Interview with Alec Muffett (Originally Posted on Twitter)

Links: Twitter @AlecMuffett

Alec Muffett – dropsafe

alecmuffett (Alec Muffett) – GitHub

I would say “My next guest needs no introduction,” but for those of you who don’t know him, one of Alec Muffett’s claims to fame is the Unix password cracking system Crack – read more about it here.

Muffett also formerly worked for Facebook and developed its Tor hidden service, which can be found at http://facebookcorewwwi.onion. I interviewed him over Twitter recently (so you can see the text there too, but it’s easier to read here). Here’s what he had to say:

Secrets of the Dark: What are some things that the average user can do if they’ve been part of a data breach?

Alec Muffett: If we’re truly talking about “average users” then I would suggest they get a notepad, mug of coffee & some cookies, make a list of every site they use, and change the password for each one, writing the new PW down for each. Stretch goal: find the “log out other sessions” button.

For average users, I would recommend having utterly new passwords — ideally phrases — & have distinct hi/med/low passwords, and assign the new site passwords accordingly. I’d then ask them if they consider themselves “above average” & when they say “yes”, explain @1Password /etc

SotD: Is there a better authentication system than passwords that you think will eventually become the norm?

AM: Not exactly; I think on the backend there will be a bifurcation between sites which consider identity to be an analogue [sic] combination of signals[1] – passwords, cookies, locations, etc — versus those which give up on passwords entirely and leverage other identity solutions.

SotD: Why do you not allow onion-only Tor hidden services on your GitHub list?

AM: There are plenty of lists full of half-assed amateur onion efforts, mostly populated by broken links, and where the content is often crap. I felt it was time for somewhat serious names to be showcased.

SotD: You worked on the original Crack program; what other programs do you think are close to its present-day equivalent?

AM: @hashcat and #JohnTheRipper for literal comparison; but perhaps if you mean in terms of being contentious and profane, we’re in a bit of a lull for that at the moment. Used to be @nmap, @BitTorrent and/or @torproject for instance.

SotD: Tor often gets a bad rap because of the criminal activity associated with it. What are some ways that we can help change its reputation?

AM: Take note that “criminal activity” also happens (and happens chiefly) on the plaintext Internet, often defended by HTTPS; observe that knowing source IP addresses offers little in the way of absolute attribution. Talk about the extra assurance Tor offers as an alternative to IP.

SotD: Do you think that decentralized networks are starting to become the norm, or will be soon?

AM: I think the space of “normal” will expand to encompass them, but not that they will displace traditional-client-server-TCP/IP. They will add a complementary offering.

See also this observation: 2/ if today it is unremarkable to hold billions of dollars of “currency” in a space that is simply a decentralised database distinguished by cryptographic keys, how long before it’s equally normal for a network address to be very much the same?

SotD: Sir Tim Berners-Lee is developing a “new internet” called Solid with Inrupt, in which users store their data on PODs (as opposed to a central server). What are your thoughts on this project?

AM: Meh. I’ve been there and done the talking about this sort of thing, 10 years ago. This is not a “Sir Tim waved a magic wand and everyone was suddenly free of their chains!”-situation. This will be a slog, across many apps and protocols.

SotD: Once your private data has been exposed, is it too late to do anything about it?

AM: Yes, except it’s never too late to realise that other people mostly won’t care, once the salaciousness has worn off.

SotD: There are a lot of cybersecurity and financial companies offering “dark web scans” right now. Is there any value to these, or are they just selling snake oil?

AM: I see these at-best as the cyber equivalent of telling someone that their trouser zipper is undone or their skirt is tucked into their underwear. One can happily replace the phrase “dark web” with “ftp site” and the result is no better.

[Note: an interesting conversation developed on Twitter from this particular question:]

SotD: Organizations like OpenNIC and Blockchain DNS are presenting themselves as alternatives to traditional domain name registries, like ICANN – do you think that if these catch on, they will take the place of the “current” internet?

AM: There are too many vendors of nostrums based upon distributed buzzwords in the hope of churning their rent-seeking centralised architectures. True distribution eschews “centralised trust discovery architectures”, and – onion addresses aside* – we’re not there yet.

Onion addresses, like bitcoin addresses, are absolute; once you have it and connect-to/pay-to it, there is high assuredness of the result. All the trust is in the exchange/bootstrap of the fundamental data (address) required to establish communication.

[A]nd if you still can’t work out how to get a 40..60 character string from one person to another with reasonable assuredness & correctness (ignoring privacy) en-clair, you have a bigger issue. Incidentally: http://facebookcorewwwi.onion http://nytimes3xbfgragh.onion 

They literally fit into tweets.

SotD: What else can the average user do to protect his information (beyond just his password)?

AM: See essay at


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.