Friday, June 8, 2012

So long Libre.fm.. I will miss you..

Don't panic.. Libre.fm is still alive and well (at least as of today, 05/08/12, they were). I'm saying so long because I won't be using the service any longer. There should be no mistaking the fact that I was, at best, an infrequent user of Libre.fm, and my lack of use/participation will in no way have any significant effect on their numbers or service. I am taking time, though, to express why it is that I've decided to not use them anymore and will likely make the same decision with other service providers on the interwebs. Let me be clear here: I'm not picking on Libre.fm to be malicious. I believe greatly in what they do generally. I am not, here, seeking to get anyone to join me in a boycott, repudiation, demonstration or any other such nonsense. They are just one of many services that have done something that I'm sick of, and it happens to be that they are the last straw (for me).

What's the problem...

Idiots! But I digress. Today I got an email message letting me know that libre.fm had decided to protect its users by being proactive in responding to the potential threat posed by the recent security breach at LinkedIn (6.4 million hashed passwords of linkedin.com users were publicly posted). [UPDATE 05/09/12] Thanks to Mike for pointing out that this was a response to breaches at both LinkedIn and Last.fm, the latter of which is a fairly similar service to Libre, and therefore the likelihood that passwords might be shared between the sites is increased. [/UPDATE] Libre.fm decided that since it's very likely that a significant number of their users are also users at LinkedIn.com, it's reasonable/acceptable to reset passwords for all of the users at libre.fm. This is because some (hell, many) users use the same password on multiple sites. If user theidiot@dumasuser.com is on linkedin and also uses libre, there is a chance that the same password was used for both accounts, and once the hackers get around to cracking that particular entry in the database they can try the password they found on every other known service just to see if it works.

This is great for those among the populace unwise enough to use the same password on multiple sites, but for those of us who know better, it's annoying and time consuming. Many users take the time to develop good, strong password practices and don't reuse the same password on multiple sites. Libre.fm is sending a message to both groups of users: 1) If you're silly enough to use the same password for both linkedin and libre, we'll take care of you so you don't need to worry about being a better netizen, and 2) If you're a user who's taken the time to understand and be aware of the implications of lax security/password practices, it doesn't matter here because we treat everyone like they just don't know any better.
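As an added example (not from the post or from Libre.fm), here is the targeted alternative the post's complaint points at: at login, hash the plaintext the user just typed with the dump's own scheme and force a reset only if it appears in the leaked set, instead of resetting everyone. It assumes the leaked list is unsalted SHA-1 digests (as the LinkedIn dump was); the digests below are constructed stand-ins, not real leaked values.

```python
import hashlib

# Constructed sample standing in for a public password dump: unsalted SHA-1
# digests of a few weak passwords. A real list would hold millions of lines.
LEAKED_SHA1 = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest()
    for pw in ("password1", "linkedin", "letmein")
}


def reset_required(submitted_password: str, leaked: set = LEAKED_SHA1) -> bool:
    """Decide whether this login should be answered with a forced reset.

    Our own store is assumed to use salted hashes, so the dump cannot be
    compared against it offline. What we do have, briefly, at login time is
    the plaintext the user typed; hashing it the way the dump did lets us
    check membership without keeping the plaintext around.
    """
    digest = hashlib.sha1(submitted_password.encode("utf-8")).hexdigest()
    return digest in leaked


def triage_logins(attempts: list, leaked: set = LEAKED_SHA1) -> dict:
    """Count how many accounts a targeted policy would actually reset.

    `attempts` is a list of (username, submitted_password) pairs, the kind
    of thing the login handler sees over a day. Returns per-user decisions so
    the contrast with a blanket reset of every account is explicit.
    """
    return {
        user: ("force_reset" if reset_required(pw, leaked) else "allow")
        for user, pw in attempts
    }


if __name__ == "__main__":
    # Constructed login attempts: one reused weak password, two unrelated ones.
    sample = [
        ("theidiot@dumasuser.com", "password1"),
        ("careful_user", "correct horse battery staple"),
        ("another_user", "Password1"),  # case differs, so no match
    ]
    for user, decision in triage_logins(sample).items():
        print(f"{user}: {decision}")
```

Only the account whose submitted password hashes into the dump is reset; users whose passwords cannot have been in the leak are left alone.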

They are not alone...

I've dealt with this sort of thing before. I was notified by one of my financial institutions that I needed to reset my password because my email address showed up in some list of accounts from some compromised site (no it wasn't a phishing scam). They had the same thought as Libre.fm: let's protect our users from their own lax practices...which is bullshit. 

Interestingly, in the case of the financial institution I let them know (via email) that there was no way to have the same password on both sites, as their password policies were completely incompatible. This did not sway them, obviously.

What I'm doing about it...

If a company decides that they want to protect me from the idiotic practices of others, I'm simply going to avoid using that service. 

Why it's a problem...

The approach taken by Libre and other sites in response to compromises on other internet services does not scale well. Since the linkedin compromise, at least 15 other sites on the interwebs have admitted to being breached in some way. If every major service required users to reset their passwords every time one of the other major services online got compromised, we'd spend more time managing passwords than getting shit done.


I love you libre.. and I will miss you...


1 comment:

  1. It was as much (if not more) about the last.fm password leak rather than the LinkedIn one (although that is mentioned in the message as well), since there's a much higher than average probability of users sharing passwords between libre.fm and last.fm (since this can make configuration of a number of scrobblers much simpler).