|
anthonypants posted:get ready for more windows xp security updates https://blogs.windows.com/windowsexperience/2017/06/13/microsoft-releases-additional-updates-protect-potential-nation-state-activity/ i'm the windowsexperience seriously disappointing
|
#
?
Jun 13, 2017 22:00
|
|
|
|
| # ? Jun 7, 2024 00:54 |
|
|
infernal machines posted:i'm the windowsexperience
|
|
#
?
Jun 13, 2017 22:12
|
|
|
anthonypants posted:yeah i bet you are NICE!
|
|
#
?
Jun 13, 2017 22:22
|
|
|
infernal machines posted:i'm the windowsexperience
|
|
#
?
Jun 13, 2017 22:25
|
|
|
I'm windows frotz
|
|
#
?
Jun 13, 2017 23:24
|
|
|
anthonypants posted:someone did this with an instagram account and i got the confirmation email so i signed up and changed the password. sorry you lost your username because you don't know what your email address is, idiot
|
|
#
?
Jun 14, 2017 02:49
|
|
|
quote:The UITS staff also discovered that although the center had separate public and private networks, there was a live network jack (going out to the public network) in the closet where the private network systems are kept, raising the possibility that workers could have, at some point, connected the private network systems to the internet. Workers had also installed their own wireless access point in the office—a possible point of entry into networks for attackers. Given all of these findings and the center’s lack of oversight before the breach, critics say it’s not clear that the center’s small staff, some of whom are non-technical students at the university, could be trusted to maintain the integrity of those separate networks. lol
|
|
#
?
Jun 14, 2017 11:17
|
|
|
anthonypants posted:some teen just did this again, but this time the account has a bunch of pictures in it. whoops its dumb as heck that they can even start using the account without confirming the email or i guess maybe they were using an account without email and then added it later (if thats possible??), then its dumb as heck that instagram lets you take over & destroy their account either way its really dumb
|
|
#
?
Jun 14, 2017 11:29
|
|
|
but yeah, always change pw on accounts that idiots set up with your email tho
|
|
#
?
Jun 14, 2017 11:30
|
|
|
Powaqoatse posted:or i guess maybe they were using an account without email and then added it later (if thats possible??), then its dumb as heck that instagram lets you take over & destroy their account what mechanism would you use to prevent that?
|
|
#
?
Jun 14, 2017 11:33
|
|
|
Subjunctive posted:what mechanism would you use to prevent that? idk have the confirmation link in the email challenge with a numeric token that you were told when you enter the email in the app/website at least it would mean you'd have to be logged in to change the email & typos wouldnt risk your account as badly
|
|
#
?
Jun 14, 2017 11:39
|
|
|
Subjunctive posted:what mechanism would you use to prevent that? email a confirmation code which has to be entered along with your username and password to confirm the email?
|
|
#
?
Jun 14, 2017 11:40
|
|
|
yea or that. most of the time, the confirmation link just logs you in & you have full control of the account
|
|
#
?
Jun 14, 2017 11:41
|
|
|
you would lose so many users and orphan so many accounts making people flip between that stuff. a billion users are not going to manage to get through that gate it's not like IG and others are unaware of this issue, it's just better than the known alternatives
|
|
#
?
Jun 14, 2017 11:43
|
|
|
all you need to do is not have the confirmation link automatically log you in. if they still have the cookie from their previous visit when they click the link, fine, if they don't then ask them to log in again. there's no excuse for the emailed confirmation link giving whoever knows it full access to the account. e: obv. you need to not do email password recovery until they've actually confirmed their email address too.
|
|
#
?
Jun 14, 2017 11:46
|
|
|
Jabor posted:all you need to do is not have the confirmation link automatically log you in. if they still have the cookie from their previous visit when they click the link, fine, if they don't then ask them to log in again. there's no excuse for the emailed confirmation link giving whoever knows it full access to the account. but clicking the confirmation link confirms; that's its whole point I have a perhaps-unusual amount of sympathy for this problem from working with the FB login/account access team and seeing how brutally any increase in complexity tanks user signup or recovery.
|
|
#
?
