Comment But will they listen? (Score 1) 945

Sadly, it has been my experience that the kind of people that are easily swayed by their favorite entertainers are usually not the kind of people that would be willing to listen to ANY opposing arguments. I have tried to explain the situation to people using all sorts of different analogies but all they hear is "BIG GOVERNMENT IS TAKING OUR INTARWEBS!".

What I don't get is why so many big businesses (not necessarily "internet companies" like Amazon and Google) have remained silent on the issue. You know that massive B2B e-commerce system that connects you to your suppliers and your customers? It uses the internet. Ever think about how the new FCC regulations will affect you?

Comment Re:for a real class act (Score 2, Interesting) 359

I once asked someone about this and how to get around it. Their answer was to take the number of years required in the technology, add 2 and let that be your "years of experience". This will get you past HR and (hopefully) in front of a hiring manager. If the manager points out that your 8 years of Ruby on Rails experience seems unlikely, tell him what you did. If the manager doesn't laugh then you do NOT want to work for him/her.

Role Playing (Games)

Fallout: New Vegas Coming This Fall, Trailer Released 100

Bethesda announced today that Fallout: New Vegas is scheduled for release sometime this fall, and they released a trailer as well. Details are scant yet on the official site, but they had this to say: "Experience all the sights and sounds of fabulous New Vegas, brought to you by Vault-Tec, America's First Choice in Post Nuclear Simulation. Explore the treacherous wastes of the Great Southwest from the safety and comfort of your very own vault: Meet new people, confront terrifying creatures, and arm yourself with the latest high-tech weaponry as you make a name for yourself on a thrilling new journey across the Mojave wasteland. A word of warning, however — while Vault-Tec engineers have prepared for every contingency,* in Vegas, fortunes can change in an instant. Enjoy your stay. (* Should not be construed as a legally-binding claim.)"

Comment Another thought... (Score 1) 535

What the hell made Mr. Spiegel of XTS software think that posting this story was a good idea?

If you were one of his customers, how would you feel knowing that the product that you just bought was developed not by the best developers but developers that knew how to play this game? Personally, I would feel more comfortable deploying software if I knew that the developers weren't spending most of their time marketing themselves internally.

Anyone else feel this way?

Comment Re:the cat (Score 2, Insightful) 437

I agree. To be honest, I was considering buying one a few weeks ago. I understand the issue from the Amazon side, but I would not feel comfortable spending that much money on a device with such strict digital ties to the manufacturer.

The problem that I see is that Amazon has tipped their hand - they not only have the ability to remove content remotely but they also have the will to do it.

Comment Re:Only MD5/LM/NTLM? (Score 1) 95

There is some SHA1 as well via the download mirrors in TFA.

Though, I agree and wouldn't mind seeing some old-style MySQL hashes, for instance. It's amazing how few databases actually use the new form. The new form is SHA1 twice with no salt. (Hey, more unsalted fodder for rainbow tables.) I don't know if anything else uses this method, but I know bad things (TM) can happen when people just create new schemes like double hashing or double encryption. (3DES was supposed to be 168 bits (56 * 3) but turns out to be only 112 bits of security.)

Comment Re:rainbow table? (Score 1) 95

Yes, the paper is not very clear. The FAQ on freerainbowtables.com comes complete with some diagrams. You are certainly correct that rainbow tables are not just huge precomputed hash databases. Unfortunately, it seems most slashdotters cannot be bothered to actually educate themselves and just like to state that it's a term to describe something very basic and old.

Comment Re:Salts? (Score 1) 95

Unfortunately not. Programmers and sysadmins alike only sort of seem to know what a salt is. Look at how often an application stores passwords in plaintext or with a simple MD5 and you'll be happier not knowing. For that matter, I seem to recall that buffer overflows were discovered decades ago and yet plenty of new code continues to suffer from the flaw.

One very interesting place that unsalted hashes seem to stick around is old LDAP directories. I've seen ones with combinations of MD5, SMD5, SHA, SSHA, and crypt/DES. Also, let's say that the LDAP directory only uses SSHA *but* also provides NTLM hashes for Windows authentication such as a PDC or BDC; well then, who cares about the salted SHA1 when you can attack the NT hash much faster.

For that matter only starting with Windows Vista are LM hashes *not* enabled by default. So while 2000, XP, 2003, etc. store the NT hash, storing the LM hash too means no one bothers to crack the NT hash.

One very good use for rainbow tables like MD5 and SHA1 is to at least get LDAP directories migrated to a salted variant. Good luck getting all your users to change their password or even remember it, since they probably just have it saved in a browser.
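The two storage formats the comments above mention, side by side, as an added example (not code from the comments or from any of the projects named): the MySQL 4.1+ PASSWORD() form, which is SHA1(SHA1(pw)) with no salt, and the RFC 2307 {SSHA} form an LDAP directory stores, which is base64(SHA1(pw || salt) || salt). The sample user table is constructed; the helper names are this example's own.

```python
# Added example: unsalted double SHA1 (MySQL 4.1+ PASSWORD()) beside salted
# {SSHA} (LDAP). The point: with no salt, equal passwords give equal rows,
# so one precomputed lookup of a hash covers every user who chose it.
import base64
import hashlib
import hmac
import os
from typing import Optional


def mysql_new_style(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + hex(SHA1(SHA1(password))).upper(). No salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64(SHA1(password || salt) || salt), a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_ssha_verify(stored: str, candidate: str) -> bool:
    """Recover the salt from the stored value, rehash the candidate, compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA1 digest is 20 bytes, salt follows
    check = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, check)


def duplicate_hash_rows(hashes: list) -> int:
    """Count stored rows that equal some other stored row. In an unsalted table
    every such collision reveals that two users share a password."""
    counts = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


# Constructed sample user table: three users, two of whom chose the same password.
USERS = {"alice": "Winter2009", "bob": "Winter2009", "carol": "correct horse"}


def compare_schemes(users: dict = USERS) -> dict:
    """Store the same passwords both ways and count the visible duplicates."""
    mysql_rows = [mysql_new_style(pw) for pw in users.values()]
    ssha_rows = [ldap_ssha(pw) for pw in users.values()]
    return {
        "mysql_visible_duplicates": duplicate_hash_rows(mysql_rows),
        "ssha_visible_duplicates": duplicate_hash_rows(ssha_rows),
    }


if __name__ == "__main__":
    print(mysql_new_style("Winter2009"))
    row = ldap_ssha("Winter2009")
    print(row, ldap_ssha_verify(row, "Winter2009"), ldap_ssha_verify(row, "winter2009"))
    print(compare_schemes())   # {'mysql_visible_duplicates': 2, 'ssha_visible_duplicates': 0}
```

The migration the comment describes is visible in `ldap_ssha_verify`: the salt travels inside the stored value, so a directory can re-store each user's password under {SSHA} the next time that user authenticates successfully, without anyone having to remember or reset anything.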

Comment Re:OMG is that annoying... (Score 1) 95

Please see my comment on the matter of "a new name for it for no reason."

If it was nothing but precomputed hashes then indeed it would not be very interesting, as it is nothing new. However, it's quite a bit different, as the lookups are probabilistic, not 1:1 lookups of "is the hash there, yes/no".

For that matter, educating people to learn how to use salts with their hash for storing passwords is nowhere near complete, even among savvy geeks.

Comment Re:OMG is that annoying... (Score 1) 95

If you just mentally link rainbow table with precomputed hashes then you have missed the point entirely. Rainbow tables are an entirely new approach to the problem. It isn't simply storing every precomputed hash. It has a few advantages such as much less disk space is needed, much faster due to indexes as well as less to load from disk, etc. It's actually probabilistic in nature and does not guarantee 100% that a given hash is found. You may want to spend the time to read through the FAQ if you are interested.

One interesting use involves prebuilt CD and DVD ISOs for Windows LM *and* NTLM password recovery.

With a distributed project like Free Rainbow Tables, it gives people less and less chance to avoid learning what a salt is and I hope will lead to more education of programmers, admins, etc.

No matter how expensive the hash is in terms of computation, nothing beats a good hash that uses salts for storing passwords. Though, I'd like websites to stop storing plaintext passwords that they email to you for a password recovery :(
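A toy rainbow table, added here as an example (not from the comments above nor from the Free Rainbow Tables project), to make concrete the three properties the comments claim: chains of hash -> reduce -> hash -> reduce with only the chain ends stored (far fewer rows than hashes covered), lookups that are probabilistic rather than guaranteed, and a salted hash that the table simply cannot answer. The keyspace (4-digit PINs under unsalted MD5), chain parameters and reduction function are this example's own constructed choices, not values from any real table.

```python
# Added example: a miniature rainbow table over a constructed keyspace of
# 4-digit PINs. It shows why the table is small, why coverage is < 100%,
# and why a per-user salt makes the whole table useless.
import hashlib
import random

KEYSPACE = 10_000      # PINs 0000..9999 (constructed toy keyspace)
CHAIN_LEN = 40         # reductions per chain
NUM_CHAINS = 300       # chains stored: far fewer rows than KEYSPACE


def pin_hash(pin: int) -> bytes:
    """The unsalted hash the toy table targets: MD5 of the 4-digit PIN string."""
    return hashlib.md5(f"{pin:04d}".encode("ascii")).digest()


def reduce_to_pin(digest: bytes, column: int) -> int:
    """Reduction function R_column: maps a digest back into the keyspace. Making it
    depend on the column is what distinguishes rainbow chains from older Hellman
    chains and keeps chains from merging as often."""
    return (int.from_bytes(digest[:8], "big") + column) % KEYSPACE


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN, seed: int = 7) -> dict:
    """Map endpoint -> start point. Only the two ends of each chain are kept on disk."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = rng.randrange(KEYSPACE)
        p = start
        for col in range(chain_len):
            p = reduce_to_pin(pin_hash(p), col)
        table.setdefault(p, start)     # merged chains share an endpoint; keep the first
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Return a PIN whose hash is target, or None. For each column the target could
    occupy, walk forward to the chain end; on an endpoint match, regenerate the chain
    from its start and verify the hash, so false alarms from merges are rejected."""
    for col in range(chain_len - 1, -1, -1):
        p = reduce_to_pin(target, col)
        for i in range(col + 1, chain_len):
            p = reduce_to_pin(pin_hash(p), i)
        if p in table:
            q = table[p]
            for i in range(col):
                q = reduce_to_pin(pin_hash(q), i)
            if pin_hash(q) == target:
                return q
    return None


def coverage(table: dict, sample: int = 200, seed: int = 11) -> float:
    """Fraction of randomly chosen PINs the table recovers. It is well below 1.0:
    the 'probabilistic, not guaranteed' property the comment describes."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(sample):
        pin = rng.randrange(KEYSPACE)
        if lookup(table, pin_hash(pin)) == pin:
            hits += 1
    return hits / sample


def salted_hash(pin: int, salt: bytes) -> bytes:
    """Same MD5, but over salt || PIN. The table was built for a different function,
    so none of its chains were ever generated from these digests."""
    return hashlib.md5(salt + f"{pin:04d}".encode("ascii")).digest()


if __name__ == "__main__":
    table = build_table()
    print(f"stored rows: {len(table)} of {KEYSPACE} possible PINs")
    print(f"coverage on a random sample: {coverage(table):.0%}")
    print("salted lookup:", lookup(table, salted_hash(1234, b"x9!")))   # None
```

The salted case fails for a structural reason, not a probabilistic one: `lookup` only returns a PIN whose unsalted MD5 equals the target, and a salted digest is the MD5 of a different string, so no verification ever succeeds. A defender who wants each stored hash to need its own table, as the comments urge, gets exactly that from a per-user salt.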

Paro the Therapeutic Robot Baby Seal 52

Mike writes "Paro is a therapeutic baby seal robot that is exploring new dimensions in animal therapy. Created to act as a companion for hospital patients and the elderly, the adorable baby harp seal bot aims to increase relaxation and decrease stress. Paro can sense and respond to its immediate environment through five integrated sensors that detect touch, light, sound, temperature, and posture, and it is even capable of learning and responding to a name."
