tonymet 5 days ago

I agree, but relying on lawsuits is far too slow and costly. We can reduce the latency of discovery and resolution by adding software protocols.

bawolff 5 days ago | parent [-]

Having the threat of lawsuits is not really about the actual lawsuit, it's about scaring people into being more careful. If you actually get to the lawsuit stage, the strategy has failed.

> We can reduce the latency of discovery and resolution by adding software protocols.

Can we? What does this even mean?

[Edit: I guess you mean the things in your parent comment about requiring including some sort of canary token in the DB. I'm skeptical about that as it assumes certain db structure and is difficult to verify compliance.

More importantly I don't really see how it would have stopped this specific situation. It seems like the leak was published to 4chan pretty immediately. More generally how do you discover if the token is leaked, in general? It's not like the hackers are going to self-report.]

tonymet 5 days ago | parent [-]

The signatures would appear in the drop. A primitive version would be file metadata or JFIF. Even the images themselves or steganography could be used.

bawolff 5 days ago | parent [-]

I guess, but it seems a bit like a solution that only works for this specific dump - most db breaches don't have photos in them.

My bigger concern though is how you translate that into discovering such breaches. Are you just googling for your token once a day? This breach was fairly public but lots of breaches are either sold or shared privately. By the time it's public enough to show up in a google search usually everyone already knows the who and what of the breach. I think it would be unusual for the contents of the breach to be publicly shared without identifying where the contents came from.

tonymet 4 days ago | parent [-]

Dark web scanning is common. The developers would be notified when those signatures appear in dark web indexes.

JFIF is just an example. Any file format or metadata could be used as a signature depending on the storage type.
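To make the idea being argued over concrete (the canary row in the DB from earlier in the thread, and the JFIF/metadata signature suggested here), the following is an added example written for this page, not code from any commenter. It plants one token two ways, as a synthetic user record and as a JPEG COM (comment) segment, then scans a constructed dump for it. The token, the header-only JFIF container, the `.invalid` address and the dump contents are all constructed for the example; the scan is a plain substring search, which is the same thing a dark web index match would do with the token.

```python
"""Canary markers for leaked data: plant a unique token, then scan a dump for it.

Added example, not code from the thread. Two planting strategies:
  1. a synthetic "canary" row that never belongs to a real user, and
  2. a JPEG COM segment (marker 0xFFFE) carrying the token, which survives
     as long as the file is copied byte-for-byte.
All sample data below is constructed for this example.
"""
import secrets
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
COM, APP0, SOS, EOI_MARK = 0xFE, 0xE0, 0xDA, 0xD9


def make_token(prefix="canary"):
    """Random, unguessable token; the fixed prefix makes hits easy to recognise."""
    return f"{prefix}-{secrets.token_hex(8)}"


def canary_row(token, domain="example.invalid"):
    """A fake user record. '.invalid' is reserved by RFC 2606, so it cannot collide."""
    return {"name": "Canary Account", "email": f"{token}@{domain}"}


def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment up to SOS or EOI.

    Only the marker/length framing is parsed; entropy-coded image data is not.
    The two-byte length field counts itself, so payload = length - 2 bytes."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"bad marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI_MARK:          # EOI has no length field
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == SOS:               # scan data follows, stop parsing
            return
        pos += 2 + length


def embed_comment(data, token):
    """Insert a COM segment carrying `token` after SOI (and after APP0 if present)."""
    segs = list(jpeg_segments(data))    # also validates the framing
    insert_at = 2
    if segs and segs[0][0] == APP0:
        insert_at = 2 + 2 + 2 + len(segs[0][1])   # SOI + marker + length + payload
    body = token.encode()
    com = b"\xff" + bytes([COM]) + struct.pack(">H", len(body) + 2) + body
    return data[:insert_at] + com + data[insert_at:]


def comments(data):
    """All COM payloads in a JPEG, decoded as text."""
    return [p.decode("latin-1") for m, p in jpeg_segments(data) if m == COM]


def minimal_jfif():
    """Constructed header-only JFIF container (valid framing, not a decodable picture)."""
    app0 = b"JFIF\x00" + bytes([1, 1, 0]) + struct.pack(">HH", 72, 72) + b"\x00\x00"
    return SOI + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0 + EOI


def scan_dump(blob, tokens):
    """Return {token: [offsets]} for every canary token found in the blob."""
    hits = {}
    for t in tokens:
        needle, offs, start = t.encode(), [], 0
        while (i := blob.find(needle, start)) != -1:
            offs.append(i)
            start = i + 1
        if offs:
            hits[t] = offs
    return hits


def demo(token="canary-0123456789abcdef"):
    """Plant the token as a DB row and as image metadata, then scan a constructed dump."""
    row = canary_row(token)
    photo = embed_comment(minimal_jfif(), token)
    # constructed dump: a CSV-style export followed by one image blob
    dump = (b"id,name,email\n1,Alice,alice@example.com\n"
            + f"2,{row['name']},{row['email']}\n".encode()
            + photo)
    return scan_dump(dump, [token])


if __name__ == "__main__":
    print(demo())   # both plantings are found, so two offsets for the one token
```

The two weak points raised in the thread show up directly in this code: the COM segment is lost the moment an image is re-encoded, and `scan_dump` only helps once you have the dump bytes in hand, which is exactly the discovery problem bawolff is describing.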

bawolff 3 days ago | parent [-]

There is no indication that this particular breach was ever on the "dark web" before widely being discovered.

Yes dark web scanners are a thing, but just because something exists does not mean it would work for a specific situation. I'm doubtful they would work most of the time.