Security expert Bruce Schneier isn’t convinced this New York Times piece about Russian hackers collecting 1.2 billion passwords tells the whole story. In a piece published this morning, Schneier points to a Forbes article1 that suggests the Times piece is part of a publicity push on the part Hold Security, the firm that discovered the breach.
More interesting, though, is Schneier’s affirmation that the secure web as we know it is actually working (emphasis mine):
We’re not seeing massive fraud or theft. We’re not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords – they’ve probably had most of them for a year or more – and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it it’s all okay. [sic] This is a weird paradox that we’re used to by now.
That’s all oddly comforting to me. Anyway…time to change your passwords.2
Schneier quotes but doesn’t link to the article. Forbes has turned into a pretty awful outlet/content farm. They are not above publishing complete bullshit for clicks. That Schneier’s perspective comes from a Forbes piece gives me pause, but I respect his opinion enough to listen up.↩