Well that didn’t take long.

2012 got interesting pretty quickly.

Zappos’ database was breached, leading to the exposure of 24 million customer records.

The database contained usernames, email addresses and “cryptographically scrambled” passwords. The worst case is that the passwords were simply hashed (instead of hashed and salted).

Someone with access to those database values can run a common password list through the different hash algorithms and probably crack a large percentage of those 24 million records in minutes.

They then have an email address and password, and the first thing they do?

Try to log into that email account with that password.

This is why password reuse is so dangerous, especially when combined with weak passwords.
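To make the hashing point concrete, here is an added example (not from the original post or from Zappos) that audits a constructed set of user records against a constructed common-password list under both storage schemes. With bare hashes a single lookup table covers every record; with per-user salts and an iterated KDF there is no shared table, so each record costs its own full pass, although weak passwords still fall eventually. Names, data and the iteration count are all assumptions for the demo.

```python
import hashlib
import secrets

# Constructed sample data, not from the Zappos breach: a short common-password
# list and a few user records whose passwords appear in it.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "iloveyou"]
USERS = {"alice": "letmein", "bob": "123456", "carol": "qwerty"}
ITERATIONS = 50_000  # PBKDF2 work factor; kept low so the demo runs quickly


def hash_unsalted(password: str) -> str:
    """Weak storage: a bare SHA-1. Every user with the same password gets the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Stronger storage: per-user random salt fed into an iterated KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def store_salted(users: dict[str, str]) -> dict[str, tuple[bytes, str]]:
    """Build salted records: a fresh 16-byte salt per user, stored next to the digest."""
    records = {}
    for user, password in users.items():
        salt = secrets.token_bytes(16)
        records[user] = (salt, hash_salted(password, salt))
    return records


def audit_unsalted(stored: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Audit the unsalted scheme: hash the wordlist once and look every record up in
    that table. Work is len(wordlist) hashes no matter how many records there are."""
    table = {hash_unsalted(w): w for w in wordlist}
    matches = {user: table[h] for user, h in stored.items() if h in table}
    return matches, len(table)


def audit_salted(stored: dict[str, tuple[bytes, str]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Audit the salted scheme: no shared table exists, so each record needs its own
    len(wordlist) KDF runs, each ITERATIONS times slower than a bare hash."""
    matches, kdf_calls = {}, 0
    for user, (salt, digest) in stored.items():
        for candidate in wordlist:
            kdf_calls += 1
            if hash_salted(candidate, salt) == digest:
                matches[user] = candidate
                break
    return matches, kdf_calls
```

Run the two audits on the same users to see the work counts diverge: the unsalted table is built once for the whole database, while the salted audit scales with the number of records times the wordlist, times the KDF iteration count.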

Then we had the SOPA/PIPA blackout, which thankfully stalled any congressional action on these poorly thought-out bills.

As written, that legislation would have undermined the rollout of DNSSEC. DNSSEC, the secure implementation of DNS, adds signature verification to the normal DNS function of mapping a human-readable name to an IP address. Once DNSSEC is widely adopted, it will substantially curtail DNS hijacking attacks, in which an attacker intercepts a user's DNS request for, say, http://www.mybank.com and returns the IP address of a fake server the attacker has set up to harvest credentials, install malware, etc.

Immediately following the SOPA blackout, the FBI took down the file-sharing site Megaupload.com. I happen to believe this is merely coincidental, unlike some conspiracy-minded folks on the Internet.

Naturally, this provoked a DDoS from Anonymous, briefly taking down the websites of the DOJ and Universal Music Group and accomplishing nothing.