Little Pig, Little Pig! Let Me Admin! (Security Thread)

User avatar
Thad
Posts: 5579
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue
Contact:

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Mon Aug 10, 2015 1:41 pm

Periodic reminder: if your phone has a fingerprint unlock function, don't use it.

User avatar
Büge
Posts: 2512
Joined: Mon Jan 20, 2014 6:56 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Büge » Wed Aug 19, 2015 10:46 am

Mongrel wrote:So the Ashley Madison data breach. It's something hilarious right now, but which will almost certainly take a pretty dark turn later. They've already started to release bits of data in a classic "We'll kill these hostages one by one until you accede to our demands" strategy, so I'm surprised there hasn't been any fallout from that as it is.

Wonder if it really will break the company, one way or another?


Well, the hackers just released the data, so I guess we'll find out, won't we?

User avatar
Lyrai
Posts: 515
Joined: Mon Jan 20, 2014 5:34 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Lyrai » Thu Aug 20, 2015 1:11 am

Josh Duggar, Sir Molest-a-Lot, had two paid accounts. Paid close to a grand to use the site.

User avatar
Sharkey
Posts: 619
Joined: Mon Jan 20, 2014 6:11 pm
Location: Send Lawyers, Guns and Money
Contact:

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Sharkey » Thu Aug 20, 2015 3:51 am

So he's not just an incestuous pedophile who promotes a death worshiping apocalyptic cult for ritual cannibals and campaigns against civil rights, but he also cheats on his wife? You know, I'm starting to think this guy might be an asshole.
Image

User avatar
pacobird
Posts: 487
Joined: Wed Jan 22, 2014 5:25 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby pacobird » Thu Aug 20, 2015 10:37 pm

we should all congratulate him on trying to bang women of consenting age to whom he is not related by blood

presumably
Image

User avatar
Thad
Posts: 5579
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue
Contact:

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Aug 26, 2015 2:13 pm

Say one thing about Ashley Madison: however much they fucked up on protecting their customers' data, they at least knew how to encrypt passwords the right way.

User avatar
beatbandito
Posts: 1565
Joined: Tue Jan 21, 2014 8:04 am

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby beatbandito » Wed Aug 26, 2015 3:29 pm

Of course Ashley Madison has a userbase of people that name their kids 'Hunter' and 'Harley'.
Image

User avatar
Mongrel
Posts: 8821
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Thu Aug 27, 2015 10:31 am

It turns out that so few real women were using Ashley Madison, that active accounts held by females amounts to less than a rounding error

Might actually be better in the gender thread, but I figured it would be better to keep all the AM stuff together in case of a threadsplit.
Image

User avatar
Thad
Posts: 5579
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue
Contact:

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Fri Aug 28, 2015 1:48 am

Ashley Madison owners issuing DMCA takedowns to sites that publish the leaked information; apparently understand copyright about as well as they understand data security.

User avatar
Mongrel
Posts: 8821
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Sun Aug 30, 2015 8:17 pm

Image

User avatar
sei
Posts: 934
Joined: Mon Jan 20, 2014 6:29 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby sei » Wed Sep 02, 2015 4:02 pm

Thad wrote:Ashley Madison owners issuing DMCA takedowns to sites that publish the leaked information; apparently understand copyright about as well as they understand data security.

Using bcrypt put them heads and shoulders above the shit we hear about places like Sony.

Anyway.

https://haveibeenpwned.com/PwnedWebsites
Image

User avatar
Thad
Posts: 5579
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue
Contact:

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Sep 02, 2015 10:43 pm

sei wrote:Using bcrypt put them heads and shoulders above the shit we hear about places like Sony.


That's a low bar, both because Sony is terrible and because Sony's security requirements are -- short of trade secrets and unreleased films -- lower than a site like Ashley Madison's.

For most sites, protecting users' names is somewhat important, passwords is more important, credit card numbers more important than that. But a site like Ashley Madison, by its nature, should treat its customers' names as sensitive data.

I mean, assuming people who signed up to cheat on their wives deserve to have their privacy respected.

User avatar
Mongrel
Posts: 8821
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Wed Sep 09, 2015 12:27 pm

The US government is currently pursuing a court case to see if it can compel US-owned companies (in this case, Microsoft) to provide data held in foreign data centres.

What this would boil down to is that there would be no legal protections for foreign customers using US-owned cloud data storage. This is huge stuff - we're talking about the integrity of stuff like Gmail, Hotmail, and other core Internet commercial data services or services that incorporate data storage in any way.

