Random Rants 92 - Not Enough Snerk

Status
Not open for further replies.
MaryKB said:
Interesting how that's your takeaway. I'd think more we need a "rant at hackers" thread.
Click to expand...
That is certainly a take. The way I look at it is that if there is money to be made in getting through companies security then hackers will exist. What we have a choice about is how we protect ourselves against them. If the big data accumulators are willing to voluntarily give our data away without our say so then that makes it much harder for us to do so, so I will rant about that. I quite see how others would feel then need to rant about the existence of hackers, and that is great too.

To be honest I put the existence of hackers on the big companies too. I think passwords for remote access should have been a thing of the past a decade ago.
 
Samson said:
That is certainly a take. The way I look at it is that if there is money to be made in getting through companies security then hackers will exist. What we have a choice about is how we protect ourselves against them. If the big data accumulators are willing to voluntarily give our data away without our say so then that makes it much harder for us to do so, so I will rant about that. I quite see how others would feel then need to rant about the existence of hackers, and that is great too.

To be honest I put the existence of hackers on the big companies too. I think passwords for remote access should have been a thing of the past a decade ago.
Click to expand...
You missed most of the article, including this bit:

“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” said Allison Nixon, chief research officer at the cyber firm Unit 221B. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”

This situation is about hackers compromising law enforcement accounts that are used for a legitimate emergency purpose and using that for malicious intentions.
 
MaryKB said:
You missed most of the article, including this bit:

“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” said Allison Nixon, chief research officer at the cyber firm Unit 221B. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”

This situation is about hackers compromising law enforcement accounts that are used for a legitimate emergency purpose and using that for malicious intentions.
Click to expand...
My issues are:
  • When this is working correctly, these companies are sending this voluntarily giving UK children's details to American law enforcement. This has to be a breach on the GDPR, at the very least Art. 14 and probably others.
  • If there really is a good use case for this they should tell people, and give people the opportunity to opt out. If they cannot justify it enough so that people will, then is there any good reason to believe they actually have a good reason?
  • There seems to be no security at all on these requests. Email address is no security, see here.
  • They set up a system where they have enough information to to allow people to access the site. I think this is security broken by design, and I do not understand how it is the default in this day and age.
  • The system should be set up expecting hackers to do this. If not they do not understand how the IT world works, or do not care about security.
I will also point out who you are quoting, I am not sure they are unbiased:

https://unit221b.com/ :

Unit 221B performs investigations and counterintelligence operations for the private and public sector. We conduct criminal and national security digital forensic investigations, advanced malware research, law enforcement liaison support, and threat neutralization and containment.​
 
Samson said:
Yeah, I did not complain when I found out they were showing the smaller one. I only got "upset" when I figured out how much work they were doing to show a blurry image. I have never seen them shown at the full size on their web site, so they could have just made it at 770 pixels, or converted it with a bit of software that does anti-aliasing (?) right one time (like my browser is doing), and not have to downsize it badly every time the image is served (though there must be some caching going on), and had a crisp image. It is like every stage would have been easier, and the result would have been better.
Click to expand...


Both pictures were perfectly clear to me. The second picture was larger,
both on my screen and in byte size when I looked at the saved images.

As to why, I will take a guess:

The impact of the war on wheat prices impacts poor people most and poor
people have access to less bandwidth. Websites that see themselves as public
information service providers see it as their duty to be sparing on image size.

It is one of the reasons I go to the BBC first, it loads faster than the commercials.
 
Samson said:
My issues are:
  • When this is working correctly, these companies are sending this voluntarily giving UK children's details to American law enforcement. This has to be a breach on the GDPR, at the very least Art. 14 and probably others.
  • If there really is a good use case for this they should tell people, and give people the opportunity to opt out. If they cannot justify it enough so that people will, then is there any good reason to believe they actually have a good reason?
  • There seems to be no security at all on these requests. Email address is no security, see here.
  • They set up a system where they have enough information to to allow people to access the site. I think this is security broken by design, and I do not understand how it is the default in this day and age.
  • The system should be set up expecting hackers to do this. If not they do not understand how the IT world works, or do not care about security.
I will also point out who you are quoting, I am not sure they are unbiased:

https://unit221b.com/ :

Unit 221B performs investigations and counterintelligence operations for the private and public sector. We conduct criminal and national security digital forensic investigations, advanced malware research, law enforcement liaison support, and threat neutralization and containment.​
Click to expand...
GDPR makes exceptions for emergency situations. You really don't seem to understand at all what the hackers are exploiting. You also can't "opt out" of things involving law enforcement. They're only giving out information in these cases when it's necessary to save lives.

But of course facts and reason don't matter due to bias.
 
MaryKB said:
GDPR makes exceptions for emergency situations. You really don't seem to understand at all what the hackers are exploiting. You also can't "opt out" of things involving law enforcement. They're only giving out information in these cases when it's necessary to save lives.

But of course facts and reason don't matter due to bias.
Click to expand...
I wonder who is not understanding what. Can you point at the GDPR exceptions for "emergencies"? Can you explain how US law enforcement having UK childs IP address saves lives? Can you explain how a system that "only giving out information in these cases when it's necessary" gave out this information?
 
