by dannysu 3121 days ago
The blog post was in 2014. This security bypass happened in 2016.

I think what we're witnessing here is that despite best intentions and past experience, humans are going to be humans. I actually felt good after reading that blog post in 2014 thinking that you guys are going to be better than most companies here.

Nope.

But I think a lesson can be learned here. The lesson is simply that humans are the weakest link. As much as you might try to add process and try to minimize, the best is having zero human capability at all. So when tptacek asks _who_ has the ability to change things about an account, we really do want to know, because those people are the weakest links. (I don't mean naming names, but understanding who in general has those powers.)

I mentioned elsewhere: I own my domain. I back up my emails. It's way more likely for a FastMail human loophole to screw me over than for me to need human assistance on login (which is never).

1 comment

https://blog.fastmail.com/2017/12/06/security-account-recove... - it's currently 3 people who have that ability. It had to be more before we had the automated tooling; those three people couldn't handle 3 figures per day (I'm not kidding) of regular password losses by regular users.