
Password reset questions and feedback


Comments

  • Pollycat
    Pollycat Posts: 35,714 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Savvy Shopper!
    She doesn't know there's been no hack! She hasn't been given that information. She clearly said on being questioned that "no hack" was not an official or an authorised response.
    It's only "helpful" if it's definitely true.

    Personally I find it suspicious that this question and numerous others about the second password reset after five days have been roundly ignored by the actual forum team.

    I respect Chickabiddybex's attempt to reassure us all that there has apparently been no hack, but I'd prefer such assurances to come from an official source.

    You 2 may believe what you wish.
    As I will do.

    I too would prefer to be assured by official MSE sources that there has been 'no hack' but in the meantime I'll take chickabiddybex's word for it.
  • Pollycat wrote: »
    You 2 may believe what you wish.
    As I will do.

    I too would prefer to be assured by official MSE sources that there has been 'no hack' but in the meantime I'll take chickabiddybex's word for it.

    You don't have her word for it. She just means nobody has told her there's been a hack - that's what she meant when she said it wasn't official. She's not claiming any more than that; I am not saying she's lying; I am sure they haven't told her any more than they have told anyone else.

    If somebody from MSE had informed her there's been no security breach then that would be official.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 15 February 2018 at 3:06PM
    So, a bit of traditional risk analysis.

    1. A significant account compromise risk is MSE not performing encrypted forum logins. While poor practice, the risk from the infrequent activity of setting a new password is low because it's infrequent, though a 90 day change requirement has substantially increased this risk.

    While attacks on those using private wifi are possible, the risk of this for most is low, in practice private wifi for individual homes rather than organisations is good enough. The same is not true for public hotspots. This suggests that different time thresholds for those using hotspots would be appropriate, but far longer for those not using them.

    2. A 90 day threshold is reasonably comparable to my corporate VPN change requirement and far more frequent than corporate email or any of my financial accounts. It's inevitable that this will seem excessively short, particularly to those not aware of the unencrypted login risk enhancement. Unless you have data on compromised account frequency to suggest otherwise, perhaps consider five years for accounts seldom using hotspots and one year or six months for regular users, to reflect the big risk difference.

    3. I see that MSE is now blocking some mail forwarding services, including the anti-spam forwarding service spamgourmet that I've been using since 2002 (my stats there are 699 address variations, 21k emails forwarded and 240k spams blocked). Blocking the use of anti-spam services won't make friends but you have a worse problem: an outright block is unwise because it's by far the easiest and cheapest to work around:

    a. gmail.com is the world's most popular email forwarding service that allows effectively unlimited address variations to be trivially created. Are you also blocking email addresses using the gmail.com domain? I doubt it. Create an account mseandrea there and m.seandrea, ms.eandrea, mse.andrea+spam1 ... m.andrea+spam40000000 all reach the mseandrea account. I think Apple has a similar capability so prompting spammers to switch to those seems to be the likely result.
    b. if you don't block you can use the address as input for other measures. Forwarding email: have the spam button or new-post thresholds for new accounts set lower. By getting the spammer to do more work you've increased their cost.
    c. where humans are posting the spam, delayed deletion can increase the cost to the spammer by encouraging them to think they are undetected but really deleting their posts five minutes after they are made.

    If you do want to block gmail and other mail forwarding services, please do it on a risk-informed basis. I doubt that you have any issues with those who use them and have sufficiently old accounts with a sufficiently large number of posts, so no point in inconveniencing the users of such accounts by blocking.

    Of course the outright block can reduce the success rate of multi-site attacks that don't respond to failures, but you're still helping to train them to be more clever and switch to gmail, which doesn't really seem like a good move.
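    The measure in point 3b above (treat a forwarded or aliased address as input to lower thresholds rather than blocking it outright) needs one building block: a way to recognise that many spellings of a gmail.com address reach the same mailbox. The following is an added example, not code from MSE or from jamesd; it assumes the publicly documented Gmail rules (dots in the local part are ignored, anything after "+" is ignored, googlemail.com delivers to the same mailbox) and applies a new-account signup threshold per canonical mailbox over a constructed sample of signups. The domain list and the threshold value are assumptions to be tuned per site.

```python
"""Canonicalise e-mail addresses so that new-account thresholds apply per
underlying mailbox rather than per spelling.

Added example; not MSE forum code. The provider rules below are assumptions
that must be maintained per domain.
"""
from collections import Counter
from typing import Dict, Iterable

# Assumption: these domains ignore dots in the local part and drop "+tag".
# Other providers (e.g. Outlook, Fastmail) have their own rules; add them
# deliberately rather than guessing.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return a key that is identical for every spelling of one mailbox.

    Lower-casing the local part technically exceeds RFC 5321, but for an
    abuse-threshold key it is the conservative choice.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]  # "mse.andrea+spam1" -> "mse.andrea"
        local = local.replace(".", "")  # "mse.andrea" -> "mseandrea"
        domain = "gmail.com"            # googlemail.com is the same mailbox
    return f"{local}@{domain}"


def flag_bulk_signups(addresses: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Count signups per canonical mailbox and return those at/over threshold.

    Callers would then apply stricter new-post or spam-report limits to the
    flagged mailboxes instead of rejecting the address at registration.
    """
    counts = Counter(canonical_mailbox(a) for a in addresses)
    return {mbox: n for mbox, n in counts.items() if n >= threshold}


# Constructed sample: three spellings of one Gmail mailbox plus unrelated users.
SAMPLE_SIGNUPS = [
    "mse.andrea+spam1@gmail.com",
    "M.S.E.Andrea@googlemail.com",
    "mseandrea@gmail.com",
    "alice@example.org",
    "Alice@example.org",
    "bob+x@example.org",  # "+" is left alone for domains with unknown rules
]

if __name__ == "__main__":
    for addr in SAMPLE_SIGNUPS:
        print(f"{addr:32} -> {canonical_mailbox(addr)}")
    print("flagged:", flag_bulk_signups(SAMPLE_SIGNUPS))
```

Only the one Gmail mailbox is flagged on the sample; the two spellings of alice@example.org merge by case alone and stay under the threshold, and bob+x@example.org is not rewritten because example.org is not in the assumed rule set.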
  • Pollycat
    Pollycat Posts: 35,714 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Savvy Shopper!
    You don't have her word for it. She just means nobody has told her there's been a hack - that's what she meant when she said it wasn't official. She's not claiming any more than that; I am not saying she's lying; I am sure they haven't told her any more than they have told anyone else.

    If somebody from MSE had informed her there's been no security breach then that would be official.
    You are clearly reading the same words as me but interpreting them differently.

    How do you know what she means or what she meant?
    She's rushed off her feet dealing with spam is all I meant. No hack. If you want to hear it from her, you'll just have to wait because it's nearly midnight is all I'm saying!
    No you have to wait for Andrea for it to be official but I imagine she's asleep.

    I get why people are so upset. It's because they care. Just know that we care too, as do the staff. The spammer is the enemy not us. :beer:
    The way I read chickabiddybex's posts is that there is 'no hack'.
    If you want it said from an official source, you'll have to wait for someone from MSE to state it.

    You can - if you wish - put a different interpretation on those words.
  • It's futile arguing about this.
  • Pollycat wrote: »
    You are clearly reading the same words as me but interpreting them differently.

    How do you know what she means or what she meant?
    The way I read chickabiddybex's posts is that there is 'no hack'.
    If you want it said from an official source, you'll have to wait for someone from MSE to state it.

    You can - if you wish - put a different interpretation on those words.

    There is only one sensible interpretation that can be put on it. If she wants to come back and say they definitively told her no security breach, fine. If they want to come back and say no security breach, fine. And if you want to assume that a vague statement from someone who makes no direct claim to have been told anything, and who almost certainly wouldn't be told anything before anyone else - she is no part of the company and this is commercially sensitive - is enough for you, then you are at liberty to do that. Just don't make statements that might make others who didn't read the original posts think something has been said when it hasn't.

    I don't think you realise how serious this could be. There is no way MSE would be discussing it with "board guides" if it had happened.
  • There is no way MSE would be discussing it with "board guides" if it had happened.
    I agree.

    Commercially sensitive information would not be discussed even in private with people who are not actually employees. The volunteer would be under strict instructions not to divulge any such information in public even if they were privy.

    As I said, though, a futile argument - especially if MSE chooses never to make an official announcement on the subject, as seems to be likely judging by their continued silence.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    There is only one sensible interpretation that can be put on it.
    Correct. You can read it here: "We wanted to clamp down on the amount of spam that gets posted to the forum, and one of the many measures taken was to ask everyone to reset their password".
    I don't think you realise how serious this could be. There is no way MSE would be discussing it with "board guides" if it had happened.
    We've already seen in the past how MSE handles such things, with prominent announcements so people can act: https://www.moneysavingexpert.com/news/banking/2009/11/all-web-users-urged-to-run-anti-virus-check Not only board guides but everyone who can read a news story that they heavily linked to at the time.

    You shouldn't be expecting a "no hack" announcement. That's because MSE is so big that it's effectively certain that there are always some hacked accounts around, just due to password guessing. They have capable technical people who will be well aware of this.

    They have told us why they did it and their past excellent disclosure record means there's no reason to worry about more.
  • They have been asked on numerous occasions if there has been a security breach. They refuse to confirm that there has not. You may find that reassuring. I wonder if you extend this degree of trust to every company you deal with.
  • They refuse to confirm that there has not.
    To be fair, they are avoiding answering the question rather than refusing anything.
This discussion has been closed.