Little Pig, Little Pig! Let Me Admin! (Security Thread)

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Mon Aug 10, 2015 1:41 pm

Periodic reminder: if your phone has a fingerprint unlock function, don't use it.

Postby Büge » Wed Aug 19, 2015 10:46 am

Mongrel wrote:So the Ashley Madison data breach. It's something hilarious right now, but which will almost certainly take a pretty dark turn later. They've already started to release bits of data in a classic "We'll kill these hostages one by one until you accede to our demands" strategy, so I'm surprised there hasn't been any fallout from that as it is.

Wonder if it really will break the company, one way or another?


Well, the hackers just released the data, so I guess we'll find out, won't we?

Postby Lyrai » Thu Aug 20, 2015 1:11 am

Josh Duggar, Sir Molest-a-Lot, had two paid accounts. Paid close to a grand to use the site.

Postby Sharkey » Thu Aug 20, 2015 3:51 am

So he's not just an incestuous pedophile who promotes a death worshiping apocalyptic cult for ritual cannibals and campaigns against civil rights, but he also cheats on his wife? You know, I'm starting to think this guy might be an asshole.

Postby pacobird » Thu Aug 20, 2015 10:37 pm

we should all congratulate him on trying to bang women of consenting age to whom he is not related by blood

presumably

Postby Thad » Wed Aug 26, 2015 2:13 pm

Say one thing about Ashley Madison: however much they fucked up on protecting their customers' data, they at least knew how to encrypt passwords the right way.

Postby beatbandito » Wed Aug 26, 2015 3:29 pm

Of course Ashley Madison has a userbase of people that name their kids 'Hunter' and 'Harley'.

Postby Mongrel » Thu Aug 27, 2015 10:31 am

It turns out that so few real women were using Ashley Madison that active accounts held by females amount to less than a rounding error.

Might actually be better in the gender thread, but I figured it would be better to keep all the AM stuff together in case of a threadsplit.

Postby Thad » Fri Aug 28, 2015 1:48 am

Ashley Madison owners issuing DMCA takedowns to sites that publish the leaked information; apparently understand copyright about as well as they understand data security.

Postby Mongrel » Sun Aug 30, 2015 8:17 pm

Image

Postby sei » Wed Sep 02, 2015 4:02 pm

Thad wrote:Ashley Madison owners issuing DMCA takedowns to sites that publish the leaked information; apparently understand copyright about as well as they understand data security.

Using bcrypt put them head and shoulders above the shit we hear about places like Sony.

Anyway.

https://haveibeenpwned.com/PwnedWebsites

Postby Thad » Wed Sep 02, 2015 10:43 pm

sei wrote:Using bcrypt put them heads and shoulders above the shit we hear about places like Sony.


That's a low bar, both because Sony is terrible and because Sony's security requirements are -- short of trade secrets and unreleased films -- lower than a site like Ashley Madison's.

For most sites, protecting users' names is somewhat important, passwords is more important, credit card numbers more important than that. But a site like Ashley Madison, by its nature, should treat its customers' names as sensitive data.

I mean, assuming people who signed up to cheat on their wives deserve to have their privacy respected.

Postby Mongrel » Wed Sep 09, 2015 12:27 pm

The US government is currently pursuing a court case to see if it can compel US-owned companies (in this case, Microsoft) to provide data held in foreign data centres.

What this would boil down to is that there would be no legal protections for foreign customers using US-owned cloud data storage. This is huge stuff - we're talking about the integrity of stuff like Gmail, Hotmail, and other core Internet commercial data services or services that incorporate data storage in any way.

We may be looking at a Pyrrhic victory on a grand scale for the US Government on this one. Microsoft has lost twice on appeal and has even dared contempt of court charges on this, so crucial is victory to their data and cloud business, $8 billion, according to the article. And that's just Microsoft.

To say nothing of how other countries would feel about having their sovereignty regularly casually violated.

Postby Thad » Wed Sep 09, 2015 2:26 pm

Mongrel wrote:What this would boil down to is that there would be no legal protections for foreign customers using US-owned cloud data storage. This is huge stuff - we're talking about the integrity of stuff like Gmail, Hotmail, and other core Internet commercial data services or services that incorporate data storage in any way.


