[HN Gopher] American spy hacked Booking.com, company stayed silent
___________________________________________________________________
American spy hacked Booking.com, company stayed silent
Author : Freak_NL
Score : 539 points
Date : 2021-11-11 07:13 UTC (15 hours ago)
(HTM) web link (www.nrc.nl)
(TXT) w3m dump (www.nrc.nl)
| andygrd wrote:
| I'd feel sorry for anyone who hacked booking.com, they'd end up
| trying to decipher several petabytes of email data saying
| basically, "stop sending me hotel offers in Outer Mongolia!"
| mrich wrote:
| Worse still, they would have to read Perl code :)
| tyingq wrote:
| I love Perl. But, if I were hired to squirrel away code that
| helped me spy on people, Perl would be one of my top choices.
| Lots of opportunity to hide the true purpose of the code with
| weird, little known side-effects, syntax, and so on. Perl
| doesn't have to be cryptic, but it can be.
| kizer wrote:
| Why would anyone build something like that in Perl? I could
| only see it being done "just because". Wasn't Perl
| specifically designed for the quickly code it once and not
| change it again case?
| tantalor wrote:
| Perl was the best/fastest way to write web applications
| (think FastCGI, mod_perl) before PHP stole that crown in
| late 90s.
| tempest_ wrote:
| Perl was python before python was python, and booking.com
| is old.
| nebula8804 wrote:
| I thought the Netherlands was weird in that there is a
| large group of Perl programmers who never decided to move
| on. It is its own ecosystem
|
| It's kind of like how Japan stayed on flip phones for
| forever and even bolted on smartphone features to their
| flip phones.
| mrich wrote:
| On the server it was the predecessor to Node.js, back
| when the alternative was a C program :)
| [deleted]
| iso1210 wrote:
| So you're saying they encrypt their code?
| danmur wrote:
| Hilarious route to security, only Perl programmers can work
| it out and they won't be bought off
| iso1210 wrote:
| Nobody can read my perl code -- including me!
| OneTimePetes wrote:
| Revenge of the Reg/"(?>(?:(?>[^"\\\\]+)|\\\\.)*)"/ ex. They
| embalm it in pyramids and put a camel in front.
| [deleted]
| tchalla wrote:
| Every time I read such articles, I replace the nationalities
| American with Russian or Chinese just to gauge how the reactions
| would be.
| dang wrote:
| Please don't take HN threads on generic ideological or
| nationalistic tangents. They make discussion significantly more
| shallow (because there's never anything new to say about the
| most generic and well-worn themes), more tedious (because
| predictable), and nastier (because the themes are inflammatory
| and because the mind seems to resort to indignation to amuse
| itself when there isn't any information to chew on).
|
| https://news.ycombinator.com/newsguidelines.html
| dtjb wrote:
| I'm not saying America is innocent, but those are materially
| different things with different motivations and risks. The
| reactions would rightly be different.
| oxfordmale wrote:
| The problem is that if America is able to do such a hack,
| other state actors are more than capable to do the same,
| however, we may just not know about it as they covered their
| tracks better.
| joshgrib wrote:
| How are the motivations and risks different? The motivation
| seems like "country wants more information to use against
| people" and the risk is that they do it. At least in recent
| history (~50 yrs) the US has done way more damage globally
| through its intelligence agencies than probably any other
| country
| tablespoon wrote:
| > The motivation seems like "country wants more information
| to use against people" and the risk is that they do it.
|
| IIRC, the intelligence utility of hotel booking data is for
| _counter_ intelligence, so it's more like "use against
| other spies." They're looking for situations where
| spies/sources are traveling to the same place to meet.
| vmception wrote:
| Sometimes I suggest such hackers are Russian just so the actual
| hacker isn't chased anymore because people are really gullible
| and will take that at face value. People imagine Putin signs
| the contracts himself.
| conjectures wrote:
| The Wire nailed this with, "I'm not even Greek."
| [deleted]
| tgv wrote:
| For edginess' sake? While I don't approve of hacking, I expect
| American spying to have less damaging results than Chinese or
| Russian spying.
| dang wrote:
| Please don't take HN threads further into nationalistic
| flamewar. I'm sure that wasn't your intention but intention
| isn't the high-order bit here.
|
| https://news.ycombinator.com/newsguidelines.html
| hosteur wrote:
| Why?
| nverno wrote:
| Would you rather live under the American, Russian, or
| Chinese government? Probably as simple as that- what's
| considered damaging in this case likely depends on your
| preferences.
| angio wrote:
| I'd rather not live under any of them, and that's the
| reason I live in Europe. This is not the first time the
| US (an ally country) hacked European companies to gather
| data about European citizens (or in other cases
| technology).
