Note that even huge breaches don’t make much of a ripple on the evening news.
https://www.databreaches.net/ask-fm-user-database-with-350m-user-records-has-shown-up-for-sale/
Ask.FM user database with 350m user records has shown up for sale
“I think it’s probably one of the biggest
breaches in a long time, can’t think of any bigger ones,”
Pompompurin, the owner of Breached.to, wrote when asked about a new
for-sale listing that appeared on his forum.
A seller called “Data,” who Pompompurin says
he will “vouch all day and night for” listed user data from
Ask.FM (ASKfm), the social networking site.
“I’m selling the users database of Ask.fm and
ask.com,” Data wrote. “For connoisseurs, you can also get 607
repositories plus their Gitlab, Jira, Confluence databases.”
There are about 350 million records in the
database, with about 45 million of them using Single Sign-On login.
The fields in the user database include: “user_id,
username, mail, hash, salt, fbid, twitterid, vkid, fbuid, iguid”
and the hashes are reportedly crackable.
Data, who joined the forum in March, also provided
a list of repositories, and sample git and sample user data.
DataBreaches reached out to Data to ask some
questions about when the data were acquired and how. DataBreaches
also reached out to Ask.FM last night to ask them some questions.
Ask.FM didn’t reply to either of two inquiries
over a 24-hour period, but Data did respond to this site’s
questions, with two prefatory remarks. The first was to berate
yours truly for having a protonmail account. The second was a
request to please add “Marine Le Pen is a racist fraudster.”
Having dealt with those remarks, let’s turn to
the clarification Data provided on the Ask.FM incident.
In response to the first query about initial
access, Data replied that there was a vulnerability in Safety Center:
the server contained a WordPress site on their ASKFM-NET network.
As to when the hack occurred, Data replied that
the server was first accessed in 2019 and the database was obtained
on 2020-03-14. Data provided this site with users on the Safety
Center and wrote insultingly about a certain ‘lazy’ administrator
who allegedly used the same password everywhere.
[Note: Data provided specific and technical
details that DataBreaches is not reproducing in this post out of
concern that they might encourage or enable others to re-attack
Ask.FM. According to Data, Ask.FM is still vulnerable due to a poor
response to the 2020 incident.
“Specific parts were taken in 2021, although
they assumed the aggressors were kicked off,” Data wrote. “The
buyer will get specific details on how piss easy it is to compromise
the morons.”]
How easy is “piss easy,” you wonder? “Just
need to open 10 source files and spot either a vulnerability or peek
at the heavy password re-use,” Data told DataBreaches.
Ask.FM Knew But Kept Quiet?
When asked whether Ask.FM knew about the breach in
2020, Data was unequivocal in stating that they knew. Ask.FM noticed
the March 2020 breach circa June 2020, Data claims, but “was
apparently too busy laying off employees to give Answers to the
attempt to contact them.”
Data’s claim that Ask.FM knew was based, in
part, on Ask.FM burning some specific access the hackers had played
around with, like several production AWS credentials provided to
DataBreaches.
DataBreaches could find no media coverage or other
indication that Ask.FM ever disclosed the March 2020 breach or
notified users of it. If anyone ever received a notification about
it, please contact DataBreaches. If Ask.FM replies to inquiries,
this post will be updated.
Because Data invited contacts by private message,
it’s not clear how many purchase offers they have received at this
point, but they tell DataBreaches that they are now looking more at a
single (exclusive) sale.
Updated 9/21/2022: Because there has still been no
reply by AskFM, DataBreaches sent an inquiry to the Irish DPC asking
whether AskFM ever reported the March 2020 incident to them under the
GDPR. This post will be updated when a reply to that inquiry is
received.
Will lawyers be asked to arrange abortions and
will that communication be as vulnerable?
https://www.theregister.com/2022/09/20/encryption_abortion_data/
Meta, Twitter, Apple, Google urged to up encryption game in post-Roe America
… Now that America has entered its post-Roe era, in which more than a dozen states have banned abortion, digital rights advocacy group Fight for the Future has called on tech companies to implement strong on-by-default end-to-end encryption (E2EE) across their messaging services to secure users' communications, and prevent conversations from being shared with police and others.
Crucially, campaigners want to ensure that people's chats discussing procedures outlawed at the state level can't be obtained by the cops and used to build a criminal case against them.
"When our messages are protected from interlopers, we can communicate freely, without the fear of being watched," said Caitlin Seeley George, Fight for the Future's campaigns and managing director, in a statement.
We had an effect? You’re welcome?
https://fpf.org/blog/the-colorado-effect-status-check-on-colorados-privacy-rulemaking/
THE “COLORADO EFFECT?” STATUS CHECK ON COLORADO’S PRIVACY RULEMAKING
Colorado is set to formally enter a rulemaking process which may establish de facto interpretations for privacy protections across the United States. With the passage of the Colorado Privacy Act (CPA) in 2021, Colorado, along with Virginia, Utah, and Connecticut, became part of an emerging group of states adopting privacy laws that share a similar framework and many core definitions with a legislative model developed (though never enacted) in Washington State. However, while the general model of legislation seen in the CPA is similar to recently enacted state privacy laws, the CPA stands alone in providing authority to the state Attorney General to issue regulations.
