RE: [outages] facebook slow

2018-12-02 Thread Matthew Black
My concern against using FB for authentication is this: Does using FB login 
give the site read access to my profile, friends, etc? My profile is set to 
private to keep advertisers at bay. In the early years Facebook warned users 
that clicking on an external link would grant such access.

matthew


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
valdis.kletni...@vt.edu
Sent: Friday, November 30, 2018 1:12 PM
To: Keith Medcalf
Cc: nanog@nanog.org; Brian Ladd
Subject: Re: [outages] facebook slow

On Fri, 30 Nov 2018 13:16:31 -0700, "Keith Medcalf" said:
> Why don't you just write all your passwords on big sheets of 
> construction paper and put them on the front of the building or in the 
> nearest Starbucks?

I'm going to go out on a limb and say that with all the problems inherent in 
using a social media account as an authenticator, for 95% of sites it's still 
more secure than if they attempted to create their own authentication system.
Having even less security expertise than Facebook, they will probably get it wrong 
(possibly in a subtle fashion that gets quietly exploited for years, and 
possibly in a spectacular fashion that makes it on the evening news).

There's the additional factor that security is always about trade-offs - for 
many sites, the dangers of using social media logins are *far* outweighed by 
being able to just have a big shiny "Log in using Facebook" button instead of 
making the user set up an account, pick a password, send them a verification 
e-mail, then they have to read their e-mail and click on the link.  Do that, 
and they just left for another site.  Doesn't take many people leaving for 
another site before any added "security" added by doing authentication yourself 
is outweighed by lost traffic.




Re: [outages] facebook slow

2018-12-02 Thread Rich Kulawiec
On Fri, Nov 30, 2018 at 04:12:27PM -0500, valdis.kletni...@vt.edu wrote:
> I'm going to go out on a limb and say that with all the problems inherent in
> using a social media account as an authenticator, for 95% of sites it's still
> more secure than if they attempted to create their own authentication system.

[snip good analysis]

However, there can be little doubt at this point that all major social
media sites have long since been thoroughly compromised.  Of course
they have: the attacker budget for doing so is enormous, easily
enough to bring to bear advanced cryptanalysis techniques, judicious
deployment of exploits including home-grown 0-days, and the assistance of
willingly/unwillingly co-opted insiders.  Meanwhile, the defenders have
shown themselves to be stunningly inept and have accrued a long-term
track record of massive data breaches almost too numerous to catalog.
(And those are just the ones we know about to date.  Surely there are
more waiting in the wings.)  This isn't really surprising: after all, it's
not *their* data, so why should they invest time and money in securing it?

Sadly, your point about the difficulty of creating homegrown authentication
systems is also accurate.  Therefore: we're just screwed.

---rsk



Re: [outages] facebook slow

2018-12-01 Thread John Osmon
On Fri, Nov 30, 2018 at 04:12:27PM -0500, valdis.kletni...@vt.edu wrote:
[...]
> There's the additional factor that security is always about trade-offs - for
> many sites, the dangers of using social media logins are *far* outweighed
> by being able to just have a big shiny "Log in using Facebook" button instead
> of making the user set up an account, pick a password, send them a verification
> e-mail, then they have to read their e-mail and click on the link.  Do that, and
> they just left for another site.  Doesn't take many people leaving for another
> site before any added "security" added by doing authentication yourself is
> outweighed by lost traffic.

What is better for the site could be diametrically opposed to what is
good for the end user.  (Yet another trade-off.)

Personally, the process of setting up a separate account for
each site is a hoop I require before I will sign up for/with a service.

I don't *CARE* if the individual site is compromised, as long as my
other logins are disconnected from it completely.  (For me, that means
separate usernames and password pairs for each site.)

I suspect there is a choir here to which I am preaching...



Re: [outages] facebook slow

2018-11-30 Thread valdis . kletnieks
On Fri, 30 Nov 2018 13:16:31 -0700, "Keith Medcalf" said:
> Why don't you just write all your passwords on big sheets of construction
> paper and put them on the front of the building or in the nearest Starbucks?

