[GTALUG] blackmail

D. Hugh Redelmeier hugh at mimosa.com
Sat Aug 4 10:25:29 EDT 2018


| From: ac via talk <talk at gtalug.org>

| no, not really. by the time you receive the type of email you have, it is way too late.

Probably.  But the information that a site was hacked should still be
useful to the site.

| How sure are you that it was Canada Computers? Are you saying that that
| was the only place you used that password?

Yes.  (I said that in my original posting.)

| And, is it a current
| password (dollars to donuts says: no...)

It was.  No longer.

| and with Google hacked, Yahoo
| hacked, Microsoft hacked, it matters very little anyway... Change your
| passwords every 30 days (or less)

I find that too much bother.  Experts have waffled on this policy.

| and never use the same password
| twice (or even anywhere else) - If they sent me my google/yahoo/etc
| password - I would even be able to tell you from which week it came :)

For real security, use something other than passwords.  But that
doesn't seem to be in place for most sites.

Single-sign-on makes multi-factor authentication more feasible.  I don't
trust the monopoly power of single-sign-on providers.  And I don't
trust the resulting "one compromise to rule them all" ecosystem.  And
I'm not attached at the hip to a mobile phone (SMS is the usual second
factor for consumers).

I can imagine that client certificates for TLS could help, and I
assume that the TLS supports this feature.  But I don't know that
any important sites exploit them.  And the certificate hierarchy
provides for monopoly abuse.