| stjohnswarts wrote:
| If you think European countries aren't hacking American
| companies...
| hoppla wrote:
| I would prefer it was China or Russia, if they had a
| grudge with me, the bar would be higher for them to do
| something that affected me. Americans can put you on some
| secret list and generally ruin your life on the basis of
| nothing
| TickCount wrote:
| Maybe I'm just a trivial person, but when I ask myself
| why I wouldn't live in those places, or any place, I find
| I'm simply psychologically incapable of being motivated
| by anything other than living standards, the
| attractiveness of members of my opposite sex, proximity
| to friends and family, and all that.
|
| I would much rather not live in China, for the same
| reason I'd much rather not live in Montana, i.e. the
| living standards are a LOT lower in China than where I
| am, and it will be a lot harder to meet someone on places
| like Tinder I can feel attracted to.
| joshgrib wrote:
| I think you can both say you'd rather live in the US, and
| at the same time our intelligence agencies do just as
| much (if not more) damage worldwide. For example if you
| live in South America the US is a much bigger risk to you
| than other countries because they overthrow any govt they
| don't agree with, regardless of what the people of the
| country want. Russian spying doesn't seem to result in
| much damage as far as I can tell, while US spying is
| regularly used to undermine democracy.
|
| If the motto of a country was "we'll keep you safe inside
| but we'll be treating everyone outside terribly", then
| you'd definitely rather live inside that country, but it
| doesn't mean they're less of a risk to the world.
| WarOnPrivacy wrote:
| > Would you rather live under the American, Russian, or
| Chinese government?
|
| alt: Would you rather be mistreated by a relative or a
| stranger?
|
| As an American I'd rather my gov be held accountable for
| its unethical IC behavior - especially by its allies.
|
| The reason is that other nations are proving grounds; the
| methods developed there will eventually be leveraged by
| US government(s) against US citizens.
| nverno wrote:
| this was commentary on the /hypothetical/ scenario from
| OP on which regime was more damaging, which I read as
| essentially ideology choice, not an endorsement of any
| particular methods
| jacquesm wrote:
| If you're a name with brand recognition, and active in a space
| that allows effective monitoring and/or eavesdropping on the
| communications of a large number of people then you can consider
| yourselves either already hacked or a target of various
| intelligence services. Also beware of employees that are overly
| eager to have more access than they should have; the 'plant' is a
| very effective way to gain access to data (support: en detail,
| ops: en gros).
|
| Companies routinely wipe hacks and data leaks under the carpet in
| the hope that nobody will notice, with the GDPR active they
| _really_ should stop doing this but it still happens with great
| regularity.
| mclightning wrote:
| > Also beware of employees that are overly eager to have more
| access than they should
|
| Another side of the coin, I always felt shy to ask for access
| to tools in big corporations that I worked at, unless I am
| offered access directly by a manager or co-worker directly.
|
| This can backfire, if you act too strictly around tools, some
| employees will never even try to get a hold of the tool you
| potentially pay 100K$+ a year.
| jacquesm wrote:
| Access to tools is one thing, access to unfiltered large
| amounts of data (say: production database copies, backups,
| reporting tools that have themselves unfiltered access) are a
| real risk and should be handed out with great care and
| oversight.
| mclightning wrote:
| Ah true, that I agree 100%
| sofixa wrote:
| > Companies routinely wipe hacks and data leaks under the
| carpet in the hope that nobody will notice, with the GDPR
| active they really should stop doing this but it still happens
| with great regularity.
|
| That's why the DPO is mandatory to have and is personally
| responsible. From my experience (MSP/MHP/consultancy with lots
| of clients), post-GDPR data leaks are taken much more
| seriously.
| jacquesm wrote:
| Yes, it's better now. But it is still bad. We just went from
| 'terrible' to 'bad'.
| streamofdigits wrote:
| To understand the ramifications without geopolitical biases and
| pink glasses think of the headline:
|
| "X spy hacked Y, company stayed silent"
|
| where X is any (quasi)state actor that feels aggrieved or
| entitled, and Y is any giant data collector
|
| The net as it has come to be used is a fractal of bad design in
| practically all conceivable ways: economic, social,
| geo(political)
| aj3 wrote:
| Counter example where companies didn't stay silent:
| https://en.wikipedia.org/wiki/Operation_Aurora
| dmix wrote:
| > The specific intelligence organization--of which the United
| States has 18--is unknown.
|
| This is a great factoid. Eighteen different IC agencies and
| countless contractors.
