
They are owned by LogMeIn, which is a pretty shady company in my book (not malicious necessarily, but not transparent).


Please stop commenting on whether you are a LastPass user or not. Some of your profiles on HN have an email address, and in general all your comments are public so they can be mined, plus "rich techies" could be prime targets for more direct and elaborate phishing campaigns.


For all you know, they are bots or shills to encourage actual users to comment.

Remember this?

    <Cthon98> hey, if you type in your pw, it will show as stars
    <Cthon98> ********* see!
    <AzureDiamond> hunter2
    <AzureDiamond> doesnt look like stars to me
    <Cthon98> <AzureDiamond> *******
    <Cthon98> thats what I see
    <AzureDiamond> oh, really?
    <Cthon98> Absolutely
    <AzureDiamond> you can go hunter2 my hunter2-ing hunter2
    <AzureDiamond> haha, does that look funny to you?
    <Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
    <AzureDiamond> thats neat, I didnt know IRC did that
    <Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
    <AzureDiamond> awesome!
    <AzureDiamond> wait, how do you know my pw?
    <Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
    <AzureDiamond> oh, ok.


The ol' hunter2 ... haven't seen this IRC dialogue in years, thanks for the laughs.


Aren't we assuming at this point that the attackers have the complete customer list? I imagine that it would be way easier for them to have a script query that list directly and search for names and emails to find high value targets, rather than reading through HN hoping for a hit.


This is news to me. Was the customer list also stolen? Specifically, customer records linked to individual vaults?

My concern with anyone identifying themselves as being affected by this breach is that a 3rd party would be able to collect a lot of information about the user for a very targeted social engineering attack. Conversations here often disclose personal information such as approximate age, location, past experiences, hobbies, etc. It's a gold mine for social engineering.


From https://blog.lastpass.com/2022/12/notice-of-recent-security-... :

> To date, we have determined that ... the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor was also able to copy a backup of customer vault data ... both unencrypted data, such as website URLs ...

Given how incompetent they've been, it would be safe to assume that the vault data is linked to customer account information. And because website URLs are included in the package, there is already tons of information for spear phishing, and any LastPass user here is probably already doxxed to the bad actor.

In general, you're right, but I really think that in this case the ship has sailed. The attacker has more information than they could possibly sort through by hand, they're not going to resort to reading forum posts.


This


The main perpetrator in this case - Alexandr Kogan (now Spectre) - is now a tech entrepreneur leading a company with an investment from a US-based accelerator 43 North. That's how we punish them.



I might be remembering the details wrong, but wasn't the main issue that users half-knowingly allowed spying on their friends without any consent required from those friends? Open API isn't the reason this abuse happened IMO - Facebook failed to prevent massive data collection on users who did not give any consent.


The concept of “personal data” with one sovereign owner applies in very limited scenarios like a private Google Doc or unshared Dropbox folder. The vast majority of internet applications in fact represent some kind of sharing or communication. Such applications necessarily either help you to restrict how your counterparties interact with shared data, limiting their freedom, or don’t, violating your privacy. As such it’s hard to see either side of this tradeoff as especially blameworthy.


Sure - if you give a 3rd party application API access using your account, they can see whatever your friends have made available to you.

This is as if my friends sued Facebook because I gave you my password and you used it to snoop on them.


I am not buying this. It's borderline victim-blaming. An informed consent must be required. Giving access to an app is not the same as sharing your password with them and explicitly allowing them to do anything they want. Saying that, even if you do share your password, the app should not be able to collect data on your friends without their consent.

There is a huge difference between you stalking someone else's friends and a company collecting billions of data points to use for political manipulation. The purpose, the scale, the incentives are different. We need to stop assuming that the rules should be the same for an individual and a business just because they use the same loophole.


>An informed consent must be required.

While I don't know what the prompt exactly said, I bet it was specific enough. The fact that people just click Accept without reading it shouldn't make it less binding, that would be infantilising users.

>There is a huge difference between you stalking someone else's friends and a company collecting billions of data points to use for political manipulation.

