German telco hit with fine for lax login protections
Today's a good day.
Here's your Register security roundup of infosec news about stuff that's unfit for production but fit for print.

Yet another OpenBSD bug advisory

Another week, another OpenBSD patch. You're not having deja vu. This time, it's CVE-2019-19726, a local elevation-of-privilege flaw that could let users grant themselves root …
I do feel a bit bad for Ring here. It seems every few months a company is hurt by widespread media coverage due to credential stuffing that isn't really their fault. Spotify comes to mind as one that regularly gets reported as being "hacked" when really it's just reused leaked passwords. But because the media don't understand security, Ring gets a load of bad press, caused by end-user error, in a period I'm sure they were relying on for sales. Yes, what these idiots have done is horrible, but that doesn't mean Ring is to blame (for once).
Apparently they do offer it. It's bad publicity for Ring, not wholly deserved. It's possibly awkward to force 2FA since not every OAP with a doorbell also has a mobile phone.
But really the best way to ensure users choose secure passwords and don't re-use ones from elsewhere is to generate them for the user, rather than allow them to be chosen. That way complexity/length requirements can be enforced.
If more providers did this, it would also force people into adopting password managers.
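As an added illustration of the approach argued for in the comment above (server-generated credentials, so that length and character-set requirements hold by construction), here is example code that is not part of the original thread or of any vendor's product. The alphabet, the 16-character minimum and the 80-bit entropy floor are assumptions chosen for the example; the point is that the password comes from the OS CSPRNG via `secrets`, and that the same policy check rejects a typical user-chosen password.

```python
import math
import secrets
import string

# Assumed alphabet for the example: letters, digits and a few symbols that
# survive copy/paste and are easy to type. 73 symbols in total.
ALPHABET = string.ascii_letters + string.digits + "!#%+-.:=?@_"
MIN_LENGTH = 16          # assumed policy minimum
MIN_ENTROPY_BITS = 80.0  # assumed policy minimum


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = MIN_LENGTH) -> str:
    """Return a server-generated password.

    `secrets.choice` is backed by the operating system's CSPRNG. The
    `random` module is a deterministic PRNG and must never be used for
    credentials or tokens.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def meets_policy(password: str) -> bool:
    """Policy that a generated password satisfies by construction: minimum
    length, every character from ALPHABET, and at least MIN_ENTROPY_BITS for
    a uniformly random string of this length over this alphabet.

    Applied to a user-chosen password this is only an upper bound (users do
    not pick uniformly), which is the comment's argument for generating
    passwords instead of letting users choose them."""
    if len(password) < MIN_LENGTH:
        return False
    if any(c not in ALPHABET for c in password):
        return False
    return entropy_bits(len(password), len(ALPHABET)) >= MIN_ENTROPY_BITS


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    # A typical user-chosen password fails the same check on length alone.
    print("Password123!", meets_policy("Password123!"))
```

With a 73-symbol alphabet, 16 characters give about 99 bits of entropy, comfortably above the assumed 80-bit floor; a 12-character user-chosen string fails the length check before entropy is even considered.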
While many insist on sticking with land-lines for telephony, I know a few that have been dragged into the desktop PC realm, or perhaps accepted an iPad, not all of which have cell/SMS service. Can still get access to footage, I would assume.
There may not be many, but enough to prevent 2FA being made mandatory.
... if you can work out how to deploy tokens to techphobic retail customers that don't even have smartphones (so that's their level of tech sophistication) and not bring down a complete storm of tech support hell. A lot of old folks will just stick the token in a drawer and plead ignorance when they complain the first factor (e.g. a password) isn't enough to let them in.
Anyway, Internet access is a given in this scenario, since remote access compromise is what they're trying to protect against.
Ring support 2FA (albeit SMS only) but rely on end users to activate it. Mandating it on end users isn't a great option currently and if they forced you to provide a phone number, you would get a number of people complaining about that instead!
Yes, though I'm not sure "deserve" is the word. They're enablers. But, some company would've fallen into this role one way or another. Either way, it's time to scare the crap out of people. Maybe, lawsuits are needed here. Maybe some kind of legislation. But, there's a dysfunctional relationship between consumers and corporations that needs a serious wake up call, or this shit is going to cascade into some seriously bad... The bile still rises in the back of my throat every time I imagine how bad it could get.
Anyone else think Ring is creepy as fuck? Like, literally how can you think it's a good idea to allow a global corporation owned by an evil rich guy who's also really into the media, to put millions of spy cameras pointing everywhere always recording and feeding back into Amazon's giant data banks? What about when the latest models have multiple cameras for photogrammetric distance estimation? Real-time seamless reconstruction in a virtual environment from that data? 24/7 complete and utter godlike strategic overview of everywhere that has a Ring camera and what people are saying and how they're moving and flowing and communicating and associating? YUK. Why would you let that happen? RESIST. Later will be too late :V
YES and I BET these things have an extra wifi antenna or circuit or timeslice and are CONSTANTLY sniffing and listening and pinging and recording and feeding that back to Amazon too, you can COUNT on it
Hmm it should ping bluetooth beacons containing its best estimated position of an IR led so other Rings within its field of view can triangulate and fix their location really well too, report all that back to the mothership along with enough pics and eventually they'll have mm precision on everything so long as a Ring can see other Rings hmm
I love that NordVPN has released that bug bounty program; people will now use it out of spite and get paid. In addition, NordVPN is going to be a better company because of it. Really a great choice. Also, WHO still uses the same password for every account? If you do, don't blame companies for your mistakes.
All upgrades these days have security issues. Go back to Windows 3.11 or XP if you want a really secure and safe environment; there's virtually nothing out there that can hack these systems, because all the hacks have been upgraded too.
Note that Putin browses with an XP machine, doesn't that tell you something?