[sf-lug] HaveIBeenPwned.com (was: Safer Browsing)

Akkana Peck akkana at shallowsky.com
Mon Mar 11 17:58:43 PDT 2019


Rick Moen writes:
(a long and helpful post full of details and suggestions about
internet privacy and security)

Thanks for that. I always wonder about these big data breaches that
"may include" a long list of personal information and it's not clear
why the breached company would have that data in the first place.

Just a question about a couple of points in your suggestions:

>    Did you open a GitHub account?  Clever primate!  It automatically 
>    makes a Gravatar for you, and see foregoing.
> https://arstechnica.com/information-technology/2013/07/got-an-account-on-a-site-like-github-hackers-may-know-your-e-mail-address/
>    (GitHub, now a wholly owned subsidiary of Microsoft Corporation,
>    _does_ provide a way to remove the generated Gravatar from 
>    your GitHub account, as noted in the comments to that link.)

I don't knowingly have a "gravatar", but I do have a GitHub account.
I went to "Your profile" and clicked Edit, but I don't see anything
about a gravatar (the comment in that article mentions a "Gravatar
email" field which I don't see). And the article itself says:

  | By viewing the page source, I could see that in the process, 
  | Github automatically created a Gravatar ID that included the
  | following identifier: https://secure.gravatar.com/avatar/...

He doesn't mention *what* page's source he was viewing, but if I
view page source for my profile page on GitHub and search for
gravatar, I don't find any matches.

The article is dated 2013, so this may be long obsolete. Best I can
find from a web search is that GitHub stopped using gravatars around
2014. What I don't know is whether this means there's still a
gravatar floating around the net associated with my email address
based on something GitHub did years ago. Though in truth, for me
it's academic because my email address appears all over the place
and every spammer in existence seemingly already has it.

Of course your larger point still holds: the more accounts you make
on various websites, the more likely it is that they're sharing your
information with various other companies behind your back, and
the more likely it is that some of your shared info will leak.

>   Step 2: Enable 2 factor authentication and store the codes inside your
>   1Password account.

This is something you quoted from the advisory, not something you're
personally pushing as gospel; later on you make it clear that you
don't think it necessarily solves the problem. I want to elaborate
on that.

2FA sounds like a great idea in principle. But in most cases, I'm
not convinced it adds any real security. Most companies (even banks)
that use 2FA seem to use it as an optional step: if you lose your
phone or your hardware dongle, no problem, we'll give you another
way to log in even without bothering to do much verification. And in
the case of phone-based 2FA, seems like I keep seeing stories of
people who get their phone number hijacked by people who then use
it for 2FA to break into an account. Apparently this is pretty easy
to do. I'd trust a dedicated hardware dongle a lot more than
phone-based 2FA, but not many places offer one and almost none
let you set things up so it's required.

Plus, for phone-based 2FA, there's the issue you already mentioned:

> There's certainly nothing wrong in abstract with 2FA, though I really
> would not want the second-nosiest company in the world to have my
> cellphone number.
        
        ...Akkana
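On the question above of whether a Gravatar identifier may still be tied to an e-mail address, here is an added Python example (not code from the original post or from GitHub): the Gravatar identifier is the MD5 hash of the trimmed, lowercased address, which is why an exposed identifier confirms the address to anyone who already holds a candidate list, and Gravatar's documented `d=404` option reports whether an avatar is actually registered for that hash. The sample address is the one used in Gravatar's own hashing documentation; no other addresses are assumed.

```python
import hashlib
import urllib.error
import urllib.request

GRAVATAR_BASE = "https://secure.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Gravatar's legacy identifier: MD5 of the address, trimmed and lowercased.

    Because the input is fully deterministic, a site that embeds this hash
    in a page (as GitHub once did) lets anyone with a candidate address
    verify it against the hash in a single operation.
    """
    normalized = email.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def gravatar_url(email: str) -> str:
    """The avatar URL a site would embed for this address."""
    return GRAVATAR_BASE + gravatar_hash(email)


def has_public_gravatar(email: str, timeout: float = 5.0):
    """Privacy self-check: is an avatar registered for my own address?

    Uses Gravatar's documented 'd=404' default-image option, which makes
    the service answer HTTP 404 when no avatar exists for the hash and
    200 when one does.  Returns True/False, or None when the lookup could
    not be completed (for example, when running offline).
    """
    url = gravatar_url(email) + "?d=404"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        return False if err.code == 404 else None
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    # Constructed input: the sample address from Gravatar's hashing docs.
    sample = "MyEmailAddress@example.com "
    print(gravatar_hash(sample))  # 0bc83cb571cd1c50ba6f3e8a78ef1346
    print(gravatar_url(sample))
    print("public avatar registered:", has_public_gravatar(sample))
```

Run it with your own address in place of the sample to answer the "is there still a gravatar floating around" question for yourself; the network lookup is only made by `has_public_gravatar`.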
