LinkedIn Passwords Leaked... Congress Immediately Wants To 'Do Something!'

from the grandstanding... dept

As you hopefully have heard already, a ton of LinkedIn passwords were leaked online. They were leaked as hashes -- not in plaintext -- and without associated usernames, leading some to suggest there was no real threat to users unless someone also had the full list of usernames. However, that doesn't seem quite accurate. Since the passwords were hashed but not salted, it is relatively easy to recover the original passwords from the hashes. Yes, the usernames haven't been released, but some are suggesting that whoever leaked the data released only this subset because they had already cracked a bunch of the easier passwords (and probably had the usernames) and just needed "the crowd" to help crack the rest.

LinkedIn took its time, but did admit that there was a breach and reset the affected passwords. However, Congress never misses an opportunity to grandstand. Rep. Mary Bono Mack was quick to jump up and announce that something must be done!
"How many times is this going to happen before Congress finally wakes up and takes action?" said Rep. Mary Bono Mack, R-Palm Springs, who heads a House Energy and Commerce subcommittee that has looked at online-privacy issues, in a statement. "This latest incident once again brings into sharp focus the need to pass data protection legislation."
Senator Pat Leahy jumped in with a similar statement:
"Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking," Leahy said in a statement provided to The Hill. "Congress should make comprehensive data privacy and cybercrime legislation a top priority."
First of all, it does appear that LinkedIn wasn't using particularly smart security techniques (no salting? really?). But would a law really change things? And Leahy's claim that we need "cybercrime" legislation again doesn't seem likely to help "fix" anything. If anything, the "cybersecurity" legislation that's out there might make such data even more vulnerable, by encouraging companies to share more information.

Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?
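To make the "hashed but not salted" point concrete, here is an added example (not from the article, and not LinkedIn's code): a constructed three-user table stored two ways. With unsalted SHA-1, users who picked the same password get the same stored value, so one precomputed wordlist table matches all of them at once; with a per-user random salt and a slow KDF (PBKDF2 is used here as a stand-in for any modern password hash), identical passwords no longer collapse and the precomputed table is useless.

```python
import hashlib
import hmac
import os

# Constructed sample user table (not real LinkedIn data). Two users chose
# the same password, which is exactly the pattern unsalted storage exposes.
USERS = {
    "alice": "correct horse",
    "bob": "Summer2012!",
    "carol": "Summer2012!",
}

def unsalted_sha1(password):
    """Unsalted SHA-1 of the password alone: the weakness the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a per-user salt (a stand-in for any modern KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store_salted(password):
    """Produce a self-describing record: algorithm, iterations, 128-bit salt, digest."""
    salt = os.urandom(16)
    digest = salted_hash(password, salt)
    return "pbkdf2_sha256$100000$%s$%s" % (salt.hex(), digest.hex())

def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def unsalted_table():
    return {user: unsalted_sha1(pw) for user, pw in USERS.items()}

def salted_table():
    return {user: store_salted(pw) for user, pw in USERS.items()}

def shared_password_groups(table):
    """Users whose stored values are identical. Unsalted: identical value means
    identical password, so cracking one entry unlocks the whole group. Salted:
    every value is unique, so the groups vanish even though bob and carol
    still share a password."""
    by_value = {}
    for user, value in table.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]

def precomputed_lookup_hits(table, wordlist):
    """Defender's check: a table of hashes computed once for a wordlist
    (no per-user work) matches every unsalted entry whose password is in the
    list. The same table is useless against salted records, because each
    record's salt changes the input that was hashed."""
    lookup = {unsalted_sha1(word): word for word in wordlist}
    return {user: lookup[value] for user, value in table.items() if value in lookup}

if __name__ == "__main__":
    print("unsalted groups:", shared_password_groups(unsalted_table()))
    print("salted groups:  ", shared_password_groups(salted_table()))
    print("wordlist hits:  ", precomputed_lookup_hits(unsalted_table(), ["letmein", "Summer2012!"]))
```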


Reader Comments


  1. Hephaestus (profile), Jun 7th, 2012 @ 6:49am

    Someone should check to see which cyber security or defense firms Leahy and Mack are getting their re-elections funded by.

  2. Jay (profile), Jun 7th, 2012 @ 7:03am

    Re:

    Leahy supports the military. Bono is mainly bought off by the RIAA. I'm not liking their message of more "cybersecurity".

  3. Anonymous Coward, Jun 7th, 2012 @ 7:19am

    I don't think you understand how politics work.

    They don't want to 'Do Something'. They want to pretend they're doing something by talking shit and 'passing' paper in that nice air-conditioned, tax-funded, palace of Mighty Legislature.
    How else will they convince people they matter in the practicality of everyday life? If anybody catches on, they'll lose their cushy, over-paid, government jobs.

  4. Glen, Jun 7th, 2012 @ 7:20am

    The second congresscritters want to "do something", we all lose.

  5. Max, Jun 7th, 2012 @ 7:22am

    Rabble Rabble

    There was another deadly shooting in [insert American city here].

    "How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass gun control legislation."

  6. TDR, Jun 7th, 2012 @ 7:24am

    Leahy Skroob: Do something!
    Mack Helmet: Do something!
    Lamar Sandurz: Do something!

  7. Anonymous Coward, Jun 7th, 2012 @ 7:31am

    Hey Gov, how about you first stop collecting all kinds of leakable data yourselves? Then we'll talk. Kthnxbye.

  8. Riptide Tempora, Jun 7th, 2012 @ 7:31am

    Oh, right.

    Congress can't do anything here. People choose their own security measures. Some are retarded, some are sensible.

  9. Cory of PC (profile), Jun 7th, 2012 @ 7:34am

    Once again, the always classic lines of: "Should we do something?" "We should do something!" comes up and nothing will ever come out of it. Rinse, lather, repeat. Next!

  10. Brent (profile), Jun 7th, 2012 @ 7:34am

    This is another example of how backwards our system works these days. As Congress should know, issues like this one are easily controlled by our free market system: LinkedIn already took a hit from users on this issue in terms of cancelled accounts and/or removal of apps from devices. If this happens again to LinkedIn they will become another MySpace that slowly fades away. LinkedIn knows it and will spend the money to ensure the problem doesn't happen again. Wow, the market can fix itself, crazy. This is why we don't need laws that are completely unenforceable, especially in the digital world.

  11. G Thompson (profile), Jun 7th, 2012 @ 7:35am

    This is a story about four people named Everybody, Somebody, Anybody, and Nobody. There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that because it was Everybody's job. Everybody thought Anybody could do it, but Nobody realised that Everybody wouldn't do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.

    i.e.: Secure the freaking passwords as they should be, i.e.: Salt 'em.. Cyber-laws will not stop this sort of stupidity. And the passwords are non identified and therefore meaningless for anything other than rainbow tables (look them up).

    The only thing that needs to be tightened maybe is consumer negligence laws that if a company knowingly does not allow reasonable and industry standard security policies they are absolutely liable for any and all problems that occur... including statutory fines of a % of revenue (equitable then)

  12. Josef Anvil (profile), Jun 7th, 2012 @ 7:36am

    I'm confused

    Isn't hacking a system and stealing data already illegal? Are they going to pass a new law that makes it more illegal?

    Cybercrime? These people must moonlight at the patent office where if you slap cyber or internet in front of a word it magically becomes some strange new thing that is almost impossible to understand.

    smh

  13. Anonymous Coward, Jun 7th, 2012 @ 7:40am

    Re: I'm confused

    I'm with you Josef, I was under the impression that there already was legislation to make this illegal. Too bad the politicians are so clueless they don't realize this.

    Scariest words ever. "I'm from the government and I'm here to help."

  14. Ryan Duff, Jun 7th, 2012 @ 7:41am

    You can't legislate stupid...

  15. Anonymous Coward, Jun 7th, 2012 @ 7:50am

    Clearly, if companies are unwilling to protect users of their own accord, perhaps a law would be the best way to settle the issue. It's not so much about requiring the passwords to be complicated, but rather requiring companies to store the passwords in some other manner than "in the clear". It's pretty scary when you realize that passwords are too easily accessed.

  16. Another AC, Jun 7th, 2012 @ 7:51am

    Re: Rabble Rabble

    Yay! A game I can play too!

    There was another public nude flashing incident in [insert American city here].

    "How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass overcoat control legislation."

  17. Michael, Jun 7th, 2012 @ 7:52am

    "Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?"

    Every new law either creates a new crime and/or further enhances government power. Can anyone name a single law which resulted in crime reduction?

  18. Cory of PC (profile), Jun 7th, 2012 @ 7:54am

    Re:

    Really? If that's true, then there should be some laws banning all forms of stupidity in this country and the world, even get rid of the stupid people!

    If not, is there anything that could cure stupidity or did the congress critters put some legislation that banned scientists from studying stupidity? I need to know!

  19. Cory of PC (profile), Jun 7th, 2012 @ 7:56am

    Re: Re:

    I think I got myself backwards there... I blame my own stupidity sometimes...

    Maybe there should be a law.

  20. Another AC, Jun 7th, 2012 @ 7:57am

    Re:

    I think they want to legislate smarts, but the point stands :)

  21. Anonymous Coward, Jun 7th, 2012 @ 8:02am

    Re:

    21st Amendment?

  22. Anonymous Coward, Jun 7th, 2012 @ 8:04am

    Is anyone surprised at the response from the thick f*****s in Congress? What a gift for all in favour of CISPA and similar bills. None of these will have the slightest impact on the likes of LinkedIn, eHarmony or similar or its customers but will be used as good reason for the government to introduce legislation allowing them to spy on everyone! Mind you, perhaps some Senators use it themselves to try to get a date? Wouldn't want any info about them released. Don't matter that the world and his wife will know about every other person!

  23. jjmsan (profile), Jun 7th, 2012 @ 8:04am

    Re:

    Assuming a law is needed, any law will initially cause an increase in crime because it is making a behavior criminal which was previously not criminal. Once that barrier is passed it would be enforcement of the law that mattered.

  24. Atkray (profile), Jun 7th, 2012 @ 8:22am

    Re:

    I agree, the more "gridlock" we have in Washington the better off We the People are.

  25. Anonymous Coward, Jun 7th, 2012 @ 8:22am

    The problem kind of solved itself, didn't it? LinkedIn is dumb and now people won't trust them anymore. Another service will be used.

  26. Anonymous Coward, Jun 7th, 2012 @ 8:41am

    Surely it would be prudent to reset all affected passwords to be on the safe side, pain in the ass, but effective?

  27. Flyfish, Jun 7th, 2012 @ 8:54am

    What Congress is likely to do is pass legislation mandating a "standard" internet ID for all US citizens. They'll probably want to tie it to the SSN. That will make everything more secure. Or not. It's about control, the facade of action but not about fixing anything.

  28. FormerAC (profile), Jun 7th, 2012 @ 8:56am

    Re: I don't think you understand how politics work.

    "They want to pretend they're doing something"

    Actually, what they want is to be "seen" doing something. Whether the something helps the situation or makes it worse, they don't really care, as long as people "see" them doing something about it.

  29. Anonymous Coward, Jun 7th, 2012 @ 8:58am

    salt goes on steaks not on LinkedIn passwords

  30. PlagueSD (profile), Jun 7th, 2012 @ 9:00am

    So tell me, what happens when CISPA passes and the Government servers get hacked and all this data on its citizens that it acquired via "spying" gets leaked? It's not like we can change our identities as easily as changing our password.

  31. Anonymous Coward, Jun 7th, 2012 @ 9:05am

    Re:

    Exactly, LinkedIn can very well fix this on their own, without government influence.

    It's the job of the individual companies to keep their systems up to date and protected against all known threats. If you're gonna put legislation on anything, that would be a start, nothing more nothing less, direct and to the point without the flowery description.

  32. Anonymous Coward, Jun 7th, 2012 @ 9:07am

    I dunno... how about set a minimum standard for password security. If company X is found not to use that minimum standard, company X execs are fined/jailed/flogged/quartered/etc.

    I'm tired of waiting for the free market to work... sorry, a regulatory framework can be put in place that doesn't impede on your individual rights. Heck... that's exactly what the constitution is, no?

  33. Anonymous Coward, Jun 7th, 2012 @ 9:08am

    Re: Re: ^^^^^^^

    edit: when user information is concerned at the very least

  34. Rich Kulawiec, Jun 7th, 2012 @ 9:17am

    It would have helped if the spammers at LinkedIn...

    ...had used the rather well-known technique of salting the passwords -- see, for example, Password Security: A Case History (1978). I believe early Unix systems used a 12-bit salt, but contemporary ones should be using at least a 64-bit one, preferably 96-128.

    This wouldn't have stopped the leak of the encrypted passwords, of course -- that appears to be the result of a security hole that has nothing to do with passwords. But it would raise the bar considerably for attackers attempting to decrypt them.

    The solution to this problem -- and many, MANY others like it, including the endless stream we see from the federal government -- isn't legislation. It's competence. And as we see on a continuous basis, there is absolutely no IT competence in the United States Congress.

  35. Almost Anonymous (profile), Jun 7th, 2012 @ 9:25am

    Re: Re: Rabble Rabble

    There was another face chewing incident in [insert American city here].

    "How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass zombie control legislation."

  36. Almost Anonymous (profile), Jun 7th, 2012 @ 9:28am

    Re: I'm confused

    Sounds like a pretty good meme:

    Cybersecurity law passes.

    Cybercrime now DOUBLE illegal.

  37. E. Zachary Knight (profile), Jun 7th, 2012 @ 9:31am

    What is really frustrating about all this is that I have yet to receive any notification from LinkedIn that there was a data breach. As a user, I would like the comfort of hearing it from them directly.

  38. Berenerd (profile), Jun 7th, 2012 @ 10:11am

    Re: Re: Re: Rabble Rabble

    There was another political scandal in [insert American city here].

    "How many times is this going to happen before Congress finally wakes up and takes action?" Some Senator says. "This latest incident once again brings into sharp focus the need to pass another pay-raise for ourselves."

  39. Berenerd (profile), Jun 7th, 2012 @ 10:19am

    Re:

    Have you learned nothing over the last couple of years? CEOs and execs don't get jailed or fined. They get a pat on the back and a bonus.

  40. Berenerd (profile), Jun 7th, 2012 @ 10:21am

    Re:

    None of my roommates, or my company's accounts, or mine for that matter got a notice about being compromised.

  41. Anonymous Coward, Jun 7th, 2012 @ 10:55am

    When information gets hacked from credit card companies we blame the credit card companies and claim that maybe laws aren't harsh enough on them (and, instead, we should mostly just go after those who hacked the security and leave the credit card companies alone, despite their obvious lack of security). Then this happens and the claim is the opposite, we should do nothing.

    I'm sorta in between. I don't mind good laws being passed requiring a minimal amount of security to protect people's private data. I don't mind punishment to repeat offenders who continuously implement bad security policies that precariously endanger the privacy of its users.

    But, at the same time, I know Congress may hastily end up passing a bunch of irrelevant laws that do little to deter and punish poor security measures and do something to serve an entirely different agenda. I think that maybe something needs to be done but it needs to be done very carefully. The laws need to be carefully written and examined by the public before being passed.

  42. Anonymous Coward, Jun 7th, 2012 @ 10:56am

    Laws regulating minimum standard security procedures would sure be nice. LinkedIn should salt their passwords, Sony's servers shouldn't fall to pieces from SQL injection. These corporations should be legally required to have a certain level of security in place.

  43. Anonymous Coward, Jun 7th, 2012 @ 10:56am

    Re: Re:

    Odd, I got one. Maybe they know whose passwords got jacked?

  44. Anonymous Coward, Jun 7th, 2012 @ 12:00pm

    Re:

    Also, I don't necessarily think anything should be done at the criminal level. Perhaps at the civil level laws can be passed that ensure that if I get my data hacked due to precarious security standards I can successfully sue the offending company for enough money to deter further security breaches. Class actions can go forward and gain enough money to prevent further bad security and there is just enough incentive for lawsuits of bad offenses to be initiated.

  45. BeeAitch (profile), Jun 7th, 2012 @ 12:53pm

    Re:

    "The only thing that needs to be tightened maybe is consumer negligence laws that if a company knowingly does not allow reasonable and industry standard security policies they are absolutely liable for any and all problems that occur... including statutory fines of a % of revenue (equitable then)"

    This is all that needs to be done. Unfortunately, it makes corporations look bad (and punishes them), whereas the type of legislation currently proposed diverts the blame from same corporations (i.e. campaign contributors) and still makes legislators look good.

    Never mind that the current legislation won't solve the problem and will result in collateral damage; at least the corporate sponsors are safe from blame, and the representatives can say to their constituency: "Look, we're doing everything in our cyber-power to cyber-solve this cyber-problem!".

  46. BeeAitch (profile), Jun 7th, 2012 @ 12:59pm

    Re:

    Don't worry, they'll just pass another law if that happens.

    /sarc?

  47. Anonymous Coward, Jun 7th, 2012 @ 1:04pm

    OMG! Someone's going to use my LinkedIn account...

    ...to apply for a job in the IP-intensive grocery store industry, on my behalf?

  48. Anonymous Coward, Jun 7th, 2012 @ 9:53pm

    Basically it's like having your house robbed and then yelling at the police for not locking your door.

  49. I N Observation, Jun 8th, 2012 @ 7:49am

    Implementing..

    Back doors, once they are in place, legislation for more secure cyberspace will be just around the corner.. WE HAVE TO HAVE BACK DOORS!!

  50. TurboKitty, Jun 8th, 2012 @ 8:11am

    @Congress

    Congress doesn't need to do anything ... I just change my password when necessary ... I agree it's tedious and irritating however, that's what I do and it doesn't cost me any tax-dollars to do it ... just a new and different keyboard pattern ... Congress SUCKS!

  51. Anonymous Coward, Jun 8th, 2012 @ 10:10am

    Re:

    Hey Congress, good to see that you want to do something. Jobs legislation and rebuilding the infrastructure should be first on the list. John "Jobs Jobs Jobs" Boehner said that jobs would be first on the table two years ago. What the hell does abortion legislation have to do with jobs? Or LinkedIn....

  52. Anonymous Coward, Jun 8th, 2012 @ 11:32am

    Do something! ........ Changes the password.

