> In March 2021, crimew was indicted by a grand jury in the United States on criminal charges related to her alleged hacking activity between 2019 and 2021. The charges were unrelated to the hack of Verkada. Her home and her parents' home were raided by the Swiss police at the request of United States authorities, and her electronic devices were seized. People used the hashtag "#freetillie" to express support for her in the aftermath of the raid, and the Swiss magazine Republik compared her to Jeremy Hammond and Aaron Swartz.
If we truly lived in a sane society, companies with lax security and god-awful security policies would be punished.
Mine was founded by some overseas family that can still come over and start telling us what to do as they please.
So uhhh, yeah, can confirm, Canada’s laws basically revolve around keeping old money wealthy without providing any value to anyone.
> Eschew flamebait. Avoid generic tangents. Omit internet tropes.
> Please don't use Hacker News for political or ideological battle. That tramples curiosity.
Remember kids, clicking the "next page" button on court document websites is legal, doing it with javascript is a felony, off to jail with you, join the rapists and murderers!
Also, the need for recognition often drives any human endeavour - and that leads hackers, criminals, etc to boast of their exploits to at least someone … who might be under observation, or under pressure to give up information to escape severe punishment for their own activities.
However, are his actions of downloading the no-fly list and offering to share it with journalists legal? Or does that cross into overreach and criminal activity?
(This is a genuine question) but where's the actual value in having this list?
I'm afraid I regard it as yet another piece of security theatre.
Full disclosure: my passport always fails to scan at the UK Border automated gates.
I had a discussion this week with yet another border agent after getting another "seek assistance" message and having to queue for a manual check.
I pushed for more information on why, for the last couple of years, it refuses to scan.
He suggested it's because I have very common first and middle names (although my surname is not common at all), so let's say I'm called Alice Bob MacQuaffle, someone called Alice and/or Bob is "on a list" somewhere. I would bet a substantial sum there is no-one on any terrorist watch list called MacQuaffle.
This sounds like someone approved a ridiculously broad match, meaning anyone called Alice and/or Bob is inconvenienced every single time they go near a border.
I would prefer to be safe when travelling just like the next guy, but matching watch lists using common first names ... only .... really?
I'd feel uncomfortable referring to anyone as "it" though, as there are some connotations with that :-/
Moreover, depending on the contents of the list, this likely offers proof of what is generally suspected, that the no fly list is a form of discrimination and authoritarian overreach, targeting people that haven't been convicted of a crime but are "suspected" due to race, religion, etc. The whole thing is probably unconstitutional/illegal, but it's hard to prove that since it's been secret.
This seems like a clear case of hacktivism - trying to expose an unethical government program for what it is, so that it can be stopped.
You literally immediately falsified that assertion:
> and only offers to if someone can demonstrate they will use it responsibly.
And nobody ever lies of course.
The problem is to define "demonstrate" and the criteria. Remember the gatekeeper is now an unemployed gal who "know lot's of things about cyber security" according to her main page. Seems likely a competent bad actor could easily impersonate a well-meaning reporter...
Yes, security through obscurity isn't security, but this also seems incredibly irresponsible for any "security researcher". AFAIK, just basic standard good practice is to report the flaws and allow a reasonable interval before publishing, and there seems to be no hint of this.
Modern society really is held together with duct tape, baling twine, and a few pieces of bubble gum...
[EDIT: pronouns]
Maybe there are reasons this is short sighted or I’m missing a greater point. I’d be interested to hear ideas in any case.
Breaking into private S3 buckets because you are bored is not considered an appropriate “Step 1” by the _professional community_ (people who get paid to do this for a living) at large.
Among people who plan to be financially rewarded for their work and also not be in handcuffs, Step 1 is usually to “Get written permission”.
It's almost like you're talking about how a lawnmower decided to run a child over and then incriminate itself by boasting about it on social media. It makes no sense!
I know she picked that pronoun herself, but I really wish she didn't. It just makes communication difficult.
Graciously, though, they’re at least feigning caution with handing out the no-fly list.
Oof the international politics always come out in things like this. Twitter also publicizes all of its suspensions and bans. There's a Wikipedia article with a list of all the notable suspensions since 2010. It's interesting to see that, contrary to popular narratives, many of the international groups banned were actually far-left aligned.
The list gets really boring the more you scroll down, however. The last notable ban was Paul Graham for simply sharing their Mastodon handle. A boring dystopia indeed.
The list that Wikipedia determines "notable suspensions" is probably not the best gauge to counter "popular narratives". What Wikipedia chooses to highlight is often the sum of actual popular narratives - not simply popular protests [1] - which is sourced almost entirely from the media and then filtered through the culture found among Wikipedia power users.
A raw database of suspensions and their rationale [2] would probably be the only useful analysis.
[1] The people most often protesting bans aren't always the people getting the most media-sourceable attention for their bans
[2] Recent leaks show that the US state/federal gov employees (and other well-connected power players) often sent lists of tens/hundreds of accounts to be banned, and Twitter employees often retroactively found reasons to do so when the given reason wasn't justified. So both the rationale and the "notable" part have questionable value for general analysis.
That said, I also see bans of accounts with few followers regularly being far-right (white supremacist jokes for instance). They may just not be able to gather large followings at this point and / or be on alternative platforms.
A list that details primarily terrorists having terrorists listed on it. Colour me surprised.
Paul Graham is a man, not a plural entity.
In English the word can be used as a singular pronoun.
Massachusetts state police posted a photo on twitter from inside one of the emergency management command post whatever facilities.
In the background was a projector screen showing a web browser and in the toolbar was at least one link to a facebook group for one of the occupy movements.
Of course, no visible bookmarks to any of the state's numerous white supremacist or far right groups.
Those polo-shirt-and-khaki wearing clowns? From numerous accounts by witnesses, reporters, and photos on twitter they received what amounted to a police escort from the public transit station where they all parked, all the way into the city...and then from the transit station to their protest site. And then back again.
See: FBI report from a decade or two ago citing the huge problem with white supremacist groups infiltrating law enforcement.
1) Be a billionaire
2) Start an Airline
1. Create Tesla. 2.
Corresponding news story: https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotecte...
There were also prod AWS credentials in the files exposed in Jenkins.
But then, I am not a Bond-esque criminal organization bent for world domination.
At the very least, I don't think the company was operating like every random developer should have full access to the no-fly list, which is what they de facto gave them when they dumped an old copy into the test pipeline.
E.g. when an airline had a public API where you could get someone's passport number and details just from their boarding pass https://mango.pdf.zone/finding-former-australian-prime-minis...
Password salts that were identical for the entire set?
"Random" initialization vectors always created from the same prng seed?
Without coders like these, hackers would really have to work for it.
(And, yes, I've encountered all of these in my career.)
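The two anti-patterns named in the comment above (one salt shared by every record, and "random" IVs drawn from a PRNG re-seeded with the same value) are easy to demonstrate side by side with their fixed versions. The block below is an added example for this thread, not code from any of the commenters or from the systems discussed; the constants, function names and the `salts_are_unique` audit helper are assumptions made for illustration, and it uses only the Python standard library.

```python
import hashlib
import hmac
import os
import random

# ---- Weak patterns (constructed to illustrate the comment) ----

FIXED_SALT = b"static-salt"  # one salt reused for every stored password
PBKDF2_ITERATIONS = 200_000   # assumed work factor for this example


def weak_hash_password(password: str) -> bytes:
    """Every record shares FIXED_SALT, so equal passwords yield equal digests
    and one precomputed table attacks the whole set at once."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), FIXED_SALT, PBKDF2_ITERATIONS)


def weak_iv(seed: int = 1234) -> bytes:
    """An IV taken from a PRNG that is re-seeded with the same value is the same
    bytes on every call: the 'random' IV repeats across messages."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(16))


# ---- Hardened versions ----

def hash_password(password: str) -> tuple[bytes, bytes]:
    """Per-record salt from the OS CSPRNG; returns (salt, digest) so the salt
    can be stored beside the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def fresh_iv() -> bytes:
    """A new 16-byte IV per message from the OS CSPRNG, never from a seeded PRNG."""
    return os.urandom(16)


# ---- A simple audit check a reviewer can run over a credential store ----

def salts_are_unique(salts: list[bytes]) -> bool:
    """True when no salt value is shared between records. A False result is the
    symptom of the 'identical salt for the entire set' bug."""
    return len(set(salts)) == len(salts)


if __name__ == "__main__":
    # Constructed sample input: two users who happen to choose the same password.
    print("weak digests equal:", weak_hash_password("hunter2") == weak_hash_password("hunter2"))
    print("weak IVs equal:", weak_iv() == weak_iv())
    s1, d1 = hash_password("hunter2")
    s2, d2 = hash_password("hunter2")
    print("hardened digests equal:", d1 == d2)
    print("salts unique:", salts_are_unique([s1, s2]))
    print("verify ok:", verify_password("hunter2", s1, d1))
```

The audit helper is the useful part for a defender: dumping the salt column of an existing user table and feeding it to `salts_are_unique` tells you in one call whether the first anti-pattern is present, without touching the digests themselves.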
Underneath all the garbage, good story. But Holy Hell, why do bloggers write so terribly and self-indulgently? That's a half hour of my life I'll never get back that shouldn't have been more than 10 minutes. Don't they have Ritalin in Australia? They really should.
This website is what me from 1993 thought a hacker's website would look like. A nod of respect to them for kickin' it old-school.
A webring! I'd completely forgotten that these were a thing.
Seriously? I know like none of the tools or terms they used, like wtf is shodan?
In general the author doesn't seem to follow the white hat guidelines, and I'd be worried what they've done is quite illegal (possibly on a federal level if the no-fly list is so secret)
shodan[1] is a search engine that deals in hosts and ip addresses rather than web pages, and is a goldmine for finding everything from exposed ip webcams to jenkins instances.
Accessing computer systems owned by a US company based in the US might constitute a violation of US law, but the hacker is based in Switzerland - where US law does not apply.
As you can see in the linked Wikipedia article, accessing these systems is probably not illegal in Switzerland, thus, for all intents and purposes, no crime was committed.
This was roughly 10 years ago, so things might have changed, but at the time it seemed like federal agencies could easily append to the list, but there was no standard process to get off it. I'd guess there are obvious incentives for agencies to add ("hey look, we've found terrorists", even if nothing was actually done about it), and none to remove people from it.
Made me realize that 'vintage' basically means to many people 'things that are before my living memory' and it can literally only be 0 to 5 years back before they were born.
> CommuteAir added that the server, which was taken offline prior to publication after being flagged by the Daily Dot, did not expose any customer information based on an initial investigation.
> On the list were several notable figures, including the recently freed Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him.
> [...]
> Numerous names included aliases that were common misspellings or slightly altered versions of their names.
For non-natively-Latin names, the US government is thorough to the point of hilarity in including every possible romanization and misspelling of one, and they list full names not their individual parts so combinatorics ahoy, as well. For example, if you know a bit of any Slavic language written in Cyrillic, browse the Russian sanction lists, it’s going to give you a chuckle.
In all seriousness, this actually makes perfect sense given the prospective consumers of the lists may not have any clue about the languages the targeted people speak. It’s just that the article makes 16 aliases sound vaguely sinister, whereas if you’re a Russian—or, for that matter, a Ukrainian or a Belarusian—that’s just a reasonably low estimate for how many romanizations of your name people may think up. (Not that Bout isn’t sinister as hell.)
[1] https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotecte...
https://www.cbc.ca/news/canada/london/no-fly-child-redress-1...
Soon they'll give everyone a number so they can travel. And print it out in physical form too. And call it a passport.
That "solution" seems a bit backwards.
You won't be extradited though.
The Swiss could maybe prosecute domestically, but it's not (currently) in the public interest to do so.
[EDIT]
https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...
Administrative IAMs should be IP restricted as well: https://aws.amazon.com/premiumsupport/knowledge-center/iam-r...
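The IP restriction the comment above recommends is normally expressed as an explicit Deny that fires whenever the request does not originate from an approved range. The block below is an added example, not code from the thread or from AWS: it builds that policy document in Python and includes a minimal local check of the Deny logic so the CIDR list can be sanity-tested before attaching it. The allowed ranges are RFC 5737 documentation addresses chosen for the example, and `request_is_denied` is an assumed helper that models only the two condition operators this one policy uses, not IAM evaluation in general.

```python
import ipaddress
import json

# Constructed example: the admin principal is only ever used from these ranges.
ALLOWED_ADMIN_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]


def build_source_ip_deny_policy(allowed_cidrs: list[str]) -> dict:
    """Return an IAM policy document that denies every action unless the call
    comes from allowed_cidrs. An explicit Deny overrides any Allow the principal
    otherwise holds, so it can sit beside broad admin permissions. The
    aws:ViaAWSService condition keeps calls that AWS services make on the
    principal's behalf (which carry no client IP) from being denied too."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAdminUseOutsideApprovedRanges",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)},
                    "Bool": {"aws:ViaAWSService": "false"},
                },
            }
        ],
    }


def request_is_denied(policy: dict, source_ip: str, via_aws_service: bool = False) -> bool:
    """Local check of the Deny statement built above: True when a request from
    source_ip would be denied. Handles only NotIpAddress on aws:SourceIp and
    Bool on aws:ViaAWSService; it is not a general IAM policy evaluator."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {})
        ranges = cond.get("NotIpAddress", {}).get("aws:SourceIp", [])
        outside_all_ranges = not any(ip in ipaddress.ip_network(c) for c in ranges)
        wanted = cond.get("Bool", {}).get("aws:ViaAWSService")
        via_matches = wanted is None or str(via_aws_service).lower() == wanted
        if outside_all_ranges and via_matches:
            return True
    return False


def policy_json(allowed_cidrs: list[str]) -> str:
    """Serialized form ready to paste into the IAM console or an IaC template."""
    return json.dumps(build_source_ip_deny_policy(allowed_cidrs), indent=2)


if __name__ == "__main__":
    policy = build_source_ip_deny_policy(ALLOWED_ADMIN_CIDRS)
    print(policy_json(ALLOWED_ADMIN_CIDRS))
    # Constructed requests: one from an approved range, one from outside it.
    print("from 203.0.113.40 denied:", request_is_denied(policy, "203.0.113.40"))
    print("from 192.0.2.5 denied:", request_is_denied(policy, "192.0.2.5"))
```

Before attaching a policy like this, confirm the list covers every place the administrative credentials are legitimately used (VPN egress, CI runners, bastion hosts); a stray omission locks the principal out rather than an attacker.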
For once.
Meanwhile, another front page article is some genius asking why there aren’t any cars in 1984.
^^^ this killed me. I'm sure everyone who has ever interacted with a SOAP API feels the same. God bless this tiny kitten/person/hacktivist, the world needs more of this energy.
See in particular the broad definition of “protected computer.”
Oh, also secure your Jenkins servers.
The fact it still exists at all is incredible, but a disturbing precedent.
Seriously, though, is the list on the github yet?
[2] https://en.wikipedia.org/wiki/Maia_arson_crimew
[3] https://www.justice.gov/usao-wdwa/pr/swiss-hacker-indicted-c...