
Yahoo hands hackers a gift: data breach affects more than 1bn users

Posted: 2024-06-07 06:34:01 Source: 千亿体育官网登录入口

Summary: Oh, Yahoo, where do I start? We used to be good together back in 2004. But now I’m angry and disappointed. And it’s not me, it’s Yahoo.


Oh, Yahoo, where do I start? We used to be good together back in 2004. But now I’m angry and disappointed.

And it’s not me, it’s Yahoo. The data breach the company disclosed last week, affecting more than 1bn users, dates back to 2013 — a year earlier than the breach of 500m accounts reported in September. Whether you use Yahoo or not, disabuse yourself immediately of any notion that this breach is like the last.

The implications are worse and reach beyond the company. And it’s not just about the number of people affected. This time Yahoo is saying outright that all affected user passwords were stored in a manner that makes your average cyber security bod go nuts at the madness of the world.

“Security! experts! slam! Yahoo! management! for! using! old! crypto!” ran a headline in The Register, an industry rag, mocking the internet company’s corporate punctuation. To understand the frustration, imagine that a password database is like a bike in an area prone to high levels of bike theft — a university town such as Oxford, UK.

It matters how securely your bike is stored and also how much it’s rendered unrideable with locks. As Yahoo’s password bike is known to have been stolen (again), it’s the additional locks and how strong they are that now matter. In password terms, strength equates to how easy it is to recover the plain-text version of what you type in — such as hansolo81 — from the unusable hashed version that the company stores. A hashed version would look something like: 57dddf57a98dc88c64327fe6bb5b9358.

If the thieves can recover hansolo81, they can ride it into your bank account, PayPal — or anywhere else you used this password or predictable variants of it, such as Hansolo81, han$olo81 or hansolo82. So you’d think Yahoo would deploy chunky chain locks like those that cycle couriers use. But, actually, it looks as if the company instead tied a ribbon between the front wheel and the frame.

In the jargon, they used a method involving a function called MD5 — the same poor choice made by adultery website Ashley Madison for some of its users’ passwords, and by music service Last.fm, both of which experienced breaches. Ask tech nerds what they think about MD5 and you’ll hear incredulity that any company (let alone a large, internet-based company) was still using it in 2013, that doing so is outright negligence, that there’s no excuse for it and that it was discredited a couple of decades ago.

By the time of the 2014 breach, Yahoo had nearly finished a wildly overdue upgrade to its locks, switching to bcrypt. If well implemented, this makes its password bike unusable to thieves. Getting from 57dddf57a98dc88c64327fe6bb5b9358 to hansolo81 would be very unlikely.
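The three preceding paragraphs describe the two schemes and the migration between them. The example below, added here and not taken from the column or from Yahoo, shows why unsalted MD5 records are the "ribbon" and how a store can be moved off them without forcing a mass reset: each legacy record is verified as-is and replaced with a salted, slow hash the first time its owner logs in. Because bcrypt is not in Python's standard library, `hashlib.scrypt` stands in for it; the record format `scrypt$<salt>$<digest>`, the work factors, the function names and the sample store are all constructed for this example.

```python
"""Added example: a password store holding unsalted-MD5 records (the scheme
the column says Yahoo used in 2013), upgraded record-by-record on login to a
salted, memory-hard hash. Illustrative code, not Yahoo's; scrypt stands in for
bcrypt, which the standard library lacks."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor chosen for the example (128 * N * r * p bytes = 16 MiB of memory
# per hash); production deployments tune this to their hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
PREFIX = "scrypt$"   # constructed record marker for the upgraded format


def legacy_md5(password: str) -> str:
    """Unsalted MD5: fast, and identical for every user with the same password,
    so one recovered value unlocks every account in its group."""
    return hashlib.md5(password.encode()).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard record 'scrypt$<salt hex>$<digest hex>'.
    A fresh random salt means equal passwords yield different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"{PREFIX}{salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    if stored.startswith(PREFIX):
        _, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(legacy_md5(password), stored)


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate; on success, silently replace a legacy record with a modern one.
    The plaintext is only available at login, so that is the moment to rehash."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith(PREFIX):
        store[user] = modern_hash(password)
    return True


def shared_hash_groups(store: Dict[str, str]) -> int:
    """Number of distinct record values used by more than one account.
    Non-zero for unsalted hashes whenever users share a password; zero once
    every record carries its own salt."""
    counts: Dict[str, int] = {}
    for record in store.values():
        counts[record] = counts.get(record, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    # Constructed sample store: two accounts that chose the column's password.
    users = {"leia": legacy_md5("hansolo81"), "luke": legacy_md5("hansolo81")}
    print("shared groups before upgrade:", shared_hash_groups(users))
    print("wrong password accepted?", login(users, "leia", "hansolo82"))
    print("right password accepted?", login(users, "leia", "hansolo81"))
    login(users, "luke", "hansolo81")
    print("shared groups after upgrade: ", shared_hash_groups(users))
```

Two details carry the lesson. `shared_hash_groups` is non-zero for the legacy store because unsalted MD5 gives the same output for the same input, which is exactly what makes a leaked table a census of how people build passwords. After the lazy upgrade the count drops to zero, and each guess against a record now costs a full scrypt computation rather than a single MD5 block.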

So, while that breach endangered users, it was a less epic fail than the more recently reported compromise. It’s worth being clear about the consequences of Yahoo’s incredibly poor security practices as recently as three years ago: the company has probably unleashed the single biggest known data set showing how the world constructs passwords. This is a powerful tool for guessing one’s way into accounts, especially on services that don’t limit such attempts well or offer additional security measures, such as two-factor authentication.

And it’s a gift to malicious actors who increasingly know us better than we know ourselves. Also, Yahoo can force password resets only on its own service. There is nothing Yahoo can do to make people change identical or similar passwords used on other sites.

Furthermore, as with the last breach, the company hasn’t disclosed how many security questions and answers were badly stored. They state only that the data were kept either encrypted or unencrypted — the latter being in readable text. How many people can remember whether or not they once had a Yahoo account, let alone what security information they used, and whether they used that same information in their other accounts? Where else did you use your mother’s maiden name, first pet, favourite colour, school or teacher? The consequences of organisations’ poor security decisions will come back to haunt us.

I only hope Yahoo marks the worst, if not the last.