| seanieb wrote:
| And they couldn't estimate accurately how fast the Taliban was
| recapturing Afghanistan, a country they occupied for over a
| decade! Too many cooks in that kitchen!
| xxs wrote:
| Of course they could not - the gravy train for 20 years...
| what's not to like
| Santosh83 wrote:
| Of course they could. Why are people this naive? Nevertheless
| the administration simply did not care. It was time to shift
| the theatre of war elsewhere and that's that.
| dtjb wrote:
| Wendover did an interesting video on the logistics of
| Afghanistan, including the collapse of the ring road which
| hampered intelligence efforts.
|
| https://www.youtube.com/watch?v=o4tuhWvKduU
| Tepix wrote:
| That's not counting the secret agencies.
| jb1991 wrote:
| This isn't surprising to me. I know lots of people who work for
| this company in the Netherlands, and I've heard a lot of inside
| stories about the questionable business practices that go on
| there. Starting at the very top, with the fraudulent marketing
| lies to sell you rooms because there's only X number of rooms
| left, which is entirely bogus, and for which the courts have
| punished them, if I recall. They're not interested in anything
| but profit above all else. It is unfortunate, that this is what
| the tech industry has evolved into.
| ChrisMarshallNY wrote:
| _> It is unfortunate, that this is what the tech industry has
| evolved into._
|
| My thoughts, exactly.
|
| I started off in the 1980s, just as tech was starting to become
| mainstream.
|
| In the early days, we were not the most "socially well-
| adjusted" crew, but were fairly enthusiastic about the tech,
| with most of us working for the love of the craft.
|
| Then, the money started to pour in. It was inevitable.
|
| That brought the sharks and the rapacious bastards.
|
| They became heroes and role models.
|
| And here we are...
| hemloc_io wrote:
| Wasn't alive for 1980s and it's a controversial take here on
| HNs but some of the most excitement I've seen has been in the
| crypto space since the 2010s.
|
| Once you get past the scam/hype bullshit anyway.
| suction wrote:
| I know someone who works in the music industry and recently
| got a new boss, coming over from Booking.com - and guess what
| since that guy started, the new priority on the agenda is to
| introduce dark patterns in the company's online
| offerings...seems like Booking.com is a real hotbed for that.
| [deleted]
| Cthulhu_ wrote:
| Booking.com is the poster child of 'dark UX patterns' like
| that.
| blablabla123 wrote:
| I cannot recall anything concrete but from HN and other tech
| news platforms I heard only bad things about the platform.
| DonHopkins wrote:
| It's a common discussion topic -- a few links:
|
| Bad UX: How Booking.com deceives clients
|
| https://news.ycombinator.com/item?id=15152155
|
| https://medium.com/@ilyadoroshin/bad-ux-how-booking-com-
| dece...
|
| How Booking.com manipulates users (ro-che.info)
|
| https://news.ycombinator.com/item?id=15297915
|
| https://ro-che.info/articles/2017-09-17-booking-com-
| manipula...
|
| [dupe] Dark Patterns (darkpatterns.org)
|
| https://news.ycombinator.com/item?id=20858714
|
| https://www.darkpatterns.org/
|
| Successful machine learning models: lessons learned at
| Booking.com
|
| https://news.ycombinator.com/item?id=21182445
|
| https://blog.acolyer.org/2019/10/07/150-successful-
| machine-l...
|
| Dark Patterns at Scale: Findings from a Crawl of 11K
| Shopping Websites (2019)
|
| https://news.ycombinator.com/item?id=25968531
|
| https://webtransparency.cs.princeton.edu/dark-patterns/
| DonHopkins wrote:
| BooKing.com is one of the biggest Perl shops in the world.
|
| They're desperate to hire lots of willing Perl programmers,
| so they have to set the bar low.
|
| And inexperienced programmers cause lots of security
| problems.
|
| Edit: My point is about the moral flexibility of BooKing.com,
| which is well established and widely known, not good Perl
| programmers, who are rare, hard to hire, and extremely
| expensive (especially by Netherlands programmer salary
| rates).
|
| And to jacquesm's point about plants: All any intelligence
| service has to do to place a plant at BooKing.com is fake
| them up a good looking resume full of Perl experience, and
| Bob's your U.N.C.L.E.!
|
| Edit2: yes xxs, downvoting's probably from royalists offended
| at the thought of one of the Netherlands' biggest tech
| companies has been mocking their King. Good Perl programmers
| can take a joke. ;)
| dep_b wrote:
| > especially by Netherlands programmer salary rates
|
| Well Booking.com pays about double of that.
| __alexs wrote:
| Are Perl programmers generally more morally flexible than
| others?
| ManuelKiessling wrote:
| They grep what they can.
