Well, this doesn't sound too bad. Primarily I have to wonder why they still had an (unencrypted) backup from 2007 sitting around. The scary part is probably for people that have accounts/data in...
Well, this doesn't sound too bad. Primarily I have to wonder why they still had an (unencrypted) backup from 2007 sitting around. The scary part is probably for people that have accounts/data in that, but have deleted the accounts in the following 11 years and assumed that data was gone. Did I have an account on reddit 11 years ago? Did I vote on some embarassing things or send some compromising private messages with it? I'm not even totally sure.
It'll make a good high-profile example to pull out for explaining why SMS-based 2FA is a bad idea though.
I wasn't even aware of issues with SMS-based 2FA, so the incident has been a little eye opening for me. Now I get to crawl through hundreds of accounts and make sure they're all token-based, on...
I wasn't even aware of issues with SMS-based 2FA, so the incident has been a little eye opening for me. Now I get to crawl through hundreds of accounts and make sure they're all token-based, on top of worrying about whatever disposable account I was using back then.
Overall though, this could have been far worse, and kudos to Reddit for letting us know the extent so we can cover our asses if need be. Not so much for waiting a month and a half to clue us in, but c'est la vie I guess.
I was equally shocked to learn that people were still using SMS-based 2FA. I though that era ended ca. 2010 in the places that ever trusted the technology at all. My banks/places of work and so on...
I wasn't even aware of issues with SMS-based 2FA, so the incident has been a little eye opening for me.
I was equally shocked to learn that people were still using SMS-based 2FA. I though that era ended ca. 2010 in the places that ever trusted the technology at all.
My banks/places of work and so on have always used physical devices for 2FA prior to apps. We've been told never to send anything remotely close to confidential per SMS because of how insecure it is...
So the fact that my old, deleted email accounts got wholly and totally leaked years after deletion, was dwarfed by the shock that tech companies still use SMS-2FA
Thanks. It looks like while SMS is certainly far from optimal, it's still significant additional security and takes a nontrivial amount of effort to intercept. Obviously, 2FA methods like Google...
Thanks. It looks like while SMS is certainly far from optimal, it's still significant additional security and takes a nontrivial amount of effort to intercept.
Obviously, 2FA methods like Google Authenticate are better, but how does a push notification compare to an SMS message. I have some accounts do 2FA with push notifications.
The security of push notifications would depend on the specific app that gives out those notifications. If the app works when you're in airplane mode, it's sure to generate the codes locally and...
The security of push notifications would depend on the specific app that gives out those notifications.
If the app works when you're in airplane mode, it's sure to generate the codes locally and not somewhere externally. That's one sign that guarantees interception is difficult.
There are ways of doing this under various circumstances. They're technically not called "push notifications" but "local notifications" They look exactly the same on your phone. For simplicity's...
There are ways of doing this under various circumstances.
They're technically not called "push notifications" but "local notifications"
They look exactly the same on your phone. For simplicity's sake I therefore used the term people generally use instead of being super precise.
Would these be the notifications Google sends to my phone when I sign in from an unknown device? It pops up saying, "Was this you? Yes or no." If my phone is offline then it says that's...
Would these be the notifications Google sends to my phone when I sign in from an unknown device? It pops up saying, "Was this you? Yes or no."
If my phone is offline then it says that's unavailable and I can use my normal authenticator app.
Here's a pretty good twitter thread about it that was just made in response to the reddit breach: https://threadreaderapp.com/thread/1024714909395824640.html
Jesus, those comments on the r/announcements thread. We just learned the website had a massive data breach and all the top comments are the lame, usual, repetitive jokes. This is why Tildes is...
Jesus, those comments on the r/announcements thread. We just learned the website had a massive data breach and all the top comments are the lame, usual, repetitive jokes. This is why Tildes is necessary.
Yeah, it's awful. All announcements threads are like that now, just people rushing to post memes because they know they'll get a lot of karma since the thread will get a ton of views. It certainly...
Yeah, it's awful. All announcements threads are like that now, just people rushing to post memes because they know they'll get a lot of karma since the thread will get a ton of views. It certainly doesn't help that the admins encourage it by replying to a lot of them and even throwing out a ton of gildings on them.
Well they would rather the most-seen comments consist of jokes and memes instead of actual negative criticism. Plus it's great PR to be guilding them and joking right along side of them.
Well they would rather the most-seen comments consist of jokes and memes instead of actual negative criticism. Plus it's great PR to be guilding them and joking right along side of them.
To be fair, they're not totally ignoring the more critical comments – they confirmed that the passwords were hashed with SHA-1 until 2011. Would have been nice if that had been in the original...