I'm not sure how Gmail and Hotmail play into it, to be honest; the E-Mail protocol stack is completely broken. The US government doesn't need compliant hosting companies to snoop E-Mail; your shit's already being sent in cleartext, and there's a good possibility that your password is too.

(There are exceptions -- if I'm not mistaken E-Mails sent from a Gmail address to another Gmail address are encrypted by default -- but that's a pretty small slice of E-Mail traffic.)

Short of setting up a cumbersome client-side encryption mechanism, and having your recipient do the same, you're honestly more secure sending E-Mail through Facebook than through SMTP.

Mongrel wrote:We may be looking at a Pyrrhic victory on a grand scale for the US Government on this one. Microsoft has lost twice on appeal and has even dared contempt of court charges on this, so crucial is victory to their data and cloud business, $8 billion, according to the article. And that's just Microsoft.

To say nothing of how other countries would feel about having their sovereignty regularly casually violated.


There are easy technical solutions to this problem -- don't store any data you don't have to, encrypt all data that you do have to, so that only the end user can access it and even you yourself can't -- but they're directly at odds with these companies' current business model. Lots of politicians have been squawking about Apple and Google setting their phones to encrypt data by default, but while Google may encrypt the local data on a device, it's never going to encrypt your search data in a way that it doesn't hold the keys to, because it would have to find a new line of work.

Firefox is trying to reinvent itself as the browser that protects your privacy. It'll be interesting to see how many companies try to go that route in the next few years.

Postby Mongrel » Wed Sep 09, 2015 3:13 pm

Thad wrote:I'm not sure how Gmail and Hotmail play into it, to be honest; the E-Mail protocol stack is completely broken. The US government doesn't need compliant hosting companies to snoop E-Mail; your shit's already being sent in cleartext, and there's a good possibility that your password is too.

(There are exceptions -- if I'm not mistaken E-Mails sent from a Gmail address to another Gmail address are encrypted by default -- but that's a pretty small slice of E-Mail traffic.)

Short of setting up a cumbersome client-side encryption mechanism, and having your recipient do the same, you're honestly more secure sending E-Mail through Facebook than through SMTP.

You're thinking like a logical IT professional. Anyone with half a brain knows email isn't secure for a whole host of reasons. This article is more about business impact, which is where things like nominal legal status and perception matter more, at least in this case anyway.

The idea that the US government can look at your emails any time it wants won't make much of a difference to criminals or people already engaged in questionable shit, but it will make a difference to the average person or foreign business who could get really uncomfortable with that notion. Microsoft doesn't care about losing the business of a relative handful of experienced criminals, but it certainly cares a whole lot about losing huge chunks of their regular foreign userbase.

Postby Thad » Wed Sep 09, 2015 3:28 pm

Mongrel wrote:This article is more about business impact, which is where things like nominal legal status and perception matter more, at least in this case anyway.


Nominal legal status is that if the government can get a warrant, it doesn't need Microsoft's permission to snoop your E-Mail. It may not even need the warrant.

Mongrel wrote:The idea that the US government can look at your emails any time it wants [...] will make a difference to the average person


The past two years since the Snowden leaks say otherwise.

Postby Mongrel » Wed Sep 09, 2015 3:35 pm

Thad wrote:Nominal legal status is that if the government can get a warrant, it doesn't need Microsoft's permission to snoop your E-Mail. It may not even need the warrant.

Domestically.

Thad wrote:The past two years since the Snowden leaks say otherwise.

I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.

Google, Microsoft and a host of other major businesses seem to see this as a real, even existential, threat. The response might not necessarily be a mass panicked migration the day after SCOTUS hands down a ruling, but I wouldn't just glibly dismiss their fears offhand. The damage could be as simple as foreign business customers migrating due to a fear of potential liability issues in their home countries.

Postby Thad » Wed Sep 09, 2015 4:42 pm

Mongrel wrote:
Thad wrote:Nominal legal status is that if the government can get a warrant, it doesn't need Microsoft's permission to snoop your E-Mail. It may not even need the warrant.

Domestically.


