Did Skeptical Science Deserve to be Hacked?

I’m not sure anybody deserves to be hacked, but I am sympathetic to the argument, “If you make it so easy to break in, you deserve whatever happens.” Maybe Skeptical Science was bringing this upon themselves.

My last post highlighted a couple stupid things said by Bob Lacatena, the author of a recent 2,500 word Skeptical Science post ostensibly explaining how Skeptical Science got hacked. There are a lot more. Today I’m going to discuss the one I find most troubling. In an inline response to a comment, he said:

I just looked at the code, and passwords are decrypted in the “Forgot your password” function — but that doesn’t represent much of a security hole, because it can’t be used to breach the system, and it can only be used to steal passwords if you already have the password and so can change a user’s e-mail, or otherwise have access to that person’s e-mail.

Either way, that particular flaw doesn’t represent a pressing issue, at least compared to the effort it would take to correct.

lucia commented on one problem with sending passwords like this. There are many others. No reputable business would ever do it. It’s stupid in every way. I’ll give a couple examples then discuss the major, conceptual problem.

Imagine you went to the bathroom at a restaurant and left your phone at the table. Somebody picks it up and has a couple of minutes' access to your phone. They go to Skeptical Science, click “Forgot your password,” get an e-mail with your password, memorize it then delete the mail. Would you ever know? Probably not. There would never be any way for you to know someone accessed your information.

That’s idiotic. No competently built security system would ever give someone an existing password. There’s no reason to. It’s easy to just send out a new password or allow the person to change the old one. Either way, a hacker won’t learn what passwords you like to use, and you’ll know something is wrong the moment you try to log into your account.

To add to the stupidity, look at Skeptical Science’s password retrieval page. It requires you to input either a username or e-mail address. User names are publicly displayed whenever you comment. That means anyone can make Skeptical Science do this to you:

[Screenshot: SkS_spam]

That’s right. You can make Skeptical Science spam people with e-mails. All you have to do is input their publicly displayed username, click a button then hit Refresh a bunch of times. Or if you don’t want to spam people, you can just frighten people by inputting name after name. Suddenly, a ton of people will worry they’ve been hacked.

But it gets worse. Suppose you knew my username but didn’t know my e-mail address. Obviously Skeptical Science should not help you get that. It does. Here’s what happens if you try to guess my e-mail address:

[Screenshot: SkS_wrong_guess]

Skeptical Science tells you when you’re wrong. That means you can try to guess my e-mail address over and over until you get it right. That’s stupid.
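For contrast, here is what a retrieval flow without those three problems looks like: the same reply whether or not the identifier matches, a cooldown so repeated clicks cannot flood someone's inbox, and a time-limited single-use reset link instead of the password itself. This is an added example, not Skeptical Science's code; the in-memory store, the `example.invalid` addresses and the timing constants are constructed.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional

# Constructed in-memory store for this example; a real site would use its database.
USERS: Dict[str, dict] = {"alice": {"email": "alice@example.invalid", "last_reset_mail": 0.0}}
RESET_TOKENS: Dict[str, dict] = {}   # sha256(token) -> {"username", "expires"}
OUTBOX: List[dict] = []              # stands in for the mail sender
RESET_TTL = 15 * 60                  # seconds a reset link stays valid
RESET_COOLDOWN = 5 * 60              # minimum gap between reset mails per account
GENERIC_REPLY = "If that account exists, a reset link has been sent to its e-mail address."

def _lookup(identifier: str) -> Optional[str]:
    """Accept a username or an e-mail address, but never reveal which one matched."""
    for name, u in USERS.items():
        if identifier == name or identifier.lower() == u["email"].lower():
            return name
    return None

def request_reset(identifier: str, now: Optional[float] = None) -> str:
    """Same reply for known and unknown identifiers, so the form cannot be used to
    confirm usernames or to guess e-mail addresses by trial and error."""
    now = time.time() if now is None else now
    username = _lookup(identifier)
    if username is None:
        return GENERIC_REPLY
    user = USERS[username]
    # Cooldown: hitting Refresh repeatedly cannot turn the form into a spam source.
    if now - user["last_reset_mail"] < RESET_COOLDOWN:
        return GENERIC_REPLY
    token = secrets.token_urlsafe(32)                  # random, single-use, unguessable
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "username": username, "expires": now + RESET_TTL}
    # The mail carries a time-limited link, never the account's password.
    OUTBOX.append({"to": user["email"], "link": f"https://example.invalid/reset?token={token}"})
    user["last_reset_mail"] = now
    return GENERIC_REPLY

def redeem_reset(token: str, new_password_record: str, now: Optional[float] = None) -> bool:
    """Consume the token exactly once; unknown and expired tokens fail the same way."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry["expires"]:
        return False
    USERS[entry["username"]]["password_record"] = new_password_record
    return True
```

Only a hash of each token is stored, so someone who later reads the table still cannot use the outstanding links.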

But the biggest problem is something we can’t see for ourselves. Remember, Bob Lacatena said:

passwords are decrypted in the “Forgot your password” function

That shouldn’t be possible. No server in the world should be able to decrypt the password you store on it. The entire point of encrypting passwords is so anyone who gets access to a password file can’t decrypt the passwords in it.

It’s called one-way encryption, or hashing. You input a value (password), and you get some long string of characters. There’s no way to go back from that string of characters to the password. Instead, you verify a password someone gives you by running it through the same function and comparing the outputs. If they match, the password is right.

Practically every login system in the world uses that. Nobody uses two-way encryption. Why would you? Why would you make it so the encrypted password file can be decrypted? Why would you ever need to be able to extract someone’s password? There is no reason to. All you’re doing is making it so anyone who gets your password file can decrypt it in its entirety by guessing the single “password” you used to encrypt it.

And this isn’t just a matter of combating hacking. If Skeptical Science can decrypt your password, that means they can view your password whenever they feel like. John Cook can choose to look at the password of anyone who signs up to his site. That’s dangerous.

Think about it. Bob Lacatena said there is an “active war against Skeptical Science.” Skeptical Science knows your e-mail address, and it can find out whatever password you used to sign up with them.

Heaven forbid you also used that password for your e-mail account. If they think they’re in a war, who knows what they might do with it?


One comment

  1. Oh. But it’s worse.

    If I had the time, and for any site that I set up from scratch, salts are easy and painless. Working with a site that’s been in existence for 7 years, and has evolved considerably over that time, however, presents a much greater coding problem.

    WordPress has been using salts since 2008.
    http://www.cydeweys.com/blog/2008/03/29/wordpress-finally-discovers-salted-passwords/
    Note the “finally”? And that was in 2008.

    But somehow, in 6 years, SkS didn’t get around to doing it with whatever software they use. They have how many volunteers? Most hobby bloggers have 0 volunteers.

    And worse: SkS did have their database go public and believes themselves to be constantly under attack. (Sounds like conspiratorial ideation to me. But…well…. I’m sure they’d say somehow that doesn’t count.)

    But given how long salting has been around, how freaking many volunteers they have, how “concerned” they are about being constantly attacked and the fact that they actually did have a database leak, why didn’t SkS switch to salted passwords sometime in the last 6 years? Mysterious.
