[HN Gopher] Yandex said it caught an employee selling access to ...
___________________________________________________________________
Yandex said it caught an employee selling access to users' inboxes
Author : LinuxBender
Score : 118 points
Date : 2021-02-12 17:18 UTC (5 hours ago)
(HTM) web link (www.zdnet.com)
(TXT) w3m dump (www.zdnet.com)
| throwawaysea wrote:
| That's quite scary. I wonder if something like this is possible
| at Google or Microsoft or Yahoo. Even if multiple people need to
| approve that kind of access, it must be possible to socially
| overcome those barriers (via influence, bribery, etc.) if the
| right actors can be identified. It would be preferable to have
| control over this from the user-side.
| ceejayoz wrote:
| Not just possible, it happens.
|
| Google: https://gawker.com/5637234/gcreep-google-engineer-stalked-te...
|
| Facebook:
| https://www.theguardian.com/technology/2018/may/02/facebook-...
|
| The NSA: https://www.reuters.com/article/us-usa-surveillance-watchdog...
|
| These are presumably just the tip of the iceberg of people dumb
| enough to get caught.
| redis_mlc wrote:
| Yahoo historically (for decades) monitors customer support IC
| staff for application-level access abuse to user account
| data, and does investigations for misuse. Mgmt. takes that
| seriously, so the Yandex scenario mentioned in the article
| wouldn't happen for long.
|
| However, as at all companies, engineers have alternate
| server-level access to row-level data, otherwise nobody could
| troubleshoot internal systems. Yahoo is divided into 50+
| engineering silos, so that access is very diffused.
|
| So far, so good.
|
| But in the case of Yahoo, the govt. does kernel-level keyword
| sniffing on email servers. (AFAIK that's unique to Yahoo.
| Never even heard of that for FAANG.) Yahoo was also pwned for
| a few years:
|
| https://www.theregister.com/2018/04/24/yahoo_fined_35m/
|
| https://www.theregister.com/2016/10/04/yahoo_was_nsa_stooge/
|
| Source: worked there.
| ajhurliman wrote:
| This is the idea of local-first software[0]. Imagine you owning
| your own database and the only thing you get when you go to a
| website is the software and none of the data (it accesses your
| database instead). Projects like Textile[1] are building out
| tools that could help with that sort of project. I really hope
| it takes off, the cloud sort of freaks me out.
|
| [0] https://www.inkandswitch.com/local-first.html
|
| [1] http://textile.io/
| Scene_Cast2 wrote:
| So the core problem is that when something is running on
| someone else's server, you can't even verify what they're
| running.
|
| E2E encryption avoids that by not trusting whatever is
| running on the servers. Local DBs avoid that by not giving up
| local data.
|
| However, it would be quite interesting to have a way to
| remotely know that a certain service is running the code you
| think it's running.
| jaywalk wrote:
| > it would be quite interesting to have a way to remotely
| know that a certain service is running the code you think
| it's running.
|
| It sure would, and it would be a hell of a discovery if
| someone could come up with it. Because I sure can't think
| of a way that I can't easily debunk.
| Scene_Cast2 wrote:
| Intel has done some work on this front that can
| hypothetically be used this way, but I wouldn't say it's
| practical, for various reasons.
| DSingularity wrote:
| You mean like intel TXT remote attestation?
| Scene_Cast2 wrote:
| The trick here would be integrating that to play nicely
| with load balancers, REST-style APIs, and reducing
| overhead from establishing yet another secure connection.
| yrgulation wrote:
| Either that or each user's records are encrypted using their
| own password and forgot password recovery question/s answers.
| Here is an example of how it can be done:
|
| https://security.stackexchange.com/questions/30193/encryptin...
|
| Although this approach still requires trust that service
| providers do indeed encrypt user data.
| hezag wrote:
| Related: Solid Project
|
| - HN discussion:
| https://news.ycombinator.com/item?id=25989698
|
| - A great article about the project:
| https://ruben.verborgh.org/blog/2020/12/07/a-data-ecosystem-...
| Jugurtha wrote:
| Slightly related, we're working with a similar philosophy.
| As a machine learning consultancy that has done many
| learning projects for enterprise, we're building our
| machine learning operations, "MLOps", platform
| (https://iko.ai) to simplify our work. However, what we're
| doing is working from the architecture level to have as
| little and preferably no sensitive information on our
| service. We're architecting it so that you give us specific
| access to deploy on your cluster, and everything happens
| there: the notebook servers are there, your data is where
| you choose to put it, your training jobs are there, your
| experiments are tracked there. Your models are deployed
| there.
|
| I have a saying that the platform should be able to run on
| a Raspberry Pi.
|
| One of my personal pet peeves working with the team is to
| be able to disappear without impacting them, and it has
| become the same with our platform: it must be able to
| disappear without users having to scramble to exfiltrate or
| export their work or data from our infrastructure, because it
| simply is not there.
| sn_master wrote:
| It is. For example, machine learning teams at Microsoft run
| software that reads all email content on Exchange servers.
| There are guardrails to make sure the engineers don't gain
| access to the data themselves, but there are accidental
| slip-ups from time to time, and certainly a motivated engineer can
| always find a way to peek at the data of any inbox.
| fractionalhare wrote:
| Yeah. That could be resolved if the ML teams only had access
| to the aggregated, anonymized data or the output of the
| models. And if a privileged access token (for example, the
| one the model training flow ostensibly uses) is logged as
| querying specific subsets of the raw data or ferrying it out
| of band, that should throw an immediate alarm with an audit
| trail.
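The alarm fractionalhare describes, as an added example that is not from the thread or from any company named in it: a small audit-log detector in Node.js that flags a privileged service token reading raw per-user data it should only see in aggregate, any export to an out-of-band sink, and a principal enumerating more inboxes than its role needs. The log format, the token policy, the threshold and the sample lines are constructed assumptions.

```javascript
// Principals that may only issue aggregate queries, e.g. a model-training pipeline token.
// The policy, log format and sample lines below are constructed for this example.
const AGGREGATE_ONLY = new Set(['svc-model-training']);
const USER_READ_LIMIT = 2; // distinct inboxes one principal may touch before it is flagged

// Parse one key=value audit line; malformed lines return null so the caller can count them.
function parseLine(line) {
  const ev = {};
  for (const field of line.trim().split(/\s+/)) {
    const i = field.indexOf('=');
    if (i < 1) return null;
    ev[field.slice(0, i)] = field.slice(i + 1);
  }
  return ev.principal && ev.action ? ev : null;
}

// Three rules: an aggregate-only token reads raw per-user data; any principal exports to an
// external sink; any principal enumerates more distinct inboxes than USER_READ_LIMIT.
function detect(lines) {
  const alerts = []; // each alert carries the triggering event for the audit trail
  const inboxesSeen = new Map(); // principal -> Set of user scopes read so far
  let malformed = 0;
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) { malformed++; continue; }
    const userScoped = typeof ev.scope === 'string' && ev.scope.startsWith('user:');
    if (AGGREGATE_ONLY.has(ev.principal) && userScoped) {
      alerts.push({ rule: 'service-token-raw-user-read', ev });
    }
    if (ev.action === 'export' && ev.sink === 'external') {
      alerts.push({ rule: 'out-of-band-export', ev });
    }
    if (userScoped) {
      const seen = inboxesSeen.get(ev.principal) ?? new Set();
      seen.add(ev.scope);
      inboxesSeen.set(ev.principal, seen);
      if (seen.size === USER_READ_LIMIT + 1) alerts.push({ rule: 'bulk-user-read', ev });
    }
  }
  return { alerts, malformed };
}

// Constructed sample log, not captured from any real system.
const SAMPLE_LOG = [
  'ts=2021-02-12T10:00:00Z principal=svc-model-training action=query scope=aggregate sink=internal',
  'ts=2021-02-12T10:01:00Z principal=svc-model-training action=query scope=user:4471 sink=internal',
  'ts=2021-02-12T10:02:00Z principal=eng-alice action=export scope=user:4471 sink=external',
  'ts=2021-02-12T10:03:00Z principal=support-bob action=query scope=user:9912 sink=internal',
  'ts=2021-02-12T10:03:05Z principal=support-bob action=query scope=user:9913 sink=internal',
  'ts=2021-02-12T10:03:09Z principal=support-bob action=query scope=user:9914 sink=internal',
  'this line is not an audit record',
];

for (const a of detect(SAMPLE_LOG).alerts) {
  console.log(`ALERT ${a.rule}: principal=${a.ev.principal} scope=${a.ev.scope}`);
}
```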
| [deleted]
| arkadiyt wrote:
| I hope the HN crowd doesn't write this off because it's Russia -
| employee abuse of customer data is all too common in tech:
|
| - Google Engineer Stalked Teens, Spied on Chats:
| https://gawker.com/5637234/gcreep-google-engineer-stalked-te...
|
| - Lyft Investigates Allegation That Employees Abused Customer
| Data: https://www.theinformation.com/articles/lyft-investigates-al...
|
| - Uber Employees Allegedly Use Data to Stalk Exes, Celebs:
| https://www.newser.com/story/235409/lawsuit-uber-employees-u...
|
| - Facebook Investigating Claim That Employee Used 'Privileged
| Access' to Cyber-Stalk Women: https://gizmodo.com/facebook-investigating-claim-that-employ...
|
| - Snapchat Employees Abused Data Access to Spy on Users:
| https://www.vice.com/en_us/article/xwnva7/snapchat-employees...
|
| - Yahoo Engineer Used Insider Access to Get Private Photos of
| Women: https://www.vice.com/en_asia/article/59nwyk/yahoo-engineer-u...
|
| Most occurrences likely never even make it into the news.
| cryptochromium wrote:
| It's a real big problem. Employees from our version of the CDC
| (GGD) were caught selling the data of people who had tested
| positive for COVID, including social security numbers.
|
| https://www.rtlnieuws.nl/nieuws/nederland/artikel/5210644/ha...
| brnt wrote:
| Who would be buying this info? Are Dutch insurers allowed to
| procure such information?
| jhayward wrote:
| There are more:
|
| https://www.reuters.com/article/us-usa-surveillance-watchdog...
| smsm42 wrote:
| I'm pretty sure that unless the system is based on minimum-privilege
| strict audit (with audit logs regularly reviewed by a dedicated
| inspector team) - which I have never seen happening anywhere -
| somebody out of the many people that have access will be
| tempted.
|
| And the reason why most "unicorns" likely do not have a strict
| audit system for PI is because it costs many $$$$ but brings
| exactly $0 in revenue. And until it becomes many $$$$ in
| potential lawsuit liability exposure, it will continue so,
| because nobody would invest serious effort in something that is
| only hurting the bottom line.
| polote wrote:
| Not to mention that to get the blue mark on Instagram, you can
| pay a Facebook employee who will give you the badge. This is
| surreal.
|
| https://mashable.com/2017/09/01/instagram-verification-paid-...
| lindsay7 wrote:
| Yandex is not Russian. It is developed by a company in
| Switzerland and primarily targets the Russian market.
| justusthane wrote:
| I don't see anything that backs that up on the Wikipedia
| page. Their headquarters is in Moscow and it was founded by
| two Russians. They have a sales office in Lucerne.
|
| https://en.wikipedia.org/wiki/Yandex
| bobuk wrote:
| Yandex is a company registered in the Netherlands, 99% of the
| company's developers are located in Russia. So, technically
| Yandex is Russian.
| diggan wrote:
| What, you're joking surely? Yandex was founded by three
| Russians and the HQ is in Moscow, and they obviously target
| the Russian market. If Yandex is not Russian, what is?
|
| Like saying Google is Irish because they have some center
| there for the EU business. Google is surely a US-based
| company.
| fire7000 wrote:
| Sergey Brin is from Russia. He only co-founded Google...
| filoleg wrote:
| From their wikipedia page [0]:
|
| >Yandex is a Russian Dutch-domiciled multinational
| corporation providing Internet-related products and services,
| including transportation, search and information services,
| eCommerce, navigation, mobile applications, and online
| advertising.
|
| >The firm is registered in Schiphol, the Netherlands as a
| naamloze vennootschap (Dutch public limited company), but the
| company founders and most of the team members are located in
| Russia.
|
| So yes, technically the company is registered outside of
| Russia (Netherlands, not Switzerland like you claimed), but
| their HQ and heavy majority of their workforce and the
| founders are located in Moscow. I would definitely count it
| as a Russian company.
|
| 0. https://en.wikipedia.org/wiki/Yandex
| Scoundreller wrote:
| I find it funny when companies are registered in Schiphol.
|
| It means they can literally run their mandatory board
| meetings in the transit lounge at the airport.
|
| Ferrari has a similar structure at Schiphol, but I think
| it's also because Italy has a "speculator tax" on stock
| transactions, so they just register elsewhere.
| duskwuff wrote:
| It's also a service whose users are mostly in Russia and
| neighboring countries. The country selector on their .com
| home page links to localized sites for Russia, Ukraine,
| Belarus, Kazakhstan, Uzbekistan, and Turkey -- neither
| Switzerland nor the Netherlands are an option.
| k_bx wrote:
| And it was banned in Ukraine for being a national threat
| (which, as a Ukrainian, I fully support). Should also be
| a hint.
| eimrine wrote:
| Sad that you are supporting the censorship of yourself.
| Especially about banning Yandex, whose maps showed Crimea
| as Ukraine's for any visitor with a Ukrainian IP.
| filoleg wrote:
| While I am, overall, fully with you on censorship and
| don't think it is acceptable, this specific case is a bit
| different.
|
| It is one thing to censor something due to a hypothetical
| possibility of a threat or due to some "dangerous ideas".
| But it is another thing to censor a tech giant from an
| authoritarian country (with the government of which that
| said tech giant is almost definitely collaborating) that
| is literally physically invading your borders by force
| and taking your territory using shady tactics and excuses
| ("these are not our soldiers, they are just some unmarked
| militia that has access to our top tier weaponry... oh
| wait, jk, we lied, it was our troops all along").
|
| Especially given the fact that tech giants in Russia are
| all, pretty much, under a thumb of the government. Just
| check up on what happened to Pavel Durov (the Telegram
| guy, previously known for creating another Russian tech
| giant, VK.com, aka the Russian version of FB), he ended up
| having to give up his company and flee the country,
| because he didn't collaborate with the regime readily.
|
| And no, I am not a russophobe, I grew up in Russia
| myself, and I am not the kind to fall for the "every hack
| is now attributed to Russian government-funded hackers"
| hysteria that seems to have polluted mass media in the
| west recently. Which is why, imo, it is important to
| emphasize when the real threats happen and address them,
| just like Ukraine did with the Yandex ban.
| bpodgursky wrote:
| I don't want to speak to the other companies, but that Google
| link is over a decade old.
|
| They absolutely have very strict access control now -- it would
| be 100% impossible for a Google employee to do this nowadays.
| throwawayboise wrote:
| Your employer is very possibly doing it to you and other
| employees as well, and it's perfectly legal for them to do it.
| I keep any work-issued equipment I have at home powered off if
| I'm not actually working.
| foolinaround wrote:
| Never thought of this level of paranoia!
|
| You think they would record audio/video, or just log the
| keystrokes?
| SirSourdough wrote:
| I'm aware of at least one case of a school installing
| software that allowed them to remotely access the webcams
| of students, and they admitted to using the software on 40+
| occasions. I wouldn't be surprised if this practice existed
| in the corporate world as well.
| sam_lowry_ wrote:
| In many places in the world, they can't. In Europe, the
| matter of employers monitoring employees is highly regulated.
| shim2k wrote:
| Not saying it does not occur in tech in general, but there is a
| difference in scale between selling the data and abusing it for
| personal reasons. The examples you provided are exclusively the
| latter.
|
| The mentioned employee sold access to 4,887 email accounts.
| sn_master wrote:
| Also, plenty of employees in car dealerships and finance
| companies in the US sell access to credit reports (i.e. they
| make a new credit report search on demand, not a previously
| stolen one). Just go to any of the darkweb markets and you'll
| find them there, with a lot of glowing "reviews".
|
| If the money is there, and it can be done anonymously, people
| will keep doing it.
| Person5478 wrote:
| Which should be __SCORCHINGLY__ illegal because too many
| credit report requests can actually affect your credit score.
| bserge wrote:
| Not sure if this would make anyone feel better or worse, but
| you can find these kinds of examples _everywhere_. Abuse of
| position, often with results way, way worse than a hacked
| account, is extremely common in every single industry. We're
| all human, after all.
| ransom1538 wrote:
| "I hope the HN crowd doesn't write this off because it's
| Russia"
|
| Sorta. I worked next to them in Burlingame, CA.
| ericcholis wrote:
| - eBay employees stalk and harass bloggers
| https://www.nytimes.com/2020/09/26/technology/ebay-cockroach...
| selykg wrote:
| Best approach to data is that if it can't be seen or read
| (through any means) then that data can't be abused or misused.
|
| This is why end-to-end encryption should be a first choice for
| pretty much everything.
| edrobap wrote:
| > Yandex officials also said they re-secured the compromised
| accounts and blocked what appeared to be unauthorized logins.
| They are now asking impacted account owners to change their
| passwords.
|
| I'm curious how access was provided to these sold accounts. The
| password change implies the passwords were shared, and that means
| plaintext passwords were available to admins!?
| justusthane wrote:
| I'm not sure why you were downvoted - I vouched for your
| comment to bring it back (in fact, looking at your comment
| history it looks like almost all of your comments are dead).
|
| I think you're right though--it does seem like they must have
| sold the passwords themselves. It's interesting to think about
| how you would sell access to an account if you wanted to.
| [deleted]
| aasasd wrote:
| As usual, the site can't be bothered to link to the first-hand
| announcement. Which is absolutely a 'dark pattern', and half of
| news sites that are generally considered alright still feel the
| need to do this.
|
| https://yandex.com/company/press_center/press_releases/2021/...
|
| Or in Russian:
| https://yandex.ru/company/press_releases/2021/2021-02-12
| camgunz wrote:
| As long as it's possible to do this and there aren't serious
| high-level repercussions for it, it will keep happening. This is
| why people flock to e2e systems, because we don't trust
| corporations or governments to protect us.
| sn_master wrote:
| The sad part is, most e2e aren't true e2e. Even if they are,
| they often backup everything in a central location like
| Whatsapp/ which put everything in your Google account without
| any additional crypto layers, making it all accessible with a
| subpoena or prism to any law enforcement agency.
|
| Edit: Removed Signal as an example.
| tokamak-teapot wrote:
| Signal only backs up messages on Android - and requires a
| thirty digit key to be provided to save/restore. Is this not
| the encryption key then?
| [deleted]
| eatingCake wrote:
| > they often backup everything in a central location like
| Whatsapp/Telegram/Signal which put everything in your Google
| account without any additional crypto layers
|
| I don't know about the others but I don't think Signal does
| this. Signal offers the user the ability to backup their
| messages, and lets them password protect them, but the way
| you've written this implies Signal is uploading messages to
| Google of its own volition, unencrypted, which afaik is not
| the case.
| teddyh wrote:
| > _As long as it's possible to do this ... it will keep
| happening._
|
| FTFY. The _only_ solution is for the information never to exist
| in the first place, never centralized, never even collected.
| camgunz wrote:
| Decentralization is probably the (old) new geek frontier, the
| way the internet used to be. I doubt it'll ever be
| mainstream, because the network effects, business incentives,
| and markets just aren't there--there'll never be a successful
| decentralized Spotify. But that's a feature; I don't want
| that stuff to go mainstream because that's how you get Slack
| instead of IRC (etc. etc.)
| HNSAXU wrote:
| Google trolling competitors?
___________________________________________________________________
(page generated 2021-02-12 23:02 UTC)