You Can Access Passwords, Ongoing Discussions of Security Vulnerabilities and Other Sensitive Data of Governments, UN, Companies Using Search Engines + China Moving Beyond Cashless into An Orwellian Nightmare

in #privacy, 6 years ago

On Trello, a popular project management website, the governments of the United Kingdom and Canada exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system. The U.K. government also exposed a small quantity of code for running a government website, as well as a limited number of emails. All told, between the two governments, a total of 50 Trello pages, known on the site as “boards,” were published on the open web and indexed by Google.

You bet I kept reading that article. This was just after I shared details about Sidekik, which lets you create an AI version of yourself by analyzing all your data. When it comes to a massive government, some intelligent people will not put any faith in it. But still, many put more faith in private technology companies, who are supposed to know these things better. Yet it seems that the same carelessness also plagues the people who are supposed to fix the bugs and vulnerabilities.

When Guardians Leave Diligence at the Door

Source: https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724

All sorts of sensitive information was discussed, including security vulnerabilities (which means these were the people in charge of security), in a way that a malicious actor could simply use a search engine to mine this information. The person who discovered and reported this to these companies (Kushagra Pathak) was pretty much left without compensation, because even bug bounty programs don't consider this sort of report eligible for rewards.

Then again, it was the people taking care of these bugs who messed things up in the first place. Now just imagine all this information being sold on the black market. Is there even enough reason to think that it has not already happened? When you think about hacks into multi-billion-dollar corporations, don't you think that something like this could have helped such hacks?

Even the UN Messed Up

  • A social media team promoting the U.N.’s “peace and security” efforts published credentials to access a U.N. remote file access, or FTP, server in a Trello card coordinating promotion of the International Day of United Nations Peacekeepers. It is not clear what information was on the server; Pathak said he did not connect to it.
  • One public Trello board used by the developers of Humanitarian Response and ReliefWeb, both websites run by the U.N.’s Office for the Coordination of Humanitarian Affairs, included sensitive information like internal task lists and meeting notes. One public card from the board had a PDF, marked “for internal use only,” that contained a map of all U.N. buildings in New York City. Another card had an attached PDF that included a phone tree with names and phone numbers of people working for a division of U.N.’s human resources department. Some cards contained links to internal documents hosted on Google Docs that, in turn, contained sensitive information about web development projects, including a web address and password to access a staging environment to test early features of the website.

You can read more following the above link.
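The failure mode in both stories above is the same: credentials and private-key material written into card descriptions that later become public. A defender's check is to scan a board export for such patterns before the board is shared. This is an added example, not code from the original post or from Trello; the export shape (a `cards` list with `name` and `desc` keys) and the card contents are constructed assumptions.

```python
import json
import re

# Constructed sample in the shape of a Trello board export. Assumption: the
# real export carries a "cards" list whose items have "name" and "desc".
SAMPLE_BOARD_JSON = r'''
{
  "name": "Peacekeepers Day promo (constructed sample)",
  "cards": [
    {"name": "Upload banner assets",
     "desc": "ftp://press-team:Summer2018!@ftp.example.org/incoming"},
    {"name": "Staging site",
     "desc": "URL: https://staging.example.org\npassword: hunter2"},
    {"name": "Meeting notes 12 May",
     "desc": "Agenda: review copy, confirm speakers, no blockers."},
    {"name": "Deploy key",
     "desc": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow... (truncated)"}
  ]
}
'''

# (label, regex) pairs for the kinds of secrets seen in the Trello reports:
# user:pass embedded in a URL, password assignments, private-key blocks, tokens.
PATTERNS = [
    ("credential-in-url", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("password-assignment", re.compile(r"\b(pass(word|wd)?|pwd)\s*[:=]\s*\S+", re.I)),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("api-token-assignment", re.compile(r"\b(api[_-]?key|token|secret)\s*[:=]\s*\S{8,}", re.I)),
]


def scan_board(export_json):
    """Return [(card name, label)] for every card whose name or description
    matches a secret pattern. The matched text itself is not returned, so the
    report does not become a second copy of the secret."""
    board = json.loads(export_json)
    findings = []
    for card in board.get("cards", []):
        text = f"{card.get('name', '')}\n{card.get('desc', '')}"
        for label, pattern in PATTERNS:
            if pattern.search(text):
                findings.append((card.get("name", "<unnamed>"), label))
    return findings


if __name__ == "__main__":
    for card_name, label in scan_board(SAMPLE_BOARD_JSON):
        print(f"[{label}] card: {card_name}")
```

The patterns are deliberately simple; a hit is a prompt to rotate the credential and move it out of the card, not proof of a leak.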

The Power of Metadata

Facebook’s data trove goes beyond posts or location, though. By analysing your likes and interactions, Facebook can deduce private information you would never willingly agree to share. It does this with surprising accuracy.

Jamie Bartlett demonstrated this on a smaller scale in his brilliant book The People vs Tech when he visited Michal Kosinski at Stanford University. He gave Kosinski just 200 Facebook likes, and their system was able to determine a variety of personal information.

Some examples of information the system found out about Jamie Bartlett:

  • Education: Studied history at university
  • Politics: Liberal
  • Religion: Atheist (If he was religious, probably Christian)

All of these predictions were accurate, and all it took was 200 Facebook likes (a shred of the actual amount of information Facebook has on its users).

Source

Now the problem is that your data is not just accessed by tech companies. It is pretty much stolen all the time, in small amounts. The reason even the "patriots" opposed Apple Inc. building a backdoor into the iPhone is that any such tool can eventually be obtained by the "bad guys". That's why I'm such a fan of zero-knowledge proofs and the Enigma Protocol.

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

That's what Facebook said when it discovered a security breach that affected 50 million users. @jaicha made a post about this here. The exploit was possible because of features added for convenience.

Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Then there are the quiet fights against privacy laws by Google and Facebook. All the while, Silicon Valley is getting cozy with Orwellian China. I must stress that China isn't all bad. They have some amazing technological developments in the developed parts of the country that easily surpass most of the developed world without breaking a sweat. Just look at what you can do with the WeChat app alone:

Now all that info (including GPS data) goes to one company (Tencent) that is cozy with the government. I highly applaud the developments. But the lack of privacy is a nightmare. Still, it makes a lot of money, and Silicon Valley doesn't want to miss out.


Curated for #informationwar (by @commonlaw)
