Obama Administration: $1.5 Million For Sharing 24 Songs Is Perfectly Reasonable

LinkedIn Passwords Leaked... Congress Immediately Wants To 'Do Something!'

from the grandstanding... dept

Thu, Jun 7th 2012 7:07am — Mike Masnick

As you hopefully have heard already, a ton of Linkedin passwords were leaked online. They were leaked in encrypted forms -- and without associated usernames -- leading some to suggest there was no real threat for users, unless someone also had the full list of usernames as well. However, that doesn't seem quite accurate. Since the passwords were hashed but not salted, it's made it relatively easy for the passwords to be decrypted. Yes, the usernames haven't been released, but some are suggesting that whoever leaked the data probably only released this subset, because they had already decrypted a bunch of easier passwords (and probably had the usernames) and just needed "the crowd" to help decrypt the rest.

Linkedin took its time, but did admit that there was a breach, and reset those passwords. However, Congress is never one to miss an opportunity to grandstand. Rep. Mary Bono Mack was quick to jump up and announce that something must be done!

"How many times is this going to happen before Congress finally wakes up and takes action?" said Rep. Mary Bono Mack, R-Palm Springs, who heads a House Energy and Commerce subcommittee that has looked at online-privacy issues, in a statement. "This latest incident once again brings into sharp focus the need to pass data protection legislation."

Similarly, Senator Pat Leahy jumped in with a similar statement:

"Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking," Leahy said in a statement provided to The Hill. "Congress should make comprehensive data privacy and cybercrime legislation a top priority.”

First of all, it does appear that LinkedIn wasn't using particularly smart security techniques (no salting? really?). But would a law really change things? And Leahy's claim that we need "cybercrime" legislation, again doesn't seem likely to help "fix" anything. If anything, the "cybersecurity" legislation that's out there might make such data even more vulnerable, by making companies more encouraged to share information.

Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: congress, data breach, mary bono mack, passwords, pat leahy, security
Companies: linkedin

52 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Hephaestus (profile), 7 Jun 2012 @ 6:49am

Someone should check to see which cyber security or defense firms Leahy and Mack are getting their re-elections funded by.
[ link to this | view in chronology ]
- Jay (profile), 7 Jun 2012 @ 7:03am
  
  Re:
  Leahy supports the military. Bono is mainly bought off by the RIAA. I'm not liking their message of more "cybersecurity".
  [ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 7:19am

I don't think you understand how politics work.
They don't want to 'Do Something'. They want to pretend they're doing something by talking shit and 'passing' paper in that nice air-conditioned, tax-funded, palace of Mighty Legislature.
How else will they convince people they matter in the practicality of everyday life? If anybody catches on, they'll lose their cushy, over-paid, government jobs.
[ link to this | view in chronology ]
- FormerAC (profile), 7 Jun 2012 @ 8:56am
  
  Re: I don't think you understand how politics work.
  "They want to pretend they're doing something"
  
  Actually, what they want is to be "seen" doing something. Whether the something helps the situation or makes it worse, they don't really care, as long as people "see" them doing something about it.
  [ link to this | view in chronology ]
Glen, 7 Jun 2012 @ 7:20am

The second congresscritters want to "do something", we all lose.
[ link to this | view in chronology ]
- Atkray (profile), 7 Jun 2012 @ 8:22am
  
  Re:
  I agree the more "gridlock" we have in Washington the better off We the People are.
  [ link to this | view in chronology ]
Max, 7 Jun 2012 @ 7:22am

Rabble Rabble
There was another deadly shooting in [insert American city here].

"How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass gun control legislation."
[ link to this | view in chronology ]
- Another AC, 7 Jun 2012 @ 7:51am
  
  Re: Rabble Rabble
  Yay! A game I can play too!
  
  There was another public nude flashing incident in [insert American city here].
  
  "How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass overcoat control legislation."
  [ link to this | view in chronology ]
  - Almost Anonymous (profile), 7 Jun 2012 @ 9:25am
    
    Re: Re: Rabble Rabble
    There was another face chewing incident in [insert American city here].
    
    "How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass zombie control legislation."
    [ link to this | view in chronology ]
    - Berenerd (profile), 7 Jun 2012 @ 10:11am
      
      Re: Re: Re: Rabble Rabble
      There was another political scandal in [insert American city here].
      
