Oh, Yahoo, where do I start? We used to be good together back in 2004.
But now I’m angry and disappointed.
And it’s not me, it’s Yahoo.
The data breach the company disclosed last week, affecting more than 1bn users, dates back to 2013 — a year earlier than the breach of 500m accounts reported in September.
Whether you use Yahoo or not, disabuse yourself immediately of any notion that this breach is like the last.
The implications are worse and reach beyond the company.
And it’s not just about the number of people affected.
This time Yahoo is saying outright that all affected user passwords were stored in a manner that makes your average cyber security bod go nuts at the madness of the world.
Security! experts! slam! Yahoo! management! for! using! old! crypto! ran a headline in The Register, an industry rag, mocking the internet company’s corporate punctuation.
To understand the frustration, imagine that a password database is like a bike in an area prone to high levels of bike theft — a university town such as Oxford, UK.
It matters how securely your bike is stored and also how much it’s rendered unrideable with locks.
As Yahoo’s password bike is known to have been stolen (again), it’s the additional locks and how strong they are that now matter.
In password terms, strength equates to how easy it is to recover the plain-text version of what you type in — such as hansolo81 — from the unusable hashed version that the company stores.
A hashed version would look something like: 57dddf57a98dc88c64327fe6bb5b9358.
If the thieves can recover hansolo81, they can ride it into your bank account, PayPal — or anywhere else you used this password or predictable variants of it, such as Hansolo81, han$olo81 or hansolo82.
So you’d think Yahoo would deploy chunky chain locks like those that cycle couriers use.
But, actually, it looks as if the company instead tied a ribbon between the front wheel and the frame.
In the jargon, they used a method involving a function called MD5 — the same poor choice made by adultery website Ashley Madison for some of its users’ passwords, and by music service Last.fm, both of which experienced breaches.
Ask tech nerds what they think about MD5 and you’ll hear incredulity that any company (let alone a large, internet-based company) was still using it in 2013, that doing so is outright negligence, that there’s no excuse for it and that it was discredited a couple of decades ago.
By the time of the 2014 breach, Yahoo had nearly finished a wildly overdue upgrade to its locks, switching to bcrypt.
If well implemented, this makes its password bike unusable to thieves.
Getting from 57dddf57a98dc88c64327fe6bb5b9358 to hansolo81 would be very unlikely.
So, while that breach endangered users, it was a less epic fail than the more recently reported compromise.
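The ribbon-versus-chain-lock contrast above comes down to two properties of the stored record: whether it carries a per-user salt, and how much work each guess costs. The following Python is an added illustration written for this page, not Yahoo's code or anything from the article; the candidate list is constructed, and because bcrypt is not in the standard library, PBKDF2-HMAC-SHA256 from hashlib stands in for it (same design idea: salt plus a tunable cost). The article's sample digest is not assumed to be the MD5 of hansolo81; the example computes its own.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed candidate list: the guesses a cracker tries first, including the
# predictable variants the article names. Not real leaked data.
CANDIDATES = ["password", "letmein", "Hansolo81", "han$olo81", "hansolo82", "hansolo81"]

KDF_ITERATIONS = 50_000  # assumed cost parameter; bcrypt's work factor plays the same role


def md5_store(password: str) -> str:
    """Unsalted MD5, the storage the article describes: one fast hash, no salt, so
    every user with the same password gets the same 32-hex-digit record."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(stored_hex: str, candidates) -> tuple[Optional[str], float]:
    """Recover the plaintext by hashing each guess and comparing; one MD5 per guess."""
    start = time.perf_counter()
    for guess in candidates:
        if md5_store(guess) == stored_hex:
            return guess, time.perf_counter() - start
    return None, time.perf_counter() - start


def kdf_store(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2 as a stand-in for bcrypt). A fresh random salt
    per user means identical passwords produce different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return salt, digest


def kdf_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = kdf_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_kdf(salt: bytes, digest: bytes, candidates) -> tuple[Optional[str], float]:
    """The same dictionary attack against the salted record: every guess now costs a
    full KDF run, and the salt stops the work being shared across users or precomputed."""
    start = time.perf_counter()
    for guess in candidates:
        if kdf_verify(guess, salt, digest):
            return guess, time.perf_counter() - start
    return None, time.perf_counter() - start


if __name__ == "__main__":
    record = md5_store("hansolo81")
    print("MD5 record:", record)
    print("MD5 dictionary attack:", crack_md5(record, CANDIDATES))
    salt, digest = kdf_store("hansolo81")
    print("Salted KDF dictionary attack:", crack_kdf(salt, digest, CANDIDATES))
```

Both attacks find hansolo81 because the guess list contains it; the difference is that the MD5 version costs one hash per guess and the same record is shared by every user with that password, whereas the salted KDF version costs 50,000 HMAC rounds per guess per user. Raising the cost parameter is the knob a defender turns as hardware gets faster.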
It’s worth being clear about the consequences of Yahoo’s incredibly poor security practices as recently as three years ago: the company has probably unleashed the single biggest known data set showing how the world constructs passwords.
This is a powerful tool for guessing one’s way into accounts, especially on services that don’t limit such attempts well or offer additional security measures, such as two-factor authentication.
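The passage above makes the point that a leaked list of how people build passwords is only as dangerous as the login endpoints that accept unlimited guesses. The following Python, an added example not taken from the article or from any service it names, shows the basic mitigation: a sliding-window failed-login throttle keyed both by account and by source address. The window, limit and attempt stream are constructed values chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # assumed policy: look back five minutes
MAX_FAILURES = 5      # assumed policy: block after five failures in the window


class LoginThrottle:
    """Sliding-window failure counter keyed by account and by source address.
    The per-account key catches repeated guesses against one user; the per-source
    key catches one address sweeping a leaked list across many accounts."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.window = window
        self.limit = limit
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        """Drop failures older than the window and return the remaining queue."""
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, account, source, now):
        return (len(self._recent(("acct", account), now)) >= self.limit
                or len(self._recent(("src", source), now)) >= self.limit)

    def record_failure(self, account, source, now):
        self._recent(("acct", account), now).append(now)
        self._recent(("src", source), now).append(now)

    def record_success(self, account, now):
        # A genuine login clears the account's counter; the source counter is kept,
        # so an address that is also sweeping other accounts stays throttled.
        self.failures.pop(("acct", account), None)


def replay(throttle, attempts):
    """attempts: (timestamp, account, source, password_correct). Returns one outcome
    per attempt: 'blocked', 'failed' or 'ok'. A correct password arriving while the
    account or source is blocked is still rejected, which is the whole point."""
    outcomes = []
    for ts, acct, src, correct in attempts:
        if throttle.is_blocked(acct, src, ts):
            outcomes.append("blocked")
        elif correct:
            throttle.record_success(acct, ts)
            outcomes.append("ok")
        else:
            throttle.record_failure(acct, src, ts)
            outcomes.append("failed")
    return outcomes


# Constructed attempt stream: five wrong guesses on one account from one address,
# a sixth attempt with the right password inside the window, then a retry after it.
ATTEMPTS = [
    (0, "alice", "203.0.113.9", False),
    (1, "alice", "203.0.113.9", False),
    (2, "alice", "203.0.113.9", False),
    (3, "alice", "203.0.113.9", False),
    (4, "alice", "203.0.113.9", False),
    (5, "alice", "203.0.113.9", True),    # correct, but the account is blocked
    (400, "alice", "203.0.113.9", True),  # window expired: succeeds
]

if __name__ == "__main__":
    print(replay(LoginThrottle(), ATTEMPTS))
```

In production the counters would live in a shared store rather than a process-local dict, and the block would usually escalate to a second factor or a CAPTCHA rather than a flat refusal, but the decision logic is the same: count failures per account and per source over a window, and stop answering guesses once either count crosses the limit.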
And it’s a gift to malicious actors who increasingly know us better than we know ourselves.
Also, Yahoo can force password resets only on its own service.
There is nothing Yahoo can do to make people change identical or similar passwords used on other sites.
Furthermore, as with the last breach, the company hasn’t disclosed how many security questions and answers were badly stored.
They state only that the data were kept either encrypted or unencrypted — the latter being in readable text.
How many people can remember whether or not they once had a Yahoo account, let alone what security information they used, and whether they used that same information in their other accounts?
Where else did you use your mother’s maiden name, first pet, favourite colour, school or teacher?
The consequences of organisations’ poor security decisions will come back to haunt us.
I only hope Yahoo marks the worst, if not the last.