Gregory's Server@pjohanneson @dko @thomasfuchs have you been to haveibeenpwned lately? The only thing that distinguishes this from a typical day on the internet is that it has the word dna in it and they didn’t even get hacked. Going to save up my outrage ..
|
10 comments
@dko @thomasfuchs @pjohanneson same reason your bank is still using sms for 2fa. people get upset if you force them to do it the right way. and they get outraged if you don’t. This would be the perfect setup for #GWAS on #password and #2fa hygiene  @dplattsf @thomasfuchs @pjohanneson again, who are you arguing for here? companies with shitty policies? companies that leak DNA data? why are you just naming bad practices as if they justify more bad practices? "bad things have happened and unconcerned people are responsible" is not a defense for bad engineering that endangers your users. @dko @thomasfuchs @pjohanneson just trying to understand the outrage and indignation here - again they’re well within the norm for orgs and they also didn’t get any of their systems breached so saying they were hacked is misinformation. They have normal users doing normal bad things. but it’s dna so .. .. .. must be so much worse ? People need recalibration. @dko @dplattsf @thomasfuchs @pjohanneson I work in this field. It was a credential stuffing attack. Google that. There wasn't much they could have done about it. However, Everything they've done after the fact has revealed them to be the shitty corporation that most corporations eventually reveal themselves to be. It's a breach, but not like a breach where there were default creds exposed on the internet (equifax) or some idiot (LastPass). @BigMcLargeHuge @dko @dplattsf @thomasfuchs @pjohanneson You work in what field? There absolutely are many very effective ways to make sure your idiot users do not choose bad passwords. You could for example make them accept an autogenerated one, enforce some sort of second check - perhaps you are familiar with when you get a pin sent to you on your phone? We can already tell their users are people who do not care about their own or their families privacy and so probably warrant extra checks. @dplattsf @dko @thomasfuchs @pjohanneson the bank is using 2fa though, and given the sensitivity of the data, I would think even doing shitty 2fa would have helped. @dko @dplattsf @pjohanneson @thomasfuchs If they cared about their users data, they would have implemented MFA to minimise 'weakest link' vector.  @dko @dplattsf @pjohanneson @thomasfuchs even the basic email challenge 2fa they use now protects users plenty more than they were before |
@dplattsf @pjohanneson @thomasfuchs "People get breached" is not a good argument against getting breached.
And speaking of Troy's site, why didn't 23andme disallow the top 1000 passwords from HIBP or at least rockyou?
why didn't they disallow tons of requests probing passwords?
why didn't they require 2fa?
any of these would likely have prevented this. all of them together would almost certainly have.
who are you helping here? a company that just made millions of people's genomes public with their indefensible policies?
@dplattsf @pjohanneson @thomasfuchs "People get breached" is not a good argument against getting breached.
And speaking of Troy's site, why didn't 23andme disallow the top 1000 passwords from HIBP or at least rockyou?
why didn't they disallow tons of requests probing passwords?
why didn't they require 2fa?