Salted Hash: Line Jumping at DEF CON 22

Much people, many lines, wow

Today starts the final phase of Hacker Summer Camp, and Salted Hash will be wandering the halls – albeit a bit slowly – to offer random bits of coverage from DEF CON 22.

First observation, there are way too many people here, just ask anyone who stood in the badge line for more than 5 hours on Thursday.

[Image: the badge line at DEF CON 22]

For today's post, we're going to examine various topics of interest from the show, as determined by a single question posed to DEF CON attendees.

The question - "What's in the news lately that has your attention, and what are your opinions on it?" - generated a mix of reactions, some of which can't be reproduced here, and one I'm sure was an animal noise of some kind.

Trust me I'm Secure:

The most common news item comes from Hold Security and their alleged collection of 1.2 billion usernames and passwords from an unknown number of unknown websites. The story itself is fishy. There is, at least at the time this story was written, no proof that such a list exists.

However, the real issue isn't the announcement of a list that may or may not exist, it's the fact that the person who claimed to have discovered it – Alex Holden – used it to kick off a marketing campaign for a new breach notification service.

On top of that, anyone who wants to check and see if their information is contained within this alleged list can do so as long as they submit their email address and their password (which is sent to Hold after being hashed within the browser).

"Hold Security has attempted to shine a light on how great they are and lost sight of the thin line separating security research from cybercrime," commented J.J. Thompson, CEO of Rook Security.

"It is completely unethical and unacceptable for a security research firm to obtain [a large] cache of stolen credentials, hold them and participate in major media announcements regarding the data, and monetize the ability of companies and individuals to check to determine if Hold Security is in possession of their stolen data. Surprisingly, Hold Security has continued with this approach despite voluminous feedback from the security community online and through private communications."

In fact, Thompson added, it appears that Hold Security may be violating both Wisconsin state codes 943.20, 943.34 & 134.98 as well as Federal code 18 U.S. Code § 2314 and 2315. While researchers work hand-in-hand with corporations and law enforcement to help victims of crime on the Internet, Hold Security, Thompson added, is "holding them hostage."

Yahoo to offer end-to-end email encryption by 2015:

The news that Yahoo will follow Google and add end-to-end encryption to their mail product by 2015 isn't unexpected. However, those who spoke with Salted Hash on the topic were glad that Yan Zhu, from the EFF (also part of the HTTPS Everywhere project), was hired to make the transition happen. And, as expected, there were those who – after having the news item explained – smiled and commented, "You mean people still use Yahoo Mail?"

Salted Hash will be onsite at DEF CON 22 all weekend, with additional updates to follow.

Image Credit: The inset image of the badge line at DEF CON 22 was taken by J. Sokoly.

Copyright © 2014 IDG Communications, Inc.