#dataareliability

dredmorbius@diaspora.glasswings.com

Data are Liability: Billion-record stolen Chinese database for sale on breach forum

A threat actor has taken to a forum for news and discussion of data breaches with an offer to sell what they assert is a database containing records of over a billion Chinese civilians – allegedly stolen from the Shanghai Police.

Over the weekend, reports started to surface of a post to a forum at Breached.to. The post makes the following claim:

In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens.

HN discussion: https://news.ycombinator.com/item?id=31986441

Nothing tracks like a police state.

And nothing leaks like a police state.

https://www.theregister.com/2022/07/05/shanghai_police_database_for_sell/

#DataAreLiability #Shanghai #China #Surveillance #SurveillanceState #DataBreach

dredmorbius@joindiaspora.com

After the Capitol riot, ‘Stop the Steal’ organizer Ali Alexander was scrambling to hide his digital footprint

The 'Stop the Steal' founder's data was swept up in the breach of web hosting company Epik.

Just days after supporters of former President Donald Trump violently stormed the Capitol on Jan. 6, Ali Alexander, one of the primary organizers of the rally that day, appeared to be busy, attempting to hide his ties to dozens and dozens of websites calling the 2020 election stolen.

Domains tied to Alexander that pushed Stop the Steal, which the Daily Dot reviewed, including ones he publicly posted on as himself, were scrambled in the wake of the riot to hide ownership. But hacked documents show they trace right back to Ali and an anonymizing service from the web hosting company Epik.

In the run-up to the failed insurrection, which was sparked by weeks of false allegations regarding widespread voter fraud in the 2020 presidential election, Alexander had positioned himself as the movement’s de facto leader with his “Stop the Steal” campaign. ...

Previously known as Ali Akbar.

https://www.dailydot.com/debug/ali-alexander-epik-hack-web-domains-capitol-riot/

#uspol #Jan6Coup #AliAkbar #AliAlexander #EpikFail #Insurrection #StopTheSteal #DataAreLiability #DataBreaches #politics

dredmorbius@joindiaspora.com

Dumb Phone

Elsewhere a friend laments:

The frequency with which I need my email and a notebook while I'm on the phone makes integrated devices foolish.

I'd covered that point a few years ago in a larger essay on the tyranny of the minimum viable user:

It's also interesting to consider what the operating environment of earlier phones was -- because it exceeded the device itself.

A business-use phone of, say, the 1970s, existed in a loosely-integrated environment comprising:

  • The user
  • The phone itself
  • A Rolodex or addressbook / contacts list
  • The local PBX -- the business's dedicated internal phone switch.
  • A secretary or switchboard operator, serving also as a message-taking (voice-to-text), screening, redirect, directory, interactive voice response, and/or calendaring service
  • A desk calendar
  • A phone book
  • A diary or organiser
  • Scratch paper

Critically: these components operated simultaneously and independently of the phone.

A modern business, software, or smartphone system may offer some, or even all, of these functions, but frequently:

  • They aren't available whilst a call is in process
  • They have vastly less capability or flexibility than the systems they replaced

https://old.reddit.com/r/dredmorbius/comments/69wk8y/the_tyranny_of_the_minimum_viable_user/

There's also the increasingly evident problem that having all your critical data on a communications device is a fundamental and intractable risk. The dis-integrated business telephony environment of the 1950s--1990s maintained data isolation between elements. Telephone numbers served as the reasonably-viable data-exchange-and-linking interface between components (map a name or address to a number, enter the number on a calendar or correspondence, etc.).

It's almost as if putting your filing system, personal diary, correspondence, photo album, and directory on a surveillance and exfiltration device was a Bad Idea.

And not just from a UI/UX / accessibility perspective.

It turns out that a chief affordance of the old POTS landline telephone was the air gap between it and everything else inside your office / home.

(We can talk about the solicitations, robocalls, and phishing issues separately.)

#telephony #telephones #risk #AirGap #data #DataAreLiability #UIUX #Usability #SmartPhones #DumbPhones #computers #communications #privacy #security #surveillance

dredmorbius@joindiaspora.com

Belarus manufactures "bomb threat" to hijack airliner and kidnap opposition journalist at president's direct orders

The story's all over the news, NPR has a good summary:

Authorities in Belarus ordered a Ryanair flight to make an emergency landing in the capital city of Minsk, after reports that a bomb was on board the aircraft. Officials then boarded the plane and arrested Roman Protasevich, the former editor and founder of an opposition blog and social media channel.

No explosives were found on the plane.

The flight, which had taken off in Athens and was on its way to Lithuania, was just leaving Belarusian airspace when the bomb was reported. The Belarusian regime says it then sent a scrambled fighter jet to escort the flight to the Minsk airport.

The Ryanair flight made a kind of U-turn just before the Lithuanian border before heading back toward Minsk, according to the site Flightradar24. It was closer to the Vilnius airport in Lithuania than Minsk at the time.

The act has drawn condemnation from European leaders, demanding an explanation. ...

https://www.npr.org/2021/05/23/999603575/ryanair-flight-carrying-opposition-journalist-forced-to-land-in-belarus

I'll note that there's widespread open acknowledgement that:

  • The threat was entirely fabricated.
  • The orders appear to have come directly from Belarus president Alexander Lukashenko.
  • The motive was to capture an opposition journalist, travelling between two third-party countries.

There's a "data are liability" angle.

The Belarus plane hijack is a small reminder why it's generally not a good idea to let governments know who is going to where. I'm not sure why governments that like to think of themselves as democratic don't see the risks.

-- Alexander Bochmann https://mastodon.infra.de/@galaxis/106285985254850170

I'd made a similar point following the assassination of Kim Jong-nam at an Indonesian airport in 2017:

Travel and hospitality databases are widely accessible and shared amongst a tremendous number of organisations. State intelligence organisations might readily have access through their own state-run airline, or through private operations or plants within same. Similarly for terrorist, narco-criminal, money-laundering, or other organisations. Financial, banking, and payment-processing systems, only slightly less so. A P.I. license or position on a fraud or abuse desk at a major online retailer, or any skip-tracing agency, can have access to such information.

https://old.reddit.com/r/dredmorbius/comments/5ud243/data_are_liability_book_your_assassination_now/

What is your threat model?

Note that your own threat model may not include possibilities which put others at risk.

In fairness, it appears that Protasevich was followed onto the plane itself, suggesting that in-flight availability of manifests played little role. The question of what pre-flight intelligence methods were employed remains open.

And yes there are parallels to earlier incidents, including the effectual grounding of the Bolivian Presidential airplane in 2017 in an attempt to intercept Edward Snowden, see https://www.bbc.com/news/av/world-latin-america-23166146.

#belarus #DataAreLiability #ryanair #kidnapping #ElexanderLukashenka #RomanProtasevich #kgb #Minsk #Lithuania #Greece

dredmorbius@joindiaspora.com

Further empty Glenn Greenwald apologia for Parler proving entirely false

Gizmodo put paid to Greenwald's unfounded assertions.

Greenwald tweeted:

Do you know how many of the people arrested in connection with the Capitol invasion were active users of Parler?

Zero.

https://twitter.com/ggreenwald/status/1348619731734028293

Noting his highly-conditioned and narrowly-scoped criteria (arrests are ongoing, and few to date), data obtained directly from Parler puts multiple members directly at the scene of the coup:

At least several users of the far-right social network Parler appear to be among the horde of rioters that managed to penetrate deep inside the U.S. Capitol building and into areas normally restricted to the public, according to GPS metadata linked to videos posted to the platform the day of the insurrection in Washington.

The data, obtained by a computer hacker through legal means ahead of Parler’s shutdown on Monday, offers a bird’s eye view of its users swarming the Capitol grounds after receiving encouragement from President Trump — and during a violent breach that sent lawmakers and Capitol Hill visitors scrambling amid gunshots and calls for their death. GPS coordinates taken from 618 Parler videos analyzed by Gizmodo has already been sought after by FBI as part of a sweeping nationwide search for potential suspects, at least 20 of whom are already in custody.

https://gizmodo.com/parler-users-breached-deep-inside-u-s-capitol-building-1846042905/

Greenwald is simply fabulating at this point.

Get this boy an editor. Or mental help.

h/t: https://twitter.com/hannahgais/status/1349082704424427520

Image: Gizmodo.

#Jan6Coup #Parler #GlennGreenwald #Fabulists #credibility #Gizmodo #DataAreLiability

dredmorbius@joindiaspora.com

Hunting the Hunters: How We Identified Navalny’s FSB Stalkers

... Due to porous data protection measures in Russia, it only takes some creative Googling (or Yandexing) and a few hundred euros worth of cryptocurrency to be fed through an automated payment platform, not much different than Amazon or Lexis Nexis, to acquire telephone records with geolocation data, passenger manifests, and residential data. For the records contained within multi-gigabyte database files that are not already floating around the internet via torrent networks, there is a thriving black market to buy and sell data. The humans who manually fetch this data are often low-level employees at banks, telephone companies, and police departments. Often, these data merchants providing data to resellers or direct to customers are caught and face criminal charges. For other batches of records, there are automated services either within websites or through bots on the Telegram messaging service that entirely circumvent the necessity of a human conduit to provide sensitive personal data.

For example, to find a huge collection of personal information for Anatoliy Chepiga — one of the two GRU officers involved in the poisoning of Sergey Skripal and his daughter — we only need to use a Telegram bot and about 10 euros. Within 2-3 minutes of entering Chepiga’s full name and providing a credit card via Google Pay or a payment service like Yandex Money, a popular Telegram bot will provide us with Chepiga’s date of birth, passport number, court records, license plate number, VIN number, previous vehicle ownership history, traffic violations, and frequent parking locations in Moscow. A sample of the baseline information provided can be seen below, with key personal details censored. ...

https://www.bellingcat.com/resources/2020/12/14/navalny-fsb-methodology

h/t @Glyn Moody

Previous discussion.

#surveillance #DataAreLiability #SurveillanceCapitalism #SurveillanceState #bellingcat #privacy #russia

dredmorbius@joindiaspora.com

44 bits

So, a redditor tracked down the location of a monolith placed in the Utah desert a few years ago, recently discovered by authorities, who did not disclose where it was.[1]

I looked at rock type (Sandstone), color (red and white - no black streaks like found on higher cliffs in Utah), shape (more rounded indicating a more exposed area and erosion), the texture of the canyon floor (flat rock vs sloped indicating higher up in a watershed with infrequent water), and the larger cliff/mesa in the upper background of one of the photos. I took all that and lined it up with the flight time and flight path of the helicopter - earlier in the morning taking off from Monticello, UT and flying almost directly north before going off radar (usually indicating it dropped below radar scan altitude). From there, I know I am looking for a south/east facing canyon with rounded red/white rock, most likely close to the base of a larger cliff/mesa, most likely closer to the top of a watershed, and with a suitable flat area for an AS350 helicopter to land. Took about 30 minutes of random checks around the Green River/Colorado River junction before finding similar terrain. From there it took another 15 minutes to find the exact canyon. Yes... I'm a freak.

-- /u/Bear__Fucker @ reddit

It's relatively well known that 33 distinct bits is enough to uniquely identify any individual person now alive on Earth.[2]

Geospatially, assuming 10m resolution, 44 bits is enough to identify any unique location on Earth's land surface. 46 bits buys you the oceans as well.

Searching for a ~1 m² monolith visually within a 10 m² square is reasonable.

GNU units:

You have: ln((.3 * 4 * (earthradius^2) * pi)/10m^2)/ln(2)
        Definition: 43.798784
You have: ln((1 * 4 * (earthradius^2) * pi)/10m^2)/ln(2)
        Definition: 45.535749

49 bits gives 1m accuracy, 63 bits 1cm, 69 bits 1mm. Anywhere on Earth, land or sea.

For comparison, cellphone positioning accuracy is typically 8--600m:

  • 3G iPhone w/ A-GPS ~ 8 meters
  • 3G iPhone w/ wifi ~ 74 meters
  • 3G iPhone w/ Cellular positioning ~ 600 meters

https://communityhealthmaps.nlm.nih.gov/2014/07/07/how-accurate-is-the-gps-on-my-smart-phone-part-2/

https://www.gps.gov/systems/gps/performance/accuracy/

The power of disparate data traces to rapidly narrow down search spaces on a specific item, individual, or location, is what makes #BigData aggregation so powerful, and terrifying.

Notes:

  1. https://old.reddit.com/r/geoguessr/comments/jzw628/help_me_find_this_obelisk_in_remote_utah/gdfbzee/ https://news.ycombinator.com/item?id=25199879

  2. https://web.archive.org/web/20160304012305/33bits.org/about/

#privacy4 #location #33bits #44bits #data #deanonimization #DataAreLiability #surveillance #SurveillanceState #SurveillanceCapitalism
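The bit-count arithmetic from the "44 bits" post above, carried out in Python as an added example that is not part of the original post. It reproduces the GNU units figures (assuming, as GNU units does for `earthradius`, a mean Earth radius of about 6371 km), the post's 30% land fraction, and the 1 m / 1 cm / 1 mm counts, then extends the same calculation in two directions the post only hints at: how many bits of location information a phone fix of a given accuracy reveals, and how many 10 m² cells remain to search afterwards. The world population figure of 7.8 billion used for the 33-bit check is an assumed round number, not from the post.

```python
import math

# Assumption: GNU units' `earthradius` is the mean radius, ~6371 km; the
# post's 43.798784 / 45.535749 figures reproduce with this value.
EARTH_RADIUS_M = 6_371_000.0
EARTH_SURFACE_M2 = 4.0 * math.pi * EARTH_RADIUS_M ** 2
LAND_FRACTION = 0.3                    # the post's rough "0.3 of the surface is land"
WORLD_POPULATION_2020 = 7_800_000_000  # assumed round figure for the 33-bit check


def location_bits(cell_area_m2: float, fraction: float = 1.0) -> float:
    """Bits needed to name one cell of `cell_area_m2` among the cells tiling
    `fraction` of Earth's surface: log2(number of cells).  This is the post's
    ln(fraction * 4 * pi * r^2 / cell) / ln(2) expression."""
    if cell_area_m2 <= 0 or not 0 < fraction <= 1:
        raise ValueError("cell area must be positive and fraction in (0, 1]")
    return math.log2(fraction * EARTH_SURFACE_M2 / cell_area_m2)


def bits_for_side(side_m: float, fraction: float = 1.0) -> int:
    """Whole bits for square cells of side `side_m` (1 m, 1 cm, 1 mm, ...)."""
    return math.ceil(location_bits(side_m ** 2, fraction))


def identity_bits(population: int) -> int:
    """Whole bits needed to single out one person among `population`."""
    return math.ceil(math.log2(population))


def fix_bits(accuracy_radius_m: float) -> float:
    """Bits of location information a position fix reveals when the true
    position is only known to lie within a circle of this radius."""
    return location_bits(math.pi * accuracy_radius_m ** 2)


def remaining_search_cells(accuracy_radius_m: float, cell_area_m2: float) -> float:
    """Cells of `cell_area_m2` still to be searched after a fix of the given
    accuracy: 2 ** (bits to name a cell - bits the fix already supplied)."""
    return 2 ** (location_bits(cell_area_m2) - fix_bits(accuracy_radius_m))


if __name__ == "__main__":
    print(f"10 m^2 cells, land only  : {location_bits(10, LAND_FRACTION):.6f} bits")
    print(f"10 m^2 cells, whole globe: {location_bits(10):.6f} bits")
    for side, label in ((1, "1 m"), (0.01, "1 cm"), (0.001, "1 mm")):
        print(f"{label:>5} resolution: {bits_for_side(side)} bits")
    print(f"one person in {WORLD_POPULATION_2020:,}: "
          f"{identity_bits(WORLD_POPULATION_2020)} bits")
    # Constructed accuracy radii matching the post's phone-positioning list.
    for radius, label in ((8, "A-GPS"), (74, "wifi"), (600, "cellular")):
        print(f"{label:>8} fix (~{radius} m): reveals {fix_bits(radius):.1f} bits, "
              f"leaves ~{remaining_search_cells(radius, 10):.0f} cells of 10 m^2 to search")
```

The last loop is the "narrowing the search space" point in numbers: an 8 m A-GPS fix supplies about 41 of the roughly 45.5 bits needed to name a 10 m² cell anywhere on the globe, leaving some twenty cells to check by eye, while a 600 m cellular fix still leaves on the order of a hundred thousand.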

dredmorbius@joindiaspora.com

Why Amazon Knows So Much About You

…One database contains transcriptions of all 31,082 interactions my family has had with the virtual assistant Alexa. Audio clips of the recordings are also provided. The 48 requests to play Let It Go flag my daughter's infatuation with Disney's Frozen. Other late-night music requests to the bedroom Echo might provide a clue to a more adult activity…

https://www.bbc.co.uk/news/extra/CLQYZENMBI/amazon-data

#amazon #surveillanceCapitalism #dataAreLiability #privacy #bbc

dredmorbius@joindiaspora.com

Kristallnacht, Vermont: ICE Is Targeting Activists in Vermont. And the State’s DMV Has Been Helping Them

One of my long-standing critical posts of Google takes the idea that even well-intended and well-executed data collection can prove dangerous. A tool that was critical in the persecution of Jews and others in Europe was the routine data collection -- business and census records, as examples -- particularly of governments at various levels. In some cases, the local political climate changed, as in Germany on the night of 9-10 November 1938; in others, the countries were invaded and conquered by military force, and the records made available to the Nazi regime. The Netherlands and Poland are particular examples of this, and of course there's the history of IBM in directly supporting the Holocaust's data-processing requirements (more). The information technology industry has blood on its hands.

Google, of course, collect vast troves of data on billions of people, as do many other tech giants. And even if the intentions are good, the execution excellent, and the policies robust, a change in political regime, or black-hat actors internally at the right levels, can turn these data against their subject with devastating effect.

This is what has now happened, and is happening, in Vermont.

From the ACLU:

In October 2017, Vermont-based Migrant Justice scored a major victory in the organization’s campaign to extend labor protections to undocumented farmworkers in the state. After years of public action and lobbying, they reached an agreement with Ben & Jerry’s that established basic labor standards at the farms supplying dairy products to the company. Those standards included one day off a week, a minimum wage of $10 per hour, and accommodations that included electricity and running water — a milestone for farmworkers’ rights in Vermont. For many Migrant Justice organizers, who were themselves undocumented and had worked long hours in those dairy farms, the victory was personal....

In 2013, Migrant Justice played a critical role in the passage of Vermont’s Driver Privilege Card law, which allowed undocumented immigrants to obtain legal driving permits. But a public-records request filed by the ACLU revealed that DMV officials systematically passed the private information of applicants for those permits directly to ICE, even in cases where ICE agents hadn’t asked for it. Email correspondence obtained in the request show DMV workers using racist language to describe those applicants, referring to “South of the Border” names and in one case lamenting that the state was being “over run by immigrants.”

Data are liability.

h/t Shava Narad at the PLOOS.

#Kristallnacht #DataAreLiability #Vermont #ICE #immigrants #SanctuaryCity #racism #ACLU

https://www.aclu.org/blog/immigrants-rights/ice-targeting-activists-vermont-and-states-dmv-has-been-helping-them