      "How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass another pay-raise for ourselves."
      [ link to this | view in chronology ]
TDR, 7 Jun 2012 @ 7:24am

Leahy Skroob: Do something!
Mack Helmet: Do something!
Lamar Sandurz: Do something!
[ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 7:31am

Hey Gov, how about you first stop collecting all kinds of leakable data yourselves? Then we'll talk. Kthnxbye.
[ link to this | view in chronology ]
Riptide Tempora, 7 Jun 2012 @ 7:31am

Oh, right.
Congress can't do anything here. People choose their own security measures. Some are retarded, some are sensible.
[ link to this | view in chronology ]
Cory of PC (profile), 7 Jun 2012 @ 7:34am

Once again, the always classic lines of: "Should we do something?" "We should do something!" comes up and nothing will ever come out of it. Rinse, lather, repeat. Next!
[ link to this | view in chronology ]
- Anonymous Coward, 8 Jun 2012 @ 10:10am
  
  Re:
  Hey Congress good to see that you want to do something. Jobs Legislation and rebuild the infrastructure should be first on the list. John Jobs Jobs Jobs Boehner said that Jobs would be first on the table two years ago. What the hell does Abortion legislation have to do with jobs? Or Linked in....
  [ link to this | view in chronology ]
Brent (profile), 7 Jun 2012 @ 7:34am

This is another example of how backwards our system works these days. As Congress should know, issues like this one are easily controlled by our free market system: LinkedIn already took a hit from users on this issue in terms of cancelled accounts and/or removal of apps from devices. If this happens again to LinkedIn they will become another MySpace that slowly fades away. LinkedIn knows it and will spend the money to ensure the problem doesn't happen again. Wow, the market can fix itself, crazy. This is why we don't need laws that are completely unenforceable, especially in the digital world.
[ link to this | view in chronology ]
- Anonymous Coward, 7 Jun 2012 @ 9:05am
  
  Re:
  Exactly, linkedln can very well fix this on their own, without government influence
  
  Its the job of the individual companies to keep their systems up to date and protected to all known threats, if your gonna put legislation on anything, that would be a start, nothing more nothing less, direct and to the point without the flowery description.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Jun 2012 @ 9:08am
    
    Re: Re: ^^^^^^^
    edit : when user information is concerned at the very least
    [ link to this | view in chronology ]
G Thompson (profile), 7 Jun 2012 @ 7:35am

This is a story about four people named Everybody, Somebody, Anybody, and Nobody. There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that because it was Everybody's job. Everybody thought Anybody could do it, but Nobody realised that Everybody wouldn't do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.

ie: Secure the freaking passwords as they should be ie: Salt em.. Cyber-laws will not stop this sort of stupidity. And the passwords are non identified and therefore meaningless for anything other than rainbow tables (look them up).

The only thing that needs to be tightened maybe is consumer negligence laws that if a company knowingly does not allow reasonable and industry standard security policies they are absolutely liable for any and all problems that occur... including statutory fines of a % of revenue (equitable then)
[ link to this | view in chronology ]
- BeeAitch (profile), 7 Jun 2012 @ 12:53pm
  
  Re:
  The only thing that needs to be tightened maybe is consumer negligence laws that if a company knowingly does not allow reasonable and industry standard security policies they are absolutely liable for any and all problems that occur... including statutory fines of a % of revenue (equitable then)
  
  This is all that needs to be done. Unfortunately, it makes corporations look bad (and punishes them), whereas the type of legislation currently proposed diverts the blame from same corporations (i.e. campaign contributors) and still makes legislators look good.
  
  Nevermind that the current legislation won't solve the problem and will result in collateral damage; at least the corporate sponsors are safe from blame, and the representatives can say to their constituency: "Look, we're doing everything in our cyber-power to cyber-solve this cyber-problem!".
  [ link to this | view in chronology ]
Josef Anvil (profile), 7 Jun 2012 @ 7:36am

I'm confused
Isn't hacking an system and stealing data already illegal? Are they going to pass a new law that makes it more illegal?

