Alexander The 1st

@dplattsf @pjohanneson @thomasfuchs You don't have sequenced DNA lying around all the time.

And MFA is such a standard guard against credential stuffing that it's a pretty terrifying idea that instead of attempting to use that... they're trying to TOS their way out of liability.

11 comments
Alexander The 1st

@dplattsf @pjohanneson @thomasfuchs Also, while 14K accounts were accessed by credential stuffing...that led to them leaking 5.5 million users' information via linked data.

Which meant for every credential stuffed, they made a system that allowed that user to steal ~392 users' information.
Whose accounts did they steal to be able to get that much information from the accounts? Continental Administrator Privileges? Prince Charming? Or some guy who was donating to the sperm bank as a full time job?

Darren

@AT1ST @thomasfuchs @pjohanneson Users share pretty widely and that doesn't feel like something sinister they did. People enjoy interacting and learning about relatedness. Feels healthy to me.

Jason Hunter

@AT1ST @dplattsf @pjohanneson @thomasfuchs It’s overblown. On the site I can see lots of DNA relatives and a very tiny bit about them, for those relatives who opted in to letting strangers like me see them appear in that list. If one of my unknown relatives reused passwords, then someone who I don’t know could use the credentials of the relative I don’t know to see a little bit about me.

Don’t reuse passwords.

Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs Here's the thing - the information a relative can learn about another relative, to a stranger, is pretty powerful stuff.

Could I, hypothetically, learn your mother's maiden name by logging in as one of your DNA relatives, or a stranger's account that was credential stuffed and could see that relative?

Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs (Because I'll note, while I'm pretty sure this is no longer a valid security question in most contexts, that would be information enough to go from "I know this unrelated person's password and username" to "I don't need to know this other person's password, because I know their username, and I can try to reset it instead of breaking it."

Or they can do that with your birthday, etc.)

Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs Which is a long way of saying:

TL;DR: don't overshare your information with strangers, and enable MFA already on anything you can't afford to lose.

Jason Hunter replied to Alexander The 1st

@AT1ST @dplattsf @pjohanneson @thomasfuchs Good points. The fact a mother’s maiden name is considered a security secret is crazy. Birthdays too. (But to be safe, I get my Facebook birthday greetings on the wrong day. Everyone should have a real birthday and a social media public birthday.) 🎂

Alexander The 1st replied to Jason

@hunterhacker @dplattsf @pjohanneson @thomasfuchs I mean, part of what likely made one's mother's maiden name a go-to security question is that historically, at least among British/American/Canadian/German culture that I'm aware of, it's effectively destructing information; like DRM, it became harder and harder to find documentation on what it was, especially if you weren't part of the family in question...which still has the name.

What's made it less secure is making it more easily traceable -

Alexander The 1st replied to Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs - not that that's a bad thing, it just...removes the "Something only you or people who have authorization to use your bank account information would likely know." property.

Alexander The 1st replied to Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs (Though that reminds me of how SINs are social insurance numbers...used to identify you. It wasn't intended to be used that way, but...people did, because it effectively had that same property. "Who else but yourself and people who are authorized to act on your behalf are going to actually memorize that string of numbers?", effectively.)

Alexander The 1st replied to Jason

@hunterhacker @dplattsf @pjohanneson @thomasfuchs (On that note, I once put a joke answer as an answer to a security question...and then regretted it when I needed to return the joke answer to the question to the one party that I needed to give it to, because I instead kept giving them the non-joke answer...before realizing "Oh right; you're the people I gave an incorrect answer to that question, my bad, it's this other thing because of this other thing."

I may have repeated that since then.)