| DonHopkins wrote:
| No, I mean that BooKing.com is morally flexible enough to
| hire anyone who claims they are willing to program in
| Perl, because it's so damned hard to find good Perl
| programmers who don't know any other languages they enjoy
| programming in more, and can't find better jobs than
| programming in Perl.
|
| If BooKing.com were trying to hire JavaScript
| programmers, they'd have a vastly more enormous pool of
| young and old, well educated and self taught, local and
| remote, highly experienced and self motivated talent to
| hire from, and wouldn't have to be so flexible about who
| they hired to program in Perl.
|
| And the moral flexibility of that company (not the
| programmers) also expresses itself through those "dark UX
| patterns" that BooKing.com is so famous for.
|
| (Although they should probably talk to somebody about
| their domain name: I always assumed BooKing.com was an
| anti-royalist web site. ;) )
| b20000 wrote:
| javascript implies well educated? so much LOL here. maybe
| perl programmers are happy with perl and have no interest
| in learning yet another programming language.
| DonHopkins wrote:
| No, I actually meant to indicate that there is a densely
| populated multidimensional spectrum of young to old,
| local to remote, well educated to self taught, highly
| experienced to self motivated.
|
| While generally speaking, most remaining Perl 5
| programmers are old, remote, self taught, highly
| experienced, very busy, hard to find, and extremely
| expensive.
|
| There aren't many schools and universities and bootcamps
| and online learning sites and youtube channels cranking
| out new Perl 5 programmers that I know of. But there are
| a hell of a lot of them for JavaScript.
| b20000 wrote:
| the job of a university is to teach CS, not a specific
| programming language. javascript is just a language like
| any other, there is nothing particularly good about it.
| it became popular because a scripting language was needed
| in browsers and because every idiot out there wants to
| become a web developer because they think they will be
| zuckerberg in 6 months. indeed, there are endless
| programming bootcamps parasiting off these people as you
| pointed out.
|
| finally, it is perfectly valid to choose to become BETTER
| in a tool set instead of learning a new one every year.
| i'm pretty sure there are many developers out there who
| have no interest in learning other languages and are
| content in spending their valuable time learning other
| skills that are more valuable.
| DonHopkins wrote:
| Anti-intellectualism and refusal to learn any other
| language isn't going to get you a good job or much
| interesting experience.
|
| You can get better in one language by learning and using
| several other different languages (the more languages and
| the more different, the better), which expands the scope
| of what you know how to do in ANY language.
|
| And if you refuse to learn more than one language, that
| limits yourself to tasks that don't involve multiple
| languages, which is a large proportion of the typical
| tasks a professional programmer encounters. Many common
| tasks are impossible to do in only one language, since
| all libraries and apps aren't written in the same
| language.
|
| Again, my point that you haven't countered is:
|
| Any programmer who permanently sticks to only one
| language and has "no interest in learning yet another
| programming language" simply isn't a good programmer, no
| matter what their only language is.
|
| Any decent professional programmer (ESPECIALLY web
| developers) should have no trouble picking up and
| applying new languages, and regularly using multiple
| languages together at the same time every day. The world
| is not partitioned into mono-linguistic silos, and no one
| language is good for everything.
|
| If those monolinguistic Perl 5 developers b20000 speaks
| of who refuse to use any other languages are the only
| ones left for BooKing.com to hire, then it's no wonder
| they have enormous security holes and terrible buggy
| hard-to-maintain code.
|
| Have you ever actually met any of those hypothetical
| monolinguistic Perl 5 developers in person who you're
| "pretty sure" exist, and actually discussed with them why
| they refuse to learn or use any other language, and asked
| them who they work for, and what they work on, and how
| they enjoy it?
|
| Or will you actually admit to being a monolinguistic Perl
| 5 programmer yourself, and answer those questions about
| yourself, please? Or are the people you speak of entirely
| theoretical and unknown to you?
|
| If you are saying that Perl 5 makes people give up
| learning other languages, that sounds like a horrible
| thing about Perl 5, because it's so discouraging, but
| unfortunately it's probably partly correct for some
| people.
|
| But not all programming languages are as hard to learn,
| and program in, and read, and debug, and maintain, and
| find good jobs for, and hire good programmers for, as
| Perl 5!
|
| Please don't give up just because you picked the wrong
| first language to learn.
| b20000 wrote:
| _Any programmer who permanently sticks to only one
| language and has "no interest in learning yet another
| programming language" simply isn't a good programmer, no
| matter what their only language is._
|
| You have not given any reasonable proof for this. If this
| were true, just to give you one example, linux kernel
| programmers would be bad programmers.
