The Unity game engine forums were hacked over the weekend, with defacement of the site and messages sent to all users.

The Unity team note that no passwords were taken, but they will be boosting their security measures in case of future attacks.

They will be adding 2FA, device identification to alert you if an unregistered device logs into your account, and a new password policy.

Read more here.

Not exactly gaming news, but we have a good amount of developers here who will probably want to be made aware of this. Article taken from GamingOnLinux.com.
Tags: Unity

Guest May 1, 2017
All sites should use 2FA if reasonably possible.
razing32 May 1, 2017
Kinda sucks somebody did that.
Wonder why though?
Was it just for shits and gigglez or did somebody have a bone to pick with unity devs?


Last edited by razing32 on 1 May 2017 at 3:58 pm UTC
Another company?
Kimyrielle May 1, 2017
All sites should use 2FA if reasonably possible.

The problem with 2FA is that it's a complete PITA. There are about as many authenticators around as there are applications using 2FA, which is bad to begin with (if you use 30 services protected by 2FA, chances are that you will have to deal with at least 25 different authenticators). But the worst thing about 2FA is that most services want you to use your smartphone as authenticator, which is a really, REALLY stupid idea. Smartphones have a much greater chance of getting lost or stolen than (good) passwords have, so doing that is adding a security liability, not an asset.
You also cannot use smartphone-based authenticators without exposing your identity, at least to the provider of the authenticator. Which is a significant privacy concern, for using such services anonymously is nigh on infeasible.
And since people tend to replace their smartphone quite often, you will have to reset every single authenticator app when doing that. Fun! Not.

2FA is one of the things that look good on paper, but just don't work in real life. The one possible solution to this dilemma would be a global standard provider of 2FA tokens you could purchase anonymously and that would work with every single service on the planet. But when has standardization ever worked anyway! And even then this would result in a single point of failure you had better not ever lose. That's the intrinsic problem with 2FA - its very point is to make you authenticate with something you HAVE and not just know (unlike passwords). But what you have, you can lose!

In the end, 2FA would be totally unnecessary if people would pick good passwords, not reuse them anywhere, and the service providers would stop being daft and start properly hashing/salting them. 2FA does NOT protect services from getting hacked. All it really does is protect against stolen passwords.
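Kimyrielle's closing point, that a provider should hash and salt stored passwords properly, looks like this in code. This is an added example and is not from the thread or from Unity: it uses Python's standard-library PBKDF2 (hashlib.pbkdf2_hmac) with a fresh random salt per password and a constant-time comparison on verification, and contrasts it with an unsalted hash to show why a breached table of salted hashes leaks nothing about which users share a password. The iteration count and sample passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed example parameters: the iteration count is kept modest so the example
# runs quickly; a production deployment tunes it much higher (and re-tunes it over time).
ALGORITHM = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: pbkdf2_<hash>$<iterations>$<salt b64>$<digest b64>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # one random salt per stored password, never reused
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_" + ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never treat it as a match
    if not algo.startswith("pbkdf2_"):
        return False
    actual = hashlib.pbkdf2_hmac(algo[len("pbkdf2_"):], password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(actual, expected)


def unsalted_sha1(password: str) -> str:
    """The weak form, for contrast: equal passwords give equal, precomputable hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def visible_duplicates(stored_values) -> int:
    """Count distinct stored values that occur more than once.

    Run over a breached table this tells an attacker how many passwords are shared
    between accounts; with per-password salts the answer is always zero.
    """
    counts = {}
    for value in stored_values:
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    # Constructed sample table: two users chose the same password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
    weak_table = [unsalted_sha1(p) for p in users.values()]
    strong_table = [hash_password(p) for p in users.values()]
    print("shared passwords visible in unsalted table:", visible_duplicates(weak_table))
    print("shared passwords visible in salted table:  ", visible_duplicates(strong_table))
    print("alice logs in:", verify_password("hunter2", strong_table[0]))
```

The stored record carries its own algorithm and iteration count, so the verifier can keep accepting old records while new ones are written with a higher cost; that is the part a provider most often gets wrong when it "adds hashing" by bolting a single global salt onto a fast hash.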
Beamboom May 2, 2017

I totally disagree with all you say, Kim. A good password is unique to each account. And a collection of unique passwords WILL have to be stored in a password file of some sort, and that file WILL, for most persons who do practise good password policy, be stored on the mobile phone too (typically via cloud). And then you're pretty much back to square one if you do lose your mobile and someone gets past the login of the phone.

To argue against 2FA and for good password policy is pretty much counter-productive. 2FA makes the requirement of good passwords less vital and a system much, much more robust. That's the way to go.

In my opinion, absolutely everything even remotely vital (ergo store important data) should be 2FA - preferably all using the same token technology, but today all but one service that I personally use are using the algorithm used in Google Authenticator (it's an open standard, can't recall the protocol right now).


Last edited by Beamboom on 2 May 2017 at 11:11 am UTC
Kimyrielle May 2, 2017

I totally disagree with all you say, Kim. A good password is unique to each account. And a collection of unique passwords WILL have to be stored in a password file of some sort, and that file WILL, for most persons who do practise good password policy, be stored on the mobile phone too (typically via cloud). And then you're pretty much back to square one if you do lose your mobile and someone gets past the login of the phone.

To argue against 2FA and for good password policy is pretty much counter-productive. 2FA makes the requirement of good passwords less vital and a system much, much more robust. That's the way to go.

In my opinion, absolutely everything even remotely vital (ergo store important data) should be 2FA - preferably all using the same token technology, but today all but one service that I personally use are using the algorithm used in Google Authenticator (it's an open standard, can't recall the protocol right now).

The vital difference is that if I lose the phone with my encrypted password file (people who put unencrypted password files on phones or cloud servers are stupid anyway), I still have a copy of it in my backup, or on my desktop PC. So, if I lose my phone with my encrypted password file, I can simply recover the copy from my backup and carry on. OTOH, losing a 2FA token is a major disaster, since that's the exact thing you need to authenticate with. Recovering lost 2FA tokens is a completely unsolved security problem, btw. There is no satisfying way to prove that the lost token was actually yours, because the possession of the token IS what the system is using to identify you. A service provider will usually resort to asking you things you know, essentially opening possible social engineering attack routes and eliminating most of 2FA's additional security (authenticating with something you KNOW is what passwords do...)

I find it also hilarious that people use Linux to escape MS's monopoly, but would be willing to hand Google the keys to each and every online service they use. Just sayin'.
Beamboom May 2, 2017
I find it also hilarious that people use Linux to escape MS's monopoly, but would be willing to hand Google the keys to each and every online service they use. Just sayin'.

No, you don't understand how this works.
The token you are given by the app is based on a private key that is stored locally on your phone. The application (which doesn't have to be Google's, but any that supports that same protocol) uses the timestamp as the second key, and calculates the token based on that. That's why a token only lasts for a minute - and this is why you need to re-tie the account to your phone when you get a new phone.

So the app doesn't (and shouldn't) require network access privilege, nothing whatsoever is sent across any network - it can forever work on an offline phone - it doesn't even need to have a SIM card. Just like those RSA "dongles" that some have from their bank to supply a temporary 2nd password. Exact same.

There are of course those who do offer a "cloud storage" of your private key, so that it'll always work across devices. But yeah - it's up to you if you trust that provider or not. I'd not do it, that's for too damn sure.

So why is the Google Authenticator so popular? Because it offers a nice interface to your various keys. It's user friendly. That's the simple reason to use that offline app.

But again - once you understand how this works you'll realise that this system is, in fact, very good.

Two password walls are better than one. And if that second password is valid for only one single minute before it's scrapped, it's even better.
And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password.

But this is the way forward. By far not all users practise good password policy, but this enforces proper password practice for all users just by its very nature. From the service provider's perspective it doesn't really matter anymore if the user uses one single password across the entire internet - it doesn't put your service at risk unless they *also* break into the user's phone. One more barrier to break, and let's face it, it's a tough one for online hackers.

An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open. Especially since most users use a simple password on that file - since they have to open it quite regularly.

So if a hacker gets their hands on that file, you may just as well consider the content exposed. One with know-how will be able to pry it open.


Last edited by Beamboom on 2 May 2017 at 8:32 pm UTC
Kimyrielle May 2, 2017
But again - once you understand how this works you'll realise that this system is, in fact, very good.

I find it both funny and a little offensive that you're basically suggesting that I don't understand how 2FA works. But I guess rule #1 for internet debates applies: Whenever you're running out of good arguments, take a stab at the other person's qualifications!

I know that you're not -technically- handing your keys to Google. You're still making yourself dependent on them and their service. Which is in the end just as bad.

Two password walls are better than one. And if that second password is valid for only one single minute before it's scrapped, it's even better.

The problems with 2FA I tried to point out isn't related to that. I already said it's a good idea on paper. Unfortunately one that doesn't survive a reality check. See my above postings.

And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password.

Yes, that's my point. Most of these recovery procedures are really weak security. As weak as a bad/lost password. "Answer this silly question about you, that every halfway determined person can find out in 5 mins". Yeah, right!
To me, the recovery question is actually THE central weakness of 2FA as a concept. I can't remotely think of a good solution to that problem that wouldn't completely do away with any notion of privacy/anonymity online. Which is unacceptable.

An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open.

You do realize that brute force attacking a file encrypted using a proper cypher and a -good- password takes multiple lifetimes, yes?

Especially since most users use a simple password on that file - since they have to open it quite regularly.

Can't cure stupid. But if they can't be bothered using a good password for the most important file they possess, what makes you think they'd want to add a super-inconvenient second authentication layer on top of that? And that 2FA is super inconvenient is just an objective fact, sorry.

So if a hacker gets their hands on that file, you may just as well consider the content exposed. One with know-how will be able to pry it open.

No, they can't. I'd die long before they'd be finished. In contrast to Dark Helmet I don't use 12345 as a password. That being said, I'd still change my passwords if I'd ever lose my phone. Chances are that I am done before they have brute forced my password file. *shrug*
Beamboom May 2, 2017
I find it both funny and a little offensive that you're basically suggesting that I don't understand how 2FA works.

No - I don't think you knew how the tokens - the temporary passwords - work. If you thought that it was giving your keys to Google (or whoever) then yeah, it would be stupid. But it's not.

I know that you're not -technically- handing your keys to Google. You're still making yourself dependent on them and their service. Which is in the end just as bad.

Oh come on. It's an offline tool - one of many from which you can freely choose. The algorithm is open and freely available for anyone to implement. You're trying to create an argument that's not there, now.

And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password.

Yes, that's my point. Most of these recovery procedures are really weak security. As weak as a bad/lost password. "Answer this silly question about you, that every halfway determined person can find out in 5 mins". Yeah, right!

Well, then criticise that, then. But this is the same regardless of whether there are one or two layers of password security!
And it then becomes a task for the service provider to handle. Look at how Facebook and Google handle it. Their systems are far more complex than a stupid "secret question" request.

But this is a different discussion.

An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open.

You do realize that brute force attacking a file encrypted using a proper cypher and a -good- password takes multiple lifetimes, yes?

You're cherry picking the quotes now. I stated that this password often is not secure, because it's a password the user has to remember and use often. I can promise you this, the majority of encrypted password files are not using a long, complex password. It's incredibly impractical when one needs to open it regularly.

Can't cure stupid. But if they can't be bothered using a good password for the most important file they possess, what makes you think they'd want to add a super-inconvenient second authentication layer on top of that? And that 2FA is super inconvenient is just an objective fact, sorry.

If it was up to average joe there would barely be any security at all, they'd disable most of it. 2FA must be enforced. Like the banks do today, for example.


Last edited by Beamboom on 2 May 2017 at 10:02 pm UTC
Kimyrielle May 2, 2017
Well, then criticise that, then.

That's indeed what I do and what I called the "reality check" that 2FA doesn't survive. The entire concept has several really fundamental problems that just aren't solved and probably never will be. Like how to solve the lost token recovery WITHOUT trampling on your privacy (and please don't point me at Facebook or Google...we know for a fact that neither of them gives a flying shit about your privacy). Which is a hilarious circumstance given that the most popular token is a device people are super prone to lose - their smartphone.

In the end, my fundamental problem with 2FA is that it doesn't really provide any significant additional security for people who use good passwords or service providers that aren't completely inept. Basically 2FA is an attempt to cure stupid. And we all know that in the end you can't. For people who are NOT stupid, it doesn't do anything except making their life more complicated. And introducing a lot of new problems, like making one lose access to -everything- if they happen to lose the single point of failure in that system - their phone.

But go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hand of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)
Asu May 2, 2017
yeah they forced a pwd reset. I'm not happy lol...
Beamboom May 3, 2017
In the end, my fundamental problem with 2FA that it doesn't really provide any significant additional security for people who use good passwords or service providers that aren't completely inept.

This is, with all due respect but to be totally honest here, not the right attitude. It reminds me a lot of all the companies out there that believe they are safe from attacks because they have such a modern and secure firewall. Everyone must have mechanisms in place that handle an invasion of their network. Just like every user must be prepared for what can happen if their passwords are exposed.

Two layers of security are and will always be better than one. Just think about it: As a service provider you build intricate analysers that scan the traffic for suspect actions, set up tight rules on each layer, from firewall to router to load balancers to application servers, an entire stack of security to stay safe from the wilderness.

And then you leave the main entrance up to the individual users out there, with one tiny little string of characters as the only - ONLY - prevention from someone totally taking over the account on that server, with all the privileges that come with that user. Just one little string, consisting of usually 6-8 characters, often in a clear pattern. One single point of failure. It goes against everything you've ever learnt in computer security.

A temporary token system makes your account safe even if you get a friggin' KEYLOGGER installed on your computer. You are safe(r) from many man-in-the-middle attacks that leave your password exposed. Or when the service provider's database is breached and passwords are not properly protected (this happens ALL the time - it's reality. A scenario where everything is perfect is utopia - you can't use that as a prerequisite). You are safer from a whole stack of attack methods where you - the user - are totally without blame, methods where your personal practice means squat, zero, nil.

Can't you see? It is a layer of security that has other properties than a static password can provide. And that is a Good Thing.


Basically 2FA is an attempt to cure stupid.

Yes, that and laziness. Especially laziness.

And we all know that in the end you can't.
But we have to limit the consequences as best as we can. We have to, and we do - everywhere.

We have rules for security equipment in dangerous workplaces. Why the hell don't bikers wear a helmet without rules telling them they have to or they will be fined? That's how we cure stupidity there. We cure stupidity absolutely everywhere.

And 2FA is a good cure. one of several cures. The others are done server side. But we have to secure also the client side of things - we can't handle absolutely every scenario server side.

For people who are NOT stupid, it doesn't do anything except making their life more complicated.

Hence, "laziness".

But go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hand of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)

That is not the topic. The topic is security. Two layers of security are better than one - period.

We can discuss anonymity and the internet another time. Or market leverage or app design.
The topic now is whether 2FA provides a more secure regime than one single password. And it does. If you lose your phone or password file or the password to your password file or whatever else, that is a challenge that must be handled. A system must be designed that can take care of that in the best possible way with the least risk involved. Yes, it is a challenge, but as long as we deal with passwords at all, we just need to handle that.

Personally I am against passwords, period, since it's such a pain in the arse either way, and a stupid stupid thing from a security perspective.

I predict that in a decades time we don't have to fool around with these bloody passwords anymore - then there's other systems that's taken over verification.

My password file contains 150 passwords. Count'em: One hundred and fifty unique passwords, and mostly unique usernames too. And many have much more than that. It's complete, plain madness of an archaic system that stems from a time where we all had one account on our LAN. It's one giant ulcer of a security challenge that can only be overcome by replacing it with something better.

But until then: Temporary passwords with one usage and then scrapped does negotiate a few of the gaping flaws of static passwords.
That's really all I am hoping to make you, and others, realise. So can we all join in on a complain hymn about the hassle, oh the hassle!, until something better comes along.


Last edited by Beamboom on 3 May 2017 at 1:33 pm UTC
GoLBuzzkill May 3, 2017
"The Unity team note that no passwords were taken"
---
You can NEVER say "no passwords were taken"; the only thing you can say is "passwords were taken", if you are sure that they were taken; you must act on the presumption that they are taken.
---
Everybody who says "no passwords were taken" doesn't know shit about security. The Unity team's claim is wittingly a LIE (because they can't know that for sure); their security engineering skill is only second to their 3D engine engineering skills.
Kimyrielle May 3, 2017
Two layers of security is and will always be better than one.

You will hear no dissent from me here. I said a few times already that 2FA looks good on paper.

But go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hand of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)

That is not the topic. The topic is security. Two layers of security are better than one - period.

To me, that IS the topic. That and nothing else is. A security system that increases security (it does, we don't disagree here), but comes with an astonishing number of inconveniences, unsolved design flaws and privacy concerns is UNACCEPTABLE. Yes, even if it otherwise works. Security is not something you can and want to maximize. It always comes paired with secondary concerns. The most famous one being Security vs. Freedom. But convenience is -certainly- one of the secondary concerns, as is privacy, and making the system resilient against single points of failure. 2FA doesn't satisfy ANY of these considerations. It works in some select areas where these concerns do not matter. You named banks, and I agree with that, since they already know my identity anyway and can ask me to show up in person if I lose my token. It works because banking is still at least partially an offline business. Most other areas that need good online security aren't like that.

I do otherwise agree with you that we need something better than static passwords. Unfortunately nobody has ever come up with a great idea what to replace them with. 2FA isn't it, at least not without considerably improving the way it's currently implemented. For the time being, I am rather willing to accept somewhat weaker security than living with the plethora of unsolved issues it comes with. *shrug*


Last edited by Kimyrielle on 3 May 2017 at 9:21 pm UTC
Beamboom May 4, 2017
I do otherwise agree with you that we need something better than static passwords.

I am however doubtful that you'll like the tech that will replace it, in regards to your privacy concerns. :)

By all means, the privacy concerns regarding internet technology are massive. It can not be overstated. I'm with you there. It's gigantic, and almost impossible to imagine the world will ever be the same again in regards to those questions. But from a pragmatic perspective, I see this as unavoidable.

From a pure security perspective, and from a service providers perspective more than consumer perspective, I'm afraid we just have to realize that the less dependence on user decisions (and with that, privacy) the better. Biometric scans (voice, fingerprint, retina etc) are for example something that I expect will become a lot more common means for identification also for internet services. It's already common on the mobile phones, all that is needed is to extend that usage. And it's in excessive use on modern airports (face recognition).

But yeah - it will become harder and harder to remain anonymous, or to even control the information about you out there. And the moral and ethical questions around this are of course huge.

PS: I never started using Linux "to escape MS's monopoly" - I did it because it's simply the better OS for my line of work. ;)


Last edited by Beamboom on 4 May 2017 at 1:05 pm UTC
razing32 May 4, 2017
PS: I never started using Linux "to escape MS's monopoly" - I did it because it's simply the better OS for my line of work. ;)

Sysadmin?
Kimyrielle May 5, 2017
PS: I never started using Linux "to escape MS's monopoly" - I did it because it's simply the better OS for my line of work. ;)

Sysadmin?

My guess would have been developer. ;)

And well, Linux is a better OS than Windows in every regard I can think of. The area Windows is ahead is the number of software products available for it, that's really all. Namely games and design software. If we'd be evenly supported by software, nobody in their right mind would still be using Windows.
razing32 May 5, 2017
PS: I never started using Linux "to escape MS's monopoly" - I did it because it's simply the better OS for my line of work. ;)

Sysadmin?

My guess would have been developer. ;)

And well, Linux is a better OS than Windows in every regard I can think of. The area Windows is ahead is the number of software products available for it, that's really all. Namely games and design software. If we'd be evenly supported by software, nobody in their right mind would still be using Windows.

Somewhat related to the 2FA talk you were having:
https://motherboard.vice.com/en_us/article/we-were-warned-about-flaws-in-the-mobile-data-backbone-for-years-now-2fa-is-screwed

And yes, I think with proper support Linux can beat Windows. It's just we lack software, drivers in some cases and what most low-tech users want: easy eye candy operation.
(Still, I don't hate Windows as an OS on principle. It could be good too if MS wasn't a bunch of dicks.)