I agree. And that company is not Meta. So I don't understand why Meta is paying. In any case all I said was that this is one of the reasons APIs are closed and everything is a silo.


> While I don't know what the prompt exactly said, I bet it was specific enough.

An informed consent from users whose information is going to be collected. In this case it was the friends of the person signing up. Again, that's the only reason Cambridge Analytica was successful. They didn't have that many users; they collected a ton of data on the users' friends.

> I agree. And that company is not Meta.

Meta had an obligation to protect its users' data. It failed at that.


>An informed consent from users whose information is going to be collected.

That consent was granted the day they accepted/sent the friend request. Once the friendship was established, the other user had access to the profile information. They can do with that information as they please, which includes giving it to a 3rd party. If it's illegal to do so, the parties at fault are the user who accepted the API access request and perhaps the 3rd party, but definitely not the medium.

>Meta had an obligation to protect their users' data. It failed at that.

If I go to your profile and take a screenshot, has Meta failed at protecting your data? What if a friend gives me their password or remote desktop access to their computer and I look at your profile? Should we fine Facebook?


> That consent was granted the day they accepted/sent the friend request. [...] They can do with that information as they please, which includes giving it to a 3rd party.

Hm - no. If I accept a friend request I allow that user to read my profile but I do not authorize any 3rd parties to access it. If you show me any mention of 3rd party access in a friend request - I might change my view.

> What if a friend gives me their password or remote desktop access to their computer and I look at your profile?

You don't seem to make any distinction between a first/second party (me and my friend) and a 3rd party (CA accessing data through an API). In fact there is a difference that's very clearly defined in contract law, user agreements, etc.


Honestly, that's not a great example. Re-evaluating your ethical impact on the world is not the same as understanding the direct consequences of your daily work. Both are important, but really different. After all we are not discussing some more abstract issues of modern software propagating capitalistic values (we are all "the system", etc, etc).


> Honestly, that's not a great example. Re-evaluating your ethical impact on the world is not the same as understanding the direct consequences of your daily work. Both are important, but really different.

Why does the difference matter again?


Because looking back at the decades of your work while being retired is just a sweet ethical exercise with very few direct personal and financial consequences.

If you are an engineer employing dark UX patterns _today_ you must look at yourself and evaluate the ethics of your work _today_. This will likely have direct personal and financial consequences.

So the stakes are completely different.


I always took it that Butler underwent an epiphany after years of believing something else. Maybe it was a case of eyes wide open. Nonetheless your distinction stands and yes it's very significant. I wonder how many developers are being hoodwinked and how many are just not being very honest with themselves.


I might be wrong, but I always lean towards this being the result of prioritization. Most engineers know the difference but prioritize other aspects over the ethical ones. I am not even judging that, just describing. After all, implementing a dark UX pattern that will inconvenience some users unknown to you is not as high a priority as providing for your own family.


It's a different mindset. When you're in uniform, under oath, you don't speak out, you salute and do what you're ordered to. When you retire, you take the uniform off and are your own man again.


So then who is the abuser? The users and the developers are the victims. PMs are likely also the victims of their higher-ups, their higher-ups are the victims of the CEO, the CEO is the victim of the shareholders, the shareholders are... the users. So that's a full circle: the users are abusing themselves.


"Everyone" is (at least potentially). That's also why I disagree that "voting with your wallet doesn't work": it is part of the solution too!


There is an argument to be made that these… micro services were a part of a bigger offering from Google. Maybe by itself Reader wasn’t a billion dollar business, but together with other niche features Reader attracted an influential and wealthy audience.


The comment you are replying to did not say that he should be denied bail. Only that the rules should apply to him too. 10% is the most common requirement, he didn't meet it.


Where are you getting that "10% is the most common requirement"? I think you may be confusing the common _non-refundable_ amount charged by private bail bondsmen for much smaller bails with an actual court requirement for collateral. Is there a published standard you could point to that shows the amount of collateral typically required by US courts for bails of this size?


I would guess that there are so many Stanford-affiliated people and so few properties on the market that this fact is not a limiting one.