Cybercrime? These people must moonlight at the patent office where if you slap cyber or internet in front of a word and it magically becomes some strange new thing that is almost impossible to understand.

smh
[ link to this | view in chronology ]
- Anonymous Coward, 7 Jun 2012 @ 7:40am
  
  Re: I'm confused
  I'm with you Josef, i was under the impression that there already was legislation to make this illegal. Too bad the politicians are so clueless they don't realize this.
  
  Scariest words ever. "I'm from the government and I'm here to help."
  [ link to this | view in chronology ]
- Almost Anonymous (profile), 7 Jun 2012 @ 9:28am
  
  Re: I'm confused
  Sounds like a pretty good meme:
  
  Cybersecurity law passes.
  
  Cybercrime now DOUBLE illegal.
  [ link to this | view in chronology ]
Ryan Duff, 7 Jun 2012 @ 7:41am

You can't legislate stupid...
[ link to this | view in chronology ]
- Cory of PC (profile), 7 Jun 2012 @ 7:54am
  
  Re:
  Really? If that's true, then there should be some laws banning all forms of stupidity in this country and the world, even get rid of the stupid people!
  
  If not, is there anything that could cure stupidity or did the congress critters put some legislation that banned scientists from studying stupidity? I need to know!
  [ link to this | view in chronology ]
  - Cory of PC (profile), 7 Jun 2012 @ 7:56am
    
    Re: Re:
    I think I got myself backwards there... I blame my own stupidity sometimes...
    
    Maybe there should be a law.
    [ link to this | view in chronology ]
- Another AC, 7 Jun 2012 @ 7:57am
  
  Re:
  I think they want to legislate smarts, but the point stands :)
  [ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 7:50am

Clearly, if companies are unwilling to protect users of their own accord, perhaps a law would be the best way to settle the issue. It's not so much about requiring the passwords to be complicated, but rather requiring companies to store the passwords in some other manner than "in the clear". It's pretty scary when you realize that passwords are too easily accessed.
[ link to this | view in chronology ]
Michael, 7 Jun 2012 @ 7:52am

"Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?"

Every new law either creates a new crime and/or further enhances government power. Can anyone name a single law which resulted in crime reduction?
[ link to this | view in chronology ]
- Anonymous Coward, 7 Jun 2012 @ 8:02am
  
  Re:
  21st Amendment?
  [ link to this | view in chronology ]
- jjmsan (profile), 7 Jun 2012 @ 8:04am
  
  Re:
  Assuming a law is needed, any law will initially cause an increase in crime because it is making a behavior criminal which was previously not criminal. Once that barrier is passed it would be enforcement of the law that mattered.
  [ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 8:04am

is anyone surprised at the response from the thick f*****s in Congress? what a gift for all in favour of CISPA and similar bills. non of these will have the slightest impact on the likes of LinkedIn, eHarmony or similar or it's customers but will be used as good reason for the government to introduce legislation allowing them to spy on everyone! mind you, perhaps some Senators use it themselves to try to get a date? wouldn't want any info about them released. dont matter that the world and his wife will know about every other person!
[ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 8:22am

The problem kind of solved itself didn't it? LinkedIn is dumb and now people won't trust them anymore. Another service will be used.
[ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 8:41am

Surely it would be prudent to reset all affected passwords to be on the safe side, pain in the ass, but affective?
[ link to this | view in chronology ]
Flyfish, 7 Jun 2012 @ 8:54am

What Congress is likely to do is pass legislation mandating a "standard" internet ID for all US citizens. They'll probably want to tie it to the SSN. That will make everything more secure. Or not. It's about control, the facade of action but not about fixing anything.
[ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 8:58am

salt goes on steaks not on LinkedIn passwords
[ link to this | view in chronology ]
PlagueSD (profile), 7 Jun 2012 @ 9:00am

So tell me, what happens when CISPA passes and the Government servers get hacked with all this data on it's citizens that it aquired via "spying" gets leaked? It's not like we can change our identities as easily as changing our password.
[ link to this | view in chronology ]
- BeeAitch (profile), 7 Jun 2012 @ 12:59pm
  
  Re:
  Don't worry, they'll just pass another law if that happens.
  
  /sarc?
  [ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 9:07am

I dunno...how about set a minimum standard for password security. If company X is found not to use that minimum standard, company X execs are fined/jailed/flogged/quartered/etc.

