Don’t look now, but Microsoft is surprising in the cloud

No doubt Microsoft will cling to on-premises until the bitter end, but it’s become a very successful cloud provider.

Conventional wisdom says that a revolutionary company in one segment usually can’t make the leap to the next, especially if the next revolution comes at the expense of the technology built by that initial company. Ergo, companies built on selling on-premises software should be abject failures at moving to the cloud, right?

Well, Microsoft isn’t failing at the cloud. It’s getting it better than anyone could possibly have expected, and while everyone beats up Windows 8 and defines the company by that hairball, what’s going on in other parts of the company is nothing short of remarkable.

First, there’s Azure. A whole lot of commotion was made over Microsoft’s claim that it had reached $1 billion in revenue from Azure because it happened so quickly in comparison to others. It’s still running a distant second to Amazon Web Services, and there’s a hot competitor not many are watching called SoftLayer, but to be sure, Azure is doing great business for Microsoft. It has 20% market share and could reach 35% by next year, according to Forrester Research.

Then there’s Skype. A whole lot of people scoffed at the crazy sum Microsoft paid in 2011 – $8.5 billion. But it’s starting to pay off in market share. A third of the world’s voice calls are done through Skype, according to telecom market analysis firm TeleGeography.

Microsoft has integrated Skype with the new Outlook.com platform, along with Google Chat and Facebook chat, and Microsoft is claiming 400 million users of that platform. It’s even running TV ads touting the service. In February, Microsoft announced that Skype and Lync sales had reached $2 billion in annual revenue and continue to grow.

Then there’s Office 365, which has already passed the $1 billion annual revenue mark just months after its launch. A rather burdensome end-user license agreement for Office 2013 probably helped, but you can’t deny the service has racked up good reviews.

These growing businesses join the Dynamics ERP and CRM systems and the SharePoint product line to reflect a company that really does seem to get the cloud and is doing a really good job of integrating its many assets and providing a one-stop shop for productivity applications on demand.

All of these groups in total account for about $7 to $8 billion in revenues for Microsoft, about 10 percent of total sales. That’s going to continue to tilt as more people go on-demand and fewer go on-premises. It won’t be without challenges, especially in the IaaS market for Azure. Google is just now wading into the pool with its Compute Engine offering. And if Dynamics wants a piece of the ERP and CRM business, it will have to rumble with Salesforce, and we all know how much Marc Benioff loves a good fight.

Still, with double-digit growth projections for these markets, Microsoft can ride them to considerable revenue and market share and be the cloud success story no one thought it would be, and without Ray Ozzie, either.

Maybe the Azure team should run Windows.

 


MCTS Training, MCITP Training

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

 

 

Google’s latest Penguin update lets you squeal on spammy websites — as well as anyone else

Penguin 2.0 makes large-scale algorithm changes, affecting 2.3% of U.S.-English results

The latest version of Google’s sophisticated anti-spam algorithm, dubbed Penguin 2.0, was announced yesterday in an official blog post from the company’s well-known webspam czar, Matt Cutts.

The 2.0 label was applied, according to Cutts, because the update is a major one — it includes changes to the underlying algorithms used to evaluate whether a website is spammy or not, not just the dataset Google uses. About 2.3% of queries in U.S. English will be visibly affected by the changes.

Cutts also posted a link to a webspam report page, where anyone can flag sites they consider spam for the attention of Google’s engineers. The form doesn’t ask for any identification from the reporting party, requiring only a copied and pasted URL.

While this appears to present a golden opportunity for abuse — as several Twitter responses to the announcement noted — Cutts noted on Twitter that Google has always had an extensive array of options in place to report spammy sites, and that “we’ll listen to feedback and look for ways to improve results.”

Search Engine Land Editor Barry Schwartz wrote that this is actually the fourth major generation of Google’s current anti-spam algorithm. However, its effects have been wider-ranging than all but the initial release of Penguin, which reached 3.1% of queries.

Cutts didn’t discuss the algorithm changes in detail, so as not to provide too much information to black hat search engine optimization practitioners, but laid out some broad goals that Google is working toward in a video released earlier this month.



Windows 8 Update: Microsoft sacks iPad in Windows 8 ad, joins forces with NFL

About those lofty Windows Store app numbers…

A new ad from Microsoft mocks iPads by comparing them – unfavorably – to tablets running Windows 8, which receive live updates on their Start screens, display two apps at a time and run Microsoft Office applications – things iPads don’t do.

The ad has the hapless iPad acknowledging a string of things it can’t do until it finally asks (in the voice of iPad’s Siri interface) “Should we just play ‘Chopsticks’?”


The ad hearkens back to an earlier iPad Mini ad in which a “Chopsticks” duet is played on an iPad and an iPad Mini.

The ad wraps up with a display of the price of an iPad ($699) and the price of a 64GB Asus Vivo Tab Smart ($449), the message being that for $250 less, you can get a machine that does more.

It’s interesting that the ad doesn’t use the comparable $899 Surface Pro tablet made by Microsoft as a reference.

Low usage of Windows Store apps

Microsoft says it has more than 65,000 apps in its Windows Store inventory that are designed specifically for use on Windows 8 machines. The catch is that they don’t get used that often, according to a report by Soluto, a Web-based PC-management service provider.

Based on data gathered from 10,848 Windows 8 devices, Soluto found that users were more likely to fire up Windows Store apps if they were working on a tablet or touchscreen laptop than if they were working on a desktop or non-touch laptop (see graphic).
[Graphic: How many times a day will a Windows 8 user launch a Metro app?]

Soluto hasn’t crunched the data yet on how often traditional desktop apps (as opposed to Windows Store, or Metro, apps) are launched, but suspects the figure is significantly higher, says Roee Adler, chief product officer for Soluto.

What were those apps? The most used was Yahoo! Mail, which was launched on average 26.91 times per week, followed by Social Jogger (25.98), Social Networks (21.19) and Lync MX (9.98).

Most users of desktops, laptops and touchscreen laptops didn’t average launching a Windows Store app even once per day, and 44.38% of tablet users fell into the same category.

What does Soluto make of this? “There’s a consensus in the market that Windows 7 was a good, solid operating system, and it’s unclear why the change to Windows 8 was needed for those who are happy with Windows 7,” the report says. “If you’re pragmatic about using the Windows operating system with a keyboard and mouse – there’s no rush. Wait and see what ‘Windows Blue’ has in store for us before you upgrade.”

Look for Surface tablets on NFL sidelines

Rather than stalking up and down the sidelines referring to laminated play charts, NFL coaches may soon use Microsoft Surface tablets.
Microsoft has signed a five-year contract to pay the NFL $400 million to improve interactive features between football viewing and its new Xbox device. After that, the deal is expected to place Surface tablets in the hands of coaches, according to a story by the Associated Press.

For Microsoft this will primarily serve as a TV showcase for its technology and as a kind of advertising for the devices. Microsoft has already engaged in Surface product placement, most notably in an episode of the ABC sitcom “Suburgatory” in which the device was actually written into the script as a love interest for the main character.

Microsoft will also place its branding on referees’ instant-replay devices and other areas along the sidelines, the AP says.



Google, Microsoft and Yahoo are secret backers behind European Privacy Association

The privacy organization has hidden its ties to corporate backers

After being accused of a lack of transparency by an independent watchdog, the European Privacy Association (EPA) has confirmed that Google, Microsoft and Yahoo are backers.

The Corporate Europe Observatory (CEO), which works to expose privileged access in E.U. policy making, said in a complaint Thursday that the European Privacy Association is working to represent industry interests in the debate on data protection in Europe, even though it has not listed any corporate backers on the E.U.’s “Transparency Register.”

The register, which is operated by the European Parliament and European Commission, requires all signatories to disclose their interests, objectives or aims and, where applicable, the clients they represent.

The EPA is listed in the category of think tanks, research and academic institutions and claims to have only 10 private (non-corporate) members. However, EPA managing director Pietro Paganini confirmed to the IDG News Service that Google, Yahoo and Microsoft are members.

CEO campaign coordinator Olivier Hoedeman was not surprised. “A look at EPA’s activities with regard to the ongoing debate on the overhaul of the European Data Protection rules shows that it favors a lighter regulatory touch and until recently the EPA advertised business membership at a cost of €10,000 per year on its website,” Hoedeman said.

He said that the name of the organization, with its pro-privacy connotations, conflicted with its very pro-industry stance, creating “a confusion, a mismatch.” CEO has described the EPA as an “astroturf organization,” or front group, defending the interests of large IT corporations.

Paganini disputed these allegations, saying that although the EPA listens to its members’ ideas and concerns, the reports it produces are independent. He claimed the failure to list the companies on the Transparency Register was an oversight.

Joe McNamee of EDRi (the European digital rights organization) said he had brought the issue to EPA’s attention four months ago, in January of this year, but that nothing had been done. Paganini said that EPA did not know it was supposed to list corporate members on the Transparency Register and was unfamiliar with the procedure in Brussels. However, EPA chairwoman Karin Riis Jorgensen is a former elected member of the European Parliament.

CEO says there is also evidence that the EPA has close relationships with two lobbyist consultancy firms, Competere Geopolitical Management and DCI Group, and is working to promote industry-friendly legislation in the new Data Protection Regulation that digital rights organizations say will undermine fundamental civil liberties online.

The CEO has laid out its allegations in a complaint to the secretariat overseeing the Transparency Register. The secretariat says it will examine the evidence put forward by CEO and by June 7 will announce a decision on whether to impose sanctions or require the organization to update its entry.

Google had no comment on the issue. Microsoft did not have an immediate comment and Yahoo officials were not available for comment.


Report: Yahoo board approves deal to buy Tumblr for $1.1B

Rumors that Yahoo might be in talks to acquire the blogging site emerged last week

Yahoo’s board of directors has approved spending $1.1 billion in cash to buy popular blogging site Tumblr, according to The Wall Street Journal.

The plan is for Tumblr to operate as an independent business, the Journal reported on Sunday, quoting anonymous sources.

Asked via email about the Journal’s report, a Yahoo spokeswoman declined to comment. Tumblr didn’t immediately respond to a request for comment.

Tumblr has a solid base of devoted users who are passionate about its creative and community-building power, and their fear of the effects of commercialization under Yahoo is palpable, according to Andrew Frank, a Gartner analyst.

“They fear loss of control over the interface, over privacy, and over the freedom of expression in general,” Frank said via email.

Thus, for the acquisition to be successful, Yahoo must strike a balance between keeping Tumblr users engaged and delivering a positive return to Yahoo shareholders through advertising. “It will be a daunting challenge which will shed light on the future of both Yahoo and creative social self-expression,” Frank said.

Rumors that Yahoo might be in discussions to buy Tumblr emerged last week, and on Friday Yahoo called for a mystery press event to be held in New York City on Monday afternoon. Tumblr’s headquarters are in Manhattan.

“Join us as we share something special,” reads the invite, sent to members of the press.

The Journal’s All Things D technology news site had reported earlier Friday, citing anonymous sources, that Yahoo might be interested in partnering with, investing in or outright buying Tumblr.

Adweek, in another report also citing unnamed sources, put the value of the deal at $1 billion.

Yahoo CEO Marissa Mayer is expected to be at the New York City event, according to CNBC.

The blogging and social networking site, founded in 2007, has 175 employees and hosts more than 100 million blogs.

Mayer is interested in Tumblr because she believes it can help boost Yahoo’s advertising revenue and give Yahoo a bigger presence in the consumer social media market, according to the Journal.


Windows 8 isn’t New Coke, says top Microsoft exec; it’s Diet Coke

Frank X. Shaw defends Windows disclosure strategy, denies aping Apple

Microsoft’s head of corporate communications defended his company’s Windows information disclosure strategy Tuesday, denying that Microsoft has adopted Apple’s “cone of silence” approach to imparting news.

“We know we’re not Apple,” Frank X. Shaw, Microsoft’s top communications executive, said in an interview yesterday. “We would love to have control all along the stack, as Apple does. But that’s not the business we’re in.”
[Photo: Frank X. Shaw, Microsoft’s Corporate Vice President, Corporate Communications, in a photo he uses on his Twitter account. Image: Frank X. Shaw.]

Microsoft’s communications strategy, specifically the way it reveals information about Windows to a broad audience — developers, PC makers, enterprise customers, consumers, the press and analysts — has been criticized by several of the latter. Windows 8 suffered because of Microsoft’s penchant for withholding information, those analysts have contended.

Developers were not provided enough information and tools to craft top-quality apps for the October 2012 launch, OEMs were caught short of touch-enabled devices, and enterprises remain confused about why they should adopt the new OS, the arguments go.

Patrick Moorhead, principal analyst with Moor Insights & Strategy, has put it most succinctly when he claimed that Microsoft, seeing the success of Apple’s habit of divulging nothing until a product announcement, copied the strategy. “Microsoft doesn’t make a good Apple,” Moorhead said in an interview Monday.

Shaw wasn’t having any of that. “It’s an easy shorthand for people to use, but it’s not accurate,” said Shaw of the Apple comparison. “We choose our strategy on the needs that we have. There are times when we will be more conservative and times when we will be more open.”

Analysts, some of whom have requested anonymity for fear of risking their access to Microsoft, have been the most vocal about the relative paucity of information disclosed by the Redmond, Wash. developer, and have compared that strategy to what they saw as a more open communications game plan prior to Windows 7, which shipped in the fall of 2009.

The more secretive approach has been credited to Stephen Sinofsky, who until his ouster last year led the Windows division during development of Windows 7 and the follow-on, Windows 8. Sinofsky was known for keeping things under wraps when he led Office development for several editions, closing out his time on that team with Office 2007.

Shaw acknowledged that Microsoft’s approach to doling out information to the media, analysts, developers and OEMs is different today. “Yes, it has changed, because the world we’re living in has changed,” said Shaw. “If you look at Windows 7 and then look at Windows 8, there were a whole bunch of things with Windows 8 that we wanted to keep more confidential than public. Look at the decision to build Windows 8 on ARM. That was held very closely.

“But I think that’s a hard comparison to make,” Shaw continued, speaking of the contrast between Windows 8 secrets and pre-Windows 7 openness. “Windows 8 represented a significant platform shift, with touch, Windows available on ARM as well as Intel, a new app model and a new store, and a new set of hardware from us.”

In many cases, Microsoft has taken to parceling out information in small bits, a drip-drip-drip strategy that, to outsiders at least, seems to serve little purpose. The best illustration was when the company announced last week that it would release a public preview of Windows 8.1 at its BUILD conference in late June, but said it would provide other information, including pricing, “in a few weeks.” Just seven days later, however, Tami Reller, CFO of the Windows division, said that update would be free.

When asked why Microsoft didn’t simply give customers both pieces at the same time, Shaw did not directly answer. Instead, he said, “There are many options, and this was the one that we chose. We thought that it was the best way to get the information out.”

Microsoft has made other communication missteps recently. Earlier this year, when news broke that it was permanently tying each retail Office 2013 license to the first PC it was installed on, and would not allow users to later move that license to another machine, the company limited the disclosure to the end-user licensing agreement (EULA), which very few people read, then only confirmed the move after several rounds of questions from Computerworld. In March, after a heated reaction from users, Microsoft backtracked from the licensing lock-in.

“There’s a big continuum,” Shaw said. “At times we are unbelievably transparent, at times we are moderately transparent, and at times we are quiet. What drives this is not a corporate one-size-fits-all strategy, but the demands of the product or service, and the marketplace.”

Shaw also took exception to the point many have made that developers were not kept as informed about Windows 8 as in past iterations of the OS, and that what they did get came much later in the development cycle than in the past. That, the theory goes, contributed to the Windows Store’s thin app tally and the continued absence of some major apps, such as one dedicated to Facebook.

“We did tons of work with developers and ISVs to get them ready and to train them,” said Shaw, citing the 2011 BUILD conference and follow-on efforts. “The thing that people have to recognize is that until Windows 8 shipped, there were zero targeted devices.”

And sans those devices, implied Shaw, it was no surprise that at launch the app store had relatively few apps. “Developers are rational creatures,” he said, hinting that until they had hardware they could use to test their apps, they took a wait-and-see stance. “We had realistic expectations of what [the app store] would look like at launch. There was never a ‘work-done’ moment for us related to the launch.”

In the interview, Shaw again blasted press coverage of Windows 8.1. Some stories and opinion pieces described the changes Microsoft might make with the update as a retreat from its previous vision for the OS, and compared Windows 8 to the Coca-Cola debacle of 1985, when within months of the introduction of “New Coke,” the beverage giant yanked the reformulated soda.

Shaw’s counter-attack drew criticism of its own, with Moorhead saying it was a sign of weakness for a company as large as Microsoft to be thin-skinned.

Shaw disagreed. “These things stick,” he said of pieces by The Financial Times and The Economist, which he had earlier singled out as examples of what he called “sensationalism and hyperbole.”

“If you don’t do anything about it, it can become perceived wisdom,” said Shaw, explaining why he wrote the Friday post. “If we don’t say anything, then we shouldn’t expect other people to read our minds. So we get our voice out there.”

Speaking of New Coke, Shaw even had a take on the metaphor.

“If anything, Windows 8 is like Diet Coke,” said Shaw. “Diet Coke was a product that mapped an entirely new need expressed by the marketplace, something that tasted just like Coke but had zero calories.”

Diet Coke is the world’s second-biggest soda, behind only Coke itself and ahead of Pepsi, which it passed in 2010.



Microsoft commits to secure coding standard

Company proclaims it’s compliant with ISO 27034-1

Microsoft says its coding practices and its corporate management structure both comply with an international application security standard to encourage secure software development.

Today at its Security Development Conference the company issued a declaration of conformity with ISO 27034-1, an international standard that addresses secure coding practices as well as the organizational framework in which code is developed.

Microsoft says its security development lifecycle meets or exceeds requirements of ISO 27034-1, meaning that other organizations that follow SDL are that much closer to ISO 27034-1 compliance. An addendum to the standard cites SDL as a template that can help organizations comply, Microsoft says.

The declaration comes from Microsoft and is not the same as if a separate certification body had reviewed Microsoft practices and declared them compliant.

Software developed in compliance with the standard comes with some assurance that it is less likely to be vulnerable to exploits. In addition, organizations that develop in-house applications in accordance with the standard have some assurance that the investment they make in compliance will put them on a track to what is widely regarded as a proven route to more secure code.

Coding practices could use greater attention to security, according to a survey commissioned by Microsoft last fall. Of 2,726 respondents made up of IT pros and application developers, only 37% say their organizations build their products with security in mind. Of the 492 developers in the poll, 61% say they don’t take advantage of risk mitigation technologies that already exist, such as address space layout randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP) and data execution prevention (DEP).

The survey indicates that reasons for failing to use these techniques include convincing management that the cost of employing them is worthwhile.
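Two of the mitigations named in that survey, ASLR and DEP, are opt-in per image on Windows: a build has to set the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_DLLCHARACTERISTICS_NX_COMPAT bits in the PE optional header (the MSVC linker does this with /DYNAMICBASE and /NXCOMPAT). The check below is an added example, not code from the article, from Microsoft’s SDL or from the survey; it reads those bits straight from the header so a team can verify what it actually shipped. SEHOP is enforced by the OS per process and has no image flag, so it is not read here. The `build_test_image` helper constructs a synthetic header purely to exercise the parser and is not a loadable executable.

```python
"""Added example: read ASLR/DEP opt-in flags from a PE image header."""
import struct

# Flag values from the PE/COFF specification (DllCharacteristics field).
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100        # image is compatible with DEP
HIGH_ENTROPY_VA = 0x0020  # 64-bit images: high-entropy ASLR addresses
NO_SEH = 0x0400           # image declares it uses no SEH handlers

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(image: bytes) -> tuple:
    """Return (optional-header magic, DllCharacteristics); ValueError if malformed."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                          # optional header follows COFF header
    if size_opt < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return magic, chars


def mitigations(image: bytes) -> dict:
    """Summarize which header-level mitigations the image opted into."""
    magic, chars = dll_characteristics(image)
    return {
        "aslr": bool(chars & DYNAMIC_BASE),
        "dep": bool(chars & NX_COMPAT),
        "high_entropy_va": magic == PE32PLUS_MAGIC and bool(chars & HIGH_ENTROPY_VA),
        "no_seh": bool(chars & NO_SEH),
    }


def build_test_image(chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not runnable) for exercising the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    size_opt = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_test_image(DYNAMIC_BASE | NX_COMPAT)
    print(mitigations(data))
```

Run it against a real binary with `python pe_mitigations.py app.exe`; a result with `aslr` or `dep` set to False means the build did not opt in, whatever the developers believe. For 64-bit images, `high_entropy_va` False with `aslr` True means the linker was given /DYNAMICBASE but not /HIGHENTROPYVA.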



Microsoft Patch Tuesday targets multitude of Internet Explorer faults

Untreated, Internet Explorer vulnerabilities could lead to remote code execution exploits

Microsoft is issuing critical security bulletins this Patch Tuesday that affect all versions of Internet Explorer and deal with a vulnerability that attackers are actively exploiting.

Internet Explorer 6, 7, 8, 9 and 10 are the recipients of a patch that can prevent an exploit that enables remote code execution in the browser. This affects all Windows operating systems except XP.

“We always recommend upgrading to the latest version of any software,” says Paul Henry, security and forensic analyst with Lumension, “as that’s typically the most secure. If your system is compatible with IE 10 and you’re not running it already, upgrade now.”

The vulnerabilities being addressed may include one found in IE8 running on Windows XP machines that was dealt with yesterday by a hot-fix patch issued separately to deal with a zero-day attack that was actually being exploited in the wild against U.S. government agencies, Henry says. The same vulnerabilities are rated only moderate for machines running server rather than desktop operating systems.

“The patch will include fixes for other, less critical remote code execution vulnerabilities affecting Office and Lync,” says Lamar Bailey, director of security research and development for Tripwire. “These important vulnerabilities run the gamut, impacting DoS, spoofing, elevation of privilege and information disclosure.”

A second bulletin deals with another IE vulnerability believed to be one disclosed in March at the annual Pwn2Own hacking competition. It raised some eyebrows when the problem was not dealt with on Patch Tuesday last month. “Usually Microsoft releases Pwn2Own bug fixes in April, but this year other bug fixes must have been higher priority,” says Andrew Storms, director of security operations for Tripwire.

The rest of this month’s 10 bulletins are ranked important, a step down from critical, and like the two critical ones, three others address problems that can lead to remote code execution exploits. They affect mainly Office. “The most widely installed is probably Bulletin 7, which is for Word 2003 and Word Viewer,” says Wolfgang Kandek, CTO of Qualys. “Bulletin 6 covers the Microsoft Publisher included in Office 2003, 2007 and 2010, and Bulletin 5 is for Microsoft’s instant messaging modules – Communicator 2007 and Lync 2010.”



Windows 8 Update: Gates: Windows 8 is about the iPad

Also, a Windows 8 tablet for less than $400 is a natural for BYOD

Windows 8 is Microsoft’s best effort to catch up with Apple and grab tablet sales away from the iPad by including things iPads just don’t have, according to Microsoft co-founder Bill Gates.

These things include keyboards and Microsoft Office, Gates says in an interview with CNBC. “With Windows 8 Microsoft is trying to gain share in what has been dominated by the iPad-type device,” Gates says.

He says Windows 8 was designed to wrap PCs into a tablet form, as exemplified by Microsoft’s own Windows 8 hardware Surface PRO and Surface RT.

“So if you have Surface, Surface PRO you’ve got that portability of the tablet but richness — in terms of the keyboard, Microsoft Office — of a PC,” he says. “So as you say PCs are a big market. It’s going to be harder and harder to distinguish products whether they’re tablets or PCs.”

Microsoft sees customers who are dissatisfied with the limitations of pure tablets with touchscreens and no support for Office. “A lot of those users are frustrated,” Gates says. “They can’t type, they can’t create documents, they don’t have Office there so we’re providing something with the benefits they’ve seen that have made [tablets] a big category but without giving up what they expect in a PC.”
Small, cheap Acer tablet

A product listing for a rumored Acer mini tablet popped up briefly on Amazon.com last week for the surprisingly low price of $379.99 before the item was taken down.

But the specifications listed for the device indicate that it can support a full-blown PC version of Windows 8 on an 8.1-inch tablet.

The low price makes such devices attractive to consumers and increases the possibility that Windows 8 devices will become a factor in BYOD programs. At the same time these small tablets become more attractive to businesses because they can run all legacy applications that run on Windows 7, including the full version of Microsoft Office.

A separate version of Windows 8 — Windows RT — is designed for tablets that are based on ARM processors, but they only run Windows Store applications and a truncated version of Office. Windows RT devices also can’t join domains.

The Acer product in question is the W3-810-1600, pictured below in a photo that was posted two weeks ago by the French website minimachines.net but taken down at Acer’s request.

The screen resolution of 1280×800 pixels is the low end of the minimum requirements for Windows 8 devices set by Microsoft, according to specifications posted by The Verge.

While it’s OK to build devices to that spec, it’s not without ramifications. Such devices can’t support Snap, a feature that displays two applications at once – one small and one large – and lets the user reverse which one is bigger with a simple touchscreen swipe.



Why you should take hacked sites’ password assurances with a grain of salt

Beware of e-mails that play down the ease of cracking your leaked passcode.

Reputation.com, a service that helps people and companies manage negative search results, has suffered a security breach that has exposed user names, e-mail and physical addresses, and in some cases, password data.

In an e-mail sent to users on Tuesday, officials with the Redwood City, California-based company said the passwords were “highly encrypted (‘salted’ and ‘hashed’),” a highly vague description that can mean different things to different people. “Although it was highly unlikely that these passwords could ever be decrypted, we immediately changed the password of every user to prevent any possible unauthorized account access,” the e-mail added unconvincingly.

It’s unfortunate that companies make such assurances, because they may give users a false sense of security. As Ars has been reporting for nine months, gains in cracking techniques mean the average password has never been weaker, allowing attackers to decipher even long passwords with numbers, letters, and symbols in them. Even Ars’ own Nate Anderson – a self-described newbie to password cracking – was able to crack more than 45 percent of a 17,000-hash list using software and dictionaries he downloaded online.

Jeremi Gosney, a password cracking expert with Stricture Consulting Group recently explained in an Ars forum post that it’s highly unusual for a leaked password list to go uncracked, as suggested by the Reputation.com e-mail.

“It definitely depends on the specific leak we’re talking about, but generally speaking, your average security expert/penetration tester/casual password cracker is probably only going to be able to recover at most 50-60% of passwords in any given leak,” he wrote. “Seasoned password crackers will likely recover 70-75%; and truly exceptional password crackers will recover 80% or more.”

Adding cryptographic salt to passwords is crucial to the safe storage of passwords because it forces password cracking programs to guess the plaintext for each individual hash, rather than guessing passwords for thousands or millions of hashes all at once. (Yes, it also thwarts rainbow-table attacks, but no one uses this method anymore.) But it’s easy to overstate the benefits of salting. It in no way slows down the cracking of a single hash, so if an attacker locates the hash belonging to a particular high-value Reputation.com user, the measure does nothing to thwart the cracking of that hash. The security value of salting alone only slows down cracking of large lists by a multiple of the number of unique salts, so that value decreases with each hash that is decoded.

A far more meaningful security measure is the type of algorithm that’s used to convert plaintext passwords into cryptographic hashes. If the company used SHA1, SHA3, MD5, or any number of other “fast” hashes, it’s extremely likely that at least some of the leaked password data has already been cracked. If, on the other hand, the company used bcrypt, scrypt, PBKDF2 or another “slow” algorithm specifically designed to hash passwords, the chances are significantly lower. Reputation.com makes no mention of the algorithm it used, so users should presume the worst. Anyone who used their Reputation.com password to protect one or more accounts on other sites should change those passcodes immediately. Passwords should be randomly generated by a password manager, be at least 11 characters long, and include numbers, letters, and symbols. They should also be unique to each site.
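The two paragraphs above make separate claims: a per-user salt forces the attacker to guess against each hash individually rather than against the whole list at once, and a slow hash makes each of those guesses expensive. The following Python is an added example illustrating both, not code from the Ars article or from Reputation.com. The user records, salts and wordlist are constructed for the demo; PBKDF2-HMAC-SHA256 from `hashlib` stands in for the “slow” family (bcrypt and scrypt would need third-party packages), and the iteration counts are illustrative choices, not a recommendation.

```python
"""Added example: what salting does and does not buy, and what a slow hash adds."""
import hashlib
import hmac
import os
import time

# Constructed "leak": (username, plaintext) pairs that we hash and then attack.
USERS = [("alice", "letmein"), ("bob", "Summer2013"), ("carol", "Tr0ub4dor&3")]
# Constructed attacker wordlist; carol's password is deliberately not in it.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2013", "correcthorse"]
NO_SALT = b""  # what an unsalted store effectively uses


def fast_hash(password: str, salt: bytes) -> bytes:
    """'Fast' hash: salted SHA-1, roughly a microsecond per guess."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """'Slow' hash: PBKDF2-HMAC-SHA256; cost scales with the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_records(hasher, salted: bool, **kw):
    """Stored table of (user, salt, digest); salted means 16 random bytes per user."""
    records = []
    for user, pw in USERS:
        salt = os.urandom(16) if salted else NO_SALT
        records.append((user, salt, hasher(pw, salt, **kw)))
    return records


def crack_unsalted(records, hasher, wordlist, **kw):
    """Without salt, one hash per candidate covers every user via a lookup table."""
    table = {digest: user for user, _salt, digest in records}
    cracked, evals = {}, 0
    for guess in wordlist:
        evals += 1
        digest = hasher(guess, NO_SALT, **kw)
        if digest in table:
            cracked[table[digest]] = guess
    return cracked, evals


def crack_salted(records, hasher, wordlist, **kw):
    """With per-user salt, every candidate must be re-hashed for every user."""
    cracked, evals = {}, 0
    for user, salt, digest in records:
        for guess in wordlist:
            evals += 1
            if hmac.compare_digest(hasher(guess, salt, **kw), digest):
                cracked[user] = guess
                break  # found; move on to the next user
    return cracked, evals


def verify(password: str, salt: bytes, digest: bytes, hasher, **kw) -> bool:
    """Login-side check; constant-time compare so timing reveals nothing."""
    return hmac.compare_digest(hasher(password, salt, **kw), digest)


def cost_ratio(iterations: int = 100_000, samples: int = 20) -> float:
    """How many fast_hash calls fit in the time of one slow_hash (hardware dependent)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        slow_hash("benchmark", salt, iterations)
    slow = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        fast_hash("benchmark", salt)
    fast = (time.perf_counter() - t0) / (samples * 1000)
    return slow / fast


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted(make_records(fast_hash, False), fast_hash, WORDLIST))
    print("salted SHA-1:  ", crack_salted(make_records(fast_hash, True), fast_hash, WORDLIST))
    slow = make_records(slow_hash, True, iterations=20_000)
    print("salted PBKDF2: ", crack_salted(slow, slow_hash, WORDLIST, iterations=20_000))
    print("one PBKDF2 (100k iterations) costs about %.0f SHA-1 guesses" % cost_ratio())
```

Both SHA-1 runs recover the same two passwords; the salt only raises the attacker’s hash count from 6 (one per candidate, looked up against all users) to 14 (three users, each guessed individually until a hit or the end of the list), and does nothing for carol’s hash once an attacker decides to target her specifically. Only the PBKDF2 table changes the cost of each of those 14 guesses, by a factor `cost_ratio()` reports for the machine it runs on.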

For a deeper dive into the benefits of salting and hashing, see last Saturday’s story about the password breach that hit LivingSocial.com. Some of the user comments are especially illuminating.

