See the AT&T/iPad data leak, where AT&T were leaking private information on the internet with no security checks at all. Someone found it, told the press, who in turn told AT&T, but the FBI still investigated it as a "crime", raided their home, charged them with "conspiracy to access a computer without authorization." AT&T got no punishment at all.
I think you are missing some nuance here. They found a vulnerability where they could just increment an "id" and get access to another user's information. They then went ahead and scraped as much as they could. Also this person (iProphet / weev / Andrew Auernheimer) is awful and certainly not a victim. AT&T did not leak the information, Andrew did!
Should they have had better security? Yes. Was the vulnerability extremely basic? Yes. Doesn't change much, a vulnerability was used to dump a bunch of private data.
Exactly. If you find an unlocked warehouse, even if you are supposed to pick up something of yours, and instead of directly complaining you also ransack everything, you’re going to catch some heat.
> I think you are missing some nuance here. They found a vulnerability where they could just increment an "id" and get access to another user's information.
That's not nuance; the information was publicly available on the internet without any security. Even search engines had indexed it before it was patched.
> They then went ahead and scraped as much as they could.
They told the press instead of releasing it.
> AT&T did not leak the information, Andrew did!
So AT&T dumping it all onto the open internet without any security isn't culpable, but the person who let the press know that their information was available to everyone is. That's quite an interesting take.
I'm struggling to see the nuance... You just repeated back what I already said, but added that you dislike the person personally, which is absolutely fine, but we're talking about miscarriages of justice not running a popularity contest. If you feel like they committed other crimes (which they likely did per Wikipedia), that is unrelated to THIS supposed crime.
> Was the vulnerability extremely basic? Yes.
There was no vulnerability. You just needed to request a record from a public web-server, which the server happily provided with no extra steps.
Let me ask this: When you request e.g. google.com, and they return a HTTP response, why is that not a "vulnerability?" Because we'd both agree it objectively is not. So then, why, when AT&T provides a URL with information they're meant to keep private but available to the public, and you then request it, that is suddenly a "vulnerability?"
Well, which specific piece? Your Instagram username is very different than your phone number, right? And depends on the event. Is it speed-dating or tech conference? You can choose what to broadcast. If you are at the event, you have some goal of who you want to meet. Long term in the app I want to let you give more info about that and then filter the list for you. Help you find your people.
Which is not obvious at all if you have JavaScript disabled by default, since it only shows up as a blank space, which could also be a blocked ad or an image which failed to load correctly.
The first few times I saw one of these transcripts with video at the top (IIRC, it was on Practical Engineering, not this site), I thought it sounded odd but didn't get that it was a transcript. Only later did I find out that there were videos (and they're great).
> The possibility to pay by card when the internet is not working – ‘so-called offline payments’ – is an area that ‘the Riksbank believes needs to be improved considerably, particularly in light of the geopolitical unease in the world,’ according to the announcement
Actually we just thought it was interesting that an attacker installed our EDR agent on the machine they use to attack their victims. That’s really bad operational security and we were able to learn a lot from that access.
What is weird to me is that you have access to this information at all? It would make sense for the people who use your software ... the IT departments or whatever to have access but why on earth do your engineers need access? What gates access to your customers' machines? What triggers a write-up like this? Hostnames, "machine names" are ... not unique by nature.
Huntress is a cybersecurity company. They’re specifically hired for this purpose, to protect the company and its assets.
As far as unique identifiers go, advertisers use a unique fingerprint of your browser to target you individually. Cookies, JavaScript, screen size, etc, are all used.
The article states that the "attacker" downloaded the software via a Google ad, not deployed by their corporate IT.
I'm also slightly curious as to if you might be associated with an EDR vendor? I notice that you only have three comments ever, and they all seem to be defending how EDR software and Huntress works without engaging with this specific instance.
Again, threat actors are well aware of what they’re downloading. FWIW I’m an offsec specialist. I spend a lot of time bypassing EDR. I’m just shocked at how little this crowd is aware of OpSec and threat intel. I’ll crawl back into my Reddit hole
If you just want a different source, I can vouch for what cybergreg is saying.
Cybersecurity companies aren't passive data collectors like, say, Dropbox. They actively hunt for attacks in the data. To be clear, this goes way beyond MDR or EDR. The email security companies are hunting in your email, the network security companies are hunting in your network logs, so on. When they find things, they pick up the phone, and sometimes save you from wiring a million dollars to a bad guy or whatever.
The customer likes this very much, even if individual employees don't.
I also got rejected by Anthropic, and now I’m working at an amazing startup instead. Anthropic’s hiring process is dumb, you shouldn’t take it personally.