posted by hubie on Saturday January 06 2024, @01:03PM   Printer-friendly
from the spitting-into-the-wind dept.

Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch:

"Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

[...] But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that "users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe."

"Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures," the letter reads.

Zavareei said that 23andMe is "shamelessly" blaming the victims of the data breach.

"This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform," Zavareei said in an email.

"The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe's attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever," said Zavareei.

Related Stories

23andMe Says Private User Data is Up for Sale After Being Scraped 12 comments

Records reportedly belong to millions of users who opted in to a relative-search feature:

Genetic profiling service 23andMe has commenced an investigation after private user data was scraped off its website

Friday's confirmation comes five days after an unknown entity took to an online crime forum to advertise the sale of private information for millions of 23andMe users. The forum posts claimed that the stolen data included origin estimation, phenotype, health information, photos, and identification data. The posts claimed that 23andMe's CEO was aware the company had been "hacked" two months earlier and never revealed the incident. In a statement emailed after this post went live, a 23andMe representative said "nothing they have posted publicly indicates they actually have any 'health information.' These are all unsubstantiated claims at this point."

23andMe officials on Friday confirmed that private data for some of its users is, in fact, up for sale. The cause of the leak, the officials said, is data scraping, a technique that essentially reassembles large amounts of data by systematically extracting smaller amounts of information available to individual users of a service. Attackers gained unauthorized access to the individual 23andMe accounts, all of which had been configured by the user to opt in to a DNA relative feature that allows them to find potential relatives.

[...] The DNA relative feature allows users who opt in to view basic profile information of others who also allow their profiles to be visible to DNA Relative participants, a spokesperson said. If the DNA of one opting-in user matches another, each gets to access the other's ancestry information.

23andMe: Profiles of 6.9 Million People Hacked 18 comments

Hackers have been able to gain access to personal information from about 6.9 million users of genetic testing company 23andMe, using customers' old passwords:

In some cases this included family trees, birth years and geographic locations, the company said.

After weeks of speculation the firm has put a number on the breach, with more than half of its customers affected.

The stolen data does not include DNA records.

[...] As was first reported by TechCrunch, the company has acknowledged that by accessing those accounts, hackers were then able to find their way into "a significant number of files containing profile information about other users' ancestry".

The criminals downloaded not just the data from those accounts but the private information of all other users they had links to across the sprawling family trees on the website.

The stolen data includes information like names, how each person is linked and in some cases birth years, locations, pictures, addresses and the percentage of DNA shared with relatives.

I'm with Bill Burr on this.

See also: 23andMe Says Private User Data is Up for Sale After Being Scraped

23andMe Proposes $30 Million Payment for Data Breach 6 comments

Genetic information and ancestry reports of U.S. citizens were among the information stolen in the cyber attack:

23andMe proposes to compensate millions of customers affected by a data breach on the company's platform, offering $30 million as part of the settlement, along with providing users access to a security monitoring system.

The genetic testing service will pay the amount to approximately 6.4 million American users, according to a proposed class action settlement filed in the U.S. District Court for the Northern District of California on Sept. 12. Personal information was exposed last year after a hacker breached the website's security and posted critical user data for sale on the dark web.

[...] According to the settlement proposal, users will be sent a link where they can delete all information related to 23andMe.

[...] In an emailed statement to The Epoch Times, 23andMe Communications Director Andy Kill said that out of the $30 million aggregate amount, "roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage."

Also at USA Today, Fox Business and The Verge.

23andMe Reportedly Faces Bankruptcy — What Will Happen to Everyone’s DNA Samples? 14 comments

Since it was founded nearly two decades ago, 23andMe has grown into one of the largest biotechnology companies in the world. Millions of people have used its simple genetic testing service, which involves ordering a saliva test, spitting into a tube, and sending it back to the company for a detailed DNA analysis.

But now the company is on the brink of bankruptcy. This has raised concerns about what will happen to the troves of genetic data it has in its possession.

The company's chief executive, Anne Wojcicki, has said she is committed to customer privacy and will "maintain our current privacy policy".

But what can customers of 23andMe themselves do to make sure their highly personal genetic data is protected? And should we be concerned about other companies that also collect our DNA?

[...] 23andMe has had a rapid downfall after the 2021 high of its public listing.

Its value has dropped more than 97%. In 2023, it suffered a major data breach affecting almost seven million users and settled a class action lawsuit for US$30 million.

Last month its seven independent directors resigned amid news the original founder is planning to take the company private once more. The company has never made a profit and is reportedly on the verge of bankruptcy.

What this might mean for its vast stores of genetic data is unclear.

This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 4, Insightful) by looorg on Saturday January 06 2024, @01:41PM (2 children)

    by looorg (578) on Saturday January 06 2024, @01:41PM (#1339329)

    Victim-blaming. The classy move. Technically I guess they see themselves as the victim here but to pass the responsibility buck on its own users. That is pretty low.

    users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.

    How would they know that? If they knew that in advance they should have warned about that and prevented their users from picking "bad" passwords. This is just an after-the-event excuse. It's not like password recycling or password patterns or just bad passwords straight from the dictionary are unknown or unheard of or have not been a thing for eons. If you rely on passwords to secure things they usually at least require some kind of pattern as a minimum -- length minimum, mixing and matching cases, some non-numerical and/or alphabetical characters etc.

    Right so the previous breaches were just "incidents". No need to worry then ...

    Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures

    What is reasonable security anyway?

    That said I guess the only reasonable thing left to do is to remove your account with 23andme after you have the result you wanted and have them destroy all data and test results related to it. Not keep it around on their servers forever cause clearly they don't know what the heck they are doing when it comes to securing said data. Clearly security isn't included in the $100+ fee for using the service.

    • (Score: 2) by Ox0000 on Saturday January 06 2024, @02:15PM

      by Ox0000 (5111) on Saturday January 06 2024, @02:15PM (#1339337)

      Now you're just victim-blaming 23andme who clearly is the real victim here...
      </sarcasm> for clarity

    • (Score: 0) by Anonymous Coward on Saturday January 06 2024, @10:02PM

      by Anonymous Coward on Saturday January 06 2024, @10:02PM (#1339380)

      but to pass the responsibility buck on its own usersmarks

      FTFY

  • (Score: 5, Insightful) by Rosco P. Coltrane on Saturday January 06 2024, @02:10PM (4 children)

    by Rosco P. Coltrane (4757) on Saturday January 06 2024, @02:10PM (#1339336)

    But also, in fairness, the users weren't very responsible either: if you have any sense of self-preservation, you don't send your DNA - your very own, most intimate genetic profile - to be sequenced by an American for-profit, that will readily share your data with law enforcement when they get a court order.

    So yeah, not blaming the victims, but they kind of had it coming. Don't send your DNA to 23andme, duh... Not playing is kind of the obvious move here.

    • (Score: 4, Insightful) by Ox0000 on Saturday January 06 2024, @03:16PM (3 children)

      by Ox0000 (5111) on Saturday January 06 2024, @03:16PM (#1339344)

      To heap onto that: when you use these types of 'services', it's not just _your_ DNA that you're handing over, you're also handing over information on your relatives as well.

      Your (not you, Rosco, the general 'you') actions have consequences for others!

      I agree that almost all of the blame is on 23andme here. But its marks need a good talking to as well because they clearly don't take privacy too seriously.

      • (Score: 2, Informative) by Runaway1956 on Sunday January 07 2024, @02:14AM (2 children)

        by Runaway1956 (2926) Subscriber Badge on Sunday January 07 2024, @02:14AM (#1339414) Journal

        I'm not sticking up for 23andme by any stretch of the imagination. But, I'm a little torn on the privacy issues of the DNA databases. I've lost track of the number of cold case murders, rapes, and serial murders that have been solved, thanks to the databases. Cases great and small, cases more than 50 years old, sometimes. Cases where DNA evidence was collected, and not even recognized at the time, because the tech wasn't even born yet. Some pretty horrible people have been brought to justice because of the DNA data being collected. And, the obverse of that coin is, innocent people have been set free, when DNA cleared them of the crimes they were convicted of.

        There are a lot of problems with this invasion of privacy, but, there are some points in favor of it, too.

        For those who are unaware, the cops look at a cold case, examine the DNA evidence, and find that the DNA belongs to some Irish guy who is probably related to a particular Irish old lady in Brooklyn. So, they examine her family tree, and find a niece, nephew, grandchild, who is even a closer match to the unknown perp. They've narrowed things down some, so they look real hard at that new relative's family tree. Can't be him/her, but he/she is such a close match . . . so, they do some interviews, maybe some surveillance, to locate missing relatives. AAH-HA! An undocumented half-brother shows up, they surreptitiously get a DNA sample, and it's a hit!

        Yeah, I've oversimplified, but it's happening. Youtube has a large library of such cases.

        --
        “I have become friends with many school shooters” - Tampon Tim Walz
        • (Score: 0) by Anonymous Coward on Monday January 08 2024, @08:56PM (1 child)

          by Anonymous Coward on Monday January 08 2024, @08:56PM (#1339610)

          This reads very much like "Won't somebody think of the children"

          • (Score: 1) by Runaway1956 on Monday January 08 2024, @09:25PM

            by Runaway1956 (2926) Subscriber Badge on Monday January 08 2024, @09:25PM (#1339611) Journal

            Perhaps, depending on your perspective.

            On the other hand, there have always been monsters that posed as human. With the DNA tech available today, we are catching some of those monsters. It shouldn't be necessary to point out that the monsters prey on adults as frequently as they prey on children. Dahmer was a good example of that - off the top of my head, I can't remember that he preyed on any children at all. He liked young adult males, it seems.

            --
            “I have become friends with many school shooters” - Tampon Tim Walz
  • (Score: 3, Insightful) by JoeMerchant on Saturday January 06 2024, @02:57PM (17 children)

    by JoeMerchant (3937) on Saturday January 06 2024, @02:57PM (#1339341)

    No matter how perfect your system security is, it can't prevent the end user from writing all the login instructions, including passwords and other "secrets" on a sticky note stuck on the face of the monitor. Or performing the login sequence with full narration for an audience, maybe posted as a video on YouTube.

    And, of course, the millions of end users could all handle their secrets perfectly (in bizarro world) and any other part of the system could expose them.

    As the U2 lyrics say: "a secret is something you tell ONE other person" as that number increases, the likelihood of breach increases exponentially.

    --
    🌻🌻 [google.com]
    • (Score: 4, Insightful) by Ox0000 on Saturday January 06 2024, @03:22PM (12 children)

      by Ox0000 (5111) on Saturday January 06 2024, @03:22PM (#1339345)

      If every site you use has a different & strong password, I'm actually not against you using sticky notes on the back of your display, that is: as long as the location that houses that display has good physical security. I'd rather have that than people using "p@ssword1!" for every account they have and not writing it down because "writing passwords down is insecure". In this case, writing down distinct passwords actually increases your security, as long as you give every site a distinct, strong password (enabled by having them written down and you not having to remember them).

      If that space with the display-with-stickies has reasonable physical security, which is key here, then the barrier to me getting your passwords is actually not unreasonably low... I'd have to burgle your home or something similar to get to your passwords, which is not something that commonly happens.

      • (Score: 2) by JoeMerchant on Saturday January 06 2024, @03:45PM (6 children)

        by JoeMerchant (3937) on Saturday January 06 2024, @03:45PM (#1339347)

        But, in your scheme, the entire face of a 30" monitor would be covered with sticky notes. And if you ever log in from another location, what then? Take a high resolution photo of the wall of stickies and post it to your Facebook wall, right? After all, you think you set that wall to private, right? Until you forget and make it public to share a picture of your fabulous lunch plate with the whole world....

        The real answer has been available since the 1980s but only in the last 5 years started rolling out for things like credit card security chips: you tell your secrets to ZERO other people, but prove your possession of them through RSA, ECC etc.: asymmetric keys. That's the magic sauce that makes BTC and friends possible. But it's "too hard" for people to implement in 99+% of real world security applications, so we get the deeply flawed security we deserve: symmetric keys, securely cryptographically hashed on the server side, if you're lucky.

        --
        🌻🌻 [google.com]
        • (Score: 2, Insightful) by khallow on Saturday January 06 2024, @05:28PM

          by khallow (3766) Subscriber Badge on Saturday January 06 2024, @05:28PM (#1339354) Journal
          Joe, just have your Facebook friends pinkie swear they won't monkey with your password wall. Geez, some people just don't get security!
        • (Score: 3, Insightful) by Ox0000 on Saturday January 06 2024, @08:04PM (3 children)

          by Ox0000 (5111) on Saturday January 06 2024, @08:04PM (#1339372)

          But, in your scheme, the entire face of a 30" monitor would be covered with sticky notes.

          yes, and? That would also mean that you're obscuring the site you're visiting, thus preventing shoulder surfers...

          And if you ever log in from another location, what then?

          Then your account is secure, even you can't get in.

          All joking aside, you're right though, but I'm talking about "normal human beings", not us technically proficient ones. We technically proficient users use hardware tokens, smart cards, and (proper, offline) password managers.

          What you're saying makes sense to me, to you, and probably to the majority of folks visiting SoylentNews. Partially because our tolerance for security-impositions tends to be higher than that of an average human.
          One of the main problems is that people have been conditioned to value convenience over security to the point where _any_ inconvenience is perceived as unacceptable. I'm not saying that security must be a huge imposition, but I do hold the opinion that people should be able to bear _some_ inconvenience and that that inconvenience is an extra layer in the Onion that is Security. Unfortunately, people have been conditioned by The System to not accept any inconvenience. So in a way, it's "our own" fault for having raised people this way.

          I have tried explaining how to practice safe hex with non-technical friends and acquaintances. As soon as I talk about "this will make X a tad bit harder" they respond with "do you have something _without_ that?" and doze off on the negatory reply. And that's before I even attempt to talk about hardware tokens, SSH or RSA keys and the like.

          Case in point: the rest of the world had been on board with chip+pin for years before we in the US caught up with that. The reason: chip+pin was too inconvenient for consumers, paying took too long and people forgot their pin. And that's also the real reason why contactless/NFC payments became a thing(*).

          (*) I understand that contactless/NFC is actually pretty secure to the best of my knowledge and that it should be preferred over regular swipes at all time... but I'm happy for someone to point out the errors of my ways...

          • (Score: 2) by Gaaark on Saturday January 06 2024, @09:25PM (1 child)

            by Gaaark (41) on Saturday January 06 2024, @09:25PM (#1339377) Journal

            One of the main problems is that people have been conditioned to value convenience over security to the point where _any_ inconvenience is perceived as unacceptable

            Also, the old "If you have nothing to hide, you have nothing to worry about", without thinking 'YES, YOU DO HAVE SOMETHING TO HIDE! YOUR PERSONAL INFORMATION!'.

            I keep wondering how many Jews back in 1930's Germany were saying the same thing when told they had to register with the local police: "Oh, if you have nothing to hide, you have nothing to worry about."
            The Jews who worried got out and survived (like Einstein)... the ones who thought there was nothing to worry about found there WAS something to worry about.

            Too many people walk blindly, led by the wrong shepherd.

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
            • (Score: 4, Interesting) by Ox0000 on Saturday January 06 2024, @10:06PM

              by Ox0000 (5111) on Saturday January 06 2024, @10:06PM (#1339381)

              Also, the old "If you have nothing to hide, you have nothing to worry about", without thinking 'YES, YOU DO HAVE SOMETHING TO HIDE! YOUR PERSONAL INFORMATION!'.

              I prefer an alternate response to the "if you have nothing to hide" fallacy: Your suggestion that I have nothing to hide, is an admission that you have no reason to look.

          • (Score: 0) by Anonymous Coward on Sunday January 07 2024, @02:20AM

            by Anonymous Coward on Sunday January 07 2024, @02:20AM (#1339416)

            I consider myself reasonably technically proficient. My security is a small notebook. Each site that needs a password gets its own page. The login, and password, and any recovery information is written on that page. There is room on the page to cross out and rewrite any information that changes. Passwords are up to 20 random characters depending on how much I care about the site.
            Access to that notebook is limited to me, and that security has not been broken in 25 years.

        • (Score: 3, Insightful) by Common Joe on Sunday January 07 2024, @01:09PM

          by Common Joe (33) on Sunday January 07 2024, @01:09PM (#1339449) Journal

          Here's an anecdote for you: Sometime in the past ten years, I went to help the CEO of the company I was working for and discovered his password fully open to the world on his cork board. I told him that was a bad idea. Fast forward a few months later, we had trouble with a user and when they were let go under questionable circumstances, I recommended to the CEO that he change his password, because if I had noticed that his password was still on his cork board hidden under other papers, then the other person might have noticed too. The CEO was pissed at me.

          I suppose his attitude and the attitude of the rest of management at the company came better into focus after that moment. When I recommended locking their computers when they were away from their desks and having passwords longer than 8 characters, they bitched at me because "it would be too much effort". I told them I had no sympathy because I typed in my password which was greater than 16 characters dozens of times a day. I didn't dare bring up two factor.

          Thankfully, I don't work at that nightmare anymore. I work at another place which... I won't comment about at this moment. I will say this: For every place I've ever worked for (under 50 users and over 25000 users, private business or government or educational), they have all been lacking simple security in one area or another at one time or another. It's pretty freakin' sad.

      • (Score: 3, Insightful) by Beryllium Sphere (r) on Saturday January 06 2024, @09:26PM (4 children)

        by Beryllium Sphere (r) (5062) on Saturday January 06 2024, @09:26PM (#1339378)

        My pockets are good enough security for the keys to the house where my family sleeps. I would be OK keeping my Amazon password there.

        • (Score: 2) by JoeMerchant on Saturday January 06 2024, @11:33PM (3 children)

          by JoeMerchant (3937) on Saturday January 06 2024, @11:33PM (#1339397)

          Amazon yes, your retirement accounts?

          --
          🌻🌻 [google.com]
          • (Score: 0) by Anonymous Coward on Saturday January 06 2024, @11:46PM

            by Anonymous Coward on Saturday January 06 2024, @11:46PM (#1339400)

            Retirement accounts? 'Ere in the US we ain't got no retirement accounts, boy! 'Ere we die like men: well before our time, and destitute! We don't do none o' that crazy commie "retirement" thing 'ere. 'Ere the companieses are the boss!

            Yeehaw!

          • (Score: 3, Touché) by Tork on Sunday January 07 2024, @12:58AM (1 child)

            by Tork (3914) Subscriber Badge on Sunday January 07 2024, @12:58AM (#1339409)
            My house is worth more than my retirement account.
            --
            🏳️‍🌈 Proud Ally 🏳️‍🌈
            • (Score: 2) by JoeMerchant on Sunday January 07 2024, @01:14AM

              by JoeMerchant (3937) on Sunday January 07 2024, @01:14AM (#1339411)

              And you haven't registered your home title with "Fly By Nite Home Titles - Quick Transfers Online" yet? They have a one-time promotional free signup period, normally a $2000 value! /s for: sadly, such a scheme would surely net suckers if promoted quickly and broadly enough to execute their exit strategy before the 5 years it would take the FTC to begin proceedings against them, longer if they have political connections.

              Still, living in your home with nothing but SSDI income would be a lot less enjoyable if you lost your retirement funds to password crackers. Sadder still: if your retirement fund is small enough, it's less likely anyone including yourself will find it worthwhile to fight to get even a portion of it back.

              --
              🌻🌻 [google.com]
    • (Score: 3, Interesting) by RamiK on Saturday January 06 2024, @03:55PM

      by RamiK (1813) on Saturday January 06 2024, @03:55PM (#1339348)

      No matter how perfect your system security is, it can't prevent the end user from writing all the login instructions, including passwords and other "secrets" on a sticky note stuck on the face of the monitor.

      https://www.youtube.com/watch?v=xP1KEIqF_BM [youtube.com]

      --
      compiling...
    • (Score: 1) by wArlOrd on Saturday January 06 2024, @11:06PM (1 child)

      by wArlOrd (2142) on Saturday January 06 2024, @11:06PM (#1339391)

      --
      As the U2 lyrics say: "a secret is something you tell ONE other person" as that number increases, the likelihood of breach increases exponentially.
      --
      As the U2 lyrics say: "a secret is something you tell ONE other person" as that number decreases, the likelihood of security increases.

      • (Score: 1) by Runaway1956 on Sunday January 07 2024, @02:51AM

        by Runaway1956 (2926) Subscriber Badge on Sunday January 07 2024, @02:51AM (#1339418) Journal

        A secret is something you share with no one. At all. Ever.

        --
        “I have become friends with many school shooters” - Tampon Tim Walz
    • (Score: 2) by aafcac on Sunday January 07 2024, @04:01AM

      by aafcac (17646) on Sunday January 07 2024, @04:01AM (#1339422)

      I'm wondering what portion of the users impacted by this weren't being irresponsible with their passwords. If it truly is a matter of people reusing passwords, I don't see how they'd be responsible for that. At some point, a company is no longer responsible and really can't be.

  • (Score: 2, Informative) by pTamok on Saturday January 06 2024, @04:05PM (12 children)

    by pTamok (3042) on Saturday January 06 2024, @04:05PM (#1339349)

    A lot of commentators are saying that 23andMe should have been using 2FA.

    No, no, and thrice no. Current implementations of 2FA are lousy, and make you dependent on third-party technology. This is not a good trade-off for the end-user.

    The initial crack used credential-stuffing: using usernames (which were email addresses) and passwords revealed from other services which were re-used by the end-user as the authentication mechanism for 23andMe.
    The data-sharing practices of 23andMe allowed scraping of data from other individuals related to the individuals whose accounts were breached.

    Details in this Wired article: https://www.wired.com/story/23andme-breach-sec-update/ [wired.com]

    In October and again this week, though, WIRED pressed 23andMe on its finding that the user account compromises were attributable solely to credential-stuffing attacks. The company has repeatedly declined to comment, but multiple users have noted that they are certain their 23andMe account usernames and passwords were unique and could not have been exposed somewhere else in another leak.

    In at least one example, though, 23andMe eventually provided an explanation to the user. On Tuesday, US National Security Agency cybersecurity director Rob Joyce noted on his personal X (formerly Twitter) account: “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” Joyce wrote that he creates a unique email address for each company he uses to make an account. “That account is used NOWHERE else and it was unsuccessfully stuffed,” he wrote, adding: “Personal opinion: @23andMe hack was STILL worse than they are owning with the new announcement.”
    Hours after Joyce publicly raised these concerns (and WIRED asked 23andMe about his case), Joyce said that the company had contacted him to determine what had happened with his account. Joyce did use a unique email address for his 23andMe account, but the company partnered with MyHeritage in 2014 and 2015 to enhance the DNA Relatives “Family Tree” functionality, which Joyce says he subsequently used. Then, separately, MyHeritage suffered a data breach in 2018 in which Joyce's unique 23andMe email address was apparently exposed. He adds that because of using strong, unique passwords on both his MyHeritage and 23andMe accounts, neither was ever successfully compromised by attackers.

    The conclusion to draw from this is that using an email address as the identifier for an individual is a terrible idea, because everyone does the same. It is not unique per service. Each service should generate a local, service-specific unique identifier to identify the person logging in. You can record the (current) email address associated with the person as an attribute, but using it as the primary key is just plain idiotic.
    Yes, you have to remember the identifier for each service, which is slightly inconvenient, but it's fine to write it down somewhere secure.

    Once you have done that, then attackers have to get the data that associates individuals to service-specific identifiers, and only then can they test to see if the individual has been unwise enough to re-use passwords, or use a sufficiently easily guessable password-generating scheme.

    The Wired article points out that this worked for the person that generates unique email addresses for each service they use, but because the unique identifier he used for 23andMe was shared with another organisation which suffered its own attack, the unique identifier was available to be probed - but didn't work because he used different passwords.

    So, don't use your email address as an identifier, because it is non-unique. Don't use the same password everywhere.

    And don't share unique identifiers with other organisations. I've caught two financial institutions doing just that with my data. I use unique email addresses for all my accounts.

    • (Score: 2) by JoeMerchant on Saturday January 06 2024, @07:43PM (10 children)

      by JoeMerchant (3937) on Saturday January 06 2024, @07:43PM (#1339370)

      >using an email address as the identifier for an individual is a terrible idea, because everyone does the same.

      What you're driving at is using a harder to guess identifier - which is security by obscurity - which _does_ work quite well in practice (or, should I rather say: works better in practice than bone-headed things like using e-mail addresses as identifiers), but... is still terribly deficient against targeted attacks.

      The whole situation is rather hopeless, because people don't like strong trackable identifiers - like a personal certificate (public key) publication system would enable. If you identify by a combination of your public certificate AND a unique key for each website you access, that would be secure (done properly.) The tools have been around for 3+ decades, but the user and developer bases have resisted ferociously through intense passive-aggressive ignoring of the actually secure tech all that time.

      The major CC processors in the US and most of the world have moved to asymmetric key technology in chip cards - you can still buy things using your oh-so-(NOT)secure sixteen digit account code plus name, postal code, expiration date, and three digit "secret" code (does anyone else detect patches on crutches on stop-gap measures in that list?), but for the really high exposure transactions like pay-at-the-pump fueling stations, they demand physical presentation of the card (and chip therein) to prove your identity to a much higher degree of confidence - mostly because of the extreme difficulty in cloning the embedded (asymmetric key) secret in the security chips.

      --
      🌻🌻 [google.com]
      • (Score: 2) by Ox0000 on Saturday January 06 2024, @08:10PM

        by Ox0000 (5111) on Saturday January 06 2024, @08:10PM (#1339374)

        The major CC processors in the US and most of the world have moved to asymmetric key technology in chip cards - you can still buy things using your oh-so-(NOT)secure sixteen digit account code plus name, postal code, expiration date, and three digit "secret" code (does anyone else detect patches on crutches on stop-gap measures in that list?), but for the really high exposure transactions like pay-at-the-pump fueling stations, they demand physical presentation of the card (and chip therein) to prove your identity to a much higher degree of confidence - mostly because of the extreme difficulty in cloning the embedded (asymmetric key) secret in the security chips.

        In the EU, you plunk your CC's chip in a reader connected to your computer and pay using the chip. Why can't we have nice things in the US(*)? Why are we a retarded(**) backwater when it comes to actually nice and proper things?

        (*) Don't answer that, I know the answer already...
        (**) To be understood as literally as possible: slow and behind others

      • (Score: 1) by pTamok on Saturday January 06 2024, @10:15PM (8 children)

        by pTamok (3042) on Saturday January 06 2024, @10:15PM (#1339382)

        - which _does_ work quite well in practice

        The 'real world' prefers things that work in practice, rather than things that work in theory but are used by few.

        I agree that security by obscurity is theoretically poor. But using a separate, different identifier for each site makes it more difficult to attack by credential stuffing (re-using the same identifier and password from another site).

        Browsers already remember passwords for each site you log in to. It would not be difficult to get them to remember the log-in username (identifier) for each site as well. So instead of using johndoe@hotmail.com with a password of PASSWORD1! for every site, you could have each site generate a unique user-id, which the browser remembers (or your password manager).

        So your userid for 23andMe could be: zestfully-retorted-ludicrous-gesture, with whatever password you choose, and an attribute of the account is one (or preferably several) emails accessible to the account owner.

        If you forget the user-id, you email 23andMe from the email account, which 23andMe replies to that account with the account user-id.

        Someone with a list of user-ids and passwords obtained nefariously from somewhere else knows that, because all user-ids are unique, none of the user-id and password combinations will work anywhere other than the site they were nefariously obtained from. That makes life difficult for credential-stuffing.

        So, I'll say again, email addresses should not be used as login identifiers. It makes credential-stuffing too easy.

        • (Score: 2) by Ox0000 on Saturday January 06 2024, @10:24PM (6 children)

          by Ox0000 (5111) on Saturday January 06 2024, @10:24PM (#1339384)

          Browsers already remember passwords for each site you log in to. It would not be difficult to get them to remember the log-in username (identifier) for each site as well. So instead of using johndoe@hotmail.com with a password of PASSWORD1! for every site, you could have each site generate a unique user-id, which the browser remembers (or your password manager).

          Browsers already remember your username. That's not the problem. The problem is that sites shouldn't assume that an e-mail address is a reasonable user id. Oh hey, look at this article from last Thursday [soylentnews.org]...(*)

          (*) My theory of why sites insist on using an e-mail address as UserID is because an e-mail address is something that tends to be scarce and thus people typically have one or only a few, and therefore they think it somehow guarantees uniqueness of 'person' behind the address. Secondly, it also gives them something towards which they can direct ~~spam~~ valuable material informing the customer of things they obviously want to know, and which they can sell.
          In other words: if we can make e-mail addresses plentiful in a user-friendly way, then we can reduce the value of an e-mail address to an ~~adversary~~ website to something that is close to zero.

          • (Score: 2) by JoeMerchant on Saturday January 06 2024, @10:41PM (5 children)

            by JoeMerchant (3937) on Saturday January 06 2024, @10:41PM (#1339389)

            I agree that real world users are less secure when forced to use an email address as a username, however... an email address is usually required for account authentication and password recovery anyway, and if the user metadata is all equally secure (/exposed) then email address will be along for the ride when user data is exposed.

            Storing passwords as salted hashes actually does more to prevent credential stuffing than freeing up usernames as a separate data field from the password recovery e-mail address. The same users who use identical passwords on every site are likely to also use the same username.

            --
            🌻🌻 [google.com]
            • (Score: 3, Insightful) by Ox0000 on Saturday January 06 2024, @10:54PM (4 children)

              by Ox0000 (5111) on Saturday January 06 2024, @10:54PM (#1339390)

              I agree that real world users are less secure when forced to use an email address as a username, however... an email address is usually required for account authentication and password recovery anyway, and if the user metadata is all equally secure (/exposed) then email address will be along for the ride when user data is exposed.

              I disagree with you. If I can select a distinct User ID per system (even if within that system, it is linked to my e-mail address) then you knowing that I am known under UserID "asdfaiyu" on system A doesn't tell you that I'm known as "ao8a7uercxlv" on system B, or even that I have an account there. Unless of course you have compromised system B as well, in which case you don't need my info anymore since you have it already.
              Before you come back with "Couldn't I just enter your e-mail address to get a password reset link, how would you handle that, wiseguy?": Systems that allow arbitrary User IDs typically have a(n at least) two-step process to do password recovery: 1) what is your user id (we need that to validate step 2) followed by 2) what is the e-mail address associated with that User ID and to which we would send the link if we see it matching.

              Storing passwords as salted hashes actually does more to prevent credential stuffing than freeing up usernames as a separate data field than the password recovery e-mail address. The same users who use identical passwords on every site are likely to also use the same username.

              Salted Hashes do not work the way you think they do... Storing salted hashes just does that: it stores the value you'll compare against as a salted hash... which incidentally gets created by the target system when it is subjected to a credential stuffing attack. It doesn't magically protect that value against credential stuffing.

              Storing passwords as salted hashes does absolutely nothing against credential stuffing, it only helps with exposure containment on compromise of your own system. What it does help with is surface reduction of what the attacker actually got when you get compromised: they got those salted hashes instead of plaintext passwords, the latter of which they could then go and stuff somewhere else. At least with salted hashes, you're making it too hard for them to even try to figure out which password matches which salted hash.

              So, even if I store your password "P@ssword1!" as a salted hash in my system and never as plaintext, if some other system does NOT do that, and gets then compromised, the attacker from that second system can use the password they recover from that other system and get into mine under your identity in a credential stuffing attack.

              All this being said: reusing passwords across systems is a very unwise thing to do, obviously...
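Worked illustration of the account model argued for in pTamok's two comments above (a service-local identifier as the primary key, e-mail addresses as an attribute, user-id reminders and password resets delivered only to the mailbox) and of Ox0000's two points (the two-step reset, and salted hashing doing nothing against credential stuffing). This is an added example, not code from 23andMe or from any commenter; the word list, the `Service` identifier policies, the simulated mailbox and the "leaked" credential list are all constructed for the demonstration.

```python
"""Per-service identifiers vs e-mail-as-identifier, and why salted hashing
alone does not stop credential stuffing.  Added illustration; everything
below (word list, policies, leak) is constructed for the demo."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed word list for memorable, service-local identifiers.
WORDS = ["zestfully", "retorted", "ludicrous", "gesture", "copper", "orbit",
         "velvet", "anchor", "maple", "signal", "harbor", "quiet"]


def generate_user_id() -> str:
    """Service-local identifier: four random words joined by hyphens."""
    return "-".join(secrets.choice(WORDS) for _ in range(4))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: stored at registration, recomputed at login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    emails: set[str] = field(default_factory=set)  # attribute, never the key
    reset_token: str | None = None


class Service:
    """identifier_policy 'email' keys accounts by e-mail address (the common
    practice); 'local' keys them by a generated service-specific identifier."""

    def __init__(self, identifier_policy: str):
        self.policy = identifier_policy
        self.accounts: dict[str, Account] = {}
        self.outbox: dict[str, list[str]] = {}  # simulated mail delivery

    def _send(self, email: str, message: str) -> None:
        self.outbox.setdefault(email, []).append(message)

    def register(self, password: str, *emails: str) -> str:
        if self.policy == "email":
            user_id = emails[0]
        else:
            user_id = generate_user_id()
            while user_id in self.accounts:  # collision guard
                user_id = generate_user_id()
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt,
                                         hash_password(password, salt), set(emails))
        return user_id

    def login(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None:
            return False
        return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

    # Recovery returns nothing to the caller; it only writes to the mailbox,
    # so knowing an e-mail address on its own gets an attacker nowhere.
    def remind_user_id(self, email: str) -> None:
        for acct in self.accounts.values():
            if email in acct.emails:
                self._send(email, f"your user id is {acct.user_id}")

    def request_reset(self, user_id: str, email: str) -> None:
        """Two-step reset: identifier first, then it must match a registered address."""
        acct = self.accounts.get(user_id)
        if acct is not None and email in acct.emails:
            acct.reset_token = secrets.token_urlsafe(16)
            self._send(email, f"reset token {acct.reset_token}")


def credential_stuff(target: Service, leaked: list[tuple[str, str]]) -> int:
    """Replay (identifier, password) pairs leaked from another site; count hits."""
    return sum(target.login(ident, pw) for ident, pw in leaked)


def demo() -> tuple[int, int]:
    """Same user, same reused password, on two sites with different policies."""
    email, reused_pw = "johndoe@example.com", "P@ssword1!"
    site_a, site_b = Service("email"), Service("local")
    site_a.register(reused_pw, email)
    local_id = site_b.register(reused_pw, email)
    # Constructed leak from a third site where the user also logged in with
    # the e-mail address and the same password.
    leaked = [(email, reused_pw), ("someone@example.net", "hunter2")]
    hits_a = credential_stuff(site_a, leaked)  # 1: the salted hash did not help
    hits_b = credential_stuff(site_b, leaked)  # 0: the identifier is not in the leak
    # ...unless the e-mail -> local-id mapping also leaked (the MyHeritage case).
    assert site_b.login(local_id, reused_pw)
    return hits_a, hits_b
```

`demo()` returns `(1, 0)`: the site keyed by e-mail is breached by the replayed pair even though it stores only a salted hash, because the hash is simply recomputed from the stuffed password; the site keyed by a local identifier is not, because the attacker has no identifier to try. The last line of `demo()` is the caveat from the Wired account quoted above: once the identifier itself leaks from a partner, only the unique password stands in the way.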

              • (Score: 3, Insightful) by JoeMerchant on Saturday January 06 2024, @11:29PM (3 children)

                by JoeMerchant (3937) on Saturday January 06 2024, @11:29PM (#1339396)

                >what is your user id (we need that to validate step 2) followed by 2) what is the e-mail address associated with that User ID

                I have seen any number of systems that ask both "forgot password?" and "forgot user ID?" Both of which tend to validate user identity using only their email account. We can assume that any system poor enough to store passwords in the clear or otherwise insecurely will also store other user data in the same database, or another equally easily exfiltrated.

                >if some other system does NOT do that, and gets then compromised, the attacker from that second system can use the password they recover from that other system and get into mine under your identity in a credential stuffing attack.

                https://xkcd.com/792/ [xkcd.com]

                --
                🌻🌻 [google.com]
                • (Score: 3, Insightful) by Ox0000 on Saturday January 06 2024, @11:42PM (2 children)

                  by Ox0000 (5111) on Saturday January 06 2024, @11:42PM (#1339399)

                  I have seen any number of systems that ask both "forgot password?" and "forgot user ID?" Both of which tend to validate user identity using only their email account.

                  And you'd still need access to the content of the e-mail account and/or user ID to log in. Just knowing the e-mail address is still not enough to get in. Those mechanisms are typically not used to authenticate a user, but to provide the user with either a reminder of what their UserID was or with a way to reset the password (in other words: you'd have to be in the e-mail address that you don't know yet anyway). And that is typically done via an e-mail to that e-mail account to which you don't have the password either.

                  You're trying to use examples of bad behavior/implementation to try to discredit the entire approach, which I feel is not entirely intellectually honest.

                  But boy, did that XKCD have it wrong on google being bad at being evil. It's right there in their motto "Don't, be evil" (note the comma after "Don't"!)

                  • (Score: 2) by JoeMerchant on Sunday January 07 2024, @12:04AM

                    by JoeMerchant (3937) on Sunday January 07 2024, @12:04AM (#1339403)

                    For xkcd, 792 is a fairly low number.

                    As for randomizable user names, I contend that anyone who would use them to secure effect is most likely already varying their passwords from site to site as well.

                    I continue to contend that usernames aren't an inherent security element, that's what passwords are for. On the other hand, for users who would attempt to obfuscate their identity across sites with varied usernames, yes that does make attackers' challenges a little more difficult.

                    I have a relative with a common name, similar to "John Smith" - that's almost as good as being anonymous, there are literally dozens of men with his name and approximate age in his zip code, many more in his city, county and state. Being "JohnSmith38517" where the number is randomly chosen for each website should confer similar protection.

                    --
                    🌻🌻 [google.com]
                  • (Score: 2) by JoeMerchant on Sunday January 07 2024, @12:33AM

                    by JoeMerchant (3937) on Sunday January 07 2024, @12:33AM (#1339406)

                    Fun fact:

                    Joe Merchant was chosen as a "plausible deniability" username, because it is widely used by many people across the internet being the title character of a Jimmy Buffett novel.

                    --
                    🌻🌻 [google.com]
        • (Score: 2) by JoeMerchant on Saturday January 06 2024, @10:32PM

          by JoeMerchant (3937) on Saturday January 06 2024, @10:32PM (#1339386)

          >Browsers already remember passwords for each site you log in to. It would not be difficult to get them to remember the log-in username (identifier) for each site as well.

          Chrome, and LastPass (ignoring all of its other problems) already do remember both username and password for all sites. However, unless I am trying to obfuscate my identity (for reasons other than security) I generally do use the same username for most sites. I figure that if they have access to my unique per site password, the username probably came with it.

          >Someone with a list of user-ids and passwords obtained nefariously

          Has a pretty good chance of obtaining all the associated metadata as well, including IP addresses you access the site from. No, they aren't supposed to collect such metadata, can you prove that anyone doesn't?

          >email addresses should not be used as login identifiers. It makes credential-stuffing too easy.

          Agreed, for the real world. However, simply using unique (preferably long and random) passwords on every site provides better protection for users who choose to do it.

          --
          🌻🌻 [google.com]
    • (Score: 2) by darkfeline on Saturday January 06 2024, @11:49PM

      by darkfeline (1030) on Saturday January 06 2024, @11:49PM (#1339401) Homepage

      > Current implementations of 2FA are lousy, and make you dependent on third-party technology.

      No? The only widespread 2FA at the moment is FIDO/U2F which is an open standard.

      In fact, I don't think there is ANY 2FA (meaning something you own physically or something you are, in addition to something you know) that relies on third-party technology. Even TOTP (which is touted as 2FA even though it is not, as it relies on a seed that you know, like a password) is an open standard with no 3P dependencies.

      --
      Join the SDF Public Access UNIX System today!
  • (Score: 3, Insightful) by DadaDoofy on Saturday January 06 2024, @04:40PM

    by DadaDoofy (23827) on Saturday January 06 2024, @04:40PM (#1339351)

    "millions of consumers whose data was compromised through no fault of their own whatsoever"

    If you are foolish enough to voluntarily hand over your DNA to a third party and it gets compromised, I'm afraid that's on you. If you don't give them anything, nothing can be breached.

    It might surprise you to know that these companies routinely share customers' DNA profiles with law enforcement. If your DNA shows up on a murder victim, you have to defend yourself against a murder charge, which is enough to bankrupt most people.

    But wait you say, "I don't have to worry. I haven't murdered anyone!" Think again...

    https://www.criminallegalnews.org/news/2018/aug/15/secondary-dna-transfer-rarely-discussed-phenomenon-can-place-innocent-and-dead-crime-scene-theyve-never-been/ [criminallegalnews.org]

    https://www.columbusdefenselawyer.attorney/dna-the-power-to-convict-murder-charges-with-just-a-trace/ [www.columbusdefenselawyer.attorney]

  • (Score: 2) by bzipitidoo on Saturday January 06 2024, @07:26PM (8 children)

    by bzipitidoo (4388) on Saturday January 06 2024, @07:26PM (#1339369) Journal

    I ran into a minor problem with Steam. Tried to create an account, and was given a long series of captchas to solve to prove that I wasn't a robot. (It was that grid of images in which you have to choose the ones with buses, bicycles, motorcycles, crosswalks, or traffic lights.) It went on and on, and finally, when done, it told me "Your response to the CAPTCHA appears to be invalid. Please re-verify that you're not a robot below". It gets difficult when you have to make judgment calls. Is the pole that a traffic light is on part of the traffic light, or not? My initial thought was that I'd missed something of that sort.

    But reading about this online, I learned that as long as an account is logged in at the same IP address, it's not possible to create another account! This whole captcha thing was a big fat lie, just stringing the user along, ending the fake exercise by telling the user they failed. Log out, then create an account, and it will succeed. I can imagine that if Steam is ever called on this, they will have an excuse. Say it was just a mistake, or that it is necessary. I don't believe it is an accident that it works like that. In which case, they have resorted to security by obscurity. Steam is not the only one. Roblox does it too. Gives you this captcha in which you have to examine a picture of dice to see which one adds up to a requested total. Asks you to do that 5 times, then a few more times, then even more times, until you've done 20 of those, and then, it always says you got some wrong whether you did or not. Now 23andMe is pulling a similar stunt. In the past, M$ has done similar things. Remember Windows Vista when they redefined "security" as securing themselves against their own users? Implying that piracy is bad and everyone could be a pirate? They still think that, but they've learned they have to be more circumspect.

    • (Score: 2) by JoeMerchant on Saturday January 06 2024, @07:51PM (6 children)

      by JoeMerchant (3937) on Saturday January 06 2024, @07:51PM (#1339371)

      Regardless of your views of piracy, everyone indeed could be a pirate - particularly when they present as a https session.

      That's the first tenet of building a secure system: verify before trusting.

      Now: when running a business, whatever maximizes users' collective total willingness to proffer payment is the ultimate target, and if that means stroking the users' egos by making them feel trusted, you can likely make more money by doing that and ignoring the piracy that comes with it for a long, long time - like Netflix did for the 90s, 00s, and 10s... and Microsoft did in the 80s and 90s. Once you reach global market saturation by the "we don't care about piracy" model, you eventually have to pivot to enforcing some anti-piracy policies you had on the books all along if you're going to continue to grow revenue at double digit annual rates like public stock exchange traders demand.

      --
      🌻🌻 [google.com]
      • (Score: 2) by bzipitidoo on Saturday January 06 2024, @10:36PM (5 children)

        by bzipitidoo (4388) on Saturday January 06 2024, @10:36PM (#1339387) Journal

        Copying is a natural right that should be returned to the people, all criminalization of it removed, and businesses should shift to other business models that do not rely on artificial scarcity. There's no limit to how costly it can get to society to enforce that unnatural scarcity.

        Giving people runarounds with captcha systems that are unsatisfiable definitely doesn't stroke the ego. Rather the opposite. Infuriating to learn I've been played for a sucker. I was not expecting such trickery from large, established, and supposedly reputable businesses. What they're doing is a kind of Trojan. Maybe that was naive of me, considering how very many instances there are of large businesses not behaving with integrity and honor.

        There've been many cases of businesses resorting to unethical measures to satisfy unreasonable growth demands. For instance, Bernie Madoff's pyramid scheme. What do they teach in Economics classes these days? One of the biggest scams of finance is the whole idea of interest. The only way that can possibly work over the long term is if money is devalued at an average rate at least equal to average interest rates. Sure would be nice and convenient if inflation could be kept at 0%, just so the prices to which we become accustomed in our youth stay the same throughout our lives. 0% inflation maybe could be done, but no doubt doing it would make far worse problems than not doing it makes with the price dislocation seniors experience.

        • (Score: 2) by JoeMerchant on Saturday January 06 2024, @11:12PM (4 children)

          by JoeMerchant (3937) on Saturday January 06 2024, @11:12PM (#1339393)

          >businesses should shift to other business models that do not rely on artificial scarcity

          That's an idealistic polar position that ignores the reasoning behind copyright and patent systems. They aren't entirely evil, and they do provide benefits to society in the form of protection to businesses which would not invest in development if that protection were absent.

          I have written earlier about ideas for a better funded and time limited copyright system. Something like: the first 10, maybe 15 years of copyright cost nothing but digital registration of the work with the copyright office. After that, fees increase exponentially... Say $10 for years 11-20. At year 20 we get serious: $10 per year per protected work, increasing to $100 per year at year 25, $1000 per year at year 30, $100000 per year at year 40, $10M / year at 50, etc. Whenever the copyright holder feels the expense is too high for the protection, they stop paying and the work goes public domain when their payments are insufficient for the time elapsed. This isn't so different from what Disney did for Mickey et al, except that it gets more expensive more quickly and charges per work instead of blanket protection for the industry.

          >One of the biggest scams of finance is the whole idea of interest. The only way that can possibly work over the long term is if money is devalued at an average rate at least equal to average interest rates.

          Not exactly. Long term inflation 1970-2020 ran very close to 2% per year over the entire 50 years. Time value of money underpins much of our financial structures for the past 300+ years. It is one of the many ways that it "takes money to make money" protecting the oligarchy from the chaotic rabble they "trickle down upon". Erasing the carrot of passive income through investment would probably destabilize the semblance of world peace we have enjoyed for the past 70ish years.

          --
          🌻🌻 [google.com]
          • (Score: 2) by bzipitidoo on Sunday January 07 2024, @01:46AM (3 children)

            by bzipitidoo (4388) on Sunday January 07 2024, @01:46AM (#1339412) Journal

            The reasoning is simple enough: copyright, and patent law, are the means of encouraging more art and science. Also, they are the means of trying to assign a value to a work. Many incorrectly believe they are necessary to prevent plagiarism. Most people, evidently you among them, would like to reform copyright. That would be good, but I think that won't go far enough. I take the much more radical position that the best thing would be to abolish copyright and patents entirely, and replace their functions with models that do a better job of valuation and encouragement.

            What might be better? Patronage and crowdfunding. Also, where it is possible to measure usage honestly, some kind of levy could be used. For instance, Canada has a tax upon blank media. That Big Media has not honored their end of that agreement by continuing to sue over copyright violations is a problem that could be solved by abolishing copyright, thus removing all basis for their pretensions of ownership. That would also forever end copyright trolling. The case in which I was denied a custom printed birthday cake over worries that the image I provided violated copyright, is just absurd. Why wasn't there a mechanism by which I could be asked to pay a little extra, instead of being flatly refused? Don't even ask, just charge everyone a small levy! There's also the advertising model used by radio and broadcast TV. We have oodles of games built around microtransactions.

            • (Score: 2) by JoeMerchant on Sunday January 07 2024, @02:37AM (2 children)

              by JoeMerchant (3937) on Sunday January 07 2024, @02:37AM (#1339417)

              >Also, they are the means of trying to assign a value to a work.

              Hardly. The number of copyrighted works that have yielded little or no value to their rights holders far exceeds those that have provided meaningful value.

              Copyright is the protection from theft of "intellectual property" (I know, a distasteful term, but...) such that the rights holders are guaranteed a period of protection from exploitation of the work by copyists. This was almost as much an issue in the time of Benjamin Franklin and printing presses as it is today with digital copying and distribution.

              Intellectual property is an entirely created construct with no natural basis, and yet: it provides incentive for artists, authors, inventors and other creatives to produce their work without fearing that others will simply copy it when they are done and reap the bulk of the profits from their labors. Copyright / patent assigns no particular value to a work, only the rights of copying / practicing the work and presumably thereby profiting from it.

              If, instead of an arbitrary 17, or 25, or 95 years of protection, protection is assigned upon initial disclosure and then maintained by the rights holders by means of payment of an escalating tax, then that tax can go towards the enforcement protection of rights holders' interests, and any surplus left over could be used to fund additional creative work in various ways.

              >Many incorrectly believe they are necessary to prevent plagiarism.

              Nothing prevents plagiarism, except direct penalties for getting caught - usually in academic context. The whole concept of plagiarism is becoming antiquated in a planet filled with 8 billion mostly educated people with instant global communication. http://www.spiderrobinson.com/melancholyelephants.html [spiderrobinson.com]

              >What might be better? Patronage and crowdfunding.

              My life experience tells me that patronage most often dances at and over the line of controlling abuse of the artist(s), and human nature "crowdfunds" at a rate something less than 1% of what they provide in funds for direct purchase of existing goods / services. I sold a piece of software on "PalmGear HQ" in the 1990s... it was "shareware" with a suggested donation of $9. I don't think I ever received a single voluntary donation in the 3-4 years it was listed. One month, PalmGear gave me a free spot on their promotional page, I didn't change anything about my software or descriptions thereof, but the PalmGear intro piece they wrote implied that pre-payment was required to use the software. In that month I sold a couple dozen copies. Their traffic stats suggested that I only had about 10x as much traffic viewing my software to consider it for purchase during that month as compared with my normal placement, but... my "conversion rate" to paying customers was infinitely higher when the customers were misled to believe they had to pay to use the software. Perhaps ironically, the software that was selling thousands of copies a month instead of dozens was virtually all rip-off clones of popular old arcade games, mostly at price points around $15-20 IIRC.

              >Canada has a tax upon blank media.

              The US had (has?) this as well on cassette tapes. Whatever tax may have been levied on blank DVDs must have been irrelevant, considering you can store several thousand LP albums of music on a single $0.25 blank DVD.

              >The case in which I was denied a custom printed birthday cake over worries that the image I provided violated copyright, is just absurd.

              Agreed, and that's mostly a case of ignorance of correct interpretation of fair use, something that could be easily remedied on a government website if they would take the time to produce easy to understand presentations of the subject.

              >There's also the advertising model used by radio and broadcast TV.

              I almost threw up upon reading that ^^^ the U.S. commercial radio market is absurdly dysfunctional, and has been for decades - unless you're an ambulance chasing lawyer or similar advertiser.

              >We have oodles of games built around microtransactions.

              More distasteful than the current copyright system, IMO.

              If you would indulge my concept of the "copyright maintenance fee" for a moment... the same system used to register copyright could also be used to render payment for use to the rights holders (expenses of running the system, securely, to be borne by the fee paying rights holders, or a percentage of payments processed, most likely both). A rights holder could, for instance, demand $0.001 or 20% of advertising income, whichever is less per play of their music as background on a web video production - YouTube already has the mechanisms in place to detect this type of usage and transact micro-payments. Instead of putting videos with copyrighted music in them into "no advertising payment" mode, the system could ask the video creator if they consent to the rights holders' terms, if so: everyone continues to function happily, if not: the video producer is free to find background music with better terms, or create their own.

              Book authors could "demand" $0.25 per download of their works, and digital e-reader companies could provide audit evidence that they are remitting proper payment for their uses of the authors' works. Etc. etc. The government copyright office itself could become a central payment clearinghouse, providing a legally acceptable conduit for rights holders to get paid, and the rights holders themselves need not negotiate directly with all users of their works, they merely need to set their terms on the copyright system and publishers can "take it or leave it" as they choose. The long tail would certainly regrow.

              --
              🌻🌻 [google.com]
              • (Score: 2) by bzipitidoo on Sunday January 07 2024, @04:39AM (1 child)

                by bzipitidoo (4388) on Sunday January 07 2024, @04:39AM (#1339427) Journal

                One thing I have in mind is that a Great Library, such as the Library of Congress or the Internet Archive, keep copies of everything (within the limits of practicality), monitor usage, and pay authors accordingly, possibly with money from general government revenues, or possibly with money from funds specially for this purpose. This could be done without need of any copyright.

                To be sure, there would be problems. A huge problem would be detecting and preventing fraudulently inflated usages. (Would be a heck of a use case for DDOS capability. Make the botnet download millions of copies of some work.) We have had cases of the bestseller lists for paperback novels and the Hugo Awards being manipulated in this fashion.

                But the real shame of our current system with respect to our public libraries is that it hogties and hamstrings them. Could be offering digitized editions of over 100x more than everything they have in print, ditch 90% or more of their print archives, if not for copyright law. Such a repository would be 1000x more searchable. But no, we're standing around watching while Google hoovers up all that data, makes their own deals with publishers, and makes a killing off making it searchable.

                > Copyright is the protection from theft of "intellectual property" (I know, a distasteful term, but...)

                The most distasteful part is that word "theft". The propaganda to equate copying with theft has enjoyed entirely too much success.

                I do not like microtransaction games either. But it is another method, definitely worth trying. Yes, one problem is that the operators of such systems are too greedy. Too many horror stories of a kid getting hold of a parent's smartphone or tablet, and buying thousands of dollars worth of in-game purchases in the space of a few hours.

                I think the current problems with radio broadcasting, that is, the "payola", monopolization, and outright flamebaiting of the conservatives especially, are not an indictment of the advertising business model itself.

                A copyright maintenance fee would improve things. But there are other problems with copyright that it doesn't address. I argue that the damage copyright does is much more than is readily apparent. It suckers us all into assigning value wrongly. So many stories revolve around "precious knowledge", making much melodrama over the possibility it could be lost. Yes, in past centuries, knowledge was easy to lose. But now, it need not be. I'll post in my blog my essay about this.

                • (Score: 2) by JoeMerchant on Sunday January 07 2024, @06:13AM

                  by JoeMerchant (3937) on Sunday January 07 2024, @06:13AM (#1339436)

                  >keep copies of everything (within the limits of practicality), monitor usage, pay authors accordingly, possibly with money from general government revenues, or possibly with money from funds specially for this purpose. This could be done without need of any copyright.

                  How are you going to monitor usage? Say I borrow a DVD from the library, rip a copy to a local hard drive, then watch it 100 times - all you know is that the disc was borrowed from the library, perhaps for less than 6 hours.

                  Copyright is the law that says: thou shalt not use copyrighted material inappropriately. In another use case, say I own a restaurant, or chain of restaurants, and I pipe music in according to my ideas of what will keep my customers spending more money. Some of this music happens to be in your "copies of everything" library. I suppose if I stream it directly from you, then you can monitor usage and make me pay the artists their due. But, if I take a local copy (something that is technologically impossible to stop), then you no longer have direct monitoring access. I suppose you make playing of these local copies in my public venues, for profit no less, illegal - how is that materially any different from copyright?

                  >A huge problem would be detecting and preventing fraudulently inflated usages.

                  Yeah, this is why the users pay, not society at large.

                  >Could be offering digitized editions of over 100x more than everything they have in print, ditch 90% or more of their print archives, if not for copyright law.

                  This isn't my experience with a fair slice of content. Our local library has a "hoopla" component where you can digitally "check out" and stream a great deal of content, particularly music, but also a middling selection of videos (it's better than trying to watch cable TV), and books. Now, I did request one particular book a few years back and it took about 8 weeks to show up at the library, when I got it it was hot off the press, freshly printed. I suppose that's a case of rights for that particular book requiring that it be delivered in physical form, and the library just printing it on demand for me (for free) - I suspect they have some sort of budget for that, and now that I have requested the book, it's physically "in the system" for anyone else who might request it in the future.

                  >The propaganda to equate copying with theft has enjoyed entirely too much success.

                  The only reason I agree with this statement is because of the egregious copyright lifetime extensions Disney won over the decades. It is an utter perversion of the original intent of the Copyright law framers and the opposite of what should have been happening in our world of ever faster-paced activities - copyright terms should have been shortening, not lengthening. As I proposed: 10 years for free (instead of the original 20), and then you start paying, and at 20 years you start paying "real money," and by 50 years you could probably count on one hand the number of works worth paying the protection fee anymore, globally.

                  >It suckers us all into assigning value wrongly.

                  As a hobby, try authoring a book, even a reasonably worthwhile pamphlet, and see how you feel when the market value for your work drops to zero because somebody posted your work in its entirety on a website where they make advertising revenue and you get nothing. Now try making a living doing that kind of authorship. Don't bitch about the quality of written material "out there," much less the quality of music and movie production, when copyright is no more and the content producers take up farming or basket weaving as more lucrative and fulfilling careers.

                  >Yes, in past centuries, knowledge was easy to lose. But now, it need not be.

                  I feel that knowledge seems easier to lose by the decade lately, particularly since the advent of the world wide web... it's all "out there" but it's also buried in lies, misdirection, misinformation, manipulation, and horrific piles of garbage. It took me over 3 hours of searching before I finally found some decent 1:50,000 topographical maps of Costa Rica. Crappy whole-country, tourist-focused junk kept coming up, Amazon doesn't carry "the good stuff" so the crap they do sell seems to dominate the top 200 search results. Ultimately, there are a couple of good online sources, such as: https://www.chartsandmaps.com/index.php?main_page=product_info&cPath=3_16&products_id=2794 [chartsandmaps.com] but they had to be found "sideways" reading web blogs of hikers and similar things.

                  --
                  🌻🌻 [google.com]
    • (Score: 2) by Ox0000 on Saturday January 06 2024, @08:06PM

      by Ox0000 (5111) on Saturday January 06 2024, @08:06PM (#1339373)

      I ran into a minor problem with Steam. Tried to create an account, and was given a long series of captchas to solve to prove that I wasn't a robot. (It was that grid of images in which you have to choose the ones with buses, bicycles, motorcycles, crosswalks, or traffic lights.) It went on and on, and finally, when done, it told me "Your response to the CAPTCHA appears to be invalid. Please re-verify that you're not a robot below". It gets difficult when you have to make judgment calls. Is the pole that a traffic light is on part of the traffic light, or not? My initial thought was that I'd missed something of that sort.

      From an AC a good while back:

      > No, tired of all CAPTCHAs, even the not boring ones. People get tracked around the web in the most detail possible, but they can't figure out who is a bot and who isn't? - AC

  • (Score: 2) by VLM on Saturday January 06 2024, @09:03PM

    by VLM (445) on Saturday January 06 2024, @09:03PM (#1339376)

    What is 23andme?

    I know the trivial answer.

    But on deeper analysis, does it match better with github, myspace, ancestry.com, or does it match better with my local hospital med labs site or my bank?

    Now before you knee-jerk that it's medical data, remember their whole business model is to keep you coming back with social features like the "link to family members" stuff.

    I'd argue it's kind of like a breathless security disclosure that foursquare is publishing your location. Or those banner ads from years past breathlessly warning that "Your computer is broadcasting an IP address, click here to spend money to fix that".

  • (Score: 2) by crafoo on Saturday January 06 2024, @10:01PM (2 children)

    by crafoo (6639) on Saturday January 06 2024, @10:01PM (#1339379)

    Whatever you do, don't look into who owns and controls 23andme, and who they have connections with.

    • (Score: 2) by Ox0000 on Saturday January 06 2024, @10:16PM (1 child)

      by Ox0000 (5111) on Saturday January 06 2024, @10:16PM (#1339383)

      Richard Branson? Can you elaborate a bit more instead of begging the question?

      From the wiki page [wikipedia.org]:

      In February 2021, the company announced that it had entered into a definitive agreement to merge with Sir Richard Branson's special-purpose acquisition company, VG Acquisition Corp, in a $3.5 billion transaction.

      In June 2021, the company completed the merger with VG Acquisition Corp. The combined company was renamed to 23andMe Holding Co. and began trading on the Nasdaq stock exchange on June 17, 2021 under the ticker symbol “ME”.

      Granted, early investors were GSK (and who knows what survived of the agreement they had with GSK to allow them to use test results to develop new drugs), Google, and some other folks I'd rather not hang around with, but what evidence is there that there is still some darkened, smoke-filled room where secret strings are being pulled?
      23andme already does stupid enough shit by themselves. Implying things that aren't there only gives apologists ammunition to use in deflecting from that stupid shit; don't try to give them that ammunition by implying scenarios that are dreamt up.

      • (Score: 2) by JoeMerchant on Saturday January 06 2024, @11:21PM

        by JoeMerchant (3937) on Saturday January 06 2024, @11:21PM (#1339395)

        From what I gather about Branson from the popular press, and an ex-Miss (US state) beauty queen friend who drinks at the same bar as him in the Virgin Islands, he's a "right tosser" in the Harry Potter vernacular.

        Dyslexic, master delegator, and supremely lucky - starting of course with being born to money, but more than that being in the right places (record stores, airlines) at the right times to make ludicrous profits. Like David Geffen, only starting richer and more diversified. He's not sharp enough to even attempt the "boy genius" thing Musk played, plus: that wasn't so in fashion while Branson's star was rising. Still Richard and Elon are playing vaguely similar portfolios, with Richard's staying a little more traditional business than Musk's bleeding edge brand.

        --
        🌻🌻 [google.com]
  • (Score: 3, Insightful) by darkfeline on Saturday January 06 2024, @11:55PM (1 child)

    by darkfeline (1030) on Saturday January 06 2024, @11:55PM (#1339402) Homepage

    Does anyone know how 23andMe is at fault? AFAIK, the "breach" was due to attackers using emails and passwords obtained from other breaches to access those accounts on 23andMe "legitimately" and then downloading the information visible to those accounts legitimately. At no point was there any vulnerability or bug in 23andMe.

    Users reusing their passwords should not be 23andMe's responsibility. Or are all websites legally obligated to buy all user passwords on the black market to check if any of their users have been compromised and ask them to change their passwords?

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 4, Informative) by Tork on Sunday January 07 2024, @01:07AM

      by Tork (3914) Subscriber Badge on Sunday January 07 2024, @01:07AM (#1339410)
      The steps they took to safeguard the data were disproportionate to the value of the data. Example: using an email address instead of a username to log in. If that's not enough then I'll ask that you take into consideration that they made changes to their TOS to safeguard against legal consequences after fallout from *this* incident. https://gizmodo.com/23andme-terms-of-service-hacked-users-1851077109 [gizmodo.com]
      --
      🏳️‍🌈 Proud Ally 🏳️‍🌈
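The credential-stuffing pattern darkfeline describes (credentials from other breaches tried against many accounts) and Tork's point about the e-mail address doubling as the login identifier are both visible in a site's own login telemetry. This is an added example, not code from the thread or from 23andMe: a small Python detector over constructed login events (hypothetical log format) that flags a source IP trying many distinct identifiers in a short window and lists the accounts successfully entered from it, which are the candidates for forced reset and session revocation.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication events (hypothetical format, not real logs):
# timestamp, source IP, login identifier (an e-mail address), outcome.
SAMPLE_LOG = """\
2024-01-06T20:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-06T20:00:02Z 203.0.113.7 bob@example.com FAIL
2024-01-06T20:00:02Z 203.0.113.7 carol@example.com OK
2024-01-06T20:00:03Z 203.0.113.7 dave@example.com FAIL
2024-01-06T20:00:03Z 203.0.113.7 erin@example.com OK
2024-01-06T20:00:04Z 203.0.113.7 frank@example.com FAIL
2024-01-06T20:05:10Z 198.51.100.4 alice@example.com FAIL
2024-01-06T20:05:40Z 198.51.100.4 alice@example.com OK
"""

def parse_events(text):
    """Parse one event per line into dicts with time, ip, user and ok."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "ok": outcome == "OK"})
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag IPs that try >= min_accounts distinct identifiers within any sliding window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}  # ip -> (peak distinct identifiers in a window, successful logins)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        in_window, start, peak = Counter(), 0, 0
        for ev in evs:
            in_window[ev["user"]] += 1
            # advance the window start until it spans at most `window`
            while ev["time"] - evs[start]["time"] > window:
                in_window[evs[start]["user"]] -= 1
                if in_window[evs[start]["user"]] == 0:
                    del in_window[evs[start]["user"]]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_accounts:
            flagged[ip] = (peak, sum(1 for e in evs if e["ok"]))
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts successfully logged into from a flagged source (force reset)."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})
```

A single user retrying their own account (198.51.100.4 above) stays unflagged because the check counts distinct identifiers per source, not failures.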