Posts: 1
Comments: 920
Joined: 2 yr. ago

  • This wasn’t a brute-force attack, though. Even if they had brute-force detection, which I’m not sure whether they do or not, that would have done nothing to help this situation, as nothing was brute-forced in a way that would have been detected. The attempts were spread out over months using bots that were local to the last good login location. That’s the primary issue here. The logins looked legitimate. It wasn’t until after the exposure that they knew it wasn’t, and that was because of other signals that 23andMe obviously had in place (I’m guessing usage patterns or automation detection).

  • I guess we just have different ideas of responsibility. It was 23andMe’s responsibility to offer MFA, and they did. It was the user’s responsibility to choose secure passwords and enable MFA and they didn’t. I would even play devil’s advocate and say that sharing your info with strangers was also the user’s responsibility but that 23andMe could have forced MFA on accounts who shared data with other accounts.

    Many people hate MFA systems. It’s up to each user to determine how securely they want to protect their data. The users in question clearly didn’t if they reused passwords and didn’t enable MFA when prompted.

  • I already said they could have done more. They could have forced MFA.

    All the other bullet points were already addressed: they used a botnet that, combined with the "last login location" allowed them to use endpoints from the same country (and possibly even city) that matched that location over the course of several months. So, to put it simply - no, no, no, maybe but no way to tell, maybe but no way to tell.

    A full investigation makes sense but the OP is about 23andMe's statement that the crux is users reusing passwords and not enabling MFA and they're right about that. They could have done more but, even then, there's no guarantee that someone with the right username/password combo could be detected.

  • They did. They had MFA available and these users chose not to enable it. Every 23andMe account is prompted to set up MFA when they start. If people chose not to enable it and then someone gets access to their username and password, that is not 23andMe's fault.

    Also, how do you go about "preventing compromised credentials" if you don't know that the credentials are compromised ahead of time? The dataset in question was never publicly shared. It was being sold privately.

  • No, but I didn't consent to give that info to family either. If I was worried about my data getting in the hands of strangers, I wouldn't have shared it with strangers which is what happened here. Unless you count a 4th cousin that you've never met "family", why would you give them access to your data?

  • There was a button that said "share my data with this account". If that person went and shared that info publicly, how is that any different? The accounts were accessed with valid credentials through the normal login process. They weren't "breached" or "hacked".

  • The only way to stop this would be for 23andme to monitor these "hack lists"

    Unfortunately, from the information that I've seen, the hack lists didn't have these credentials. HIBP is the most popular one and it's claimed that the database used for these wasn't posted publicly but was instead sold on the dark web. I'm sure there's some overlap with previous lists if people used the same passwords but the specific dataset in this case wasn't made public like others.
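The kind of "hack list" check discussed above works by comparing a password hash against a breached-credential corpus without sending the full hash to the service. The following is an added example, not code from the page, from HIBP, or from 23andMe: a constructed local corpus stands in for the service, and the function names and the three made-up passwords are assumptions. It shows the k-anonymity range protocol (only the first five hex characters of the SHA-1 leave the client) and the limitation raised in the comment: a credential that only circulated in a privately sold dump is absent from the corpus and comes back as "not found".

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus of the kind a
# Pwned-Passwords style service holds (SHA-1 hash -> prevalence). The entries
# and counts are made up for this example.
LEAKED_PASSWORDS = {
    "Password1": 2_500_000,
    "letmein": 800_000,
    "Summer2023!": 41,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Service side: bucket every hash under its first five hex characters.

    Returns {prefix: {suffix: count}}. Real services hold hundreds of millions
    of entries; the shape is the same.
    """
    index = defaultdict(dict)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return index


def range_query(index, prefix):
    """Service side: everything under one 5-char prefix (k-anonymity bucket).

    The service sees only the prefix and cannot tell which, if any, of the
    returned suffixes the caller cares about.
    """
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def breach_count(password, index):
    """Client side: send the prefix, match the suffix locally.

    Returns the number of times the password appears in the corpus, 0 if it is
    absent. 0 means "not in this corpus", not "safe": a credential that only
    ever circulated in a privately sold dump still comes back 0.
    """
    digest = sha1_hex(password)
    bucket = range_query(index, digest[:5])
    return bucket.get(digest[5:], 0)


INDEX = build_range_index(LEAKED_PASSWORDS)

if __name__ == "__main__":
    for candidate in ("Password1", "Summer2023!", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, INDEX))
```

A site would run this at password-set time and again at login (it has the plaintext at that moment), and block or step up to MFA on a non-zero count. The check is only as good as the corpus behind it, which is exactly the gap the comment points at for a dataset that was never posted publicly.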

  • I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:

    1. 23andMe was not hacked or breached.
    2. Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
    3. The attacker took the database dump to the dark web and attempted to sell the leaked info.
    4. Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
    5. None of the compromised accounts had MFA enabled.
    6. Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
    7. No data that wasn't opted into was shared.
    8. 23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

    I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.
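The attack pattern laid out in the facts list above, and in the earlier reply about brute-force detection, can be made concrete over a small login log. This is an added example, not code from the page or from 23andMe: the log entries, account names, IP addresses, regions, record layout and thresholds are all constructed assumptions. It shows why a per-IP failure counter stays silent against one-attempt, region-matched stuffing spread over weeks, and one aggregate signal that still surfaces the campaign: a single source address achieving password-only, first-time successes on several unrelated accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: (timestamp, account, source_ip, region, outcome, mfa_used).
# The record shape and every value in it are assumptions for this example.
LOGIN_LOG = [
    # Ordinary history: each account from its usual address.
    ("2023-07-02T08:10:00", "alice", "203.0.113.10", "US-CA", "success", False),
    ("2023-07-05T19:30:00", "bob",   "203.0.113.22", "US-CA", "success", False),
    ("2023-07-09T12:00:00", "carol", "203.0.113.31", "US-CA", "success", False),
    ("2023-07-11T07:45:00", "dave",  "203.0.113.50", "US-NY", "success", True),
    ("2023-07-11T07:50:00", "erin",  "203.0.113.50", "US-NY", "success", True),  # shared household NAT
    # Low-and-slow stuffing: one bot node placed in the victims' region tries a
    # single reused password per account, weeks apart. Hits succeed on the first
    # attempt, so no lockout or failure counter ever moves.
    ("2023-08-03T14:02:00", "alice", "198.51.100.7", "US-CA", "success", False),
    ("2023-08-19T03:41:00", "bob",   "198.51.100.7", "US-CA", "success", False),
    ("2023-09-07T22:15:00", "frank", "198.51.100.7", "US-CA", "failure", False),  # password differs here
    ("2023-09-21T11:09:00", "carol", "198.51.100.7", "US-CA", "success", False),
]


def _ts(value):
    return datetime.fromisoformat(value)


def per_ip_bruteforce(log, max_failures=5, window=timedelta(minutes=15)):
    """Classic brute-force detector: many failures from one IP in a short window.

    Returns the set of flagged source IPs. Against the log above it returns an
    empty set, because the campaign produces at most one failure per IP.
    """
    recent = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = set()
    for ts, _acct, ip, _region, outcome, _mfa in sorted(log):
        if outcome != "failure":
            continue
        now = _ts(ts)
        recent[ip] = [t for t in recent[ip] if now - t <= window] + [now]
        if len(recent[ip]) >= max_failures:
            flagged.add(ip)
    return flagged


def stuffing_campaign(log, min_accounts=3, window=timedelta(days=60)):
    """Aggregate detector for region-matched credential stuffing.

    Region matching defeats impossible-travel checks, so the signal used here is
    one source IP achieving password-only successes on several unrelated
    accounts that had never used that IP before, within a long window. Returns
    {ip: sorted list of affected accounts} for IPs over the threshold.
    """
    known_sources = defaultdict(set)  # account -> IPs it has succeeded from before
    firsts = defaultdict(list)        # ip -> [(time, account)] first-seen, non-MFA successes
    flagged = {}
    for ts, acct, ip, _region, outcome, mfa in sorted(log):
        if outcome != "success":
            continue
        now = _ts(ts)
        if not mfa and ip not in known_sources[acct]:
            firsts[ip] = [(t, a) for t, a in firsts[ip] if now - t <= window] + [(now, acct)]
            accounts = {a for _, a in firsts[ip]}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts)
        known_sources[acct].add(ip)
    return flagged


if __name__ == "__main__":
    print("brute-force detector flagged:", per_ip_bruteforce(LOGIN_LOG))  # set()
    print("campaign detector flagged:", stuffing_campaign(LOGIN_LOG))     # {'198.51.100.7': ['alice', 'bob', 'carol']}
```

Two caveats follow from the code itself. The aggregate detector only fires on the third account, so the first two victims are already exposed by the time it does, which matches the comment's point that the logins looked legitimate until later signals arrived. And a shared address (office or household NAT, carrier-grade NAT) can legitimately serve several accounts; here dave and erin escape only because they used MFA, so a production rule would need per-ASN baselines or a higher threshold to avoid false positives.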

  • It doesn't. Sharing that info was opt-in only. In this scenario, no 23andMe accounts were breached. The users reused their credentials from other sites. It would be like you sharing your bank account access with a family member's account and their account getting accessed because their banking password was "Password1" or their PIN was "1234".

  • In my experience, Dewalt has been the best in terms of balance between reliability, flexibility, and cost. Milwaukee is probably the most reliable but also the most limited. Ryobi are cheap junk. Makita tools I haven't used but I've been told repeatedly that they used to be awesome but are now cheap junk.

    All of these companies have at least a few items that are cheap junk (like most of the bluetooth speaker stuff...wtf?) but some are worse than others.

  • It doesn’t. Everyone is missing the fact that plagiarism requires an intent to mislead. It’s not plagiarism if you cite the authors in the same paper or even paragraph and then don’t quote something they said in a technical summary.

    If I find a line in a book that I think is profound and use it as the basis for something I write with modification, it’s not plagiarism unless I’m attempting to pass that off as my own thoughts or attempt to mislead people into thinking that it’s my contribution to the body of knowledge related to the topic. That’s why the board didn’t agree with plagiarism and why none of the authors that were supposedly plagiarized (with one notable, political exception) felt it was plagiarism.

    There’s a reason it’s being determined as “negligence” and corrections are being allowed as opposed to plagiarism and malice.

  • That’s not what I’m saying at all. Either you’re not paying attention or I was right and you’re being dishonest. Plagiarism requires intent to deceive. That’s what’s in question here. Citing someone at the beginning of a paragraph and not repeating the citation later in the same topic or summary is negligent and maybe a little careless but not malicious - and that’s exactly what the review board found and what the people she supposedly plagiarized agree on.

    There’s no need to stretch the definition. The definition already includes the idea that the act has to be “to pass off as one’s own work”. That’s not what she was doing. She was using the summaries from the other papers and cited them earlier in the paper.

  • I agree. They wouldn’t stop. It’s just a shame that that’s enough to derail everything. Why would anyone want that job when the school will just bow to any kind of political pressure as opposed to actual, objective issues with the way she’s performing the job?

  • See… you’re already wrong. Some of these people are people that she studied under and worked with regularly. Not all but most. Gary King was her senior advisor, for example. The other examples, such as from Lawrence Bobo and Franklin Gilliam, are cited earlier in the paragraph. The later citations should have had quotations attributed but didn’t, hence the negligence and not malice.

    This didn’t become an issue until the politics came up and I think you’re being dishonest to suggest that she’s being scrutinized because of some academic standard as opposed to partisan political points.