Crackers tap new sources to uncover "givemelibertyorgivemedeath" and other phrases. by Dan Goodin
Aurich Lawson
Early last year, password security researcher Kevin Young was hitting a brick wall. Over the previous few weeks, he made steady progress decoding cryptographically protected password data leaked from thethen-recent hack of intelligence firm Stratfor. But with about 60 percent of the more than 860,000 password hashes cracked, his attempts to decipher the remaining 40 percent were failing.
The so-called dictionary attacks he mounted using lists of more than 20 million passwords culled from previous website hacks had worked well. Augmented with programming rules that substituted letters for numbers or combined two or more words in his lists, his attacks revealed Stratfor passwords such as "pinkyandthebrain", "pithecanthropus", and "moonlightshadow". Brute-force techniques trying every possible combination of letters, numbers, and special characters had also succeeded at cracking all passwords of eight or fewer characters. So the remaining 344,000 passwords, Young concluded, must be longer words or phrases few crackers had seen before.
"I was starting to run out of word lists," he recalled. "I was at a loss for words—literally."
He cracked the first 60 percent of the list using the freely availableHashcatandJohn the Ripper password-cracking programs, which ran the guesses through the sameMD5 algorithmStratfor and many other sites used to generate the one-way hashes. When the output of a guessed word matched one of the leaked Stratfor hashes, Young would have successfully cracked another password. (Security professionals call the technique an "offline" attack because guesses are never entered directly into a webpage.) Now, with his arsenal of dictionaries exhausted and the exponential increase in the time it would take to brute force passwords greater than eight characters, Young was at a dead end. In the passwords arms race, he was losing. Young knew he needed to compile new lists of words he never tried before. The question was where to find the words.
After cracking 60 percent of passwords leaked in the hack of Stratfor, Kevin Young mined the Internet for longer passphrases.
Kevin Young
A free cracking dictionary anyone can compile
Young joined forces with fellow security researcher Josh Dustin, and the cracking duo quickly settled on trying longer strings of words found online. They started small. They took a single article fromUSA Today, isolated select phrases, and inputted them into their password crackers. Within a few weeks, they expanded their sources to include the entire contents of Wikipedia and the first 15,000 works of Project Gutenberg, which bills itself as the largest single collection of free electronic books. Almost immediately, hashes from Stratfor and other leaks that remained uncracked for months fell. One such password was "crotalus atrox". That's the scientific name for the western diamondback rattlesnake, and it ended up in their word list courtesy ofthis Wikipedia article. The success was something of an epiphany for Young and Dustin.
"Rather than try a brute force that makes sense to a computer but not to people, let's use human beings because people typically make these long passwords based on things that humans use," Dustin remembered thinking. "I basically utilized the person who wrote the article on Wikipedia to put words together for us."
A crotalus atrox, aka western diamondback rattlesnake.
Almost immediately, a flood of once-stubborn passwords revealed themselves. They included: "Am i ever gonna see your face again?" (36 characters), "in the beginning was the word" (29 characters), "from genesis to revelations" (26), "I cant remember anything" (24), "thereisnofatebutwhatwemake" (26), "givemelibertyorgivemedeath" (26), and "eastofthesunwestofthemoon" (25).
Twitter’s public S-1 filing revealed much-awaited metrics about the company’s revenue, monthly active users, growth rate and more. Dispersed throughout the 164-page filing are details on tweet distribution and plans for growing ad revenue through Twitter Amplify and real-time TV ad targeting. These plans and details show how Twitter could take $1 billion dollars in ad revenue from YouTube.
Yes, YouTube is the de facto video distribution provider on the Internet.More than six billion hours of video are watched each month, and its videos reach more U.S. adults between the ages of 18 and 34 than any cable network. It’s because of numbers like these that more than a million advertisers are pouring dollars into pre-roll YouTube advertisements.
However, YouTube’s advertising value is derived from its massive distribution around the Web. Brands generally use YouTube as a vehicle to upload easily embeddable videos, but a brand’s YouTube channel is rarely where it invests and engages with its community in real time.
