That leading sentence
'An Anonymous cadre has hacked into major oil corporations' computers to protest against drilling in the Arctic.'
A few annoying, unemployed oiks hacked some oil company databases to draw attention to themselves.
FTFY
An Anonymous cadre has hacked into major oil corporations' computers to protest against drilling in the Arctic. The attack, dubbed OpSaveTheArctic, has led to the lifting of email addresses and encrypted password hashes for about 500 email accounts at five leading oil exploration corporations: Exxon Mobil, Shell, BP, Gazprom …
"I'd pay actual real money* to go to an illegal backstreet hippy vs hacker cage fight and watch them beat the shit out of each other."
Na not worth it. Hippies are all love and peace so won't fight and the hacker will be cowering in the corner because their not use to leaving their bedrooms. You'd have to spike their jolt cola/hash brownies with steroids and gorilla juice just to get any sort of action.
Why are they encrypting their password hashes, or is it the passwords that are encrypted then hashed?
The Reg seems to be confusing encryption with hashing quite a lot lately. Encryption results in a ciphertext that you can later decrypt, hashing results in a digest/checksum/hash code that is useful for checking that a given value matches the value that was originally hashed. Confuse the two and your encrypted cache of state secrets/porn collection/secret santa shopping list will turn out to be a set of completely useless (but conveniently smaller and easier to store) codes...
Encryption is a flawed security solution. If you only encrypt your passwords they are not secure from man in the middle attacks. Even if you use a double ROT13 scheme it's no barrier to a determined attacker. You might as write "password123" on a postit note, stick it on your forehead and walk around the office asking if anyone has seen your password. That's literally how (in)secure encryption is these days.
Real professionals avoid encryption altogether and instead hash, generate checksums, and write down the resulting ciphertexts on one timed pads. Trust me I have worked in the IT security consultancy arena for 7 years so I know what I am talking about.
no I said *double* ROT13. ROT13 alone can be cracked in log(n) time with modern hardware. Double ROT13 is only vulnerable to quantum attacks and only the government have access to quantum computers (*as far as we know).
Then again the best way to secure data is always the simplest: hide it in the last place an attacker will think of looking. Many years ago before the dot com bubble burst I worked for a small upstart web firm as Head of Security. The company had some backup disks on site they wanted secured. Instead of buying an expensive $ safe I recommended the CEO just hide the disks in the trashcan. No-one would think the company critical data was in the trashcan! Unfortunately a few weeks later a new cleaner threw them out, but I mention that as an aside, the system worked it was the fault of our cleaning technician. Not part of my responsibilities.
After that we uploaded the files to an old machine and hid them in the recycle bin (same trick!)
He said *double* ROT13... so rot13 your text and then rot13 it again and just try and guess how that might relate to the original unencrypted data. Actually I believe he is a person who works in security, as double rot13 is kind of a "trick" of the trade these days.
I admire the pedantry; we do know the difference between encryption and hashing. But the word 'encrypted' by the dictionary simply means to 'conceal information or data' and it's there to hint to new readers, or the less technically able, what hashing means without having to bulk up every story with a detail description of how one-way functions work.
If you know what a hash is, brilliant. We've told you the passwords were hashed (quite possibly MD5d). If you don't, then 'encrypted' will help you out.
C.
They are worried about an oil spill in the Arctic.
What would happen if they didn't drill there?
The oil may eventually come to the surface anyway, like the tar pits in California, and be even more of a disaster as there would be no way of syphoning off the oil or stopping the leak...