YOUR IT - Technology for you


Is Spotify being crucified on a cross of media misunderstanding?


Let's look at the how first. It would appear that due to some sloppy coding, there was a bug in the Spotify system which meant that it had been possible to access the password hashes of individual users.

The vulnerability was both discovered and fixed on December 19th 2008. However, until that date it was possible to reverse engineer Spotify's encrypted streaming protocol and potentially brute force the weak passwords of known users.

The same vulnerability also potentially exposed, along with the password hashes, full registration information including email address, date of birth, gender, postal code and billing receipt details.

Because credit card payments were not stored, with payments handled by a secure third-party payments provider, these were never at risk of exposure. There are several important details here that reduce the impact of this breach.

First, it only affects those users with an account created on or before December 19th 2008. Second, only those with weak passwords which were also used for other online sites and services are at any real risk.

Spotify have made it quite clear that it was not the passwords but the password hashes that may have been exposed. These hashes were salted, so the hackers would not be able to attack them using rainbow tables.

However, individual weak passwords could still be vulnerable to brute force and dictionary attacks, though, because each hash carries its own salt, not all of them at once. The chances of a hacker having got hold of your individual password hash in time, and then devoted more time to cracking it just to access a free service, are, well, pretty minimal.
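The point about salted hashes and rainbow tables is worth seeing concretely. The following is an added illustration, not Spotify's code, using constructed accounts and a constructed four-word dictionary: with unsalted hashes a single precomputed table tests every stored hash at once and even reveals which users share a password; with a per-user salt and a slow KDF, that table matches nothing and each hash has to be attacked on its own.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data); two share a weak password that
# appears in a tiny constructed wordlist, the scenario the article describes.
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery"}
WORDLIST = ["password", "123456", "letmein", "qwerty"]
ITERATIONS = 50_000  # PBKDF2 work factor; slows every guess, real systems tune higher


def store_unsalted(accounts):
    """Legacy scheme: one fast, unsalted hash per password."""
    return {user: hashlib.sha1(pw.encode()).digest() for user, pw in accounts.items()}


def store_salted(accounts):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    records = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        records[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS))
    return records


def verify_salted(record, candidate):
    """Server-side check: recompute with the stored salt, compare in constant time."""
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(guess, digest)


def _digest(value):
    return value if isinstance(value, bytes) else value[1]


def identical_records(store):
    """Can someone holding the store see that two users chose the same password?"""
    digests = [_digest(v) for v in store.values()]
    return len(digests) != len(set(digests))


def precomputed_table_hits(store):
    """One table of hashed wordlist entries (a rainbow-table stand-in) checked
    against every stored hash at once: the 'parallel' attack salting prevents.
    The table is built without knowing any salt, so salted records cannot match."""
    table = {hashlib.sha1(word.encode()).digest() for word in WORDLIST}
    return sum(1 for v in store.values() if _digest(v) in table)
```

Running `precomputed_table_hits` over `store_unsalted(ACCOUNTS)` recovers both shared-password users from four hash computations, while over `store_salted(ACCOUNTS)` it recovers none.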

So, sure, let's give Spotify a spanking for allowing this to happen but let's not crucify them on a cross of media misunderstanding. Now if you want to get the crown of thorns out for the potential misuse of that other personal information mentioned, that's a different story altogether.