Jun 14, 2017 12:07
|
|
|
Subjunctive posted:but clicking the confirmation link confirms; that's its whole point which it does just fine, if you're signed in (e.g. if you're using the same device you created the account on) if you're not signed in then all you need to do to confirm is sign in again, which isn't a huge burden since it's something you're going to have to do at some point anyway
|
|
#
?
Jun 14, 2017 12:20
|
|
|
Jabor posted:all you need to do is not have the confirmation link automatically log you in. if they still have the cookie from their previous visit when they click the link, fine, if they don't then ask them to log in again. there's no excuse for the emailed confirmation link giving whoever knows it full access to the account. do this & gently caress the users who are too dumb to do even that
|
|
#
?
Jun 14, 2017 12:20
|
|
|
Subjunctive posted:I have a perhaps-unusual amount of sympathy for this problem from working with the FB login/account access team and seeing how brutally any increase in complexity tanks user signup or recovery. but not signing up for FB is a good thing?? Powaqoatse posted:do this & gently caress the users who are too dumb to do even that also this
|
|
#
?
Jun 14, 2017 12:22
|
|
|
Jabor posted:which it does just fine, if you're signed in (e.g. if you're using the same device you created the account on) that doesn't hold at all for a mobile app -- they work fine without a password until you set one and happen to log out (minority of users, but if they do it's very high odds they will want to recover), because all mobile platforms have built-in identifier, and "same device" isn't detectable between browser and app.
|
|
#
?
Jun 14, 2017 12:47
|
|
|
Subjunctive posted:that doesn't hold at all for a mobile app -- they work fine without a password until you set one and happen to log out (minority of users, but if they do it's very high odds they will want to recover), because all mobile platforms have built-in identifier, and "same device" isn't detectable between browser and app. the app can sign itself up as the handler for that particular site's confirmation urls just fine
|
|
#
?
Jun 14, 2017 12:52
|
|
|
just redirect to the app on mobile.
|
|
#
?
Jun 14, 2017 12:53
|
|
|
Jabor posted:the app can sign itself up as the handler for that particular site's confirmation urls just fine that substantially fucks the user experience if the browser is meaningful on the site have you tried this and measured it? every confirmation pop up you put in people's way carves off percentage points of users, and percentage points of users is millions in revenue at IG's scale FB runs a half-dozen login/signup experiments at any given time, for the main site and IG/WA. the results are consistently stacked against more steps
|
|
#
?
Jun 14, 2017 12:57
|
|
|
i'm still not clear on what the "extra step" you think is happening here actually is the user experience is you create an account, confirm your email address, and then at some later point you look at your email on the same device, press the confirmation link, and you end up on a page (either in the browser, or the app, depending on which one you're logged in on) congratulating you on figuring it out. i.e. exactly the same thing that happens under your proposal. in the only other case, they're looking at their email on a different device, and getting them to log in on that device too is actually a good thing for most metrics you care about. -- and this is all ignoring the "let's have a broken security model just to try and scrape up a few more users". is the next step to crib from tiny bug child and send plaintext password resets because that gives you measurably better user retention rates?
|
|
#
?
Jun 14, 2017 13:07
|
|
|
Truga posted:but not signing up for FB is a good thing?? yeah sabotaging facebook from the inside through subtle manipulation of stuff like this seems like a great way to get yourself off the short list for a guillotine'in when the revolution starts
|
|
#
?
Jun 14, 2017 13:11
|
|
|
so why should someone be allowed to sign up for an account with an email that they don't own?
|
|
#
?
Jun 14, 2017 13:12
|
|
|
Chris Knight posted:so why should someone be allowed to sign up for an account with an email that they don't own? there's no good reason, so decent sites that don't cater to droves of non-technicals who die thinking of email have implemented a preverification on registration procedure. you enter email and say age, and confirmation link sent takes you to the registration form
|
|
#
?
Jun 14, 2017 13:14
|
|
|
the extra step is "Open in Instagram?", and equivalent (but more terribly worded) on Android, for which the cancel rate is non-trivial in other scenarios it's the same broken model used by every site on the web, assuming they bother to confirm at all. the failure mode here is loss of a new, low-value-to-user account. the failure mode of a more complex system is more users locking themselves out of older, high-value-to-user accounts because they didn't complete confirmation I will pass your thoughts on to the account access team, though, so you can save the world with untried approaches!
|
|
#
?
