> the OneLog log-in platform shared by numerous Swiss media companies
When will people understand that any centralized auth-related service is always going to be a prime target for criminal forces (hacking or not)?
One really doesn't need an IQ higher than 50 to understand this.
One of the common statements in development and indeed here is "when will people realise you can't roll your own auth securely and should just use a third party service".
There are a few security mantras that I wish we could get through to people on, but we security people are often guilty of having a correct answer that moves around based on what just occurred.
I've never heard your version ending with "just use a third party service".
Usually that phrase refers to libraries made by experts, not services that might be set up just as amateurishly as one's own, with the drawback of monoculture on top.
Obviously people realize that.
However, that is only one factor among several that are considered when making that sort of decision.
So are a hundred random auth services developed by bit players and separate credentials for each better?
I don't think there's an obvious answer or ideal, but I've also had trouble finding more comprehensive discussion on the subject.
There's a false dichotomy in assuming the alternatives are 'single corporate borg' and 'a million little handrolled systems'.
Separate websites and online services having their own authentication bubble but implemented with industry standard libraries would probably be a better alternative to both.
> One really doesn't need an IQ higher than 50 to understand this.
People's IQ is not constant, especially in management. It depends highly on money and the amount of buzzwords that hit their ears.
The gossip is that it's actually ransomware (and not having backups) and they're just saying hacker because it's less humiliating to admit. No data/evidence though, just gossip.
Makes sense if so, the same happened with another media company in Portugal. Same kind of reaction.
https://www.reuters.com/business/media-telecom/portugals-imp...