Website Hack Tracker 2014

Sorry, I have no interest in keeping or maintaining this at this time.

I am so sick of every fricking place I’m a part of getting hacked. I literally have to change my damn password due to hacks every couple of weeks. How long before these sites start getting fined or sued?

If you can’t keep your site secure, get off the fricking Internet.

It’s just not that simple. There is no magic button you press or product you buy that just makes your internet site/business safe. It does not matter how much money and time they spend on securing their infrastructure, it’s always a game of follow the leader - there is always a new type or style of attack being developed by those that are looking to target them. And many of those attacks have substantial social engineering, rather than technical engineering aspects.

Yep, it’s a pain in the ass alright, but until we hear their security was lacking due to incompetence or negligence, it is hard to be insisting on fines or lawsuits. If that information does come to light, I am all for punitive measures to discourage future failures.

I’d like to see penalties for losing financial data because of poor quality security. Or, you know, doing things like using reversible SHA-1 hashing.

Any site can be hacked if actually targeted, there’s no way to avoid it. All you can do as a site owner is keep your servers patched so the broad sweeps don’t get you. As consumers, all you can do is use something like Lastpass to maintain different passwords on every single site. And yeah, you will need to change your password on some site or other every couple of weeks. Just how it goes.

Lucky for me, the password I had on Kickstarter was a unique one, but I really do have to use Lastpass or something because this is getting ridiculous.

So what prevents a site like Lastpass from being your single point of failure if you use it? I love the idea, but doesn’t this just put you at tremendous risk if Lastpass gets hacked and your stored passwords are grabbed? I know they are encrypted on your side with your private key, but how secure is that? I will admit ignorance on the latest and greatest in cryptography. Is this system truly unbreakable if they have access to the encrypted file?

The wonderful thing is how this is actually true. I mean, in a mythical sane world, you have one port open, and it talks a protocol that is absolutely iron-clad safe, the server that talks the protocol is painfully verified using formal methods, and you now can simply sneer at intrusion attacks.

But in the real world, a commercial general-purpose OS is running with a hundred ports open that have nothing to do with your application, the OS is too complicated even to test properly much less to verify, the server is communicating using a bunch of complicated protocols, and the server itself is some kind of buggy crap that is either closed-source and mysterious or open-source and far too hairy and huge for anyone to master and control. Then you have your security software and hardware which itself is buggy and suffers from all the same problems as the system that provides your actual service. And for some goddamn reason, it’s still possible to overflow an input buffer a good 40 years after this was first publicized as a problem to avoid.

I think this hacking worry is overblown. I knew people who were running credit card scams before the internet was a thing. I know people today who order home shopping network items using their cordless phone! This is after I told them how easy it is to listen in on cordless phones especially when the one you are using is twenty years old. Yet there they are saying all the credit card info into the cordless phone. Leaving aside the fact that any system a person designs can be exploited by another person, people in general have so many other security risks that putting all the focus on hacking threats sort of misses the big picture.

Nothing. In fact, they were hacked in 2011. They committed to a third-party security audit…which never happened. I for one won’t use them until one is done. Or rather, at that point I’ll probably look at the years since and go…no.

The problem is most major hacks nowadays get published online for any criminal to work with, or sold to the highest bidder. So instead of one person trying to gain your identity or steal your stuff, it’s a pool of 100 million. And if someone stole your info over the phone by sitting outside your house, listening in on that 20-year-old cordless phone, at least that individual is still in the United States, can be captured, and prosecuted. But now the criminals are more likely to reside in Romania, Russia, China, India, Vietnam, Nigeria, Somalia. We have zero recourse. For those that live there, if they’re poor and destitute but have the means, what do they have to lose? Heck, the Chinese government itself, through the PLA, works with half a million people to hack American services.

Comixology yesterday.

I’m all in favour of moving back to carrier pigeons. That time might come sooner rather than later?

You’re about 14 years late with experimenting on that one.

http://www.ietf.org/rfc/rfc1149.txt
http://www.blug.linux.no/rfc1149

Of course, the typical user case is showing how terrible rural “broadband” is…

http://pigeonrace2009.co.za/

Then sites won’t just get hacked, they’ll be eaten!

FTFY.

I spent Saturday going over all my accounts in LastPass, changing every password to be as difficult/complex as possible, eliminating shared passwords (a legacy from my pre-LastPass days), setting up 2-factor authentication with Google Authenticator on everything I could, including LastPass itself. Running the built-in security test, I went from 77th percentile to 95th percentile. There were a handful of sites that are work-related that don’t give me the option of changing the password; they’re issued to me, and they aren’t as complex as they could be. And there are a number of related sites that share login credentials, but LastPass doesn’t know they’re related, so it dings me for those.

Hey, does anyone here use Diceware to generate a really random passphrase?
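An added example (not from anyone in this thread, and not LastPass's own code) that ties the two questions above together: the earlier post asks how safe an encrypted vault is if an attacker gets the encrypted file, and this one asks about Diceware. The block derives a vault key from a master passphrase with PBKDF2 (as password managers commonly do; the iteration count and the 1e9 guesses/second attacker rate are assumptions), maps Diceware dice rolls to a word index, and estimates how long an offline guessing attack on the stolen file is expected to take as a function of passphrase entropy and KDF cost.

```python
import hashlib
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # the standard list has 7776 words (five dice)


def diceware_entropy_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of num_words words chosen uniformly from the list."""
    return num_words * math.log2(list_size)


def dice_to_index(rolls) -> int:
    """Map five dice rolls (each 1..6) to the 0-based index of a word in the list.

    The real Diceware list keys words by the five digits (e.g. '11111' ... '66666');
    this is the same ordering expressed as a base-6 number.
    """
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls in the range 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_passphrase_indices(num_words: int):
    """Pick num_words word indices with a CSPRNG, simulating fair dice (constructed, not physical dice)."""
    return [dice_to_index([secrets.randbelow(6) + 1 for _ in range(5)]) for _ in range(num_words)]


def derive_vault_key(master_passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master passphrase with PBKDF2-HMAC-SHA256.

    The vault file is only as strong as this key: whoever holds the encrypted
    file can run this same function on candidate passphrases offline.
    """
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"), salt, iterations, dklen=32)


def expected_crack_seconds(entropy_bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected time for an offline attacker who must evaluate the KDF once per guess.

    On average half the keyspace is searched, so expected guesses = 2^(bits-1);
    each guess costs `iterations` hash evaluations.
    """
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses * iterations / hashes_per_second
```

A six-word Diceware passphrase (about 77.5 bits) behind a 100,000-iteration KDF pushes the expected offline attack time for an assumed 1e9 hashes/second attacker to roughly 1e19 seconds, whereas a 20-bit password with a single iteration falls in under a second; the stored file being encrypted only helps if the master passphrase and KDF cost make the offline search impractical.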

What if LastPass gets hacked again? Is all that work for naught and you have to start all over again?

Ebay.