LinkedIn Passwords Leaked… Congress Immediately Wants To 'Do Something!'

from the grandstanding... dept

As you hopefully have heard already, a ton of Linkedin passwords were leaked online. They were leaked in encrypted forms — and without associated usernames — leading some to suggest there was no real threat for users, unless someone also had the full list of usernames as well. However, that doesn’t seem quite accurate. Since the passwords were hashed but not salted, it’s made it relatively easy for the passwords to be decrypted. Yes, the usernames haven’t been released, but some are suggesting that whoever leaked the data probably only released this subset, because they had already decrypted a bunch of easier passwords (and probably had the usernames) and just needed “the crowd” to help decrypt the rest.

Linkedin took its time, but did admit that there was a breach, and reset those passwords. However, Congress is never one to miss an opportunity to grandstand. Rep. Mary Bono Mack was quick to jump up and announce that something must be done!

“How many times is this going to happen before Congress finally wakes up and takes action?” said Rep. Mary Bono Mack, R-Palm Springs, who heads a House Energy and Commerce subcommittee that has looked at online-privacy issues, in a statement. “This latest incident once again brings into sharp focus the need to pass data protection legislation.”

Similarly, Senator Pat Leahy jumped in with a similar statement:

“Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking,” Leahy said in a statement provided to The Hill. “Congress should make comprehensive data privacy and cybercrime legislation a top priority.”

First of all, it does appear that LinkedIn wasn’t using particularly smart security techniques (no salting? really?). But would a law really change things? And Leahy’s claim that we need “cybercrime” legislation, again doesn’t seem likely to help “fix” anything. If anything, the “cybersecurity” legislation that’s out there might make such data even more vulnerable, by making companies more encouraged to share information.

Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?

Filed Under: , , , , ,
Companies: linkedin

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “LinkedIn Passwords Leaked… Congress Immediately Wants To 'Do Something!'”

Subscribe: RSS Leave a comment
52 Comments
Anonymous Coward says:

I don't think you understand how politics work.

They don’t want to ‘Do Something’. They want to pretend they’re doing something by talking shit and ‘passing’ paper in that nice air-conditioned, tax-funded, palace of Mighty Legislature.
How else will they convince people they matter in the practicality of everyday life? If anybody catches on, they’ll lose their cushy, over-paid, government jobs.

Another AC says:

Re: Rabble Rabble

Yay! A game I can play too!

There was another public nude flashing incident in [insert American city here].

“How many times is this going to happen before Congress finally wakes up and takes action?” Some Senator says. “This latest incident once again brings into sharp focus the need to pass overcoat control legislation.”

Brent (profile) says:

This is another example of how backwards our system works these days. As Congress should know, issues like this one are easily controlled by our free market system: LinkedIn already took a hit from users on this issue in terms of cancelled accounts and/or removal of apps from devices. If this happens again to LinkedIn they will become another MySpace that slowly fades away. LinkedIn knows it and will spend the money to ensure the problem doesn’t happen again. Wow, the market can fix itself, crazy. This is why we don’t need laws that are completely unenforceable, especially in the digital world.

Anonymous Coward says:

Re: Re:

Exactly, linkedln can very well fix this on their own, without government influence

Its the job of the individual companies to keep their systems up to date and protected to all known threats, if your gonna put legislation on anything, that would be a start, nothing more nothing less, direct and to the point without the flowery description.

G Thompson (profile) says:

This is a story about four people named Everybody, Somebody, Anybody, and Nobody. There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that because it was Everybody’s job. Everybody thought Anybody could do it, but Nobody realised that Everybody wouldn’t do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.

ie: Secure the freaking passwords as they should be ie: Salt em.. Cyber-laws will not stop this sort of stupidity. And the passwords are non identified and therefore meaningless for anything other than rainbow tables (look them up).

The only thing that needs to be tightened maybe is consumer negligence laws that if a company knowingly does not allow reasonable and industry standard security policies they are absolutely liable for any and all problems that occur… including statutory fines of a % of revenue (equitable then)

BeeAitch (profile) says:

Re: Re:

The only thing that needs to be tightened maybe is consumer negligence laws that if a company knowingly does not allow reasonable and industry standard security policies they are absolutely liable for any and all problems that occur… including statutory fines of a % of revenue (equitable then)

This is all that needs to be done. Unfortunately, it makes corporations look bad (and punishes them), whereas the type of legislation currently proposed diverts the blame from same corporations (i.e. campaign contributors) and still makes legislators look good.

