Hacker News | dabeledo's comments

m'lAIdy


Sudetenland


> simply do bcrypt(md5(password))

This could also be problematic.

Password Shucking https://www.youtube.com/watch?v=OQD3qDYMyYQ


Ok, some text with a 3-line explanation of the attack, instead of a 45-minute video where it's explained somewhere in less than a second:

https://security.stackexchange.com/questions/234794/is-bcryp...


It can be a good migration strategy. Just make sure to fix it at the user's next login.

Still much better to have md5 directly in your db.

I fixed something like this just 4 years ago. :|
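The migration flow this comment describes, as an added example that is not code from the thread: wrap the existing md5 column in the slow hash immediately (no plaintext needed), then on each successful login against a wrapped row rehash the plaintext directly and rewrite the row. pbkdf2_hmac-sha256 stands in for bcrypt so the example runs on the Python standard library alone; the record layout, scheme tags and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example. pbkdf2_hmac-sha256 is used as a stand-in for bcrypt (assumption:
# any slow, salted hash has the same migration shape); the stdlib avoids a
# dependency on the bcrypt package.
ITERATIONS = 10_000


def slow_hash(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt: slow, salted, deterministic for a given salt."""
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def md5_hex(password: str) -> str:
    """The legacy fast hash already sitting in the database."""
    return hashlib.md5(password.encode()).hexdigest()


def wrap_legacy_md5(md5_hex_from_db: str) -> dict:
    """Migration step 1, run offline over the whole table: wrap each stored md5
    in the slow hash. No plaintext is needed, so it can be done right away."""
    salt = os.urandom(16)
    return {"scheme": "slow(md5)", "salt": salt,
            "hash": slow_hash(md5_hex_from_db.encode(), salt)}


def hash_password(password: str) -> dict:
    """Target scheme: the slow hash directly over the password."""
    salt = os.urandom(16)
    return {"scheme": "slow", "salt": salt,
            "hash": slow_hash(password.encode(), salt)}


def login(db: dict, user: str, password: str) -> bool:
    """Migration step 2: verify against whichever scheme the row uses, and on a
    successful legacy login rewrite the row with the direct scheme, because this
    is the only moment the server holds the plaintext."""
    rec = db.get(user)
    if rec is None:
        return False
    if rec["scheme"] == "slow(md5)":
        inner = md5_hex(password).encode()
    else:
        inner = password.encode()
    ok = hmac.compare_digest(slow_hash(inner, rec["salt"]), rec["hash"])
    if ok and rec["scheme"] == "slow(md5)":
        db[user] = hash_password(password)  # upgrade in place
    return ok


def remaining_legacy(db: dict) -> int:
    """Rows still carrying slow(md5()), i.e. still shuckable; track this to
    know when the legacy verification path can be deleted."""
    return sum(1 for rec in db.values() if rec["scheme"] == "slow(md5)")
```

A failed login must not touch the row, and the legacy branch should be removed (or the remaining accounts force-reset) once `remaining_legacy` reaches zero, because every wrapped row left behind keeps the shucking exposure discussed below.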


Honestly, not as a big a deal as some people make it.

First off, you'd have to assume the attacker knows the bcrypt hashes are bcrypt(md5(password)) – an attacker wouldn't always know this

Also it assumes there is password reuse, but that the password is strong enough that the md5 is uncracked.


I'm also not quite sure about the circumstances where that would be relevant, but on the StackExchange page a sibling comment found, there is this further explanation:

> > I know I'm probably stupid but... how is this different from a dictionary attack? Instead of trying a list of known passwords, you try their md5s. If the md5 hasn't been cracked before, chances are that the password is strong enough to resist being cracked now. – nobody Jul 17 '20 at 14:55

> Because there are plenty of MD5s in the wild that A) just happen to not have been cracked yet because they weren't interesting enough to stand out, but B) once an attacker can figure out that that MD5 is inside a really interesting, high-value-target bcrypt, they might spend a lot more effort to crack that MD5. So it's not just a dictionary attack; it's a dictionary attack of passwords that are currently unknown but might be crackable with additional effort. And that effort is much less than trying to crack that password if it was only inside a pure bcrypt. – Royce Williams Jul 17 '20 at 15:00

https://security.stackexchange.com/questions/234794/is-bcryp...

So the assumption is: there is a breach A of a low-interest target with MD5 hashes and a breach B of a high-interest target with BCrypt(MD5) hashes. As A is not interesting enough, people don't invest the time to crack A's MD5s. But as B is super interesting, they will use A as a dictionary source to then know on which MD5s they should invest a high amount of time, as it will help them crack the high-interest target B. Note that no specific user association takes place, unlike in the presentation about password shucking by Sam Croley (above YouTube link), where usernames/emails of A and B are correlated.

I think this is a bit more plausible than Croley's take on it. Because if I have identified a high-interest individual, I would already invest a lot of time to crack the MD5 password.

And yes, what you said bears repeating: All of this attack lives in the small space where the password is too strong to be cracked from a simple MD5 hash when you are mildly interested but not strong enough to prevent cracking when you are deeply interested – for varying degrees of mildly and deeply interested. Overall I would like to read about real world examples where this made the difference and how that password happened to fall into that region.


Thanks for sharing this, TIL.

It's a very interesting attack, highly specific to the high-number of breaches, high password reuse environment we're in that enables at-scale password cracking.

I don't think it invalidates this advice completely. You should watch the talk and eventually add a global pepper (assuming it does not leak), and of course do the final bcrypt(md5(pass)) -> bcrypt(pass) migration upon user login.


I wonder if adding a random salt for each account would help in that situation?

bcrypt(md5(password) + salt) + salt

the problem with password shucking would be that they just do a bcrypt(md5) over the list of md5 hashes they have and check if they exist in your database.

but if each hash is salted they would need to run their complete md5 hash list through bcrypt for each account instead of once per database.


No, that wouldn't help because you'd need to store the random salt along with the hashes. So you can still do: bcrypt(other_leaked_md5 + salt) to shuck it (i.e. confirm if both are the same, and skip the bcrypt on your stronger service). The defense is a global "pepper" that would be in the code but not the DB, assuming only the second one leaks.
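The shucking exchange above (the salted scheme at L59 and the pepper reply), as an added example that is not code from the thread. It builds a bcrypt(md5(password))-style record with a per-user salt, shows that an attacker holding the database (salt included) can test a list of uncracked md5s from another breach against it without guessing a single password, then cracks the identified md5 at md5 speed, and finally shows the same attempt failing when a server-side pepper that is not in the database is mixed in. pbkdf2_hmac-sha256 stands in for bcrypt so it runs on the standard library; the breach contents, passwords and pepper are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Added example. pbkdf2_hmac-sha256 is used as a stand-in for bcrypt (assumption:
# any slow, salted hash behaves the same way for shucking).
ITERATIONS = 10_000


def slow_hash(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt: slow, salted, deterministic for a given salt."""
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def md5_hex(password: str) -> str:
    """The fast inner hash of the bcrypt(md5(password)) scheme."""
    return hashlib.md5(password.encode()).hexdigest()


def enroll(password: str, pepper: bytes = b"") -> dict:
    """Store slow_hash(md5(password) || pepper, salt) next to the per-user salt.
    The salt is in the database and leaks with it; the pepper is in the code."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": slow_hash(md5_hex(password).encode() + pepper, salt)}


def shuck(record: dict, leaked_md5s: List[str], pepper: bytes = b"") -> Optional[str]:
    """Attacker step: which md5 from breach A sits inside this breach-B record?
    The per-user salt only forces one slow hash per candidate per user; it does
    not hide anything, because the attacker reads it from the same dump."""
    for candidate in leaked_md5s:
        trial = slow_hash(candidate.encode() + pepper, record["salt"])
        if hmac.compare_digest(trial, record["hash"]):
            return candidate
    return None


def crack_md5(target_md5: str, wordlist: List[str]) -> Optional[str]:
    """After shucking, the password is attacked at md5 speed, not bcrypt speed."""
    for guess in wordlist:
        if md5_hex(guess) == target_md5:
            return guess
    return None


def demo() -> dict:
    # Constructed data: breach A leaked raw md5s that nobody bothered to crack;
    # breach B (the interesting site) used bcrypt(md5(password)) and the user
    # reused the same password on both.
    leaked_md5s = [md5_hex(p) for p in ["Tr0ub4dor&3", "xK9#mPq2vL", "swordfish"]]
    record_b = enroll("xK9#mPq2vL")
    peppered_b = enroll("xK9#mPq2vL", pepper=b"constructed-server-side-pepper")

    found = shuck(record_b, leaked_md5s)
    # The attacker now knows exactly which md5 is worth the expensive crack.
    cracked = crack_md5(found, ["password", "xK9#mPq2vL", "letmein"]) if found else None
    # Without the pepper, no trial hash ever matches, salt or no salt.
    found_peppered = shuck(peppered_b, leaked_md5s)
    return {"shucked": found, "cracked": cracked, "shucked_peppered": found_peppered}
```

The pepper only helps while it stays out of the leaked data set: if the code and the database leak together, `shuck(peppered_b, leaked_md5s, pepper=...)` succeeds exactly like the unpeppered case, which is why the comment above qualifies it with "assuming only the second one leaks".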


$800 to preorder the smaller 13in one. The other one (25.3in as in the title) is $1800


I visited Istanbul a couple of weeks ago, and the amount of ads on TV, in the media and on billboards advertising dozens of different crypto companies was mesmerising. More interestingly, for a "culture" so gold focused.


Woman


Human


Older handhelds also had their quirks! The original Game Boy boot BIOS would load the Nintendo logo from the cartridge ROM and run a "checksum" of the logo data to compare it with a constant value stored in the BIOS itself; if the logo in the cartridge is the copyrighted Nintendo logo, it would start the game. With that, Nintendo wanted to be sure that any cartridge would require a copyrighted logo, so a license would be technically required.


SEGA also did this! The so-called trademark security systems. Completely insecure, but violating it gave the console manufacturer the perfect excuse to sue the violator.

Lawsuits involving this system had really interesting results. In one case, the judges not only ruled that the trademark infringement was fair use, they said that SEGA made the trademark infringement necessary in order to produce compatible games due to their own security system. The infringement was SEGA's own fault!

The world used to be great before the DMCA criminalized even the attempt to circumvent these things.

https://en.wikipedia.org/wiki/Sega_v._Accolade


Not really adding anything to the discussion, but thanks for telling us about that ruling - it really sounds absurd in these dark DMCA days.


You might also be interested in the Bleem and Virtual Game Station lawsuits. They're notable because they involve commercial emulators, nobody settled out of court, and they clearly demonstrate how large and rich companies abuse the legal system to put their smaller competitors out of business.

I'm not a lawyer so I don't fully understand the laws here. I found they were quite easy to read though.

Sony Computer Entertainment v. Connectix Corp.

https://scholar.google.com/scholar_case?case=716676913673727...

Sony complained that Connectix copied their copyrighted code during the reverse engineering process. This is obviously necessary in order to reverse engineer the code, access the unprotected ideas embodied in it and produce compatible products. It was ruled as fair use.

Sony Computer Entertainment America v. Bleem

https://scholar.google.com/scholar_case?case=118372240780525...

Sony complained about their use of screenshots of copyrighted games in advertising. This is comparative advertising intended to show that the emulator performs as intended, which is obviously good for consumers. It was ruled as fair use.

Despite this precedent, I still see companies issuing DMCA claims to emulator developers whenever they find some screenshot on an emulator website! It makes me wish some judge would award the developers millions just to punish the audacity of these companies. They're wrong but they know the developers won't ever take it to court so they take advantage of the situation.

Also, at no point is the legality of emulators ever disputed. It's not even a gray area. Emulators are competitors. They compete directly with the original hardware. They even try to argue that these competing products will tarnish their trademarks!

Sony lost all lawsuits yet they won in the end, because judges granted injunctions which prevented the smaller companies from selling their emulator software. That led to their ruin and the discontinuation of their emulator development. This was their goal all along. Their arguments are clearly insane, they just wanted some shoddy excuse to take their competitors to court and burn their money. In a just world, the judges would calculate the amount of lost profits caused by Sony and make them pay with interest.


Thank you! So that is what happened to Bleem.


in the same way that you can steal secrets


When I copy your secrets, you no longer have secrets - just information that someone else also has. When I copy your code, you still have the code.


Before you copy my code I own [the only copy]; after you steal/copy it I no longer own [the only copy].


If you steal my secret code, then I no longer have secret code.

The question is whether the secrecy itself has value. I may perceive that it does, and you may conveniently perceive that it doesn't.

It's a dubious mindset, to believe that it's your own call to decide whether something should be of value to someone else.


They are still secrets so long as you don't go publish them but use them yourself.


Code is worthless on its own.


I think you are assuming someone else should have created that email address without the dot because you are getting emails addressed to someone else. The reality is that it is more likely someone who hasn't created that email is using it as their address because they don't really understand how email and email addresses work.


I don't follow the development of this game but I can imagine they have plans to allow user-generated content to be added to the game through some kind of system. And if they don't have plans, they should.


They have a plan for users to buy content. And yes, you can buy new ships for some game mechanic that is not even in pre-alpha.

The only time there was talk about user-generated content was when they had a "design a ship" contest. Designer teams jumped on it and designed a ship that you could visit in the hangar instance, but it's gone now... because they needed to rework things there. I wonder why, because that ship was never playable... This is SC for you.

