Wednesday, September 21, 2022

Note that even huge breaches don’t make much of a ripple on the evening news.

https://www.databreaches.net/ask-fm-user-database-with-350m-user-records-has-shown-up-for-sale/

Ask.FM user database with 350m user records has shown up for sale

“I think it’s probably one of the biggest breaches in a long time, can’t think of any bigger ones,” Pompompurin, the owner of Breached.to, wrote when asked about a new for-sale listing that appeared on his forum.

A seller called “Data,” who Pompompurin says he will “vouch all day and night for” listed user data from Ask.FM (ASKfm), the social networking site.

“I’m selling the users database of Ask.fm and ask.com,” Data wrote. “For connoisseurs, you can also get 607 repositories plus their Gitlab, Jira, Confluence databases.”

There are about 350 million records in the database, with about 45 million of them using Single Sign-On login.

The fields in the user database include: “user_id, username, mail, hash, salt, fbid, twitterid, vkid, fbuid, iguid” and the hashes are reportedly crackable.

Data, who joined the forum in March, also provided a list of repositories, and sample git and sample user data.

DataBreaches reached out to Data to ask some questions about when the data were acquired and how. DataBreaches also reached out to Ask.FM last night to ask them some questions.

Ask.FM didn’t reply to either of two inquiries over a 24-hour period, but Data did respond to this site’s questions, with two prefatory remarks. The first was to berate yours truly for having a protonmail account. The second was a request to please add “Marine Le Pen is a racist fraudster.”

Having dealt with those remarks, let’s turn to the clarification Data provided on the Ask.FM incident.

In response to the first query about initial access, Data replied that there was a vulnerability in Safety Center: the server contained a WordPress site on their ASKFM-NET network.

As to when the hack occurred, Data replied that the server was first accessed in 2019 and the database was obtained on 2020-03-14. Data provided this site with users on the Safety Center and wrote insultingly about a certain ‘lazy’ administrator who allegedly used the same password everywhere.

[Note: Data provided specific and technical details that DataBreaches is not reproducing in this post out of concern that they might encourage or enable others to re-attack Ask.FM. According to Data, Ask.FM is still vulnerable due to a poor response to the 2020 incident.

“Specific parts were taken in 2021, although they assumed the aggressors were kicked off,” Data wrote. “The buyer will get specific details on how piss easy it is to compromise the morons.”]

How easy is “piss easy,” you wonder? “Just need to open 10 source files and spot either a vulnerability or peek at the heavy password re-use,” Data told DataBreaches.

Ask.FM Knew But Kept Quiet?

When asked whether Ask.FM knew about the breach in 2020, Data was unequivocal in stating that they knew. Ask.FM noticed the March 2020 breach circa June 2020, Data claims, but “was apparently too busy laying off employees to give Answers to the attempt to contact them.”

Data’s claim that Ask.FM knew was based, in part, on Ask.FM burning some specific access the hackers had played around with, like several production AWS credentials provided to DataBreaches.

DataBreaches could find no media coverage or other indication that Ask.FM ever disclosed the March 2020 breach or notified users of it. If anyone ever received a notification about it, please contact DataBreaches. If Ask.FM replies to inquiries, this post will be updated.

Because Data invited contacts by private message, it’s not clear how many purchase offers they have received at this point, but they tell DataBreaches that they are now looking more at a single (exclusive) sale.

Updated 9/21/2022: Because there has still been no reply by AskFM, DataBreaches sent an inquiry to the Irish DPC asking whether AskFM ever reported the March 2020 incident to them under the GDPR. This post will be updated when a reply to that inquiry is received.





Will lawyers be asked to arrange abortions and will that communication be as vulnerable?

https://www.theregister.com/2022/09/20/encryption_abortion_data/

Meta, Twitter, Apple, Google urged to up encryption game in post-Roe America

Now that America has entered its post-Roe era, in which more than a dozen states have banned abortion, digital rights advocacy group Fight for the Future has called on tech companies to implement strong on-by-default end-to-end encryption (E2EE) across their messaging services to secure users' communications, and prevent conversations from being shared with police and others.

Crucially, campaigners want to ensure that people's chats discussing procedures outlawed at the state level can't be obtained by the cops and used to build a criminal case against them.

"When our messages are protected from interlopers, we can communicate freely, without the fear of being watched," said Caitlin Seeley George, Fight for the Future's campaigns and managing director, in a statement.





We had an effect? You’re welcome?

https://fpf.org/blog/the-colorado-effect-status-check-on-colorados-privacy-rulemaking/

THE “COLORADO EFFECT?” STATUS CHECK ON COLORADO’S PRIVACY RULEMAKING

Colorado is set to formally enter a rulemaking process which may establish de facto interpretations for privacy protections across the United States. With the passage of the Colorado Privacy Act (CPA) in 2021, Colorado, along with Virginia, Utah, and Connecticut, became part of an emerging group of states adopting privacy laws that share a similar framework and many core definitions with a legislative model developed (though never enacted) in Washington State. However, while the general model of legislation seen in the CPA is similar to recently enacted state privacy laws, the CPA stands alone in providing authority to the state Attorney General to issue regulations.

