[ale] evernote security breach

Richard Bronosky richard at bronosky.com
Mon Mar 4 17:59:40 EST 2013


Accept that Evernote did it by "first in wins". I didn't appreciate that my
machines that had previously been validated before the breach were kicked
out AND they sent me to the website to login (with presumably the
information that had been stolen) and create a new password. If there truly
is a cat & mouse game going on with users' security, it stands to reason
that you should favor trusting the person who already has a local copy of
the data rather than trusting the first person to sign in on a website.

If you think about it, services like Evernote, Amazon, Gmail, Paypal,
(anyone whose app you have on your phone) etc. already have adequate
two-factor authentication (for most of their users) that could be used in a
post-breach situation. They just have to have prepared in advance to be
able to use it. It's not 100% in that there will be many users who find
themselves in a "no client-side app+data that could be used as a security
bootstrap" situation. But, that would make the attack pool so small that it
would make these huge companies not even worth targeting.

Hey, I'm onto something here. I need to write a paper!


On Mon, Mar 4, 2013 at 4:34 PM, Matt Hessel <matt.hessel at gmail.com> wrote:

> It's hard to be unaware, with the mass notification emails from them, and
> my devices getting locked out.
>
> It's nice to see a proper response to a security threat by an organization
> these days. :)
>  On Mar 4, 2013 9:37 AM, "Ron Frazier (ALE)" <
> atllinuxenthinfo at techstarship.com> wrote:
>
>> Hi all,
>>
>> I first saw the link to this article on the dc404 mailing list.  If
>> you're an evernote user, you need to know about this.
>>
>> http://www.theverge.com/2013/3/2/4056704/evernote-password-reset
>>
>> Sincerely,
>>
>> Ron
>>
>>
>> --
>>
>> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9
>> Mail.
>> Please excuse my potential brevity if I'm typing on the touch screen.
>>
>> (PS - If you email me and don't get a quick response, you might want to
>> call on the phone.  I get about 300 emails per day from alternate energy
>> mailing lists and such.  I don't always see new email messages very
>> quickly.)
>>
>> Ron Frazier
>> 770-205-9422 (O)   Leave a message.
>> linuxdude AT techstarship.com
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>


-- 
.!# RichardBronosky #!.
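The idea in the post above, trusting a device that was enrolled before the breach over whoever first types the (possibly stolen) password into the web form, sketched as an added example. This is illustration code written for this archive page, not Evernote's actual mechanism; the AccountService class, the per-device HMAC secret, and the challenge/response format are all assumptions chosen for the demo.

```python
"""Post-breach re-bootstrapping from previously enrolled devices.

Added illustration (not Evernote's mechanism): each device enrolled BEFORE
the breach holds a random per-device secret. After the breach the server
locks every account; a password reset is accepted only when the request is
signed with one of the account's enrolled device secrets. A web login or
reset that presents only the (possibly stolen) password is refused.
"""
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted slow hash for the stored verifier; assume this hash leaked in the breach.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def device_sign(device_secret: bytes, username: str, device_id: str, nonce: str) -> str:
    """Client side: an enrolled device proves possession of its secret over a fresh nonce."""
    msg = f"{username}|{device_id}|{nonce}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


class AccountService:
    def __init__(self):
        self.accounts = {}   # username -> {salt, pw_hash, devices: {id: secret}, locked}
        self.pending = {}    # (username, nonce) -> True; single-use challenges

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                                   "devices": {}, "locked": False}

    def _password_ok(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct["locked"]:
            return False
        return self._password_ok(username, password)

    def enroll_device(self, username: str, password: str, device_id: str) -> bytes:
        """Pre-breach: a valid login enrolls a device; the secret is stored only on that device."""
        if not self.login(username, password):
            raise PermissionError("enrollment requires a valid, unlocked login")
        secret = secrets.token_bytes(32)
        self.accounts[username]["devices"][device_id] = secret
        return secret

    def breach_response(self) -> None:
        """Assume every password hash is in the attacker's hands: lock all accounts."""
        for acct in self.accounts.values():
            acct["locked"] = True

    def web_reset_password(self, username: str, old_password: str, new_password: str) -> bool:
        """'First in wins' reset: refused while locked, even with the correct old password."""
        acct = self.accounts.get(username)
        if acct is None or acct["locked"] or not self._password_ok(username, old_password):
            return False
        self._set_password(username, new_password)
        return True

    def issue_challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[(username, nonce)] = True
        return nonce

    def device_reset_password(self, username: str, device_id: str, nonce: str,
                              tag: str, new_password: str) -> bool:
        """Reset accepted only from a device enrolled before the lock, over an unused challenge."""
        acct = self.accounts.get(username)
        if acct is None or not self.pending.pop((username, nonce), False):
            return False  # unknown account, or nonce never issued / already consumed
        secret = acct["devices"].get(device_id)
        if secret is None:
            return False
        expected = device_sign(secret, username, device_id, nonce)
        if not hmac.compare_digest(expected, tag):
            return False
        self._set_password(username, new_password)
        acct["locked"] = False
        return True

    def _set_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash_password(new_password, acct["salt"])


def demo() -> dict:
    """Walk through the scenario with constructed data; returns the outcome of each step."""
    svc = AccountService()
    svc.register("alice", "hunter2")
    laptop_secret = svc.enroll_device("alice", "hunter2", "laptop")  # enrolled before the breach
    svc.breach_response()
    out = {}
    out["attacker_login"] = svc.login("alice", "hunter2")                      # stolen password alone
    out["attacker_web_reset"] = svc.web_reset_password("alice", "hunter2", "pwned")
    nonce = svc.issue_challenge("alice")
    forged = device_sign(secrets.token_bytes(32), "alice", "laptop", nonce)    # attacker lacks the secret
    out["attacker_device_reset"] = svc.device_reset_password("alice", "laptop", nonce, forged, "pwned")
    nonce = svc.issue_challenge("alice")
    tag = device_sign(laptop_secret, "alice", "laptop", nonce)                 # the real laptop
    out["device_reset"] = svc.device_reset_password("alice", "laptop", nonce, tag, "new-pass")
    out["replay"] = svc.device_reset_password("alice", "laptop", nonce, tag, "again")
    out["login_after"] = svc.login("alice", "new-pass")
    return out


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {ok}")
```

Running demo() shows the stolen password alone buying the attacker nothing once the lock is in place, while the pre-enrolled laptop can reset and unlock the account with a single-use challenge. The scheme only helps if the per-device secret was provisioned before the breach and never leaves the device; the "no client-side app+data" users from the post above still need some other recovery path.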