I'm tired of waiting for the free market to work...sorry, a regulatory framework can be put in place that doesn't impede on your individual rights. Heck...that's exactly what the constitution is, no?
[ link to this | view in chronology ]
- Berenerd (profile), 7 Jun 2012 @ 10:19am
  
  Re:
  Have you learned nothing over the last couple of years? CEOs and execs don't get jailed or fined. They get a pat on the back and a bonus.
  [ link to this | view in chronology ]
Rich Kulawiec, 7 Jun 2012 @ 9:17am

It would have helped if the spammers at LinkedIn...
...had used the rather well-known technique of salting the passwords -- see, for example Password Security: A Case History (1978). I believe early Unix systems used a 12-bit salt, but contemporary ones should be using at least a 64-bit one, preferably 96-128.

This wouldn't have stopped the leak of the encrypted passwords, of course -- that appears to be the result of a security hole that has nothing to do with passwords. But it would raise the bar considerably for attackers attempting to decrypt them.

The solution to this problem -- and many, MANY others like it, including the endless stream we see from the federal government -- isn't legislation. It's competence. And as we see on a continuous basis, there is absolutely no IT competence in the United States Congress.
[ link to this | view in chronology ]
E. Zachary Knight (profile), 7 Jun 2012 @ 9:31am

What is really frustrating about all this is that I have yet to receive any notification from Linkedin that there was a data breech. As a user, I would like the comfort of hearing it from them directly.
[ link to this | view in chronology ]
- Berenerd (profile), 7 Jun 2012 @ 10:21am
  
  Re:
  none of my roomates, or my company's accounts or mine for that matter got a notice about being compromised.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Jun 2012 @ 10:56am
    
    Re: Re:
    odd I got one. Maybe they know whose passwords got jacked?
    [ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 10:55am

When information gets hacked from credit card companies we blame the credit card companies and claim that maybe laws aren't harsh enough on them (and, instead, we should mostly just go after those who hacked the security and leave the credit card companies alone, despite their obvious lack of security). Then this happens and the claim is the opposite, we should do nothing.

I'm sorta inbetween. I don't mind good laws being passed requiring a minimal amount of security to protect people's private data. I don't mind punishment to repeat offenders who continuously implement bad security policies that precariously endanger the privacy of its users.

But, at the same time, I know Congress may hastily end up passing a bunch of irrelevant laws that do little to deter and punish poor security measures and do something to serve an entirely different agenda. I think that maybe something needs to be done but it needs to be done very carefully. The laws need to be carefully written and examined by the public before being passed.
[ link to this | view in chronology ]
- Anonymous Coward, 7 Jun 2012 @ 12:00pm
  
  Re:
  Also, I don't necessarily think anything should be done at the criminal level. Perhaps at the civil level laws can be passed that ensure that if I get my data hacked due to precarious security standards I can successfully sue the offending company for enough money to deter further security breaches. Class actions can go forward and gain enough money to prevent further bad security and there is just enough incentive for lawsuits of bad offenses to be initiated.
  [ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 10:56am

Laws regulating minimum standard security procedures would sure be nice. Linkedin should salt their passwords, sony's servers shouldn't fall to pieces from sql injection. These corporations should be legally required to have a certain level of security in place.
[ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 1:04pm

OMG! Someone's going to use my LinkedIn account...
...to apply for a job in the IP-intensive grocery store industry, on my behalf?
[ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2012 @ 9:53pm

Basically its like having your house robbed and then yelling at the police for not locking your door.
[ link to this | view in chronology ]
I N Observation, 8 Jun 2012 @ 7:49am

Implementing..
Back doors, once they are in place, legislation for more secure cyberspace will be just around the corner.. WE HAVE TO HAVE BACK DOORS!!
[ link to this | view in chronology ]
TurboKitty, 8 Jun 2012 @ 8:11am

@Congress
Congress doesn't need to do anything ... I just change my password when necessary ... I agree it's tedious and irritating however, that's what I do and it doesn't cost me any tax-dollars to do it ... just a new and different keyboard pattern ... Congress SUCKS!
[ link to this | view in chronology ]
Anonymous Coward, 8 Jun 2012 @ 11:32am

Do something! ........ Changes the password.
[ link to this | view in chronology ]