http://www.perlmonks.org?node_id=785285


in reply to Status of Recent User Information Leak

I just wanted to throw out a big thank-you to the PM Gods for the time and effort they've spent responding to this situation. Maintaining the site is a thankless job on a good day, and the last few days have been more thankless than most. Just trying to shift the karma the other way a little bit.

I have donated $$$ to PM several times in the past, and now is a good time to do so again. This is a resource that I value and I encourage everyone to look past this unfortunate incident and look towards the future.

As for the whole "hashed/unhashed" debate this doesn't bother me at all. "Convenience" and "Security" are at opposite ends of a continuum and PM is not a bank. I do not blame the Devs for choosing convenience over security... anyone who did not reuse their PM password has lost exactly nothing in this incident, and anyone who did reuse their PM password on another site deserves what they get. (Anyone who used their PM password on something that matters, like a bank account, a root server, or a database, should be publicly humiliated with extreme prejudice.) This is not/should not be a big deal.

Thanks again for your time and professionalism.

Gary Blackburn
Trained Killer

Re^2: Status of Recent User Information Leak
by Argel (Prior) on Aug 03, 2009 at 00:45 UTC
    When developers and designers continue to ignore how people actually behave then said developers and designers are the ones at fault. Studies have shown over and over that people write complicated passwords down, reuse passwords, etc. What we really need is a decent and inexpensive two-factor auth solution.

    And if you want to play the "professional" card then you might want to avoid saying things like "[certain people] should be publicly humiliated with extreme prejudice".

    Elda Taluta; Sarks Sark; Ark Arks

      When developers and designers continue to ignore how people actually behave then said developers and designers are the ones at fault. Studies have shown over and over that people write complicated passwords down, reuse passwords, etc.

      Yes, people do dumb things. And they use their birth date for their ATM pin. The natural (and even universal) tendency to do dumb things doesn't absolve users from taking responsibility for their actions.

      What we really need is a decent and inexpensive two-factor auth solution.

      Sure. And maybe (maybe) we'll get one of those someday, but until then the game is all about risk mitigation. The risk for me for a security breach at PM is zero. So therefore I don't care what PM does or does not do to secure my information. YMMV.

      And if you want to play the "professional" card then you might want to avoid saying things like "certain people should be publicly humiliated with extreme prejudice".

      No, if I wanted to play the "professional" card I'd use much harsher terms, like "fired." Any professional, who has been trained in IT security procedures, and who is fully aware of the risks and hazards of password security, who nevertheless uses the same password on PM that they use on a server or a bank account deserves much more punishment than mere humiliation.

      Gary Blackburn
      Trained Killer

        I think we are well past the time where just blaming the users is acceptable or professional. The actual studies are often just ignored and blaming the victim has just become an excuse. Not exactly a recipe for innovation, eh? The problem at this point is with the industry.

        Elda Taluta; Sarks Sark; Ark Arks