
Security Update - taspeotis
https://stackoverflow.blog/2019/05/16/security-update/
======
9nGQluzmnq3M
Serious question: what sensitive user data is there on Stack Overflow anyway?
Questions, answers and comments are all public, the content is Creative
Commons licensed and even available in handy downloadable & queryable form:
[https://data.stackexchange.com/](https://data.stackexchange.com/)

As far as I can see, the primary sensitive user data they have is e-mail
addresses, but (unlike, say, Reddit) most StackExchange forums don't deal with
personally embarrassing material and many if not most StackExchange users
post with handles easily associated with their real names.

~~~
smelendez
And passwords. In particular, probably some people reuse passwords between
Stack Overflow and GitHub, and keep other credentials in files in private
repos.

~~~
9nGQluzmnq3M
I would like to hope Stack Overflow of all companies doesn't store passwords
in plaintext, but you never know.

~~~
bredren
I work on an enterprise infosec tool that just demonstrated 48 trillion MD5s
per second using AWS GPUs.

Hashed passwords are cracked so easily it is a minor obstacle at this point.
It is a question of when not if a hash table is fully cracked.

~~~
dhritzkiv
MD5 is one thing as a password can be retrieved from a hash table. But pulling
out passwords from a hashed + salted value (e.g. via bcrypt) is many orders of
magnitude more infeasible, no?

~~~
bredren
I would be impressed if SO's user password table is in bcrypt.

~~~
dhritzkiv
What makes you say that? bcrypt's been the defacto best practice for user
password "storage" for probably 10 years now. MD5's been known to be
inadequate for much longer.

Even if they had a legacy implementation in MD5, gradually migrating from
storing MD5 hashes to storing bcrypt hashes is trivial to do.
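
Added example (not from the thread's authors): what "hashed + salted via a slow function" buys over bare MD5, and the login-time migration dhritzkiv calls trivial. Standard-library scrypt stands in for bcrypt; the legacy record format (bare MD5 hex) and the modern record format (`scrypt$N$r$p$salt$digest`) are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed record formats for this example:
#   legacy: bare unsalted MD5 hex digest
#   modern: "scrypt$N$r$p$<salt hex>$<digest hex>"
# scrypt stands in for bcrypt; the property that matters is the same:
# per-user salt plus a tunable, deliberately slow cost.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_md5(password: str) -> str:
    """The weak legacy scheme: fast, unsalted, identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. A fresh random salt means two users with the same
    password get different records, so one precomputed table cannot crack both."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest.hex(), digest_hex)


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Login-time migration: returns (ok, record_to_persist).
    If the stored record is legacy MD5 and the password checks out, the caller
    persists the returned scrypt record, so the table migrates one login at a time
    without ever needing the plaintext passwords up front."""
    if stored.startswith("scrypt$"):
        return verify_record(password, stored), stored
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, make_record(password)   # upgrade on successful login
    return False, stored


def cost_ratio(password: str = "correct horse", rounds: int = 20) -> int:
    """Rough, machine-dependent: how many MD5 hashes fit in the time of one scrypt hash."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(rounds):
        make_record(password, salt)
    per_scrypt = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    md5_rounds = 0
    while time.perf_counter() - t0 < per_scrypt:
        legacy_md5(password)
        md5_rounds += 1
    return md5_rounds


if __name__ == "__main__":
    old = legacy_md5("hunter2")
    ok, new = verify_and_upgrade("hunter2", old)
    print("legacy record:", old)
    print("upgraded on login:", ok, new[:40] + "...")
    print("MD5 hashes per scrypt hash on this machine:", cost_ratio())
```

The migration path needs no big-bang rehash: each successful login against a legacy record replaces it with a salted slow-hash record, and accounts that never log in again can be force-reset after a deadline.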

~~~
bredren
From what I understand, many systems do not choose to implement strong hashing
algos.

~~~
cyphar
Even PHP's hash_function uses scrypt. Yes, some people explicitly decide to
hash everything with sha1 but nothing you or I do will ever be able to stop
them.

------
rlt
> We have not identified any breach of customer or user data.

As usual, this is a meaningless statement. It could mean they have full packet
captures they've completely audited, or it could just as easily mean "we don't
keep logs of any kind so we have no fucking clue".

~~~
msemar
I take it to mean that they've looked into their logfiles and accesses to
their resources as closely as they can and so far haven't spotted anything.
So, not exactly meaningless, but also not entirely reassuring.

At any rate, I still have some degree in trust in the people running things
over there to tell us if the reality is different.

------
chairleader
What tends to be the first indication of breaches? It's one thing to do a
forensic analysis after learning of a breach, and it's another to detect it in
the first place.

~~~
nerdbaggy
I worked at a company that logged every single SQL query and made a rule set
based on that. May not have been the most efficient but it worked great. There
was basically a whitelist of sorts and if the query structure wasn't in there
then action was taken. Also worked by knowing what queries came in what order when
doing certain things.
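
Added example (not nerdbaggy's tooling): one way to build the "query structure whitelist" and the "expected order" rule described above on top of a DB server query log. The log format, the sample lines and the application's query set are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a DB server query log, one query per line.
# Format assumed here: "<timestamp> conn=<id> QUERY: <sql>".
LOG = [
    "2019-05-12T03:11:07Z conn=17 QUERY: SELECT id, password_hash FROM users WHERE email = 'alice@example.com'",
    "2019-05-12T03:11:07Z conn=17 QUERY: UPDATE users SET last_login = 1557630667 WHERE id = 42",
    "2019-05-12T03:11:09Z conn=17 QUERY: SELECT body FROM answers WHERE question_id = 7 ORDER BY score DESC LIMIT 30",
    "2019-05-12T03:12:40Z conn=23 QUERY: SELECT email, password_hash FROM users",
    "2019-05-12T03:12:41Z conn=23 QUERY: UPDATE users SET last_login = 1 WHERE id = 99",
    "2019-05-12T03:12:45Z conn=23 QUERY: SELECT id, password_hash FROM users WHERE email = 'x' OR 1=1",
]

LINE_RE = re.compile(r"^(\S+) conn=(\d+) QUERY: (.*)$")
STRING_RE = re.compile(r"'(?:[^']|'')*'")          # SQL string literal, '' escapes a quote
NUMBER_RE = re.compile(r"\b\d+(?:\.\d+)?\b")
WS_RE = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a query to its structure: literals become '?', whitespace and case normalised,
    IN-lists of any length collapse to '(?)'. Same shape => same fingerprint."""
    shape = STRING_RE.sub("?", sql)
    shape = NUMBER_RE.sub("?", shape)
    shape = WS_RE.sub(" ", shape).strip().rstrip(";").strip().lower()
    return re.sub(r"\(\s*\?(?:\s*,\s*\?)*\s*\)", "(?)", shape)


# Whitelist of shapes the application is known to issue (built from the app's own queries).
ALLOWED = {fingerprint(q) for q in [
    "SELECT id, password_hash FROM users WHERE email = ?",
    "UPDATE users SET last_login = ? WHERE id = ?",
    "SELECT body FROM answers WHERE question_id = ? ORDER BY score DESC LIMIT ?",
]}

# Sequence rule: this shape is only legitimate right after that shape on the same connection
# (a last_login update without the preceding credential lookup is not how the app logs in).
EXPECTED_PREDECESSOR = {
    fingerprint("UPDATE users SET last_login = ? WHERE id = ?"):
        fingerprint("SELECT id, password_hash FROM users WHERE email = ?"),
}


def scan(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, conn, reason, shape) for every query that breaks a rule."""
    alerts: List[Tuple[int, str, str, str]] = []
    last_shape: Dict[str, str] = {}
    for lineno, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            alerts.append((lineno, "?", "unparseable log line", line))
            continue
        _ts, conn, sql = m.groups()
        shape = fingerprint(sql)
        if shape not in ALLOWED:
            alerts.append((lineno, conn, "unknown query shape", shape))
        elif shape in EXPECTED_PREDECESSOR and last_shape.get(conn) != EXPECTED_PREDECESSOR[shape]:
            alerts.append((lineno, conn, "out-of-sequence query", shape))
        last_shape[conn] = shape
    return alerts


if __name__ == "__main__":
    for lineno, conn, reason, shape in scan(LOG):
        print(f"line {lineno} conn={conn}: {reason}: {shape}")
```

Lines 4 to 6 of the sample trip the rules: a full-table read of users that the app never issues, a last_login update with no preceding credential lookup on that connection, and a lookup whose shape gained an extra `OR` clause. Whether "action taken" means alert, kill the session, or block the connection is a deployment choice; the fingerprinting is the part that makes the whitelist small enough to maintain.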

~~~
xfitm3
What tooling did you use to audit queries?

~~~
dboreham
Not parent but it reads like they wrote their own (presumably driven by DB
server log data with query logging enabled).

------
plasma
Reflecting on this, I wonder if a PaaS solution that is a "vault" of
confidential information would be a good thing.

Similar to how Stripe handles payments with a token, we could all store tokens
for User information (eg the Id) and query the vault (or operate on the vault,
eg, validate login, or return email, etc) using keys.

The service could be hardened (like Stripe) to ensure the data is stored
securely, and detect ex-filtration attempts (eg, queries for multiple
customers at once being abnormal) and automatically block that.
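
Added example (not from the thread, not Stripe's or any vendor's API): a toy in-process "vault" of the kind plasma sketches. The application keeps only opaque tokens, every read or login check goes through the vault attributed to a caller, and a caller that touches more distinct records in a window than a normal request flow would is blocked and alerted. The threshold, window and record layout are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000   # assumed cost setting for the demo


class Vault:
    """Holds PII keyed by opaque tokens. Callers never get raw records in bulk:
    each access is attributed and counted, and a caller touching more distinct
    tokens than a legitimate request flow would is blocked and alerted."""

    def __init__(self, max_distinct_per_window: int = 5, window_seconds: float = 60.0):
        self._records: Dict[str, dict] = {}
        self._access: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.max_distinct = max_distinct_per_window
        self.window = window_seconds
        self.blocked: Set[str] = set()
        self.alerts: List[str] = []

    def store(self, email: str, password: str) -> str:
        """Return an opaque token; the app persists only the token next to its own data."""
        token = "tok_" + secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self._records[token] = {
            "email": email,
            "salt": salt,
            "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS),
        }
        return token

    def _audit(self, caller: str, token: str, now: float) -> None:
        """Sliding-window count of distinct records per caller; block on a bulk pattern."""
        if caller in self.blocked:
            raise PermissionError(f"{caller} is blocked pending review")
        q = self._access[caller]
        q.append((now, token))
        while q and now - q[0][0] > self.window:   # drop accesses outside the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) > self.max_distinct:
            self.blocked.add(caller)
            self.alerts.append(f"{caller}: {len(distinct)} distinct records in {self.window:g}s")
            raise PermissionError(f"{caller} blocked: bulk access pattern")

    def email_for(self, caller: str, token: str, now: float) -> Optional[str]:
        """Narrow read: one field of one record, attributed to the caller."""
        self._audit(caller, token, now)
        rec = self._records.get(token)
        return rec["email"] if rec else None

    def verify_login(self, caller: str, token: str, password: str, now: float) -> bool:
        """Operate on the vault without exporting the secret: the hash never leaves."""
        self._audit(caller, token, now)
        rec = self._records.get(token)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, rec["pw"])


def demo() -> Tuple[List[str], Set[str], int]:
    """Constructed scenario: a web front end reads a few records; a rogue job sweeps many.
    Returns (alerts, blocked callers, how many records the sweep got before being cut off)."""
    v = Vault(max_distinct_per_window=5, window_seconds=60)
    tokens = [v.store(f"user{i}@example.com", f"pw{i}") for i in range(8)]
    assert v.verify_login("web", tokens[0], "pw0", now=0.0)
    assert not v.verify_login("web", tokens[0], "nope", now=1.0)
    assert v.email_for("web", tokens[1], now=2.0) == "user1@example.com"
    swept = 0
    for t in tokens:
        try:
            v.email_for("report-job", t, now=10.0)
            swept += 1
        except PermissionError:
            break
    return v.alerts, v.blocked, swept


if __name__ == "__main__":
    alerts, blocked, swept = demo()
    print("swept before block:", swept, "| blocked:", blocked, "| alerts:", alerts)
```

The detection here is deliberately simple (distinct records per caller per window); the design point is that because every access is narrow and attributed, a bulk pattern is visible at all, which it is not when the application holds the table itself.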

~~~
bigiain
You've just invented from first principles Single Sign On, OAuth, SAML, and
Identity Providers.

You can rent it from AWS, of course. It's called Cognito.

[https://aws.amazon.com/cognito/](https://aws.amazon.com/cognito/)

You can also offload that responsibility for user data/credentials to
Google/Facebook et al as you see many places with "Login with Facebook",
making your users pay in privacy-invasion instead of bearing the burden of
properly securing your user's PII yourself...

~~~
jimbo1qaz
Mozilla Persona was designed so "the identity provider does not know which
website the user is identifying on." But it did not catch on.

As a user, it seemed like "so i need to login to Google on Mozilla.org... it's
just a wrapper for my Gmail and/or Mozilla account?"

------
jtdev
Interesting that this message is being delivered by the VP of Engineering
rather than a VP of Security or another more security focused counterpart with
a sufficiently senior title. Wonder if SO has an in house security team with
management and executive representation?

------
falcor84
I wonder why they are disclosing this so early, with so little information.

~~~
bastawhiz
Would you prefer that they didn't?

~~~
falcor84
I think I would prefer to wait until they have something more specific to
disclose. The current update gives me absolutely nothing to go with.

It's as if a prison disclosed that the front gate was left unlocked for
several minutes and they're still counting the prisoners. I would much prefer
to hear about it after they have learned whether anyone escaped.

------
philliphaydon
Probably a really stupid question... but how do people detect an intrusion
like this?

~~~
lucb1e
It's not, but it might have been smart to read a few of the other comments and
notice an identical question with two or three answers (depending on your
exact time of writing):
[https://news.ycombinator.com/item?id=19935443](https://news.ycombinator.com/item?id=19935443)

~~~
philliphaydon
Thanks. I was reading on my phone on the train, comments on the app aren't
always easy to follow.

------
joelthelion
Oh oh... More than ever now, don't copy paste blindly from SO answers!

~~~
keyle
You'd have to copy/paste a serious chunk of code you don't understand to
really cause any damage. I think this comment is either taking the pun or
misguided.

~~~
erichurkman
Q: "How do I recursively set ownership of folders in Linux?"

A: [http://thejh.net/misc/website-terminal-copy-paste](http://thejh.net/misc/website-terminal-copy-paste)

~~~
justwalt
Reader mode exposes the full text of the command, if anyone is wondering and
doesn’t feel like doing exactly what the post is telling you not to do.

------
rhamzeh
I think we've reached a point where it's safe to say that if you're using a
service - _any_ service - assume your data is breached (or willingly given)
and accessible to some unknown third party. That third party can be the
government, it can be some random marketer or it can be a malicious hacker.

Just hope that you have nothing anywhere that may be of interest or value to
anyone, anywhere.

Good luck.

~~~
kuzimoto
I've made it a point to start self hosting anything that's particularly
sensitive that I don't want third parties to have access to. KeePass and
SyncThing probably have my most important information, and it's all owned by
me.

~~~
StavrosK
Plus, both are great software. KeePass2Android is the best Android password
manager, bar none.

~~~
shpx
I like Chrome/Chromium's password manager. You just login the first time you
open it and it autofills passwords. Don't have to install any additional
software or configure anything, and it'll also autosuggest passwords you saved
on websites in Android apps.

The only thing I miss sometimes is you can't manually add passwords.

~~~
hellcow
Last I checked, Chrome on desktop stores all your passwords in plaintext on
disk. Unless something's changed... I wouldn't use that.

Firefox at least offers you the ability to set a master password to encrypt
all the rest.

~~~
butteroverflow
Well, on Windows Chrome does use the system crypto API and encrypts, I
believe, your whole profile, but only if you have a password set on your
system account.

------
blackflame7000
Security through obscurity is undervalued.

~~~
NicolaiS
No.

~~~
blackflame7000
Yes. It's about minimizing attack surfaces. You can't hack what you can't
understand.

------
nick_kline
I'm glad it was a 'minor' breach. But where is the blog post from the clever
and witty founder, about not trying to hire the top 5% of security engineers
because everyone is?

