Quora User Data Compromised (quora.com)
1254 points by joebeetee on Dec 4, 2018 | hide | past | favorite | 505 comments




This is why I hate companies that force you to sign up to gain access to content. I do not want that relationship. Sooner or later those systems will be legacy and then maintaining them will be a pain. Bitrot will set in and sooner or later there will be a breach.

One new development is that you used to be able to get your invoices mailed via snail mail. Then that disappeared and you got your invoices mailed via email. Then that disappeared and now you have to create an account on some portal so that you can download your invoice. So that's one userid/password combo per business relationship or service that you use privately. Healthcare, HOA, insurance, payroll etc., every bloody two-bit player requires you to log in to their oh-so-secure service rather than just sending you your stuff. Which requires a ton of overhead and - sure enough - sooner or later they get hacked because by then the amount of data they hold on to is more valuable than their security could reasonably be expected to defend.


I use privacy.com and Lastpass to help with this problem. Any time there is a service I have to have a business relationship with that I don't trust to keep my info secure, I use a unique password and a unique credit card number with a tight limit. What's nice is that they tie the card to a single vendor too.

For example, the water company. I know the water bill is usually $50 or less, so I set the limit to $60/mo. As it turns out, they did get breached. I got an alert about someone who isn't the water company trying to hit the card for 80 cents. Most card runners use amounts under $1 because most credit card spending alerts have a $1 minimum. But privacy.com warned me, so I warned the water company, who was very thankful. Turns out their 3rd party provider had been breached and they were grateful for the alert too. Ended up saving a few thousand of my neighbors a lot of headache.


Lastpass has been going downhill with every acquisition and had gotten to the point where autofill failed on the majority of sites and the "copy password" menu item disappeared, bringing clicks-to-login from 1 to ~10.

A few weeks ago I saw bitwarden finish their third party security audit and took the opportunity to jump. Couldn't be happier. Autofill fails less, the "copy password" menu works, the mobile experience isn't intentionally broken to sell an app, and export->import went without a hitch. Better, actually: it is the first time I have done an export/import and had the resulting data immediately work better in the second app. There's also the hope-springs-eternal factor of bitwarden giving me the option to host the sensitive stuff myself once I get off my butt and set up that server I've been meaning to for a while now.

If you're thinking about lastpass, save yourself the trouble and try bitwarden first. Or something else, but bitwarden has been good to me and lastpass, well, hasn't, to put it politely :)


LastPass is one of my least-liked, most-used tools. Everything about the implementation feels second rate; slow, unreliable login capture, unreliable form fill, occasional inability to edit records, buried password copy, clunky UI, inappropriate modal nagging in browser and app... Most times I use it I am cursing it.

I tried to switch to pass, and I'm not sure if it was something to do with how I imported, but it didn't list my passwords and the browser plugin was clunky and didn't work. Anyone had success with pass/gopass?

Bitwarden seems like a happy medium; I'd rather not do my own password ops. The pricing seems fair (and rather optional). I'll try it, thanks.


LastPass has corporate mismanagement written all over it. It's ridiculous how bad their product is considering how big they were.


It is puzzling. My feeling is that for quite some time they had a lead on features (cross-platform, browser overlay, secret sharing) - particularly the combination of features whereas competitors always seemed to have a subset. That's what reluctantly kept me with them. The software quality does just seem quite bad though.


I have the same disappointing experience with LastPass and have grown tired of it. One of these days I will do something about it!


Check out Keepass! Rather than syncing directly into a Cloud, it allows you to store a database file into any location. It supports MFA (e.g. by combining a password with a secret file, or a Yubikey). And everything is open-source.

I like the model a lot, because it solves the "database ownership" issue, where your Password provider (be it LastPass, 1Password, etc) becomes in itself a weak link.


I'm a super happy user of KeePass too, and KeePass2Android is the best password management app I've ever used.


I used to use KeePass but the lack of a proper cross-platform UI eventually broke it for me; KeePassX on Linux looked and performed terribly, the Android app was just bad, etc etc etc.

I switched to 1password which - at least at the time - offered a web-based fallback hosted from your own dropbox. Plus at the time you owned the data and were responsible for storing and syncing it. Dropbox support came out of the box but if you want you can use a local file.


KeePassXC works great for me on Linux, Windows, Mac, and Android.


Have another look at KeePass. They recently got a native Mac implementation, and I seem to recall seeing a new one for Linux at the time.

On the Mac, KeePass now feels like a better experience than having to pay a subscription for 1password.


Or MacPass for macOS, which was a very slick alternative to the KeePass application at the time.


Yeah you're right, I believe it's based on .NET so on Linux you'll have to use Mono. For the plugin ecosystem, that's suboptimal because you'll have to rebuild a lot of plugins from scratch.

I used to be a 1password user, but they were pushing their premium, cloud-based offering a lot and lacked Yubikey support so I switched away.


Keepass is great, but it is somewhat slower and more clicks to get passwords into forms as opposed to 1Password or LastPass.


I have used KeePass for years. It is not as convenient as some of the alternatives, but I trust it more.


I'm in the same boat. The user experience on it is terrible now.

The worst thing that happens to me is if I generate a password, and then LastPass doesn't save it! It feels like a 50% shot it will actually save the generated password.

I have nearly 1000 passwords stored in it now, so it's going to be a huge pain to migrate.


This is by far the worst. I have LP set up with a shortcut + fingerprint tap on my MBP, which works great until I'm generating a password, which never gets saved. I have to remember to get my vault page open ready to fill in before I generate the password, because if I generate one from the toolbar dropdown I'll never see it again. Ugh.


LastPass Mobile UI seems to be intentionally crippled ( https://vgy.me/9r29bm.jpg ) I assume because they want you to download the app, pushing you to purchase their license.

If you load the same site using "load desktop site" the UI gets fixed.


The Android app is still very frustrating to use.


Access through the apps has been free for a couple of years now.


Bitwarden is best. I hope they will not go bankrupt from free users. It's funny that it is the cheapest but also works the best out of all the managers I tried. Dashlane is good but it's so much more expensive. Bitwarden will slowly kill most of the managers if they keep up the great work.


Has anyone tried ButterCup (https://buttercup.pw/). I've been looking at the codebase and it seems really solid.


I will add this to my password manager binge (because I know how to party). I did find the NPM build a bit frightening though - module 956/1xxx built...

Also that site looks like it should be selling something but I see no money hole - should I be worried?


This looks really nice. Wonder if there are any security reviews, I'm tempted to try it.


I use 1password regularly, tried bitwarden, found it lacking in various quality of life features & polish that 1p has, so I didn't migrate.

This is kind of yikes for a password manager too: https://github.com/bitwarden/core/issues/399

But it's also pretty much the only polished open source password manager there is out there.

For now I'll be sticking with 1password, but might check out bitwarden again once they have tests and more maturity as a password manager.


Just for the record, I don't believe that 1Password has unit tests either. I was unable to find evidence of unit tests, but I did find this: https://discussions.agilebits.com/discussion/comment/156429/...

We have a tendency to compare opaque with transparent and balk at what we find, but I question what you would feel if you could see through the opaque.


That is true, but at least they have code review and multiple people ;) I'm just estimating from my experience that after a certain point, most companies start writing automated tests.

And if you look at their jobs page, one of the job description points is "Create unit tests for existing code to run faster and more reliably.": https://1password.com/jobs/droid-builder/

They might even have a few QA people AFAIK!

I understand why the single founder / engineer of bitwarden doesn't have tests. When you're a startup not writing tests can speed you up significantly. But after a certain point they are going to need automated testing, especially for something as vital as this.

For me, the lack of open source in 1p has been a sticking point, and I was planning to migrate after the audit. But seeing no tests, 1p documenting their security model and bitwarden not being good enough compared to 1p in UI has me sticking to 1p for now. I have high hopes that bitwarden will get to that maturity point one day.


I found the same thing with their client apps, should have checked core to see if there weren't any there as well.

I switched over about a week ago and find it pretty solid, but it's missing a lot of the quality of life features that LastPass had. You can't just hit command + c whilst on an entry and have it copy the password, and they haven't implemented the new iOS 12 features that make password managers much better on iOS.

I'm running them both right now as I'm not fully committed to the switch over, but I'll see how the features get added over time.


I moved from LastPass to 1Password recently. Had been using LastPass for several years, but filling failures, the lack of copy password in FF (and no binary workaround for Linux), and generally unhelpful support when I contacted them prompted me to move.

Very happy with 1PasswordX (the browser-only version) - filling is much better, copy is supported out of the box, support have been very helpful when I've reached out. Much better customer experience.


I was a 1Password fan for many years, until the big push to go subscription. For now I'm just using Apple's keychain until I decide what tool to use next. If you're in Apple's ecosystem, keychain actually works pretty well.


You can still purchase a standalone license, even for v7. Sure they want you to rent access to your data, but that's not the only path. I also recently taught KeePassXC to read the 1P on-disk vault format, so you can continue to use 1P even in Linux, and even if AgileBits goes under.


Loving Safari / iOS 12's improved integration with Keychain.

However. Still can't uninstall 1Password. Haven't figured out where to store notes (meta) in Keychain. Stuff like "Name of your first pet?".


Have a look at KeePass. There's a native OSX client now.


Do they support automatically adding/updating sites yet?


It will prompt you to do so.


Not on page submit, but you can do it when the form is still visible before you submit.


My 1Password always prompts me after I submit a form if I want to save the credentials used in that form.


Might be different with 1PassX?


I have been using Pass [0] with passff [1] and been pretty happy about it. Simple and offline password management where passwords live in gpg encrypted files. Additional features I like are tracking changes with git, bash completion and copying passwords to clipboard for few seconds temporarily, and a few very useful extensions.

[0] https://www.passwordstore.org/ [1] https://github.com/passff/passff#readme


Another pass user here. Simple and understandable, two strong positives for that type of application.


Pass is awesome. I use it in combination with a YubiKey to store the pgp key. Because every password is stored in an independent encrypted file and every decryption needs a press on the YubiKey even a stolen database and keylogger does not provide access to all passwords.


I use pass with keyboard Maestro on the mac it just gets a autofill input for the password I want, them opens a terminal and asks for the master password if needed and puts in the clipboard. Very friendly way to use it.


Pass is definitely not as polished, but it's so dead simple, just a thin wrapper over gpg and git.


I would like to recommend keepass. It's open source as well.


Yep, I use KeePass synced over my selfhosted nginx server. But you can use Dropbox/Google Drive/etc. just as easily.

I would like to also recommend the Firefox extension 'Kee' for autofill. On Android there is the 'Keepass2Android' app. Both are open source and work well.

I also recommend the KeePass plugin 'Yet Another Favicon Downloader'. It downloads favicons from websites for your password entries.

Also 'Keebuntu' is a plugin that makes 'minimize to tray icon' work for me on Linux.


Agreed, a very functional manager for me, though I am using the KeePassXC [1] version on macOS (via brew cask) and Ubuntu (via snap).

1: https://keepassxc.org/


+1 to this :)


+2, keepass and plain google drive / dropbox / icloud file sync to have it available in several machines.


+3 Though I sync it on my Synology instead of the cloud.


I've thought about setting up a personal NAS for this purpose. But I'm concerned about having a single point of failure/loss in the event of a house fire or burglary. Any chance you've addressed this risk in your implementation?


I'm also a happy Bitwarden customer. I especially like that it is all Free Software (combination of GPL 3 and AGPL across various parts), which to me is important for security and privacy related software. I've also had good experiences with Bitwarden support from Kyle, the lead developer and founder.


I second this. I was a long term LP user that switched to Bitwarden this year and haven't looked back.


Install the LastPass binary, and you get copy password back in Firefox.


I tried that on Win10, and it didn't work for me. It was the last straw. Honestly, why on earth do they need it anyway? HTML5 has had a Clipboard API for a while now.

I've used both extensively and Bitwarden is just a dramatically higher-quality app it's not even funny.


Not on Linux, and we've waited too long. 1Password supports it direct from the extension.


Weirdly, I have been using Lastpass in Firefox on Linux and seem to have copy/paste.

(Not that this whole thread hasn't had me re-evaluating whether there's a better solution for me now.)


Ah good to know. Does anyone know the reason they removed it from the Firefox addon?


I believe it had to do with the change from the old addon format to the new one in Firefox.


Bitwarden doesn't seem to have any problem copying passwords using a new-style extension with no binary install.


I recall that the initial release of the Web Extension support was a bit threadbare, and/or that they had to change the extension ID or something of that sort, but it's also possible it was left out for existing design reasons/as a cudgel. In either case this whole thread has been useful for alerting me that I should re-evaluate if Lastpass is the optimal solution for me.


I switched to LastPass from 1Password because I hated their whole mobile sync thing where you had to be on the same wifi and start your Mac app to sync etc. I understand that it's more secure that way, but that trade-off was not worth for me. Has that changed in the meantime?


Thanks


I migrated over from Lastpass to Dashlane a few years ago. Couldn't be happier. It integrates with everything and as far as I understand their encryption is better than Lastpass, although I couldn't say how.


Another vote for Dashlane. The password management is stellar, it even alerts you about breaches and prompts you to change compromised passwords.

I run a unique password for every site so it doesn't matter if a provider gets rumbled, and I don't reuse passwords or have to remember multiple ones.

The form autofill is pretty awful compared to Lastpass, but I can live with that.


I do love lastpass but since switching to Firefox 100% away from Chrome, the lack of copying a password to the clipboard without seeing it first really stings. What if someone is sitting next to me, or someone is grabbing screenshots or streaming my screen? It's like having this super secure electrified iron door installed but neglecting to lock it.

Is anyone aware of a technical reason that copy to clipboard is absent in Firefox, or is just laziness? If laziness, I'll dump them tomorrow.


Install the lastpass binary in addition to the browser plugin. It re-adds that functionality back.


I'm using lastpass with firefox nightly and I don't have this issue. copying the password to clipboard without seeing it works out of the box using the browser extension.


In bitwarden it works out of the box, so I think it’s just laziness.


The clipboard can be accessed by any other application.


I've never used any other password manager but just wanted to say I love LastPass. It very rarely fails on autofill for me, it saves all my passwords nicely, has secure notes, organizational sharing for teams. I find it to be really great.


Hmmm, I have been using the Keepass + Dropbox combo. Wanted to change to a more streamlined experience. The current choices of 1Password, LastPass and Dashlane didn't seem to attract me.

I will give Bitwarden a try.


This is what I do too. Biggest complaint is the lack of official apps for mobile devices. I've used MiniKeePass in the past but am hesitant because there doesn't seem to be much active development and I don't see the source code anywhere.

Do you access kdbx files on mobile devices? If so, what do you use?


Source code lives here: https://github.com/MiniKeePass/MiniKeePass

The biggest problem with MiniKeePass, in my opinion, is that it doesn't support the new iOS autofill API and that it doesn't support even basic syncing. You always have to make a manual copy of the database file and you can't really create logins on mobile because of that.

There's a fork of MiniKeePass called KeePass Touch, but they don't publically host the source code anywhere. You have to email them to ask for a copy of the source code, which is technically GPL-compliant, but a bit annoying.


On Android: the Keepass2Android Offline app is pretty good.


I am using Keepass Touch in iOS


I personally use keeanywhere to streamline my experience. It allows me to just log in and select my db


+1 for bitwarden. Not a security professional, but it seems to be a good tradeoff between security and usability. Definitely better than lastpass on both counts.


Something about storing every password in a single cloud service to improve security sounds counterintuitive to me.


The passwords are all encrypted with the master password and ideally an additional salt such as in the case of 1password.


What do you do?


I've been looking into password managers for my team/department, and bitwarden has some good looking stuff, but they seem to only invoice in USD, which creates constant friction for recurring IT bills at my company.


Are you in paid bitwarden? For Premium and/or family?


+1 recommendation for Bitwarden


I looked over privacy.com - specifically their security page[0] which reads impressively. As I looked at my "dashboard" I couldn't help but notice (according to uBlock Origin) that privacy.com, ironically, connects to facebook (.net) and google (fonts, apis, gstatic).

I'm certain none of those 3rd-party connections are necessary and yet... like muscle-memory... devs continue to thoughtlessly invite tracking.

[0] https://privacy.com/security


I've seen people include such tags on the logged in areas for cancer patients in medical websites without batting an eye and wondering why that's a bad thing.


Haven't looked very closely, but how do you think they make money by offering virtual credit cards for free? I bet they will track all your purchases and resell them for marketing later.

Fonts and other stuff from google and facebook is just a small piece of the puzzle.


They detail it on their website, but basically they keep part of the interchange fees for each transaction.


I use keepassx, a local password manager. I don't trust centralized online password managers with browser extensions. Huge attack surface. I copy and paste usernames and passwords.


Same. Where do you keep the db file? Mine's in the cloud and I can't help but think it reduces security, but then I need access to this data from various locations.


I worry about this too. I store the database itself in Dropbox, and I also use a keyfile alongside the password to open it. I can easily recreate the keyfile on any computer, but it never goes anywhere near the internet.

In addition to that, for my really critical "gatekeeper" accounts, I don't put the full password in the database. Just a reminder that this is a "special" password, which needs to be combined with another bit of info in order to work.

I just live with the fact that I can't use this system on my phone, and for my usage patterns, that's fine. There's nothing I need to do that's so urgent that it can't wait until I'm back in front of my computer.


Why can't you use it on your phone? There are various apps for Keepass available.


On my laptop. I sync to my phone and tablet using Syncthing. I write into the file only on the laptop.


I keep my db in my own freenas box and sync it between devices using resilio sync.


I use BitWarden, and they let you self host the service if you want. I haven't done it yet, but I'm definitely considering it. However, passwords are encrypted on your machine then uploaded, so it's a bit more secure than them managing everything on the server.


I also do that (almost, keeweb + dropbox) and copy paste logins, but a serious problem is that you need to clear the clipboard after, otherwise any other site you visit can read it.


Dunno about Keeweb but KeePass automatically wipes the clipboard after a configurable number of seconds.


Same here! Except I use Keychain (without icloud) from OSX, as it's built in.

I can't trust a website to keep all my passwords.


I basically decided to trust Apple's privacy and security teams, so iCloud Keychain is the one service that I use for syncing.


It's unfortunate that privacy.com is only for US residents. Does anyone know of a similar service that's available for Europeans as well? Specifically the virtual card feature. Most of the services that I've seen to offer something like this are for EEA residents only. This seems to be a new restriction imposed by Visa/MasterCard.


Not sure about EEA only, but Revolut might work for you and it has virtual cards.

Would be nice to have privacy.com more widely available.


At Revolut you can only have one disposable virtual card active at any moment and they cannot be used for subscriptions/recurring payments.

You can have up to 5 non-disposable virtual cards.


Looks great, but they don't offer the service in my country :(


What makes you trust LastPass that they won't sell/leak/expose your passwords from some backdoor or under the table deal? I'm asking because this is not a public company or an entity that can be held responsible in any way for such an act. It's just another startup obligated to make their investors 10X returns. I haven't read their agreements but I'm pretty sure any lawyers of such companies have enough clause to absolve them of any such acts.


They don’t have your passwords


They do store your "vault" on their server. It's encrypted, though, using a key that doesn't leave your computer. However I can easily imagine deliberate as well as innocent "mistakes" in browser plugins and other weak links in the architecture that would expose the master key and hence your vault.


That can pretty much happen to any software provider you download software from.

You don't have the time to:

- audit the source code

- check every auto-update hash matches the main hash list "just in case" you get a special update just for you

If you turn off auto-update, you will eventually get hacked because of bitrot


They don't, officially. Nothing is stopping them from updating the client to siphon your passwords or the encryption key, though. This is a problem all password managers have.

It would be nice to have some kind of communication protocol that could be provably restricted from passing whatever the company wants.


I’m happy with privacy.com

I'm using two personal domains to host my own email. One domain is purely for registration/junk purposes and it forwards *@junkemail.com -> junk@myemail.com.

The same server uses nextcloud for calendar/contacts/webdav

I use the password manager Enpass which can sync via webdav across my devices.

Everything selfhosted and emails/credit cards disposable


What bank/card allows you to create unique credit cards with separate limits? The one I was using (Swedbank/visa/mastercard) stopped providing this service last year.


Privacy.com allows you to create virtual credit cards once you connect a source of payment to your account. Can be bank or debit card. I personally create one credit card for every paid subscription I have with the limit set on the amount that's supposed to be debited (eg. Monthly limit on Tidal charging $20).

Privacy is a game changer for online transaction security imo. An additional benefit is the ability to subscribe to "try free for a month but oh wait we need your credit card info first so when you forget to cancel we'll keep charging you". Simply create a virtual card with single time spend limit $1 less than the monthly subscription charge, and you can rest assured that your one month trial is a one month trial.


Privacy.com is US only though.


Is it only for US persons or does it just require a US bank account?

Because then you can get one from transferwise.


Thanks, unfortunately not enough.

In order to use Payment Services, you must be at least 18 years old. You confirm that you are either a legal resident of the United States, a United States citizen or a business entity authorized to conduct business by the state(s) in which you operate and that you are an authorized signatory for the business you represent.

https://privacy.com/terms


Any decent international (EU) alternative?


Citibank offers virtual credit cards. Once they are used by one merchant, they can not be used by any other merchant. On top of that, you can optionally give them money and time limits.


I rather like this feature from CitiBank. I hate the interface, but the feature is great. I can use it to sign up for monthly services that I'm unsure about. If I don't want to go through the hassle of canceling the service, I just don't renew the cards.

I also use it with sites I don't necessarily trust, like a random auto parts store. If it were a tad easier to use, I'd use it for nearly everything.


Revolut standard account (w/o monthly fees) gives you a Virtual Card which I use when I don’t trust the site I’m buying from and after the purchase I just freeze it.

With the premium cards on top of other perks there’s also Disposable Cards which creates a virtual card for every transaction you want and as soon as that card gets used, it’ll destroy it and create one brand new.

For separating limits you can create multiple virtual cards each with limits once met will freeze the card.


LastPass is not helping you with privacy here. From their tos

tos:

> You may use our Services only as permitted in these Terms, and you consent to our Privacy Policy at https://www.logmeininc.com/legal/privacy, which is incorporated by reference.

pp:

> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data to help us support the Services.

> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.

> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.

> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").

and

> Some specific examples of how we use the information:

> * Conduct research and analysis

> * Display content based upon your interests

> * Market services of our third-party business partners

and

> 4. Information Sharing

> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure and (d) as needed for legal purposes.

and

> Examples of how we may share information with service providers include:

> * Sending marketing communications

etc...


Yow, that is precisely the last thing you want from a company whose job it is to store passwords. Thanks for the heads up.


That's so awful. Which password managers are not like that? I assume KeepassXC is good since its open source


I haven't even tried to use these services, can someone please explain why centralizing all your online activity helps with privacy?


The traditional pitch from security experts is "Using a password manager is better than reusing the same password on lots of sites, or using low entropy passwords, or saving your passwords in an excel spreadsheet, which is what you were probably doing before"


Apart from shoulder-surfing, wouldn't an encrypted spreadsheet be equivalent (not Excel, as I imagine MS might randomly send that data home, e.g. if there's a crash)?

In both cases once there's physical compromise, if they have the "master" password you're screwed?

I presume they use the clipboard for the pasting, or do typing that could be captured by a keylogger.


It doesn't. It helps with usability, it seems, because if you have multiple devices it's easier to manage them.


I have a hard time trusting _any_ of the password services that host my passwords.

Single point of failure. Even if they claim they're "encrypted so that even THEY can see them", it's so easy to mess up encryption, it makes it a single point of failure.

I still share passwords between my devices though, but instead I use KeePass along with the Android app. For less critical passwords I let Chrome keep them; I _mostly_ trust Google, and non-critical passwords are exactly my level of trust of Google.

And I also trust Google to share my (encrypted) KeePass file with my devices. But now it's two points of failure: Someone would have to break into a private Google Drive, get my KeePass file, and break the KeePass encryption.

And I trust _both_ KeePass _and_ Google more than I trust LastPass to get security right.


I can’t trust privacy.com. I refuse to give some company direct access to pull money from my bank. Only a matter of time until they’re breached too.


How do you buy online?


With a credit card... I have protection against fraud on those.


Directly credit card online? Sorry, I don't understand...


Or offline.


What about using a completely segregated secondary account? I have a Simple account, and that's all I use it for. I only ever have a couple hundred in there at any time.


You also hit on a very easy solution for those who aren't going to go to those extremes: be sure your notifications are set up. Getting an email within minutes of every purchase or paid bill has been great.


Can anyone suggest a good alternative to privacy.com for EU residents?


Interesting. I literally don't care if my CC information is stolen from a merchant -- I have zero liability for fraudulent use on all of my cards. Why do I want the friction of privacy.com?

The one thing that is cool, for items that don't have to ship in the mail, is the ability to use any name and address whatsoever with the merchant.


Same. All my passwords are 100+ characters via LastPass. Except the ones that have to be only 12 :(


Nice. How's that occasional instance where you need to type your 100 character password into Netflix on a Smart TV?


Given the shady things people have found their smart TVs doing, I'd feel about as safe typing a password into a smart TV as I would changing the password to "hunter2".

The TV should display (or maybe email) a link that I would visit with my primary web browser and grant it permissions - or ask for a password as a very last resort for users who have no computer/phone but somehow have Netflix.


The BBC iPlayer does essentially this now. It creates a short one time code and you type it into a logged in account to activate the smart device.

Of course, when you only have one logged in device and it's tied to a different room, it's mildly irritating, but you only do it once.


Plex and Roku do this. They give you a simple one time URL like plex.tv\U23SL. That URL asks you to log in (on your computer) and once it's authorized, the Roku or Plex on your TV gets the signal and continues. Easier than typing on a TV device.
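The activation-code flow the last two comments describe (BBC iPlayer's one time code, Plex/Roku's short URL), modelled in Python as an added example that is not code from the thread or from any of those services. It follows the shape of the OAuth 2.0 Device Authorization Grant (RFC 8628): the TV receives a long secret `device_code` it keeps, plus a short `user_code` the human types into an already logged-in browser; the TV then polls until the approval lands. The code alphabet, lifetimes, poll interval, lockout threshold and the `example.invalid` URL are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Added illustration of a cross-device login ("type this code on your phone"),
# patterned after the OAuth 2.0 Device Authorization Grant (RFC 8628). Not
# Plex, Roku or BBC iPlayer code; alphabet, lifetimes, limits and the URL are
# assumptions chosen for the example.

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only: easy to type on a remote
USER_CODE_LENGTH = 8          # short, so guessable in principle: it must be short-lived
CODE_LIFETIME_S = 300         # the human has five minutes to approve
POLL_INTERVAL_S = 5           # the device may not poll faster than this
MAX_USER_CODE_FAILURES = 10   # demo uses one global counter; real systems key it per client


@dataclass
class PendingAuth:
    device_code: str                   # long secret, stays on the device
    user_code: str                     # short code shown on the TV screen
    created: float
    approved_by: Optional[str] = None  # account that approved it, once approved
    last_poll: Optional[float] = None


class DeviceAuthServer:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.by_device: Dict[str, PendingAuth] = {}
        self.by_user_code: Dict[str, PendingAuth] = {}
        self.user_code_failures = 0

    def _new_user_code(self) -> str:
        while True:  # retry on the (rare) collision with a live code
            code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LENGTH))
            if code not in self.by_user_code:
                return code

    # Step 1: the TV asks for a code pair and displays user_code plus the URL.
    def start(self) -> dict:
        rec = PendingAuth(secrets.token_urlsafe(32), self._new_user_code(), self.clock())
        self.by_device[rec.device_code] = rec
        self.by_user_code[rec.user_code] = rec
        return {"device_code": rec.device_code, "user_code": rec.user_code,
                "verification_uri": "https://example.invalid/activate",  # assumed
                "expires_in": CODE_LIFETIME_S, "interval": POLL_INTERVAL_S}

    def _expired(self, rec: PendingAuth) -> bool:
        return self.clock() - rec.created > CODE_LIFETIME_S

    def _drop(self, rec: PendingAuth) -> None:
        self.by_device.pop(rec.device_code, None)
        self.by_user_code.pop(rec.user_code, None)

    # Step 2: the human, already logged in on a phone or laptop, types user_code.
    def approve(self, user_code: str, logged_in_account: str) -> str:
        if self.user_code_failures >= MAX_USER_CODE_FAILURES:
            return "locked"  # stop online guessing of the short code
        rec = self.by_user_code.get(user_code.upper().replace("-", ""))
        if rec is None or self._expired(rec) or rec.approved_by is not None:
            self.user_code_failures += 1
            return "invalid_code"
        rec.approved_by = logged_in_account
        return "approved"

    # Step 3: the TV polls with its secret device_code until a token comes back.
    def poll(self, device_code: str) -> dict:
        rec = self.by_device.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if self._expired(rec):
            self._drop(rec)
            return {"error": "expired_token"}
        if rec.last_poll is not None and now - rec.last_poll < POLL_INTERVAL_S:
            return {"error": "slow_down"}
        rec.last_poll = now
        if rec.approved_by is None:
            return {"error": "authorization_pending"}
        self._drop(rec)  # one-shot: a replayed poll gets invalid_grant
        return {"access_token": secrets.token_urlsafe(32), "account": rec.approved_by}


class FakeClock:
    """Controllable clock so the flow can be exercised without sleeping."""
    def __init__(self, start: float = 1000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    # Happy path: start, approve from a logged-in session, poll, receive a token.
    clock = FakeClock()
    server = DeviceAuthServer(clock=clock)
    codes = server.start()  # the TV would now display codes["user_code"]
    assert server.poll(codes["device_code"])["error"] == "authorization_pending"
    assert server.approve(codes["user_code"], "alice@example.invalid") == "approved"
    clock.advance(POLL_INTERVAL_S)
    return server.poll(codes["device_code"])
```

The properties to notice: the code the human types is low-entropy by design, so it lives for minutes, can only be approved from a session that is already authenticated, and wrong guesses are counted; the TV never learns anything but its own 256-bit `device_code`; the token is released once and the record is deleted, so neither the short code nor the polling credential can be replayed.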


Haven't had to do that yet. My uh-oh case is VR. I just typed 5 chars at a time in the headset and then looked at my phone. The occasional cost is worth it though, only adding ~30 seconds


On my Android TV, I can use my phone as a remote keyboard and copy/paste. But there are some apps which design their own inputs incompatible with the remote keyboard. When this happens I can plug in my physical keyboard directly to the TV.


I use an Apple TV, so I can paste it from the mobile app on my iPhone. iOS 12 password manager integration might work too!


That's excessive. Around 80 bits of entropy (16 alphanumericals) is sufficient, especially when using unique passwords for each service. See https://security.stackexchange.com/questions/6095/xkcd-936-s...


You could just use a normal Citi or BoA or any other card that generates virtual card numbers and that'll also lock it to that vendor after the first charge. So that they couldn't even hit it for $0.80 if they wanted to.


Last time I checked, both Citi and BofA give me virtual card numbers via a Flash plugin. I really have no desire to run Flash any more. Has that changed?



Virtual card #s are a great system; why did it rot?

I assume it's because the whole industry prefers data-brokering your purchase history, joined on credit-card # to establish identity.


That's one good reason, another is probably pushback from merchants. Having these virtual cards completely shuts down the "free-trial-we-hope-you'll-forget-and-let-us-ding-you-for-a-month-or-two" business model that's so popular for online services.


Not sure you need merchant pushback there - if it leads to unexpected charges then it's more likely to lead to inability to pay, or short payment, which gives the credit card companies their chance to feed off the client.


Also usability, most people just don't care enough. (which is reasonable often)


Wouldn't the bank still know your full purchase history (since they know what numbers are tied to you)? So they'd in fact get a leg up on the competition, who get a more distorted view?


But they don’t get the invoices of what you bought, just the total payment amount.


Unless they work with an analytics system that mastercard, visa & amex participate in to link card numbers to invoices for better advertising & affiliate data.

I know FB & Google purchase something like that from one or two credit card companies, so I wouldn't be surprised if merchants were in to it too.


Nope it hasn’t changed. It’s the same FIA Card Services Flash app from 2005.


Capital One gives virtual card numbers via a Firefox or Chrome extension, which you use on the check out page of the site where you want to use the virtual card. It is quite convenient.

The virtual cards don't have separate spending limits, though, so it is not quite as good as BofA or Citi for use with questionable sites.


The 80 cents didn’t go through. I got a warning instead. And my regular cards don’t offer the level of control privacy.com does.


The real feature of privacy.com is the ability to use any address. Who cares if your CC is compromised? Get one just for recurring balances and another for everything else.


Outside of the top ten SFW subscription services, they are all prone to being hacked.


I don't follow your argument. Yes, any merchant is going to get hacked. My argument is, I don't care a whit about my CC being stolen. My liability is zero and I can just get a new card. The only thing I care about is the hassle of setting up a new card for recurring balances. Hence, why I need at least 2 cards.

OTOH I do care about my name, address, and other PII being stolen. That is where privacy.com is a help. But not because it protects me from CC loss.


Was the water company thankful enough to compensate you for the $X,000 consulting services you provided because they didn't set up their own security monitoring?


Given their lack of security, I’m guessing they have no idea of the value that I provided.

It’s all good though. Knowing I helped thousands of my neighbors is compensation enough. Besides, if they gave me a credit, they’d have to hike everyone’s bill to compensate!


Or give a smaller bonus to their head of security.

I know I'm a cynic, but it takes all sorts of people.


I guess the money doesn't matter to you personally at all, but they could pay a bonus from profits, or by cutting executives' wages (if they're a non-profit). It's not like the only means of paying is gouging customers.


I wish privacy.com or something similar was available in my country, Entropay seems to be the only thing but it's not allowing new signups.


Does the bank not hold the liability if a credit card is used fraudulently? (I'm sure the process is a pain.)


What will happen in case of a privacy.com breach?


Can you use this for one time purchases?


Yep! You can create "burner" cards that become invalid after one use. I actually never use that feature, because sometimes vendors screw up and have to put the charge through a second time or whatever. Instead I set a lifetime spending limit $1 higher than the purchase I'm making.
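The card controls this sub-thread keeps coming back to (the vendor lock after the first charge in the Citi/BofA comment, the tight monthly cap and 80-cent probe in the water-company story, the burner and "purchase + $1" lifetime limit just above), modelled in Python as an added example. This is not privacy.com's or any issuer's code; the rules are reconstructed from what the comments describe, and the card numbers, merchant names and amounts are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added model of the controls attributed to virtual cards in this thread:
# merchant lock after the first approved charge, a monthly or lifetime cap, and
# single-use "burner" cards. Not privacy.com's or any issuer's code; numbers,
# merchants and amounts are constructed for the example.


@dataclass
class VirtualCard:
    number: str
    monthly_limit_cents: Optional[int] = None   # e.g. 6000 for a ~$50 water bill
    lifetime_limit_cents: Optional[int] = None  # e.g. purchase price + $1
    single_use: bool = False                    # "burner": closes after one approval
    locked_merchant: Optional[str] = None       # set by the first approved charge
    spent_total_cents: int = 0
    spent_by_month: Dict[str, int] = field(default_factory=dict)  # "YYYY-MM" -> cents
    closed: bool = False


@dataclass
class Decision:
    approved: bool
    reason: str
    alert: bool = False  # worth telling the cardholder, like the 80-cent probe above


class Issuer:
    def __init__(self) -> None:
        self.cards: Dict[str, VirtualCard] = {}
        self.alerts: List[str] = []

    def issue(self, **policy) -> VirtualCard:
        # Constructed 16-digit number; a real issuer assigns these from its own BIN range.
        number = "4111" + "".join(str(secrets.randbelow(10)) for _ in range(12))
        card = VirtualCard(number, **policy)
        self.cards[number] = card
        return card

    def authorize(self, number: str, merchant: str, amount_cents: int, month: str) -> Decision:
        card = self.cards.get(number)
        if card is None or card.closed:
            return Decision(False, "no_such_card")
        if card.locked_merchant is not None and merchant != card.locked_merchant:
            # The number has turned up somewhere it was never used: decline and alert.
            self.alerts.append(f"card ...{number[-4:]}: {merchant} tried {amount_cents}c, "
                               f"card is locked to {card.locked_merchant}")
            return Decision(False, "merchant_mismatch", alert=True)
        if (card.lifetime_limit_cents is not None
                and card.spent_total_cents + amount_cents > card.lifetime_limit_cents):
            return Decision(False, "lifetime_limit")
        month_spent = card.spent_by_month.get(month, 0)
        if (card.monthly_limit_cents is not None
                and month_spent + amount_cents > card.monthly_limit_cents):
            self.alerts.append(f"card ...{number[-4:]}: {merchant} would exceed the "
                               f"monthly cap with {amount_cents}c")
            return Decision(False, "monthly_limit", alert=True)
        # Approved: lock the merchant on first use and record the spend.
        if card.locked_merchant is None:
            card.locked_merchant = merchant
        card.spent_total_cents += amount_cents
        card.spent_by_month[month] = month_spent + amount_cents
        if card.single_use:
            card.closed = True
        return Decision(True, "approved")
```

The point of the model is that a leaked number is worth nothing to anyone but the one merchant it was first used with, and that even that merchant is bounded by the cap; a decline from an unknown merchant is the signal that the merchant (or its processor) has been breached, which is exactly the alert described at the top of the thread.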


> This is why I hate companies that force you to sign up to gain access to content

I always found Quora's use of dark patterns and baiting you in from search engines then blocking the content particularly egregious. Always made me surprised anyone held that site to such a high standing and I can only imagine it's because the advocates never knew how awful the experience was without an account.

I feel Pinterest is very similar in that way.


And LinkedIn. But they get away with it because their founders are well connected or well known in SV.


The deliberate positioning of logout at obscure locations was definitely part of it.


This is exactly what has me excited about the new content model for the web Eich proposes. I just commented in another thread [1] but essentially:

1. enable donations / tips / subscriptions to sites using a browser-native crypto wallet

2. use ZKP anonymity

This enables a publisher / subscriber business model of 'dollars without data'. Which should really be the Minimum Viable Product for a publisher.

PII data for marketing is the icing on the cake for publishers, but the bar is high (and getting higher) around sharing that, and many of us want to support sites, but don't want to go through N+1 payment gateways and digital identity forms just to read some content.

From this perspective I see Brave and BAT as enabling a very old model: I give you a quarter, you give me your newspaper. End of story.

[1] https://news.ycombinator.com/item?id=18595792


I'm very excited about Sovrin and other Self-Sovereign Identity solutions. As one of the engineers at Mainframe (we're building decentralized, unstoppable apps that keep data and relationships in control of the user) I think what you're talking about is one of the top two value-adds for decentralization for western societies.

Brave and BAT are attempting the same thing from a slightly different direction than we are--they are attempting to bring privacy to partially-decentralized apps; however, I don't think this will ultimately succeed--privacy is broken by the weakest link. As soon as you allow some connection to some server somewhere that's exfiltrating your interests, you now have advertisers lining up to buy that data and exfiltrate more. As far as I understand the "hybrid decentralized app" model, where DNS and web2.0 are allowed, you permit these weak links to exist.


A better solution to this is incorporating https://universallogin.io/ imo.


Companies hate users who don't want to sign up. They do not want that relationship. So it's a win-win if you don't sign up. Why would companies feel obligated to generate content for free?

If their systems get hacked and they have your snail mail address, they get your snail mail address as well. Email doesn't change that story.


Quora is all user-generated content that they monetize. They actually pay users to post questions (but not answers).


Is that why question quality is so low there?


Yes. The strategy is to generate SEO for every possible question someone could ask on Google and then link it to Quora.

It had amazing content in the early days and still has great answers, but the sheer number of nonsensical or slightly tweaked but endlessly repeated questions is driving away writers. Paying people to post these questions is just backwards.


Snail mail is already gotten. I get junk mail from 8 different past tenants at my unit, and I'm sure I'm still getting junk mail at all my old addresses. Google your name right now, and I guarantee you will find your address and other personal info on one of those dime a dozen background check sites, because companies have operated under the philosophy that your phone numbers and physical addresses are public facing information that you could find in a phone book, and are free to sell or pass along.


They (Quora) don't hate you if you get to their site via a Google referer. That's really shameful.


How do you know?


Tried it.


Quora does not generate content, its users do.


If your main concern is the sheer number of username/unique password combos, pick a good password manager that works well across the devices you use. I’ve literally stopped caring about this aspect of my family’s online life thanks to 1Password. That iOS 12 added OS level integration for the service was the icing on the cake for me.


Using a password manager (which I do) is a valid coping mechanism, but does not fix the root concern: for 90% of these cases, one shouldn't even need an account. I don't want personalization. I don't want some new identity to manage. I don't want a relationship with your service. I just want to browse the goddamned web! How did we get to this point where in order to use the Internet you have to sign up for all these free accounts and generate all these ridiculous username/password combinations?

Oh, and OAuth is a similar coping mechanism. You shouldn't need to log in to something to browse the web!


> How did we get to this point where in order to use the Internet you have to sign up for all these free accounts and generate all these ridiculous username/password combinations

We stopped using sites built by amateurs in their spare time and demanded "beautiful user experiences" that we didn't pay anything for. That costs money, so people who wanted to solve that "pain" looked for business models that meant they could deliver what people want without charging directly. Hence we have an Internet driven by advertising and privacy violation.


I propose the alternative view: we did no such thing.

We didn't demand shit. We only chose from what was available. People trying to make money on-line have, over time, perfected both the design and the business models. At every step of the way, we had a choice between status quo and this new service that's prettier and offers more, for free, with user-hostile monetization scheme that wasn't immediately apparent. Step by step, we've been had, like the frog in the boiling frog fable.


https://www.quora.com/How-does-DuckDuckGo-show-me-the-ads-th...

This model doesn't seem bad, advertising without tracking.


The web started to decline when we moved away from jQuery, and personal homepages. And when Google started to use brand name as a ranking factor.


That's only part of it. The other part is that - invariably - they get hacked.


Worth noting that they are end-to-end encrypted. So they would have to get their storage system hacked as well as push out malicious clients to collect secret keys in order to obtain your passwords.


That’s called life. There are risks. And, no one forced you to use such a platform, just look for another place


Agreed. I never would have thought that the problem that motivated Persona would have been solved this way... but the combination of TouchID/Face ID and 1Password has made account setup/maintenance sufficiently frictionless.



> This is why I hate companies that force you to sign up to gain access to content. I do not want that relationship.

I felt validated when I received the email from Quora about the hack to a fake email address and addressing me by a fake name.


This should be a service by password managers. Not just password generation but fake emails and details too.


Quora does not only want you to sign in, they want you to show your real identity instead of a handle or another pseudonym. For a simple online service, it should never be necessary to use your real identity, if only as a privacy-enhancing measure.


As a reminder: Last year, Quora moved to 'new anonymity', i.e., no more anonymity. I had received the following message on 16 March 2017:

Hello! We will be moving to the new anonymity on Quora experience very soon. If you would like to edit or delete your existing anonymous content in the future, please provide your email here before March 20, 2017. You are receiving this message because we have not yet received an email from you. Please note that if you do not provide your email by March 20, 2017, you will need to contact us using our Contact Form and selecting “I need help with my account.”


newanon would make great newspeak if someone rewrote 1984 for the modern world.


Suggestion: If you want to prevent the next leak from affecting your personal data then close your account (if you have one) and send them a GDPR Erasure Request: https://opt-out.eu/?company=quora.com#nav


Just last week I wanted to look up how much I bought some appliance for, five years ago. In the e-mail I see a link that is supposed to let me download the invoice... which of course no longer works because they have updated their ordering/billing system.


Also snail and email invoices automatically provide you with your own copy they cannot delete. In contrast to “past 12 months viewable online”.


Past 12 months viewable until we stop getting enough ROI to maintain the portal.


For that reason they normally provide download/print links. Sending invoices/statements/pii through 3rd-party corporations through email is a privacy concern. Companies need to be able to control the entire loop to ensure privacy, which is why they are moving to the portal model with email alerts.


I got an email that included “personalization data” in the list of data types that were stolen. The help page also says that information on “actions” was stolen.

Does this mean that every question or answer I’ve viewed is now in the hands of the attacker?


This is what I am wondering. Quora will email you after viewing a question with something to the effect of, “Still looking for answers to ____?”

Your email address and hashed password being exposed is one thing. That information plus your search history is quite another.


Very likely. They had really poor privacy practices. At one point, a 'feature' was displaying in a sidebar who all were looking at a given question. Great for people looking for resources on gay rights, domestic violence etc. /s


That's because a few years ago a website that let you login meant it was a "real" website. Look at phone systems. Every one you have to deal with says please listen carefully as our menu options have changed. Then they lead you through an audio menu with the same bullshit that turns a 15 second interaction into one that could last hours over multiple phone calls.

My point is people do cargo cult everything. Could the service be BETTER without forcing the user to sign up? Inconceivable! Everyone knows you should force users to sign up.


Use a social login. If you for example use Gmail for email, then it makes no sense to create a password as opposed to just logging in with your Google account instead.


I always do that when possible because I am lazy and it works too damn fine, but it is a nightmare from a privacy point of view.


> One new development is that you used to be able to get your invoices mailed via snail mail. Then that disappeared and you got your invoices mailed via email. Then that disappeared and now you have to create an account on some portal so that you can download your invoice. So that's one userid/password combo per business relationship or service that you use privately.

It's annoying being on the other end of this: management deciding, for cost reasons, that snail mail is out and email is in.

Somebody else then worries about the risks of emailing documents that contain private information.

I think a case can be made that some kind of email token login is the simplest solution here: passwords only introduce another attack vector since you can usually reset them by email.

Are there more elegant solutions to this problem?
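The email token login proposed above (commonly called a magic link), sketched in Python as an added example that is not code from any service in the thread. The `example.invalid` host, the 15-minute lifetime and the per-address request limit are assumptions. The points it is built around are the ones a defender would check first: the server stores only a hash of the token, so a leaked table yields no usable links; tokens expire and are consumed on the first redemption attempt; and requests per address are rate-limited so the login form cannot be used to flood someone's inbox.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Added sketch of a magic-link ("email token") login. Not code from any service
# named in the thread; host, lifetime and rate limit are assumptions.

TOKEN_TTL_S = 15 * 60           # a link is valid for 15 minutes
MAX_REQUESTS_PER_WINDOW = 3     # at most 3 links per address per window
WINDOW_S = 3600


class MagicLinkAuth:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending: Dict[str, Tuple[str, float]] = {}    # sha256(token) -> (email, issued_at)
        self.recent_requests: Dict[str, List[float]] = {}  # email -> request timestamps

    @staticmethod
    def _digest(token: str) -> str:
        # Only this digest is stored; a database leak does not reveal live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email: str) -> Optional[str]:
        """Return the link to send to the user, or None when the address is rate-limited."""
        email = email.strip().lower()
        now = self.clock()
        recent = [t for t in self.recent_requests.get(email, []) if now - t < WINDOW_S]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            self.recent_requests[email] = recent
            return None
        recent.append(now)
        self.recent_requests[email] = recent
        token = secrets.token_urlsafe(32)                  # 256 bits of randomness
        self.pending[self._digest(token)] = (email, now)
        return f"https://example.invalid/login?token={token}"  # assumed host

    def redeem(self, token: str) -> Optional[str]:
        """Return the address the token was issued to, or None if unknown, used or stale."""
        rec = self.pending.pop(self._digest(token), None)  # pop: single-use, even on failure
        if rec is None:
            return None
        email, issued = rec
        if self.clock() - issued > TOKEN_TTL_S:
            return None
        return email

    def purge_expired(self) -> int:
        """Drop stale records that were never clicked; returns how many were removed."""
        now = self.clock()
        stale = [h for h, (_, issued) in self.pending.items() if now - issued > TOKEN_TTL_S]
        for h in stale:
            del self.pending[h]
        return len(stale)


def token_from_link(link: str) -> str:
    """Extract the token exactly as the login page would receive it from the clicked URL."""
    return parse_qs(urlparse(link).query)["token"][0]
```

Note what this does and does not buy: the login is only as strong as the mailbox, which is the comment's own argument (a password reset through that same mailbox is no stronger), but the server side holds nothing an attacker could reuse, and the short lifetime limits the window in which an intercepted link is useful.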


Some thoughts cross my mind:

- what doesn’t get hacked? Isn’t life a continuous trade-off between risks and chances

- If you’re afraid you’ll expose private information, then just don’t use a platform like that?

- these platforms use user generated content, true. But they provide the platform and the product. I think that is a fair deal.


This is an example where they decided their business model trumped user security. It’s hard to monetize an easy to access collection of free data. I hope we can find better ways to fund internet services than by consuming data from the users.


Annoying as it is, it’s better than sensitive data in cleartext email attachments.


No, it is not. My email account is - obviously to say 'secure' as a binary proposition is inappropriate, but about as secure as anything on the Internet ever gets for most people. Training people to click an email link and type their password into the resulting page, by contrast, basically throws the entire concept of security out the window.


Email can be encrypted. Besides that most of the time these very same services have (broken) password reset processes that rely on that email address anyway so the security improvement is nil in practice.


No medical practice, HOA, etc. is ever going to ask its patrons to fiddle around with PGP. The receptionist is not going to ask my grandmother for her public key before her hip replacement. Email functionally cannot be encrypted unless all parties to the conversation are in a tiny cohort of computer enthusiasts.

Password reset is a noisy, active attack compared to eavesdropping somewhere in the path of an email.


They provide login with Google and Facebook too.

Would it be possible those logins are more secure?


Physical mail is hardly more secure than email. 'Literally anybody' could stand in front of your house and fish all the mail straight from your mailbox while you are at work.


It's more secure in that stealing mail off endpoints requires the physical presence of, and personal risk to, the thief, and it's not scalable short of getting an army. By contrast, email can be stolen in bulk by one person anywhere in the world, from the comfort of their home or office.


In 2013 a Quora moderator contacted me and demanded that I provide my real name, and information that my name is real, or they would ban my account. I tried reasoning with them that I just wanted to view content and did not intend to write answers or interact etc., plus they had a valid email address and Facebook profile (also a fake name on Facebook). They fought back: "we actually want proof of your real name like a scan of ID". I danced around and did not end up giving them a scan of my ID, but I changed it to my real name.

Today my information is probably leaked. Information I didn't want to give and that they threatened me for it.

Where is the apology Quora? From all the recent leaks this is the one that pisses me off the most, because it's the one that was forced unto me.


> I tried reasoning with them that I just wanted to view content and did not intend to write answers or interact etc., plus they had a valid email address and Facebook profile (also a fake name on Facebook). They fought back: "we actually want proof of your real name like a scan of ID". I danced around and did not end up giving them a scan of my ID, but I changed it to my real name.

I don't understand why you bothered arguing with them instead, I dunno, creating a new fake account?


This is exactly what I did. I had even provided my real name already, it just didn't fit in the Western firstname-lastname format that they assumed everyone had, and so they disabled my account. I tried showing them that this was the cultural norm here, but they wanted a govt ID scan to "prove" it - all for a glorified social network.

Instead, I created a new email ID, gave a fake name, and registered with that. I gave up on the site soon anyway, but now I'm glad they forced me into registering with fake details.


Can I ask why you wanted to view Quora's content so much? They flood Google search results but I've never seen a single substantial answer on there - it's like an off-brand Stack Overflow with an even worse "I know programming so I'm smart about every subject" problem.


My experience with Quora answers has been that they are blatant ads from people working on different companies.

Just search for anything like "what is an open source alternative to X" and the results will be a lot of people trying to justify why their Y paid option is a good solution for your problem.


I quickly stopped using Quora after finding the answers consisted solely of scam software (just didn't work), adware or stolen & rebranded software.

It seems to be popular with scammers and they have taken over.


In other areas it seems like it's people working on their craft of writing fiction, notably erotic fiction. Questions like "What's the naughtiest thing you've done at work?" generate those kind of responses. Which is fine, just don't expect me to believe it really went down like that.


They have a lot of great answers, especially by experts in the field. In the early days around 2011, I would spend hours just reading everything I could on the site.

These days the growth has masked all the good stuff with a layer of spam and general crap that’s hard to get past. Inevitable consequence of growing users but it has been managed poorly.


How did they know? Was your name obviously fake? My favorite feature of DuckDuckGo is that if you search "random name", it will actually generate a random name (e.g. "Marlon Lonzo"). So I use these random unique names on all websites that require one.


I've been known as John Smith, born 1/1/1970 for decades now


I'm starting to get lots of end of life planning service targeted ads as a result of using 01/23/45 as a birth date since forever ago.


Nice try, HAL9000 - you can't fool me

starts removing module cards


1000x this. Nextdoor did this to my parents. It's fairly ridiculous.

The state of personal data regulation in the US is abysmal. Unfortunately, if Cambridge Analytica wasn't enough to spur new regulation, I fear nothing will.


I can understand NextDoor at least. It’s very neighborhood based, and they need some way to verify that you live where you say you live. If people keep seeing membership in their neighborhood has included those who don’t live in their area, the main attraction of NextDoor will disappear.


I think you're trying to start a different conversation than what I had intended to point out by adding another anecdote to the original comment I was responding to.

Right now there is relatively little liability in gathering personal data about customers but huge benefits to doing so. I believe that there should be regulation governing punishments and protections for consumers whose data may be compromised or mishandled by corporate entities.

As it stands right now a company can leak personal data from their customers and face very few consequences. Rather, the negative consequences of customer data leaks are felt by the customer rather than the corporation that mishandles their data. This is a similar externality effect as pollution, where a bad actor's malfeasance generates a larger negative impact than what is directly borne by the bad actor itself.

We could discuss whether or not NextDoor has a legitimate use for personal identification data, but that's a tangential discussion. My point was supposed to be that any firm that gathers personal data should be assuming a greater amount of liability than they currently are.


The sad thing is that even if you received an apology, it would mean nothing, empty words repeated over and over and over.


Companies are not people and cannot have human attributes


Well, according to the US government, companies are in fact people for a wide variety of important purposes.


Repeating this is either willful misunderstanding of the law or parroting of outrage propaganda. We would all be much worse off if not for corporate personhood. There are aspects of it that are debatable (Citizens United ruling, which is the source of this tired meme), but without it you couldn't enforce contracts with a corporation after the employee who signed it left.


I got the same. And when I looked into it and found out the company was founded by former Facebook guys, I knew they couldn't be trusted and knew enough to jump ship.


It's so inconsistent. I was a Quora member for years and wrote a lot of answers as well as participating in a lot of discussions. Despite this I was never asked to confirm my identity!

I deleted my account last year (got cold feet as I was using my real name and picture and people I know IRL had started to stumble across some of my answers) but I'm sure my data is probably involved in this breach somehow.


Well that is a bit of a disconnect then. My 'name' on Quora was 'Pappy Butthead'[0] since ~2015. In fact, until I got the email from them yesterday, I had no idea I was even a user still, I'd completely forgotten I had jokingly signed up. I'd never gotten any spam from their team that harassed me into providing anything.

[0]not my actual user name, but something similar.


This attitude of theirs is what made me stop using Quora. I deactivated the account almost one year ago.

Never went back to that site.


If you have all this documented you have good standing in court! They failed to provide you a reason why they wanted your info, and now it's leaked and will cause you damage. File a small claims court case; this will add some extra headache that they don’t need right now.


Haha I never give it to them as well. Never put your real name, no matter what. They are ridiculous with these requirements. I'm waiting until the day they'll make a credit check to open an account


Really? Are you sure this was actually Quora and not a scammer?

Edit: Sorry if stupid question, but that would be throwing major red flags if I got such an email.


Just don't read it.


Let me write an apology for them: "the security and privacy of your information is our utmost priority"

Feel better, don't you?


And it must end with "-The Quora Team"

Because we will leak your data, but we won't bother designating a responsible spokesperson, be it security officer, CTO, VP of engineering or principal architect. It will be the all nebulous Quora team.


I feel like you're criticising just for the sake of it.

Firstly, this post is signed by Adam D'Angelo, the CEO and co-founder. If you had opened the link you wouldn't even have had to scroll down, it's literally on the second line, right after the headline. So clearly Quora doesn't do what you've accused them of doing.

Secondly, what good does crucifying one person do? I'm sure if they had written it such that one person was responsible for everything, a similar comment would have been written - "why make one person the scapegoat? The entire team should take responsibility!!"

I don't know anything about your experience working in software, but when there's a fuck up like this, it doesn't do any good to pin the blame on one person. You figure out where your systems failed, and fix the system after conducting a blame free review. If you start pointing fingers within the team, you'll never get anything fixed.


The email I received from them about my real name being leaked was signed with "The Quora Team". That's kinda ironic, don't you think?

But still, it is not about finger pointing and blaming one individual. It is about a spokesperson for the public.

The guarantee that things will improve. Someone who will handle announcements and communications with the public and will vouch using their real name and reputation that things will improve. Someone who will explain what went wrong and what actions are taken to ensure this does not happen again. Employee training in place? Tiered access to data and information for employees. Stricter policies, e.g. you can't take a database backup home? etc. etc.

Again, no crucifixion required, but pinning an identity can be good, because you know that there is someone, and who that someone is, that puts all their energy into fixing this mess.

Think of someone like Stamos at Facebook. I don't know if his contribution in the end was a net positive or not, but it is good to know that there is someone that is focused on the issue.


Per your second comment, that's fine as long as you have a flat responsibility structure (which usually means a flat pay structure too).

If you have a CEO they get paid more (supposedly) because they take on responsibilities. So, the buck should stop with the highest ranked officer who has responsibility (eg signs off payments/work) in that area.

If you don't assign blame, you can never improve your team, as there's no feedback. Assigning blame might mean retraining, it doesn't have to mean sacking (but could).


The email they sent out to actual users was signed "The Quora Team"


I really started hating Quora a while back, probably 3 years ago, and stopped collaborating. Mostly because "people" were spamming answers with marketing bs... So many answers start with "I'm Bob, CEO of MyCompany.com, I am an expert in this and that"

Most Quora users are hungry for answers and flood-request you to answer their question just because the system recommends them to do so. No matter how many times you pass, the system still keeps notifying you that "you are needed". Quora doesn't understand a no is a no.

IMHO -> There truly isn't any benefit on providing good answers on Quora, other than stroking your ego, might as well become a micro-influencer on Instagram.

Even worse most questions seem truly 1-Google search away and the answers are low-effort. Sure you do have some rare gems, and those are truly amazing to read. Alas, that's not often and spamming answers just for the sake of answering has become a reality.


I feel like questions like "Why is <insert my opinion here> true?" have become increasingly common too. That's like asking: "Please confirm my opinion, I don't want to learn anything new!"


There is one benefit of writing answers on quora: self promotion.

The last time I checked, both my Python & Go open source text books get decent views from Quora & reddit, daily.

That's why I just deactivated it and didn't delete.


A lot of the quora answers on topics outside of computer science and math are just plain wrong, especially in history, philosophy, and economics.


Wow. If this had happened a couple years ago, before they made all the anonymous entries truly anonymous, this would have been really ugly.

It's a valuable lesson in "don't keep data you don't need".

EDIT: A little backstory for non-Quorans. Until early 2017, anonymous Quora answers and comments were anonymous to the public but not actually anonymous in the database (they were still "your" entries). In early 2017 they (presciently) made all this content fully anonymous, even in the database.


Their doc says:

> Is content posted anonymously still secure?

> Yes. Anonymous content cannot be connected to user accounts, so content posted anonymously is still secure.

https://help.quora.com/hc/en-us/articles/360020212652


> It's a valuable lesson in "don't keep data you don't need".

Unfortunately, though, most companies operate under the "keep data you might eventually need" principle.


Not anymore, at least in Europe. The GDPR began to move things in the right direction.


And based on the bellyaching from tech companies from that piece of legislation, it will remain in Europe.


Weren't there some cases where people had made anonymous answers but there was a way to find out that they had written such an answer?


"Don't keep data you don't need" is actually ~illegal (IANAL, obviously) in the UK.


No, the lesson is: "don't give companies data they don't need".


> No

Both are valid lessons. One is from the businesses perspective and one is from the user's perspective.


True, agree with that


Retroactively, right?


I worked at Quora, but left before this change was made, but I believe it was totally retroactive, mainly because I got emails with information about my previous anonymous answers and a deadline to get the one-time link.

Now... if the emails were logged and in the exploited database, then all bets are off, but there's no indication that happened at all.

There are about a hundred other things about this that give me anxiety, but Quora is run by extremely competent people (engineering and otherwise), so I am pretty confident about their ability to be transparent and to know the extent of any issue.

This entire thing is really shitty for everyone involved, but given Quora's tenure (almost nine years!) that this is the first breach is pretty amazing, and that they've done so much work to make it less of a problem is great.

None of the above is meant to diminish the general dissatisfaction others are expressing here.


>given Quora's tenure (almost nine years!) that this is the first breach is pretty amazing

I am sorry but this is #ShitHackerNewsSays worthy. Let me fix it for you

>given Equifax's tenure (almost 119 years! Since 1899) that this is the first breach is pretty amazing

Better now? Downvote me if you want, but there are no pats in the back for having PII leaks, no matter the years.


There have been at least 5 different breaches (of varying impact) at Equifax in the past several years. (https://en.wikipedia.org/wiki/Equifax)

Another set of 5 data breaches at Equifax dating back to 2013 (some but not all of these overlap with the Wikipedia reference) (https://www.forbes.com/sites/thomasbrewster/2017/09/08/equif...)

I would not be surprised if Equifax has been "breached" more than a hundred times over its history. Do your research.


This is an understandable counter point. I don’t really agree but I appreciate it.


I don't know why you need to be so aggressive. You've made multiple comments on this thread, all in this vein.

Flagged.


He is not aggressive at all. Upset? Maybe. Aggressive? No.


As a meta point, the word "aggressive" has undergone significant scope creep in tech lately. It's worrisome that lots of people with influence have started to punish messages that, while polite, express explicit, forceful, and direct disagreement. The only remaining option is an indirect approach laden with false pleasantries and ambiguous language that leaves the reader confused about the actual state of agreement. We need to push back against false claims of aggressiveness.


Really? If I dismissed your comment with #ShitHackerNewsSays, you'd say that was a "forceful, direct disagreement"? Maybe you think this is great because "false" pleasantries are cut off, but for me that's aggressive.


This is the one which came to light.


Which is all that is worth speculating about and discussing in this thread, or are you suggesting otherwise?


I feel that this is becoming a standard narrative. SV company comes up with an idea, decides harvesting lots of user data is how they will monetize. VCs pump in a lot of money and expect their returns, so company is now forced to collect even more data aggressively (the sign-in wall that many others have pointed out is an example of this). VC pressure causes company to "innovate" fast, most likely trading off security for new features in the meantime. As this progresses and they become more valuable, they are then targeted by hackers, which causes some type of compromise of users' data.

Quora is an intimate medium — tied to real names, real and often deep interests. It's especially bad that this happened.

There needs to be a better way to realign incentives in this ecosystem, otherwise this story will repeat.


I'm still amazed to this day that people give real names to their online accounts. I'd never put my real name anywhere online. It works quite well for me and if my data is leaked, I'm still ok. Probably I should use more email accounts so as not to be linked, but it's fine anyway.


I think the success of Facebook and Google (being ad businesses) had a lot to do with this, i.e. "you are the product." If the trend to subscription businesses continues, do you think investors will approach how a company should scale differently?


At this point I am operating on the assumption that ALL businesses that have my data are going to inadvertently leak it at some point, and thus I am attempting to provide individual companies with as little information about me as possible.

The toughest ones here are my online banking and my online health portal, but other than that, I have gotten pretty picky about what information I give any company.


This is a healthy mindset to have.

I feel that for every company that self-reports a leak, there are multiple other companies that have leaked your data and either haven't discovered the breach, refuse to disclose it, or flat out sold your data to the highest bidder.


You would be correct. In the US, which I might remind you, does not have a national law on the books regarding data breach notification. Even at the state level, it varies pretty wildly; on top of that, most notifications are only required if there is evidence. So here is the challenge: what if I keep no logs, and have terrible security monitoring capability? If I am notified or discover a critical vulnerability on my own, but have inadequate logs to show or detect if it was exploited... am I required to notify? I have been told no (I fervently disagreed; I think suspected breaches, or critical vulnerabilities which may lead to breaches but were inconclusive, should still require notification).


>In the US, which I might remind you, does not have a national law on the books regarding data breach notification.

Our federal government is beholden to corporations, so I don't see any legislation ever happening to punish nor place a regulatory significance on breaches.

If the Equifax debacle didn't move the needle, nothing will. How they didn't get a death penalty for not protecting one of the supports of our financial system I will never know.

As the parent said, I've just assumed all my data will be breached eventually. When it occurs I dutifully sign up for the monitoring offered and make sure to review things on a monthly basis.

Your comment on breach notification is spot on. WISH.COM has suffered down line breaches in their process and it is easy to prove by the use of virtual credit card numbers ... numbers that are generated and used at only one site. They have been silent when it is reported to them.


> dutifully sign up for the monitoring offered

and then the monitoring company gets breached.

I don't give any real info besides my first name to any site that doesn't have a legitimate reason to need it. If they force me to confirm an email address, depending on the site, I may use one of my main emails, or may go generate a disposable address.


Still, I would have thought it is good practice to notify your users if you leak their data to thieves. Quora did the right thing and should be applauded.

As a counterexample, it seems that Newegg had a massive breach (thieves installed JavaScript that skimmed credit card numbers for weeks) in August, and even though my credit card was likely stolen, I never heard about it from Newegg.


Not sure why you didn't hear from Newegg, but they did send out a mass email notification with details of the breach.


I somehow got their email a week or so after the event, and after my card's fraud prevention called for suspicious activity, reverted the transactions and cancelled my card. The bank official was not aware of the leak.


They did? I never got anything from them. And I was definitely within the time window.


How did you find out they did that? Just following tech news?



I’m even more worried about the ones that don’t have the facilities to even detect and know they’ve been breached.


Yeah, I tag every email address I give to a vendor, and I have for years. It has helped me discover a number of breaches.

The address I gave Quora isn't in the hands of spammers yet, which is a mildly good sign. But normally it takes a while for an address to get out to the bottom-feeders, so we'll see.


> Yeah, I tag every email address I give to a vendor, and I have for years. It has helped me discover a number of breaches.

Can you go into detail on this? What exactly do you mean by tagging? Just wondering in case I want to do the same.


There are a few ways to do it, but I use what is known as subaddressing: https://tools.ietf.org/html/rfc5233


The only way to independently verify a leak is to have a third party create a couple of user accounts with unique passwords and set up a corresponding gmail / facebook honeypot account which would alert them to logins. If my quoraAcct2 password ever gets hacked and used to login to my fake gmail or facebook account, I know that quora was compromised. Works with any site.


Luckily your bank and your health provider probably have decent security, because those two industries face extra heavy fines for breaches.


Yes, heavily regulated banks and medical providers have wonderful security. You can see that they do whenever they require punctuation (but not spaces or $) in the password, and demand an 8 character password (but reject anything over 16 or 24 characters). /sarcasm

I especially like financial companies that have you login by using symantec VIP[1] which you append to your password. There's no way anyone thought that was a good idea. They did it that way because they had a worthless legacy authentication stack they couldn't rewrite, didn't understand 2FA well enough to implement it themselves, went with Symantec because "nobody ever got fired for contracting $importantfunction to $bigcompany", and the only way they could shoehorn any 2FA auth into their login flow was to concatenate it with the password.

[1] If you haven't had the pleasure of using it, it's a proprietary 2FA app that has a single seed per app install, shared between the app and symantec's database. It generates 6 digit codes that make it look similar to standard TOTP, but it's not TOTP. If you need to use it for multiple websites, you give them all the same seed hash (displayed by the app) which they use to synchronize your auth credentials with your account at symantec. IOW, it doesn't scale securely. There's also no way to have a backup 2FA device with this system; at least the two companies I've used it for haven't let me set up my account with two VIP apps on two different devices. Since normally you'll only have a single 2FA device using this Symantec VIP service, that means you have to go through a manual, insecure identity verification process to get back into your account if your one Symantec VIP device gets lost or broken.


Symantec's system does suck but there's actually a way to use it with Google Authenticator:

https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vi...


Interesting. So it's just a bunch of obfuscation and 3rd party api crap around a core of TOTP shared secrets between the app and symantec? Why don't they implement it that way, and make it transparent, so that their app can add multiple VIP credentials, rather than obfuscating everything, locking it down to a single shared credential for all sites?


Heavily regulated companies have a lot of Microsoft Word paperwork to fill out and months long approval cycles to wait through to get any work done, but even nastier, more bug- and vulnerability-riddled legacy codebases than the rest. Security is inextricable from software quality. Not exactly something EHR systems are known for.


And fixing things is very difficult because you have to go through endless approval cycles with the approvers mostly not being security experts.


Luckily we can trust banks and medical data collectors!!!

https://mobile.abc.net.au/news/2018-12-03/commonwealth-bank-...

Oh yeah. Right...


I work in medical devices and sometimes it feels like we have so much regulation that doing the right thing is too expensive and cumbersome. I wouldn't bet on banks and medical institutions to be extra secure. And Equifax has shown that a massive breach is not really hurting the company.


Data is binary: it has either been already leaked, or not yet.


If they get your data from brokers they may be building comprehensive profiles about you without your explicit permission.



I have an email address that I've only ever used as my AWS account email since many years ago. Somehow I started getting spam on it last year. It is not an address anyone could guess or somehow generate based on other data points such as name or otherwise.


Many of us who operate our own mail services use a unique email address for every web service we use. You'd be surprised how many of these unique email addresses I've received spam at (and have subsequently blackholed). I would estimate less than 50% of the associated services ever report a data breach event. I figure either there has been an unreported breach or, possibly more likely, the service sold their userlist either directly to spammers or sold it to another group who was themselves breached. The upside, though, is that blackholing an address used for a single service is super simple and satisfying.


As an anecdote to that:

I've received recruiter spam to "<my_email>+fuckyouadobe@gmail.com". Turns out when I was forced to sign up for an Adobe account years ago I'd added "+fuckyouadobe" to my email and, of course, Adobe was inevitably hacked. The leaked database had somehow made its way into recruiter software. The recruiter told me their vendor and when I got in touch with them (Aevy.com) they, of course, had no idea how that email got there.

Sadly these days people are probably smart enough to strip out these additions to gmail addresses. I would guess that's what Aevy did after I reached out...


I do something similar using https://www.spamgourmet.com/

Although many services are getting wise to many of these services and not letting you sign up with their domains.


I would guess most companies are not in the business of selling their user email lists, but rather, shared the user's email with a third-party company that provided some service, and that third-party company then sold it.


You can do this with a gmail account too. If your email address is johnsmith@gmail.com...the following addresses all fwd to your main address

John.smith@gmail.com

Johnsmith+quora@gmail.com

Johnsmith+equifax@gmail.com Etc...


I used to use this technique for many years, but occasionally ran into issues with form validators rejecting the email address. I finally stopped because I never got spam from those email addresses (even in spam folder). I figured it's trivial for spammers to strip out the extra text, any half-decent spammer should know this trick. Also, I suspected they might change the +text to put the blame on someone else.


Can't the spammer just s/'\+.*@'/'@'/ or something and throw away the + sign and all that follows? Or the company could do this if they were selling your email address.


While we're on the subject, all combinations of dots are equivalent. this.isme and th.isisme and thisis.me, etc. Finite variety, but good enough for a few generic throwaways and never filtered or stripped that I've seen.


I use domain.tld@subdomain.domain.tld combined with a catch-all address for that sub-domain. It gets around various email validation regexes that won't accept +.


Do you have any more info on running your own mail server? I looked at doing so but was promptly steered away because of blacklisting, servers that allow it and redundancy.


Can't recommend FastMail enough - it has aliases which automatically forward mail from xyz@alias.yourdomain.com to your alias@yourdomain.com. This is very similar in practice to the + trick with gmail[1] but with the benefit that your email addresses will pass all stupid Javascript email validation rules.

[1] https://www.thewindowsclub.com/gmail-address-tricks


You can also set up wildcard aliases, e.g. I have the equivalent of *@example.com, leading to addresses like hackernews@example.com.


Been using Fastmail for ages... great provider.


I'm not sure what the up or downsides would be, but I personally just have all mail sent to *@mydomain.tld forwarded to a single email address. This way I can give each service a unique email address, while preserving the ability to divine whether a particular address has been lost or stolen, by looking at the sent to field.

Well, there's the obvious comfort of having all your mail in one place -- and all the obvious disadvantages that entails, I suppose.
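Putting the tagging schemes from the comments above together, here is an added example (not from any commenter) of how a tagged-address mailbox can be audited to attribute a leak: it recognises both RFC 5233 subaddressing (user+tag@domain) and a catch-all subdomain (tag@alias.domain.tld), and shows why the plus form loses attribution once someone strips the tag. The vendor names, domains and sample messages are all constructed.

```python
import re
from email.utils import parseaddr

# Constructed example domains: the main mailbox and a catch-all subdomain.
BASE_DOMAIN = "example.com"
CATCHALL_DOMAIN = "alias.example.net"

# Vendor label -> sender domains that vendor is expected to mail from (assumed).
VENDORS = {
    "quora": {"quora.com"},
    "water company": {"waterco.example"},
    "newegg": {"newegg.com"},
}

# Address handed out -> vendor it was issued to (constructed registry).
ISSUED = {
    "me+quora@" + BASE_DOMAIN: "quora",
    "me+waterco@" + BASE_DOMAIN: "water company",
    "newegg@" + CATCHALL_DOMAIN: "newegg",
    "quora@" + CATCHALL_DOMAIN: "quora",
}


def normalize(addr):
    """Lower-case a bare address; reject anything that is not local@domain."""
    _name, bare = parseaddr(addr)
    bare = bare.lower()
    return bare if bare.count("@") == 1 else None


def tag_of(addr):
    """Recover the vendor tag from a tagged recipient address, or None.

    Subaddressing: me+quora@example.com      -> quora
    Catch-all:     newegg@alias.example.net  -> newegg
    A plain me@example.com carries no tag.
    """
    local, domain = addr.split("@")
    if domain == CATCHALL_DOMAIN:
        return local
    if domain == BASE_DOMAIN and "+" in local:
        return local.split("+", 1)[1]
    return None


def strip_plus_tag(addr):
    # Mirrors the sed-style substitution from the thread: drop "+tag" before "@".
    # A list seller or spammer can do this, and attribution is gone with it.
    return re.sub(r"\+[^@]*@", "@", addr)


def audit(message):
    """Classify one inbound message (dict with 'from' and 'to' header values).

    Returns (verdict, detail):
      ('ok', vendor)          sender domain is one the vendor is expected to use
      ('leaked', vendor)      address issued only to that vendor, but a stranger used it
      ('unregistered', tag)   tagged address that was never issued (a guessed tag)
      ('untracked', None)     plain address, nothing to attribute
    """
    sender = normalize(message["from"])
    rcpt = normalize(message["to"])
    if not sender or not rcpt:
        return ("untracked", None)
    vendor = ISSUED.get(rcpt)
    if vendor is None:
        tag = tag_of(rcpt)
        return ("unregistered", tag) if tag else ("untracked", None)
    if sender.split("@")[1] in VENDORS[vendor]:
        return ("ok", vendor)
    return ("leaked", vendor)


def leaked_vendors(mailbox):
    """Vendors whose issued address showed up with an unexpected sender."""
    return sorted({detail for verdict, detail in map(audit, mailbox) if verdict == "leaked"})


# Constructed sample mailbox (not real traffic).
SAMPLE_MAIL = [
    {"from": "Quora <noreply@quora.com>", "to": "me+quora@example.com"},
    {"from": "offers@cheap-pills.example", "to": "me+waterco@example.com"},
    {"from": "recruiter@aevy.example", "to": "quora@alias.example.net"},
    # Same leaked plus-address after the tag was stripped: no attribution possible.
    {"from": "offers@cheap-pills.example", "to": strip_plus_tag("me+waterco@example.com")},
    # A tag nobody was ever given, i.e. someone guessing the scheme.
    {"from": "offers@cheap-pills.example", "to": "me+amazon@example.com"},
]

if __name__ == "__main__":
    for m in SAMPLE_MAIL:
        print(m["to"], "->", audit(m))
    print("leaked:", leaked_vendors(SAMPLE_MAIL))
```

The catch-all form survives the regex because the tag is the whole local part, which is the practical reason several commenters prefer it over the gmail "+" trick.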


I am using a separate email for each website, using the catch-all email feature.

It helped me find out a couple of local companies that are selling my data to spammers.


You wouldn't know where the data goes to anyway even without any unintentional leaks. No need to provide more than necessary.


That being said, I wonder if it's a good idea to extend KeePass to generate full credentials for given website.


This mindset reminds me of the following "laws":

Anything that can go wrong, will go wrong [0]. Anything that isn't disallowed by quantum mechanics, will eventually happen [1].

So, if businesses made it cryptographically impossible to leak data, maybe it wouldn't happen, assuming it is even possible to make it impossible...

[0] https://en.wikiquote.org/wiki/Murphy%27s_law

[1] https://en.wikipedia.org/wiki/Totalitarian_principle


Anything that can go wrong, will go wrong at the worst possible moment (Sod's law).


https://blog.quora.com/Quora-Security-Update seems to be misleading, especially the introduction. They start with 'some user data was compromised', however, it seems that for 'approximately 100 million Quora users' – that's basically all users! – all user data was compromised …

In addition, many questions remain open, for example: Which 'leading digital forensics and security firm' is working for Quora?

I hope for Quora that they met their 72-hour deadline according to the GDPR. Looking at https://www.quora.com/about/privacy, it does not look as if Quora was / is GDPR-ready. They do not mention any legal basis for the processing (art. 13 GDPR) and they do not inform about their GDPR data representative in the EU (art. 27 GDPR).


I’m going to guess that precisely nothing will happen to them under GDPR.


There can only be one digital forensics and security firm in the lead, right? All of the other firms are trailing...


This is more like "leading experts" - there's no "best expert". Just marketing…


I think at this point it should be standard practice to say what hashing algorithm is used in passwords when disclosing a breach.

The email I got from Quora just says “encrypted” passwords, and while the blog post says “hashed”, it doesn’t say what algorithm. For all we know it could be something useless like MD5


This comment should be voted to the top of the conversation. "Hashed" means absolutely nothing these days.


It'd be useful in the sense that you'd be able to warn others, but for your own password you should be using a password manager with auto generated random passwords. That way the only thing you need to do is change one password on the leaked site.


That's exactly my point. I use 1password to handle my logins, but most people I speak to use the same password for everything, so knowing how likely it is that other services could be compromised due to this is vital.


So I'm not a security expert, so I ask this in real earnest to learn: what is it that these companies keep doing wrong, and/or why aren't they adjusting to the climate that these types of attacks are increasing over time?

Or are they trying to adjust, and the attacks are getting so sophisticated that the pace of investment in counter-measures is below that of the pace of advancement in the complexity of attacks?

Or something in the middle?


As an example, consider an army attacking a defending army. The defending side is as good as the weakest member, because you can presume the attacking side to be looking for the weakest part and attacking that. On the other hand, the attacking side is as good as the strongest member, and having a few weaker members is ok. It is generally harder to make sure you have uniformly good defense, than getting a few really good people to spend dedicated time attacking.

Of course, this model assumes that as soon as you have penetrated the perimeter, the rest becomes easy. This is the more traditional model. People are increasingly adopting a you-are-already-hacked approach, which makes it harder to move laterally once someone gets in. However, the general challenge still applies.


It’s a whole lot of things, but first and foremost and probably the simplest explanation, security is hard. Incredibly hard.

Once you understand how difficult attack mitigation is, then you can pick and choose from a variety of factors:

- executives may not have a realistic understanding of how difficult attack mitigation is so they don’t allocate the resources for hiring

- incompetent admins overestimating their abilities

- competent admins who are underfunded

- incompetent admins who underestimate the value of the data they’re protecting

- competent admins who may not have an accurate picture of what data they’re trying to protect so their threat model is flawed due to inaccurate information

- executives who are aware of how difficult mitigation is but don’t place customer data privacy as a priority.

- the current iteration of our growth obsessed corporate models unintentionally results in a race to the bottom in many ways.

- little incentive for companies to factor in social impacts as we don’t yet seem inclined to figure out a way to include impacts on society as one of the many metrics to measure a company’s success or failures.

It’s worth remembering though, even the most responsible, most well funded, most security conscious, and best staffed organizations have been compromised at one point or another—security is hard.


An organization running original software on the internet first needs to be preventing vulnerabilities in its own codebase. Nothing “admins” do is going to help much if the application itself is full of SQL injection and direct object reference. You can have impeccable configuration, firewalls, etc. and not even be playing the game.


Absolutely. Apologies if I indicated my list were the only possible issues at play.


Security is not too difficult on a decent network. There are several that meet Federal requirements. The problem is that the Web design was leaky in the first place. The companies that specified it wanted free flowing data above all else with authentication behind the firewall. But the W3C browser is not secure. Tim's comments notwithstanding, this occurred on his watch. We're due for a serious network, not another toy.


Information security is inherently asymmetric in offense vs defense:

Offense needs only one hole, whereas defense needs to plug all, including human behaviors. When the offensive side finds a new attack, they can often try and see which of the victims are vulnerable, thus the offense can pick and choose among many potential victims, whereas the defensive side needs to defend from all attackers. The information, once leaked, can't be recovered - i.e. once an exploit is successful, there's no "recovery" available.

All of those factors combined make defense orders of magnitude more difficult - in terms of careful attention to detail, in terms of manpower, in terms of human training and vigilance, etc. For those reasons, the best defensive strategy is to minimize the information you need to protect.


No harm comes to the company after a breach so from their perspective there is no risk. Since there is no risk there is no need to improve security or reduce retained data.

It’s not really a security issue as much as an incentive issue.


Sadly, security is still hard in a lot of cases, and most everyone (product / developer / customer) is fixated on features and performance. Security is only important when it fails (very much like availability) - and by then it is really hard to retrofit.


In this particular case it doesn't seem too bad. Someone's name and address are not (or should not be) particularly sensitive information. Passwords are, and that's why best practices only keep a one-way function of the password ("encrypted" implies that it can be decrypted to plaintext, which should not be the case).

Luckily you can sign up for Quora with any name and email. You have to assume that no matter how hard a site tries to protect your info, it will get compromised sooner or later. The best they can do is what Quora does: demand as little info about you as they need.


For anyone who missed it in Quora's post, passwords were salted and hashed, which makes it functionally impossible to decrypt en-masse. Targeted attacks (trying to discover a specific user's password) may or may not be feasible, depending on if the salts were retrieved, how many iterations and which hashing algorithm was used, and the processing power available to the attacker.


It's not the companies, it's the internet itself. The internet is only composed of communication protocols, with security as an after-thought. The solution to this is incorporating security at the protocol layer, which is the end game of crypto platforms like Ethereum.


I am not convinced by this narrative. I would rather assume that like any ordinary project, Quora also was developed with zero security in mind. I would bet a huge amount that no one has ever said during any project meeting `BTW. I think we should spend 2 more months implementing every detail securely`. Probably security was an afterthought.


Security is always an after-thought. That's the problem, there's no financial incentive to keep your data secure.


Effectively nobody is secure against an insider threat. Whereby I mean a sales agent who clicks offer.pdf.exe. Which allows an attacker to find your internal traffic stats billboard running last years unpatched drupal. Which has MySQL creds for your database sitting on it.


They aren't being incentivized hard enough. Security costs money and can be inconvenient both for you and the users, which is not good for startups.

In addition to that, attackers only have to get lucky once, the defenders have to check every entryway.


In addition to what others mentioned, hackers usually have very high patience; it pays off over time.


It's genuinely hard to imagine a second-rate question and answer site could have any credentials, or indeed any non-public content, that anyone else could be interested in. From the list of what's been taken, it sounds like it's mostly email and hashed passwords, though I suspect Quora's user base is not entirely populated by people committed to a strict one-off password policy.

Happily I get to once again bemoan the disappearance of JCSV, who was astounded that Quora was still a thing five years ago: http://jesuschristsiliconvalley-blog.tumblr.com/post/4896203...


The Quora link to more details is a masterpiece of corporate obfuscation. Posing as a FAQ, it presents questions, then proceeds to not answer them (at least, as of a few minutes ago).

https://help.quora.com/hc/en-us/articles/360020212652

What happened? - not answered in any detail

What kind of user data was affected? - answered!

How do I know if I was affected? - not answered

How was it brought to your attention? - not answered

How many Quora users are affected? - not answered


All of these appear filled out now.

Quora is good about responding quickly, which should be appreciated. That the FAQ wasn't fully filled out was just because it was being filled out. I know this can be an awkward experience for someone who immediately sees and responds to the tech news, but a bulk of their users won't be that profile. They got the framework for response laid out immediately, and are working on the responses. This seems pretty solid.


They were already filled out, but with non-answers. For example:

> When did you first learn of the issue? How was it brought to your attention?

> We first learned of the issue on November 30. Upon learning about the issue, we immediately launched a comprehensive investigation and remediation effort.

There is absolutely nothing in there about how this was brought to Quora's attention. Did they see identities for sale on the dark net? Were they approached for a ransom? Did a user inform them? Nothing.

The other questions ditto.


Ah OK – I read this wrong then. My bad. I am confident, or at least optimistic, they will make improvements, if not, then I'll let you know how my foot tastes.


Seems like a complete database exfiltration. Quora advertisers also had info compromised from a separate email notice:

  - Account information available on the Ads Manager account settings page.
  - The email address provided for notifications about your ad campaigns.
  - Campaign structure and setup, including information like budgets, schedule, bids, targeting, and ad information.
  - Notifications that were in your Ads Manager, such as ad paused, logo approved, and ad ready.
  - Audience setup information available on the Ads Manager audience page such as types and creation date.
  - Partial credit card information, including name, expiration date, and the last four digits of the credit card.


No system is breach-proof; security breaches happen. We as engineers should strive to reduce the break-ins and diligently push for high standards nevertheless.

Having said that, this is pretty much a perfect response to the situation.

1. Quick turnaround from the breach to the announcement

2. Concise description of what happened

3. Owning the mistake

4. Update of their mitigation

5. Promise to follow up & actionable items.

6. Additional technical detail for the more interested: https://help.quora.com/hc/en-us/articles/360020212652

It sucks that this happened, but for that alone I'd like to applaud the Quora team. Yes, it would've been great if they didn't have to force me to sign up in the first place. It would've been great if this breach had never happened. But for the context, they're handling the issue as well as possible.


This is all bullshit. My data is all over the place. At this point I expect none of my personal data to be private. These last few weeks alone my data was stolen from British Airways, Cathay Pacific, SPG/Marriott, Quora. As users we are completely powerless.

Time for change. Time for intelligent heads to come together and think about what a better internet security architecture needs to look like.


I'm half afraid that some sort of Cambridge Analytica type firm is buying these on the dark-net and merging all the data-sets together trying to put together even more accurate psychological profiles.


I wonder how easy it would be to piece together all these breaches with any degree of accuracy to build a "complete picture" of an individual.

Say your name, email address and social get leaked in one 500m user dump and your email, passport number and actual address in another. I've never worked with datasets on this scale, hence the ignorance.

Maybe it's possible for one person of interest, but how complicated would it be to match up everything?


I’ve often wondered if I am helped by my practice of using [servicename]@[mydomain.com] for each service I sign up for. I used to do it to help control and track spam, then I stopped when spam stopped being an issue. But now I feel like no longer having a single unique key to correlate my data across different leaked data sets might also be a benefit.


Exposed Data:

---

Based on what we have learned, some of our users’ information has been exposed, including:

- Account information (e.g. name, email address, encrypted password, data imported from linked networks when authorized by users)

- Public content and actions (e.g. questions, answers, comments, upvotes)

- Non-public content and actions (e.g. answer requests, downvotes, direct messages)

Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.


From an email I got

---

What information was involved

The following information of yours may have been compromised:

Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data

Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes

Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)

Non-public actions, e.g. answer requests, downvotes, thanks

Non-public content, e.g. direct messages, suggested edits

Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.


I always found Quora's demand that I make an account merely to read, like Pinterest, extremely rude. I don't think I ever gave in and made an account but I suppose I can find out now.


Interesting (to me, at least) that the regular Quora update emails land in my inbox (or in the Social tab in Gmail, anyway), but the security breach notification was spam filtered...


Well they probably sent a shit-ton of emails in a short timespan to notify most if not all users which could have triggered spam algorithms.


I recently got an email from Quora, "you read XXX, did you find what you're looking for?"

I don't want every site that I visit sending me an email every time I click on a Google result.

I hit that SPAM button as fast as I could.


That's lame, but one must always remember that information leaks are happening in almost every company out there. The way we build and run systems is not adequate, unless very large efforts (like in the case of Google) are made in order to try to limit the attack exposure, but this is not for everybody cost-wise IMHO. It makes more sense for companies to limit the amount of data they ingest. In this regard it's very bad that Quora or LinkedIn force you to log in just to see content. As a user, if you want to live under correct expectations, assume that your real name and profile picture, and possibly a hashed password, are always automatically leaked.


> ...there’s little hope of sharing and growing the world’s knowledge if those doing so ... cannot trust that their information will remain private.

Here's a crazy idea, circa 1990's: don't store their personal information! Allow people to browse Quora without using their real names. I'm very happy I deleted my Quora account when I did.


So you're under the impression Quora actually deletes all information related to your account when you click on delete? I'd be surprised.


My take on Quora and business like them:

They are hiring people based on leet code questions and school prestige and not based on real technical knowledge about systems. Their business people are top school MBA grads with no security domain expertise. They then proceed to build massive data collection programs using open source tooling that none of them fully understand. Their business model depends on that data and monetizing it in various ways. And so the complexity of their application goes through the roof with regards to user data. Their user facing web apps are the tip of the iceberg for a massive surveillance scheme.


> They are hiring people based on leet code questions and school prestige and not based on real technical knowledge about systems

Isn't that true for almost all companies based in Silicon Valley?


The big companies, Google/Fb/etc, hire that way but they also bring on niche experts. Leet code at those companies is for the code monkeys. They hire the people writing the ML/distributed systems/security code out of PhD programs and targeted hiring. There's more to it, don't feel like typing it all up.


One thing I would like to do is have various US Senators send letters to the major corporations, and perhaps even large open source groups (like npm), and ask them, proactively, what they are doing to secure the data of citizens around the world.

There is something called the Cybersecurity Bipartisan Caucus in the US Senate.

I have found calling these senators (which I have never done before for any politician about anything) extraordinarily helpful and gratifying. I have even explained that I don't live in their state, and yet they still listen and clearly need the advice from good security/sysadmin people (like asking them why Facebook still doesn't have a CSP Security Header).

It was only 6 days ago that the "International Committee on Privacy", made up of Senators from countries around the globe, met in London to question Richard Allan, VP of Privacy at Facebook. Mark Zuckerberg rejected the request for his attendance.

[1] https://www.warner.senate.gov/public/index.cfm/cybersecurity

[2] https://www.parliament.uk/business/committees/committees-a-z...

[3] https://www.youtube.com/watch?v=1P97ubLDbJI


It's strange that:

- the linked article says the breach included hashed passwords, but makes no mention of salt

- the help page says they're forcing affected users to change their passwords

If the passwords were salted before being hashed and stored, then:

- Why not mention it, so users (especially those who don't use unique passwords on every site) know that it's not trivial for their password to be found?

- Why force people to change their passwords?


From the email that I received from Quora:

> the passwords were encrypted (hashed with a salt that varies for each user)

Looks like the article says the same thing.


At the time I posted my comment, the web page said:

encrypted password (hashed)

Now it says:

encrypted password (hashed using bcrypt with a salt that varies for each user)


The folks asking for snail mail are joking right? Snail mail is an obsolete relic of a time gone by, and belongs in the dust-bin of history alongside buggy whips, wood fired steam engines, betamax, etc.

Personally I'd pay to be able to stop getting snail mail. If it weren't for the one or two rare pieces of semi-important crap that show up, sent by dinosaurs that don't realize we aren't living in the 20th century anymore, I'd quit checking my physical mailbox once and for all. I mean, it's not like 99/100ths of what comes in there isn't junk catalogs, fundraising letters from politicians I hate, sales flyers from stores I hate, bills that I pay online already, mail meant for the previous residents, etc. But unlike email spam, it actually costs me effort to scrape that garbage out of the box and haul it to the dumpster.

Blech. Personally, I want no part of it.


> encrypted password

I hope they mean hashed, not encrypted.


Did a double take at this too, but they clarified that it means “hashed with a unique salt” later on. Not a good word choice for a summary though!


Probably written this way because this is a release for the general public. I would imagine most people expect passwords to be "encrypted" and don't know what "hashed" means, and they correctly assumed technical people will keep reading for more info


All the more incentive to inform people what hashing means.


They do indeed, but then for some reason, they also say "this breach may have exposed ... the password you used" [0] which is a statement I think is wholly incompatible with the notion of "hashed with a salt that varies for each user" (but please let me know if I'm incorrect).

They can rightfully say "encrypted" to a lay audience because the definition of encrypted is not so strict as to require decryptability, but why would they say that the password might be exposed?

[0] https://help.quora.com/hc/en-us/articles/360020212652


It's reasonable your password might be exposed since the attacker can now perform an offline brute force attack on the password hashes.

How likely it is your password gets brute forced really depends on the hash function used. If it's md5... all but the strongest password could be broken. (though at least the passwords were salted). If they're using something like bcrypt with a work factor of 10+, it's a different story and only the weakest passwords are at serious risk.

The fact that details on the hashing scheme aren't shared makes me assume it's not great...


If the salts were stored with the passwords, it might be possible to brute-force any single (simpler) password by testing lots of salt+guess combinations. Salting only really protects against rainbow tables (pre-computed guesses for lots of passwords).
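To put numbers on the two comments above (the hash function deciding how far an offline guess gets, and per-user salts only forcing each account to be attacked separately), here is an added Python example; it is not code from Quora or from anyone in the thread. It stores and verifies passwords under a fast salted MD5 and under the standard library's PBKDF2-HMAC-SHA256 (standing in for bcrypt), and measures the factor by which the slow scheme multiplies the cost of every offline guess. The iteration count and user names are assumptions of the example.

```python
import hashlib
import hmac
import os
import time

# Assumption for this added example: a modest 2018-era PBKDF2 work factor.
# bcrypt cost 10, scrypt or Argon2 would play the same role in production.
PBKDF2_ITERATIONS = 100_000


def fast_salted_md5(password: str, salt: bytes) -> bytes:
    """Legacy scheme: a single MD5 over salt||password.
    The salt defeats precomputed tables, but each guess costs one hash."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def slow_pbkdf2(password: str, salt: bytes,
                iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deliberately slow scheme from the standard library:
    PBKDF2-HMAC-SHA256 with a per-user salt and a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations)


def new_record(user: str, password: str, scheme) -> dict:
    """Store one user: a fresh random salt plus the digest of the password
    under the given scheme. Salt and digest sit together, as in a real table."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "digest": scheme(password, salt)}


def verify(record: dict, password: str, scheme) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    candidate = scheme(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def same_password_distinct_digests(scheme=fast_salted_md5) -> bool:
    """Per-user salts make two users with the same password hash differently,
    so work spent on one account's hash does not transfer to another."""
    a = new_record("alice", "winter2018", scheme)  # constructed sample
    b = new_record("bob", "winter2018", scheme)    # constructed sample
    return a["digest"] != b["digest"]


def guesses_per_second(scheme, trials: int) -> float:
    """Candidate passwords one core can push through the scheme per second.
    This is the legitimate verifier's cost, and equally the cost of one
    offline guess against a leaked salt+digest pair."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        scheme(f"candidate{i}", salt)
    elapsed = time.perf_counter() - start
    return trials / elapsed


def slowdown_factor() -> float:
    """How many times more expensive each offline guess becomes when the
    leaked table used PBKDF2 instead of salted MD5 (larger is better)."""
    fast = guesses_per_second(fast_salted_md5, trials=20_000)
    slow = guesses_per_second(slow_pbkdf2, trials=5)
    return fast / slow


if __name__ == "__main__":
    # Constructed sample users; the passwords are examples, not real data.
    table = [new_record("alice", "correct horse battery", slow_pbkdf2),
             new_record("bob", "hunter2", slow_pbkdf2)]
    for rec in table:
        print(rec["user"], "salt", rec["salt"].hex(),
              "accepts 'hunter2':", verify(rec, "hunter2", slow_pbkdf2))
    print(f"salted MD5 guesses/s: {guesses_per_second(fast_salted_md5, 20_000):,.0f}")
    print(f"PBKDF2 guesses/s:     {guesses_per_second(slow_pbkdf2, 5):,.1f}")
    print(f"slowdown factor:      {slowdown_factor():,.0f}x")
```

The measured factor is what separates "only the weakest passwords are at risk" from "all but the strongest are at risk"; raising the iteration count (or bcrypt cost) moves it further in the defender's favour at the price of slower logins.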


Whose password hash would it be? I.e. could it be a linked account's password?


So glad to hear they were following the best practices from the previous millennium.


Thanks, I missed that tidbit in my initial pass through!


They don't mention the hash function anywhere so I'm assuming MD5.


If they don't mention it you could assume any one of the commonly used hash functions.


Sure, but if you're using a good one you usually say what it is. "Salted and hashed" is usually MD5 or SHA1, both of which provide almost no deterrence to brute forcing.


So MD5?


I hope they mean at least pbkdf2-hmac-sha256 with sufficient rounds.


>I didn’t know I had a Quora account. How is it that my email or information was exposed? You may have signed up for Quora some time ago. While you might not have regularly visited or used Quora, your account remained, and this breach may have exposed some of your information, such as the email address you signed up with, the password you used, or actions you took on Quora.

Would be nice if websites measured user activity and could 'lock out' or otherwise release their data if they never use the site; at least, confirm with said user via email if the account is needed.

But in this era, I'm sure companies would prefer to keep whatever data they can get.


Byond (2d tile/sprite based online gaming platform) does this. After a year of no activity they inactivate your account, and delete the hashed password. You have to reset your password to regain access.


In other cases customers have had trouble filing individual lawsuits for damage because the companies successfully argue that the information--usually credit information--doesn't belong to them, it belongs to the credit card companies.

However, in this case, there is no credit card information to muddle up or confuse a case. It's only a user's personal information--private messages, moderator requests, reports against other users--that has been compromised because they didn't collect credit card info. And there's an enforced "real names" policy that makes it identifiable.


From reading the details it looks like almost all user data (and every user's data) is compromised. Using the word "some" should be illegal in this instance.


Is Quora legally liable for compromised data? Making companies legally liable for compromised data might be one way for them to be scrupulous about minimal data retention.


Actually, I was looking at an answer last night and couldn't see it because my account was logged out. This happens on Chrome from time to time, so I didn't think much of it. But, when trying to log back in it said my password was incorrect. This was before the announcement.

I wonder if some had their details reset altogether? Either way, this looks like a major breach considering the value of people who have signed up with Quora.


Quora would not allow you to read multiple answers by clicking on "similar questions" (on the side) without creating an account.

And then this happens!


Valid point. If you're aggressively farming data, so much so that you log them in automatically if they are logged into the google account then you better be careful with data too


The post states:

>"We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party."

"Some user data"

Then goes on to say:

>"For approximately 100 million Quora users, the following information may have been compromised:

> Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users

> Public content and actions, e.g. questions, answers, comments, upvotes

> Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)"

Wouldn't this be closer to "all user data was compromised"?

It seems absurd for them to state "some user data was compromised." That's seems like a pretty comprehensive list of user data. What else would there be?

This is a company that for years forced account sign up and obscured user generated content even for users who just wanted to browse unless you created an account. Seriously fuck Quora.


I've started keeping a log of all information I provide to a company: addresses, phone numbers, names, social security number, etc... I started doing it just to keep track of everywhere I need to update next time I change address, phone, cards, and emails at the same time[1], but it's been eye opening to watch the list grow.

I think of it as something like a reverse password manager; instead of "here's a website, what's my data", it's "here's a bit of information about myself, who has it?"

It's a pain keeping that list updated but at this point I'm so hooked on being able to see my personal info leak out into the world bit by bit that the friction is worth it.

I'm still trying to figure out what I should do with the data I have on myself, if anyone has any suggestions.

[1] That situation seems sketchy seeing it written down like that, so just want to explain that it's because I moved to a different country (address, phone, credit cards) and away from gmail at the same time.


How were the passwords hashed? Wait. You know what? At this point it doesn’t matter. Using the same password everywhere is a broken concept and password managers are still unadopted. At this point the only solution is either SSO from a few points of trust (facebook, google, twitter, etc.) or/and password managing+generation by default (safari, iOS)


> At this point the only solution is either SSO from a few point of trust (facebook, google, twitter, etc.)

No, that's what made OpenID awful. Your accounts all go down if one of those "points of trust" gets taken down for whatever (or no) reason.


It does suck. What I’m saying is that security for the people is not getting much better than that atm.


Are there any details about how the passwords were stored? "Encrypted" is a bit questionable. I'd expect hashed.


They clarify that the passwords were indeed hashed and salted. "Encrypted" is just there to help the non-technical audience understand their passwords aren't exactly leaked in plaintext.

No details on the hashing scheme used though, so we don't really know how easy it'll be for the attacker to brute force the password hashes.


Because they didn't mention it, and the age of the site makes me think it isn't something we'd consider secure.


I hate Quora for the dark pattern practices of forcing you to login before you can see anything.

In a way this is a great example of why you shouldn’t collect data willy-nilly.

I really really really hope we get some sort of a law where companies are seriously liable for data breaches.

US has a ton of tech companies but very little regulation that protects the customer.


I've always been impressed with Quora's engineering team. Kinda curious what slipped past them.


This is seriously distressing. This underscores the reasons why you should never use a third party messaging system for any sort of private conversations.

Why is this so easy? Is it impossible for a well-funded company to keep its user information private? If so, can we act like it?


Several friends and I had our Steam passwords stolen. The lesson I learned was not to have the same password for more than one service, because my gmail account was hijacked too. The perpetrator stopped at changing the gmail language to Polish, thank God. But the damage he/she could have done was much greater. It was before "login attempt from unknown location" messages. It was a drag to bring it all back but we did it. The lesson also is: joining any online service/site, we must accept the risk that anything you provide could be stolen at some point, and modify our usage philosophy of these services.


2FA when possible as well. Both Steam and Google offer this.


This is another reason why I don't like the "social logins". You give them so much data. They strongly encourage you to use the social login instead of using the regular email sign up.


At least your password won’t be exposed in that case.


It will be, once fb/google is breached (which will happen eventually). The consequences for you will be far more unpleasant.


I received an email from Quora informing me of the breach, but I do not have an account. I even used the "Forgot Password" function to confirm - why did I receive this email?


Bruce Schneier says data is a toxic asset. He's right. There should be (will be?) laws preventing collection of most data, and punitive liability when collected data is breached.


> While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.

According to my trusted Password Safe (https://pwsafe.org/) I call about 400 accounts my own - each one with a unique random password.


1. Force everyone to register to get access to content. 2. Leak that data. 3. ... 4. Profit. Not sure how this part works though.

I hope the lesson is learned: don't force users to register just because you can.


I see no lesson to be learned from the business perspective. If Equifax can recover from their data loss, any company can.


Well, Equifax didn’t harm any of their customers, so their bounce back should be no surprise.


If they didn't, then no company will ever harm any customer.


I'll bite. How did they not harm their users?


Equifax’s customers are whoever pays them for access to data. Their customers are not the people who had their personal data exposed.

The first rule of Web 2.0 is still true: if you are not paying for the product you are the product.


It costs me money (past a certain number of freebies) to access Equifax's data on me--to get a credit report.

I get that this is not their main business model, and that their customers that they bundle and sell consumer data to are more valuable. But end users, in this case, are still customers. They still pay money and get a service in return. Contrasted with e.g. Google services, it's a different scenario.


I somehow got added into the Quora ecosystem some time back, without even actually signing up from memory. Just one day I'm getting notifications that someone is talking to me on Quora.

Even though I didn't explicitly set up an account, it seemed to have done it for me already. I just assumed it was one of those shitty content aggregation platforms like the sorts that steal all the posts from Stackoverflow and rebrand them.


From now on, I will assume all my user data will be compromised. We need a new way to store user data; it will be a balance of convenience and security, but more importantly, it needs to be temporal, i.e. the user data shall not be static anymore. Something like a virtual and temporarily generated password for each session?


It's quite obvious that Quora doesn't care a lot about user data. Just for looking at the website, you need to login with Facebook and in fact other users could at some point even see which parts of the site you browse to without informing you. Kind of sucks, luckily deleted my account half a year ago.


Is it really that hard to keep a database secure?

Genuine question - not sarcasm. I would love to know how the attackers got in in the first place.

Usually when I hear about a breach, my first reaction is “yeah, I would have covered that from the start,” but if there’s something to be learned here, I’m all for it...


Yes it is, when you have the surface area of a company like Quora, or even a much smaller company.

I worked at Quora, and totally unrelated, at my current company, had the opportunity to source and be point on multiple penetration tests. At my current company, I work with some people I consider extremely competent at SQL, and in particular PostgreSQL, but that didn't stop the pentesters from finding SQLi in our code. It sneaks in, and all it takes is one fuck up for a hacker to go to town.

I think that most startups don't understand the value of dropping 20-30k on an engagement with a competent pentest company, and this can propagate even longer into an org to the point that they never bother to get outside testing. Don't fall into that trap. Having a third-party with eyes on your org is worth every cent. If you run a startup or aspire to, I highly recommend you consider getting a pentest when you have ~5M ARR, and continue to do a yearly engagement to make sure your shit is covered until you can afford a full time security staff.


What's bad about the Quora website is that, whenever you see an Answer notification and click on it, instead of a popup for quick review, the website goes to a new URL for the answers. That's why I don't use Quora much these days, due to the stupid UX.


Feels good to have left Quora and gotten confirmation that they'd wiped my account shortly after they hit mainstream. (Cannot remember exactly what happened but I think they defaulted to showing every question I visited in my public timeline or something.)


The game of large numbers: so hackers obtain a million passwords. How will they decide which of them to spend their time on? In Quora's case, which requires real identities and institutional affiliations, will they go after the cream of the crop?


Clearly this is well orchestrated and professional. I'm wondering what could be the motivation for such an attack. There is no monetary benefit whatsoever. Perhaps some AI company wanting to acquire solid data to train their models?


Rumors are that it was a disgruntled ex-employee.


Really? Do tell


I didn't even know I had a Quora account. Never consciously registered one. Got the e-mail though. Tried to log in, had to "complete my account" before I could go on.....wtf.... I deleted my account now, tho.


I also received an email, do not have an account, even a partially created one like you. Odd.


I knew I had an account but it was via oauth and I had to create a "real" quora account in order to delete it. The notice that they were storing contacts from other social networks was the part that pushed me over the top towards deletion.


This must have been it. Still not sure at which point I've ever logged in to quora, but I can't think of any other explanation


No mention of hashing algorithm for passwords, so until they provide that info, I would just assume they hashed with unsalted md5 or sha1 or even crc, and treat it as if they had stored them in plain text.


I haven't used Quora in over a year. It's been overrun with gurus.


The solution to data security is incorporating security at the base layer, i.e. https://universallogin.io/


Is there an email notifying all users of the incident and a separate email notifying those affected, or just one?

Many companies seem to use intentionally vague wording to suggest you might not have to worry.


I too got one email and I'm not sure now if I'm affected (I got the same content as on the website in this email)


This is the email that they sent to users: https://nfil.es/w/kHYd7t/


> Account information (e.g. name, email address, encrypted password, data imported from linked networks when authorized by users)

Quora encrypted passwords instead of hashing them? FAIL.


I think we’re at a point where it’s safe to assume most of our data can be collated into a frighteningly thorough profile of our lives for anyone on the internet to see.


Not gonna shed a tear for the self-important people who wanted to slap their wisdom on everyone signed with their real name. It's as much a failure of quora as it is their own.

Anyone remember the glory days of Facebook, when real names were "revolutionary" and all the rage? Quora followed that cargo cult (founded by Facebook people, after all) and the consequences of that choice are due today. We really need to introduce the concept of "expiring data" on the internet, personal or not. After a reasonable amount of inactivity, identities should be anonymized.


They need to release their hashing algorithm. If it is some sha1+salt nonsense, then they have exposed plaintext passwords for most of these people.


https://xkcd.com/1269/

Just be a nihilist, guys.


or a sage


I'm angry at them for this, but more angry at myself for not deleting my data years ago when I stopped logging in.


I am angry at myself for signing up for this stupid quora. Nothing but advertising of offshore "web developers" explaining how their "product" can solve the "question" they asked with their fake accounts.

I would love to punch the CTO of this company in the nose with passion.


Does Quora still have a real name policy?


Yes, but they also allow organization accounts now, and they're rather slow at dealing with spam so around half the people you see are using fake names.


"encrypted (hashed) passwords"

Was it hashed AND encrypted or another case of people not understanding the difference?


Seems like "encrypted" is in there for laymen and "hashed" being a clarification for more technical people. In the post they say: "... the passwords were encrypted (hashed with a salt that varies for each user) ..."


In that case, how are laymen ever going to learn if we use incorrect words to make them feel safer?

"Ah, they were ENCRYPTED so I don't have to worry"

The truth is they are most likely already reversed.


This is why I’ve gone over to using a proper password manager, with unique passwords for all accounts.


Can anyone explain how is Quora still relevant? How did they raise the $85M for their series D only last year?

To me it seems it's going the way of Yahoo Answers, if it already hasn't. It might be gaining some traction in developing countries, but the signal:noise ratio seems really low at this time, coupled with a terrible UI.


No announcement for me, but I cannot login no matter what I try.


This is one reason I dont write anonymous answers on Quora....


Advertisers had their campaign data compromised, too. Yeesh.


Maybe they asked how to do website security on Quora...


Is anonymous question or answers also compromised?


This is why services like metamask will take over


This was a nice reminder to delete my account.


Quora already sells your data to as many third parties as possible... I don't suspect this changes much.


And now they're 504ing...


can they ask if their data was compromised on the question&answer site?


I'm experiencing a sense of schadenfreude because I'm embittered by Quora's arrogant "real names" policy. They won't "let me" contribute.

Nothing insightful. I'm just here to kick them while they're down.


I believe you're being cynical, because this forced name policy allows for answers to be of higher quality, which is basically their entire selling point - being a better yahoo answers.

If you want anonymity there are other platforms for that, stackexchange for example.


That's a false dichotomy.

Ask MetaFilter is a much better Yahoo Answers, but I can be pseudonymous there. Also, my pseudonym is much closer to a real identity than what's on my driver's license.

I don't have any real reason to fear sharing my "real name" with Quora. I'm lucky. But I'm not the only person in the world. Good thing I'm not trans or a religious dissident. Good thing the only thing stopping me from contributing to Quora is my ornery nature. I would hate for the world to miss out on my Quora contributions for a good reason.

Good thing Quora doesn't have my "real name" is all I'm saying. I have an interest in privacy, even though I use the same pseudonym as my identity on LinkedIn, Twitter, Facebook, and Instagram. And Ask MetaFilter. And so many other places. I shouldn't have to beg to use my preferred name on Quora's bulletin board, regardless of my reasons. It's none of their business.

There's nothing about a "real names" policy that automatically turns a shitposter into a quality contributor. There are plenty of reasons not to wear a target on your back and self-doxx. Today's misadventure is one very good reason.


> That's a false dichotomy. Ask MetaFilter is a much better Yahoo Answers, but I can be pseudonymous there.

There's an example that just happens to be the greatest knowledge platform ever built in world history: Wikipedia allows non-real-name contributions. Plainly, next to that, Quora has no legitimate excuse for requiring real names to ensure quality. It's for one reason: $$$. They have to figure out how to reach a $3b valuation at some point so their VC owners can get a reasonable exit. It guarantees an inevitable disaster for a knowledge service: the conflict between quality and always needing more and more junk content to slap ads on, and allowing abusive business practices to reach for that fat exit for the VCs. And if you don't do it, they'll put someone in charge who will. Unless you can find another business model as Stack Exchange did, stay private and small/lean (so you don't have to try to pretend to be a $3b company when your business model will never legitimately get you beyond 1/20th that), or go the donation route like Wikipedia.


It's not that hard to be as anonymous as you like on Quora. It's been a while since I contributed, because I got tired of their schizophrenic moderation, but I don't recall that mobile text authentication was necessary. Unlike say, Twitter. And even that isn't all that hard to get around, using hosted SIMs.


It's impossible for me to be as anonymous as I like on Quora, because they require a government ID with the name I want to use. Which isn't even that weird! It's my legal last name, plus my childhood nickname for a first name.

Your name just didn't provoke their Real Name Gestapo.


Huh. Good to know, thanks.


Can you elaborate on the hosted SIMs thing? More and more websites are starting to ask for SMS verification and blocking VoIP numbers like Google Voice, and it is getting really annoying.


See https://www.wilderssecurity.com/threads/hosted-sims-for-priv...

Edit: I don't have any affiliate etc association with them.


Are names validated?


Yes. Within hours of registering my account, Quora emailed to let me know that my name sounds fake and that I have to prove my identity with government ID, or I can't use Quora on an equal basis with other users. It really burns me!

I think part of their reasoning is "hey, we have prominent users! Let's make sure everyone knows it!" But Ask MetaFilter has famous users. They are in no way diminished by my pseudonymity.

Plus I know how to change my name. I can spend $100 at the courthouse, and get an ID that would force Quora to let me use my preferred name. My point is, Quora doesn't get to be the impetus for my legal name change. I don't need Quora's permission to call myself what I prefer to be called.


Not saying I agree with them (honestly Quora should die and burn in hell), but if you really need the service can't you just give them a middle finger in the form of a fake ID? Best case scenario it works, worst case scenario they still don't reopen your account. Either way you don't lose anything.


Not in my experience.


I've got this meta schadenfreude seeing things succeed that HNers hate. The new MacBook Pro and any unicorn startup that posted a Show HN. It's cute how HNers actually think that they're relevant.


Who is getting fired? Oh that's right, no one...


Just got my email from Quora... Who writes this drivel:

Conclusion

It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust.


Some poor peon at the bottom of the ladder instead of the engineers/managers actually responsible for the mistake. The great thing about being at the top is being able to delegate away blame. After all, it's your job.


Much more likely some highly paid PR flack, likely with corporate counsel sitting adjacent.


Doesn't seem like every breach warrants someone getting fired. The Equifax breach makes sense; there was an obvious lack of due diligence to protect users' data. But we should wait to see the reason for the breach. Mistakes can happen even if the company was trying to protect users' data.


Quora is an absolute shit show. It won't allow you to read content on mobile web EVEN WHEN YOU ARE SIGNED IN! To top it they disallow any screenshots of the same! Check here https://pbs.twimg.com/media/Dc-9ldcU8AUr23v.jpg https://pbs.twimg.com/media/Dc-9ldbVAAALJfX.jpg

Even though I have been a heavy Quora user (reader and contributor), I would be really happy if it died a really painful and stupid death.


Zhihu (Chinese offshoot of Quora) does the exact same shit on mobile as a way to force users to download their app (which pushes a ton of ads plus other frills). Looks like they got their full playbook from Quora.


Barely a month back, in the Facebook data breach thread on HN, I was downvoted and my comment removed when I said that it has become a fashion for the top 500 web/e-com companies to come along one day, announce a data breach and walk away. I said there that it all looks to me like a conspiracy theory where they hide behind a breach to sell data / buy data en masse for marketing purposes.


I don't think large companies have much interest in selling data. It's a long-term asset. The real money is in renting. E.g., Google and Facebook make a lot of money renting access to you based on the data they have. That's far more lucrative than selling the raw data once.

Also, it's implausible to me that selling the data wouldn't come out eventually. As we saw with Cambridge Analytica, even pretty obscure uses of data can eventually turn into giant media exposure for privacy breaches. The brand damage is very expensive. Facebook's market cap is down something like $100 billion; there's no way they could have made that kind of money from trying to quietly sell copies of their data.


Selling the data outright is not worth anything. Public identities can be scraped and bought very easily already. Most companies with personal and contextual data like this sell access to it, usually in the form of ads.


The long-term cost/benefit for this sort of deal doesn't work in favour of the company selling their users' data.


Well yeah because that is stupid.


The conspiracy is mostly in your head. No sane company would do this.