This weakness is Twitter’s opportunity: Tweets are just as easily embeddable as YouTube videos, with news stories and blogs regularly including embedded tweets of reactions to recent events. Embedded tweets are slowly becoming as ubiquitous as embedded YouTube videos across the Web.
According to the filing, tweets have been embedded on more than one million third-party websites. During the second quarter of 2013, embedded tweets yielded an estimated 30 billion online impressions. A study conducted this year by Arbitron Inc. and Edison research found that almost half (44 percent) of Americans hear about tweets through media channels other than Twitter almost every day.
As a result, if Twitter continues to grow into the de facto public social network, it could easily start taking millions (and perhaps billions) of valuable ad dollars from YouTube.
In fact, Twitter is well positioned over the video distribution provider in the very place where video content is king: Television. Turn on your favorite show, and you are likely to see a hashtag or Twitter handle to extend your experience. This extension puts Twitter in an incredible spot to encourage more video content to be available on the network.
All Twitter needs to do is host long-form video, and it’s off to the races. The filing hints that this could be on the horizon: “We plan to continue to build and acquire new technologies to enable our platform partners to distribute content of all forms.”
What This Means for Ad Dollars
In a world with long-form video on Twitter, the next time a video advertiser wants to catch the attention of ABC’s “Scandal” audience, that advertiser will have a plethora of options for its ad buying, including YouTube, Facebook, Twitter, ABC and more. But think about the benefits that Twitter presents to an advertiser. All it needs to do is to post a tweet with the video, which will reach its followers for free, and then promote that tweet to people watching “Scandal” during its airing (which generates2,200 tweets per minuteand can be targeted via Twitter’s TV targeting). That video tweet will end up being more valuable than pre-roll on YouTube, as it’s targeting users watching “Scandal” across a variety of platforms, such as cable, Web and satellite, and it is ridiculously easy to embed across the Web. What started as a tweet to your followers ends up giving you hyper-targeting that reaches Twitter’s highly engaged audience in real time and has unlimited distribution via the rest of the Internet.
This advertising opportunity doesn’t have to be just through a traditional promoted tweet. Advertisers might eventually have the chance to run pre-roll ads on tweets as well. Just look at the co-branded video content that has been produced for Twitter’s hot new program, Twitter Amplify, whichjust inked a major deal with the NFL. With Twitter Amplify, a brand hosts its content on Twitter, and another brand sponsors the promotion of that content. On top of that,Twitter makes sure the content is promotedto users who might not know about the featured content to ensure greater efficiency. Twitter kicked off the program a few months ago with deals with BBC America, FOX, Fuse and even MTV, whose video tweet during the VMAs was promoted by Orbit Gum. When users hit play, they see a short still advertisement for Orbit Gum, and then the MTV video of Jimmy Fallon begins.
In addition to its one-up with television, Twitter has a big step ahead of YouTube when it comes to direct engagement. Brands successfully engage with their communities in many different ways on Twitter. Major brands have customer service monitoring Twitter 24/7. They share updates, interact with fans, comment on Super Bowl power outages and more through the social network. Each brand’s account essentially turns into the public persona for that brand on the Internet.
Although Twitter Amplify and promoted video tweets are still in their early stages, the example of the Orbit/MTV campaign is just one of many instances we’ll begin to see of advertising dollars going to Twitter that only a year ago would have gone to YouTube. The filing cited Twitter Amplify as part of its growth strategy, so we can only expect to see more use of this strategy. It’s the beginning of Twitter’s transition to a global video ad powerhouse, but it’s far more engaging than 140 characters at a time.
James Borow is the co-founder and CEO of SHIFT, a real-time marketing platform of choice for top global advertisers. SHIFT has raised $14 million to date and is backed by Lerer Ventures, Thrive Capital, Founder Collective, Rincon Venture Partners, Baroda Ventures and Crosscut Venture Partners.