Huh? You seem to be suggesting that domestic surveillance is less restricted than foreign surveillance, which is...pretty much the opposite of every legal justification that's ever been made for every wiretapping program of the last 15 years.

Mongrel wrote:I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.


If you think the "Well, I don't have anything to hide" rationalization only applies to foreign surveillance, well, again, that sounds an awful lot like you haven't been paying attention for the past 15 years.

Mongrel wrote:Google, Microsoft and a host of other major businesses seem to see this as a real, even existential, threat. The response might not necessarily be for a mass panicked migration the day after SCOTUS hands down a ruling, but I wouldn't just glibly dismiss their fears offhand.


I'm doing no such thing, and I can't imagine how you'd think I don't object to the US government having carte blanche access to customers' private data.

I just think E-Mail is a pretty small piece to fixate on. Yes, this case is about access to an E-Mail account, but do you really think that's all it's about?

Mongrel wrote:The damage could be as simple as foreign business customers migrating due to a fear of potential liability issues in their home countries.


It's already happening -- hell, Germany is trying to build its own private Internet.

The foreign policy and foreign trade ramifications of the US government's spying apparatus are not lost on me. All I'm saying is, if a bad actor wants your E-Mails, it's already got them.

I suspect that's true in this case, too, that the government doesn't really need MS's cooperation to get what it wants, and probably doesn't even need MS's cooperation for the information it's already gathered to be admissible in court. I think DoJ is just covering its bases.

Postby Grath » Wed Sep 09, 2015 6:16 pm

Thad wrote:
Mongrel wrote:I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.


If you think the "Well, I don't have anything to hide" rationalization only applies to foreign surveillance, well, again, that sounds an awful lot like you haven't been paying attention for the past 15 years.

This is when I remind everyone that via me you're all two hops from a suspected terrorist and the NSA is presumably watching everything we do, right?

Postby Mongrel » Wed Sep 09, 2015 6:53 pm

Thad wrote:
Mongrel wrote:
Thad wrote:Nominal legal status is that if the government can get a warrant, it doesn't need Microsoft's permission to snoop your E-Mail. It may not even need the warrant.

Domestically.


Huh? You seem to be suggesting that domestic surveillance is less restricted than foreign surveillance, which is...pretty much the opposite of every legal justification that's ever been made for every wiretapping program of the last 15 years.

Mongrel wrote:I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.


If you think the "Well, I don't have anything to hide" rationalization only applies to foreign surveillance, well, again, that sounds an awful lot like you haven't been paying attention for the past 15 years.

Mongrel wrote:Google, Microsoft and a host of other major businesses seem to see this as a real, even existential, threat. The response might not necessarily be for a mass panicked migration the day after SCOTUS hands down a ruling, but I wouldn't just glibly dismiss their fears offhand.


I'm doing no such thing, and I can't imagine how you'd think I don't object to the US government having carte blanche access to customers' private data.

I just think E-Mail is a pretty small piece to fixate on. Yes, this case is about access to an E-Mail account, but do you really think that's all it's about?

Mongrel wrote:The damage could be as simple as foreign business customers migrating due to a fear of potential liability issues in their home countries.


It's already happening -- hell, Germany is trying to build its own private Internet.

The foreign policy and foreign trade ramifications of the US government's spying apparatus are not lost on me. All I'm saying is, if a bad actor wants your E-Mails, it's already got them.

I suspect that's true in this case, too, that the government doesn't really need MS's cooperation to get what it wants, and probably doesn't even need MS's cooperation for the information it's already gathered to be admissible in court. I think DoJ is just covering its bases.

So the mistake I was making was thinking your replies were meant to apply to all data services when you were only picking at email very specifically?

Grath wrote:
Thad wrote:
Mongrel wrote:I think there's a significant difference in perception between the NSA doing secret snooping and the regular government as a whole. "Well, I'm not a terrorist." is an easy rationalization that becomes a lot more difficult once the allowable snooping boundaries are dramatically expanded.


If you think the "Well, I don't have anything to hide" rationalization only applies to foreign surveillance, well, again, that sounds an awful lot like you haven't been paying attention for the past 15 years.

This is when I remind everyone that via me you're all two hops from a suspected terrorist and the NSA is presumably watching everything we do, right?

I thought that was me.