Jun 14, 2017 13:17
|
|
|
cinci zoo sniper posted:there's no good reason, so decent sites that don't cater to droves of non-technicals who die thinking of email have implemented a preverification on registration procedure. you enter email and say age, and confirmation link sent takes you to the registration form can you give me an example of a mobile app that does this? I'd like to try the flow
|
|
#
?
Jun 14, 2017 13:18
|
|
|
you don't need to ever click "open in app" at all. you click on the confirmation link. that opens the app (if it's installed), or the browser (if the app is not installed). the app can redirect to the browser if the user is not signed in on the app. and if we're talking failure modes, it's more like "a malicious person has access to that email address, and uses the access to the account that you've given them to steal private information that the user has given to you in confidence". but hey, if "growing your userbase" is more important than being a good custodian of people's private data, keep on keeping on i guess.
|
|
#
?
Jun 14, 2017 13:27
|
|
|
One of my old email addresses (a gmail with a particularly popular name amongst a small group of people) became associated with a randos new Facebook account a while back. I did not have to click a link to verify the address for them, and I now get Facebook notifications meant for them.
|
|
#
?
Jun 14, 2017 13:35
|
|
|
Subjunctive posted:but clicking the confirmation link confirms; that's its whole point
|
|
#
?
Jun 14, 2017 13:44
|
|
|
bobfather posted:One of my old email addresses (a gmail with a particularly popular name amongst a small group of people) became associated with a randos new Facebook account a while back. I did not have to click a link to verify the address for them, and I now get Facebook notifications meant for them. yeah, I argued loudly against dropping confirmation there
|
|
#
?
Jun 14, 2017 13:45
|
|
|
Subjunctive posted:can you give me an example of a mobile app that does this? I'd like to try the flow
|
|
#
?
Jun 14, 2017 13:54
|
|
|
Subjunctive posted:yeah, I argued loudly against dropping confirmation there Was the thinking "if the user has multiple email addresses, they should add them ALL to their facebook account so we can have even more info about each of our consumers?"
|
|
#
?
Jun 14, 2017 13:55
|
|
|
no, multiple emails are for pymk purposes the confirmation dropping was just friction reduction, afaik e: the change predates custom audiences, but I guess it's useful for that now too
|
|
#
?
Jun 14, 2017 13:57
|
|
|
Jabor posted:but hey, if "growing your userbase" is more important than being a good custodian of people's private data, keep on keeping on i guess. You must be new here. Hello, welcome to the tech industry in Volmarias fucked around with this message at 14:00 on Jun 14, 2017 |
|
#
?
Jun 14, 2017 13:58
|
|
|
Different topic: How much room is there in the password manager space? My sense is "not very much", but the enterprise offerings seem weak so maybe. Pitch I got: quote:[product] is an enterprise solution and the only password manager that encrypts and stores passwords offline on a smartphone while automating logins on any device. Nothing is ever stored in the cloud, giving convenience and peace of mind to the user and firm. The application uniquely turns a smartphone into a FIDO U2F certified token that only can be authenticated by the user / biometrics. Biometrics doesn't thrill me but I'm sure it's in demand. Cloudless is going to appeal. E: I get a lot of security pitches ("hardware entropy as a service for quantum crypto"), let me know if there's interest in sharing them in the general case
|
|
#
?
Jun 14, 2017 14:04
|
|
|
maybe on phone you could streamline something like sms code auto confirmation to prompt further registration, but that neither is reliable nor have i thoroughly read the preceding discussion
|
|
#
?
Jun 14, 2017 14:15
|
|
|
|
| # ? Jun 7, 2024 00:54 |
|
|
i used a well know UK energy switching site the other day and after going through its setup stuff it created me an account on their service which weirdly required no password, turns out what they do is just link your account to your email address then when you want to login send you a one time(i assume) link with a token in it. i cant decide if this is good or bad. its something you'd use once a year maybe and this does make signup and login easier as you don't need to remember a password, just generate a 1 time link then forget about it
|
|
#
?
Jun 14, 2017 14:33
|
|
