A theme across my intro was that I encouraged people to ask not whether #covidsafe ensured privacy or not, but rather how it *changes* privacy from what it would be without the app. If you test positive, for example, how will privacy differ with or without the app?
The epiphany is that people are frequently associating digitised records directly with the app. They ask questions like “how will data from the app be protected on the server” but never seem to consider that even without the app, your data will still be on a server if positive.
For example: some people were unhappy that #covidsafe stores data on Amazon, but where is data stored if you’re *not* using the app and test positive? Because y’know it’ll go onto a server somewhere, right?
Or they’re worried that uploading data on contacts (something that only happens if tested positive) poses a risk. Do people realise they’ll be queried about their movements and contacts and that their answers will be digitised even with no app?
These are all (quite rightly) valid concerns, my point is that for the most part they’re equally valid with or without the app in its current implementation. You catch this thing and a whole bunch of your personal data is going to end up on a server somewhere. That’s the point.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Firstly, this has come after @zackwhittaker's article which boils down to "it's stalkerware and it has appeared in a bunch of hotels it maybe shouldn't have and we know this because it has vulns disclosing what's captured and the company isn't responding" techcrunch.com/2024/05/22/spy…
It appears that in response to that piece, someone has gone and found a very easily exploitable bug that boiled down to a SOAP based API with an associated WSDL that documented the endpoints, one of which returned valid AWS creds
So this is an interesting one for several reasons. Firstly, the defacement which was obviously designed to antagonise a conservative media company. Maybe someone with an axe to grind, but definitely evidence of breach.
Then there are the 3 different classes of data set published at the bottom of the defacement, let's go through each by file name:
editors.json: this includes the name, personal email, phone and sometimes address of the journo. Given the politically charged nature of some of the content, PII exposure of this nature is extra concerning. It's now easy to match a story to someone's physical address and phone.
Alright folks, this is starting to smell like bullshit. Not the alleged breach (which smells bad for reasons I'll explain in a moment), but the "AI" line from both Europcar and the PR agency that just emailed me pitching someone's hot take on it. Here's why:
Firstly on the legitimacy of the data, a bunch of things don't add up. The most obvious one is that the email addresses and usernames bear no resemblance to the corresponding people names. For example:
Next, each of those usernames is then the alias of the email address. What are the chances that *every single username* aligns with the email address? Low, very low.
We often receive comments to the effect of “we want to purchase a @haveibeenpwned subscription but our company doesn’t allow us to use a credit card”. What is the financial reason behind this?
This is a very small portion compared to those that *do* pay by card, but why is this?
To add to this, having spent 14 years at Pfizer I’d see policies like this all the time. But it’s also not like there was a blanket ban: try going on a business trip and asking the person at the noodle shop you’re having lunch at to raise an invoice on 60 day terms 🤣
This also isn’t about traceability; spend the money, raise an expense claim with receipt, job done. I could understand if the answer was “because an invoice and wire transfer stops people randomly being stuff and puts procurement in control”, but they could still pay with a card.
Let me add some more context to the Dymocks breach, starting with giving them a massive pat on the back for responding so quickly. It was less than 48 hours ago between me contacting someone there via LinkedIn and them having sent disclosure emails to customers. Massive kudos!
What's not as clear from the story is the extent to which the data was already circulating before I was able to get in touch with them. Multiple Telegram channels and a popular *clear web* (not dark web) forum were broadly circulating the data.
I also suspect we're about to see a repeat of the question so many people raised after Optus and Medibank: why do they still have my data? About a quarter of the rows are flagged "inactive" with dates as far back as 2005, yet still sit there with address, email, phone etc.