Data leak contains 26B records from numerous previous breaches (cybernews.com)
210 points by el_duderino on Jan 23, 2024 | 142 comments


I feel like the people who calculate that it's more cost effective to deal with the hit from a security breach vs spending money on good security have won.

I have gone from feeling outraged to completely numb to these kind of disclosures and have pretty much just assumed that my information will inevitably be leaked somewhere by someone.

Does anyone else feel this way? I just keep a close eye on my financial statements and hope for the best.


It’s time for attorney generals to hold permanent identity monitoring pots and funds.

The idea that someone can lose all your data and then pay for two years of identity monitoring is absurd. The people with the data can see that and can just wait two years to sell it. Social security numbers don’t reset after two years.

If you lose data, you pay a data breach tax forever. Over time, your competitors will be able to run with lower margins if they stay secure. As companies die out, the remaining breached ones are responsible to keep footing the bill.


It also incentivizes holding as little personal data as possible and increases the probability of coordinated adoption of systems[1][2][3][4][5] of identification/verification that minimize collateral damage.

1. https://sovrin.org/

2. https://github.com/sertoID/

3. https://www.hyperledger.org/projects/hyperledger-indy

4. https://identity.foundation/ion/

5. https://www.civic.com/


> incentivizes holding as little personal data as possible

The government does not want to incentivize that.

https://en.wikipedia.org/wiki/Third-party_doctrine


I get the impression incentivizing holding little personal data is one of the goals of GDPR


Fair enough, I should have said "The US government does not want..."

Mention of attorneys general and social security numbers in OP's posting put me in a US mindset.


Further cementing this broken idea of "identity" as something that can be stolen is most certainly not what we need! Rather we need AG's to start going after companies that attempt to collect negligently verified and other fake debts for the outright brazen fraud that it is, and a law that allows victims to procedurally recover triple damages for time/money spent defending against these companies and helping the companies clean up their own messes. Separately, we need a law like the GDPR that lets individuals audit, control, and opt out of the surveillance records being kept on us.


Exactly. The whole idea that end users are responsible for their stolen "identity" is absurd.

It was a successful tactic used by banks and credit bureaus to shed their responsibility of proper verification when opening lines of credit or other accounts.


I would go one step further, saying that proper verification is prone to fraud because of failure in government (in the US; not sure about other countries). It still baffles me that identification typically comes down to two things: social security card and driver's license, and both are managed by agencies whose primary objective is not identification. IMHO, it's time for a single agency at either the fed or state level that's in charge of just identification. That's it. Fund that agency and let them do it properly. However, inevitably someone will scream "Big Brother!", and we'll end up back where we started, with this Rube Goldberg system that basically leaves individuals to fend for themselves.


I'll go yet another step further, and say that the main opposition to having a better technical system of government identification is because we're lacking a comprehensive privacy law akin to the GDPR. As it stands, if the government started, say, issuing smart cards for identity verification, then every business would gradually force their customers to identify themselves, for helping the commercial surveillance industry track everything they do. This is the current dynamic with mobile apps, phone numbers, and existing static identifiers, and it's only held back because one can feign not having them and/or being worried about giving out that info. Whereas with actually secure technicals, that friction basically disappears. And so the only way to prevent this dynamic (and make it so better identification isn't itself a security vulnerability) is by gaining the legal right to inspect/audit/reject the collection, use, and storage of such information in the first place.


There's also a significant constituency that believes any nationwide system of identity is the "mark of the beast" as spoken of in the Bible.


It feels like the people who literally believe this as an actual political concern is a vanishingly small contingent, especially given that the ship has already sailed with SSNs and the like, making this more of a partisan talking point strawman. Of course I do respect that the relevant political party has made their whole platform one of stirring up such tempests in teapots instead of focusing on substantive policy. But still regardless of the possible superstitious narratives that objections may end up taking, the best way to eliminate objections is to address the actual practical concerns. And that is chiefly the myriad of ways in which existing identifiers are being abused.


Phone numbers already do that.


Digital identification can be done correctly, i.e. give business one time pseudonym maybe with one time email pseudonym. Then businesses won't ask for such identification :)

Or it can require ATM, which is not frictionless.

Businesses already ask for phone numbers anyway. Can it become worse?


Phone numbers are bad, but of course it could be worse. Phone numbers have both escape hatches (VOIP, shared number burner services, or your own pseudonymous SIM + device ID), and friction (people are wary of businesses spamming them).

Pseudonyms don't work for the topic under discussion, issuing credit. And for the general case, since credit issuers would be able to require you to do a non-pseudonym identification, then any other entity can require this as well, unless there were a privacy law.

(no idea what you mean by "ATM")


>Pseudonyms don't work for the topic under discussion, issuing credit.

Because businesses want spammable addresses. That's why they won't ask for properly designed digital identification.

By ATM I mean you use ATM with your card to authenticate yourself. You can't use a smart card with thin air, can you?


Strong disagree that such a responsibility exists. I should be able to open a bank account with _nothing_, save perhaps a _de minimis_ initial deposit (one penny, or similar).

I can walk into a shop with a handful of cash, buy an item, and leave without anyone knowing who I was. That should be true of any good or service, including banking, that does not require additional data for direct practical reasons related to the provision of the service, e.g. cleaners need to know where you live. "Prevention of fraud/laundering/terrorism/whatever" is not such a reason.


That is fine for opening a deposit account. The fraud we're talking about is for obtaining credit or future financial obligations. It is wrong to let this be done with so little proof of identity and enforce the obligation in courts.

Banks have notaries of the public. After you have established a relationship with a bank, the notary may have enough evidence to authenticate you for others. If you have continued to use the bank in an anonymous manner, then you should not be authenticated to others.


I'm sympathetic to your comment, but we are talking about the issuing of credit. Surely you see that this idea is a non-starter for a bank issuing credit?

This is further complicated by US bank accounts including an intrinsic bit of credit from writing checks and other ACH debits.


This is the best comment ever. Thank you! ... The narrative around "identity theft" and "personal data" needs to change.


> two years

TWO years?

I have had my data pwn3d a couple of times. One was six months, the other was one year, and Experian used that as leverage to unendingly nag me to buy into them.


It should all be free, like getting credit reports is now. We need a robust and accessible way to manage our data personas, assuming that all of the supposed secrets are in fact public data.


As a reminder for any US citizens, there is an official path to getting this from each of the main three for free[1]; it is the approved method verified by the FTC [2].

1. https://annualcreditreport.com

2. https://consumer.ftc.gov/articles/free-credit-reports


This still puts the burden on the consumer of having to verify that their credit file is accurate, not to mention the even bigger burden of trying to correct it.


Furthermore it's a reactive measure. Locking credit reports and unlocking as needed can help mitigate some risks.


> It’s time for attorney generals

Attorneys general

They are attorneys, so that is the word to pluralize. What type of attorney are they? General


This is an explanation poor of why that's the plural correct. You make it sound like that's grammar normal English.


Him forgive, programmer he Forth a is.

You thank.


Nah, it's just a convention adopted from French after the Norman Conquest.


I think its monomorphization: Attorneys::<General>().


Wouldn't that be Vector::<Attorney::<General>>() ?


SMASH EVERYTHING INTO FLAT ENGLISH, GIVING COBOL!

LIST OF GENERAL ATTORNEYS FTW!

(SEE HOW EVEN THE ACRONYM AT THE END OF THE SENTENCE FITS INTO COBOL SYNTAX, BEING IN UPPERCASE?)

COMPILE IN A FLASH, DEBUG AT LEISURE.

AND DON'T FORGET YOUR COBOL PERIODS.


I think an easier approach would be some sort of mandatory indemnity. Rather than trying to impose specific practices which very well may vary greatly depending on the domain, just levy automatic penalties for breaches and set them high enough to encourage action.


This will just make companies more litigious. They'll sue to silence leakers and deny wrongdoing. The leaking will still happen.


Or rather we should double down on aliases: everything must store aliases instead of real data.


I'm very open to government solutions, but at the same time I'm not sure they have a good track record. Despite that, this service should come from the government because anyone else has misaligned incentives. I specifically would want a privacy and security maximalist approach. What we have right now is completely unacceptable, especially given our current technology level. Though of course, the downside is also that this database becomes a big target (and that's why I want a maximalist approach). I don't know what the solution is, but I'm sure there are security experts here on HN that can lay out better paths and I'm interested in actually hearing what systems I should be advocating for (with more specificity than the generic thing I said).

I do think we should also push back against surveillance capitalism. This has been a disaster. Such data breaches are a result of this system (and clearly it isn't even unique to the western world). I think any government has the power to hold these companies accountable in at least some form or another. Big dogs like US, China, and Germany should be leaders, but clearly they aren't as this stuff keeps happening.


The government is the problem.

They issue me a single identification number that can be used anywhere at anytime without any verification or notification that it has been used, and it's next to impossible to get a new one issued.

This is madness. A state funded "insurance" system to backstop this mistake is an unworkable hack that seeks to ignore the fundamental problem.


The government only claimed to identify you with that number for one purpose. The motivation for fraud would be a lot lower if that was the way it was still.

The problem is third parties abused that number for their own purposes.

Imagine if some company somewhere started using phone numbers as identifiers, and criminals started defrauding that company by "stealing" other people's phone numbers. Would you blame the phone company for that? Of course not.

The problem is that banks and anyone else using SSNs need to do more due diligence than checking SSNs, but they don't want to because it would be expensive and add friction to signing up for their "products".


They themselves abused it as anyone in military service is well aware. Then they required you to put it on your IRS forms, even though the Social Security Administration is a wholly independent agency. Then they required banks to capture it for any customer.

It goes on... third parties weren't the worst, they didn't start it, and some are required by law.

Imagine if credit card companies were as blatantly incompetent and as reckless as the government? The reason they aren't is because they hold most of the liability at all times, and there's a lot of good laws that set them up for huge damages if they make a mistake. The reason the government doesn't care is because no one holds them accountable.

If you have an interest bearing account, you need to provide an SSN, and even though the regulation has since been changed, you needed it for any account for 30 years or so. Anyways, if my SSN suddenly starts being used 12 states away from where it has been the last few decades, _nobody_ notices. The government is the only agency that could and they just don't.


It seldom creates significant inconvenience or financial obligations when someone pays additional taxes in your name. It only becomes a significant problem when the fraudster is obtaining money or services in your name.

The burden of authentication is not on the entity who issued a simple ID number, it is on those who go on to use it as if it is a secret.

I think your trust in credit card companies is misplaced. The only thing that holds them back is consumer protection laws, and they fight those however they can. Jack up rates, check. Grant credit at a sales point of presence with a minimum wage sales clerk doing identification, check. Sell or trade your payment history, check.

In some moral systems, lending money to make money itself is outright wrong. If you maintain a balance on your credit card for day to day expenses, any financial advisor will tell you to stop that.


Don't we blame phone companies for being vulnerable to SIM card swapping?


The service doesn’t need to come from the government. A marketplace of services of which I can choose my own provider would work.


Until your average American suffers in some clearly identifiable way - which they currently don’t really - ain’t nothing going to change. And probably not even then.


> I feel like the people who calculate that it's more cost effective to deal with the hit from a security breach vs spending money on good security have won.

They do win, unfortunately because they're right. Why spend much on designing security when the inevitable breach costs nothing other than bad press for a few days and then all is forgotten.

The only possible solution is to have significant fines for every data item breached.

Ideally I'd ratchet up the fines for each occurrence. First breach should hurt the company financially a bit but not be too disruptive, offering a learning opportunity.

For subsequent breaches the fines go up; by the fifth breach or so the fines would wipe away the company entirely, since they clearly didn't learn.

Anything short of something like this, companies will never care and leak all your data to the wind every year.


This would create an incentive to attack a competing company until you breach it 5x, causing its destruction. Competitors would be attacking each other nonstop.

Like 3 check chess, but in Delaware.


I don't have a huge problem with that to be honest. Maybe not fifth breach, but something along those lines.

Well-funded attackers and competing nations are already attacking these companies, so adding their competitors to the mix doesn't change a lot.


Yep. And if staying in business means keeping your website secure, well, isn’t that the goal?

I think part of the problem is that hacker movies make people think hacking is inevitable. Like you can’t actually protect your site and your data from the average punk on roller skates, so why bother? But that’s not true at all. Gmail has - as far as we know - never been breached by anything short of a nation state attacker. And I’m sure a lot of people have tried. You just need to actually care about security and follow best practices (like doing audits / red team and keep up to date with security patches). But most companies only seem interested in properly investing in security if it’s an existential threat.


In my fantasy world a company gets nationalized after the nth breach and we have a well-run federal department of IT with competent and engaged staff


I still feel like this is why the penalties for allowing users' data to be leaked should be harsh enough to make it worthwhile for companies to take even basic steps to protect other people's data, or even better, to avoid collecting it or keeping it in the first place.

Since that hasn't happened yet, I try to avoid handing my data over when I can.


Agreed, perhaps requiring companies who handle sensitive data to carry insurance and licensing engineers who build those systems, something like the PE.


> licensing engineers who build those systems

The IT and software industries would really change. Perhaps for the better, but perhaps not.


I can't possibly see it becoming worse. This isn't the 90s any more, computing and the internet are no longer cute novelties but infrastructure just as critical as electricity or airport communication. Software "engineering" has been due for the professional licensure and direct liability that every other serious industry has had for a century.


With email addresses you can use multiple to not be too affected. But phone numbers are less replaceable than email addresses...

And what's annoying is that more and more things now also require phone numbers (like, seriously, in the past an email address was enough but today the simplest thing you want to signup for uses some third party booking platform (which means yet one more party that gets to leak your data) that wants your phone number; even a railway company can't manage its own login anymore. In the mid 2000's I would have thought phone numbers would die and internet would become the new way to communicate but nope, they suddenly became more important instead)


The simplest thing requires full name, address, birthdate, age, yes age, mobile phone, fiscal number, last four digits of the credit card, expiration date of credit card, yomama’s maiden name, the middle 8 digits of your credit card, your last used password, your pet’s name, the name of the high school you attended, favorite football team, front and side pictures no smile no hats no glasses, hi resolution scan of government issued ID, and lastly the first four digits.

That’s about it.


Hey! Don’t you have all digits of my CC now?!


Long since resigned.

It's impossible to keep a secret on the internet. You can't secure military technology, bank secrets, crypto tokens or prevent piracy.

Computers were designed to be open by default.

General purpose computing manufactured across the planet with everybody having a hand in the supply chain has become the betrayal system.

Security follows the traditional Mafia protection scheme racket.

- Some Romanian hacker leaks data from your web server and sells it.

- You pay developers to close the vuln.

- You pay cybersecurity a protection fee to prevent it happening again.

- It happens again.

Developing a real technology that can give secure control back to the owner-operator goes against good business incentives. You can't farm users and share the wealth on a truly secure computing model.


Probably about 10-12 years ago I almost exclusively used +emails so I could determine with pretty high confidence who had breaches and failed to disclose OR identify companies that had sold my data without disclosure. One of the most recent examples was Robinhood Holdings. +emails only got me so far as 50% of sites don’t properly support the RFC5233 subaddressing standard and it ended up being a massive pain when a sign up page accepts the plus sign, stores an improperly escaped version of that and then you can’t login or never get the verification email.

Fast forward to 2021, apple released hide-my-email which I use practically everywhere which forwards to a burner email just in case. Every site gets a unique email, password, two-factor. I’ll never have 0 risk but this limits my exposure so much it lets me sleep at night. I only provide real information if absolutely required by law.


Same here, only I don’t use an external service and simply use my own domain for unique email addresses.


I wish hide my email was released 20 years earlier.


yea, glad i didn't hop on the +mail thing.

catch-all email domains just work, though it's a bit of a hassle to configure the sending address depending on the mua (ios mail grr)


> Does anyone else feel this way?

Since the mid 2000s.

I worked very hard trying to figure out how to protect patient data.

To do so requires translucent database techniques.

Which means encrypting all potential PII data at rest at the field level. Exactly like how passwords are stored, extended to all PII.

Which requires globally unique identifiers issued by CAs. Just like RealID.

Nothing will improve until people accept this fundamental technical truth.

Also, on the policy side, PII needs to be changed from an asset to a liability. And ban data hoarding stuff like targeted ads and relevant search.


The problem is that as long as there are attackers willing to spend resources, there is no limit to spending money on security, it is adversarial. At some point, security will cost more than what you are securing, and that's when people drop the ball and prefer to deal with the consequences.

Same ideas as with bicycles. Thieves now have sufficiently advanced tools that people stop buying the kind of locks that could possibly stop them, and instead just assume that, left unattended outside, their bike will be stolen eventually, and deal with it. For example by not having nice bikes, or by not biking unless there is a safe place for that bike.

So yeah, leaks will happen. Unless maybe you get a combination of well designed and enforced security standards, harsh penalties for cybercrime, and international collaboration.


100% with you. At this point my data has been breached so many times I don't even know what the point of caring is. I don't have privacy anymore. Like you I just have credit monitoring and watch my financial statements and hope for the best. This world sucks.


Know what? I heard it was illegal in the UK to give websites fake information. But looking at that list of websites justifies what I have been doing for the past 18 years religiously. When a website asks my age, I give it a fake one. When a shop asks for my debit card details I give it my initials J B and then I will confirm the sms security from my bank when the initials flag 30% of the time. Giving every company real data just means it gets leaked. That list of hacked domain names covers just about everyone. Wow.


100% with you. It depends on the site but yeah a lot of my information is fake. I really don't understand why so many websites think they need things like my address or phone number anyway. Good thing I live on 100 YouDontNeedThis Blvd!


The SEC had a disclosure recently which had an effect on the bitcoin market. They turned off MFA and forgot to re-enable it supposedly as well as it was a sim swap attack.

The OPM data breach was bad. So much data on there about the individuals and a few degrees of association away from them. Every security question and answer are there.

I had 4 data breaches last year and one so far this year I just posted about today that I have no idea how they got my information (0). Mail was stolen by a petty theft and identity theft ring which called to try to get more out of me a couple years ago.

Freezing your credit is the best course of action. I don’t really worry about it much anymore.

(0) https://news.ycombinator.com/item?id=39101272


They win as long as deliberately making this decision, probably so, at a level way beyond what the reasonably competent person in the field could do by accident never results in a conviction recorded and jail term against the CEO and board. The individuals need to be charged and have their day in court with consequences that go beyond “business expense”. Conviction recorded is just that.

Who will lobby for it because /you/ don’t count? Too poor to matter to law makers.


> I feel like the people who calculate that it's more cost effective to deal with the hit from a security breach vs spending money on good security have won.

and it's not like it wasn't foreseeable 20/40/60 years ago. though the question remains what would be the alternative?

what really bugs me is the fact that it essentially puts all the 'nothing to hide, have my data' folks in the right because, yea, why bother.


Yes. Corporations really do just lose your info and move on as quietly as possible. You can try to not give real info to anyone that isn't the government.


The easiest thing is to just stop registering for useless garbage.


Recently both my mortgage company, who bought my mortgage from another company without any say from me in the matter, had a giant leak. You heard about it. I'm hardly alone.

Then Comcast/Xfinity, same thing. I have 2 options for internet, now, it seems. Comcast or now starlink.

Point is, you can plunk your information into relative bare-minimum of sketchiness -- and you'll still be screwed over.


Same for me. Big fail for regulation and government oversight.


I don't. I grew up where break-ins were not an uncommon occurrence, so anything that shares my name, finances and address feels like gross negligence.


That’s honestly not very surprising when any company that does this has to suffer the consequences of… crickets?

No consequences at all. It’s no surprise that patching the holes costs them more.

It’s also that all these massive companies are absolutely allergic to any change. Unless legal gets wind of it everything can stay exposed if it means the status quo is maintained.


I'd say it's an inevitable state of affairs. With networked general computers the amount of leaked information tends to 100% of available information over time. Unless you can design, build and run absolutely safe systems.

Cybersecurity is a sham, a bolt on industry extracting rent out of the mobile internet junkies we've become.

We want to have an endless stream of entertainment and trivia so bad we've actually built homes with locks that connect to the internet. You'd think a networked lock defeats its purpose.


That's why you register with garbage personal details.


It's exhausting. It's a sense of continual doom.


I just went through a call with my credit card company. 4 transfers later the only verification I've been asked is the last 4 of my social, my name, and when I was at the "highest level" of security they took the amazing step to... call me back. All because my credit card, which is travel focused, got flagged because I bought a <$300 plane ticket... They claimed I got an email and text message, which I got neither (I'm sure the email got filtered and same with the text message. Thanks Google. I'm glad you filtered those but not the emails addressed to someone else, "from" a hashed domain, and where the header is passed through 5 relay services -- including several .edus. -____-)

You are not alone. It is an __absolute joke__ that my github account is more secure than any banking service I use. How is it that the only 2FA they offer is text message? A method that's been known to be terrible for over a decade now. Where are my OTPs? They give me apps on my phone, why not push verification there? (Vanguard recently started doing this) Why can't I set up hardware keys or public private keypairs? Sure, I get that you still got to service grandma and grandpa, but at least give me something. In today's day and age the two most important services I have are email and banking. The former is impossible to resolve when shit hits the fan and the latter doesn't even implement basic security.

Something is very wrong, and I'm not sure it is even about money (unless short term vs long term). Dinky little websites implement better security than most banking services. Clearly the banks could reduce their spending on fraud detection and resolution if they added some basic security.

I will note that I had a Capital One account that used the card as a 2FA into the phone app. Was neat, other than Capital One was a whole shitshow on its own.

I'm also very surprised at how much spam gets through services like Gmail and Twitter which could be easily detected by Naive Bayes filters. Something is very wrong.


USAA actually does push passcodes using their app.

The banks' understanding of security is so poor that they push people to use voice or fingerprint authentication. My wife constantly fights Wells Fargo about it every time she calls them because they want to helpfully sign her up for their voiceprint service so she doesn't have to use her PIN anymore. She used to work in a retail cellphone store so has heard tons of horror stories of people signing up for the same and then getting their voice deepfaked by a telemarketer to access their accounts.


they understand the security very well - what they ask you or your wife to do, is another matter


LOL what a joke. Isn't there even a news story floating around about someone deep faking Biden's voice? I expect banking security to be better than what's in the public lexicon, not worse.


I can log into chase.com with my password in any case. Banking security is an absolute joke.

The interesting part is that if I have to do a 2FA SMS challenge, I am required to re-enter my password. At this point the password checking becomes case sensitive.


"In any case" meaning you can change capitalization and it still works?

This doesn't work on my chase.com account.


I migrated away from gmail primarily because they regularly filed important emails as spam


That term is a bit clickbaity. Mother of all dumps would be more appropriate. This is all from old breaches.


The funny thing to me about this title is who brought that term to English in the first place. It came into the vernacular back in 1991 when Saddam Hussein claimed the Kuwait War would become "the mother of all wars". It didn't. It lasted about 24 hours, but the phrase has lasted much longer. It's so weird how language evolves, who has the power to do it, and who doesn't.

So for me, the title means that this breach is only of importance to the people who want it to be. Everyone else will simply ignore it after 24 hours, just like the first Kuwait War.


Google Ngram viewer does indicate a sharp rise in use of the phrase starting in 1990:

https://books.google.com/ngrams/graph?content=the+mother+of+...


"The mother of all X" (battles/wars/bombs/etc.)

a hyperbole that has been used to refer to something as "great" or "the greatest of its kind", became a popular snowclone template in the 1990s. The phrase entered American popular culture in September 1990 at the outset of the Gulf War, when Saddam Hussein's Revolutionary Command Council warned the U.S.-led Coalition against military action in Kuwait with the statement: "Let everyone understand that this battle is going to become the mother of all battles."

https://en.wikipedia.org/wiki/Snowclone#The_mother_of_all_X


"This aggression will not stand", as The Dude says


I originally wanted to "correct" you because of the 1968 Mother of All Demos, but TIL it wasn't even given that name until 1994.

https://en.wikipedia.org/wiki/The_Mother_of_All_Demos#Origin...


It's more than just a bit clickbaity. There are probably dozens of us on HN who've compiled our own combo DB. This is what dehashed, snusbase, and hibp all are.


Ok, I've taken a crack at making the title more accurate above. Thanks!


All I see here is someone made a bigger list from multiple other lists from prior breaches. This isn't "the mother of all breaches", this is clickbait. Unless there is some new confirmed breach somewhere that in fact contains 26 billion records exfiltrated, the only thing this is the mother of is a nothing burger.


I checked for some of my old emails in the list. As far as I can tell, "26B" is due to duplicates and fake data. There were dozens of entries for sites that were never registered for with passwords that were never used. I'd be surprised if it was less than 80% junk.


My first thought was "Is this Troy Hunt's hard drive?" but I'm assuming that more bad actors collect security breach data than security researchers. With cyber crime & scams on the rise and earning billions, the value of all that mineable data for bad actors must be high.


Until we stop implicitly trusting third parties with unencrypted data this sort of thing will continue to feel like not even news.


I'm unclear how encrypting the data would help. The same breach that gives access to the data can also decrypt it.

(Also you wrote the same message twice.)


I think you misunderstand their suggestion. If you only gave service providers access to encrypted data (i.e. End-to-end encryption), then neither the service provider nor the leaker would be able to decrypt.

Whether or not that is a generally viable or desirable suggestion is a different question, but it is possible as demonstrated by Signal, Apple, etc.
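An added example (written for this thread, not code from the commenter or from Signal/Apple) of the model being described: the client encrypts a record under a key only it holds, the provider stores and returns ciphertext, and a copy of the provider's database does not decrypt without that key. It uses Go's standard AES-256-GCM; the key derivation via plain SHA-256, the `Provider` type and the "lab-results" record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// StoredRecord is all the provider ever holds: an opaque label, the GCM nonce,
// and ciphertext. Nothing here is readable without the client's key.
type StoredRecord struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte
}

// Provider models the third party (hypothetical, constructed for this example).
type Provider struct{ store map[string]StoredRecord }

func NewProvider() *Provider { return &Provider{store: map[string]StoredRecord{}} }

func (p *Provider) Put(rec StoredRecord) { p.store[rec.Label] = rec }

func (p *Provider) Get(label string) (StoredRecord, bool) {
	r, ok := p.store[label]
	return r, ok
}

// DeriveKey turns a client-held secret into a 256-bit AES key. A real client
// would use a salted, slow KDF; SHA-256 is an assumption to keep the example short.
func DeriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the client under a fresh random nonce. The label is bound as
// associated data, so a record cannot be re-filed under another label unnoticed.
func Seal(key []byte, label string, plaintext []byte) (StoredRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(label))
	return StoredRecord{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the client. It fails on a wrong key, altered ciphertext,
// or a label that does not match the one the record was sealed under.
func Open(key []byte, rec StoredRecord) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Label))
}

func main() {
	key := DeriveKey("passphrase that never leaves the client") // constructed
	rec, err := Seal(key, "lab-results", []byte("glucose: 5.4 mmol/L"))
	if err != nil {
		panic(err)
	}
	p := NewProvider()
	p.Put(rec)

	leaked, _ := p.Get("lab-results") // what a breach of the provider yields
	fmt.Printf("provider holds %d ciphertext bytes, plaintext never sent\n", len(leaked.Ciphertext))

	if _, err := Open(DeriveKey("guess"), leaked); err != nil {
		fmt.Println("wrong key:", err)
	}
	pt, err := Open(key, leaked)
	fmt.Printf("client decrypts: %q (err=%v)\n", pt, err)
}
```

The point the comment makes holds only as far as the key stays on the client; the follow-up objections about device recovery and provider-pushed clients are about exactly that boundary.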


There's only a limited number of things that can be done that way. Basically point-to-point messaging.

Most things aren't going to work with that model. Can Amazon ship you products without knowing what you ordered? Can you send and receive email on multiple devices without the provider having your email? Can you join public chat groups? Can you view your lab results without the lab having them?

And don't say "the lab can encrypt and send them to you". Your encryption key must be known to the lab, so they can provision a new device for you, in case you lose your phone.

Even the vaunted "WhatsApp and Signal" could actually read all your messages if they wanted to - they have your encryption key after all, all they need to do is deploy a version of their application that copies your messages to them.

So no, it's not actually possible.


> Can Amazon ship you products without knowing what you ordered

Well the whole point of not implicitly trusting third parties would be to remove Amazon from the equation altogether and instead be P2P with the shipper with just a protocol between us. If we need a third party, we can find another peer for that based on the intersection of our trust graphs. It doesn't have to be a global conglomerate with an IT department that we all have to trust implicitly. It could be Jimbob from down the road, who we both trust explicitly--this gets rid of high-value targets altogether.

Particl marketplace is pretty much this (no affiliation, I just like the idea).

Sure, I suppose there's still the possibility that the individual shipper was compromised, but like... Why? It's not exactly a juicy target. There would be no reason to really have a large database of addresses lying around. Print label, ship item, once receipt is acknowledged, delete address.


You replied to basically nothing I said, other than to say: It's better if everything is split up into smaller companies that are not interesting targets.

Nothing you said addressed the uselessness of encryption for this task.

PS. I hope you are aware that Amazon also sells things themselves, they are not just a shipper? And that even if Amazon sells for a 3rd party, you handle returns, etc, via Amazon? So even your singular example demonstrates exactly what I said: this idea would not work.


Not smaller companies. No companies. Individual people. That's a little different than "smaller".

As for returns and such, that's what the explicitly trusted third party is for: Jimbob. He can mediate disputes because both parties trust him in that domain (or they trust someone who...) Maybe that limits the scope somewhat, but global scale is overrated. Transitive trust ought to get you plenty far.

As for encryption, Jimbob need not know either address to fulfill his role. Encryption is for hiding such things from him (and from the operator of any nodes that are needed for the protocol to function).

As for not having a design ready for every one of your examples: you've got me there. My point is merely that the space of solutions to these problems which do not require implicit trust of somebody's IT department is larger than you presume, and largely unexplored.


Not really news. Most of the article says over and over that much of the data is from previous breaches, but some data may be new, without putting any numbers to it.


Clearly better security is always better but sometimes I think there needs to be a different way of approaching identity validation etc.

Like, maybe we need to assume everyone's records are leaked somewhere all the time?

I'm not sure what that means in practice but I e.g., am not sure that "identity theft" should be a scary thing if the other side of the system is working optimally.


> I'm not sure what that means in practice but I e.g., am not sure that "identity theft" should be a scary thing if the other side of the system is working optimally.

For that, the US needs to follow what virtually all EU member states have done, and provide every citizen with a government-issued ID card with NFC that can be used to authenticate against a website (e.g. a bank), and browsers would need to agree on a web standard allowing interfacing with such cards (there is Web NFC but it's by far not enough).

The problem is, this is politically untenable in the US for a bunch of reasons - the right wing complains about "big government" and fears a "nanny state" that tracks everyone and everything, and the left wing complains because ID cards cost money and would exclude people without proper documentation.

Additionally, passports don't store your residential address and people don't necessarily want the government to know said address, which means they are useless to banks as a factor proving "person X lives at address Y".


I skimmed the article but it wasn't clear to me specifically what was leaked. Do they have clear text usernames and passwords? Are the PW hashed?


Question that sounds idiotic but is quite serious: how do I make it illegal to lend money to me without confirmation via Keybase? (edit: or some similar cryptographic identity proof)

The only reason to keep my name/address/SSN secret is that companies will lend money to a person who has that info, and then try to make me liable for it regardless of whether that person was me. That's a problem, but the solution isn't for me to keep my identity secret, it's for companies to stop doing that.

I should be able to march into some government office, prove my identity to their satisfaction, and give them a private key. Then, if Wells Fargo lends money to someone who can't prove ownership of that key, that's Wells Fargo's problem. Keybase does this fairly well, and is essentially abandonware since the founders were (if I remember right) acquihired by Signal. So, can we just nationalize it or build something similar, declare it to be SSNv2, and move on with our lives?
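An added example (written for this thread, not the commenter's code and not Keybase's) of the "prove ownership of that key" step: a registry holds only public keys, and a lender approves nothing until the applicant signs a fresh challenge with the matching private key. Knowing the name/address/identity number, as anyone holding a breach dump would, is not enough, and a replayed signature is refused. The `Registry`, `Lender`, the placeholder identity string and the use of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry stands in for the government office: identity -> registered public
// key, handed over after in-person proofing. It never holds private keys.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

func (r *Registry) Register(identity string, pub ed25519.PublicKey) { r.keys[identity] = pub }

// Lender must see a signature over a fresh nonce; identity details alone prove nothing.
type Lender struct {
	reg  *Registry
	used map[string]bool // consumed nonces, so an old signature cannot be replayed
}

func NewLender(reg *Registry) *Lender { return &Lender{reg: reg, used: map[string]bool{}} }

// Challenge issues a fresh 256-bit random nonce for one application.
func (l *Lender) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Approve succeeds only if sig is a valid signature over this unused nonce
// under the public key registered for identity.
func (l *Lender) Approve(identity string, nonce, sig []byte) error {
	pub, ok := l.reg.keys[identity]
	if !ok {
		return errors.New("no key registered for this identity")
	}
	if l.used[string(nonce)] {
		return errors.New("challenge already used (replay)")
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("applicant cannot prove control of the registered key")
	}
	l.used[string(nonce)] = true
	return nil
}

// Scenario runs three applications against one registered identity and reports
// which were approved: the real key holder, an impostor with the identity
// details but a different key, and a replay of the real holder's signature.
func Scenario() (legit, impostor, replay bool, err error) {
	reg := NewRegistry()
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	const identity = "SSNv2:EXAMPLE-0001" // constructed placeholder, not a real identifier
	reg.Register(identity, pub)
	lender := NewLender(reg)

	nonce, err := lender.Challenge()
	if err != nil {
		return
	}
	sig := ed25519.Sign(priv, nonce)
	legit = lender.Approve(identity, nonce, sig) == nil

	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // impostor's own key
	if err != nil {
		return
	}
	nonce2, err := lender.Challenge()
	if err != nil {
		return
	}
	impostor = lender.Approve(identity, nonce2, ed25519.Sign(otherPriv, nonce2)) == nil

	replay = lender.Approve(identity, nonce, sig) == nil
	return
}

func main() {
	legit, impostor, replay, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("real holder approved: %v\nimpostor approved: %v\nreplay approved: %v\n", legit, impostor, replay)
}
```

The liability shift the comment asks for is a policy question; what the code shows is that the technical half is ordinary challenge-response over a registered public key, with replay protection and no secret ever stored at the registry.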


You contribute to campaigns of politicians (aka bribe) and write legislation for them to pass.


Or scour through these breaches, thinking of how to embarrass the lawmakers with info you find in them. Maybe when it affects the fancy people, they will start making laws to protect themselves, and hopefully include us in it.


I don't have enough time left on this Earth to explain the concept in a way that politicians could implement, I'm in my 40s. In my preferred alternate universe, Keybase was sold to a benevolent billionaire. Or more realistically, a normal billionaire who intended to run it at a loss until he could leverage it to effect world domination, but managed to mess it up somehow and get it nationalized. Or something. I can dream...


Support https://eff.org and similar organizations.


The lobbyists write the legislation and provide the talking points.


Minus all the complicated implementation details, this is possible.

It's called a credit freeze: https://www.usa.gov/credit-freeze


Once you’ve created free accounts at each of the CRAs, here are the direct links to freeze/unfreeze your file.

- https://usa.experian.com/mfe/regulatory/security-freeze

- https://my.equifax.com/membercenter/#/freeze

- https://service.transunion.com/dss/freezeStatus.page

Ignore anything about “locking” your credit, because this made up term is not the one that has been defined by Congress. “Freezing” your credit is the real action, and it also must be free of charge. The direct links are useful, because the CRAs definitely want to mislead you into purchasing unnecessary services.


Speaking of Keybase, is it still supported? I just launched mine after a multi-week hiatus, and I'm getting an error: "x509: certificate signed by unknown authority" Hmmm.


> Speaking of Keybase, is it still supported?

For all intents and purposes, Keybase was abandoned the moment the team was acquired by Zoom.


I'm not sure? Mine still works but I've had to manually upgrade it a few times. For a scheme like this we'd probably need to reimplement it (just the public keyring and challenge proofs on social media platforms, not the crypto cruft). Helpfully I think the client is FOSS.


Clicking on the posted link seems to send the malwarebytes website server into a reload loop.


How is this the mother of all breaches when it is the child of several smaller breaches?


It's more like the whole family


Is there any technology solution that authenticates via biological signature... so even if my SSN is public (which is true and unsettling) then I don't need SSN to be private


What is the real impact on companies that suffer breaches like the ones in that list?

Does it really hurt them? Does even the reputation produce any hit on them?


So 3 records for each person on earth. Nice.


Title says billions, not trillions.


are you counting ants as people?


Super pedantic response, yet current estimate is 20 quadrillion ants on Earth.

https://www.science.org/content/article/how-many-ants-live-e...

https://en.wikipedia.org/wiki/Orders_of_magnitude_(numbers)

    Humans: 8,000,000,000
    Trees:  3,000,000,000,000
    Ants:  20,000,000,000,000,000


I'm not saying aliens....


at the rate we are going, soon ants will be counting people.


There are 8 billion people on earth, more or less.


8 billion people, 26 billion records.

More than 3 per person.


Casual reminder that in some languages the American English trillion (10^12) is called a billion. It's confusing but might explain the mistake. https://en.wikipedia.org/wiki/Billion


Until we stop implicitly trusting third parties with unencrypted data this will continue to feel like not even news.


It’s like a point in time snapshot so that hackers have a common starting point again


Any magnet?


If you've followed other large / individual leaks, all this data is already there. If you just want a download for convenience, go to the black forums. Or check haveibeenpwned if you're curious for your own company / identity.


Meh... keep your passwords in an offline password manager and generated for each site. Don't store payment info anywhere, but if you do, make sure it's a generated CC number. Never link your checking or savings account to anything. Sure you'll miss out on some convenience, but you'll have your money and sanity.


> Don't store payment info anywhere, but if you do, make sure it's a generated CC number.

Cries in Canadian. As far as I am aware there is no way up here to have more than one virtual card. Please correct me if I'm wrong.


It's unethical, but technically any pressed key or input while on a website could be saved to the site's servers or any servers it ever interacts with, even if you don't save it. So, in addition to your guideline, try to limit the number of websites you input any PII into. IN ADDITION to that, you need to limit the number of people who will take your information in real life and input your information into a system, for example, at a grocery store, gym, bank, dentist, insurance form, or any other service like that.

In a way, it's miraculous if one's identity HASN'T been used in nefarious ways without their knowledge, yet.


Until your bank itself leaks the data....


Everyone is part of a leak already. It's hard to be bothered by these anymore.


Suggested link change:

https://cybernews.com/security/billions-passwords-credential...

The other is just a way for malwarebytes to get some clicks and contains very little information.
