The Unity forums were hacked, but they say no passwords were taken

yeah they forced a pwd reset. I'm not happy lol...

Quoting: KimyrielleIn the end, my fundamental problem with 2FA that it doesn't really provide any significant additional security for people who use good passwords or service providers that aren't completely inept.

This is, with all due respect but to be totally honest here, not the right attitude. It reminds me a lot of all the companies out there who believes that they are safe from attacks because they got such a modern and secure firewall. Everyone must have mechanics in place that handle an invasion of their network. Just like every user must be prepared to what can happen if their passwords are exposed.

Two layers of security is and will always be better than one. Just think about it: As a service provider you build intricate analysers who scan the traffic for suspect actions, set up tight rules on each layer, from firewall to router to load balancers to application servers, an entire stack of security to stay safe from the wilderness.

And then you leave the main entrance up to the individual users out there, with one tiny little string of characters as the only - ONLY - prevention from someone totally taking over the account on that server, with all privileges that comes with that user. Just one little string, consisting of usually 6-8 characters, often in a clear pattern. One single point of failure. It goes against everything you've ever learnt in computer security.

A temporary token system makes your account safe even if you get a friggin' KEYLOGGER installed on your computer. You are safe(r) from many man-in-the-middle attacks that leaves your password exposed. Or when the service providers database is breached and passwords are not properly protected (this happen ALL the time - it's reality. A scenario where everything is perfect is utopia - you can't use that as a prerequisite). You are safer from a whole stack of attack methods where you - the user - are totally without blame, methods where your personal practise means squat, zero, nill.

Can't you see? It is a layer of security that has other properties than a static password can provide. And that is a Good Thing.

Quoting: KimyrielleBasically 2FA is an attempt to cure stupid.

Yes, that and laziness. Especially laziness.

Quoting: KimyrielleAnd we all know that in the end you can't.

But we have to limit the consequences sa best as we can. We have to, and we do - everywhere.

We have rules for security equipment in dangerous workplaces. Why the hell don't bikers wear a helmet without rules telling them they have to or they will be fined? That's how we cure stupidity there. We cure stupidity absolutely everywhere.

And 2FA is a good cure. one of several cures. The others are done server side. But we have to secure also the client side of things - we can't handle absolutely every scenario server side.

Quoting: KimyrielleFor people who are NOT stupid, it doesn't do anything except making their life more complicated.

Hence, "laziness".

Quoting: KimyrielleBut go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hand of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)

That is not the topic. The topic is security. Two layers of security are better than one - period.

We can discuss anonymity and the internet another time. Or market leverage or app design.
The topic now is if 2FA provides a more secure regime than one single password. And it does. If you lose your phone or password file or the password to your password file or whatever else, that is a challenge that must be handled. It must be designed a system that can take care of that the best possible way with the least risk involved. Yes, it is a challenge, but as long as we deal with passwords at all, we just need to handle that.

Personally I am against passwords, period, since it's such a pain in the arse either way, and a stupid stupid thing from a security perspective.

I predict that in a decades time we don't have to fool around with these bloody passwords anymore - then there's other systems that's taken over verification.

My password file contains 150 passwords. Count'em: One hundred and fifty unique passwords, and mostly unique usernames too. And many have much more than that. It's complete, plain madness of a archaic system that stems from a time where we all had one account on our LAN. It's one giant ulster of a security challenge that can only be overcome by replacing it with something better.

But until then: Temporary passwords with one usage and then scrapped does negotiate a few of the gaping flaws of static passwords.
That's really all I am hoping to make you, and others, realise. So can we all join in on a complain hymn about the hassle, oh the hassle!, until something better comes along.


Last edited by Beamboom on 3 May 2017 at 1:33 pm UTC

"The Unity team note that no passwords were taken"
---
You cant NEVER say "no passwords where taken", only thing you can say "passwords are taken" if you are sure that they where taken; you must act on presumption that they are taken.
---
Everybody who says "no passwords where taken" dont know a shit about security, Unity team claim is wittingly a LIE (because they cant know that for sure), their security enginering skill is only second to their 3D engine enginering skills.