|
| I used to use Perl for web development, but quit web
| development years ago. I use primarily one or two
| programming languages and have zero interest in learning
| other languages. And that's OK. I've brought multiple
| successful products to market. I have chosen what I want
| to do and have no time or energy to follow fads.
|
| My comments have nothing to do with anti-intellectualism.
| zinekeller wrote:
| While there are many Javascript "developers" that don't
| deserve that title, there are much _much_ more actually-
| good JS developers than actually-good Perl developers,
| not to mention the willingness to program Javascript than
| Perl.
| b20000 wrote:
| i might be able to accept that there are more javascript
| developers than perl developers. this then implies there
| are more good javascript developers, but only if
| javascript does not attract more wannabe developers. and
| i think that might be the issue.
| cto_of_antifa wrote:
| Why gatekeep being a developer?
| DonHopkins wrote:
| No, seriously, there is absolutely no comparison between
| the number of Perl 5 and JavaScript developers.
|
| https://insights.stackoverflow.com/survey/2020
|
| Most popular technologies:
|
| JavaScript: 67.7% for all devs, 69.7% for pro devs:
| First place!
|
| Perl: 3.1% for all devs, 3.3% with pro devs: Third from
| last place, only a wee bit more popular than Haskell and
| Julia!
|
| And you can take a guess at how many jobs for Haskell and
| Julia programmers there are.
|
| And it's not like good Perl 5 programmers are dropping
| dead, or being hit by busses: They're simply moving on to
| better, more popular, well supported, widely taught, more
| modern, higher paying, more pleasurable languages!
|
| Any programmer who permanently sticks to only one
| language and has "no interest in learning yet another
| programming language" simply isn't a good programmer, no
| matter what their only language is.
|
| Any decent professional programmer (ESPECIALLY web
| developers) should have no trouble picking up and
| applying new languages, and regularly using multiple
| languages together at the same time every day. The world
| is not partitioned into mono-linguistic silos, and no one
| language is good for everything.
|
| If those monolinguistic Perl 5 developers b20000 speaks
| of who refuse to use any other languages are the only
| ones left for BooKing.com to hire, then it's no wonder
| they have enormous security holes and terrible buggy
| hard-to-maintain code.
|
| https://www.fastcompany.com/3026446/the-fall-of-perl-the-
| web...
| sokoloff wrote:
| I don't see how being flexible on hiring to meet the
| market is being _morally_ flexible. There's nothing
| immoral about it that I can see.
| DocTomoe wrote:
| > If BooKing.com were trying to hire JavaScript
| programmers, they'd have a vastly more enormous pool of
| young and old, well educated and self taught, local and
| remote, highly experienced and self motivated talent to
| hire from, and wouldn't have to be so flexible about who
| they hired to program in Perl.
|
| Yes, but then they'd get results in Javascript, which has
| its own security nightmares (like npm's recent third-
| party-code-injection incident.) Given their business most
| likely involves the need to quickly parse huge amount of
| text files (think: hotel booking information, SABRE info,
| ...), Perl might just be the right tool for the job.
|
| I don't know about booking.com's hiring platform, but in
| my subjective experience, Perl people tend to be more
| professional and more careful than JS folks.
| DonHopkins wrote:
| Sure, people make mistakes and create bugs and security
| holes in every language. And some languages like PHP
| attract newbies who know no other language. And other
| languages like Perl 5 are so syntactically complex that
| they repel newbies.
|
| But how many schools and classes and youtube videos teach
| JavaScript? And how many teach Perl?
|
| The fact that there are a lot of bad JavaScript
| programmers isn't a symptom of JavaScript programmers
| being bad. It's a symptom of there being a lot of
| JavaScript programmers. There are also a lot of really
| excellent JavaScript and TypeScript programmers, just not
| as many as bad ones.
|
| (But I bet there are more good JavaScript/TypeScript
| programmers than all Perl 5 programmers plus all Raku
| programmers (counting everyone who knows both twice), by
| far.)
|
| To make a gross understatement, TypeScript's evolution
| from JavaScript didn't take as long, went smoother,
| wasn't as incompatible, and was more interoperable,
| successful, and popular than Raku's evolution from Perl
| 5.
|
| Not to mention it's much easier for a JavaScript
| programmer to learn TypeScript, and to upgrade JavaScript
| code to TypeScript code, than moving from Perl 5 to Raku.
|
| (And I also bet BooKing.com isn't upgrading from Perl 5
| to Raku any time soon.)
|
| There are more great JavaScript and TypeScript
| programmers available to hire than mediocre Perl 5
| programmers, because Perl 5 is effectively a dead
| language, while JavaScript and TypeScript are both
| ubiquitous, thriving, widely taught languages.