Because no other similar state law has provided for this type of interpretative authority, regulations issued by the Colorado Attorney General could have far-reaching implications for how both businesses and regulators in other jurisdictions come to interpret key state privacy rights and protections. Colorado’s pre-rulemaking process recently concluded, revealing a range of possible directions that formal rulemaking could take. Below, we assess key priorities and areas of significant divergence that have been brought into focus both through public comments from stakeholders and questions posed by the Attorney General.





Agreed, but I’m not sure that’s the solution.

https://www.scientificamerican.com/article/artificial-intelligence-needs-both-pragmatists-and-blue-sky-visionaries/#

Artificial Intelligence Needs Both Pragmatists and Blue-Sky Visionaries

Artificial intelligence thinkers seem to emerge from two communities. One is what I call blue-sky visionaries who speculate about the future possibilities of the technology, invoking utopian fantasies to generate excitement. Blue-sky ideas are compelling but are often clouded over by unrealistic visions and the ethical challenges of what can and should be built.

In contrast, what I call muddy-boots pragmatists are problem- and solution-focused. They want to reduce the harms that widely used AI-infused systems can create. They focus on fixing biased and flawed systems, such as in facial recognition systems that often mistakenly identify people as criminals or violate privacy. The pragmatists want to reduce deadly medical mistakes that AI can make, and steer self-driving cars to be safe-driving cars. Their goal is also to improve AI-based decisions about mortgage loans, college admissions, job hiring and parole granting.





Do you need to read cursive or are you willing to trust an AI App on your phone to read it for you? “For sure and several years ago our fathers bought this continent, a new station, conceited and liberally dominated by the preposition that owl men are created evil.”

https://www.bespacific.com/gen-z-never-learned-to-read-cursive/

Gen Z Never Learned to Read Cursive – How will they interpret the past?

The Atlantic: “In 2010, cursive was omitted from the new national Common Core standards for K–12 education. The students in my class, and their peers, were then somewhere in elementary school. Handwriting instruction had already been declining as laptops and tablets and lessons in “keyboarding” assumed an ever more prominent place in the classroom. Most of my students remembered getting no more than a year or so of somewhat desultory cursive training, which was often pushed aside by a growing emphasis on “teaching to the test.” Now in college, they represent the vanguard of a cursiveless world. Although I was unaware of it at the time, the 2010 Common Core policy on cursive had generated an uproar. Jeremiads about the impending decline of civilization appeared in The Atlantic, The New Yorker, The New York Times, and elsewhere. Defenders of script argued variously that knowledge of cursive was “a basic right,” a key connection between hand and brain, an essential form of self-discipline, and a fundamental expression of identity. Its disappearance would represent a craven submission to “the tyranny of ‘relevance.’ ” In the future, cursive will have to be taught to scholars the way Elizabethan secretary hand or paleography is today. Within a decade, cursive’s embattled advocates had succeeded in passing measures requiring some sort of cursive instruction in more than 20 states. At the same time, the struggle for cursive became part of a growing, politicized nostalgia for a lost past. In 2016, Louisiana’s state senators reminded their constituents that the Declaration of Independence had been written in cursive and cried out “America!” as they unanimously voted to restore handwriting instruction across the state…”





Perspective.

https://www.schneier.com/blog/archives/2022/09/automatic-cheating-detection-in-human-racing.html

Automatic Cheating Detection in Human Racing

This is a fascinating glimpse of the future of automatic cheating detection in sports:

Maybe you heard about the truly insane false-start controversy in track and field? Devon Allen—a wide receiver for the Philadelphia Eagles—was disqualified from the 110-meter hurdles at the World Athletics Championships a few weeks ago for a false start.
Here’s the problem: You can’t see the false start. Nobody can see the false start. By sight, Allen most definitely does not leave before the gun.
But here’s the thing: World Athletics has determined that it is not possible for someone to push off the block within a tenth of a second of the gun without false starting. They have science that shows it is beyond human capabilities to react that fast. Of course there are those (I’m among them) who would tell you that’s nonsense, that’s pseudoscience, there’s no way that they can limit human capabilities like that. There is science that shows it is humanly impossible to hit a fastball. There was once science that showed human beings could not run a four-minute mile.
Besides, do you know what Devon Allen’s reaction time was? It was 0.99 seconds. One thousandth of a second too fast, according to World Athletics’ science. They’re THAT sure that .01 seconds—and EXACTLY .01 seconds—is the limit of human possibilities that they will disqualify an athlete who has trained his whole life for this moment because he reacted one thousandth of a second faster than they think possible?

We in the computer world are used to this sort of thing. “The computer is always right,” even when it’s obviously wrong. But now computers are leaving the world of keyboards and screens, and this sort of thing will become more pervasive. In sports, computer systems are used to detect when a ball is out of bounds in tennis and other games and when a pitch is a strike in baseball. I’m sure there’s more—are computers detecting first downs in football?—but I’m not enough of a sports person to know them.