To be fair, they're not totally ignoring the more critical comments – they confirmed that the passwords were hashed with SHA-1 until 2011. Would have been nice if that had been in the original post, though...
So were the passwords safe? My account there is 12 years old. I think I used a password I commonly use elsewhere, but have pretty much phased out, but I'm trying to come up with all the places I...
So were the passwords safe? My account there is 12 years old. I think I used a password I commonly use elsewhere, but have pretty much phased out, but I'm trying to come up with all the places I could have possibly use it. Should I be worried? I seriously know very little about encryption.
No, they're not safe. SHA-1 is very easily cracked. Someone I've talked to in the past that has a password-cracking setup is able to try 50 billion SHA-1 hashes per second. The passwords should...
No, they're not safe. SHA-1 is very easily cracked. Someone I've talked to in the past that has a password-cracking setup is able to try 50 billion SHA-1 hashes per second. The passwords should definitely be considered to be compromised.
Between the complete lack of moderation tool upgrades (with the exception of the band-aid on the bullet wound that is Automod), the new mod-mail which promised the moon, but ended up mostly just a...
For all of my criticism of reddit; technically I've always thought of the company as pretty sound.
Between the complete lack of moderation tool upgrades (with the exception of the band-aid on the bullet wound that is Automod), the new mod-mail which promised the moon, but ended up mostly just a reskinned version of the old mod-mail (still waiting on that search functionality), the near weekly outages a few years back (though to their credit that seems to have been mostly resolved)... I can't say I share this impression
Not Deimos, so I cant comment on the servers themselves, but Tildes is now open source, allowing us to dig into the codebase. Just taking a quick look at the source code shows they prevent you...
Not Deimos, so I cant comment on the servers themselves, but Tildes is now open source, allowing us to dig into the codebase.
I havnt dived into the actual services, but it looks like Tildes is using Redis, Postgres and Rabbitmq. I would hope that the connections to these services are secured.
Argon2, with 16 byte salt, parameters are currently a "time cost" of 4 iterations and "memory cost" of 8092 kibibytes. This is the relevant file in the Tildes code, used both for storing password...
Argon2, with 16 byte salt, parameters are currently a "time cost" of 4 iterations and "memory cost" of 8092 kibibytes.
Currently, backups are kept encrypted on the production server itself as well as a copy off-site. As mentioned in the privacy policy, they're not kept for more than 30 days. The server has a...
Currently, backups are kept encrypted on the production server itself as well as a copy off-site. As mentioned in the privacy policy, they're not kept for more than 30 days.
The server has a pretty restricted firewall, and I connect to it over SSH on a non-standard port, with password authentication disabled (only SSH keys).
That sounds good to me! I suppose part of the issue with reddit is that they need to provide means for authentication to many different users. If tildes is still at the...
That sounds good to me! I suppose part of the issue with reddit is that they need to provide means for authentication to many different users. If tildes is still at the single-administrator-and-one-public-key stage, I don't see what could go wrong short of you distributing your private key.
Well, this doesn't sound too bad. Primarily I have to wonder why they still had an (unencrypted) backup from 2007 sitting around. The scary part is probably for people that have accounts/data in that, but have deleted the accounts in the following 11 years and assumed that data was gone. Did I have an account on reddit 11 years ago? Did I vote on some embarassing things or send some compromising private messages with it? I'm not even totally sure.
It'll make a good high-profile example to pull out for explaining why SMS-based 2FA is a bad idea though.
I wasn't even aware of issues with SMS-based 2FA, so the incident has been a little eye opening for me. Now I get to crawl through hundreds of accounts and make sure they're all token-based, on top of worrying about whatever disposable account I was using back then.
Overall though, this could have been far worse, and kudos to Reddit for letting us know the extent so we can cover our asses if need be. Not so much for waiting a month and a half to clue us in, but c'est la vie I guess.
Oh yeah, TOTP 2FA with the authenticator apps and the barcodes is pretty much the only really good easy way to do 2FA
yup! was just about to add physical U2F keys are great as well. though service support definitely has room to improve
I was equally shocked to learn that people were still using SMS-based 2FA. I though that era ended ca. 2010 in the places that ever trusted the technology at all.
My banks/places of work and so on have always used physical devices for 2FA prior to apps. We've been told never to send anything remotely close to confidential per SMS because of how insecure it is...
So the fact that my old, deleted email accounts got wholly and totally leaked years after deletion, was dwarfed by the shock that tech companies still use SMS-2FA
Why is this? Do you have a link handy I can read more about this?
