Ars was briefly hacked yesterday; here’s what we know

Status
Not open for further replies.

epixoip

Wise, Aged Ars Veteran
192
seajack0 said:
Why isn't this pinned to the front page? You guys always vilify other companies for allowing themselves to be hacked and smear it all over the front page, only to bury your own site getting hacked in the sidebar. What gives? Also, MD5? What is this, 2004?

It was pinned at the top of the page all day yesterday and this morning, but seems to have been replaced this afternoon by arguably a more important story.

Regarding MD5, you obviously didn't bother to read any of the comments, let alone the featured comments, before posting your own comment.
 
Upvote
6 (7 / -1)

k84

Seniorius Lurkius
28
Subscriptor++
At first I thought the email was a phishing email but found this article on the home page eventually. This should have been pinned to the home page but no harm done.

As for Ars using MD5 - it's Ars, not a bank - who cares if they're using MD5? 1, 2048, 100000 iterations... no big deal.

I don't use my Ars password anywhere else so I have nothing to worry about. Password changed.

Thanks for sending the email though. I missed this on the home page.
 
Upvote
3 (4 / -1)
Almost better off ditching comments and forums. The hackers are just killing any interaction on the web.
The security has to be so great that it becomes too involved just for a social interaction. I think Ars is about the only site I even comment on anymore. Nice exchanging thoughts, but hackers ruin it for everyone.
 
Upvote
3 (3 / 0)

infusednz

Wise, Aged Ars Veteran
195
epixoip said:
Hi everyone. This is noted password cracking expert and D-list Internet celebrity Jeremi Gosney. You might remember me from here, here, here, here, here, here, or even here or here.

I would like to take a minute to address some of the comments being made about the password hashing algorithm that is used by the forum software Ars is using. Let's have a look at some of those comments.


pk! said:
MD5, really? After having printed several articles on password cracking I'd have hoped you'd at least have leveraged a stronger hashing algorithm.

Abhi Beckert said:
2,048 iterations is not enough to prevent a brute force attack on MD5.

d0x said:
Seriously? Ars themselves have posted many articles about this very method of encrypted password storage to be easily breakable either via brute force or with rainbow tables.

Threz_ said:
On the one hand, Ars calls the use of MD5 hashes for storing passwords as "unfortunate and irresponsible", and on the other (above) uses it as a way to argue that the passwords were well-"encrypted." Which is it?

FF22 said:
No wonder your server was hacked if you really thought running MD5 multiple thousand times over the password would harden the hashes by any means. If anything, it weakened them.

Wow. Powerful stuff there. Too bad these armchair experts are all dead wrong.

First, when we talk about MD5 being a poor and irresponsible choice for password hashing, we're talking about raw MD5. As in a single, unsalted iteration of MD5. As in md5($pass). And as the keen Ars reader will note, the reason this is a bad choice has nothing to do with any cryptographic weakness in the MD5 algorithm itself. It's simply because MD5 is very fast and very amenable to acceleration.

One of the ways we make an algorithm resistant to acceleration is to salt it and iterate it. And no, iterating a hash does not weaken it, that's utter horseshit. Iterating a hash is what almost all password hashing algorithms do, including all crypt(3) algorithms, PBKDF2, and even bcrypt.

Ars uses phpBB, which uses the Openwall PHPass password hashing algorithm, designed by none other than the venerable Solar Designer himself. PHPass uses salted and iterated MD5 to hash passwords. It is similar to md5crypt with some key differences, and even similar to PBKDF2 to some extent. And while it may not be the best choice for password hashing, it is a solid one.

To see just how solid PHPass is, let's look back at another famous breach which used PHPass: Forbes. Back in February, Forbes had 1,071,961 password hashes dumped by SEA. Out of those 1,071,961 password hashes, 1,071,734 were hashed using PHPass.

Now as the keen Ars reader will recall, normally we professional password crackers can get a public dump 85-95% cracked within a rather short period of time. And indeed, the 227 passwords that weren't hashed with PHPass were 100% cracked in just a few short minutes. But after 10 months, we currently only have the Forbes PHPass hashes 16.19% cracked. Yes, you read that correctly. We've only managed to crack 173,548 -- or 16.19% -- of the Forbes passwords, and most of those were Top 20K passwords.

If you want to put this into "OL Hashcat" terms, a single R9 290X can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That's beyond properly slow. Multiply that by 100 GPUs and that's still only 286 H/s. We can't do very much with that, and that's why this list is only 16.19% cracked.

So obviously PHPass is pretty good at what it does, and Ars has done absolutely nothing wrong by using this algorithm. It is perfectly suitable for what this site is. I've said before that password hashing is like an insurance policy, and Ars has bought you ample time to change your passwords.

And that's the way it is.

Very good post.
 
Upvote
-1 (2 / -3)
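As an added illustration (not code from the thread, from phpBB or from Openwall), here is a minimal Python implementation of the PHPass portable hash epixoip describes: an 8-character salt, one MD5 over salt and password, then 2^n chained MD5 rounds, with n stored in the hash itself (n = 11, i.e. 2,048 rounds, for the `$P$9` / `$H$9` settings phpBB writes). The `$P$9IQRa...` known-answer vector for "test12345" is assumed here to be the one shipped with phpass's own test program; everything else is constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Alphabet used by PHPass (and by the crypt(3) hashes it imitates).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# phpass proper emits "$P$"; phpBB's copy of the same algorithm emits "$H$".
IDENTS = ("$P$", "$H$")


def encode64(data: bytes) -> str:
    """PHPass's own little-endian, unpadded base64 (not RFC 4648)."""
    out = []
    i, n = 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= n:
            break
    return "".join(out)


def iterations_from_setting(setting: str) -> int:
    """The cost lives in the hash: character 3 is log2 of the MD5 round count."""
    if setting[:3] not in IDENTS or len(setting) < 12:
        raise ValueError("not a PHPass portable hash")
    count_log2 = ITOA64.index(setting[3])
    # PHPass rejects costs below 2^7 and above 2^30, so a corrupted or
    # attacker-supplied setting cannot quietly degrade the hash to raw MD5.
    if count_log2 < 7 or count_log2 > 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2


def crypt_private(password: bytes, setting: str) -> str:
    """Recompute the hash of `password` under the salt and cost in `setting`."""
    count = iterations_from_setting(setting)
    salt = setting[4:12].encode("ascii")
    # One MD5 over salt||password, then `count` chained MD5s over digest||password.
    digest = hashlib.md5(salt + password).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest)


def hash_password(password: str, count_log2: int = 11,
                  salt: Optional[str] = None, ident: str = "$P$") -> str:
    """Create a new hash. count_log2=11 is the 2,048 rounds phpBB uses."""
    if salt is None:
        # 6 random bytes encode to exactly the 8 salt characters PHPass expects.
        salt = encode64(secrets.token_bytes(6))
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 characters from the PHPass alphabet")
    return crypt_private(password.encode("utf-8"), ident + ITOA64[count_log2] + salt)


def check_password(password: str, stored: str) -> bool:
    """Verify with a constant-time compare; malformed stored hashes fail closed."""
    try:
        computed = crypt_private(password.encode("utf-8"), stored)
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(computed.encode("ascii"), stored.encode("ascii"))


def md5_calls_per_guess(setting: str) -> int:
    """MD5 invocations an attacker must spend per candidate against this hash."""
    return iterations_from_setting(setting) + 1


if __name__ == "__main__":
    # Known-answer vector assumed from phpass's test program ("test12345").
    known = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"
    print(check_password("test12345", known))   # True
    print(iterations_from_setting(known))        # 2048
    print(md5_calls_per_guess(known))            # 2049
    print(hash_password("hunter2"))              # a fresh $P$9... hash
```

Because the salt is part of every guess, a cracker gets no reuse across accounts: the per-guess cost above has to be paid once per salt, which is the "divide by unique salts" step in epixoip's arithmetic.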

somini

Ars Scholae Palatinae
1,101
viatori said:
If they spent $10^17 they could crack my 16 character password
It gets worse. They could demand all the money in the world or they would reveal it, to get some return on their investment.
 
Upvote
1 (2 / -1)

leexgxreal

Ars Scholae Palatinae
1,383
Unless it has changed, Ars has a hidden character limit of 32 when you log in (or was it 30? I had mine set to 30 after I worked it out last time), I'm assuming to protect against code injection via the login box. The funny thing is that it lets you set a 100+ character password when you change it, but you can't use it, as the login box is limited to 32 (this bug of letting you change your password without limiting it to 30-32 characters has still not been fixed; I reported it 1-2 years ago).

One other note, food for thought: unlike 99% of websites on the Internet, Ars does not limit you to typeable characters only (most sites only let you use letters and numbers, no spaces or special characters); you can use the full ANSI set (expanding the pool to 255 characters) to make your password (it saves perfectly fine in Chrome and KeePass).

I probably did not need to change my password, as I'm not sure how long it would take to get something like Ðlï®cÝ?:Ü«ç?w?ô???Þ¼G2Ä_B®&?EH from MD5 at 2k.

Another issue is that it let me change my password without proving I own the account; it should have sent me a one-time reset token to my email address (the site probably does not support a forced password reset).

And for God's sake, do not switch to Lithium forums, as it lacks proper mobile support when posting comments (it uses on-the-fly text-to-HTML in the post message boxes; copying and pasting text is iffy, as you have to press Ctrl+Shift+V to make it paste as plain text).
 
Upvote
-1 (0 / -1)

Deleted member 441963

Guest
leexgxreal said:
I probably did not need to change my password, as I'm not sure how long it would take to get something like Ðlï®cÝ?:Ü«ç?w?ô???Þ¼G2Ä_B®&?EH from MD5 at 2k.
You should have attended basic calculus sober and not as high as Mount Everest. Then you would have known that your password offers little advantage, if any, over 'ohbaithooyohf8ohCo9Oix9Eecei0oocho' or 'effect hung noted represent whiskey'.
 
Upvote
-2 (1 / -3)

akterdekk

Ars Centurion
375
Subscriptor++
infusednz said:
(quoting epixoip's post in full; it appears above)

Very good post.
 
Upvote
0 (1 / -1)

akterdekk

Ars Centurion
375
Subscriptor++
Agreed, but advertisers tend to break over into oscillation if forums are abandoned or significantly diminished. They view interaction as one of those things that draw in readership/repeat visits to a site. This may be correct, or not. It also gets people like me to get off of their dead arses and change passwords.
 
Upvote
-1 (0 / -1)

uhuznaa

Ars Tribunus Angusticlavius
8,585
The possibility of hacked passwords is one thing (and easily prevented by changing your password) but username/email-address combinations have leaked. This is a privacy breach. If you don't use unique addresses for accounts with public user names everywhere this means identifying information about who you are has leaked and is now being sold and shared in the alleys of the Internet.
 
Upvote
0 (1 / -1)

leexgxreal

Ars Scholae Palatinae
1,383
gmerrick said:
cheriff said:
When the article states that payment info was not compromised, does that mean for sure nothing at all?

On the account settings page I see my credit card type and last 4 digits being displayed to me. Not that this is any great secret in and of itself, but I'd still appreciate knowing whether this redacted payment info is in the same database as the possibly compromised one.

At the very least I know which statement to keep a closer eye on, just in case.

Unless I am mistaken, PCI regulations forbid vendors from storing this information in the first place. The only time you should be entering your CC info is when you pay for something online. After the fact, the vendor should not be keeping that information.

I've never known it to work like that in PCI; you still need the full card number and CVV code, or if it's done the cheap way then they might have the full card (I've seen a lot of sites that use SSH for the payment page, but all it is doing is encrypting the details you put in and sending them to the owner of the site so they can manually process the payment; normally it's a PGP program you open the encrypted data with, password plus cert normally, so knowing the password is not enough).

The payment info is stored as a token, so when you pay for a repeat payment they do not know your card details; they just submit token + amount to the payment processor. The money can only be sent to the account the payment info was set up to pay, so you can't redirect it unless you get access to, say, Ars's bank account to steal it (it's not that simple, I'm just simplifying it).
 
Upvote
1 (1 / 0)

leexgxreal

Ars Scholae Palatinae
1,383
burne_ said:
(quoting leexgxreal's post above)
You should have attended basic calculus sober and not as high as Mount Everest. Then you would have known that your password offers little advantage, if any, over 'ohbaithooyohf8ohCo9Oix9Eecei0oocho' or 'effect hung noted represent whiskey'.

But I can use ò=Ïo1Óøªx¬K°âÎZ±³eßà¦?qt)¡¥âlÞ if I want to; like uj7nXedJy0WuVNXdtwuYBEvImATnml, there is no way I would type either of them anyway (or want to).
 
Upvote
-2 (0 / -2)

DarthShiv

Ars Scholae Palatinae
660
Melzeebub92 said:
Abhi Beckert said:
hashed using 2,048 iterations of the MD5 algorithm and salted with a random series of characters
I hope you're going to change that soon? 2,048 iterations is not enough to prevent a brute force attack on MD5.

Please switch to something "memory-hard" like scrypt.
Nothing is enough to stop brute force. The time to crack gets exponentially longer per character, but given time everything will fall to brute force. You can downvote if you like, but that is a fact.
E.g., a hash that can only be cracked in a billion billion years is "enough" for me to not care about brute force. That's also a fact.
 
Upvote
0 (0 / 0)

somini

Ars Scholae Palatinae
1,101
leexgxreal said:
(quoting the exchange with burne_ above)
But I can use ò=Ïo1Óøªx¬K°âÎZ±³eßà¦?qt)¡¥âlÞ if I want to; like uj7nXedJy0WuVNXdtwuYBEvImATnml, there is no way I would type either of them anyway (or want to).
I should make a support group for people who exclusively use the password "ªx¬K°âÎZ±³eßà¦?qt)¡¥"
 
Upvote
0 (1 / -1)

leexgxreal

Ars Scholae Palatinae
1,383
somini said:
(quoting the exchange above)
I should make a support group for people who exclusively use the password "ªx¬K°âÎZ±³eßà¦?qt)¡¥"

Vote up just for that post alone.

It's still a valid password. Most sites do not support more than basic uppercase and lowercase letters and numbers (nothing else, not even spaces; some even limit you to 16 characters or fewer to try to protect themselves from code injection).
 
Upvote
0 (1 / -1)

Dark Steve

Ars Scholae Palatinae
1,028
DarthShiv said:
a hash that can only be cracked in a billion billion years is "enough" for me to not care about brute force. That's also a fact.
It's also a fact that Scientologists sign multi-billion year contracts. They could be up shit creek due to this breach.
:flail:
 
Upvote
0 (2 / -2)

somini

Ars Scholae Palatinae
1,101
leexgxreal said:
(quoting the exchange above)
Vote up just for that post alone.

It's still a valid password. Most sites do not support more than basic uppercase and lowercase letters and numbers (nothing else, not even spaces; some even limit you to 16 characters or fewer to try to protect themselves from code injection).
It should be possible to put it as your mom's maiden name...
 
Upvote
0 (1 / -1)

Paddleless

Smack-Fu Master, in training
52
leexgxreal said:
(quoting the exchange above)
Vote up just for that post alone.

It's still a valid password. Most sites do not support more than basic uppercase and lowercase letters and numbers (nothing else, not even spaces; some even limit you to 16 characters or fewer to try to protect themselves from code injection).

I don't think it's fair to say that most sites limit you to letters and numbers. I normally include non-alphanumeric characters from the set available on a standard US keyboard in my passwords, and I have only two accounts out of about 40 where they are not permitted.
 
Upvote
2 (3 / -1)

unitron

Wise, Aged Ars Veteran
111
adfad666 said:
My password was dMSXQmpTRfsN3h5HHvEY and I only know that because I just looked it up in Chrome's password manager.

Now that I've set a new one I can safely forget it again.


Darn! I was going to use that one!
 
Upvote
0 (1 / -1)

Deleted member 1

Guest
Good lord. This year alone I have had all of my debit cards/credit cards canceled and resent to me by my bank TWICE because of Target and Home Depot, which of course has required that I type new numbers into tons of various websites and payments... online bills, Google Play, Ventra for public transportation, Digital Ocean, AWS, etc., etc.... and this whole password thing. Ars isn't the only one. I use LastPass now, and even that has turned into such a hassle because any app I want to use on my phone or tablet requires at least two steps of authentication IF the LastPass password is actually synced. My Windows 8.1 password to just log into the desktop is now this 11-character random string that I am always like WTF!!!! It's just annoying to use networked devices now.

What can you do? The Internet seemed like a good idea there for about 3 weeks in 1994, and after that it has been a steady stream of disgusting porn, trolls, hacks and a thousand little inconveniences. I am about to go Unabomber on this shit.

I kid. Thanks for letting me know. Luckily, after the whole Ars thread about how the Dread Pirate Roberts had his Silk Road passwords set to his cat's name, I learned that I should always have TWO cats and kill one on a monthly basis. So I am pretty sure I am hack-proof on this one. I just got a new kitten last weekend and his name is id_rsa.pub. Hack THAT! Wait. Crap.
 
Upvote
8 (8 / 0)

Dark Steve

Ars Scholae Palatinae
1,028
Dolores Haze said:
But anyhow, I have changed my password just like you asked me to.
You only registered 15 minutes ago to make this one post. Why on Earth would you change a password that was only added to the system post-breach? Why would you have been asked to change a password that didn't yet exist?
 
Upvote
3 (4 / -1)

DarthShiv

Ars Scholae Palatinae
660
Dark Steve said:
DarthShiv said:
a hash that can only be cracked in a billion billion years is "enough" for me to not care about brute force. That's also a fact.
It's also a fact that Scientologists sign multi-billion year contracts. They could be up shit creek due to this breach.
:flail:
Just pointing out that the fact that anything can be brute forced <> compromised. Brute-forceable doesn't win an argument in encryption. It's a meaningless metric on its own.
 
Upvote
0 (1 / -1)

mnhsty

Seniorius Lurkius
22
"Out of an excess of caution, we strongly encourage all Ars readers—especially any who have reused their Ars passwords on other, more sensitive sites—to change their passwords today."

I suppose it is obvious, but changing your Ars password now after the hack leaves those other sites still vulnerable to whoever got your old Ars password. You should change your password on any site where you used the same password you used on Ars.
 
Upvote
0 (1 / -1)

Dark Steve

Ars Scholae Palatinae
1,028
Dolores Haze said:
Because!
You can't be too careful!
So I registered and then I read this crazy message about hacking!
So what am I like, supposed to do?
I do WHAT THESE GUYS ask! My mother taught me this, before she got killed in a car accident.
What IS YOUR PROBLEM? Can't I be a little more careful?
And like, wtf is a "centurion"? Are you some sort of two-bit Russell Crowe, stuck in a cheesy online version of "Gladdy-Ate-Her"?
Go jump a kangaroo, you insensitive outbacher!
o_O
Welcome to my ignore list.
 
Upvote
1 (2 / -1)

Dark Steve

Ars Scholae Palatinae
1,028
DarthShiv said:
Dark Steve said:
It's also a fact that Scientologists sign multi-billion year contracts. They could be up shit creek due to this breach.
:flail:
Just pointing out that the fact that anything can be brute forced <> compromised. Brute-forceable doesn't win an argument in encryption. It's a meaningless metric on its own.
I completely agree, and I wasn't having a go at you. I was simply taking advantage of the opportunity to mock the deeply held belief-systems of the lunatic fringe ;)
 
Upvote
0 (2 / -2)

CraigJ ✅

Ars Legatus Legionis
27,010
Subscriptor
Jensen G said:
Why would you only "encourage" readers to change their passwords, instead of forcing a password reset on all accounts to ensure that accounts do not get compromised?
Because that's overkill. A lot of us have strong passwords that we only use on Ars. Assuming they crack it, what's the worst that could happen? They gonna log in and comment for me? Besides, super strong passwords, randomly salted, with 2,048 iterations, are gonna take a while to crack. Meh. Not concerned.
 
Upvote
0 (1 / -1)

WpgGuy

Wise, Aged Ars Veteran
156
"It is a bit shocking how many commenters went from "I have seen md5 mentioned in prior articles a few times" to "I am an expert on cryptography and clearly Ars, phpBB, et al. don't know what they're doing and don't take security seriously.""

Don't go blaming readers for the incorrect knowledge transmitted by your articles.

You're not a mass media publication, you've got a technical audience.

You should be transmitting technically correct information in your articles.
 
Upvote
-8 (2 / -10)

WpgGuy

Wise, Aged Ars Veteran
156
On armchair criticism, you guys are over-sensitive, and it comes across as hypocrisy.

Seeing a journalist, reporter or columnist complain about armchair critics is a bit like seeing police complain about armchair critics.

These two groups of people earn their livings largely by second-guessing and armchair-critiquing what other people are doing, in both cases often done under pressure.

Articles on politics, hardware, software, pretty much anything written by someone who isn't actually in the field doing it under commercial and organizational pressure themselves: it's all armchair criticism when it's done by journalists, reporters or columnists.

And that's another thing: it is one thing to be able to create something in a slow-paced, simple academic setting, but in a commercial or government environment one has all these other factors that even individual researchers working in the field, but on their own, have no first-hand expertise on.

If you can't handle armchair critics yourself, you shouldn't be working for an outfit that earns most of its living by armchair-critiquing others.

But we all do armchair criticism. You do. We do.

Changing occupations from journalism to something else would merely mean doing less of it. You'd be an occasional amateur armchair critic rather than a full-time professional armchair critic.

So lighten up.
 
Upvote
-7 (2 / -9)

dimhue

Ars Scholae Palatinae
1,155
Subscriptor++
WpgGuy said:
"It is a bit shocking how many commenters went from "I have seen md5 mentioned in prior articles a few times" to "I am an expert on cryptography and clearly Ars, phpBB, et al. don't know what they're doing and don't take security seriously.""

Don't go blaming readers for the incorrect knowledge transmitted by your articles.

You're not a mass media publication, you've got a technical audience.

You should be transmitting technically correct information in your articles.

What "incorrect knowledge" was in the relevant Ars articles? Please be specific.
 
Upvote
4 (5 / -1)