This seems like a good article to read to get a rough understanding of how things generally go in big tech companies. "Large bureaucracy of well-intentioned people who get in each others' way and screw up a lot" is often a better model than "mustache-twirling villains" or "people trying to increase profits at all costs."
(Yes, though I never talked to anyone about it, I assume some teams are trying to increase profits. There are company goals to make numbers go up. But it's not usually treated as an emergency, like, say, an important service going down or a security breach would. The big tech companies are very financially secure compared to startups, or even most other companies.)
This seems like an area where bigger isn't better. The more users, the more problems. A smaller organization (though ideally still financially secure) that isn't dealing with billions of people in many countries worldwide might be able to be in better touch with their users, understand users' cultures better, and therefore handle things better.
I'd say this is broadly true across most things, just that when the latter does occur (bury the evidence, ignore the engineer, fire the unionizer), it's much more impactful in the collective conscious.
Here's an example - the system that prevents unauthorised logins stops allowing any logins into an account after a certain number of failed attempts. This affects celebrities more than regular folks. That's why Mark Zuckerberg cannot log into his account on a new device - it looks like just another account compromise attempt. As far as I know, there's no plan to create a system that allows him (and other celebs) to log in easily. Time is better spent on preventing account compromise for regular folks.
Is this for real? "Lockout account logins after X failed attempts" is a good mechanism for internal, protected services...but for a public-facing system? Cmon now...
I understand that to say that it locks out new logins from any device that they don't already use.
Presumably, when Zuckerberg or some celebrity under constant attack gets a new device, they have a number to call to register it manually, and this is seldom enough that it's worthwhile to make it otherwise impossible to take over the account? (Which is under constant attack.)
I imagine it's annoying for people who don't have a number to call, though. These are people who really should be using multi-factor authentication.
Better solution for everyone would be delayed device-side logins (inject added 10s delay with each failed login attempt).
Conversely after 3 failed attempts honeypot the attempt into a fake profile pointed to a sandbox and capture info about attacker.
Facebook is large enough that taking an offensive stance on attacks would probably yield substantial results.
Yes, rate limiting login attempts for one account can help. I would be surprised if they didn't do it. But it seems like it causes the same problem. If the attempt rate is high enough then most attempts from unknown devices will be blocked, which means that the legitimate owner will also find it hard to log in from a new device. There isn't much difference between "deny most attempts" and "deny all attempts."
I'm specifically saying "delay device from logging in" not "delay account from logging in".
If user gets new device, their account won't be blocked from logging in, as that particular device had not been making login attempts. But the devices failing account logins get delayed in short order, making brute forcing nearly impossible.
Rate-limiting specific devices often doesn’t work due to distributed attacks. Every login attempt appears to be the first attempt coming from a different, apparently legitimate device. (This can be done with botnets.)
Nonsense. One of the largest known botnets is 30 million computers. Even if it was 10x larger, injecting a 10s delay for each device means that the botnet becomes crippled inside a couple of minutes, and the time to brute force even a small 8 character password approaches infinity.
An 8 character password, with just lowercase and numbers, being attacked by a 300-million strong botnet, would require about 5,000 attempts per node on average.
A simple time delay (10 seconds between attempts) means 13 hours of attack. An exponential time delay (1,10,100,1000 seconds) means hundreds of years.
In all honesty I'd be surprised if Facebook didn't have device-based limiting as well. Just account-lockout is a very amateurish way to handle things for a public-facing site.
There are a lot of giant lists of leaked passwords these days, so arguments based on naive brute-force attacks don't work as well as they used to. Most users who actually pick passwords themselves (rather than relying on a password manager) don't pick passwords entirely randomly, and because of the lists, attackers have a better idea of the probability distribution than they used to have. So I'd guess that one million tries might sometimes be enough to get into some accounts, if the password is kind of weak and the guesses are chosen intelligently.
(Also, varying both the device and the account being attacked makes it easier for an attacker to break into some account, if they're not picky about which account they get.)
More generally, you're making an argument that Facebook is naive and somehow ignored a simple fix. But they have lots of security experts, so I doubt they're quite that naive? We have only a few hints about what they do, based on a blog post that might not be entirely accurate. So it's more likely that we've misunderstood what they're doing, or that the simple fix isn't as feasible as it looks, for some reason.
(Though, since we don't know what they do, that doesn't entirely rule out them making a simple mistake.)
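As an added illustration for the thread above (example code written for this discussion, not anything from the article or from Facebook), here is a small simulation of the two designs being argued over: per-device exponential backoff versus per-account lockout, together with the brute-force arithmetic from the 300-million-node botnet hypothetical. It shows the three claims side by side: a fixed 10 s per-device delay stretches the 8-character lowercase+digit search to about 13 hours, a botnet of fresh device identifiers still gets every guess evaluated against the password check, and an account-level lockout refuses the real owner arriving from a new device with the correct password. The device identifiers, the 5-failure lockout threshold, the 1 s / 2 s / 4 s backoff schedule and the one-hour cap are all assumptions chosen for the example.

```python
"""Simulation of the login-throttling trade-offs discussed in the thread.
Hypothetical design written for this example; not Facebook's implementation."""
import math
from collections import defaultdict

ALPHABET = 36              # lowercase letters + digits, as in the thread's example
PASSWORD_LEN = 8
BOTNET_SIZE = 300_000_000  # the thread's hypothetical 300-million-node botnet
FIXED_DELAY_S = 10.0


def expected_attempts_per_node(alphabet=ALPHABET, length=PASSWORD_LEN, nodes=BOTNET_SIZE):
    """Average guesses per bot to hit a uniformly random password: the attacker
    expects to search half the keyspace, split evenly across all nodes."""
    return math.ceil(alphabet ** length / 2 / nodes)


def brute_force_hours_fixed_delay(delay_s=FIXED_DELAY_S):
    """Wall-clock hours if every device must wait delay_s between guesses and
    all nodes guess in parallel."""
    return expected_attempts_per_node() * delay_s / 3600


class FakeClock:
    """Deterministic clock so the simulation needs no real sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t


class DeviceThrottle:
    """Per-device exponential backoff (1 s, 2 s, 4 s, ... up to cap_s) after each
    failure. Keyed on an assumed device identifier, not the account, so a device
    that has never failed is never delayed."""
    def __init__(self, clock, base_s=1.0, cap_s=3600.0):
        self.clock, self.base_s, self.cap_s = clock, base_s, cap_s
        self.failures = defaultdict(int)
        self.blocked_until = defaultdict(float)

    def attempt(self, device_id, password_ok):
        if self.clock.now() < self.blocked_until[device_id]:
            return "throttled"          # rejected before the password is even checked
        if password_ok:
            self.failures[device_id] = 0
            return "ok"
        n = self.failures[device_id] = self.failures[device_id] + 1
        self.blocked_until[device_id] = self.clock.now() + min(self.base_s * 2 ** (n - 1), self.cap_s)
        return "wrong_password"


class AccountLockout:
    """Per-account lockout: after max_failures wrong guesses from anyone, every
    login to that account is refused, including the owner's from a new device."""
    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def attempt(self, account, password_ok):
        if self.failures[account] >= self.max_failures:
            return "locked"
        if password_ok:
            return "ok"
        self.failures[account] += 1
        return "wrong_password"


def guesses_evaluated(throttle, device_ids, guesses):
    """Fire `guesses` wrong passwords round-robin over device_ids at one instant;
    return how many actually reached the password check."""
    return sum(throttle.attempt(device_ids[i % len(device_ids)], False) == "wrong_password"
               for i in range(guesses))


def single_device_vs_botnet(guesses=1000):
    """One device hammering an account gets throttled after its first failure;
    a botnet presenting a fresh device id per guess gets every guess evaluated."""
    clock = FakeClock()
    one_device = guesses_evaluated(DeviceThrottle(clock), ["bot-0"], guesses)
    fresh_devices = [f"bot-{i}" for i in range(guesses)]   # constructed ids
    botnet = guesses_evaluated(DeviceThrottle(clock), fresh_devices, guesses)
    return one_device, botnet


def owner_locked_out(attacker_guesses=5):
    """Account-level lockout: the attacker's wrong guesses lock out the real
    owner who then arrives from a brand-new device with the correct password."""
    lock = AccountLockout(max_failures=5)
    for _ in range(attacker_guesses):
        lock.attempt("celebrity", False)
    return lock.attempt("celebrity", True)


if __name__ == "__main__":
    print(expected_attempts_per_node(), "guesses per node")
    print(round(brute_force_hours_fixed_delay(), 1), "hours at a fixed 10 s per-device delay")
    print(single_device_vs_botnet())
    print(owner_locked_out())
```

The simulation fires all guesses at the same instant, which is the attacker's best case; advancing the fake clock between guesses only lengthens the attack. The point it makes is the one the thread circles around: keying throttling on the device protects the owner's new device but is sidestepped by any attacker who can present new device identities, while keying it on the account is robust to distribution but turns "deny most" into "deny all" for the legitimate owner.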