undefined | Better HN

0 pointsticulatedspline2y ago0 comments

they do offer 2fa. Personally I do blame the users, it's like if I robbed your house and then you sued the city because there wasn't a law that required you to put steel bars on your windows and have 3 locks and your argument is "I moved into a area where crime could occur, the city should have known I was too stupid to secure my stuff, we want a nanny state!"

as long as they weren't actively inhibiting security by not offering 2 factor or disallowing strong passwords, I don't think it's legally a company's responsibility to make their users eat their vegetables. good idea? maybe, but not required.

0 comments

jacquesm2y ago

Offering != mandating. You don't offer a service like this to the general public without ensuring that their data is protected from the most obvious attacks, and password reuse is probably the #1 candidate for that unless using very weak passwords is a better #1. Either of these should be very explicitly guarded against. If you can't do that you shouldn't be operating a service like this.

What they are doing with this response is letting their legal department drive their car away from the scene of the hit-and-run. At least, that's what they hope.

synicalx2y ago

While it might not be "legally" required (or maybe it is, courts haven't decided yet) it's in 23andme's own best interest to at least take some steps to ensure the technically illiterate users aren't leaving the front door wide open because if they don't then they end up in situations like this.

They can blame anyone they want but at the end of the day it's their brand that's getting dragged through the mud right now and after this NO ONE will trust them ever again.

ticulatedsplineOP2y ago

oh absolutely they look bad, and they could certainly have chosen a more tactful response. Most people won't even understand the nature of the data loss, and it's likely to affect their bottom line. And honestly IMHO that's more than enough lesson to start forcing security down their customer's throats.

But as I see it right now they have no legal culpability and calling for them to be drawn and quartered over it isn't exactly productive. Honestly I'd worry more about an industry knee-jerk reaction slapping crappy but CYA security on all kinds of sites if they lose the legal battle over this.

jacquesm2y ago

Negligence is a perfectly valid reason for culpability and I see the fact that they offered a service with this kind of data to the general public without mandatory 2FA as negligent. If only because their users are more than likely to be unaware of the kinds of risks they are taking whereas 23andme knows exactly what kind of risk those users are taking: that's why they wanted their data in the first place.

In my opinion the real reason why they didn't mandate 2FA is very simple: it would have alerted users to the fact that what they were doing was significant and it would have been a point of friction in setting up the account. But all they wanted is the data, the rest was infotainment and a sideshow from the POV of 23andme. The words 'duty of care' probably mean absolutely nothing to them.

michaeljx2y ago

They could have mandated 2fa only at the point where they present the results.

1 more reply

philistine2y ago

Blame is irrelevant. Do you honestly believe that 23andMe is reacting appropriately to the massive problem ?

The only reasonable reason they are reacting this way is not a question of belief, it's their legal defence as PR.

j / k navigate · click thread line to collapse

0 comments

jacquesm2y ago

What they are doing with this response is letting their legal department drive their car away from the scene of the hit-and-run. At least, that's what they hope.

synicalx2y ago

They can blame anyone they want but at the end of the day it's their brand that's getting dragged through the mud right now and after this NO ONE will trust them ever again.

ticulatedsplineOP2y ago

jacquesm2y ago

michaeljx2y ago

They could have mandated 2fa only at the point where they present the results.

1 more reply

philistine2y ago

Blame is irrelevant. Do you honestly believe that 23andMe is reacting appropriately to the massive problem ?

The only reasonable reason they are reacting this way is not a question of belief, it's their legal defence as PR.

j / k navigate · click thread line to collapse