this post was submitted on 16 Sep 2024
228 points (98.7% liked)

Technology

59174 readers
4341 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
all 38 comments
sorted by: hot top controversial new old
[–] [email protected] 69 points 1 month ago (2 children)

What an absolute failure of the legal system to understand the issue at hand and appropriately assign liability.

Here's an article with more context, but tl;dr the "hackers" used credential stuffing, meaning that they used username and password combos that were breached from other sites. The users were reusing weak password combinations and 23andme only had visibility into legitimate login attempts with accurate username and password combos.

Arguably 23andme should not have built out their internal data sharing service quite so broadly, but presumably many users are looking to find long lost relatives, so I understand the rationale for it.

Thus continues the long, sorrowful, swan song of the password.

[–] [email protected] 0 points 1 month ago (1 children)

Wide-spread adoption of passkeys can't come soon enough.

[–] [email protected] 0 points 1 month ago* (last edited 1 month ago)

I don't think it's going to get much more broadly used than it is now. I work in cyber security and there have been password hacks like this since practically the beginning of the internet. It's called a rainbow table attack, It mostly relies on the victims being complete idiots.

You don't even need to have a particularly secure password to be safe from it, you just have to have a unique one from site to site. Even if in other respects it's relatively weak it will still defeat a rainbow table attack.

The point is this stuff has been going on for decades and people are still making basic fundamental errors, so I can't see how that's going to change in the future. Maybe we should require everyone to take some sort of basic proficiency test before they're allowed online.

[–] [email protected] 19 points 1 month ago (3 children)

Seems like a paltry amount, given what savvy social engineers could do with that data.

If you don't use proper security practices, you should be on the hook for prison time at a minimum.

[–] [email protected] 5 points 1 month ago* (last edited 1 month ago)

It should be $0 because this was a credential stuffing attack (Using breached passwords people reused), and affected people who knowingly shared their data with other people.

23&me didn't leak data, they didn't have any database breaches, their infrastructure wasn't compromised due to negligence...etc The majority share of negligence is in the users here.

Yes, they should have MFA, but also no, most sites and services don't force you to use MFA to begin with, and that's not a regulatory requirement anyways.

This is, for the most part, the fault of the folks using terrible security practices such as refusing passwords and sharing their data with other users. And this is a shitty precedent to set where the technical reasons for this event are thrown out the window in favor of the politics of it.

[–] [email protected] 3 points 1 month ago (2 children)

Who would you jail? How would you decide whos responsible? You can't jail the entire company.

But with a sufficient size fine you can make everyone at the company regret that decision, directly or indirectly.

[–] [email protected] 6 points 1 month ago (1 children)

Who would I jail? The C-officers. Your shit show, your responsibility. If you can't trust your employees, figure out why or do the work yourself.

[–] [email protected] 9 points 1 month ago

I've always been hugely in favor of it. It's the one change that could maybe justify their gargantuan salaries -- if your company causes harm and suffering, the leaders absolutely need to be put on the hook.

[–] [email protected] 0 points 1 month ago (1 children)

You punish everyone in proportion to their responsibility

[–] [email protected] 1 points 1 month ago

But they're not suggesting they be punished at all...

[–] [email protected] 2 points 1 month ago (1 children)

So all the people who actually make the decisions walk away scot-free?

[–] [email protected] 1 points 1 month ago

I didn't say that. However, if delegation is too risky, do the work yourself.

[–] [email protected] 10 points 1 month ago

Didn't even offer a refund it sounds like.

"Hey, I know we just fucked up and let a ton of personal information out into the wild. As compensation how would you like to keep using us?"

[–] [email protected] 9 points 1 month ago* (last edited 1 month ago) (2 children)

How people are so confident in sharing their DNA, something you cannot change, that you will carry on for your entire life, and that can uniquely identify you with just a small sample, to a private, profit-driven company still amazes me

And the worst part is, even if you're careful about it, all that's needed is a relative doing it and now the company can basically tell most of your family tree

And all for what, knowing the parents of the parents of your parents come from some neighboring country? No shit, Sherlock, people move around

[–] [email protected] 2 points 1 month ago

My mom did it and paid for a free test for me too. Had them send it to my address. So even though I didn’t use the test I’m in their system, name and all.

[–] [email protected] 0 points 1 month ago

I guess but if a shadowy company wanted my DNA they could get it easily enough even if I don't hand it over to them so I'm not sure how much point there is in being protective of it. Anyway what are they going to do with it, that a medical company couldn't do?

The government already has my blood from back when they were doing medical testing, so it's all a bit of a moot point anyway. Also an insurance companies took some blood and they did an MRI scan so they have my brain as well. Jokes on them if they choose to clone me, I'm bloody useless.