LinkedIn Passwords Leaked... Congress Immediately Wants To 'Do Something!'
from the grandstanding... dept
As you have hopefully heard already, a ton of LinkedIn passwords were leaked online. They were leaked in hashed form -- and without associated usernames -- leading some to suggest there was no real threat for users unless someone also had the full list of usernames. However, that doesn't seem quite accurate. Since the passwords were hashed but not salted, it's relatively easy to recover the original passwords from the hashes. Yes, the usernames haven't been released, but some are suggesting that whoever leaked the data probably only released this subset because they had already cracked a bunch of the easier passwords (and probably had the usernames) and just needed "the crowd" to help crack the rest.
LinkedIn took its time, but did admit that there was a breach, and reset those passwords. However, Congress is never one to miss an opportunity to grandstand. Rep. Mary Bono Mack was quick to jump up and announce that something must be done!
"How many times is this going to happen before Congress finally wakes up and takes action?" said Rep. Mary Bono Mack, R-Palm Springs, who heads a House Energy and Commerce subcommittee that has looked at online-privacy issues, in a statement. "This latest incident once again brings into sharp focus the need to pass data protection legislation."
Senator Pat Leahy jumped in with a similar statement:
"Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking," Leahy said in a statement provided to The Hill. "Congress should make comprehensive data privacy and cybercrime legislation a top priority."
First of all, it does appear that LinkedIn wasn't using particularly smart security techniques (no salting? really?). But would a law really change things? And Leahy's claim that we need "cybercrime" legislation again doesn't seem likely to help "fix" anything. If anything, the "cybersecurity" legislation that's out there might make such data even more vulnerable by further encouraging companies to share information.
Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?
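The point above about hashing without salting, as an added example (not from the original post and not LinkedIn's code): it stores the same accounts once with a fast unsalted hash and once with a per-user salt and a slow key-derivation function, then audits both tables for shared values. SHA-1 for the weak scheme, PBKDF2-HMAC-SHA256 and its iteration count for the corrected one, and all account names, passwords and function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting for this example)

# Constructed sample accounts; two users chose the same password.
SAMPLE_USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "S3parate!pw"}


def unsalted_record(password):
    """Fast, unsalted digest: the weak scheme the article describes (SHA-1 assumed)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password):
    """Per-user random salt plus a deliberately slow KDF; the salt is stored with the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password, record):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_hash_groups(table):
    """Audit check: groups of accounts whose stored value equals another account's."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def build_tables(users=SAMPLE_USERS):
    """Return (unsalted_table, salted_table) for the same set of accounts."""
    unsalted = {u: unsalted_record(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return unsalted, salted
```

In the unsalted table the two accounts with the same password collapse to one stored value, so one recovered hash exposes every account that shares it; in the salted table no two records match and each would have to be attacked separately at the KDF's cost.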
Filed Under: congress, data breach, mary bono mack, passwords, pat leahy, security
Companies: linkedin
Reader Comments
I don't think you understand how politics work.
How else will they convince people they matter in the practicality of everyday life? If anybody catches on, they'll lose their cushy, over-paid, government jobs.
[ link to this | view in chronology ]
Re: I don't think you understand how politics work.
Actually, what they want is to be "seen" doing something. Whether the something helps the situation or makes it worse, they don't really care, as long as people "see" them doing something about it.
[ link to this | view in chronology ]
Rabble Rabble
"How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass gun control legislation."
[ link to this | view in chronology ]
Re: Rabble Rabble
There was another public nude flashing incident in [insert American city here].
"How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass overcoat control legislation."
[ link to this | view in chronology ]
Re: Re: Rabble Rabble
"How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass zombie control legislation."
[ link to this | view in chronology ]
Re: Re: Re: Rabble Rabble
"How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass another pay-raise for ourselves."
[ link to this | view in chronology ]
Mack Helmet: Do something!
Lamar Sandurz: Do something!
[ link to this | view in chronology ]
Oh, right.
[ link to this | view in chronology ]
Re:
It's the job of the individual companies to keep their systems up to date and protected to all known threats, if you're gonna put legislation on anything, that would be a start, nothing more nothing less, direct and to the point without the flowery description.
[ link to this | view in chronology ]
Re: Re: ^^^^^^^
[ link to this | view in chronology ]
ie: Secure the freaking passwords as they should be ie: Salt em.. Cyber-laws will not stop this sort of stupidity. And the passwords are non identified and therefore meaningless for anything other than rainbow tables (look them up).
The only thing that needs to be tightened maybe is consumer negligence laws that if a company knowingly does not allow reasonable and industry standard security policies they are absolutely liable for any and all problems that occur... including statutory fines of a % of revenue (equitable then)
[ link to this | view in chronology ]
Re:
This is all that needs to be done. Unfortunately, it makes corporations look bad (and punishes them), whereas the type of legislation currently proposed diverts the blame from same corporations (i.e. campaign contributors) and still makes legislators look good.
Never mind that the current legislation won't solve the problem and will result in collateral damage; at least the corporate sponsors are safe from blame, and the representatives can say to their constituency: "Look, we're doing everything in our cyber-power to cyber-solve this cyber-problem!"
[ link to this | view in chronology ]
I'm confused
Cybercrime? These people must moonlight at the patent office, where if you slap cyber or internet in front of a word, it magically becomes some strange new thing that is almost impossible to understand.
smh
[ link to this | view in chronology ]
Re: I'm confused
Scariest words ever. "I'm from the government and I'm here to help."
[ link to this | view in chronology ]
Re: I'm confused
Cybersecurity law passes.
Cybercrime now DOUBLE illegal.
[ link to this | view in chronology ]
Re:
If not, is there anything that could cure stupidity or did the congress critters put some legislation that banned scientists from studying stupidity? I need to know!
[ link to this | view in chronology ]
Re: Re:
Maybe there should be a law.
[ link to this | view in chronology ]
Every new law either creates a new crime and/or further enhances government power. Can anyone name a single law which resulted in crime reduction?
[ link to this | view in chronology ]
Re:
/sarc?
[ link to this | view in chronology ]
I'm tired of waiting for the free market to work...sorry, a regulatory framework can be put in place that doesn't impede on your individual rights. Heck...that's exactly what the constitution is, no?
[ link to this | view in chronology ]
It would have helped if the spammers at LinkedIn...
This wouldn't have stopped the leak of the encrypted passwords, of course -- that appears to be the result of a security hole that has nothing to do with passwords. But it would raise the bar considerably for attackers attempting to decrypt them.
The solution to this problem -- and many, MANY others like it, including the endless stream we see from the federal government -- isn't legislation. It's competence. And as we see on a continuous basis, there is absolutely no IT competence in the United States Congress.
[ link to this | view in chronology ]
I'm sorta in between. I don't mind good laws being passed requiring a minimal amount of security to protect people's private data. I don't mind punishment to repeat offenders who continuously implement bad security policies that precariously endanger the privacy of their users.
But, at the same time, I know Congress may hastily end up passing a bunch of irrelevant laws that do little to deter and punish poor security measures and do something to serve an entirely different agenda. I think that maybe something needs to be done but it needs to be done very carefully. The laws need to be carefully written and examined by the public before being passed.
[ link to this | view in chronology ]
OMG! Someone's going to use my LinkedIn account...
[ link to this | view in chronology ]
Implementing..
[ link to this | view in chronology ]
@Congress
[ link to this | view in chronology ]