|
| JavaScript shops (and also Python and C# and Java shops)
| actually have the option of not hiring the bad
| programmers and intelligence agency plants, and hiring
| lots of the good programmers.
|
| PS: BooKing.com could easily be confused with the evil
| "King Boo", Luigi's antagonistic arch-nemesis, and
| scheming ally of Bowser! Why doesn't Nintendo send them a
| cease and desist for acting so villainous, and seise
| their rightful domain in the name of King Boo? ;)
|
| https://www.mariowiki.com/King_Boo
|
| >King Boo is the leader of the Boos and ghosts, ruler of
| the Paranormal Dimension, the main antagonist of the
| Luigi's Mansion series, and the arch-nemesis of Luigi. He
| is also an ally of Bowser, who has aided him in his
| various schemes. He is more than capable of devising and
| enacting villainous plans by himself, including his
| capture and imprisonment of Mario. Although not the
| biggest Boo, King Boo has abilities that far surpass that
| of the average ghost; he wields a number of impressive
| magical abilities, including the ability to materialize
| objects. King Boo's magical power is directly
| proportional to the number of Boos in his vicinity.
| xxs wrote:
| This is pretty much my experience talking to some of their
| developers on conferences. Why the downvotes? edit I see:
| booking capitalization
| 2-718-281-828 wrote:
| at the same time the UI is awesome. using booking.com on a
| regular basis and I'm quite happy with it.
| nomercy400 wrote:
| When searching for an accommodation, booking.com offers a
| map, which shows the price of each accommodation, with
| filters applied. This is so useful and I wish other travel
| sites also had this.
|
| A list of 200 hotels of $50-100 is simply not enough
| information when searching in an unknown city. I need to
| narrow down that list, for example with features like a
| kitchenette (60 hotels left), but also a location near the
| city center, and not 20-30 minutes away in some suburb (20
| hotels left). With booking.com I can now see on a map 20
| pins of hotels with their pricing. Ok, some hotels are
| hostels with a Shared-6 room, which is one filter you
| cannot actually apply unfortunately (hey booking.com, if
| you are reading this, this is a hint!).
|
| ..then I know the hotel names, and search on the hotel's
| own site or other travel sites if there are any deals
| (genius discounts sometimes help). Sometimes, Booking.com is
| cheapest, sometimes it is not.
| qw wrote:
| Doesn't hotels.com also have the same filters? I just
| tried it now, and I could filter by facilities (kitchen)
| and distance to landmarks
| nix23 wrote:
| Have you checked trivago?
|
| https://www.trivago.com/
| moooo99 wrote:
| The best hotel search engine I have used to date is
| kayak.de, a company from Berlin. They offer most if not
| all of the features you described and compare a variety
| of different booking portals.
|
| I'm not completely sure how biased they are in their
| ranking. But I've been using this site for the last few
| years and never had any problems. I recommended this site
| to a few of my friends who shared my positive experience.
| brimnes wrote:
| Kayak is headquartered in the US and owned by Booking.com
| em500 wrote:
| kayak.de is owned by the same company (Booking Holdings):
| https://www.kayak.de/about
| DeathArrow wrote:
| >When searching for an accommodation, booking.com offers a
| map, which shows the price of each accommodation, with
| filters applied. This is so useful and I wish other
| travel sites also had this.
|
| Trivago does the same and maybe others, too.
| kaba0 wrote:
| I agree. Their website and mobile app as well seem to be of
| very high quality (though unfortunately it is not that hard
| to be exceptionally good in that compared to all the buggy
| software around us)
|
| I have seen their presentation on a ML-related conference
| and what goes into which pictures they show for you for a
| given room is quite advanced. E.g. whether you will prefer
| a photo of a pool vs a nice room, etc.
| b20000 wrote:
| what about facebook?
| ratww wrote:
| Facebook is kinda tame compared to Booking.com.
|
| Imagine Facebook if the like counts and comments were all
| false, and there were things flying across your screen
| saying "20 people are reading this comment, you should also
| do it". Then you got Booking.com.
| [deleted]
| Xelbair wrote:
| I wonder when will people stop being surprised that any
| corporation puts profit as its end goal.
|
| Them being nice for a while, it's just a coincidence of aligned
| interests.
|
| Court mandated fines are taken into the account - if profit
| increase is higher than the fine, what's stopping them from
| going forward with such idea?
| b20000 wrote:
| but that is what all property management companies do as well
| it seems, in california, tell you there are only 2 units to
| choose from while 30% of the building is empty?
