Quora User Data Compromised (blog.quora.com)
Nothing insightful. I'm just here to kick them while they're down.
If you want anonymity there are other platforms for that, stackexchange for example.
Ask MetaFilter is a much better Yahoo Answers, but I can be pseudonymous there. Also, my pseudonym is much closer to a real identity than what's on my driver's license.
I don't have any real reason to fear sharing my "real name" with Quora. I'm lucky. But I'm not the only person in the world. Good thing I'm not trans or a religious dissident. Good thing the only thing stopping me from contributing to Quora is my ornery nature. I would hate for the world to miss out on my Quora contributions for a good reason.
Good thing Quora doesn't have my "real name" is all I'm saying. I have an interest in privacy, even though I use the same pseudonym as my identity on LinkedIn, Twitter, Facebook, and Instagram. And Ask MetaFilter. And so many other places. I shouldn't have to beg to use my preferred name on Quora's bulletin board, regardless of my reasons. It's none of their business.
There's nothing about a "real names" policy that automatically turns a shitposter into a quality contributor. There are plenty of reasons not to wear a target on your back and self-doxx. Today's misadventure is one very good reason.
Your name just didn't provoke their Real Name Gestapo.
I think part of their reasoning is "hey, we have prominent users! Let's make sure everyone knows it!" But Ask MetaFilter has famous users. They are in no way diminished by my pseudonymity.
Plus I know how to change my name. I can spend $100 at the courthouse, and get an ID that would force Quora to let me use my preferred name. My point is, Quora doesn't get to be the impetus for my legal name change. I don't need Quora's permission to call myself what I prefer to be called.
Conclusion
It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust.
Even though I have been a heavy quora user (reader and contributor), I would be really happy if it died a really painful and stupid death
Also, it's implausible to me that selling the data wouldn't come out eventually. As we saw with Cambridge Analytica, even pretty obscure uses of data can eventually turn into giant media exposure for privacy breaches. The brand damage is very expensive. Facebook's market cap is down something like $100 billion; there's no way they could have made that kind of money from trying to quietly sell copies of their data.
There's an example that just happens to be the greatest knowledge platform ever built in world history. Wikipedia allows non real name contributions. Plainly next to that, Quora has no legitimate excuse for requiring real names to ensure quality. It's for one reason: $$$. They have to figure out how to reach a $3b valuation at some point so their VC owners can get a reasonable exit. It guarantees an inevitable disaster for a knowledge service. The conflict between quality and always needing more and more junk content to slap ads on and allowing for abusive business practices to reach for that fat exit for the VCs. And if you don't do it, they'll put someone in charge that will. Unless you can find another business model as Stack Exchange did, stay private & small/lean (so you don't have to try to pretend to be a $3b company when your business model will never legitimately get you beyond 1/20th that), or go the donation Wikipedia route.
Edit: I don't have any affiliate etc association with them.
Genuine question - not sarcasm. I would love to know how the attackers got in in the first place.
Usually when I hear about a breach, my first reaction is “yeah, I would have covered that from the start,” but if there’s something to be learned here, I’m all for it...
I worked at Quora, and totally unrelated, at my current company, had the opportunity to source and be point on multiple penetration tests. At my current company, I work with some people I consider extremely competent at SQL, and in particular PostgreSQL, but that didn't stop the pentesters from finding SQLi in our code. It sneaks in, and all it takes is one fuck up for a hacker to go to town.
I think that most startups don't understand the value of dropping 20-30k on an engagement with a competent pentest company, and this can propagate even longer into an org to the point that they never bother to get outside testing. Don't fall into that trap. Having a third-party with eyes on your org is worth every cent. If you run a startup or aspire to, I highly recommend you consider getting a pentest when you have ~5M ARR, and continue to do a yearly engagement to make sure your shit is covered until you can afford a full time security staff.
Many companies seem to use intentionally vague wording to suggest you might not have to worry.
Quora encrypted passwords instead of hashing them? FAIL.
Anyone remember the glory days of Facebook, when real names were "revolutionary" and all the rage? Quora followed that cargo cult (founded by Facebook people, after all) and the consequences of that choice are due today. We really need to introduce the concept of "expiring data" on the internet, personal or not. After a reasonable amount of inactivity, identities should be anonymized.
Just be a nihilist, guys.
I would love to punch the CTO of this company in the nose with passion.
Was it hashed AND encrypted or another case of people not understanding the difference?
"Ah, they were ENCRYPTED so I don't have to worry"
The truth is they are most likely already reversed.
To me it seems it's going the way of Yahoo Answers, if it already hasn't. It might be gaining some traction in developing countries but the ratio of signal:noise seems really low at this time, coupled with terrible UI.
I hope they mean hashed, not encrypted.
They can rightfully say "encrypted" to a lay audience because the definition of encrypted is not so strict as to require decryptability, but why would they say that the password might be exposed?
Would be nice if websites measured user activity and could 'lock out' or otherwise release their data if they never use the site; at least, confirm with said user via email if the account is needed.
But in this era, I'm sure companies would prefer to keep whatever data they can get.
However, in this case, there is no credit card information to muddle up or confuse a case. It's only a user's personal information--private messages, moderator requests, reports against other users--that has been compromised because they didn't collect credit card info. And there's an enforced "real names" policy that makes it identifiable.
I wonder if some had their details reset altogether? Either way, this looks like a major breach considering the value of people who have signed up with Quora.
And then this happens!
>"We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party."
"Some user data"
Then goes on to say:
>"For approximately 100 million Quora users, the following information may have been compromised:
> Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
> Public content and actions, e.g. questions, answers, comments, upvotes
> Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)"
Wouldn't this be closer to "all user data was compromised"?
It seems absurd for them to state "some user data was compromised." That seems like a pretty comprehensive list of user data. What else would there be?
This is a company that for years forced account sign up and obscured user generated content even for users who just wanted to browse unless you created an account. Seriously fuck Quora.
I think of it as something like a reverse password manager; instead of "here's a website, what's my data", it's "here's a bit of information about myself, who has it?"
It's a pain keeping that list updated but at this point I'm so hooked on being able to see my personal info leak out into the world bit by bit that the friction is worth it.
I'm still trying to figure out what I should do with the data I have on myself, if anyone has any suggestions.
[1] That situation seems sketchy seeing it written down like that, so just want to explain that it's because I moved to a different country (address, phone, credit cards) and away from gmail at the same time.
No, that's what made OpenID awful. Your accounts all go down if one of those "points of trust" gets taken down for whatever (or no) reason.
No details on the hashing scheme used though, so we don't really know how easy it'll be for the attacker to brute force the password hashes.
In a way this is a great example of why you shouldn't collect data willy-nilly.
I really really really hope we get some sort of a law where companies are seriously liable for data breaches.
US has a ton of tech companies but very little regulation that protects the customer.
Why is this so easy? Is it impossible for a well-funded company to keep its user information private? If so, can we act like it?
According to my trusted Password Safe (https://pwsafe.org/) I call about 400 accounts my own - each one with a unique random password.
I hope a lesson is learned: don't force users to register just because you can.
Even though I didn't explicitly set up an account, it seemed to have done it for me already. I just assumed it was one of those shitty content aggregation platforms like the sorts that steal all the posts from Stackoverflow and rebrand them.
How likely it is your password gets brute forced really depends on the hash function used. If it's md5... all but the strongest password could be broken. (though at least the passwords were salted). If they're using something like bcrypt with a work factor of 10+, it's a different story and only the weakest passwords are at serious risk.
The fact that details on the hashing scheme aren't shared makes me assume it's not great...
The first rule of Web 2.0 is still true: if you are not paying for the product you are the product.
I get that this is not their main business model, and that their customers that they bundle and sell consumer data to are more valuable. But end users, in this case, are still customers. They still pay money and get a service in return. Contrasted with e.g. Google services, it's a different scenario.
One new development is that you used to be able to get your invoices mailed via snail mail. Then that disappeared and you got your invoices mailed via email. Then that disappeared and now you have to create an account on some portal so that you can download your invoice. So that's one userid/password combo per business relationship or service that you use privately. Healthcare, HOA, insurance, payroll etc., every bloody two bit player requires you to log-in to their oh-so-secure service rather than that they send you your stuff. Which requires a ton of overhead and - sure enough - sooner or later they get hacked because by then the amount of data they hold on to is more valuable than their security could reasonably be expected to defend.
For example, the water company. I know the water bill is usually $50 or less, so I set the limit to $60/mo. As it turns out, they did get breached. I got an alert about someone who isn't the water company trying to hit the card for 80 cents. Most card runners use amounts under $1 because most credit card spending alerts have a $1 minimum. But privacy.com warned me, so I warned the water company, who was very thankful. Turns out their 3rd party provider had been breached and they were grateful for the alert too. Ended up saving a few thousand of my neighbors a lot of headache.
A few weeks ago I saw bitwarden finish their third party security audit and took the opportunity to jump. Couldn't be happier. Autofill fails less, the "copy password" menu works, the mobile experience isn't intentionally broken to sell an app, and export->import went without a hitch. Better, actually: it is the first time I have done an export/import and had the resulting data immediately work better in the second app. There's also the hope-springs-eternal factor of bitwarden giving me the option to host the sensitive stuff myself once I get off my butt and set up that server I've been meaning to for a while now.
If you're thinking about lastpass, save yourself the trouble and try bitwarden first. Or something else, but bitwarden has been good to me and lastpass, well, hasn't, to put it politely :)
I'm certain none of those 3rd-party connections are necessary and yet... like muscle-memory... devs continue to thoughtlessly invite tracking.
I'm using two personal domains to host my own email. One domain is purely for registration/junk purposes and it forwards *@junkemail.com -> junk@myemail.com.
The same server uses nextcloud for calendar/contacts/webdav
I use the password manager Enpass which can sync via webdav across my devices.
Everything selfhosted and emails/credit cards disposable
tos:
> You may use our Services only as permitted in these Terms, and you consent to our Privacy Policy at https://www.logmeininc.com/legal/privacy, which is incorporated by reference.
pp:
> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data to help us support the Services.
> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.
> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.
> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").
and
> Some specific examples of how we use the information:
> * Conduct research and analysis
> * Display content based upon your interests
> * Market services of our third-party business partners
and
> 4. Information Sharing
> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure and (d) as needed for legal purposes.
and
> Examples of how we may share information with service providers include:
> * Sending marketing communications
etc...
Single point of failure. Even if they claim they're "encrypted so that even THEY can see them", it's so easy to mess up encryption, it makes it a single point of failure.
I still share passwords between my devices though, but instead I use KeePass along with the Android app. For less critical passwords I let Chrome keep them; I _mostly_ trust Google, and non-critical passwords are exactly my level of trust of Google.
And I also trust Google to share my (encrypted) KeePass file with my devices. But now it's two points of failure: Someone would have to break into a private Google Drive, get my KeePass file, and break the KeePass encryption.
And I trust _both_ KeePass _and_ Google more than I trust LastPass to get security right.
The one thing that is cool, for items that don't have to ship in the mail, is the ability to use any name and address whatsoever with the merchant.
I always found Quora's use of dark patterns and baiting you in from search engines then blocking the content particularly egregious. Always made me surprised anyone held that site to such a high standing and I can only imagine it's because the advocates never knew how awful the experience was without an account.
I feel Pinterest is very similar in that way.
1. enable donations / tips / subscriptions to sites using a browser-native crypto wallet
2. use ZKP anonymity
This enables a publisher / subscriber business model of 'dollars without data'. Which should really be the Minimum Viable Product for a publisher.
PII data for marketing is the icing on the cake for publishers, but the bar is high (and getting higher) around sharing that, and many of us want to support sites, but don't want to go through N+1 payment gateways and digital identity forms just to read some content.
From this perspective I see Brave and BAT as enabling a very old model: I give you a quarter, you give me your newspaper. End of story.
Brave and BAT are attempting the same thing from a slightly different direction than we are--they are attempting to bring privacy to partially-decentralized apps; however, I don't think this will ultimately succeed--privacy is broken by the weakest link. As soon as you allow some connection to some server somewhere that's exfiltrating your interests, you now have advertisers lining up to buy that data and exfiltrate more. As far as I understand the "hybrid decentralized app" model, where DNS and web2.0 are allowed, you permit these weak links to exist.
If their systems get hacked and they have your snail mail address, they get your snail mail address as well. Email doesn't change that story.
Oh, and OAuth is a similar coping mechanism. You shouldn't need to log in to something to browse the web!
I felt validated when I received the email from Quora about the hack to a fake email address and addressing me by a fake name.
Hello! We will be moving to the new anonymity on Quora experience very soon. If you would like to edit or delete your existing anonymous content in the future, please provide your email here before March 20, 2017. You are receiving this message because we have not yet received an email from you. Please note that if you do not provide your email by March 20, 2017, you will need to contact us using our Contact Form and selecting “I need help with my account.”
Does this mean that every question or answer I’ve viewed is now in the hands of the attacker?
Your email address and hashed password being exposed is one thing. That information plus your search history is quite another.
My point is people do cargo cult everything. Could the service be BETTER without forcing the user to sign up? Inconceivable! Everyone knows you should force users to sign up.
It's annoying being on the other end of this: management deciding, for cost reasons, that snail mail is out and email is in.
Somebody else then worries about the risks of emailing documents that contain private information.
I think a case can be made that some kind of email token login is the simplest solution here: passwords only introduce another attack vector since you can usually reset them by email.
Are there more elegant solutions to this problem?
- what doesn’t get hacked? Isn’t life a continuous trade-off between risks and chances
- If you’re afraid you’ll expose private information, then just don’t use a platform like that?
- these platforms use user generated content, true. But they provide the platform and the product. I think that is a fair deal.
Today my information is probably leaked. Information I didn't want to give and that they threatened me for it.
Where is the apology, Quora? Of all the recent leaks this is the one that pisses me off the most, because it's the one that was forced onto me.
Most Quora users are hungry for answers and flood-request you to answer their question just because the system recommends them to do so. No matter how many times you pass, the system still keeps notifying you that "you are needed". Quora doesn't understand a no is a no.
IMHO -> There truly isn't any benefit in providing good answers on Quora, other than stroking your ego; might as well become a micro-influencer on Instagram.
Even worse most questions seem truly 1-Google search away and the answers are low-effort. Sure you do have some rare gems, and those are truly amazing to read. Alas, that's not often and spamming answers just for the sake of answering has become a reality.
The last time I checked, both my Python & Go open source text books get decent views from Quora & reddit, daily.
That's why I just deactivated it and didn't delete.
It's a valuable lesson in "don't keep data you don't need".
EDIT: A little backstory for non-Quorans. Until early 2017, anonymous Quora answers and comments were anonymous to the public but not actually anonymous in the database (they were still "your" entries). In early 2017 they (presciently) made all this content fully anonymous, even in the database.
> Is content posted anonymously still secure?
> Yes. Anonymous content cannot be connected to user accounts, so content posted anonymously is still secure.
Unfortunately, though, most companies operate under the "keep data you might eventually need" principle.
Quora is an intimate medium — tied to real names, real and often deep interests. It's especially bad that this happened.
There needs to be a better way to realign incentives in this ecosystem, otherwise this story will repeat.
The toughest ones here are my online banking and my online health portal, but other than that, I have gotten pretty picky about what information I give any company.
In addition, many questions remain open, for example: Which 'leading digital forensics and security firm' is working for Quora?
I hope for Quora that they met their 72-hour deadline according to the GDPR. Looking at https://www.quora.com/about/privacy, it does not look as if Quora was / is GDPR-ready. They do not mention any legal basis for the processing (art. 13 GDPR) and they do not inform about their GDPR data representative in the EU (art. 27 GDPR).
The email I got from Quora just says "encrypted" passwords, and while the blog post says "hashed", it doesn't say what algorithm. For all we know it could be something useless like MD5.
Or are they trying to adjust, and the attacks are getting so sophisticated that the pace of investment in counter-measures is below that of the pace of advancement in the complexity of attacks?
Or something in the middle?
Happily I get to once again bemoan the disappearance of JCSV, who was astounded that Quora was still a thing five years ago: http://jesuschristsiliconvalley-blog.tumblr.com/post/4896203...
https://help.quora.com/hc/en-us/articles/360020212652
What happened? - not answered in any detail
What kind of user data was affected? - answered!
How do I know if I was affected? - not answered
How was it brought to your attention? - not answered
How many Quora users are affected? - not answered
Quora is good about responding quickly, which should be appreciated. That the FAQ wasn't fully filled out was just because it was being filled out. I know this can be an awkward experience for someone who immediately sees and responds to the tech news, but a bulk of their users won't be that profile. They got the framework for response laid out immediately, and are working on the responses. This seems pretty solid.
> When did you first learn of the issue? How was it brought to your attention?
> We first learned of the issue on November 30. Upon learning about the issue, we immediately launched a comprehensive investigation and remediation effort.
There is absolutely nothing in there about how this was brought to Quora's attention. Did they see identities for sale on the dark net? Were they approached for a ransom? Did a user inform them? Nothing.
The other questions ditto.
- Account information available on the Ads Manager account settings page.
- The email address provided for notifications about your ad campaigns.
- Campaign structure and setup, including information like budgets, schedule, bids, targeting, and ad information.
- Notifications that were in your Ads Manager, such as ad paused, logo approved, and ad ready.
- Audience setup information available on the Ads Manager audience page such as types and creation date.
- Partial credit card information, including name, expiration date, and the last four digits of the credit card.
Having said that, this is pretty much a perfect response to the situation.
1. Quick turnaround from the breach to the announcement
2. Concise description of what happened
3. Owning the mistake
4. Update of their mitigation
5. Promise to follow up & actionable items
6. Additional technical detail for the more interested: https://help.quora.com/hc/en-us/articles/360020212652
It sucks that this happened, but for that alone I'd like to applaud the Quora team. Yes, it would've been great if they didn't have to force me to sign up in the first place. It would've been great if this breach had never happened. But for the context, they're handling the issue as well as possible.
Time for change. Time for intelligent heads to come together and think about what a better internet security architecture needs to look like.
Say your name, email address and social get leaked in one 500m user dump and your email, passport number and actual address in another. I've never worked with datasets on this scale, hence the ignorance.
Maybe it's possible for one person of interest, but how complicated would it be to match up everything?
---
Based on what we have learned, some of our users’ information has been exposed, including:
- Account information (e.g. name, email address, encrypted password, data imported from linked networks when authorized by users)
- Public content and actions (e.g. questions, answers, comments, upvotes)
- Non-public content and actions (e.g. answer requests, downvotes, direct messages)
Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.
---
What information was involved
The following information of yours may have been compromised:
- Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
- Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
- Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)
- Non-public actions, e.g. answer requests, downvotes, thanks
- Non-public content, e.g. direct messages, suggested edits
Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.
I don't want every site that I visit sending me an email every time I click on a Google result.
I hit that SPAM button as fast as I could.
Here's a crazy idea, circa 1990's: don't store their personal information! Allow people to browse Quora without using their real names. I'm very happy I deleted my Quora account when I did.
They are hiring people based on leet code questions and school prestige and not based on real technical knowledge about systems. Their business people are top school MBA grads with no security domain expertise. They then proceed to build massive data collection programs using open source tooling that none of them fully understand. Their business model depends on that data and monetizing it in various ways. And so the complexity of their application goes through the roof with regards to user data. Their user facing web apps are the tip of the iceberg for a massive surveillance scheme.
Isn't that true for almost all companies based in Silicon Valley?
There is something called the Cybersecurity Bipartisan Caucus in the US Senate.
I have found calling these senators (which I have never done before for any politician about anything) extraordinarily helpful and gratifying. I have even explained that I don't live in their state, and yet they still listen and clearly need the advice from good security/sysadmin people (like asking them why Facebook still doesn't have a CSP Security Header).
It was only 6 days ago that the "International Committee on Privacy", made up of Senators from countries around the globe, met in London to question Richard Allan, VP of Privacy at Facebook. Mark Zuckerberg rejected the request for his attendance.
[1] https://www.warner.senate.gov/public/index.cfm/cybersecurity
[2] https://www.parliament.uk/business/committees/committees-a-z...
- the linked article says the breach included hashed passwords, but makes no mention of salt
- the help page says they're forcing affected users to change their passwords
If the passwords were salted before being hashed and stored, then:
- Why not mention it, so users (especially those who don't use unique passwords on every site) know that it's not trivial for their password to be found?
- Why force people to change their passwords?
> the passwords were encrypted (hashed with a salt that varies for each user)
Looks like the article says the same thing.
encrypted password (hashed)
Now it says:
encrypted password (hashed using bcrypt with a salt that varies for each user)
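The two threads above (whether an MD5 hash or a bcrypt hash is behind the word "hashed", and why a per-user salt matters) can be shown concretely. The following is an added illustration, not code from Quora or from the linked article; it uses only the Python standard library, so PBKDF2-HMAC-SHA256 stands in for bcrypt as the "slow, per-user-salted" scheme, and the iteration count, salt length and passwords are constructed values, not anything Quora is known to use.

```python
"""Why "hashed" alone says little: unsalted fast hash vs. salted slow hash.
Added example; PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption, since
bcrypt is not in the stdlib). All passwords and parameters are constructed."""

import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Illustrative parameters (assumptions, not Quora's). In practice, tune the
# iteration count so one verification costs tens of milliseconds on your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def md5_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted digest. Identical passwords give identical
    hashes, so one cracked hash unlocks every account sharing that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Stronger scheme: random per-user salt plus a deliberately slow derivation.
    Returns a self-describing record 'iterations$salt_hex$digest_hex' so the
    work factor can be raised later without invalidating old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def salt_defeats_batch_cracking(password: str = "correct horse") -> dict:
    """Two users with the same (constructed) password: unsalted MD5 reveals the
    match and lets one crack serve both; salted PBKDF2 records differ, yet both
    still verify against the original password."""
    a, b = pbkdf2_hash(password), pbkdf2_hash(password)
    return {
        "md5_identical": md5_unsalted(password) == md5_unsalted(password),
        "pbkdf2_identical": a == b,
        "both_verify": pbkdf2_verify(password, a) and pbkdf2_verify(password, b),
    }


def guesses_per_second(hash_fn: Callable[[str], str], sample: int) -> float:
    """Single-threaded throughput of a guessing loop built on hash_fn. The ratio
    between the two schemes is the point, not the absolute numbers."""
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(f"guess-{i}")
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    print(salt_defeats_batch_cracking())
    fast = guesses_per_second(md5_unsalted, sample=20_000)
    slow = guesses_per_second(pbkdf2_hash, sample=10)
    print(f"md5: ~{fast:,.0f} guesses/s   pbkdf2: ~{slow:,.1f} guesses/s   "
          f"slowdown ~{fast / slow:,.0f}x")
```

The slowdown factor printed at the end is what the comment about "bcrypt with a work factor of 10+" is getting at: every extra doubling of the work factor halves how many candidates a leaked table can be tested against per second, while the per-user salt ensures that cost is paid once per user rather than once for the whole dump. A breach notice that names the algorithm and its work factor (as the updated wording finally does) is therefore genuinely more informative than "encrypted".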
Personally I'd pay to be able to stop getting snail mail. If it weren't for the one or two rare pieces of semi-important crap that show up, sent by dinosaurs that don't realize we aren't living in the 20th century anymore, I'd quit checking my physical mailbox once and for all. I mean, it's not like 99/100'ths of what comes in there isn't junk catalogs, fundraising letters from politicians I hate, sales flyers from stores I hate, bills that I pay online already, mail meant for the previous residents, etc. But unlike email spam, it actually costs me effort to scrape that garbage out of the box and haul it to the dumpster.
Blech. Personally, I want no part of it.
Would it be possible those logins are more secure?
I don't understand why you bothered arguing with them instead, I dunno, creating a new fake account?
Instead, I created a new email ID, gave a fake name, and registered with that. I gave up on the site soon anyway, but now I'm glad they forced me into registering with fake details.
Just search for anything like "what is an open source alternative to X" and the results will be a lot of people trying to justify why their Y paid option is a good solution for your problem.
These days the growth has masked all the good stuff with a layer of spam and general crap that’s hard to get past. Inevitable consequence of growing users but it has been managed poorly.
The state of personal data regulation in the US is abysmal. Unfortunately, if Cambridge Analytica wasn't enough to spur new regulation, I fear nothing will.
I deleted my account last year (got cold feet as I was using my real name and picture and people I know IRL had started to stumble across some of my answers) but I'm sure my data is probably involved in this breach somehow.
[0]not my actual user name, but something similar.
Never went back to that site.
Edit: Sorry if stupid question, but that would be throwing major red flags if I got such an email.
Feel better, don't you?
Because we will leak your data, but we won't bother designating a responsible spokesperson, be it security officer, cto, vp of engineering or principal architect. It will be the all nebulous quora team.
Now... if the emails were logged and in the exploited database, then all bets are off, but there's no indication that happened at all.
There are about a hundred other things about this that give me anxiety, but Quora is run by extremely competent people (engineering and otherwise), so I am pretty confident about their ability to be transparent and to know the extent of any issue.
This entire thing is really shitty for everyone involved, but given Quora's tenure (almost nine years!) that this is the first breach is pretty amazing, and that they've done so much work to make it less of a problem is great.
None of the above is meant to diminish the general dissatisfaction others are expressing here.
I feel that for every company that self-reports a leak, there are multiple other companies that have leaked your data and either haven't discovered the breach, refuse to disclose it, or flat out sold your data to the highest bidder.
The address I gave Quora isn't in the hands of spammers yet, which is a mildly good sign. But normally it takes a while for an address to get out to the bottom-feeders, so we'll see.
Can you go into detail on this? What exactly do you mean by tagging? Just wondering in case I want to do the same.
I especially like financial companies that have you login by using symantec VIP[1] which you append to your password. There's no way anyone thought that was a good idea. They did it that way because they had a worthless legacy authentication stack they couldn't rewrite, didn't understand 2FA well enough to implement it themselves, went with Symantec because "nobody ever got fired for contracting $importantfunction to $bigcompany", and the only way they could shoehorn any 2FA auth into their login flow was to concatenate it with the password.
[1] If you haven't had the pleasure of using it, it's a proprietary 2FA app that has a single seed per app install, shared between the app and symantec's database. It generates 6 digit codes that make it look similar to standard TOTP, but it's not TOTP. If you need to use it for multiple websites, you give them all the same seed hash (displayed by the app) which they use to synchronize your auth credentials with your account at symantec. IOW, it doesn't scale securely. There's also no way to have a backup 2FA device with this system; at least the two companies I've used it for haven't let me set up my account with two VIP apps on two different devices. Since normally you'll only have a single 2FA device using this Symantec VIP service, that means you have to go through a manual, insecure identity verification process to get back into your account if your one Symantec VIP device gets lost or broken.
https://mobile.abc.net.au/news/2018-12-03/commonwealth-bank-...
Oh yeah. Right...
It helped me find out a couple of local companies that are selling my data to spammers.
Anything that can go wrong, will go wrong [0]. Anything that isn't disallowed by quantum mechanics, will eventually happen [1].
So, if businesses made it cryptographically impossible to leak data, maybe it wouldn't happen, assuming it is even possible to make it impossible...
Of course, this model assumes that as soon as you have penetrated the perimeter, the rest becomes easy. This is the more traditional model. People are increasingly adopting a you-are-already-hacked approach, which makes it harder to move laterally once someone gets in. However, the general challenge still applies.
Once you understand how difficult attack mitigation is, then you can pick and choose from a variety of factors:
- executives may not have a realistic understanding of how difficult attack mitigation is so they don’t allocate the resources for hiring
- incompetent admins overestimating their abilities
- competent admins who are underfunded
- incompetent admins who underestimate the value of the data they’re protecting
- competent admins who may not have an accurate picture of what data they’re trying to protect so their threat model is flawed due to inaccurate information
- executives who are aware of how difficult mitigation is but don’t place customer data privacy as a priority.
- the current iteration of our growth obsessed corporate models unintentionally results in a race to the bottom in many ways.
- little incentive for companies to factor in social impacts as we don’t yet seem inclined to figure out a way to include impacts on society as one of the many metrics to measure a company’s success or failures.
It’s worth remembering though, even the most responsible, most well funded, most security conscious, and best staffed organizations have been compromised at one point or another—security is hard.
Offense needs only one hole, whereas defense needs to plug all of them, including human behaviors. When the offensive side finds a new attack, they can often try it and see which of the victims are vulnerable, thus the offense can pick and choose among many potential victims, whereas the defensive side needs to defend from all attackers. The information, once leaked, can't be recovered - i.e. once an exploit is successful, there's no "recovery" available.
All of those factors combined make defense orders of magnitude more difficult - in terms of careful attention to detail, in terms of manpower, in terms of human training and vigilance, etc. For those reasons, the best defensive strategy is to minimize the information you need to protect.
It’s not really a security issue as much as an incentive issue.
Luckily you can sign up for Quora with any name and email. You have to assume that no matter how hard a site tries to protect your info, it will get compromised sooner or later. The best they can do is what Quora does: demand as little info about you as they need.
In addition to that, attackers only have to get lucky once, the defenders have to check every entryway.
Would be nice to have privacy.com more widely available.
You can have up to 5 non-disposable virtual cards.
Fonts and other stuff from google and facebook is just a small piece of the puzzle.
https://thehackernews.com/2017/02/password-manager-apps.html
You don't have the time to:
- audit the source code
- check every auto-update hash matches the main hash list "just in case" you get a special update just for you
If you turn off auto-update, you will eventually get hacked because of bitrot
It would be nice to have some kind of communication protocol that could be provably restricted from passing whatever the company wants.
Password reset is a noisy, active attack compared to eavesdropping somewhere in the path of an email.
Right now there is relatively little liability in gathering personal data about customers but huge benefits to doing so. I believe that there should be regulation governing punishments and protections for consumers whose data may be compromised or mishandled by corporate entities.
As it stands right now a company can leak personal data from their customers and face very few consequences. Rather, the negative consequences of customer data leaks are felt by the customer rather than the corporation that mishandles their data. This is a similar externality-effect as pollution, where a bad actor's malfeasance generates a larger negative impact than what is directly borne by the bad actor itself.
We could discuss whether or not NextDoor has a legitimate use for personal identification data, but that's a tangential discussion. My point was supposed to be that any firm that gathers personal data should be assuming a greater amount of liability than they currently are.
starts removing module cards
It’s all good though. Knowing I helped thousands of my neighbors is compensation enough. Besides, if they gave me a credit, they’d have to hike everyone’s bill to compensate!
I know I'm a cynic, but it takes all sorts of people.
It had amazing content in the early days and still has great answers but the sheer number of nonsensical or slightly tweaked but endlessly repeated questions is driving away writers. Paying people to post these questions is just backwards.
We stopped using sites built by amateurs in their spare time and demanded "beautiful user experiences" that we didn't pay anything for. That costs money, so people who wanted to solve that "pain" looked for business models that meant they could deliver what people want without charging directly. Hence we have an Internet driven by advertising and privacy violation.
We didn't demand shit. We only chose from what was available. People trying to make money on-line have, over time, perfected both the design and the business models. At every step of the way, we had a choice between the status quo and this new service that's prettier and offers more, for free, with a user-hostile monetization scheme that wasn't immediately apparent. Step by step, we've been had, like the frog in the boiling frog fable.
This model doesn't seem bad, advertising without tracking.
It seems to be popular with scammers and they have taken over.
Firstly, this post is signed by Adam D'Angelo, the CEO and co-founder. If you had opened the link you wouldn't even have had to scroll down, it's literally on the second line, right after the headline. So clearly Quora doesn't do what you've accused them of doing.
Secondly, what good does crucifying one person do? I'm sure if they had written it such that one person was responsible for everything, a similar comment would have been written - "why make one person the scapegoat? The entire team should take responsibility!!"
I don't know anything about your experience working in software, but when there's a fuck up like this, it doesn't do any good to pin the blame on one person. You figure out where your systems failed, and fix the system after conducting a blame free review. If you start pointing fingers within the team, you'll never get anything fixed.
But still, it is not about finger pointing and blaming one individual. It is about a spokesperson for the public.
The guarantee that things will improve. Someone who will handle announcements and communications with the public and will vouch using their real name and reputation that things will improve. Someone who will explain what went wrong and what actions are taken to ensure this does not happen again. Employee training in place? Tiered access to data and information for employees. Stricter policies, eg you can't take a database backup home? etc etc.
Again, no crucifixion required, but pinning an identity can be good, because you know that there is someone, and who that someone is, that puts all their energy into fixing this mess.
Think of someone like Stamos at facebook. I don't know if his contribution in the end was a net positive or not, but it is good to know that there is someone that is focused on the issue.
If you have a CEO they get paid more (supposedly) because they take on responsibilities. So, the buck should stop with the highest ranked officer who has responsibility (eg signs off payments/work) in that area.
If you don't assign blame, you can never improve your team, as there's no feedback. Assigning blame might mean retraining, it doesn't have to mean sacking (but could).
The TV should display (or maybe email) a link that I would visit with my primary web browser and grant it permissions - or ask for a password as a very last resort for users who have no computer/phone but somehow have Netflix.
Of course, when you only have one logged in device and it's tied to a different room, it's mildly irritating, but you only do it once.
In both cases once there's physical compromise, if they have the "master" password you're screwed?
I presume they use clipboards for the pasting, or do typing that could be captured by a keylogger.
Privacy is a game changer for online transaction security imo. An additional benefit is the ability to subscribe to "try free for a month but oh wait we need your credit card info first so when you forget to cancel we'll keep charging you". Simply create a virtual card with single time spend limit $1 less than the monthly subscription charge, and you can rest assured that your one month trial is a one month trial.
Because then you can get one from transferwise.
I also use it with sites I don't necessarily trust, like a random auto parts store. If it were a tad easier to use, I'd use it for nearly everything.
With the premium cards on top of other perks there’s also Disposable Cards which creates a virtual card for every transaction you want and as soon as that card gets used, it’ll destroy it and create one brand new.
For separating limits you can create multiple virtual cards each with limits once met will freeze the card.
In addition to that, for my really critical "gatekeeper" accounts, I don't put the full password in the database. Just a reminder that this is a "special" password, which needs to be combined with another bit of info in order to work.
I just live with the fact that I can't use this system on my phone, and for my usage patterns, that's fine. There's nothing I need to do that's so urgent that it can't wait until I'm back in front of my computer.
I can't trust a website to keep all my passwords.
https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vi...
In order to use Payment Services, you must be at least 18 years old. You confirm that you are either a legal resident of the United States, a United States citizen or a business entity authorized to conduct business by the state(s) in which you operate and that you are an authorized signatory for the business you represent.
I am sorry but this is #ShitHackerNewsSays worthy. Let me fix it for you
>given Equifax's tenure (almost 119 years! Since 1899) that this is the first breach is pretty amazing
Better now? Downvote me if you want, but there are no pats on the back for having PII leaks, no matter the years.
Another set of 5 data breaches at Equifax dating back to 2013 (some but not all of these overlap with the Wikipedia reference) (https://www.forbes.com/sites/thomasbrewster/2017/09/08/equif...)
I would not be surprised if Equifax has been "breached" more than a hundred times over its history. Do your research.
I've received recruiter spam to "<my_email>+fuckyouadobe@gmail.com". Turns out when I was forced to sign up for an Adobe account years ago I'd added "+fuckyouadobe" to my email and, of course, Adobe was inevitably hacked. The leaked database had somehow made its way into recruiter software. The recruiter told me their vendor and when I got in touch with them (Aevy.com) they, of course, had no idea how that email got there.
Sadly these days people are probably smart enough to strip out these additions to gmail addresses. I would guess that's what Aevy did after I reached out...
Although many services are getting wise to many of these services and not letting you sign up with their domains.
John.smith@gmail.com
Johnsmith+quora@gmail.com
Johnsmith+equifax@gmail.com Etc...
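The per-site tagging described above, as an added example that is not part of any comment here: it builds a tagged address per site, attributes an unexpected message back to the site that received that tag, and also shows the normalization a data broker can apply (dropping the tag and, for Gmail, the dots) that the earlier reply mentions as the technique's limitation. The sample headers are constructed.

```python
import re
from typing import Dict, Optional

# Sample "To:" header values, constructed for this example.
SAMPLE_TO_HEADERS = [
    "John.Smith+quora@gmail.com",
    "john.smith+equifax@gmail.com",
    "john.smith@gmail.com",            # no tag: nothing to attribute
    "John.Smith+quora@gmail.com",      # duplicate hit for the same tag
]


def tagged_address(base: str, site: str) -> str:
    """john.smith@gmail.com + 'quora' -> john.smith+quora@gmail.com."""
    local, domain = base.split("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", site.lower())
    return f"{local}+{tag}@{domain}"


def extract_tag(address: str) -> Optional[str]:
    """Return the +tag from a received address, or None if it has none."""
    m = re.match(r"^[^+@]+\+([^@]+)@", address.strip())
    return m.group(1).lower() if m else None


def canonicalize_gmail(address: str) -> str:
    """What a list cleaner can do to defeat tagging: drop +tag and, because
    Gmail ignores dots in the local part, drop the dots too."""
    local, domain = address.strip().lower().split("@", 1)
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def attribute_leaks(to_headers, base: str) -> Dict[str, int]:
    """Count unexpected mail per site tag, so you know whose copy of your
    address is circulating. Only addresses matching your own base count."""
    counts: Dict[str, int] = {}
    mine = canonicalize_gmail(base)
    for hdr in to_headers:
        if canonicalize_gmail(hdr) != mine:
            continue  # someone else's address, not evidence about you
        tag = extract_tag(hdr)
        if tag:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    print(tagged_address("john.smith@gmail.com", "Quora"))
    print(attribute_leaks(SAMPLE_TO_HEADERS, "john.smith@gmail.com"))
```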
Well, there's the obvious comfort of having all your mail in one place -- and all the obvious disadvantages that entails, I suppose.
[1]: https://www.bankofamerica.com/privacy/accounts-cards/shopsaf...
[2]: http://www.citibank.com/transactionservices/home/card_soluti...
I assume it's because the whole industry prefers data-brokering your purchase history, joined on credit-card # to establish identity.
The virtual cards don't have separate spending limits, though, so it is not quite as good as BofA or Citi for use with questionable sites.
OTOH I do care about my name, address, and other PII being stolen. That is where privacy.com is a help. But not because it protects me from CC loss.
Our federal government is beholden to corporations, so I don't see any legislation ever happening to punish nor place a regulatory significance on breaches.
If the Equifax debacle didn't move the needle, nothing will. How they didn't get a death penalty for not protecting one of the supports of our financial system I will never know.
As the parent said, I've just assumed all my data will be breached eventually. When it occurs I dutifully sign up for the monitoring offered and make sure to review things on a monthly basis.
Your comment on breach notification is spot on. WISH.COM has suffered down line breaches in their process and it is easy to prove by the use of virtual credit card numbers ... numbers that are generated and used at only one site. They have been silent when it is reported to them.
and then the monitoring company gets breached.
I don't give any real info besides my first name to any site that doesn't have a legitimate reason to need it. If they force me to confirm an email address, depending on the site, I may use one of my main emails, or may go generate a disposable address.
As a counterexample, it seems that Newegg had a massive breach (thieves installed JavaScript that skimmed credit card numbers for weeks) in August, and even though my credit card was likely stolen, I never heard about it from Newegg.
I know FB & Google purchase something like that from one or two credit card companies, so I wouldn't be surprised if merchants were in to it too.
I tried to switch to pass, and I'm not sure if it was something to do with how I imported, but it didn't list my passwords and the browser plugin was clunky and didn't work. Anyone had success with pass/gopass?
Bitwarden seems like a happy Medium, I'd rather not do my password ops. The pricing seems fair (and rather optional). I'll try it, thanks.
I like the model a lot, because it solves the "database ownership" issue, where your Password provider (be it LastPass, 1Password, etc) becomes in itself a weak link.
The worst thing that happens to me is if I generate a password, and then Lastpass doesn't save it! It feels like a 50% shot it will actually save the generated password.
I have nearly 1000 passwords stored in it now, so it's going to be a huge pain to migrate.
If you load the same site using "load desktop site" the UI gets fixed.
Also that site looks like it should be selling something but I see no money hole - should I be worried?
This is kind of yikes for a password manager too: https://github.com/bitwarden/core/issues/399
But it's also pretty much the only polished open source password manager there is out there.
For now I'll be sticking with 1password, but might check out bitwarden again once they have tests and more maturity as a password manager.
We have a tendency to compare opaque with transparent and balk at what we find, but I question what you would feel if you could see through the opaque.
Very happy with 1PasswordX (the browser-only version) - filling is much better, copy is supported out of the box, support have been very helpful when I've reached out. Much better customer experience.
However. Still can't uninstall 1Password. Haven't figured out where to store notes (meta) in Keychain. Stuff like "Name of your first pet?".
[0] https://www.passwordstore.org/ [1] https://github.com/passff/passff#readme
I would like to also recommend the Firefox extension 'Kee' for autofill. On Android there is the 'Keepass2Android' app. Both are open source and work well.
I also recommend the KeePass plugin 'Yet Another Favicon Downloader'. It downloads favicons from websites for your password entries.
Also 'Keebuntu' is a plugin that makes 'minimize to tray icon' work for me on Linux.
I've used both extensively and Bitwarden is such a dramatically higher-quality app that it's not even funny.
(Not that this whole thread hasn't had me re-evaluating whether there's a better solution for me now.)
I run a unique password for every site so it doesn't matter if a provider gets rumbled, and I don't reuse passwords or have to remember multiple ones.
The form autofill is pretty awful compared to Lastpass, but I can live with that.
Is anyone aware of a technical reason that copy to clipboard is absent in Firefox, or is just laziness? If laziness, I'll dump them tomorrow.
I will give Bitwarden a try.
Do you access kbdx files on mobile devices? If so, what do you use?
The biggest problem with MiniKeePass, in my opinion, is that it doesn't support the new iOS autofill API and that it doesn't support even basic syncing. You always have to make a manual copy of the database file and you can't really create logins on mobile because of that.
There's a fork of MiniKeePass called KeePass Touch, but they don't publicly host the source code anywhere. You have to email them to ask for a copy of the source code, which is technically GPL-compliant, but a bit annoying.
And if you look at their jobs page, one of the job description points is "Create unit tests for existing code to run faster and more reliably.": https://1password.com/jobs/droid-builder/
They might even have a few QA people AFAIK!
I understand why the single founder / engineer of bitwarden doesn't have tests. When you're a startup not writing tests can speed you up significantly. But after a certain point they are going to need automated testing, especially for something as vital as this.
For me, the lack of open source in 1p has been a sticking point, and I was planning to migrate after the audit. But seeing no tests, 1p documenting their security model and bitwarden not being good enough compared to 1p in UI has me sticking to 1p for now. I have high hopes that bitwarden will get to that maturity point one day.
I switched over about a week ago and find it pretty solid, but it's missing a lot of the quality of life features that last pass had. You can't just hit command + c whilst on an entry and have it copy the password, they haven't implemented the new ios 12 features that make password managers much better on ios.
I'm running them both right now as I'm not fully committed to the switch over, but I'll see how the features get added over time.
I switched to 1password which - at least at the time - offered a web-based fallback hosted from your own dropbox. Plus at the time you owned the data and were responsible for storing and syncing it. Dropbox support came out of the box but if you want you can use a local file.
On the Mac, KeePass now feels like a better experience than having to pay a subscription for 1password.
I used to be a 1password user, but they were pushing their premium, cloud-based offering a lot and lacked Yubikey support so I switched away.