Nevermind that the current legislation won’t solve the problem and will result in collateral damage; at least the corporate sponsors are safe from blame, and the representatives can say to their constituency: “Look, we’re doing everything in our cyber-power to cyber-solve this cyber-problem!”.

Josef Anvil (profile) says:

I'm confused

Isn’t hacking an system and stealing data already illegal? Are they going to pass a new law that makes it more illegal?

Cybercrime? These people must moonlight at the patent office where if you slap cyber or internet in front of a word and it magically becomes some strange new thing that is almost impossible to understand.

smh

Cory of PC (profile) says:

Re: Re:

Really? If that’s true, then there should be some laws banning all forms of stupidity in this country and the world, even get rid of the stupid people!

If not, is there anything that could cure stupidity or did the congress critters put some legislation that banned scientists from studying stupidity? I need to know!

Anonymous Coward says:

Clearly, if companies are unwilling to protect users of their own accord, perhaps a law would be the best way to settle the issue. It’s not so much about requiring the passwords to be complicated, but rather requiring companies to store the passwords in some other manner than “in the clear”. It’s pretty scary when you realize that passwords are too easily accessed.

Michael says:

“Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?”

Every new law either creates a new crime and/or further enhances government power. Can anyone name a single law which resulted in crime reduction?

Anonymous Coward says:

is anyone surprised at the response from the thick f*****s in Congress? what a gift for all in favour of CISPA and similar bills. non of these will have the slightest impact on the likes of LinkedIn, eHarmony or similar or it’s customers but will be used as good reason for the government to introduce legislation allowing them to spy on everyone! mind you, perhaps some Senators use it themselves to try to get a date? wouldn’t want any info about them released. dont matter that the world and his wife will know about every other person!

Anonymous Coward says:

I dunno…how about set a minimum standard for password security. If company X is found not to use that minimum standard, company X execs are fined/jailed/flogged/quartered/etc.

I’m tired of waiting for the free market to work…sorry, a regulatory framework can be put in place that doesn’t impede on your individual rights. Heck…that’s exactly what the constitution is, no?

Rich Kulawiec (profile) says:

It would have helped if the spammers at LinkedIn...

…had used the rather well-known technique of salting the passwords — see, for example Password Security: A Case History (1978). I believe early Unix systems used a 12-bit salt, but contemporary ones should be using at least a 64-bit one, preferably 96-128.

This wouldn’t have stopped the leak of the encrypted passwords, of course — that appears to be the result of a security hole that has nothing to do with passwords. But it would raise the bar considerably for attackers attempting to decrypt them.

The solution to this problem — and many, MANY others like it, including the endless stream we see from the federal government — isn’t legislation. It’s competence. And as we see on a continuous basis, there is absolutely no IT competence in the United States Congress.

Anonymous Coward says:

When information gets hacked from credit card companies we blame the credit card companies and claim that maybe laws aren’t harsh enough on them (and, instead, we should mostly just go after those who hacked the security and leave the credit card companies alone, despite their obvious lack of security). Then this happens and the claim is the opposite, we should do nothing.

I’m sorta inbetween. I don’t mind good laws being passed requiring a minimal amount of security to protect people’s private data. I don’t mind punishment to repeat offenders who continuously implement bad security policies that precariously endanger the privacy of its users.

But, at the same time, I know Congress may hastily end up passing a bunch of irrelevant laws that do little to deter and punish poor security measures and do something to serve an entirely different agenda. I think that maybe something needs to be done but it needs to be done very carefully. The laws need to be carefully written and examined by the public before being passed.

Anonymous Coward says:

Re: Re:

Also, I don’t necessarily think anything should be done at the criminal level. Perhaps at the civil level laws can be passed that ensure that if I get my data hacked due to precarious security standards I can successfully sue the offending company for enough money to deter further security breaches. Class actions can go forward and gain enough money to prevent further bad security and there is just enough incentive for lawsuits of bad offenses to be initiated.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...