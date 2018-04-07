Security: Storing Passwords, Updates, and FUD Another day, another breach: At what point does storing passwords in plaintext become criminally negligent? News of the Finnish breach (Google Translate) arrived yesterday, and while there isn’t a lot of details, we learn two important things: the leak was relatively big (the third largest in Finland), and cleartext passwords with usernames leaked, because they had hundreds of thousands of passwords stored in cleartext. …and they had passwords stored in cleartext. This is so bad security, it should not exist anywhere, period. It should not even be taught in a coding class as an intermediate step on the way to how to do it the right way. You don’t store passwords in cleartext because of two reasons combined:

Storing passwords in cleartext: don't ever This year I've implemented a rudimentary authentication server for work, called Qvisqve. I am in the process for also using it for my current hobby project, ick, which provides HTTP APIs and needs authentication. Qvisqve stores passwords using scrypt: source. It's not been audited, and I'm not claiming it to be perfect, but it's at least not storing passwords in cleartext. (If you find a problem, do email me and tell me: liw@liw.fi.) This week, two news stories have reached me about service providers storing passwords in cleartext. One is a Finnish system for people starting a new business. The password database has leaked, with about 130,000 cleartext passwords. The other is about T-mobile in Austria bragging on Twitter that they store customer passwords in cleartext, and some people not liking that. In both cases, representatives of the company claim it's OK, because they have "good security". I disagree. Storing passwords is itself shockingly bad security, regardless of how good your other security measures are, and whether your password database leaks or not. Claiming it's ever OK to store user passwords in cleartext in a service is incompetence at best.

One-Fifth of Open-Source Serverless Apps Have Critical Vulnerabilities

Canonical Releases Major Linux Kernel Update for Ubuntu 17.10 for Raspberry Pi 2 Canonical released a major Linux kernel update for Ubuntu 17.10 for Raspberry Pi 2, addressing various security vulnerabilities that were previously patched for 64-bit and 32-bit architectures earlier this week. The security advisory mentions a total of 21 security vulnerabilities fixed for linux-raspi2, the Linux kernel for Raspberry Pi 2 on Ubuntu 17.10 (Artful Aardvark) operating systems, including a race condition that could lead to a use-after-free vulnerability in Linux kernel's ALSA PCM subsystem, and a use-after-free vulnerability in the network namespaces implementation. The update also addresses a race condition in Linux kernel's OCFS2 filesystem and loop block device implementations, as well as a null pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation. Most of these flaws could allow a local attacker to crash the vulnerable system by causing a denial of service or possibly execute arbitrary code.