Random Rants 92 - Not Enough Snerk

Status
Not open for further replies.
Interesting how that's your takeaway. I'd think more we need a "rant at hackers" thread.
That is certainly a take. The way I look at it is that if there is money to be made in getting through companies' security then hackers will exist. What we have a choice about is how we protect ourselves against them. If the big data accumulators are willing to voluntarily give our data away without our say-so then that makes it much harder for us to do so, so I will rant about that. I quite see how others would feel the need to rant about the existence of hackers, and that is great too.

To be honest I put the existence of hackers on the big companies too. I think passwords for remote access should have been a thing of the past a decade ago.
 
You missed most of the article, including this bit:

“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” said Allison Nixon, chief research officer at the cyber firm Unit 221B. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”

This situation is about hackers compromising law enforcement accounts that are used for a legitimate emergency purpose and using that for malicious intentions.
 
My issues are:
  • When this is working correctly, these companies are voluntarily giving UK children's details to American law enforcement. This has to be a breach of the GDPR, at the very least Art. 14 and probably others.
  • If there really is a good use case for this they should tell people, and give people the opportunity to opt out. If they cannot justify it enough so that people will, then is there any good reason to believe they actually have a good reason?
  • There seems to be no security at all on these requests. Email address is no security, see here.
  • They set up a system where they have enough information to allow people to access the site. I think this is security broken by design, and I do not understand how it is the default in this day and age.
  • The system should be set up expecting hackers to do this. If not they do not understand how the IT world works, or do not care about security.
I will also point out who you are quoting, I am not sure they are unbiased:

https://unit221b.com/ :

Unit 221B performs investigations and counterintelligence operations for the private and public sector. We conduct criminal and national security digital forensic investigations, advanced malware research, law enforcement liaison support, and threat neutralization and containment.
 
Yeah, I did not complain when I found out they were showing the smaller one. I only got "upset" when I figured out how much work they were doing to show a blurry image. I have never seen them shown at the full size on their web site, so they could have just made it at 770 pixels, or converted it with a bit of software that does anti-aliasing (?) right one time (like my browser is doing), and not have to downsize it badly every time the image is served (though there must be some caching going on), and had a crisp image. It is like every stage would have been easier, and the result would have been better.


Both pictures were perfectly clear to me. The second picture was larger, both on my screen and in byte size when I looked at the saved images.

As to why, I will take a guess:

The impact of the war on wheat prices impacts poor people most and poor people have access to less bandwidth. Websites that see themselves as public information service providers see it as their duty to be sparing on image size.

It is one of the reasons I go to the BBC first, it loads faster than the commercials.
 
GDPR makes exceptions for emergency situations. You really don't seem to understand at all what the hackers are exploiting. You also can't "opt out" of things involving law enforcement. They're only giving out information in these cases when it's necessary to save lives.

But of course facts and reason don't matter due to bias.
 
I wonder who is not understanding what. Can you point at the GDPR exceptions for "emergencies"? Can you explain how US law enforcement having a UK child's IP address saves lives? Can you explain how a system that is "only giving out information in these cases when it's necessary" gave out this information?
 
Read the article you quoted. These hackers have basically taken over law enforcement emails and are pretending to be dealing with an emergency.

Here's a link for you about data in emergencies, since you aren't interested in doing your own research:

https://ico.org.uk/for-organisation...ng-in-an-urgent-situation-or-in-an-emergency/
 
I did read it. These hackers took over law enforcement emails. That in itself is a very bad sign for law enforcement, considering the amount of personal data they have access to. People should be asking their politicians how their systems are secured. Then the companies sent on personally identifiable data that could be of no use to the law enforcement agency, the aforementioned child's UK IP address, to non-federal US LE. The way the company identified the request as coming from a trustworthy source was on the basis of the email address, which is a really bad way to do it, both because they can be falsified and because of hacks like this. While there is a good chance these have some level of protection, it really is not enough to validate sending PII. I think I would lose my job if I sent PII out like that.
That is not an exception to the GDPR, which is UK law. That is an ICO code of practice. I have had to figure out the basics of GDPR law for work.

There is actually an exception for law enforcement, but only UK law enforcement. This is the list. And it is not that they can email and ask for the data in an emergency, there is a whole process.
 
“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,
Yes, but that person ‘at the core’ wasn't always ‘at the helm’, which is a big difference. In the case of Facebook in particular they were out to make money whichever way possible and damn everything else, and in fact a lot of the (would-be) whistleblowers ended up leaving.
 
It is also worth mentioning that the fact that law enforcement can require companies to give up data is basically why Schrems II went the way it did, potentially breaking the business model of the big tech harvesters by stopping EU PII being processed in the US.

The CJEU found that the European Commission's adequacy determination for Privacy Shield is invalid for two main reasons. First, the court found that U.S. surveillance programs, which the commission assessed in its Privacy Shield decision, are not limited to what is strictly necessary and proportional as required by EU law and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights. Second, the court determined that, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.
 
If other people see the 2 images below the same I would love to know, it could be just me.

Those are not even close.
 
That’s a lot of initialisms and clicking on stuff. Accept this, reject this, “our partners” (who just want to sell me audio versions of Cliff’s Notes and pseudoscientific weight loss supplements.) I wish we could just get rid of a lot of this data analytics advertising crap and just go back to banner ads or whatever.

Supplementary rant: the park took out the machine with the good lemonade.
 
I wish we could just get rid of a lot of this data analytics advertising crap and just go back to banner ads or whatever.
*smiles happily in a nostalgic way*
 
What they should have done is introduce optional fields in http requests to allow browsers to include "Reject all cookies" or "Track me everywhere" in the initial requests, so it does not need to be included in the human readable bit of the site.
 
It seems you're still under the influence of...something. I don't have the balls for this but I hope it wasn't poetic justice after all.
 
Sometime in 2016 this forum went into XenForo and all my posts before became nullified, because of spelling stuff which makes them real hard to read even for me. Ms. Rodham was going to be Ms. President... Yeah, totally worked out in that way.

Today we all have 0 posts and will have 0 posts. Unless we don't behave, because our posts might then go into negative values! We are nullified! Oh come on, dear Pentagon and whatnot, I haven't started to fight yet.
 
Clearly the reason for the zero post count for everyone is me watching The Equalizer yesterday. This is the non-violent CFC solution.
 
I am busy preparing a more serious rant for tomorrow for anyone that comes up with "April Fools". Am a fool all year round.
 