| maze-le wrote:
| The way I use booking.com: Search for a suitable hotel or
| apartment and find their name. Then search for them
| independently and make the reservation directly. I mean: they
| have a great search interface and all, but I refuse to funnel
| money to gatekeepers whenever I can... Stories like this just
| affirm my suspicions about companies like them...
| amirs wrote:
| To play the devil's advocate here - I do the same as you, but
| last month when I booked a 3 week vacation Booking offered
| better prices than the hotels themselves. They also didn't
| pull any stunts like other hotel aggregators do (show you a
| price and change it when you get to the checkout). I also had
| a single instance in the past where I wanted to prolong my
| stay at a hotel, and the hotel clerk told me I'd get a better
| deal if I booked through Booking, which I did.
|
| Generally I think you're right, but I guess it depends.
| fsflover wrote:
| > Booking offered better prices than the hotels themselves
|
| In this case, you can contact the hotel and ask for a
| better offer. Works sometimes.
| jhugo wrote:
| I've tried this many times and the hotel usually says "I
| guess you should book it online then"
| dep_b wrote:
| That's so weird huh? I really don't understand it.
| notsureaboutpg wrote:
| Yeah it makes no sense to me but this happens every time
| I try to book a room directly. I've even offered to pay
| slightly more just to book directly as it's hard to trust
| these online sites, they still refuse.
| nostrebored wrote:
| It's because booking purchases the rooms wholesale, and
| typically well in advance of the stay dates. They can offer
| you a lower price because hotels use them to make their
| business more predictable.
| jhugo wrote:
| I hear this a lot, but do you have a source? They should
| have got absolutely wrecked at the start of the pandemic
| if they were doing this.
| gunnihinn wrote:
| I work at Booking. We do not do this and never have.
| Other OTAs do, like Expedia. It's the merchant vs. agent
| model.
| nostrebored wrote:
| Oops, sorry!
| kaba0 wrote:
| > They're not interested in anything but profit above all else
|
| Not disagreeing with you, but why is it a surprise to anyone?
| Any company that seems to be "nice" is only doing that as a
| good PR increases their profits, which depending on domain may
| be very important.
| mckirk wrote:
| Any public company, perhaps. Private companies could decide
| to care about profit not as much and be genuinely 'nice' --
| though the invisible hand would probably come along at some
| point and replace it with something more profit oriented.
| dgb23 wrote:
| I find it unfortunate that the "invisible hand" is somehow
| seen as a real force of nature. It's a spooky, ideological
| term that implies some kind of simple generality describing
| a system that is everything but simple. Additionally it is
| used as a bad excuse for exploitative, oppressive or
| otherwise shitty behavior - which is ironic, because that
| is exactly the thing that is claimed _not_ to happen by
| definition.
|
| There are real firms in highly competitive markets that
| have been doing well for decades or even more than a
| hundred years without putting the profit motive above
| everything else, but have favored long term stability,
| cooperation, servicing customers, respecting workers and so
| on.
| elliekelly wrote:
| It's not necessarily about PR. Being nice is good business.
| The problem is being nice is good in the long term while
| being a greedy bastard generally pays more immediate
| dividends.
| marginalia_nu wrote:
| For some reason, the hotel business seems pretty shady. My
| sense from crawling the web is that it's one of the areas that
| have the most blackhat SEO as well. Straight up linkfarms.
|
| This is sheer speculation, but I do think the hotel business is
| really convenient to get into if you have a questionable side-
| business and need to launder money. Who is to say if a room was
| occupied or not that night, if that foreigner who paid in cash
| really existed. Can pretty much just trickle money into the
| books. I imagine you could also run contraband out of them
| fairly easily. Lots of people coming and going with all sorts
| of luggage. Who is to say if they are as full when they leave
| as they were when they arrived? Great for prostitution too,
| trafficking. The girls can tidy up the rooms during the day.
| 101008 wrote:
| Argentina president Cristina Kirchner is accused of having a
| hotel chain in Patagonia for money laundering purposes.
| Investigators say the hotel never received anyone despite the
| books saying it was full for years.
| amelius wrote:
| > For some reason, the hotel business seems pretty shady.
|
| Any business where people in charge have no affinity with the
| end product automatically becomes shady. The only source of
| pride for these people is to rake in more money, so it's even
| difficult to blame them.
| mojo74 wrote:
| I think you have the makings of a new Netflix series there. I
| propose it be called Check In (or Cheque In for those of us
| in the UK).
| mjburgess wrote:
| I can't tell if you're joking -- but in the UK you "check
| in" to a hotel. A cheque is, specifically, a type of
| financial/banking note.