Thanks. It looks like while SMS is certainly far from optimal, it's still significant additional security and takes a nontrivial amount of effort to intercept.
Obviously, 2FA methods like Google Authenticate are better, but how does a push notification compare to an SMS message. I have some accounts do 2FA with push notifications.
The security of push notifications would depend on the specific app that gives out those notifications.
If the app works when you're in airplane mode, it's sure to generate the codes locally and not somewhere externally. That's one sign that guarantees interception is difficult.
I can't imagine how a push notification would work in airplane mode. It would have to know to send a push even if any codes are generated locally.
There are ways of doing this under various circumstances.
They're technically not called "push notifications" but "local notifications"
They look exactly the same on your phone. For simplicity's sake I therefore used the term people generally use instead of being super precise.
Would these be the notifications Google sends to my phone when I sign in from an unknown device? It pops up saying, "Was this you? Yes or no."
If my phone is offline then it says that's unavailable and I can use my normal authenticator app.
Here's a pretty good twitter thread about it that was just made in response to the reddit breach: https://threadreaderapp.com/thread/1024714909395824640.html
Jesus, those comments on the r/announcements thread. We just learned the website had a massive data breach and all the top comments are the lame, usual, repetitive jokes. This is why Tildes is necessary.
Yeah, it's awful. All announcements threads are like that now, just people rushing to post memes because they know they'll get a lot of karma since the thread will get a ton of views. It certainly doesn't help that the admins encourage it by replying to a lot of them and even throwing out a ton of gildings on them.
Well they would rather the most-seen comments consist of jokes and memes instead of actual negative criticism. Plus it's great PR to be guilding them and joking right along side of them.
To be fair, they're not totally ignoring the more critical comments – they confirmed that the passwords were hashed with SHA-1 until 2011. Would have been nice if that had been in the original post, though...
Back in 2006 (maybe even 2007?), they were plaintext.
So were the passwords safe? My account there is 12 years old. I think I used a password I commonly use elsewhere, but have pretty much phased out, but I'm trying to come up with all the places I could have possibly use it. Should I be worried? I seriously know very little about encryption.
No, they're not safe. SHA-1 is very easily cracked. Someone I've talked to in the past that has a password-cracking setup is able to try 50 billion SHA-1 hashes per second. The passwords should definitely be considered to be compromised.
Between the complete lack of moderation tool upgrades (with the exception of the band-aid on the bullet wound that is Automod), the new mod-mail which promised the moon, but ended up mostly just a reskinned version of the old mod-mail (still waiting on that search functionality), the near weekly outages a few years back (though to their credit that seems to have been mostly resolved)... I can't say I share this impression
Is this a good time to ask what Tilde's OpSec looks like? How much effort has been put in to secure the servers?
It should be decent, but it's not really my specialty. Is there anything specific you're wondering about?
What hash function is used for hashing the passwords? Are they salted?
Not Deimos, so I cant comment on the servers themselves, but Tildes is now open source, allowing us to dig into the codebase.
Just taking a quick look at the source code shows they prevent you from using passwords already exposed in existing breaches, passwords must be 8 characters at a minimum, passwords dont contain the username, and that they are using argon2 for password hashing. So at least proper care has been taken to secure users' passwords.
There is also a merge request open for implementing two factor auth.
I havnt dived into the actual services, but it looks like Tildes is using Redis, Postgres and Rabbitmq. I would hope that the connections to these services are secured.
Argon2, with 16 byte salt, parameters are currently a "time cost" of 4 iterations and "memory cost" of 8092 kibibytes.
This is the relevant file in the Tildes code, used both for storing password hashes and email address hashes: https://gitlab.com/tildes/tildes/blob/master/tildes/tildes/lib/hash.py
Edit: oh, @laxative-agent already did a better job of answering.
Well I suppose in light of this topic I'm curious how backups are stored and what it takes to connect to servers with sensitive information.
Currently, backups are kept encrypted on the production server itself as well as a copy off-site. As mentioned in the privacy policy, they're not kept for more than 30 days.
The server has a pretty restricted firewall, and I connect to it over SSH on a non-standard port, with password authentication disabled (only SSH keys).
That sounds good to me! I suppose part of the issue with reddit is that they need to provide means for authentication to many different users. If tildes is still at the single-administrator-and-one-public-key stage, I don't see what could go wrong short of you distributing your private key.
At least almost all redditors from 2007 would have been tech savvy enough to not use the same username and password everywhere.
You...would think that. As one of those people, yeah, not so much.
I wonder if reddit associates the analytics data it collects directly with users. If so, and that data is breached...
Luckily this will never happen to tildes!
Because tildes wasn't around in 2007.