Post AwWu6KuxeVMTrQuvlw by ThreeSigma@mastodon.online
 (DIR) Post #AwWSwXa90y1nTpHjAO by rysiek@mstdn.social
       2025-07-26T10:24:23Z
       
       3 likes, 5 repeats
       
       Oh I see the absurdly, negligently insecure Tea app is now getting the "hackers hacked" treatment, so that it can comfortably deflect blame to some unspecified scary hackers? Cool, cool.

       *takes out a bullhorn*

       📢 Tea kept drivers license photos of thousands of women in an unprotected Google Firebase storage bucket.

       📢 Centering "hackers" means helping let those responsible for the horrendous negligence at Tea off the hook.

       👏 There is no "hack", only other people's negligence.

       #InfoSec #Tea
       
 (DIR) Post #AwWSwfRvlOD9sfVHTU by rysiek@mstdn.social
       2025-07-26T10:33:39Z
       
       1 likes, 0 repeats
       
       I've been on this soapbox for years and I ain't stepping down off of it: https://rys.io/en/155.html

       This kind of "hackers hacked" bullshit is why we have shit cybersecurity laws that end up penalizing reverse engineering and security researchers instead of negligent companies putting out insecure products and services.

       Remember the Polish trains DRM scandal? When experts showed that Newag's trains had illegal DRM, Newag explicitly used their self-identifying as "hackers" to smear them in media.
       
 (DIR) Post #AwWZcT9EURbJcE4cHA by stux@mstdn.social
       2025-07-26T11:54:26Z
       
       1 likes, 0 repeats
       
       @rysiek Btw, the site claims women can check things on guys like criminal record, sex offender, etc. But the thing is... they do not verify this info! It's in their terms: they do NOT check any given info.
       
 (DIR) Post #AwWmn4F8iyBwxrDj3A by jonah@mastodon.neat.computer
       2025-07-26T14:21:56Z
       
       0 likes, 0 repeats
       
       @stux @rysiek I mean, two things can be true:

       1. Tea is grossly negligent
       2. Tea is grossly unethical

       Three things even, since some people get confused about the second, lol:

       3. 4chan still isn't remotely justified to irresponsibly leak information, even if it's the information of users from an unethical app. Tea users are still victims themselves.
       
 (DIR) Post #AwWu6KuxeVMTrQuvlw by ThreeSigma@mastodon.online
       2025-07-26T15:38:53Z
       
       0 likes, 0 repeats
       
       @rysiek I dunno. If they had kept the licenses in a cardboard box in an unlocked building and it got stolen, I would still put at least some of the blame on the thieves. Not all, but some.
       
 (DIR) Post #AwWu6M6hEMLJY7Pohc by rysiek@mstdn.social
       2025-07-26T15:40:47Z
       
       1 likes, 0 repeats
       
       @ThreeSigma please point me to the place where I said that the dweebs who found it and leaked it are blameless?
       
 (DIR) Post #AwWv5NM5CjRX5Ki1Oi by djsumdog@djsumdog.com
       2025-07-26T15:54:59.218104Z
       
       0 likes, 0 repeats
       
       There's plenty of blame to go around, including any idiot who lets anyone scan their ID for almost any purpose.
       
 (DIR) Post #AwX1SWZzfqRo4ydYtU by rysiek@mstdn.social
       2025-07-26T10:51:41Z
       
       2 likes, 0 repeats
       
       You need a headline for the story about the Tea app leak? How about:

       👉 Negligence at Tea Puts 13,000 Women in Danger
       👉 Tea App Put Drivers License Photos of 13,000 Women Publicly on the Internet
       👉 Tea Failed to Secure Drivers License Photos of 13,000 Women

       It's *that easy* not to help deflect blame from whoever is actually responsible for 13,000 women now having to deal with their personal details and photos being pored over by the last people they'd like to have access to them.
       
 (DIR) Post #AwX1SeJGvtpE3QsJwO by rysiek@mstdn.social
       2025-07-26T15:48:55Z
       
       0 likes, 0 repeats
       
       Some people seem to need a bit of clarification, so here it is:

       The petty Internet trolls who found this open Google Firebase storage bucket and publicized the data contained within are reprehensible. They acted maliciously. They are responsible for what they did.

       But this is not an APT-level attack. This is some Internet rando stumbling into a trove of personal data left publicly exposed by the negligent company responsible for its safe-keeping.

       Focusing on the rando ignores the core issue.
       
 (DIR) Post #AwX2Kvm0DjENqzCHOy by pawelszczur@pol.social
       2025-07-26T10:34:28Z
       
       0 likes, 0 repeats
       
       @rysiek this is a thing for which companies should be seriously fined. The level of ignorance is hard to even think about.

       Even in the dev environments I set up myself I'm using a password, so I can see if all the password mechanics work as expected ;)
       
 (DIR) Post #AwX2KwiqgwIonUjH7o by rysiek@mstdn.social
       2025-07-26T10:36:57Z
       
       1 likes, 0 repeats
       
       @pawelszczur this is something that should get someone who made that decision some prison time.

       Fines are indistinguishable from taxes to rich enough companies. This needs to be the personal responsibility of whoever made the call.

       And I am going to bet there is internal communication at Tea that shows some techie somewhere opposing this bullshit, and some middle manager overriding them because cost or time or whatever.
       
 (DIR) Post #AwZNP5QgkOvIJVyDjs by masek@infosec.exchange
       2025-07-27T09:21:55Z
       
       0 likes, 0 repeats
       
       @arichtman @rysiek Remark: I do responsible disclosure for open buckets a lot. I never publicize them before they are closed.

       But informing the company that leaks the data is an exercise in futility. You get ignored 9/10 times. You nearly always need to find a way to pressure them, but just publicizing stuff is plain wrong. There is no proper way to report this. Microsoft ignores it, AWS ignores it, Google ignores it, CERTs ignore it, and so on.

       P.S. There are leaks that are unbelievably worse that remain open for months even after reporting them.
       
 (DIR) Post #AwZNP6YWYkmjo6dzai by the_turtle@mastodon.sdf.org
       2025-07-27T18:07:58Z
       
       0 likes, 0 repeats
       
       @masek @arichtman @rysiek can you piss in them and get faster results? Like, dump 200gb of gzipped cat pictures in them?
       
 (DIR) Post #AwZNP7mO0hT3bO8Zpw by masek@infosec.exchange
       2025-07-27T19:53:52Z
       
       0 likes, 1 repeats
       
       @the_turtle @arichtman @rysiek No need, if the bucket is writeable, you'll find tons of malware in it already.

       Example of communication with AWS:

       Hey AWS, there is a bucket with hundreds of malware files. Here is a link to one example X1.
       AWS here, we deleted X1.
       Hey AWS, but you left all other malware there. Example X2, X3, X4, ...
       AWS here, please open a new ticket.

       And while the answers from AWS are a shame for every service provider, at least they answer. Microsoft is all hear nothing, see nothing, say nothing in such cases.
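
       The "open Google Firebase storage bucket" in rysiek's clarification above and the open buckets masek reports are the same failure mode: Firebase Storage security rules that grant `list` and `read` (and sometimes `write`) to unauthenticated callers. The script below is an added example, not code from any poster in this thread. It assumes only the public Firebase Storage REST endpoints (`GET /v0/b/{bucket}/o` to list objects, `GET /v0/b/{bucket}/o/{object}?alt=media` to download one) and no credentials. The bucket name `example-app.appspot.com` and the JSON in the docstrings are constructed. Run it only against buckets you own or are authorized to test, and if it reports `public-list`, follow masek's practice: report, don't publicize.

```python
"""Probe a Firebase Storage bucket for anonymous exposure.

Added example for this thread, not code from any of its posters.
Assumes only the public Firebase Storage REST API:
  GET /v0/b/{bucket}/o                     -> list objects (needs `allow list`)
  GET /v0/b/{bucket}/o/{object}?alt=media  -> download   (needs `allow read`)
A locked-down bucket answers 403 to both when no credentials are sent.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

FIREBASE_API = "https://firebasestorage.googleapis.com/v0/b"


def list_url(bucket: str) -> str:
    return f"{FIREBASE_API}/{urllib.parse.quote(bucket, safe='')}/o"


def object_url(bucket: str, name: str) -> str:
    # Object names are one path segment in this API, so '/' must be escaped too.
    return f"{list_url(bucket)}/{urllib.parse.quote(name, safe='')}?alt=media"


def classify_list_response(status: int, body: bytes) -> tuple[str, list[str]]:
    """Interpret an unauthenticated list response as (exposure, names).

    'public-list' means the rules grant `list` to anyone (the Tea-style
    misconfiguration); 'denied' is what a correctly locked bucket returns,
    e.g. 403 {"error": {"code": 403, "message": "Permission denied."}}.
    """
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown", []
        names = [item.get("name", "") for item in doc.get("items", [])]
        # Folder-like prefixes are reported separately; keep a trailing slash.
        names += [prefix.rstrip("/") + "/" for prefix in doc.get("prefixes", [])]
        return "public-list", names
    if status in (401, 403):
        return "denied", []
    if status == 404:
        return "not-found", []
    return "unknown", []


def classify_read_response(status: int) -> str:
    """Anonymous download of one object: 200 means `read` is open to the world."""
    return {200: "public-read", 401: "denied", 403: "denied", 404: "not-found"}.get(status, "unknown")


def fetch(url: str, timeout: float = 10.0) -> tuple[int, bytes]:
    """GET with no credentials; return (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(bucket: str) -> dict:
    """Check anonymous listing, then whether the first listed file is readable."""
    status, body = fetch(list_url(bucket))
    exposure, names = classify_list_response(status, body)
    result = {"bucket": bucket, "list": exposure, "objects": len(names), "read": None}
    files = [n for n in names if not n.endswith("/")]
    if files:
        result["read"] = classify_read_response(fetch(object_url(bucket, files[0]))[0])
    return result


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <bucket>   e.g. example-app.appspot.com")
    print(json.dumps(probe(sys.argv[1]), indent=2))
```

       The listing call returns only the first page (the API paginates with `nextPageToken`), which is enough to answer the yes/no question of whether the bucket is open. The script deliberately does not attempt an upload; a bucket whose rules also grant `write` to anonymous callers is the case masek describes, where uninvited malware is already sitting in it, and you should only probe that against a bucket you are authorized to write to. On the defender's side, the fix is in the rules, not in the app: every `allow read`/`allow write` clause should require `request.auth != null` and scope the path to the authenticated user's own files rather than `allow read, write: if true`.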
       
 (DIR) Post #AwZNP8trqN2v4se48W by selea@social.linux.pizza
       2025-07-27T20:21:37Z
       
       0 likes, 0 repeats
       
       @masek Same story if there is a spammer, or a malicious bot. Impossible. @the_turtle @arichtman @rysiek
       
 (DIR) Post #AwjJu8vzVE4hvRaDRI by solitha@mastodon.social
       2025-07-26T17:09:09Z
       
       1 likes, 0 repeats
       
       @Lydie @rysiek I mean, let's take that "designed as a women's safe space" apart because it obviously wasn't *designed* to be safe from anything.
       
 (DIR) Post #AwjKEAWPJJaKdlAJzk by eric@mammut.ericmitch.com
       2025-07-26T14:37:38Z
       
       0 likes, 0 repeats
       
       @jonah @stux @rysiek maybe people just need to think twice about using an app/service that requires you to log in/sign up to use it. This is just another data Hoover app disguised as a service. They are no better than 4chan and frankly the unethical nature at both ends of the spectrum cancels out.
       
 (DIR) Post #AwjKEB7H6F4kU6PlSa by jonah@mastodon.neat.computer
       2025-07-26T14:41:30Z
       
       0 likes, 0 repeats
       
       @eric eh, they're no better than 4chan, but I don't think two wrongs make a right, I think it's just double wrong. Losers on every side of this story unfortunately. @stux @rysiek
       
 (DIR) Post #AwjKEBhmuUHaJLUvNA by eric@mammut.ericmitch.com
       2025-07-26T14:44:25Z
       
       0 likes, 0 repeats
       
       @jonah @stux @rysiek we keep complaining about users data being leaked. No one wants to acknowledge that these app/internet companies are following an accepted business model. Collect as much data on users as possible to feed the global data profiling machine. But the users just keep giving data away.
       
 (DIR) Post #AwjKECMCUEboKgPCMa by jonah@mastodon.neat.computer
       2025-07-26T14:54:43Z
       
       1 likes, 0 repeats
       
       @eric now I am no philosopher, but I don’t think ethics is a zero-sum game personally. Nor most other things, for that matter 🤷‍♂️ @stux @rysiek