Quoting: BeamboomTwo layers of security is and will always be better than one.

You will hear no dissent from me here. I said a few times already that 2FA looks good on paper.

Quoting: Beamboom

Quoting: KimyrielleBut go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hand of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)

That is not the topic. The topic is security. Two layers of security are better than one - period.

To me, that IS the topic. That and nothing else is. A security system that increases security (it does, we don't disagree here), but comes with a astonishing number of inconveniences, unsolved design flaws and privacy concerns is UNACCEPTABLE. Yes, even if it otherwise works. Security is not something you can and want to maximize. It always comes paired with secondary concerns. The most famous one being Security vs. Freedom. But convenience is -certainly- one of the secondary concerns, as is privacy, and making the system resilient against single point of failures. 2FA doesn't satisfy ANY of these considerations. It works in some select areas where these concerns do not matter. You named banks, and I agree with that, since they already know my identity anyway and can ask me to show up in person if I lose my token. It works because banking is still at least partially an offline business. Most other areas that need good online security aren't like that.

I do otherwise agree with you that we need something better than static passwords. Unfortunately nobody has ever come up with a great idea what to replace them with. 2FA isn't it, at least not without considerably improving the way it's currently implemented. For the time being, I am rather willing to accept somewhat weaker security than living with the plethora of unsolved issues it comes with. *shrug*


Last edited by Kimyrielle on 3 May 2017 at 9:21 pm UTC

Quoting: KimyrielleI do otherwise agree with you that we need something better than static passwords.

I am however doubtful that you'll like the tech that will replace it, in regards to your privacy concerns. :)

By all means, the privacy concerns regarding internet technology is massive. It can not be overstated. I'm with you there. It's gigantic, and almost impossible to imagine the world will ever be the same again in regards to those questions. But from a pragmatic perspective, I see this as unavoidable.

From a pure security perspective, and from a service providers perspective more than consumer perspective, I'm afraid we just have to realize that the less dependence on user decisions (and with that, privacy) the better. Biometric scans (voice, fingerprint, retina etc) are for example something that I expect will become a lot more common means for identification also for internet services. It's already common on the mobile phones, all that is needed is to extend that usage. And it's in excessive use on modern airports (face recognition).

But yeah - it will become harder and harder to remain anonymous, or to even control the information about you out there. And the morale and ethical questions around this are of course huge.

PS: I never started using Linux "to escape MS's monopoly" - I did it because it's simply the better OS for my line of work. ;)


Last edited by Beamboom on 4 May 2017 at 1:05 pm UTC

Quoting: BeamboomPS: I never started using Linux "to escape MS's monopoly" - I did it because it's simply the better OS for my line of work. ;)

Sysadmin ?

Quoting: razing32

Quoting: BeamboomPS: I never started using Linux "to escape MS's monopoly" - I did it because it's simply the better OS for my line of work. ;)

Sysadmin ?

My guess would have been developer. ;)

And well, Linux is a better OS than Windows in every regard I can think of. The area Windows is ahead is the number of software products available for it, that's really all. Namely games and design software. If we'd be evenly supported by software, nobody in their right mind would still be using Windows.

Quoting: Kimyrielle

Quoting: razing32

Quoting: BeamboomPS: I never started using Linux "to escape MS's monopoly" - I did it because it's simply the better OS for my line of work. ;)

Sysadmin ?

My guess would have been developer. ;)

And well, Linux is a better OS than Windows in every regard I can think of. The area Windows is ahead is the number of software products available for it, that's really all. Namely games and design software. If we'd be evenly supported by software, nobody in their right mind would still be using Windows.

Somewhat related to the 2FA talk you were having :
https://motherboard.vice.com/en_us/article/we-were-warned-about-flaws-in-the-mobile-data-backbone-for-years-now-2fa-is-screwed

And yes , I think with proper support Linux can beat windows. It's just we lack software, drivers in some cases and what most low-tech users want : easy eye candy operation.
(Still , I don't hate windows as an OS on principle. It could be good too if MS wasn't a bunch of dicks.)