> it's extremely unusual to see the same email address with multiple different passwords in a legitimate data breach as most systems simply won't let an address register more than once
I've actually built a system which did this years ago, over our initial protestations, and the reasoning went like this:
Our client (this was a white label product) has lots of elderly couples as customers, these are our end users and although they're on the Internet (makes sense, this is after all a web site you've white labelled so if you have customers without Internet that's a red flag right there) they only have one email address between them. So some end users want two accounts, but with one email address.
This made the login procedure a bit hairy and obviously there are scary corner cases for things like change password (Alice decides to use the same password as her husband Bob, now we can't tell their accounts apart!) but we felt that arguing with clients about why they should do Single Sign On (and thus eliminate the separate login for our white label product altogether) was more valuable than trying to change old people's minds about what constitutes a reasonable thing for two people to share.
Microsoft has their notorious "is this account personal or issued by company it department" (or something like that) question when you login. Which is the reason it very often takes two tries and several minutes to get logged in as I never seem to guess the correct answer to that question...
Extra credits for when Azure DevOps Server requires you to use the other kind of login compared to actual Azure, or for when you log in with one kind and the next time you access the service you are randomly switched over to the other.
Also the fact that when you ask for your login to be remembered they will just show you the email at the next login, without telling you if it's the personal or work account.
It is the worst login experience I've ever had, bar none. I am constantly amazed how they could ship that and always wonder what hellish dungeon of reasons there must be behind the decision to keep it as it is.
I think the difference is between Microsoft online accounts where you can register an account with them using any email address and Azure AD accounts (e.g. for Office/Microsoft 365). The catch is that you can register for a Microsoft online account using an account that is also in Azure AD - so you end up with two accounts of different types with the same email address as username and (hopefully) different passwords. So hence the question asking which one of your accounts you want to log in with.
That's a confusing and annoying UI, to be sure - but for these systems, the email address is not the identifier. The (email, account issuer) pair is the identifier.
So you can have two accounts, say for (vimslayer@contoso.com, Microsoft Account) and (vimslayer@contoso.com, Contoso AD) - and there is no collision and no possible confusion on the system end. All the confusion is on the human end.
And there is a lot of confusion on the human end :)
You can create a personal account with Azure or Microsoft more generically with your work email address, eg you@work.com. Because this was set up by you, you could conceivably change it to you@freemail.com.
However your organization may then do a deal with MS for Azure, or MSDN subscriptions, etc. And they’ll issue a login with the same email* address you@work.com — you now have two accounts tied to the same email, one which you created by yourself and one which your IT department created for you. There’s no way for you to change this second one. Typically authentication for the second one will happen via your org’s single sign on.
So the answer to “is this account personal or issued by your IT dept” really means — did you create the account yourself? Or was it provisioned for you by IT?
* Many orgs by default don’t use email to log in. Instead a “username” like jsmith is used. However, while interfacing with Azure it seems to be a best practice to use email.
And some B2B+B2C SaaS products (Box/Dropbox/etc), when encountering this situation, only let 1 account exist. When the IT department tries to provision a conflict, instead of being provisioned, the personal account goes into an "invited to assimilate" status. The end user gets an email asking them to allow their account, which was created personally, to be converted to one managed by the enterprise admin. The user gets an opportunity, before the IT admin has control, to migrate personal data out (if they want the account converted) or change the email address to something that wouldn't conflict (if they want 2 accounts).
I've also seen it happen when a system changes its email parameters, like switching from considering the TLD to ignoring it. Suddenly john@email.com and john@email.net are sharing the same account, or have two different accounts and usernames linked to the same address.
I had a family tech support session on this exact issue last week. A relative cleared her cookies and found her saved email and password for Facebook were logging her into a profile she'd never seen before. At some point Facebook had decided name@netzero.net and name@netzero.com were the same thing. We got around the issue by logging in using her account name gleaned from someone on her friends list.
The number of websites that prevent me from doing this, because somebody wrote a shitty regex to invalidate most punctuation in an email address, is infuriatingly high.
Not really. I'm assuming the reason you'd share an email is so that you only need to be logged into one account in your mail client.
Easier to remember than a username because it's guaranteed to not be taken, so you can use the same email everywhere: email+name@provider.tld. Whereas "alice" probably is taken.
Also should work with any email provider, it's part of the standard.
The only mail provider I ever heard of this working with is Google. And if you already support multiple usernames per email address, why not support using the same username for different email addresses? It's not like leaving it blank couldn't be valid, too. After all, it's the combination of email + username that is the actual DB key, just like it is with email+name@provider.tld
If the intent is to allow two people to have independent accounts even while using an email they both control, offloading that to the email protocol seems broken to me. It's the exact same email address from the perspective of security. Anything coming after the plus sign should be ignored for the DB key, but kept around for sending emails, so it can still be used for filtering those emails (for convenience, not security). So they could sign up either as
alice <couple@notgoogle.com>
bob <couple@notgoogle.com>
or as
alice <couple+alice@notgoogle.com>
bob <couple+bob@notgoogle.com>
but that difference should only ever matter for their email filtering, not for identifying them.
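As an added example (not code from any commenter in this thread), the two ideas in this subthread fit together like this: the identifier is the (issuer, normalized email) pair from the Microsoft discussion above, and anything after the plus sign is dropped from that key but kept as the delivery address, as this comment argues. The `AccountStore` class, the issuer names and the sample signups are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample signups using the addresses from the thread; no real accounts.
SAMPLE_SIGNUPS = [
    ("Microsoft Account", "vimslayer@contoso.com", "vimslayer"),
    ("Contoso AD", "vimslayer@contoso.com", "vimslayer"),
    ("notgoogle-shop", "couple+alice@NotGoogle.com", "alice"),
]


def normalize_email(address: str) -> str:
    """Canonical form used only as the identity key, never for delivery.

    - drops a '+tag' sub-address from the local part (Gmail-style; assumed
      here to be the only tag separator)
    - lowercases the domain, which is case-insensitive in DNS; the local
      part is left as-is because RFC 5321 leaves that to the receiving server
    - keeps the whole domain, TLD included: john@email.com and
      john@email.net must remain distinct accounts
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    if not local or not domain:
        raise ValueError(f"malformed address: {address!r}")
    tag_at = local.find("+")
    if tag_at > 0:  # a leading '+' is part of the name, not a tag
        local = local[:tag_at]
    return f"{local}@{domain.lower()}"


@dataclass(frozen=True)
class AccountKey:
    """The identifier is the (issuer, normalized email) pair, not the email."""
    issuer: str
    email: str


class AccountStore:
    """Minimal in-memory registry keyed by AccountKey (hypothetical helper)."""

    def __init__(self) -> None:
        self._accounts: dict[AccountKey, dict] = {}

    def register(self, issuer: str, address: str, display_name: str) -> AccountKey:
        key = AccountKey(issuer, normalize_email(address))
        if key in self._accounts:
            # Same person twice, or a second person sharing the mailbox: the
            # address alone cannot tell them apart, so refuse the signup.
            raise ValueError(f"{key} already registered")
        # The untouched address is what mail is sent to, so the '+tag' still
        # reaches the user's filters even though it never affects identity.
        self._accounts[key] = {"display_name": display_name,
                               "delivery_address": address.strip()}
        return key

    def delivery_address(self, key: AccountKey) -> str:
        return self._accounts[key]["delivery_address"]

    def count(self) -> int:
        return len(self._accounts)


def load_samples() -> AccountStore:
    """Register the constructed signups; the two vimslayer entries coexist."""
    store = AccountStore()
    for issuer, address, name in SAMPLE_SIGNUPS:
        store.register(issuer, address, name)
    return store


if __name__ == "__main__":
    s = load_samples()
    print(s.count(), "accounts;", s.delivery_address(
        AccountKey("notgoogle-shop", "couple@notgoogle.com")))
```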
They do. I used that "feature" by accident recently. I think one of the accounts was a shopping account, the other started as an AWS account. Both accounts have the same name, same billing address, same credit card.
I think the logical next step is to give them the same password and see how bad my foot hurts afterward.
I did this in the past. Apparently I forgot I had an account, set up a new one, then found my older account; after some email migrations, they ended up on the same email with the same password. I think it was pretty consistent about which account I logged into, but changing the email (or the password, I guess) of that account let me access the otherwise hidden account. They still have no merge feature, but at least they let you change your email address, unlike some sites.
Great analysis on uncovering a credential stuffing attack (using passwords found from a previous breach) disguised as a "MPD hack" by "Anonymous" which Troy also discussed here. [0]
> But anger shouldn't mean throwing logic and reason out the window and I cannot think of a time where fact-checking has ever been more important than now, not just because of the Minneapolis situation, but because so much of what we see online simply can't be trusted. So by all means, be angry, but don't spread disinformation and right now all signs point to just that - the alleged Minneapolis Police Department "breach" is fake.
The above text really does question what we see on the internet since it is very easy to fabricate news and evidence like this. With that being disproved, we should take such news on social media with a grain of salt until the full evidence from each side and analysis is available.
Once we do that we will be less susceptible to being deceived unlike the retweeter at the bottom of the blog post.
My heuristic is: by default, anything controversial I see on the internet is fake until it's proven to be true. I've been advocating this to my parents and a few others for quite a while. Especially from a country like India, where there are people being lynched and killed just based on WhatsApp videos (mostly fake), skepticism is required more than ever.
This rule means you have to consider almost everything as fake. Like say, a video of police brutality filmed by one person. How do you "prove" it to be non fake?
> a video of police brutality filmed by one person. How do you "prove" it to be non fake?
You might have almost answered your own question. If there are many videos shot by random bystanders in multiple angles of the event, even if one is fabricated, another video can disprove it; making it harder to fake the event.
This would mean that one would have to 'fake' all the videos and angles from other people which is difficult to do, especially if it is live. So with that, it can be proved to 'have happened' but only if the bystanders are un-related to each other. Otherwise it will look 'staged'.
My take: I don't think the government understands how much distrust there is for public institutions. The fact that they keep going on these pressers and lying to the public, only to be discredited after the fact, shows how tone deaf and disconnected from reality the politicians are. What's even more bizarre is all the people who are cheering on the police brutality, and encouraging more violence against unarmed protestors.
There are systemic issues all throughout the government, and as long as cops keep killing people the riots will continue. Maybe they'll temporarily subside, but when the next killing happens it will flare right back up. Cops operate with impunity, and the politicians go on TV apologizing for them because they're afraid of the police too. Just look what happened to de Blasio's daughter, who was arrested by the NYPD under questionable circumstances.
It's crazy watching this all unfold, but if real change isn't implemented soon it will continue to foment. It doesn't help that along with racism, there's significant economic inequality. Real unemployment is somewhere around 24%[0], food prices keep going up[1], and many still haven't been able to access unemployment benefits.
> What's even more bizarre is all the people who are cheering on the police brutality, and encouraging more violence against unarmed protestors.
There’s lots of people cheering on the violence. The strangest are the white collar professionals, the celebrities, and the executives. I will say, in a few instances it felt good when these Twitter agitators got spooked as the violence they wished upon others neared their own gated neighborhoods (and I don’t say this lightly as my neighborhood is being terrorized right now).
Historically they used to do this with slaves, who would fight each other for the entertainment of the elites or upper class people. It seems perfectly in line with that.
> But in a post subsequently removed from Twitter, the NYPD Sergeants Benevolent Association (SBA) accused de Blasio, 25, of “object throwing.”
> The account also posted de Blasio’s internal arrest file, which included her home address (Gracie Mansion, the mayor’s residence), ID number and other personal information.
The government isn't a single person or even consistent entity. Different people and groups are vying for control via control of the government. Some people distrusting the current government and others supporting it is pretty much what politicians want (it's also the natural result of politics).
I don't think this will change much when it comes to governing. Hopefully there will be change with how the police work in the US, but the political play is going to stay the same. Some people might just end up being switched out.
Just think of it this way: almost all of the rioting/protesting is happening in blue areas. They have a Democratic mayor, police chief, state representatives etc. The police are under the control of these local officials, not federal officials. At the same time, many of the protestors are angry at Trump and other Republicans on a federal level. So who do they vote for to enact change? Voting for those same Democrats in local elections keeps the status quo, but at the same time they don't like the opposition (Republicans). They can elect a different federal president, but that isn't going to change the police issue as long as the local status quo remains.
All in all, I would say that politically not much is going to change.
I'm sure some would reject this but it's the human condition, we've all let our guard down at some point and let falsehoods...not just the uncertain or unsubstantiated, but outright intentional lies...gain purchase in our worldview.
For sure. I forget who said it, but there's some quote about the intelligent person having strong opinions weakly held. I'm willing to reevaluate my beliefs on things, but unless I've seen evidence to the contrary, I hold them strongly.
Most often, when the media/PR announces a "sophisticated cyber attack" has happened, what actually has happened is that the password was "123456" or the site ran an old WordPress version, etc.
The Cambridge Analytica scandal comes to mind. It was reported in some places as a "hack" when they literally just used Facebook's APIs for their intended purposes.
Sad that nobody recognized this bit of social engineering for what it probably is: another way for the feds to vacuum up IPs for anyone dumb enough to try to log in using one of them. No, they're not going to SWAT your apartment tonight if you violate federal CISA laws. It's simply another data point (of thousands or millions) on you in MAIN CORE to profile you. For what? Who knows. If you already have an 'interesting' profile, maybe they will drop by.
You: "But the password didn't work - I didn't get in!"
Judge: "You and your cellmate Brutus will have, oh... five years or so to discuss the finer legal points of your case... when you two are not 'otherwise' occupied. Bailiff, let's not keep Brutus waiting."
Or to create a fake threat against the police to justify further action, maybe? Or maybe a third party actor just doing it to create confusion and a lack of trust? I think a state actor would do a better job, though.
I get the point that's being made here, but the real question is do the passwords work even if they are derivative? Did someone extract anything of value using them?
The other thing I keep seeing is a "leak" of a court filing by "Anonymous" alleging that Trump and Epstein committed various sexual offenses. I think it's unfortunate that the disinformation attributing this to Anonymous is spreading because the court filing has been publicly available since 2016. It seems that two Twitter accounts are parroting this around under the guise of Anonymous which really discredits the actual group.
> under the guise of Anonymous which really discredits the actual group.
This is impossible because Anonymous isn't an "actual group". It's any one who does anything and calls themselves Anonymous (a word that means "unknown name").
You're totally right and I shouldn't have referred to them as one entity. Even so, I think that Twitter accounts "representing" Anonymous spreading misinformation really discredits the work other Anonymous members do.
I don’t think the point of taking up the “anonymous” moniker is to get credit. That’s a fundamental misunderstanding of the underlying meme, which is populist, not meritocratic or whatever. It’s spelled out quite well in V for Vendetta...
Blaming outside instigators is a common tactic for downplaying unrest.
I'm not saying you're wrong, and I agree Russia does run campaigns with the purpose of sowing tensions, but I'm very skeptical of any causality between Russia and the movement, protests, or riots.
#dcBlackout was trending on Twitter last night. How do you explain that? There were _tons_ of accounts I saw (many with Korean/Chinese avatars, which were probably fronts) that were spreading the same misinformation, often with a shrill tone of panic and conspiracy.
Like I said, I'm not arguing that the foreign misinformation campaigns don't exist. I'm just skeptical that the protests and riots wouldn't be happening regardless.
China and Russia have been stirring up American discourse aggressively through the internet for years. They would most certainly seize on an opportunity like this. The incident is ultimately caused in the US, but it's for sure going to have its flames stoked by foreign actors. They don't build their systems for one-off attacks. They have weapons of war.
The US is by far the most likely hostile state actor. They are the ones that benefit from the protesters being seen as more radical and destructive than they are, while Russia or China would be working towards hypothetical future benefits.
The media and the government are both very clear that there are fringe elements (both far-left and far-right) infiltrating the protests and trying to derail the efforts. So everyone is going out of their way to separate protesting from looting.
The only place I see where there is concentrated effort to equate protestors and rioting is on the twitter left.
Luckily it's only those "fringe elements" that are getting tear gassed, attacked with rubber bullets and batons, or being arrested. As both the media and the government have stated they are the problem.
The fringe elements are blending into the crowds. The poor protestors are getting gassed. Let's not create this narrative that the majority of protestors are out to loot and damage property. They're not. And most of the ones who are causing damage aren't black.
>Let's not create this narrative that the majority of protestors are out to loot and damage property.
It doesn't matter who is looting or causing damage to property if their actions are being used to justify retaliation against every protester.
Separating the "fringe elements" is being done by the media and the government to allow more authoritarian responses. It is not being done out of goodwill for the law abiding protesters.
I think it does matter. This is an issue that is affecting black people. White people who are protesting should be doing it to support them, not to hijack their movement and running it how they see fit.
Why would it matter who hijacked a movement the moment before it is forcibly ended? These "fringe elements" don't matter, what's important is what started these protests and what is being done to silence them.
Who in the US wins? Not the people. Not the pols. Maybe nebulous people with agendas...
I mean it doesn’t help Trump. He’s kind of taking a hands off approach so far.
But it also doesn’t help Biden. He hasn’t said peep. He’s holed up and keeping quiet.
It would help countries the US is nettling but I’m not sure China has much to gain (maybe tit for tat re Hong Kong) Russia? The whole story was they colluded with Trump... so now they want him to lose to Biden? Whaaaa...
If nothing else, Russia would benefit from the transition period slightly, and may prefer shorter presidential terms to longer ones generally for this reason. However, since Biden has been VP before, he would be able to get up to speed quicker than some.
Or, you know, there is genuine unrest. Have you seen some of the videos of US policing in response to these protests? No need to stoke fires when the US police are doing it for you.
I think you're absolutely right. It's easy, too - fake a few Antifa tweets, white suburbia panics (literally happened today), pay someone to break a few windows and run away, cops hit anything that moves.
I don't think you even need a hostile state actor. Almost nobody I've discussed current affairs with that is supportive of the rioters is capable of understanding that the only correct way to compare racial/gender disparities in excessive use of police force is based on per 10,000 arrests per violent crime. You quickly discover that there really isn't much of a disparity and the disparity that exists doesn't even lean in the direction people believe it does.
Is there a problem with excessive use of police force? Definitely. Is it disproportionate with regards to race or gender relative to representation based on a per 10,000 arrests per violent crime basis? No.
So you look at arrests for violent crime and decide that is the only way to assess racial/gender disparities in excessive use of police force?? Why is that a correct way? What about stops by police, arrests for non-violent crime, murders by police?
One reason is because the burden to manufacture crimes is far higher. Every violent crime necessarily has a victim and if the victim survived the encounter they can identify affirmatively the characteristics of their assailant.
The problem with non-violent crimes is that they could be tainted by biases since there isn't always as concrete/reliable an eyewitness.
Someone attacks me and it's a lot easier to trust what I report. I see someone steal something at a distance, and my eyewitness account is less trustworthy.
It's not about fabricating an otherwise nonexistent problem into being.
It is about applying the right pressure in the right place at the right time.
For example: jumping in with some social media accounts to schedule a protest for just before sundown (or finding one that happens to be scheduled that poorly to begin with) and using bot accounts to boost its visibility, increase turnout, and increase the chances that enough stupid people are in the same place at the same time so that something stupid happens.
Seems quite unlikely to be Putin. Do you think it's a conspiracy theory to wonder aloud if the J. Edgar Hoover Building had any hand in this at all? Mere idle speculation... Because J. Edgar Hoover, after whom the FBI continue to name their building, tried to get Dr King to commit suicide using surveillance and blackmail. That we know of. But keep the name on the building. No need to lie about it. Putin probably told them to keep the name because he wants the USA to look bad, right? See how silly all this Putin garbage is? Laugh at it, hard. It's what it deserves and what it has always deserved.
Everything is fine. Where do I donate to his employees' sick leave fund again?
Must be the Russians that have everyone angry.
Russians == Saddam's WMD until you see hard, overwhelming evidence.
But if you're really not seeing where the anger is coming from, maybe that's a much more significant reason for it than Putin could ever be in his wildest, wettest dreams.
Sounds like the 'hack' wasn't one. From the article:
> So by all means, be angry, but don't spread disinformation and right now, all signs point to just that - the alleged Minneapolis Police Department "breach" is fake.
It's a long article and I thought I could be helpful by summarizing the conclusion; I don't think a person who didn't read it would grasp that from the quotation marks alone.