We may be looking at a Pyrrhic victory on a grand scale for the US Government on this one. Microsoft has lost twice on appeal and has even dared contempt of court charges on this, so crucial is victory to their data and cloud business, $8 billion, according to the article. And that's just Microsoft.

To say nothing of how other countries would feel about having their sovereignty regularly casually violated.
Image

User avatar
Thad
Posts: 5579
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue
Contact:

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Sep 09, 2015 2:26 pm

Mongrel wrote:What this would boil down to is that there would be no legal protections for foreign customers using US-owned cloud data storage. This is huge stuff - we're talking about the integrity of stuff like Gmail, Hotmail, and other core Internet commercial data services or services that incorporate data storage in any way.


I'm not sure how Gmail and Hotmail play into it, to be honest; the E-Mail protocol stack is completely broken. The US government doesn't need compliant hosting companies to snoop E-Mail; your shit's already being sent in cleartext, and there's a good possibility that your password is too.

(There are exceptions -- if I'm not mistaken E-Mails sent from a Gmail address to another Gmail address are encrypted by default -- but that's a pretty small slice of E-Mail traffic.)

Short of setting up a cumbersome client-side encryption mechanism, and having your recipient do the same, you're honestly more secure sending E-Mail through Facebook than through SMTP.

Mongrel wrote:We may be looking at a Pyrrhic victory on a grand scale for the US Government on this one. Microsoft has lost twice on appeal and has even dared contempt of court charges on this, so crucial is victory to their data and cloud business, $8 billion, according to the article. And that's just Microsoft.

To say nothing of how other countries would feel about having their sovereignty regularly casually violated.


There are easy technical solutions to this problem -- don't store any data you don't have to, encrypt all data that you do have to, so that only the end user can access it and even you yourself can't -- but they're directly at odds with these companies' current business model. Lots of politicians have been squawking about Apple and Google setting their phones to encrypt data by default, but while Google may encrypt the local data on a device, it's never going to encrypt your search data in a way that it doesn't hold the keys to, because it would have to find a new line of work.

Firefox is trying to reinvent itself as the browser that protects your privacy. It'll be interesting to see how many companies try to go that route in the next few years.

User avatar
Mongrel
Posts: 8821
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Wed Sep 09, 2015 3:13 pm

Thad wrote:I'm not sure how Gmail and Hotmail play into it, to be honest; the E-Mail protocol stack is completely broken. The US government doesn't need compliant hosting companies to snoop E-Mail; your shit's already being sent in cleartext, and there's a good possibility that your password is too.

(There are exceptions -- if I'm not mistaken E-Mails sent from a Gmail address to another Gmail address are encrypted by default -- but that's a pretty small slice of E-Mail traffic.)

Short of setting up a cumbersome client-side encryption mechanism, and having your recipient do the same, you're honestly more secure sending E-Mail through Facebook than through SMTP.

You're thinking like a logical IT professional. Anyone with half a brain knows email isn't secure for a whole host of reasons. This article is more about business impact, which is where things like nominal legal status and perception matter more, at least in this case anyway.

The idea that the US government can look at your emails any time it wants won't make much of a difference to criminals or people already engaged in questionable shit, but it will make a difference to the average person or foreign business who could get really uncomfortable with that notion. Microsoft doesn't care about losing the business of a relative handful of experienced criminals, but it certainly cares a whole lot about losing huge chunks of their regular foreign userbase.
Image

User avatar
Thad
Posts: 5579
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue
Contact:

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Sep 09, 2015 3:28 pm

Mongrel wrote:This article is more about business impact, which is where things like nominal legal status and perception matter more, at least in this case anyway.


Nominal legal status is that if the government can get a warrant, it doesn't need Microsoft's permission to snoop your E-Mail. It may not even need the warrant.

Mongrel wrote:The idea that the US government can look at your emails any time it wants [...] will make a difference to the average person


The past two years since the Snowden leaks say otherwise.

User avatar
Mongrel
Posts: 8821
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Wed Sep 09, 2015 3:35 pm

Thad wrote:Nominal legal status is that if the government can get a warrant, it doesn't need Microsoft's permission to snoop your E-Mail. It may not even need the warrant.

Domestically.

The past two years since the Snowden leaks say otherwise.

I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.

Google, Microsoft and a host of other major businesses seem to see this as a real, even existential, threat. The response might not necessarily be for a mass panicked migration the day after SCOTUS hands down a ruling, but I wouldn't just glibly dismiss their fears offhand. The damage could be as simple as foreign business customers migrating due to a fear of potential liability issues in their home countries.
Image

User avatar
Thad
Posts: 5579
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue
Contact:

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Sep 09, 2015 4:42 pm

Mongrel wrote:
Thad wrote:Nominal legal status is that if the government can get a warrant, it doesn't need Microsoft's permission to snoop your E-Mail. It may not even need the warrant.

