• 0 Posts
  • 142 Comments
Joined 1 year ago
Cake day: June 13th, 2023


  • In fact I don’t personally agree with doing it here, but I mean, there is no other way to do age verification. There are technically ways that can make sure the only data reaching the end customer (the porn site) is a boolean (minor or not), and the identity verification is generally done by another entity, but ultimately yes I agree, I wouldn’t do it either and I personally think it’s not worth it in this case at all (I think proper sex education in school is probably what I would invest in).

    There is also another thing to consider though, which is that porn is different from (say) a gambling site (where you have to do identity verification) mostly due to the religious/moral stigma on sex. This makes me a little bit conflicted because I would like a society in which sex is freed from stigma and shame, and where “associating yourself with a porn site” is not as bad as it is now. Definitely age verification is not the way to pursue this objective, but overall this makes me ask questions like “why would I not have a problem doing the same for a gambling site but I would for porn? Does it align with my values or is it coming from cultural pressure I disagree with?”

  • He has not been sentenced yet, I hope you know that. I hope you also know the effort that he and his team made to have the trial done where he was a de facto prisoner, but also the complete lack of flexibility from those who wanted him to simply step out of the embassy to arrest and extradite him.

    The timeline and the events are very well narrated in Stefania Maurizi’s book. It’s almost gross how much the rape accusations have been used to try to get to him and how poorly both British and Swedish authorities behaved, probably obeying the US (colonial power much).

  • Of course, but I assume elderly people getting familiar with a completely new technology need some kind of personal support and introduction from someone close anyway. I don’t think anybody would plan to throw a Mac at some elderly person and say “if there is any issue, call Apple support”, right?

    I get your point though, and I am just saying that there are situations where Linux might work totally fine.

    Also, the used market for Apple products is not that big where I lived. Nobody in the family had a Mac either, which means she wouldn’t have had anybody to ask for support at all. It’s a specific situation, but my point is that having official support is not going to help that much in some cases.


  • I find Mac to be extremely unintuitive in how things are organized tbh, but that’s just me.

    Anyway, you are right, but she wanted to spend just 300-400 euros for a laptop, which is incompatible with Apple prices. Obviously this means being there to support if something goes wrong, but with a minimal install and Linux being stable, it doesn’t happen often (I also have my mom’s laptop running Mint). I do have a reverse tunnel script configured that allows me to SSH into their machines using a “panic” icon on their desktop.


  • sudneo@lemmy.world to Technology@lemmy.world: Why Linux is Best for Most People (6 months ago)

    My great-aunt asked for a PC when she was 85 and her grandchild moved abroad. I installed Linux Mint with a few scripts and shortcuts to ease her life, and she picked that up (check email, Skype, nothing super sophisticated ofc). I guess if it’s a new thing, Windows does not have the advantage of being already familiar, and Linux is more stable in my experience, which leads to fewer random errors.

  • This statement makes no sense. Federated search means nothing. Ultimately someone needs to scrape, index, store and retrieve data. At the moment, a handful can do it efficiently, and to have wide coverage, engines also use other APIs. Kagi does this, for example, by combining Google and others (e.g. Brave) with their own indexer.

    How do you imagine a “federated” search would be any different? Using multiple APIs is effectively “federating”.

    As I said in another comment, to be fully ethical you should not run on any major cloud (owned by Amazon, Google, Microsoft, Oracle and IBM), not run on anything on fossil fuels (few DCs), not use any API of major companies (Google, Apple, etc.) and so on. So basically if we ever want a new, better solution (tech) we just need to materialize a few billion dollars to allow this fully ethical solution with no dependency on immoral parties. Alternatively, the whole market dynamic should be disrupted, because that’s the problem.


  • They are using brave search results, like they do with others. Frankly, you could build totally identical arguments (and to be honest, much more serious) for “partnering” with Google and Microsoft, but then the product wouldn’t exist and wouldn’t be as good.

    The relationship with the Brave founder is so indirect, that this - to me - feels like an argument from someone who is looking for reasons to get angry. Kagi probably uses AWS (or other clouds), which funds Amazon (known for terrible worker rights), funds Google, fossil fuel industry, etc. It’s a sad reality, but you simply can’t exist nowadays in the moral and ethical way many people would like. You can, only if you are a privileged one. Technologically speaking, Google can probably do it, for example (own hardware, DCs, tech etc.). We can choose to fight those that directly support political agendas we disagree with, or we can damage the smallest players by demanding they will be 100% pure and ethical by not having any relationship with those with those agendas.

    In my personal opinion, such unrealistic ethical requirements end up being a reactionary choice as they will ultimately impede new - better - players from emerging and will leave the existing - worse - ones dominating.


  • If the accounts were logged into from geographically similar locations at normal volumes then it wouldn’t look too out of the ordinary.

    I mean, device fingerprinting is used for this purpose. Then there is the geographic pattern, the IP reputation etc. Any difference -> ask MFA.

    It’s so difficult that most companies tend to just defer to large players like Google and Microsoft to do this for them.

    Cloudflare, Imperva, Akamai I believe all offer these services. These are some of the players who can help against this type of attack, plus of course in-house tools. If you decide to collect sensitive data, you should also provide appropriate security. If you don’t want to pay for services, force MFA at every login.


  • Of course this is not a brute force attack, credential stuffing is different from brute-forcing and I am well aware of it. What I am saying is that the “lockout period” or the rate limiting (useful against brute force attacks) for logins are both security measures that are sometimes demanded from companies. However, even in the case of brute-forcing, it’s the user who picks a “brute-forceable” password. A 100 character password with numbers, letters, symbols and capital letters essentially cannot be brute-forced. The industry recognized however that it’s the responsibility of organizations to implement protections from brute-forcing, even though users can already “protect themselves”. So, why would it be different in the case of credential stuffing? Of course, users can “protect themselves” by using unique passwords, but I still think that it’s the responsibility of the company to implement appropriate controls against this attack, in exactly the same way that it’s their responsibility to implement rate-limiting on logins or a lockout after N failed attempts. In the case of stuffing attacks, MFA is the main control that should simply be enforced or at the very least required (e.g., via email - which is weak but better than nothing) when any new pattern in a login emerges (a new device, for example). 23andMe failed to implement this, and blaming users is the same as blaming users for having their passwords brute-forced when no rate-limiting, lockout period, complexity requirements etc. are implemented.


  • My idea is definitely biased by the fact that I am a security engineer by trade. I believe a company is ultimately responsible for the security of their users, even if the threat is the users’ own behavior. The company is the one able to afford a security department that is competent about the attacks their users are exposed to and able to mitigate them (to a certain extent), and that’s why you enforce things.

    Very often companies use “ease” or “users don’t like it” to justify the absence of security measures such as enforced 2FA. However, this is their choice, which prioritizes not pissing off (potentially) a small % of users at the price of more security for all users (especially the less proficient ones). It is a business choice that they need to be accountable for. I also want to stress that despite being mostly useless, different compliance standards also require measures that protect users who use simple or repeated passwords. That’s why complexity requirements are sometimes demanded, or also the trivial brute-force protection with a lockout period (for example, most gambling licenses require both of these, and companies who don’t enforce them cannot operate in a certain market). Preventing credential stuffing is no different and if we look at OWASP recommendations, it’s clear that enforcing MFA is the way to go, even if perhaps in a way that does not trigger all the time, which would have worked in this case.

    It’s up to each user to determine how securely they want to protect their data.

    Hard disagree. The company, i.e. the data processor, is the only one who has the full understanding of the data (sensitivity, amount, etc.) and a security department. That’s the entity who needs to understand what threat actors exist for the users and implement controls appropriately. Would you trust a bank that allowed you to login and make bank transfers using just a login/password with no requirements whatsoever on the password and no brute force prevention?


  • The fact that they did not enforce 2FA on everyone (mandatory, not just having the feature available) is their responsibility. You are handling super sensitive data, and credential stuffing is an attack with a super low level of complexity and high likelihood.

    Similarly, they probably did not enforce complexity requirements on passwords (making an educated guess here), or at least not sufficiently, which is also their fault.

    Regarding the last bit, it might not have helped against this specific breach, but we don’t know that. There are companies who offer threat intelligence services and buy breached data specifically to offer this service.

    Anyway, in general the point I want to make is simple: if the only defense you have against a known attack like this is a user who chooses a strong and unique password, you don’t have sufficient controls.
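The credential-stuffing comments above keep coming back to the same three server-side controls: a lockout after N failed attempts per account, rate limiting per source, and step-up MFA whenever a correct password arrives from a device or location the account has never used. The block below is an added example that is not code from this thread or from 23andMe; it puts those three controls into one login gate and replays a constructed "leaked" credential list against it to show that a reused-but-valid password stops at the MFA prompt instead of logging in. All accounts, IP addresses, device identifiers, thresholds and the leaked list are constructed for the demo; a real system would verify a salted password hash and keep the attempt counters in shared storage rather than in memory.

```python
"""Login gate demonstrating lockout, per-IP rate limiting and step-up MFA.

Added example for the credential-stuffing discussion; all data is constructed.
"""
import hmac
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5       # failed attempts per account before a lockout (constructed value)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked
IP_RATE_LIMIT = 20          # attempts allowed per source IP per window
IP_WINDOW_SECONDS = 60


@dataclass
class Account:
    password: str                      # demo only: a real system verifies a salted hash
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    failures: int = 0
    locked_until: float = 0.0


class LoginGate:
    def __init__(self, accounts):
        self.accounts = accounts
        self.ip_attempts = defaultdict(deque)   # ip -> timestamps of recent attempts

    def _ip_rate_limited(self, ip, now):
        """Sliding window per source IP, checked before any credential is looked at."""
        window = self.ip_attempts[ip]
        while window and now - window[0] > IP_WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        return len(window) > IP_RATE_LIMIT

    def attempt(self, username, password, ip, device_id, country, now):
        """Return one of RATE_LIMITED, LOCKED, DENIED, MFA_REQUIRED, ALLOWED."""
        if self._ip_rate_limited(ip, now):
            return "RATE_LIMITED"
        acct = self.accounts.get(username)
        if acct is None:
            return "DENIED"              # same answer as a wrong password: no user enumeration
        if now < acct.locked_until:
            return "LOCKED"
        if not hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                return "LOCKED"
            return "DENIED"
        acct.failures = 0
        # Correct password from an unknown device or country: a stolen but valid
        # credential looks exactly like this, so step up to a second factor.
        if device_id not in acct.known_devices or country not in acct.known_countries:
            return "MFA_REQUIRED"
        return "ALLOWED"

    def complete_mfa(self, username, device_id, country):
        """After a successful second factor, trust this device and country."""
        acct = self.accounts[username]
        acct.known_devices.add(device_id)
        acct.known_countries.add(country)


def demo_gate():
    """Constructed accounts for the demo."""
    return LoginGate({
        "alice": Account("correct horse battery staple", {"laptop-1"}, {"IT"}),
        "bob": Account("hunter2hunter2", {"phone-7"}, {"DE"}),
    })


def simulate_stuffing(gate, leaked_pairs, ip, now):
    """Replay a constructed credential list from one IP and count the outcomes."""
    outcomes = Counter()
    for i, (user, pw) in enumerate(leaked_pairs):
        outcomes[gate.attempt(user, pw, ip, "bot-device", "XX", now + i)] += 1
    return outcomes


if __name__ == "__main__":
    leak = [("alice", "correct horse battery staple"),   # reused, still valid
            ("bob", "password123"),                      # stale password
            ("carol", "letmein")]                        # no such account
    print(simulate_stuffing(demo_gate(), leak, "198.51.100.7", 1_000_000.0))
```

The order of the checks matters: the IP window is consulted first so a stuffing run burns its rate budget before it can touch account state, and an unknown username gets the same `DENIED` as a wrong password so the gate does not confirm which accounts exist. The only path that ends in `ALLOWED` is a correct password from a device and country the account has already completed MFA with.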