Samson said:
I wonder who is not understanding what. Can you point at the GDPR exceptions for "emergencies"? Can you explain how US law enforcement having UK childs IP address saves lives? Can you explain how a system that "only giving out information in these cases when it's necessary" gave out this information?
Click to expand...
Read the article you quoted. These hackers have basically taken over law enforcement emails and are pretending to be dealing with an emergency.

Here's a link for you about data in emergencies, since you aren't interested in doing your own research:

https://ico.org.uk/for-organisation...ng-in-an-urgent-situation-or-in-an-emergency/
 
MaryKB said:
Read the article you quoted. These hackers have basically taken over law enforcement emails and are pretending to be dealing with an emergency.
Click to expand...
I did read it. These hackers took over law enforcement emails. That in itself is a very bad sign for law enforcement, considering the amount of personal data they have access to. People should be asking their politicians how their systems are secured. Then the companies sent on personally identifiable data that could be of no use to the law enforcement agency, the aforementioned childs UK IP address to non-federal US LE. The way the company identified the request as coming from a trustworthy source was on the basis of the email address, which is a really bad way to do it, both because they can be falsified and because of hack like this. While there is a good chance these have some level of protection, it really is not enough to validate sending PII. I think I would lose my job if I sent PII out like that.
MaryKB said:
Here's a link for you about data in emergencies, since you aren't interested in doing your own research:

https://ico.org.uk/for-organisation...ng-in-an-urgent-situation-or-in-an-emergency/
Click to expand...
That is not an exception to the GDPR, which is UK law. That is an ICO code of practice. I have had to figure out the basics of GDPR law for work.

There is actually an exception for law enforcement, but only UK law enforcement. This is the list. And it is not that they can email and ask for the data in an emergency, there is a whole process.
 
Last edited:
MaryKB said:
“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,
Click to expand...
Yes, but that person ‘at the core’ wasn't always ‘at the helm’, which is a big difference. In the case of Facebook in particular they were out to make money whichever way possible and damn everything else, and in fact a lot of the (would-be) whistleblowers ended up leaving.
 
It is also worth mentioning that the fact that law enforcement can require companies to give up data is basically why Schrems II went the way it did, potentially breaking the business model of the big tech havestors by stopping EU PII being processed in the US.

The CJEU found that European Commission’s adequacy determination for Privacy Shield is invalid for two main reasons. First, the court found that U.S. surveillance programs, which the commission assessed in its Privacy Shield decision, are not limited to what is strictly necessary and proportional as required by EU law and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights. Second, the court determined that, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.​
 
Samson said:
If other people see the 2 images below the same I would love to know, it could be just me.
Click to expand...

Those are not even close.
 
That’s a lot of initialisms and clicking on stuff. Accept this, reject this, “our partners” (who just want to sell me audio versions of Cliff’s Notes and pseudoscientific weight loss supplements.) I wish we could just get rid of a lot of this data analytics advertising crap and just go back to banner ads or whatever.

Supplementary rant: the park took out the machine with the good lemonade.
 
amadeus said:
I wish we could just get rid of a lot of this data analytics advertising crap and just go back to banner ads or whatever.
Click to expand...
*smiles happily in a nostalgic way*
 
amadeus said:
That’s a lot of initialisms and clicking on stuff. Accept this, reject this, “our partners” (who just want to sell me audio versions of Cliff’s Notes and pseudoscientific weight loss supplements.) I wish we could just get rid of a lot of this data analytics advertising crap and just go back to banner ads or whatever.
Click to expand...
What they should have done is introduce optional fields in http requests to allow browsers to include "Reject all cookies" or "Track me everywhere" in the initial requests, so it does not need to be included in the human readable bit of the site.
 
It seems you're still under the influence of...something. I don't have the balls for this but I hope it wasn't poetic justice after all.
 
sometime in 2016 this forum went into Xenforo and all my posts before became nullified , because of spelling stuff which makes them real hard to read even for me . Ms. Rodham was going to be Ms. President ... Yeah , totally worked out in that way .

today we all have 0 posts and will have 0 posts . Unless we don't behave because our posts might then go into negative values ! We are nullified ! Oh come on , dear Pentagon and whatnot , ı haven't started to fight yet .
 
Clearly the reason for the zero post count for everyone is me watching The Equalizer yesterday. This is the non-violent CFC solution.
 
am busy preparing a more serious rant for tomorrow for anyone that comes up with "Aprils Fool" . Am a fool all year round .
 
Status
Not open for further replies.

Similar threads

Broken_Erika
Random Rants 94 I rant at the thread title and shake my fist menacingly.
47 48 49
Replies
976
Views
60K
Gori the Grey
Gori the Grey
Takhisis
  • Locked
Random Rants noventa y tres: The Incredible Hulk will not be presented this evening.
49 50 51
Replies
1K
Views
53K
sophie
sophie
amadeus
  • Locked
Random Rants 91 - Semiprimal Rage
49 50 51
Replies
1K
Views
61K
Birdjaguar
Birdjaguar
Takhisis
  • Locked
Random Rants Q': I protest against subtitles
49 50 51
Replies
1K
Views
67K
Arakhor
Arakhor
Valka D'Ur
  • Locked
Random Rants LXXXIX: I HATE MOVING!
49 50 51
Replies
1K
Views
58K
Arakhor
Arakhor
Back
Top Bottom