Domestically.


Huh? You seem to be suggesting that domestic surveillance is less restricted than foreign surveillance, which is...pretty much the opposite of every legal justification that's ever been made for every wiretapping program of the last 15 years.

Mongrel wrote:I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.


If you think the "Well, I don't have anything to hide" rationalization only applies to foreign surveillance, well, again, that sounds an awful lot like you haven't been paying attention for the past 15 years.

Mongrel wrote:Google, Microsoft and a host of other major businesses seem to see this as a real, even existential, threat. The response might not necessarily be for a mass panicked migration the day after SCOTUS hands down a ruling, but I wouldn't just glibly dismiss their fears offhand.


I'm doing no such thing, and I can't imagine how you'd think I don't object to the US government having carte blanche access to customers' private data.

I just think E-Mail is a pretty small piece to fixate on. Yes, this case is about access to an E-Mail account, but do you really think that's all it's about?

Mongrel wrote:The damage could be as simple as foreign business customers migrating due to a fear of potential liability issues in their home countries.


It's already happening -- hell, Germany is trying to build its own private Internet.

The foreign policy and foreign trade ramifications of the US government's spying apparatus are not lost on me. All I'm saying is, if a bad actor wants your E-Mails, it's already got them.

I suspect that's true in this case, too, that the government doesn't really need MS's cooperation to get what it wants, and probably doesn't even need MS's cooperation for the information it's already gathered to be admissible in court. I think DoJ is just covering its bases.

User avatar
Grath
Posts: 1408
Joined: Mon Jan 20, 2014 7:34 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Grath » Wed Sep 09, 2015 6:16 pm

Thad wrote:
Mongrel wrote:I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.


If you think the "Well, I don't have anything to hide" rationalization only applies to foreign surveillance, well, again, that sounds an awful lot like you haven't been paying attention for the past 15 years.

This is when I remind everyone that via me you're all two hops from a suspected terrorist and the NSA is presumably watching everything we do, right?

User avatar
Mongrel
Posts: 8821
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Wed Sep 09, 2015 6:53 pm

Thad wrote:
Mongrel wrote:
Thad wrote:Nominal legal status is that if the government can get a warrant, it doesn't need Microsoft's permission to snoop your E-Mail. It may not even need the warrant.

Domestically.


Huh? You seem to be suggesting that domestic surveillance is less restricted than foreign surveillance, which is...pretty much the opposite of every legal justification that's ever been made for every wiretapping program of the last 15 years.

Mongrel wrote:I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.


If you think the "Well, I don't have anything to hide" rationalization only applies to foreign surveillance, well, again, that sounds an awful lot like you haven't been paying attention for the past 15 years.

Mongrel wrote:Google, Microsoft and a host of other major businesses seem to see this as a real, even existential, threat. The response might not necessarily be for a mass panicked migration the day after SCOTUS hands down a ruling, but I wouldn't just glibly dismiss their fears offhand.


I'm doing no such thing, and I can't imagine how you'd think I don't object to the US government having carte blanche access to customers' private data.

I just think E-Mail is a pretty small piece to fixate on. Yes, this case is about access to an E-Mail account, but do you really think that's all it's about?

Mongrel wrote:The damage could be as simple as foreign business customers migrating due to a fear of potential liability issues in their home countries.


It's already happening -- hell, Germany is trying to build its own private Internet.

The foreign policy and foreign trade ramifications of the US government's spying apparatus are not lost on me. All I'm saying is, if a bad actor wants your E-Mails, it's already got them.

I suspect that's true in this case, too, that the government doesn't really need MS's cooperation to get what it wants, and probably doesn't even need MS's cooperation for the information it's already gathered to be admissible in court. I think DoJ is just covering its bases.

So the mistake I was making was thinking your replies were meant to apply to all data services when you were only picking at email very specifically?

Grath wrote:
Thad wrote:
Mongrel wrote:I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.


If you think the "Well, I don't have anything to hide" rationalization only applies to foreign surveillance, well, again, that sounds an awful lot like you haven't been paying attention for the past 15 years.

This is when I remind everyone that via me you're all two hops from a suspected terrorist and the NSA is presumably watching everything we do, right?

I thought that was me.
Image

Who is online

Users browsing this forum: No registered users and 3 guests