Notice they said "encrypted" passwords, not salted password hashes.
I also found it interesting how vague they were in "implementing additional security measures". I would hope that they've identified and fixed the core security issue that HTP exploited, and that these extra measures aren't simply asking their customers to change their passwords.
Encrypted is not the same as hashed. An encrypted password could be secure as long as the means to decrypt the password, for example the key used to encrypt it, is not leaked. Sending you passwords over email, however, is horrible.
Name.com user here. This is the first time one of my registrars has been compromised and I'm not sure I understand the (potential) severity of what has happened.
The article implies this is the first time they've notified customers, so they've either been unaware (seems unlikely since the FBI had a mole in HTP, who have claimed responsibility) or just not disclosing it? Is that true? I can understand why people are annoyed at Linode and everything, but this seems ridiculous if it's the first time.
It looks like they may have used RSA encryption with a 4096-bit key [1], and as far as I know, if the private key is not compromised, this is pretty darn secure... Can anyone confirm?
What exactly wasn't believable about it before? Linode confirmed that someone cracked into their system on their blog, which I consider as being confirmation enough for everything.
Name.com seems to be on the same path Go Daddy was 8 years ago (sans scantily clad women for marketing).
It was back in April, in association with an attack on Linode [1]. See this HN comment by RoboTeddy from yesterday for a great summary of the group's story about these attacks [2].
agwa | 13 years ago
"@HackThePlanet Can you just send a postcard next time?" https://twitter.com/namedotcom/status/332304801050271744
"@xDictate Yes. It's been a huge pain in the ass, yet it's hard not to appreciate great technical savvy." https://twitter.com/namedotcom/status/332308994255384577
Regarding elephants: "@BobSnooks Even though it feels like we're getting trampled by them, we still won't shoot." https://twitter.com/namedotcom/status/332232278078001153
Hopefully this is an indication they'll be willing to release full details of the incident. In contrast, Linode seems to take their image way too seriously and refuses to say anything that might make them look bad. (Of course, not saying anything makes them look worse, but they don't seem to realize that.)
blacktulip | 13 years ago
https://news.ycombinator.com/item?id=5667027
https://news.ycombinator.com/item?id=5667391
edmond_dantes | 13 years ago
I don't trust "encrypted" passwords because of my experience with Host Gator: I contacted Host Gator support to reset my password and they were able to send me my previous PLAINTEXT password. I asked them how this was possible and they told me that the passwords were encrypted and only a few people had access to them.
People who also have access to it: anyone who can see the Host Gator email queue and the mail servers the email passed through.
I promptly closed my account with them.
RKearney | 13 years ago
Want to add an SSL certificate to a subdomain? You have to provide them your main account login, which is logged in plain text in their ticket system.
They also took it upon themselves to look through one of my databases because they thought it was taking up too much of my unlimited quota.
3JPLW | 13 years ago
They also only mention personal information theft, while there was also supposedly a risk of configuration changes to domains hosted there.... were they able to track any malicious changes? Or are they confident none happened? Or did they have no idea about the breach until HTP publicized it? More information would certainly help my confidence with them as a registrar.
btipling | 13 years ago
If your password is hashed, which it usually should be, then the service would not be able to give it to you. The reason services sometimes instead opt to encrypt instead of hash is for support reasons. Encrypting a password could be ok, as long as they never expose the password over something like email.
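As an added example (not from this thread, and not Name.com's or Host Gator's code), the distinction drawn in this comment and in the earlier one on encrypted versus hashed passwords: with a reversible store, whoever holds the key can hand a customer (or an intruder who copied the database and key) the original password, while a salted hash can only be verified. The keystream cipher is an illustrative stand-in for a real cipher such as AES-GCM, and every key and password below is constructed.

```python
import hashlib
import hmac
import os

# Illustrative keystream cipher (HMAC-SHA256 in counter mode), standing in for a
# real cipher such as AES-GCM because the Python standard library ships none.
# Not for production use; it exists only to make "reversible" concrete.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_password(key: bytes, password: str) -> bytes:
    # Random nonce per record; stored blob = nonce || plaintext XOR keystream.
    nonce, pt = os.urandom(16), password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))

def decrypt_password(key: bytes, blob: bytes) -> str:
    # Whoever holds the key (support staff, or an intruder who copied it along
    # with the database) gets every plaintext password back.
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def hash_password(password: str, iterations: int = 200_000) -> bytes:
    # Per-user random salt plus a slow KDF; the stored record can only be checked
    # against a candidate password, never turned back into the password.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt + iterations.to_bytes(4, "big") + dk

def verify_password(record: bytes, password: str) -> bool:
    salt, iters, dk = record[:16], int.from_bytes(record[16:20], "big"), record[20:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(cand, dk)  # constant-time comparison

def demo(password: str = "correct horse") -> dict:
    # Constructed scenario: one user's password stored both ways, then the
    # database (and, for the encrypted store, the key) is assumed leaked.
    key = os.urandom(32)
    enc, rec = encrypt_password(key, password), hash_password(password, 20_000)
    return {
        "encrypted_recoverable_with_key": decrypt_password(key, enc) == password,
        "hash_verifies_correct": verify_password(rec, password),
        "hash_verifies_wrong": verify_password(rec, password + "x"),
        "hash_record_contains_password": password.encode() in rec,
    }
```

The encrypted store can answer "what is this user's password?", which is exactly what a support desk that emails old passwords relies on; the hashed store can only answer "is this the password?".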
carlsednaoui | 13 years ago
What would HN suggest doing in a case like this (aside from changing passwords)? Just let it be? Monitor credit card? Change registrar?
Looking forward to your feedback.
blacktulip | 13 years ago
However I still changed my credit card since it was in the Linode database.
I considered changing registrar. But I really don't know which one I could go to. How do you know they won't be (or already are) compromised?
mattwdelong | 13 years ago
[1] - https://twitter.com/namedotcom/status/332260201535266816
windexh8er | 13 years ago
I wouldn't appreciate the "humor" (Twitter) around this event if I were a customer. My only hope is that if anything like this happens to Gandi that they handle it with, true to style, no-bullshit transparency - spare the crap.
3JPLW | 13 years ago
However, Name.com has not disclosed much information. I don't know if they were aware of the attack until the group released their story yesterday. The systems could have still been compromised.
[1] https://blog.linode.com/2013/04/16/security-incident-update/
[2] https://news.ycombinator.com/item?id=5667391