Because no other similar state law has provided for this type of interpretative authority, regulations issued by the Colorado Attorney General could have far-reaching implications for how both businesses and regulators in other jurisdictions come to interpret key state privacy rights and protections. Colorado’s pre-rulemaking process recently concluded, revealing a range of possible directions that formal rulemaking could take. Below, we assess key priorities and areas of significant divergence that have been brought into focus both through public comments from stakeholders and questions posed by the Attorney General.
Agreed, but I’m not sure that’s the solution.
https://www.scientificamerican.com/article/artificial-intelligence-needs-both-pragmatists-and-blue-sky-visionaries/#
Artificial Intelligence Needs Both Pragmatists and Blue-Sky Visionaries
Artificial intelligence thinkers seem to emerge
from two communities. One is what I call blue-sky visionaries who
speculate about the future possibilities of the technology, invoking
utopian fantasies to generate excitement. Blue-sky ideas are
compelling but are often clouded over by unrealistic visions and the
ethical challenges of what can and should be built.
In contrast, what I call muddy-boots pragmatists
are problem- and solution-focused. They want to reduce the harms
that widely used AI-infused systems can create. They focus on fixing
biased and flawed systems, such as in facial recognition systems that
often mistakenly identify people as criminals or violate privacy.
The pragmatists want to reduce deadly medical mistakes that AI can
make, and steer self-driving cars to be safe-driving cars. Their
goal is also to improve AI-based decisions about mortgage loans,
college admissions, job hiring and parole granting.
Do you need to read cursive or are you willing to
trust an AI App on your phone to read it for you? “For sure and
several years ago our fathers bought this continent, a new station,
conceited and liberally dominated by the preposition that owl men are
created evil.”
https://www.bespacific.com/gen-z-never-learned-to-read-cursive/
Gen Z Never Learned to Read Cursive – How will they interpret the past?
The Atlantic:
“In 2010, cursive was omitted from the new national Common Core standards for K–12 education. The students in my class, and their peers, were then somewhere in elementary school. Handwriting instruction had already been declining as laptops and tablets and lessons in “keyboarding” assumed an ever more prominent place in the classroom. Most of my students remembered getting no more than a year or so of somewhat desultory cursive training, which was often pushed aside by a growing emphasis on “teaching to the test.” Now in college, they represent the vanguard of a cursiveless world. Although I was unaware of it at the time, the 2010 Common Core policy on cursive had generated an uproar. Jeremiads about the impending decline of civilization appeared in The Atlantic, The New Yorker, The New York Times, and elsewhere. Defenders of script argued variously that knowledge of cursive was “a basic right,” a key connection between hand and brain, an essential form of self-discipline, and a fundamental expression of identity. Its disappearance would represent a craven submission to “the tyranny of ‘relevance.’ ”
In the future, cursive will have to be taught to scholars the way Elizabethan secretary hand or paleography is today.
Within a decade, cursive’s embattled advocates had succeeded in passing measures requiring some sort of cursive instruction in more than 20 states. At the same time, the struggle for cursive became part of a growing, politicized nostalgia for a lost past. In 2016, Louisiana’s state senators reminded their constituents that the Declaration of Independence had been written in cursive and cried out “America!” as they unanimously voted to restore handwriting instruction across the state…”
Perspective.
https://www.schneier.com/blog/archives/2022/09/automatic-cheating-detection-in-human-racing.html
Automatic Cheating Detection in Human Racing
This is a fascinating glimpse of the future of automatic cheating detection in sports:
Maybe you heard about the truly insane false-start controversy in track and field? Devon Allen—a wide receiver for the Philadelphia Eagles—was disqualified from the 110-meter hurdles at the World Athletics Championships a few weeks ago for a false start.
Here’s the problem: You can’t see the false start. Nobody can see the false start. By sight, Allen most definitely does not leave before the gun.
But here’s the thing: World Athletics has determined that it is not possible for someone to push off the block within a tenth of a second of the gun without false starting. They have science that shows it is beyond human capabilities to react that fast. Of course there are those (I’m among them) who would tell you that’s nonsense, that’s pseudoscience, there’s no way that they can limit human capabilities like that. There is science that shows it is humanly impossible to hit a fastball. There was once science that showed human beings could not run a four-minute mile.
Besides, do you know what Devon Allen’s reaction time was? It was 0.099 seconds. One thousandth of a second too fast, according to World Athletics’ science. They’re THAT sure that .01 seconds—and EXACTLY .01 seconds—is the limit of human possibilities that they will disqualify an athlete who has trained his whole life for this moment because he reacted one thousandth of a second faster than they think possible?
We in the computer world are used to this sort of thing. “The computer is always right,” even when it’s obviously wrong. But now computers are leaving the world of keyboards and screens, and this sort of thing will become more pervasive. In sports, computer systems are used to detect when a ball is out of bounds in tennis and other games and when a pitch is a strike in baseball. I’m sure there’s more—are computers detecting first downs in football?—but I’m not enough of a sports person to know them.