I'm going to go out on a limb and say that with all the problems inherent in
using a social media account as an authenticator, for 95% of sites it's still
more secure than if they attempted to create their own authentication system.
Having even less security expertise than Facebook, they will probably get it wrong
(possibly in a subtle fashion that gets quietly exploited for years, and
possibly in a spectacular fashion that makes it on the evening news).

There's the additional factor that security is always about trade-offs - for
many sites, the dangers of using social media logins are *far* outweighed
by being able to just have a big shiny "Log in using Facebook" button instead
of making the user set up an account, pick a password, send them a verification
e-mail, then they have to read their e-mail and click on the link.  Do that, and
they just left for another site.  Doesn't take many people leaving for another
site before any added "security" added by doing authentication yourself is
outweighed by lost traffic.






RE: [outages] facebook slow

2018-11-30 Thread Keith Medcalf


>   From what I'm aware of the US is currently experiencing issues
>with FB, Instagram and LastPass. The latter is impacting business for
>us. Coincidence? Maybe.  The root cause will certainly be
>interesting.

Why don't you just write all your passwords on big sheets of construction paper 
and put them on the front of the building or in the nearest Starbucks?

That way you won't have it "impacting business" and your passwords will be more 
secure ...

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.


>-Original Message-
>From: Outages [mailto:outages-boun...@outages.org] On Behalf Of Brian
>Ladd via Outages
>Sent: Friday, 30 November, 2018 08:21
>To: outa...@outages.org
>Subject: Re: [outages] facebook slow
>
>Wouldn't it be faster to create a mail filter to ignore outage
>notifications with social media platforms in the subject line than it
>would to write up an email complaining about it? Good grief.
>
>Brian Ladd
>Customer Care Manager
>Voiceopia Communications
>
>
>
>
>On Fri, Nov 30, 2018 at 9:28 AM Andrew R. LaPour via Outages
> wrote:
>
>
>   Gentlemen, some of you complain more than help. To judge the
>criticality of a service for other businesses is simply ignorant. An
>issue with a service as vast as FB could certainly be related to
>carrier services... As you all know,  Cloud/SaaS services have
>evolved to a degree in which outages have a larger impact on
>businesses today than ever before and thus this list, like it or not,
>has also evolved.
>
>   From what I'm aware of the US is currently experiencing issues
>with FB, Instagram and LastPass. The latter is impacting business for
>us. Coincidence? Maybe.  The root cause will certainly be
>interesting.
>
>
>   Andrew LaPour
>   VP of Information Technology
>
>   Sent from my phone. Forgive the brevity, the typos and the lack
>of nuance.
> <http://foresightfg.com>
>
>
>
>   ---- Original Message 
>   From: Outages  on behalf of Nick
>Pron via Outages 
>   Date: Tue, November 20, 2018 9:38 AM -0600
>   To: outa...@outages.org
>   Subject: Re: [outages] facebook slow
>
>
>
>   Just saying that FB is integrated with a lot of applications
>with their Connect platform... Knowing it could be down could be
>useful for some folks…
>
>
>
>   Just because you guys dislike/don’t use FB doesn’t mean it might
>not be useful to some people
>
>
>
>
>
>   Nick Pron | Senior Infrastructure Analyst, Computer Ops
>
>   1303 Yonge Street, Toronto, ON, M4T 2Y9, Canada
>
>   P: 416-323-6610 ext. 6610 | nick.p...@cineplex.com
>
>   Cineplex.com <http://www.cineplex.com/>
>
>
>
>
>
>
>   From: Outages  On Behalf Of
>Ferullo, Michael J. via Outages
>   Sent: Tuesday, November 20, 2018 10:25 AM
>   To: 'Steven McCrory' ; 'Mike Bolitho'
>; outa...@ics-il.net
>   Cc: 'outa...@outages.org' 
>   Subject: Re: [outages] facebook slow
>
>
>
>   Also much in agreement here. I signed up for this list for
>exactly what Mike stated: meaningful business critical services. I’d
>suggest someone spearhead the creation of another list for anything
>“social media” related.
>
>
>
>
>
>
>
>   Michael J. Ferullo <http://www.hinckleyallen.com>
>   Systems Administrator
>
>
>
>
>
>   Hinckley Allen <http://www.hinckleyallen.com/>
>   28