Reddit Confirms It Was Hacked–Recommends Users Set Up 2FA (forbes.com/sites/daveywinder)
311 points by choult on Feb 10, 2023 | 284 comments



>Reddit also stated that there was no evidence the systems used to run Reddit itself and store the majority of data, the primary production systems in other words, was breached.

Ah, the classic PR blur. Could mean anything from "all good" to "we don't log - ignorance is bliss".


>Ah the classic PR blur. Could mean anything from "all good" to "we don't log - ignorance is bliss".

After what LastPass did, I cannot trust any self-reporting.


I think this is overly pessimistic. While there are definitely shady companies out there who will say this while having very poor security practices, it's tricky demonstrating that something didn't happen.

Say you had detailed audit logs for example. What happens if there's a subtle bug in those systems that allowed the hacker to proceed without logs being recorded?


Never trust any company with a PR department at all, they're all opportunistic liars whose priority is limiting damage to the company, not telling the truth. They only do the latter when they think it will have the effect of the former.

Really, don't trust corporations at all. Even if the circumstances of life force you to do business with them and hope nothing goes wrong, that's no reason to ever trust them. The bigger the corporation the more true this is, since the structure of corporations makes people feel less personally responsible for the bad things they might do to you, like lying to you about the scope of a data breach. The "just following orders" mentality allows workers to do things they'd never otherwise do to you, and that's just one example.

If any sort of business is safe to trust, it's the one-man-shop owner-operator kind of business and you can only trust those guys insofar as you can trust any other person at all. In that case you have to consider it on a case-by-case basis.


Not trusting corporations is possibly the best advice available. I used to work for the largest insurer on Earth, a "health insurance" company. They quit paying for my insulin, which I need to live. They have enough lawyers they could just pile them physically on my house and suffocate me. They then laid me off due to age. My group of layoffs was 155, and of those 17 were under 40. They did give me a pile of cash not to sue - which I took like the opportunistic bastard I am in the end.


> Never trust any company with a PR department at all

So you're saying we should trust Twitter? :)


Heh, but what is Elon, if not a one-man PR department?


One man department. Such praise.


To say that a man is a PR department is the most grave of insults.


To Elon Musk or to PR departments?


Reddit is a shady company. Doing everything they can on the browser experience including interrupting me while I'm typing to try to shunt me over to the app is shady. I don't want the app. I have clicked 'continue in browser' at least 200 times. My preference ought to be clear and recorded by now.

I'd stop visiting altogether if I didn't have a general problem with compulsive browsing.


Reddit pushing their app so hard annoys the hell out of me too, but what are they doing that qualifies as "shady"?


Apps give them more access and more information than browsers do.


Sounds like a job for uBlock Origin. Just block the element.


Why use reddit's official app? There are several decent open-source apps. (BTW, you can use libredd.it to just read reddit read-only.)


Thanks I may look into libredd.it. I intentionally removed the 3rd party apps because they were too good and enabled me to doom scroll too efficiently. I used the website in part because it's a painful experience which will keep me from staying on there too long. A read-only version may help that even more because then I'd have to switch to the full website if I wanted to rage post about how someone is wrong on the internet.


Sure, shady companies exist. And you shouldn’t trust shady companies to self report. But… you already know that, it’s in the name! “Shady”. So I think the idea that you should never trust self reporting is indeed an over reaction.

However, having been at (what I deemed) non-shady companies, there’s still the very human desire to downplay as much as is reasonable. Shady companies overstep reasonability on purpose.


Specifically with regards to Reddit, spez is now known to have edited the database holding comments without making that fact known in any way.

So absolutely nothing coming out of Reddit should be trusted or quoted.


Yup, I don't trust spez, I don't trust reddit's management (even less after the Chinese investments). This is a case to be cynical, reddit is not transparent and their leadership has been riddled with stupid politics, including the whole weird saga they did with Ellen Pao.


>Yup, I don't trust spez, I don't trust reddit's management (even less after the Chinese investments)

I think you (and many other people) are overestimating how much Chinese influence there is on reddit, considering that they have a < 10% stake (according to Wikipedia they "led" a funding round that raised 10% of valuation, and since then there was another funding round that presumably diluted their stake).


Above 0 is too much. Could 10% buy you a mod spot over a large major subreddit? Maybe get reddit to look the other way for your astroturf campaigns?

Reddit is just as shady with its Overton Window manipulation tactics & strategies as Twitter has been exposed to be. Remember when Ghislaine Maxwell was revealed as a mod of r/Worldnews? I'm convinced any relevant PR company worth its salt has infiltrated moderator teams of every major subreddit. What's stopping them? Or anyone else, for that matter?


> Above 0 is too much. Could 10% buy you mod spot over a large major subreddit? Maybe get reddit to look the other way for your astroturf campaigns?

That's... not how fundraising rounds usually work.


That's how ownership and influence works. You think China is buying 10% because of how profitable reddit is?


I can ask the same for the other investors.

>in 2005. Condé Nast Publications acquired the site in October 2006. In 2011, Reddit became an independent subsidiary of Condé Nast's parent company, Advance Publications.[11] In October 2014, Reddit raised $50 million in a funding round led by Sam Altman and including investors Marc Andreessen, Peter Thiel, Ron Conway, Snoop Dogg, and Jared Leto.[12] Their investment valued the company at $500 million then.[13][14] In July 2017, Reddit raised $200 million for a $1.8 billion valuation, with Advance Publications remaining the majority stakeholder.[15] In February 2019, a $300 million funding round led by Tencent brought the company's valuation to $3 billion.[16] In August 2021, a $700 million funding round led by Fidelity Investments raised that valuation to over $10 billion.[4]

What type of shadowy agenda are entities like Jared Leto or Fidelity Investments trying to advance? Or should we assume that they're acting altruistically because they're not Chinese?


> What type of shadowy agenda are entities like Jared Leto or Fidelity Investments trying to advance? Or should we assume that they're acting altruistically because they're not Chinese?

None, they might just really believe that Reddit might be profitable one day and they want a share of the pie. Snoop Dogg also invested in Klarna, for example.

On the other hand I have lots of reservations about the motivation of the likes of Sam Altman and Peter Thiel in this. Marc Andreessen is not such a wildcard, might be just stupid with money, as the latest plays of a16z seem to be making them.


Ehh. Spez being human makes me inclined to trust him a little more. I’m neutral in politics, but editing those comments was objectively funny. Stupid, yes — astonishingly so. But it finally broke the illusion that users own their comments. That’s all it ever was: an illusion.

I don’t trust authority in general. But given the choice between spez and musk, I’d take spez any day. He’s at least not hopped up on drugs running around making crazy decisions.

And in terms of Reddit’s trustworthiness, it makes even less sense that editing comments would be of any consequence. If they detect a hacker and have the logs to prove it, they’d gain nothing by modifying the logs. And if they don’t, they gain nothing by fabricating the logs. So it seems reasonable to conclude that they just don’t have the logs.

Which is also reasonable. When I was hacking into systems at Matasano, it always made me uncomfortable just how undetectable I was. I wasn’t trying particularly hard to conceal myself, but a few well-chosen bash incantations and opening things in vi means all anyone sees is that a vi process is running.


Obviously this is an unpopular opinion, but I think you're right about spez. Editing those comments in his AMA was dumb, but pretty obviously not malicious in the way that's being suggested here. I think a fair analogy would be if he gave a speech in a clown wig, and was then accused of having tried to disguise himself.


So basically "he lied to me, lying is a human behavior, so I trust him."

Wew.


> But it finally broke the illusion that users own their comments. That’s all it ever was: an illusion.

Makes me wonder what else about reddit is an “illusion”.


How hard is it to resist directly editing user data on your site? It's a pretty clear-cut case of abuse of power.


I've always strongly believed in "ignorance is bliss", and "if somebody wants me to know something they will tell me".

The idea of snooping barely crosses my mind, let alone editing.

Maybe it is different because Reddit comments are intended to be public.


> Spez being human makes me inclined to trust him a little more

You realize what you're saying right? You're saying someone's actions that breach trust makes you trust them more?

Actions speak louder than words, if someone is showing you that you can't trust them, you don't decide that you're going to trust them more!


I've had a few interactions with him person to person, he seems like an alright guy.

Then again, so did my last boss till I got to know him better.


I'd take the devil over musk! At least he is not hopped up on drugs and running around making crazy bad decisions


Getting some Poe's Law vibes here.


Having worked professionally in security and incident response for 15+ years now, this take is not just spot on, but might be overly optimistic.

I can't tell you how many large, well known companies I have worked with that either intentionally mislead, downplay, obscure or straight up lie in these types of notifications.

I have had legal teams tell me that they don't have to notify customers of a breach because an event happened on their test/dev systems, or a developer was compromised and not their actual service.

I have had companies intentionally not give information (like what an attacker was able to exfiltrate from a particular set of customers) that would have been extremely helpful to inform or assess their risk. Instead they put out a generic "sophisticated attacker compromised our system, but no credentials or PII from our application were stolen".


There's no regulation with teeth to hold companies accountable for breaches, by and large, and therefore this is exactly the appropriate amount of pessimism.


The difficulty of verifying the claim is not somehow a justification for making it - quite the opposite, in fact.

As it happens, there is something that would help, though if and only if they can do it: Explain what evidence they would have if the breach had occurred.


Having talked with some folks who have been around the block in their career.. it is a pessimistic statement but sadly it is often true.


Maybe I missed that - did they misreport anything? I know they royally fucked up, but they didn't really hide the fact that the (encrypted) vault data was stolen.


After their initial announcement, they updated the same post after months as they had since discovered it was worse. And in some cases it turns out the vault data was not as encrypted as they had ever said. Here's one of the better write-ups I've seen: https://palant.info/2022/12/26/whats-in-a-pr-statement-lastp...


That's always true of everything. How do you know you weren't hacked yesterday?

Reddit also said they haven't seen the data advertised at data-selling sites.


>While Reddit also suggests that updating passwords every couple of months is a good idea, as well as using a password manager, that's not advice most security professionals would currently condone. Changing passwords regularly, that is, not password manager usage.

What inelegant phrasing.

Another option is to treat online accounts as throwaway wherever possible. As much as Reddit would like to sell you gizmos for your profile, there's no benefit to the user to have an old account with lots of karma. Just keep re-rolling with strong random passwords and you have nothing to lose.


> treat online accounts as throwaway wherever possible

I don't need to know who you actually are, but over time interacting with other people here I've started to get a feel for several hundred accounts. This makes HN more pleasant because I have some sense of what sort of person they are to talk with, and what is likely to go well or poorly. When there have been subreddits I was really into, I would start to get a sense for the more prolific commenters there too.

If I regularly attended some sort of social club and it was common for people to replace their faces I would find it frustrating as well.


Interesting. Here I am thinking one of the best things about HN is how the usernames being a lighter shade makes them easy to ignore entirely and focus only on what's being said instead of the speaker.


On the contrary, it makes it harder to immediately spot and ignore shitposters or people who consistently make really stupid posts on certain kinds of thread, of which sort there are several very active posters. It's a big part of why a certain kind of trolly posting thrives on HN in a way that it doesn't in some other places with sigs or user images or otherwise more-prominent user ID.

My kingdom for an ignore-list.


That's what makes it so awesome when you start recognizing the same username on comments where you subconsciously bother to check the name because it was so interesting


> check the name because [the comment] was so interesting

I wonder how many people have that reflex. I usually only notice usernames when mentioned by others.


I would hope most people. I can't imagine being so incurious that I'd read an awesome comment and not wonder who wrote it.


Why should it matter who wrote it?


One big reason I care about who wrote things is expertise. Ex: I've consistently seen informed and sensible security-related commentary from tptacek, so I would pay more attention to security-related advice with his name on it than if it was a name I didn't recognize.


I guess it wouldn't if one didn't value people. YMMV, but I think people are kind of cool — so if I hear a great song I want to know who the artist was. It helps me build a mental model of what I might be able to expect from them. I'm kind of shocked that this might not be obvious to everyone, TBH.


When you've been on the site 10 years, I guess you start to notice more patterns. You'll get there, young buck. ;)


HN is an accessibility nightmare thanks to the low contrast of so many critical UI elements


If I attended a social club and my comments from 10 years ago were permanently engraved on the walls, I'd be much less honest and open.


There is also the aspect of upvoting/downvoting that completely skews honest opinion.

Instead of acting like a bullshit filter, upvote/downvote tends to act like a dog getting petted for echoing back a popular opinion to the group or the dog being scolded for echoing an unpopular opinion. Dogs like to get pats on the head and don't like being yelled at.

It is really one of the dumbest ideas of the last 30 years. Total disregard for human behavior and total disregard for the truth considering how often the truth is an unpopular opinion at a specific moment in time.

Throwaway accounts to me are a small protest to this ridiculous system.


You can use alts and delete old comments.


Yeah. Let's delete old blogs and shut down the internet archive as well.

Personally I value the web as a knowledge store that persists.

Use a non-logged chat service if you want a transient medium.


Changing alts is a lot more pro-social than deleting your comments: with alt rotation your old writing is still available for others to learn from.


There's no deleting beyond a time limit on HN


you can request to the admins if you really need to


Of course Reddit lets its political allies doxx and harass Reddit's political enemies without reservation, so this will likely affect those accounts more so.


We're in a crisis of trust. "You have nothing to lose" is wrong. You and the community both have something to lose if identity is not valued. A throwaway is indistinct from a bot paid for by some rich mustache-twirling billionaire or state actor trying to control narrative.


The internet was always about judging the content and quality of users' posts/comments, while being unaware of their race, sex, origin, religion, and any other traits they didn't explicitly mention.

Nowhere else can you have in-depth technical discussions about the implications of Humean Projectivism on p2p network architecture, with a cybernetic dragonfly, a flying squirrel, and with distracting interjections by a literal fantasy troll. A bit of personal QA/QC, and individual filtering options, are all you need. Anything else is just censorious control of the narrative.


A discussion, maybe. But you can't have a conversation if you're not even sure that your conversational partner is the same person you replied to.

I know that there's a difference between spinning up a new account every few months, and for every reply. But long-term relationships in communities matter.


Yes I agree. This just emphasizes OP's point about how we can't make these accounts throwaway as there would be no content to judge.


You judge each comment by its own merits. Online forums like HN are a source of ideas, not necessarily correct ideas.


Eh, in many ways that is not how humans work. We tend to build close in-groups with a higher trust level, because not trusting anything or anyone is physically and mentally exhausting. If you met a person that behaved in this manner in real life, most people would conclude they had a mental illness or were an abuse victim.


Interacting with accounts on huge, pseudo-anonymous social media sites based on discussion with voting systems is quite different from interacting with people in real life. For big sites like HN and most subreddits, the users may as well be anonymous. HN goes a step further and deemphasizes usernames a bit by making them lighter in color and smaller compared to the black body text. How do you build a "close in-group" on a site this big with not a lot of emphasis on who you are? I've been on smaller message boards where you can actually get to know people and have an avatar and some public info about yourself attached to every post. It's a different experience in that case, for sure.

You wanna talk about how humans work - strangers in real life also don't just walk up to you and start talking about Reddit account security out of the blue! We also don't trust a talking head on TV or on the radio just because they're human. Relationships are built over time & higher trust has to be earned. Even if you're referring to the fact that most of us probably live in a relatively high trust society, that doesn't mean we trust our neighbors' opinions on strong passwords (or whatever) just because we trust them as our neighbor!


It would be nice for everyone to achieve the platonic ideal of having a gapless empirical understanding of the world from root to stem. It is not possible for a single person to do that, let alone everyone. At some point it becomes necessary to trust if we are going to provide and consume information remotely.

Ideas do not exist without context. Arguably the context is more essential than individual ideas. Judging ideas without context is not a useful exercise. It's easy to fall into a local minimum that's actually quite bad. Eugenics is a common example. Eliminating genetic disease sounds great as long as you don't have the context of genocide or humanism.


That's great, in theory.

When it comes to political discussions or any kind of politically biased graphic, particularly if it is something I disagree with, I assume it is astroturf/agitprop. When misinformation and propaganda are mainstream, why can I trust some random account on the internet for facts?

Tech is certainly different.


It's interesting; with many sites I'd agree with you, but on Reddit, I don't look at usernames much. I recognize a few usernames in most of the subreddits I visit, just from repeated exposure, but I don't value my own accounts or the karma they accumulate. I use different accounts for different subsets of subreddits the way I wear different clothes for different occasions. If I lost an account I'd sign up for a new one like buying a new outfit. I wonder why it's different.


We are in a crisis of trust, but I'm not sure the solution involves stronger identities. I've used Reddit for well over a decade at this point. I hate that my high school opinions are just out there permanently on the internet. It's much more damaging to communities for people to feel like they can't participate for fear of leaving a permanent record. If you were at a party, would you feel comfortable knowing you were being recorded the entire time? I think the same thing applies to digital communities.

We need some way of verifying that a real human is on the other end, but we don't necessarily need to know who that person is.


Trusting an anonymous redditor because they have lots of "karma" is extremely foolish. For one, they probably got those internet points by reposting other people's cat pictures and now you're in a conversation with them about something that has nothing to do with the subject of stealing cat photos, so why should the internet points they earned doing that count for anything?

Secondly, it's easy to farm up these internet points and sell the account to somebody else who's keen on exploiting the tendency of people like you to think that the internet points confer trustworthiness.


All of these trust systems and platforms are a centralized target for the behavior you describe. It makes it easier for those with bad intentions to rinse and repeat. Naive users may be left behind by those who have optimized their strategy.


Strawman. I never said anything about karma. A user's entire post and comment history is one click away during a discussion. That can be skimmed to build a decent picture quickly. That too can be faked, but the bar is much higher.


If a website or platform doesn't have sufficient measures, technological or otherwise, to deal with bots, spam, low effort posting, astroturfing, advertising, etc, it's the platform that shouldn't be trusted. If a platform could deal with bots entirely, or associate accounts with a real identity, it still doesn't mean that the platform or the user can be trusted, as identity and trust are not the same thing.

When millionaires, state actors, politicians, corporations, etc, switch from using bot farms to manipulate public opinion to paying influencers to do the same thing, people whose identity is inherently valued and trusted, you end up in the same position as we're currently in.


Even if I don't want to throw my reddit account away as such, it's hard for me to imagine ever thinking I'd care more about its security than I would about not giving Reddit my phone contact!


Yep. Looking forward to buying /u/maxwellhill off the dark web, so we can read all those private messages, and finally put to rest all the speculation of it being Ghislaine Maxwell's account (which went dark the day she was arrested).


Yeah, this was my first reaction.

<Reddit hacked>

"Huh, I guess I better change my password."

<Recommends TFA>

"Hmm, give reddit my phone number .... no."


No need for phone number, they just give you a TOTP private key you can use in Google Authenticator or something like that.


Reddit's TFA is not phone number based. You use a one time password generator.


>there's no benefit to the user to have an old account with lots of karma

Some subs have a minimum age or karma requirement to post. This is ostensibly to combat bots.


Those are very low thresholds.


You are right, but it is still annoying when cycling accounts.


Yea, you have to precycle effectively and create accounts beforehand and let them build at least a small amount of karma.

These days I don't even log into reddit. After widespread banning from subreddits for random reasons it's not worthwhile. I'll keep browsing old.red as long as it exists but if it goes away I'll DNS block all reddit at the router.


These days it seems you should change your password (and your 2FA token) every now and then not because you are the one getting hacked but the sites you sign up at.


This. 2FA (implying a phone number which is most likely most important number in your life) for a link sharing web site? You must be joking.


> This. 2FA (implying a phone number which is most likely most important number in your life) for a link sharing web site? You must be joking.

SMS is no longer recommended as a means of 2FA, as it's very vulnerable. Some sites still rely on it, unfortunately. However, it appears Reddit does support TOTP.


Somehow this reminds me of a wise saying: "Every problem in CS can be solved by adding a level of indirection. Except for the problem of an excessive number of indirections".


They do, but TOTP is only as secure as the seed stored by reddit.
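As an added illustration of that point (example code, not from any commenter and not Reddit's implementation), this is RFC 6238 TOTP written out: every code is derived from the shared seed and the clock alone, so the authenticator app, the verifying server, and anyone who obtains a copy of the server's stored seeds all compute identical codes. It uses the RFC 6238 test seed, not a real account's; the base32 form is how such seeds are usually shown for entry into an authenticator app.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test seed (ASCII "12345678901234567890"); constructed, not a real account's.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side for clock drift.

    The server needs the same raw seed the app holds, which is exactly why a leaked
    seed table is as bad as a leaked password list for this factor.
    """
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def decode_base32_seed(shown: str) -> bytes:
    """Turn the seed as displayed for manual entry (grouped, unpadded base32) back into raw bytes."""
    compact = shown.replace(" ", "").upper()
    compact += "=" * (-len(compact) % 8)  # restore padding that display formats drop
    return base64.b32decode(compact)


def codes_match_from_seed_copy(seed_holder: bytes, verifier_seed: bytes, at: int) -> bool:
    """Whether a second party holding only a copy of the seed produces a code the server accepts."""
    return verify_totp(verifier_seed, totp(seed_holder, at), at)


if __name__ == "__main__":
    now = int(time.time())
    shown = base64.b32encode(RFC_SEED).decode()  # what a QR/manual-entry screen would display
    raw = decode_base32_seed(shown)
    print("seed as displayed:", shown)
    print("current code:", totp(raw, now))
    # Anyone with the stored seed produces an accepted code; the seed store is the whole secret.
    print("copy of seed passes verification:", codes_match_from_seed_copy(raw, RFC_SEED, now))
```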


That's a good idea and I've thought about it but I think many feel attached to their usernames and account history, "15 years with.." site X. And sites often balk and say "username or email already has an account here".

It's a bit funny since an alias was meant to hide who you were or at least make it less formal than a person's full name. Then I go and use my name for an alias!


The "don't use your real name on the internet" advice wasn't great. When I set up a Google account as a kid I used a made up handle because all the adults told me to not use my name on the internet.

Decades later and it's still my main account and I often need to either switch accounts to the one with my real name or embarrassingly ask people to invite my nickname account to various shared documents, calendars, etc. No way to migrate my YouTube channel either…


What's embarrassing about a nickname?

Having a disconnected online entity means less-than-pleasant jackasses can't pull something from years or even decades ago, put it out of context, and proceed to troll your life.

Not putting your real life identity on public display for the world to see means you maintain tighter control over how, when, and where your information gets out. Do you really need your real name, face, place of employment, telephone number, email address (with your name in it), and maybe even your home address publicized? More than likely you don't.

Having online identities disconnected from real life means you can use them to safeguard your actually really-fucking-important real life things. Your bank account? Use an email that uses a nickname instead of your real name so any would be hackers have to second guess your email too.

Worst comes to shove and shit hits the fan, you can throw away an online identity and make another one. You can't throw away your real name and face.

There are nothing but benefits by keeping your online and real life identities separate, and if you ask me it's one of the first steps to being truly internet literate.


I assume that Reddit keeps a list of IP addresses and advertising buyers can correlate them with data from other sources to associate accounts with real people.

Presumably, a Reddit leak means even more opportunity to unmask (dox) users who have responded truthfully to threads that say things like "what's the worst thing you ever did". Lots of blackmail opportunities.


It’s worse than this. Reddit, several years ago, introduced outbound click tracking.

All outbound clicks from the site are redirected via out.reddit.com which ties click activity to an individual (username / IP / device fingerprint based). This can only be blocked with aggressive old.reddit script blocking which breaks portions of the site.

The outbound click data is used for profiling and interest based advertising, but the data can be much worse than simply linking comments to identity.

They also tie IP/identity to individuals to serve relevant ads and this is the push to get people installing reddit on phones, where device IDs are an easy UUID for ads.


Did that finally go out to all subs, because for a while it was only on certain subs? I don't use Reddit anymore, after they suspended my account for promoting a peaceful protest of the Billionaire's Summer Camp, where the corporate media meets every year to consolidate the industry and plan the year's narrative. This, after they allowed me to be harassed, threatened with sexual violence and doxxed. Good times!


To my knowledge, it was broadly rolled out. I don't use anything but old.reddit.com and it's rare, but it doesn't seem limited to a specific sub-reddit. Ads for reddit are also bought at the reddit.com level, and each sub-reddit is a monetizable segment with unique demographics. There were reps from reddit ad sales that were telling me how excited they were with what they were working on in the ads/tracking pipeline several years ago, and I've seen more tracking get implemented since.


ponyomelette69@hotmail.com begs to differ.


Using a weird nickname for professional things seems strange to me. I would rather use my name.


You can use a neutral nickname.


Buy a domain name (~$9/yr) and get a managed e-mail provider that supports wildcard emails (~$50/yr). Now you have unlimited email options.


I have that and do that, but it doesn't solve the Google Drive thing.


You can create a new Google account tied to your domain and use that to collaborate with others. You can elect to stop using Gmail and your old nickname, unless I’ve missed something.


That would mean losing everything that cannot be migrated. (Not meaning that it would be gone, but that it would no longer be in the account I use.) I don't want that.


In the time that has passed since that advice, better name generators have been developed so you don't have to make something up.

https://github.com/moby/moby/blob/master/pkg/namesgenerator/...


Nothing to lose..? Old and popular reddit accounts are worth more when sold for a reason. If I'm sharing an idea or business update, it's useful to show mods and algorithms that I'm a decade old user and not a bot created this month.


If you're a spammer then yeah, there's value to be had. But for moral people there really isn't any.


I'm mostly a "moral person" whatever that means and I disagree. My Reddit account has value to me for multiple reasons.


The last time I tried to change the password of a reddit account I lost access to it.

I attempted to change the password, got an error saying something went wrong. I figured I'd try again later, so I also didn't save the newly generated password.

Got logged out, and couldn't log back in with the old password.

And there's no way that I know of to contact anyone at reddit to try and get help.


Try the Forgot Password link?


The email provider that account was tied to doesn't exist anymore, and the domain is taken. I didn't notice until after it happened, so I am not putting all the blame on reddit. It's more of a string of unlucky circumstances. Who knows if I could have even changed it without access to the email account, anyway.

Fun fact: Reddit for the longest time didn't require an email address to create accounts.


Reddit still doesn't require an email to create accounts, even if it now heavily implies it does. Just click next without entering one.


> there's no benefit to the user to have an old account

I used to think so until I decided to reroll my old account into a new one, and it was such a pain re-subscribing to all my subreddits again.


Just create a multireddit of your subscriptions by going to https://old.reddit.com/subreddits/ and clicking 'multireddit of your subscriptions' on the right. Bookmark that link and voila, you have a backup of your subreddits for your new account.


That seems like a solvable thing with a 3rd party app/script.

I reroll every time I am banned from a sub I like because that sub notices I play in other subs - that whole “thing” is horseshit to me. So I just reroll to get around that autoban bot.


Do you happen to have a script for this? If so, I’d love to have it as it’s about time I reroll too.


No, but I have thought about trying to make one. Hrm.


See, I don’t mind this process.

It gives you a chance to re-evaluate what is actually giving you value. It’s like spring cleaning.

It’s the same reason I enjoy setting up a new or freshly reformatted phone or laptop. Feels good to clean out the cobwebs.


> Another option is to treat online accounts as throwaway wherever possible. As much as Reddit would like to sell you gizmos for your profile, there's no benefit to the user to have an old account with lots of karma. Just keep re-rolling with strong random passwords and you have nothing to lose.

I (used to, I guess) do the same. I must have 40 accounts in total over the years. Funny enough, I didn't even make a strong password - a stupidly bad one, unique for each account, actually. I had almost hoped it was hacked because it would be interesting to be hacked and not care.


> What inelegant phrasing.

Reddit's own phrasing is much better:

Since we’re talking about security and safety, this is a good time to remind you how to protect your Reddit account. The most important (and simple) measure you can take is to set up 2FA (two-factor authentication) which adds an extra layer of security when you access your Reddit account. Learn how to enable 2FA in Reddit Help. And if you want to take it a step further, it’s always a good idea to update your password every couple of months – just make sure it’s strong and unique for greater protection.

Also: use a password manager! Besides providing great complicated passwords, they provide an extra layer of security by warning you before you use your password on a phishing site… because the domains won’t match!

-- https://www.reddit.com/r/reddit/comments/10y427y/we_had_a_se...


If you use the old/classic Reddit experience and you can't find the option to enable 2FA in your profile, use this URL directly instead: https://www.reddit.com/2fa/enable/


Just FYI while they suggest updating passwords they also claim that user accounts are safe at this time.


>> to treat online accounts as throwaway wherever possible

Works for me everywhere except HN, because of the silly requirement of 500 karma to be able to downvote.


Personally, I start by not trusting platforms - pw manager and 2fa all the way, never re-using passwords. I also use Bitwarden - open source ftw.


That's how most treat it. Just go to any thread even 3 months old and 1/4th of the users are deleted.


Reads like an 8th grader's report trying to meet the teacher's word count.


I've actually noticed how _bad_ the writing of some articles can be. I'm not a good writer by any means... but the best I can say is it sounds like an essay cranked out by someone in high school.

Just reminded me of my first "wtf." A journalist for our local university wrote a review for the movie "Hustlers" where they justified sexually assaulting and robbing men in New York because "men in New York were responsible for the 2008 financial crisis." All without missing a beat. Can't believe what passes these days.


When you find out how little these writers are paid you can understand the amount of effort they can put into these articles and still make enough money to eat.


Well, seems there's more people wanting to write than demand.


many ephemeral identities, treated like cattle


You used to be able to create a reddit account without an email address. If all they can get is a username and password, by and large, who cares? Just create another account and you're on your way. It's way less likely hackers will figure out your creds on other sites if they don't have an email address to act as a key.

Why require email for dumb social media sites? You can talk about password recovery, but emails aren't necessarily required for that, and it could be something to opt in to. It seems like email is required to make data collection, tracking and advertising easier. It sucks that all this creepy data collection is not only an annoyance, but also makes us less secure.


Reddit doesn't require an email. They use dark patterns to make it look like you do, but anywhere it asks for an email in signup can be left blank.


Doesn’t work for me. The Continue button is only enabled once you enter an email address. Furthermore, activating 2FA requires a verified email address.

Edit: It works when using the right URL, see https://news.ycombinator.com/item?id=34742134 below.


It only works on the desktop site. Did you try on mobile?


It works when manually going to https://www.reddit.com/account/register/ (both on mobile and desktop), but it doesn’t work when following the Log In / Sign Up links from the Reddit page, which have additional URL parameters attached. Maybe this is also an A/B testing situation, as the additional parameters have “experimental” in their name.


I might be thinking of old.reddit.com. I know that the mobile version requires an email there but the desktop version asks for it, but if you click continue, it doesn't check if you've entered one.

That experimental part is interesting.


I think the mods can see if your account has a verified email attached to it though? At least it seems like subs can choose to not let unverified accounts post.


Yea, you cannot post in /r/news for instance without a verified e-mail. Automod will remove your posts/comments.

I don't know what they think they are accomplishing since burner e-mails are trivial, but perhaps it gives a semblance of doing something.


Anyone can see if an account is email verified. It shows up as a "trophy" in the account info page.


My Reddit account got hacked a few years ago because I created a Reddit account using a throwaway password, since I didn't care much about Reddit when I started. The hacker started using it to promote crypto.

I was able to get the old account disabled, but couldn't get it back because I couldn't prove I'd ever owned it. So I created a new account, and it wasn't a big deal, but I was annoyed that I lost my preferred username. Fortunately I'm not a moderator for any subreddits.

Don't get the privacy concerns. I'm totally fine if people know what I post on Reddit. It's public. I wouldn't want any friends to get confused by private messages sent as me, though.

People who don't care about losing their account probably aren't doing anything they care about with it, and that's okay, but it's not everyone.


> Don't get the privacy concerns. I'm totally fine if people know what I post on Reddit.

Good for you. But for others, pseudonymity is a way of protecting themselves in real life. There are people who cannot express their views on certain subjects without inviting scrutiny, or even danger, in their real lives.

> It's public.

There are private subreddits.


Yes, you are right. Let me correct my post: I fully respect the right of some people to post under pseudonyms for well-known security reasons. I don't get why people assume everyone should do that.

I've never used a private subreddit, but I imagine it might be hard to get back in after your account got hacked?


I’m not following, how did a throwaway password get you hacked? Did they use a common password leak list to guess via brute-forcing? Does Reddit not rate limit login attempts?


I used the same throwaway password on a variety of sites I didn't care much about and the password got on a list.

I don't do that anymore.


> If all they can get is a username and password, by and large, who cares? Just create another account and you're on your way.

Who cares? Those of us who treat subreddits as communities, and as such have built relationships there.


There are legitimate reasons for requiring an email, e.g. increasing the difficulty of making bots and of banned people making a new account.


Phone verification raises account creation costs to at least 20-30 cents an account (assuming you ban VOIP and only take first-world countries; it can be lower otherwise). Email verification, if you still allow yandex, rambler, outlook and hotmail addresses, raises it to a cent at most.


Take my parent's complaint and replace email with phone and the complaint gets worse since the privacy concerns are even greater.


Most email services now demand SMS verification to sign up for them as well.



>On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.

It doesn't seem that sophisticated to me, rather "normal"; unless they are omitting some relevant details, it sounds a lot like "Action needed urgently, click here to login to ...".


Every company describes successful breaches as "sophisticated," because if it wasn't sophisticated then it's their own failure.


Was it the North Korean government using military level hacking technology? Yes. I mean, we don't know. But probably.


"Military level" is another means-nothing term.

Could be anything from average phishing or some 0-day that happened to be found by a gov employee, or a phishing email, to "a bunch of men kidnapped the target and beat them till they gave them access".


And for this case, highly highly doubt a threat actor would burn a zero day for a Reddit phish.


The sophisticated aspect of these types of attacks typically isn't in the technical aspects, but the social engineering involved.

It usually involves meticulous research on the target, what and who they work with, and have crafted an email that plausibly looks and sounds like an internal email, that talks about company stuff in company language, mentions coworkers and so on.

Add a note of urgency, make it someone who has discovered something isn't right, there's an urgent technical issue or the company or money is missing from the accounts or something, or perhaps it was dressed up as a memo announcing layoffs at reddit. If it's an urgent "threat" you tend to tunnel vision quite hard.

The result is very far removed from how your typical spam emails tend to look.


Cloning an intranet site is also a nice wrinkle that probably trips up a lot of less-tech-savvy employees who are trained to recognize phishing attempts that use replicas of Amazon, Google, Facebook, and other big well-known public web sites, which they mentally categorize as a different thing from their company's internal tools.


It doesn't help companies have so many internal tools. It seems like once a month I'm asking my team if the invite to X service is something we're doing or a phish.


This is what interested me. How do you clone an intranet site without gaining access to it?


Yep. We had a charming English fellow at NCC Group in charge of doing this for a living. He had it down to a science. Everything from the phrasing to the phishing.


If they have a clone of an intranet gateway, I would have to agree that the phishing attempt is a bit more advanced, so calling it sophisticated is not too far fetched.


It's sophisticated in the sense that it sounds targeted. They had to do research, set up a clone of an internal site, etc. That's on the high end of sophistication for phishing, which in general is usually not the most sophisticated of attacks.


Yep, but targeted doesn't mean the same thing as sophisticated. Maybe the sophistication relates to obtaining a list of reddit employees; in that sense the sophistication is before and besides the phishing itself.


"One of our employees was tricked. The attack must have been sophisticated, because we are a cool gang."

Basically applies to every team there is.


I'd say it depends on how much homework was done by an attacker. The company I work for was adding some new services. One of the service setup emails came in and was off just enough that I reported it rather than following it, and yes, it was an internal phishing test, but one I found very valuable because the service providers could be hacked, and the URLs that are used are generally terrible if you're trying to figure out where you're going.


The "sophisticated" term maybe (100% for sure) was meant to save face. As in reddit staff should have known better and were supposed to be IT, social media, Internet culture experts. But fell for it anyway.


"Sophisticated"

The employee's password was probably passw0rd, and that's being generous for reddit.


If any e-mail contains a link to a login webpage, I treat it as a Phishing attempt. Only ever log in on the page you have bookmarked.


That's easier in your private life than in business. A lot of common tools (especially jira, confluence, etc.) have the flimsiest sessions along with just atrocious navigation.

Means almost every other time you're sent a link, you have to log in yet again. And man are you sent jira tickets often in tech.


I’m always logged into Jira and Confluence. And if not, the browser has the password stored, so an unknown host would be obvious.


This is the original source, and way more informative than the Forbes article. Please change the post to link here.


The setup 2FA advice is kind of weird. I mean its fine in general, but it was an employee who was breached not a user, and there is no indication that the attackers got account data.


And apparently the phishing attack phished both password and 2FA for getting into the intranet. So whatever 2FA they used internally didn't help.


Yeah, but every crisis is an opportunity and this is an opportunity to scare people into coughing up PII that advertisers love so much.


TOTP doesn’t expose PII.


True, but the email required to enable it (arguably) is.

Reddit is far from the worst offender in this area. I should have specified my opinion as a more general one.


Most sites don't let you register at all without an email.


And this is why we should all adopt WebAuthn, and get rid of TOTP-based 2fa.

This attack vector is significantly harder to pull off if a hardware authenticator will assert that the user is logging into the correct domain.


10 years ago "use a strong password with all these symbols"

Average person reluctantly moves from 123456 to P@55word!

8 years ago "no, passwords suck, use a passphrase"

Average person reluctantly moves from P@55word! to correct-horse-battery-staple

6 years ago "ok but you need to use different passwords on each site"

Average person reluctantly moves to different passwords per site

4 years ago "but you can be phished, you have to use 2FA"

Average person reluctantly moves to SMS

2 years ago "no in some countries it's easy to take over SMS, use TOTP"

Average person reluctantly moves to TOTP

Today "no TOTP is rubbish, you can be phished, use this hardware authenticator"

Normal people don't like new shiny ways of working every year or so. My house's front door lock is broadly the same interface as my great-grandparent's front door lock, but technologists think changing the way things work every couple of years is acceptable.


> My house's front door lock is broadly the same interface as my great-grandparent's front door lock

True, but your house's front door lock is very likely to offer quite poor security. Most house locks are vulnerable to bumping attacks that are almost trivial to pull off. The only reason this is acceptable is the threat model you're dealing with when securing a physical house is very different from securing an internet-connected computer.

Moreover, while the threats against your front door have remained marginally the same as those against your great-grandparent's door, computers and the network they are operating in change extremely frequently. All the security recommendations you're naming were quite reasonable for their time but rapidly became outdated.


If someone _really_ wants in, the windows are an even weaker point. Obvious at a glance breakage probably not even necessary... (those latches seem awfully flimsy).


A similar argument I have with my wife: She insists on only living in gated communities. I'm like, "it's just a PVC pipe that goes up and down, it's not fort knox." But for some reason that gives her peace of mind, and worth the HOA fee of $350/mo.


My God. My condo complex is responsible for all external maintenance. It has steel gates that would stop an F-150. They handle water, gas and trash pickup and it only costs $230/mo. It's in a fairly pricey area. I feel like you're getting robbed.


> I feel like you're getting robbed.

They very explicitly said they're paying enormous amounts of money to avoid being robbed (I'm not missing the irony here).


To be fair, there are also metal gates, probably aluminum... but they only close after 8pm. I think it's more for aesthetics really. The communities in Palm Beach County miss the mark on being bad & boujee.


My HOA is 250 a year. haha


Funnily enough where I live those gated communities have actually ended up being specifically targeted, because funnily enough people assume that if you can afford to live there you probably have stuff worth taking.


At a certain point the walls will be the weak point to a dedicated attacker. Time to dig a moat to scare off the backhoes!

Something I found out recently is that my lockable desk drawer can be thwarted by giving it a sharp shove to the right while pulling the drawer. It juuust about pops the metal locking rod out of the mechanism for a moment; if you're pulling on the drawer it'll just open. Found it out when I misplaced the key, haha.


Would a keychain window breaker (sold as an emergency escape for a car) work on home windows? Or is the glass handled differently somehow?


I can't really say I've tried, but probably. I 'ran through' a glass storm door once as a kid -- I was locked out in the cold by my grandpa.

The safety glass in cars is especially difficult where I expect much less from that in a home.

With the obsession over insulation I suspect they're stronger than I remember, but brute force always works - if not, just use more. Maybe introduce leverage.


Also, people should definitely upgrade their front door locks! A three star euro cylinder will snap, instead of letting the intruder in.

While surely nothing offers complete security, it massively increases the effort required to break in (from essentially zero).


Very few break-ins are accomplished via defeating a lock with something in the vein of a pick (bumping, pick gun, etc). Most break-ins are accomplished via a broken window/glass door.


Well constructed deadbolt on inside only. Much more concerned with a break in when I'm home than when I'm away and this will help dramatically.


This isn't really the way that advice played out:

Nobody should ever suggest you use TOTP or SMS 2fa to prevent phishing.

> 6 years ago "ok but you need to use different passwords on each site"

Really the only one that matters in practice. TOTP is basically just a workaround to get users to actually do this.

Edit: I would also add this is a corporate environment where it's reasonable to be more picky. And webauth really is the best (only?) solution to phishing.


Well, if you use a compromised device temporarily and your password gets stolen and you have 2FA, it will sort of be ok once you stop using that device.


Depends how long your session cookie lasts for the site. Some high security sites are paranoid, but most of the time they last for like a year.

It also depends on how sophisticated the attacker is. Do they fake log you out so they could capture a second 2fa token in order to change the totp token to a new device and change your email?

And of course, for the most part damage can usually be done in minutes - copying confidential files does not need long term access.


For applications where it really mattered, hardware authenticators have long been established. Big companies use smart cards, and my bank has always offered the choice between the 2FA-du-jour (switching from pre-distributed TAN lists to SMS 2FA to various iterations of 2FA apps, currently push TAN) or just getting a $20 reader for my existing bank card (which has had a chip since forever in Europe).

The list you are describing could as well be seen as every service trying to implement the simplest and least disruptive technology, only to find out two years later that it was insufficient and switching to the next best thing, only for the cycle to repeat each time.

Which of course from the user's perspective doesn't make a difference, but it gives a different perspective on how to solve it for the future.


The Egyptians had wooden door lock mechanisms. It took thousands of years to develop modern door locks. We went from lever tumbler locks in 1778 to the modern Yale lock in 1861 (which fundamentally still operates on similar principles to the Egyptian wooden pin lock).

I'm sure authentication technology will settle down in a decade or two.


Yet the time it takes to pick those locks hasn't changed for centuries


WebAuthn is a UX improvement as well as a security improvement. I sympathize with your point, but in this case it’s easily sellable as the cure to the rest of your list … unless you somehow lose your key.


Not a UX improvement. Most users need a yubikey for the computer unless they have a new Mac. Asking my 65 year old dad to keep up with a yubikey is not just bad UX, it's failing UX. It simply will not happen.

I don't even think it's realistic to get him to use a smartphone for this, he hates the things.

WebAuthn works great for your Web 3.0 startup but as soon as you're talking about the average user, who is likely decades older than the commenters here, and far less interested in keeping up with these things, and far less patient with the hassles... asking them to carry hardware is a nonstarter for so many.


I thought Windows machines just used the TPM to store WebAuthN keys? No yubikey necessary. Just a click on some popup dialog to select your credential for login.


Windows has a service called "Windows Hello" which can work with WebAuthn (otherwise it's hardware keys). It requires your computer to have various biometric or camera technology built in, such as a fingerprint scanner. I'm sure Windows laptops are more equipped for this, but desktops obviously are not, and I'm certainly not advising folks to leave some insecure cheap imported webcam hooked up 24/7 "for security purposes".

I don't know anyone using "Hello" but I suppose it's an option. Most Windows users would likely have to use a hardware key though.


I would be wary of using this. I have been using Windows since Windows 95 and seen enough things go wrong that I wouldn't want to be locked out of my online accounts. For example, one thing I noticed is that simply updating my BIOS in Windows 11 causes havoc and everything gets signed out. A cross-platform hardware token sounds more appealing to me. I could see Hello being something to secure corporate laptops/accounts in an enterprise environment though.


>For example one thing I noticed is that by simply updating my BIOS in Windows 11 causes havoc and everything gets signed out.

That's surprising. As in, the fact that that happens is to be expected from the firmware's point of view - updating the firmware changes the measurements made to the TPM so any secrets can no longer be unlocked. But I would've expected Windows to update the expected measurements before applying the update to prevent that from happening.


It also is a way worse UX if you lose the authorized device and you're traveling.


That is a "when" event rather than an "if" event.


The difference is that your door is exposed to the neighbourhood while computers are exposed to the whole planet. Notice how your plain old number password is still sufficient for unlocking your phone.


Ten years ago, everyone got hacked all the time. Today, basically the only way to get you hacked is to hack the actual site you're using. I'd say that's progress.


> Average person reluctantly moves from (…)

A reluctant move is still a move, and thus beneficial. But we definitely have different ideas of the “average person”. I sincerely doubt the average has moved on from P@55word, and even then only because the website they’re trying to register an account with imposes the rule. I’d be happy to be proven wrong; do we have data on it?


> Normal people don't like new shiny ways of working every year or so. My house's front door lock is broadly the same interface as my great-grandparent's front door lock, but technologists think changing the way things work every couple of years is acceptable.

Your front door doesn't have thousands of anonymous bots a day trying to brute force it.


You are talking about the average developer.

Most regular users never moved beyond using 'P@55word!' everywhere.


Yeah, security is a cat and mouse game. You need to keep adapting.


And what those "security" people do not understand: the user will choose the path of least resistance, making all those measures useless.


More realistically:

8 years ago "no passwords, use a pass phrase"

Average person reluctantly moves from "P@55word!" to "P@55word! P@55word! P@55word!"

6 years ago "different passwords on each site"

Average person shrugs and changes nothing

2 years ago "use TOTP 2FA"

Average person already using SMS changes nothing, and the sites allow this as a grandfathered exception effectively indefinitely


I'm not sure what your point is, the recommendations improve and evolve over time.


> My house's front door lock is broadly the same interface as my great-grandparent's front door lock,

It can also be defeated by any idiot with a bump key in about 10 seconds.


That's fine, but don't be a hypocrite who comes complaining when they get hacked. It's your personal responsibility to maintain your own security.


Ideally yes, but let's not let the perfect become the enemy of the good. If that's what's available right now, it should still be used and recommended.


In practice in many services 2FA is about hoarding PI to target ads, not improve security. I don't buy into that.


TOTP doesn’t expose PII.


Don't you need to send the generator hardware dongle thingy (whatever it is called in English) to the user?


TOTP uses a publicly known algorithm that you can implement yourself. Most people use an app, but that’s not mandatory. No special hardware is required.


> And this is why we should all adopt webuathn, and get rid of totp based 2fa.

I'd be glad to personally, but if a site supports 2fa at all, then it's most likely TOTP. And some require TOTP first and allow webauth only in addition to it.


Are you really suggesting that a billion netizens should stop using TOTP on their smartphones and go buy another hardware device?


Both latest versions of Android and iOS support passkeys plus support on Chrome/Brave/Edge/Safari.

While not as secure or convenient as a security key for initially logging in there is no need for a new device in many cases.

Besides the fact that the webauthn yubikey is $20 vs $50-70 for its more popular and well known versions.


And if you are stuck using TOTP, you can mitigate with a password manager that fills it for you only when the domain matches.


You know, I used to think the same thing. But then lastpass got hacked and it made me realize password managers have a lot of eggs in those baskets. It might be worth using two separate password managers and keep TOTP in the second one.


Hilarious to see that even companies like Reddit still do not take security seriously despite being around longer than most internet companies.

If this was Meta, or Twitter that got breached via there would be outrage everywhere as to why employees did not use hardware keys.


Is this similar to how hardware wallets show the true addresses on their displays?


Webauth checks the http origin so it only gives the code to the correct website, taking the human out of the decision loop.
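An added example of the relying-party half of that origin check (not the commenter's code; the RP ID, origins and sample assertion data are constructed placeholders). The browser writes the page's real origin into clientDataJSON and the authenticator signs over authenticatorData plus the hash of that JSON, so a cloned login page on another domain produces an assertion the real site rejects before it even looks at the signature:

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed for this example: the RP ID a site registered and the origins it accepts.
RP_ID = "example-rp.invalid"
ALLOWED_ORIGINS = {"https://example-rp.invalid", "https://login.example-rp.invalid"}

FLAG_UP = 0x01  # authenticatorData flag: user present
FLAG_UV = 0x04  # authenticatorData flag: user verified


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | optional extensions."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     last_sign_count: int, require_uv: bool = False):
    """Structural checks an RP performs on a WebAuthn assertion.

    Returns (ok, reason, signed_bytes). signed_bytes = authenticatorData || SHA-256(clientDataJSON)
    is the message the stored credential public key must then verify; that signature step needs a
    crypto library and is left out here.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", b""
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", b""
    # The challenge binds the assertion to this login session; a replayed assertion fails here.
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or wrong session)", b""
    # The browser fills in the origin the user actually visited. A cloned page cannot forge it.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin", b""
    ad = parse_authenticator_data(auth_data)
    # The credential is scoped to our RP ID; a different domain yields a different hash.
    if not hmac.compare_digest(ad["rp_id_hash"], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match our RP ID", b""
    if not ad["flags"] & FLAG_UP:
        return False, "user presence flag not set", b""
    if require_uv and not ad["flags"] & FLAG_UV:
        return False, "user verification required but not performed", b""
    # A non-increasing counter (when the authenticator reports one) suggests a cloned key.
    if ad["sign_count"] != 0 and ad["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)", b""
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return True, "structural checks passed; verify the signature over signed_bytes next", signed


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build the clientDataJSON a browser would produce (constructed for the example)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build authenticatorData as an authenticator scoped to rp_id would (constructed)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real RP draws this from a CSPRNG per login
    legit = verify_assertion(make_client_data("https://example-rp.invalid", challenge),
                             make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 5), challenge, 4)
    # Same user, same authenticator, but the page was a look-alike on another domain.
    phish = verify_assertion(make_client_data("https://example-rp-login.invalid", challenge),
                             make_auth_data("example-rp-login.invalid", FLAG_UP, 5), challenge, 4)
    print("legitimate:", legit[:2])
    print("look-alike:", phish[:2])
```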


It's very vaguely similar to TLS connections with mutual authentication, you can't normally MITM/proxy it.


I'm not giving reddit my phone number, I get enough junk calls as it is.

Edit: Reads comment by Maxburn, googles TOTP and Authy

Why the heck do I need a 3rd party involved? Ugh


No 3rd party is involved. You're localizing the 2nd factor of authentication. Google could burn down tomorrow and cease to exist, you could still use authenticator. It's a cryptographic verification scheme, not a service.

RSA was a big one that was similar. Not sure if it's still used today but there was a little hardware fob that wasn't connected to the internet or anything, the whole thing works on Time. The only thing that fob needed was a constant battery power, if it died you'd have to replace the battery and call the helpdesk to get it resynced with your account. The only thing your phone needs is a good time source like GPS or network time. I believe authenticator app works even if your phone doesn't have service. You could be on a landline in a remote region with no Internet, talking to your significant other on the other side of the world, have them log in to your account and give them the code displayed by the authenticator app and they could send that important email you forgot.


RSA SecurId - big problem with that was RSA had the tokens’ seeds, as well as their customers. Recalling all their customers’ tokens after getting hacked back in 2011 must have been expensive.


Big oooof, wasn't aware of that. I believe TOTP works much differently based on my CLI interaction with it, but an expert would need to confirm.


You're welcome to calculate the code yourself by hand!

Those apps keep track of it for you, you can use any 2FA app that supports TOTP. You could even make your own if you want.

https://en.wikipedia.org/wiki/Time-based_one-time_password


This was my first thought after OP edit, lol, good luck doing this all yourself under the time limit. OP needs to educate themselves on 2FA methods.

Google authenticator exists, but I'm trying to get google out of my life. I think Bitwarden has one. I'm only using Authy because it was among the first to offer a backup/restore solution that I stumbled on.


It's actually TOTP so I stuck that in Authy.


You don't.

Have a look at Yubikey's - there, the seed is stored on the key itself, the calculation done on the key itself, and all the app does is read it all via NFC.


I just spent a minute and I'm having trouble wrapping my head around TOTP challenges with yubikey. Like scanning the QR to get the key in it, how do you query it to answer the challenge etc. Must be an app involved?


Sorry, didn't see this until now.

Yes, you use the Yubico Authenticator app, but it's entirely local only (runs fine with all networking switched off).

It's available for Mac, Linux and Windows, as well as Android and iOS. On computers your key needs to be inserted into a USB port. For Android and iOS I use the NFC key and I just scan it against the phone after launching the app.


Just what I need: Another big social media platform connecting one of my many anonymous pseudonyms to my phone number!


It's a ridiculous request. In short:

"We've been hacked, so you should give us your phone number."

Hilarious!


I just set up 2FA on my reddit account and at least it uses totp rather than sms.


Could use an app for 2FA though, right?


So many hacks lately, it's hard to believe that it's a coincidence?


This hack was very sophisticated and targeted ("plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway") but wasn't after the easily monetizable stuff (user emails, which in combination with their most used subreddits would be very valuable for targeted spam), but instead went for data on employees and business partners. This sure seems like a setup for attacking a more valuable target.


You've been downvoted, but of course it's reasonable to think 'not a coincidence'. But I'd actually say that it's not a particularly interesting observation given how many nation state backed intelligence (or even crime, assuming a difference) groups there are that do frequently hack large companies and government agencies. The pertinent thing here is that we simply don't know, and there are also plenty of boring criminal groups that also hack.


I don't know if you are implying that it's related to the war or something. Sadly, I am more of the belief that it's a trend. I think we will see much more of it.


It might be related to layoffs too? Maybe you're implying something :)


"to the war", I smell a singularity. Can you be more specific, which war exactly are you referring to?

https://en.wikipedia.org/wiki/List_of_ongoing_armed_conflict...


I suppose you're trying to make a point about the relative attention devoted to Ukraine vs other conflicts, but in this case there really is only one war with large state actors who have the motive and cyberwarfare ability for mass hacking campaigns.


Parent is pretty obviously referring to the 2022 Russian invasion of Ukraine, the single biggest (regarding media coverage) armed conflict right now.


Security done well is a bit expensive and boring. Thus lots of hacks, because everyone is cheap and everyone has a short attention span.


It's feasible it's related to layoffs. I dunno if it is actually related but no time like the present if everyone's on edge.

Want to phish someone in 2023? Send an email saying they've been laid off. Link to an article (which requires auth to read, of course) for full details of their redundancy payout.


It's just more newsworthy, is all.


Definitely a coincidence and not a conspiracy of spooks working for the NSA (and similar) breaching servers in order to con you into getting a government spying device (cell phone).


So many compared to when?


Kind of weird posting this here. Hacker News provides little ability to manage an account, much less set up 2FA.


What's weird about posting news of a breach of a major site on a news aggregator?


Just that Hacker News doesn't provide the protections being discussed given the also discussed assumption that sites will be breached at some point.


No 2FA, no muting/blocking or following, non-transparent moderation using long-discredited techniques, security through obscurity. For a site devoted to discussing the latest tech, the site itself is curiously stuck in the 90s and the grognards like it that way.


At least it has kept the nice 90s atmosphere too. Generally HN users are high value targets - how little spam or trolling there is to be found here by outsiders is incredible considering the lack of safeguards you mentioned.



The hacker stole the source code and shortly thereafter died of radiation poisoning


I'd love to see the source code and compare it to the open source code, before they went closed source. I bet there are some real fun things in there, from an attack surface standpoint.



> Reddit recommends users set up 2FA to protect accounts

How about Reddit follows their own recommendation and forces 2FA for their employees?

Those kinds of attacks are 100% avoidable. Nobody with my company username and password can do ANYTHING, unless they have physical access to my computer...


<tinfoil-hat>Now that is an easy way to collect phone numbers from all users</tinfoil-hat>


Why would I give reddit my email or, God forbid, my phone number?


(off topic) Davey Winder is a blast from the past, I used to hang out with him 30 years ago. Nice to see he's still surfing the tech wave.


This trend is going to get much worse before it gets better. Buckle up!


So did they store their passwords in plain text? No? Did they salt their hashes?


> TL:DR Based on our investigation so far, Reddit user passwords and accounts are safe[0]

[0] https://old.reddit.com/r/reddit/comments/10y427y/we_had_a_se...


It would be nice if Reddit had an easy to find way to turn on 2FA.


Not requiring security keys for staff in 2023 is inexcusable.
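Why security keys, rather than any second factor, are the answer to the attack described further up (a site that "cloned the behavior of our intranet gateway"): an added example in Go, not code from the thread or from Reddit. A TOTP code typed into a clone is just six digits the clone can forward to the real gateway in time. A WebAuthn assertion instead signs over clientDataJSON, whose origin field the browser fills in with the site it actually loaded, so a relayed assertion carries the clone's origin and the relying party rejects it. The origins and the authenticatorData bytes are constructed stand-ins (real authenticatorData carries the RP ID hash, flags and a counter, which a full implementation also checks); the signature scheme is real ES256 over authenticatorData || SHA-256(clientDataJSON).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData carries the WebAuthn clientDataJSON fields that matter here. The
// browser, not the page's JavaScript, fills in Origin with the site it really
// loaded, and the authenticator signs over a hash of this JSON.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back from the browser.
type assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 DER ECDSA signature (ES256)
}

// signedDigest is what a WebAuthn authenticator actually signs:
// SHA-256 over authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := append(append([]byte{}, authData...), cdHash[:]...)
	d := sha256.Sum256(msg)
	return d[:]
}

// browserAssert models browser plus security key during navigator.credentials.get():
// the browser records the origin it loaded the page from, the key signs.
func browserAssert(key *ecdsa.PrivateKey, observedOrigin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: observedOrigin})
	if err != nil {
		return assertion{}, err
	}
	authData := []byte("authenticator-data-stand-in") // constructed; real bytes are rpIdHash||flags||counter
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the relying party's check: ceremony type, challenge, origin,
// then signature. The origin comparison is what defeats a cloned login page.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, expectedOrigin, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion made on %q, expected %q", cd.Origin, expectedOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// relayDemo returns (genuineOK, relayedOK): a login straight from realOrigin, and
// the same challenge relayed through a cloned gateway page served from phishOrigin.
func relayDemo(realOrigin, phishOrigin string) (bool, bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	challenge := "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed; a real RP issues fresh random bytes per login
	genuine, err := browserAssert(key, realOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	// Phishing relay: the clone fetched a real challenge and forwards the victim's assertion unchanged.
	relayed, err := browserAssert(key, phishOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	return verifyAssertion(&key.PublicKey, genuine, realOrigin, challenge) == nil,
		verifyAssertion(&key.PublicKey, relayed, realOrigin, challenge) == nil, nil
}

func main() {
	ok, phished, err := relayDemo("https://intranet.example.com", "https://intranet-gateway.example.net")
	fmt.Println(ok, phished, err) // true false <nil>
}
```

The attacker cannot fix this up: the origin sits inside the bytes the key signed, and the key never leaves the device, so there is nothing to forward that the real gateway will accept. This is the property a TOTP seed, however carefully stored, cannot give you.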


Google should drop Reddit indexing, since it is full of disinformation and agenda.


If they did that, their search engine would go from 10% useful to 0% useful.


No.


idk what the big deal is, my password is plenty secure, see? it's hunter2


All I can see is *******



