by gouggoug 3092 days ago
In those security disclosures, I often read what I see as contradictory language.

For example, I'm confused by this kind of statement:

> Mailgun has now completed its diagnostic of accounts that were affected and has notified each of the affected users. At this time, we believe less than 1% of our customer base was potentially affected. If you were not directly notified by Mailgun regarding this incident, then your account was not affected.

If you believe that less than 1% of users were affected, it means you don't know for sure how many accounts were affected.

From there, how can you state that "If you were not directly notified by Mailgun regarding this incident, then your account was not affected"?

Doesn't this last statement mean you know for sure my account was not affected? Isn't it in direct contradiction with the previous statement?

2 comments

Foremost, it was written by a human and unintended language contradictions are common. With that said, what you're suggesting isn't necessarily true -- the language can also indicate potential false positives, again because of the nuances of language.
> unintended language contradictions are common

Yes, definitely true. Although some contexts, like a security disclosure, might warrant a very carefully worded, non-contradictory statement that leaves no doubt about its interpretation.

> the language can also indicate potential false positives, again because of the nuances of language.

Yes, but in this context, false positives aren't important to the audience of the disclosure. Nobody really cares if their account was "identified as affected, but in the end wasn't".

If you announce that 1% of your user base was affected, and it turns out that 50% of this 1% were false positives, great! You were still right in announcing that 1% of your user base was affected. You can always correct this later and announce that things panned out better and only 0.5% of your users were impacted.

These sorts of articles always remind me of “We take security seriously”, otherwise known as “We didn’t take it seriously enough”: https://www.troyhunt.com/we-take-security-seriously-otherwis...