password.

      --
      Have gnu, will travel.
    3. Re:Password hints by haruharaharu · · Score: 1

      What is your girlfriend's name? Let's see the wife try to guess that one.

      Her name is Alberta, she lives in Vancouver, she cooks like my mother and, um, other stuff.

      --
      Reboot macht Frei.
    4. Re:Password hints by Anonymous Coward · · Score: 0

      "Bruce"

  13. Double Standards... by fiendishfish · · Score: 5, Interesting

    Quite an ingenious scam really. The following link - http://www.complaintsboard.com/complaints/yourhackerzcom-c141692.html [complaintsboard.com] - suggests that they take your 'hard earned money' and then blackmail you. Saying that they will tell the person you are trying to 'hack' if you don't send them $1000. It made me lol.

  14. How to secure against this by MaraDNS · · Score: 4, Insightful

    There are two ways an adversary can obtain one's password:

    • They can have a machine on the same LAN sniff their password
    • The adversary can use dictionary attacks, based on the person's personal information, to obtain the password.

    The first attack can be countered by using Gmail with things set up to always use https for connections (near the bottom of the "settings" page).

    The second attack can be countered by using a secure password that is easy to remember but hard to guess. For example, "MaraDNS.org" would not be a very good password for this account, however "otif10md" ("One time I fell 10 meters down") would be a good password. Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.

    --
    MaraDNS is an open-source DNS server.
    1. Re:How to secure against this by fiendishfish · · Score: 2, Insightful

      Yes, but you have to take into consideration that if the company was real, they wouldn't be operating locally. They'd be operating remotely. Which pretty much rules the former situation out.

      Also, I was convinced that SSL was the de-facto standard for GMAIL and other web-mail services...

      As I said in my previous post, it has been reported that the 'hackers' are merely scamming peoples money (as expected) and not delivering the service.

    2. Re:How to secure against this by Locklin · · Score: 1

      Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.

      I'm curious. Assuming your attacker knows that you use a common hash (and can easily guess which one), what do you gain over just using "secretpassword;slashdot.org?" If the attacker was going to use a dictionary attack, it would require the same number of guesses with and without the hash (or perhaps a measly 5 or 10x if the attacker has to try several hashing algorithms).

      --
      "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
    3. Re:How to secure against this by nedlohs · · Score: 1

      Because if someone finds that your slashdot password is "25bf4e9796" it doesn't really help them work out that your amazon password is "ebf97d7aa8".

      But you only need to remember one password, hopefully a slightly better one than that example...

      And of course you would not usually use the actual md5 sum hex output, you'd use an encoding that gives you more than 4 bits per byte and manages to meet the usual password restrictions.

    4. Re:How to secure against this by Cheesetrap · · Score: 0

      Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.

      I'm curious. Assuming your attacker knows that you use a common hash (and can easily guess which one), what do you gain over just using "secretpassword;slashdot.org?" If the attacker was going to use a dictionary attack, it would require the same number of guesses with and without the hash (or perhaps a measly 5 or 10x if the attacker has to try several hashing algorithms).

      Because if you use this password method to create an account on an unscrupulous/insecure site, or manage to get phished, even for a minor account, then they know your 'secret' and can very easily hijack all of your accounts. And yes, there are still plenty of services out there storing in plaintext.

    5. Re:How to secure against this by Anonymous Coward · · Score: 0

      Also, I was convinced that SSL was the de-facto standard for GMAIL and other web-mail services...

      You'd be half-wrong then. GMail (and hopefully all webmail) does authenticate over SSL so password sniffing won't work. After that, however, all your email is transferred in the open unless you understand to check the box...

    6. Re:How to secure against this by Corbets · · Score: 1

      The first attack can be countered by using Gmail with things set up to always use https for connections (near the bottom of the "settings" page).

      Gmail always encrypts your password; that setting only applies to the rest of the connection (i.e. transferring the body of your email and such).

    7. Re:How to secure against this by muckracer · · Score: 1

      > all your email is transferred in the open unless you understand to check
      > the box...

      Or simply bookmark as https://mail.google.com/ in which case the entire
      session is SSL'ed anyway. The extra setting to "Always use HTTPS" does help to
      make sure.

    8. Re:How to secure against this by Natales · · Score: 1

      That's exactly how PasswordMaker works. Simple and clever, and a remarkable improvement over the way people do passwords any way.
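
The derived-password scheme discussed in this thread, and the derived security-question answers mlts describes under "Trivial.", sketched as an added example that is not code from any poster or from PasswordMaker. It swaps the single MD5 for PBKDF2-HMAC-SHA256 (the "hash it a large number of times" step) and uses URL-safe base64 instead of hex; the iteration count, the retry counter and the policy rule are assumptions of this example.

```python
import base64
import hashlib
import math
import re


def naive_md5(master: str, site: str, length: int = 10) -> str:
    """The scheme as posted: MD5 of "secret;site", hex output, truncated."""
    return hashlib.md5(f"{master};{site}".encode("utf-8")).hexdigest()[:length]


def normalise(label: str) -> str:
    """Collapse case and whitespace so ' Slashdot.ORG ' and 'slashdot.org' agree."""
    return re.sub(r"\s+", " ", label.strip()).casefold()


def meets_policy(candidate: str) -> bool:
    """Assumed site rule: at least one lower-case, one upper-case, one digit."""
    return (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate))


def derive(master: str, label: str, length: int = 16,
           iterations: int = 200_000) -> str:
    """Derive a per-site password, or a security-question answer, from one secret.

    `label` is the site name or the full text of the security question.
    """
    if not master:
        raise ValueError("master secret must not be empty")
    if not 10 <= length <= 40:
        raise ValueError("length must be between 10 and 40 characters")
    label = normalise(label)
    counter = 0
    while True:
        # The label is the salt; the counter only changes when a candidate
        # fails the policy, so the result stays deterministic.
        salt = f"{label}#{counter}".encode("utf-8")
        raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                  salt, iterations, dklen=32)
        candidate = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
        candidate = candidate[:length]
        if meets_policy(candidate):
            return candidate
        counter += 1


def output_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the entropy an output of this shape can carry."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    master = "constructed master secret, not a real one"
    print("md5/hex    :", naive_md5(master, "slashdot.org"),
          f"({output_bits(10, 16):.0f} bits max)")
    print("pbkdf2/b64 :", derive(master, "slashdot.org"),
          f"({output_bits(16, 64):.0f} bits max)")
    print("question   :", derive(master, "What was the name of your first pet?",
                                 length=20))
```

A site that leaks one derived value in plaintext still gives an attacker something to test master-secret guesses against offline, so the iteration count and the strength of the master secret carry the scheme.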

  15. ha by Anonymous Coward · · Score: 2, Funny

    The headline implies that the hackers are doing business with THEIR ex-lovers, which didn't make much sense, considering that the average nun has more sex than the average hacker...

    1. Re:ha by Anonymous Coward · · Score: 0

      Given the news of the past 5 years, that should've read "the average priest has more sex than the average hacker..."

  16. Sounds about high that ... by lbalbalba · · Score: 1

    ... some high level expert engineers seriously start thinking about ways we *can* detect e-mail snooping has taken place ...

    1. Re:Sounds about high that ... by base3 · · Score: 1

      Email with a link to a unique IMG tag that you make sure to never read. If the web server gets a hit for that image, someone's reading your email. Of course, that fails in the presence of an adversary smart enough to open your mailbox read-only and turn off image loading in the client. Another idea is to put something so juicy in a bogus email that an obsessed ex-lover reading it would be likely to act on the information--say, a fake date at a time and place--if your stalker ex "happens by," s/he is probably reading your email.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
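
The canary-image check from the comment above, seen from the mailbox owner's side, as an added example that is not part of the original thread: it issues an unguessable image URL to plant in a message you never open, then scans web-server access logs for fetches of it. The host canary.example, the /i/ path, the token and the log lines are constructed for illustration.

```python
import re
import secrets
from datetime import datetime

CANARY_HOST = "canary.example"        # hypothetical host under your control
PROXY_MARKERS = ("GoogleImageProxy",)  # User-Agent marker of Gmail's image proxy

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TOKEN_PATH_RE = re.compile(r"/i/([A-Za-z0-9_-]+)\.png")


def new_canary(label: str) -> dict:
    """Create one canary: a random token, its image URL and the IMG tag to embed."""
    token = secrets.token_urlsafe(16)  # 128 random bits, not guessable by scanners
    url = f"https://{CANARY_HOST}/i/{token}.png"
    return {"label": label, "token": token, "url": url,
            "html": f'<img src="{url}" width="1" height="1" alt="">'}


def find_hits(log_lines, canaries, ignore_ips=()):
    """Return every access-log entry that fetched a known canary image."""
    by_token = {c["token"]: c["label"] for c in canaries}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        path = m["path"].split("?", 1)[0]
        t = TOKEN_PATH_RE.fullmatch(path)
        if not t or t[1] not in by_token:
            continue  # ordinary traffic, or a scanner guessing at paths
        if m["ip"] in ignore_ips:
            continue  # your own test fetches
        hits.append({
            "label": by_token[t[1]],
            "ip": m["ip"],
            "when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "user_agent": m["ua"],
            # Behind a provider's image proxy the IP is the provider's,
            # not the reader's; the hit still shows the message was opened.
            "via_proxy": any(p in m["ua"] for p in PROXY_MARKERS),
        })
    return hits


# Constructed sample data (documentation IP ranges, made-up token).
SAMPLE_CANARIES = [{"label": "bait-2024-03", "token": "Zk3vQ1x8Rt0aLm5pWc7y9A"}]
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] "GET /i/Zk3vQ1x8Rt0aLm5pWc7y9A.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [12/Mar/2024:09:15:40 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Mar/2024:22:01:55 +0000] "GET /i/Zk3vQ1x8Rt0aLm5pWc7y9A.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (via ggpht.com GoogleImageProxy)"',
    '203.0.113.7 - - [14/Mar/2024:01:00:00 +0000] "GET /i/AAAAAAAAAAAAAAAAAAAAAA.png HTTP/1.1" 404 0 "-" "curl/8.0"',
    'not an access-log line',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, SAMPLE_CANARIES):
        note = " (via mail provider's image proxy)" if hit["via_proxy"] else ""
        print(f'{hit["when"].isoformat()} {hit["label"]} opened from {hit["ip"]}{note}')
```

No hit is not proof that nobody looked: as the comment says, a reader with image loading turned off never triggers the fetch.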
    2. Re:Sounds about high that ... by muckracer · · Score: 1

      > put something so juicy in a bogus email that an obsessed ex-lover reading it
      > would be likely to act on the information--say, a fake date at a time and
      > place--if your stalker ex "happens by," s/he is probably reading your email.

      Somebody that obsessed might just kill you if they found something 'so juicy'.

      Remember...somebody going so far as to gain unauthorized access to your
      account and perusing your mail already has some serious mental problems
      (though it will never occur to them as, of course, everybody else, most of all
      the partner, is at fault for everything that ever happened to them). Trust
      me...seen it. These people can become very dangerous very quickly. Do not
      force the issue with something 'juicily' stupid but leave as fast and as far
      away as you can from such a person!

  17. How do they work? by Anonymous Coward · · Score: 5, Interesting

    If you're curious how these things work, here's a write-up of a typical example of one of these services.

    1. Re:How do they work? by guyminuslife · · Score: 1

      Wow, that's an incredibly lame way to get someone's password.

      I'm betting people fall for it, too.

      --
      I don't believe in time. It's a grand conspiracy designed to sell watches.
  18. I don't like snoopers! by Amester · · Score: 2

    Some folks really need to get a life, if they feel they have to snoop on their significant other like this.

    1. Re:I don't like snoopers! by couchslug · · Score: 1

      "Some folks really need to get a life, if they feel they have to snoop on their significant other like this."

      Pre-emptive snooping is a bit much, but when an SO turns evil then all bets are off. After that, all that matters is self-defense and not the enemy.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:I don't like snoopers! by cffrost · · Score: 1

      Sounds like somebody used to use weak passwords...

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    3. Re:I don't like snoopers! by Amester · · Score: 1

      I'm not speaking out of direct personal experience. Maybe I've had a sheltered life, but to my knowledge I haven't been spied on by someone I know, and I definitely haven't felt the need to snoop on anyone else.

  19. lemme get this straight by Anonymous Coward · · Score: 0

    This slut had no problem with the guy having a WIFE, yet when she found out about other bitches he was fucking on the side, that was not acceptable? The mind boggles.

    1. Re:lemme get this straight by he-sk · · Score: 1

      Not really. In her eyes, she was the new-coming upshot replacing his old wife. The other girlfriends were therefore her direct competition.

      She might also have, rather suddenly, realized how meaningless all his love-assurances were. That can really hurt.

      --
      Free Manning, jail Obama.
  20. Re:Ex-lovers? by Anonymous Coward · · Score: 0

    People forget that having password access to an ex doesn't just give access to E-mails. It gives access to send stuff out as that person. Most judges and juries believe that if mail came from a certain E-mail address, there is no reason why it would not have come from that person, even past reasonable doubt.

    So, someone who manages to obtain access can get the true owner of that account into serious felony-hard trouble, serious civil legal trouble, and on a lesser level, destroy that person's relationships.

    This goes on in universities, where people out of malice obtain someone else's userID on campus, then drop them from all their courses. Most people wouldn't catch this until profs receive notice the person dropped, but is still in the class. Or someone turning in a bogus paper in the name of their victim to get them to not just fail a course, but fail on account of academic dishonesty.

  21. Crime for profit a misdemeanor? by JSBiff · · Score: 1

    Ok, so I can see how Joe/Jane Sixpack, getting their divorce, might only be a misdemeanor breaking into an email account without profiting from it (maybe just to do something mean to his/her ex, or dig up incriminating emails), but, with regards to these commercial services offering to do the hacking for a fee, isn't there some sort of statute which makes *any crime* which is done *for profit* a felony? I don't care if your hacking an email account is just a misdemeanor, but if you are doing it for hire, that should elevate the crime, seems like, the same way *any* crime committed with a weapon automatically adds felony charges?

    1. Re:Crime for profit a misdemeanor? by Anonymous Coward · · Score: 1, Insightful

      And the difference this makes to someone operating out of a woodshed in Novosibirsk is...?

    2. Re:Crime for profit a misdemeanor? by haruharaharu · · Score: 1

      Felonies really belong in the company of rape, robbery, and murder. There's no way you can convince me that doing crime X for profit a felony - hell, a B&E is usually done for profit, as is fraud. Not too many crimes that aren't violent and also aren't done for profit.

      --
      Reboot macht Frei.
  22. Perhaps something like this? by Anonymous Coward · · Score: 0

    From my gmail account page: "Last account activity: 3 minutes ago at this IP (###.###.###.###). Details"

    Sorry to post AC, but my estranged wife and her lawyer don't know I use a gmail account. Only my lawyer does!

  23. Re:Ex-lovers? by Mashiki · · Score: 1

    Revenge? Pettiness? Still in love? Take your pick of anything including 200 other odd reasons. Love is the most dangerous emotion you have to deal with, and it's the same emotion that makes people safe and secure. While making them do stupid, and insane things that will get them locked up for a very long, long time.

    --
    Om, nomnomnom...
  24. Re:Ex-lovers? by base3 · · Score: 1

    Love and obsession are easily confused perhaps because they're often paired, but whatever drives someone to spy on his/her ex is most certainly not love.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  25. where yourhackerz.com is located + registrant info by knacjesus · · Score: 1

    YourHackerz.com 94.194.139.145 = [ 94-194-139-145.zone8.bethere.co.uk ]

    --
    my 2 cents ... no changed needed ...
  26. have tried this - it's a scam by Anonymous Coward · · Score: 1, Informative

    when someone died and I needed to contact their relatives. I never heard back after the (British-based) company accepted the 'case'. I assume that this means that the whole thing is some kind of scam - they want to know eg friends / lovers names and promise to send a screen shot before you have to pay. Why on earth would they need this info to hack a password? But they *would* need it to photoshop a 'screen shot'. I emailed again to ask if they were still trying or had no luck etc and never got a reply at all, and came to the conclusion that although they couldn't refuse such a legitimate-sounding request (they ask for the reason) without looking suspicious, they wouldn't dare to try to scam someone in such circumstances - and based in the same country - in case I followed up with further action (reporting them to eg trading standards).
    Oh, and I didn't manage to find anything saying that this was illegal in Britain either, although I assumed that it probably was. I still don't know for sure.

  27. www.candyfusion.com by Anonymous Coward · · Score: 0

    I'm always wary of people taking my personal details down! Now I know why

  28. Re:Ex-lovers? by Mashiki · · Score: 1

    Not true. Obsession and love go hand in hand, even if one person is still the primary driver for it. There's a term for it, but the name escapes me at the moment. Ah well... it may or may not come to me; take a wander through a psychology book, it's in there, I'm just too lazy.

    --
    Om, nomnomnom...