|
| cf. https://en.wiktionary.org/wiki/check_in
| mojo74 wrote:
| In the US I believe a Check is the same as a Cheque in
| the UK. Granted cheque is a homophone but both usages
| denote money (more so with the US title) with the added
| benefit of the connotation of arriving at a hotel. I am a
| big fan of puns.
| mpclark wrote:
| Absolutely. "In the UK you can pay a bill with a cheque,
| and in the US you can settle a check with a bill"
| mjburgess wrote:
| The paper item "a cheque" is called "a check" in the US
| -- which presumably happened because "a cheque" has
| something to do with the verb "to check" (as in, "to
| check the health of"; to verify the status of something
| by asking/seeing it).
|
| When you check-in to a hotel you aren't "handing over a
| cheque", you are checking-in with the reception. Ie., you
| are speaking to reception and _checking_ your reservation/room.
|
| To "check in with someone" is to have a chat or talk to a
| person to "check" how they are.
| Grazester wrote:
| As someone who speaks the queen's English, I would like
| to recommend you look up what a cheque is.
| marginalia_nu wrote:
| There's a lot of potential here. I'm thinking a slow
| burning Breaking Bad set up that sells itself as a light
| hearted Fawlty Towers-type show about a wide eyed Monopoly
| enthusiast fulfilling his dream, but with every season it
| gets darker and grittier and ends as a tangled web of
| international crime and corruption. Everything spirals out
| of control. The hotel is hosting a big conference and the
| minister of whatever is holding a keynote speech and the
| hotel is full of press, meanwhile the johannesburg arms
| dealers killed a prostitute that turned out to be an
| undercover cop and the body is still in their room, also
| there's a call from some really angry russian loan sharks,
| they're coming for their fucking money right now.
| imglorp wrote:
| This is almost exactly Ozark, if anyone likes the idea
| and wants to watch now.
| dhosek wrote:
| I've kind of assumed that the posters were being ironic
| and describing Ozark, but maybe not.
| mojo74 wrote:
| Consider my subscription renewed.
| perk wrote:
| You had me at slow burning Breaking Bad. I would watch
| the hell out of this.
| sva_ wrote:
| > Who is to say if a room was occupied or not that night, if
| that foreigner who paid in cash really existed.
|
| Here in the EU, they usually have a look at your passport. I
| think it's enforced by law in some places. Government
| overreach
| stonemetal12 wrote:
| I don't understand your point. In "Breaking Bad" if he had
| a hotel instead of a car wash, he could claim it was 95%
| occupied every night. Thereby washing large quantities of
| cash. In the EU do they have to keep IDs for a certain
| amount of time or something? If so then you just keep a few
| on file and hand those over when asked.
| jaclaz wrote:
| It depends on countries, in Italy the data on the ID of
| guests (of a hotel or similar) is transmitted
| electronically (within 24 hours) to the Police.
|
| This since a few years, 2013 I believe, until then you
| had to send (via snail mail) the "records" or bring them
| daily to the nearest Police (or Carabinieri) station.
|
| The provision is since 1978, it was a Law approved in a
| short time due to the "emergency of fighting terrorism".
| gadyke wrote:
| Is it? Surely this simply and proportionately deals with
| exactly the risks above?
| vadfa wrote:
| It deals with those risks, and it's still a
| disproportionate overreach.
| secfirstmd wrote:
| Not only that. In places like Thailand it is a key part
| of anti human traffic and child sex abuse strategy.
| Because it is so common, staff in most hotels are trained
| to spot it.
| that_guy_iain wrote:
| The entire travel industry is shady. I used to work for a
| price comparison site for holidays that had a side business
| as a travel agent. It was well known that none of the prices
| listed were the real price. Even with a rather generous staff
| discount being applied the sales agent was one surprised that
| it was just x over the listed price. They would say you were
| buying a package holiday but in reality they were just doing
| bookings for you via the standard public website for
| everything but the hotel. They would take the hotel payment
| first and then look at the price for the flights by which
| point you're already sold what the company sells and you need
| to pay for the flights no matter what. They'll then suggest
| that you do the transfer booking yourself to save money but
| it'll literally be the same price.
|
| When I joined the first meeting my first day had people
| talking about how they got up at 2am and then 4am to make
| sure internal processes were still working. They had people
| who were barred from the office and were massive screaming
| matches if they came in which was mostly management yelling
| at people for talking to them.
|
| On the money laundering aspect, I doubt this since most
| gangsters are busy with other businesses such as running
| taxis and bus services that are mainly cash businesses while
| hotels are mainly internet and card payments and largely
| coming from business accounts unless it's a tourist spot.
| pawelmurias wrote:
| > The girls can tidy up the rooms during the day.
|
| Hiring a real cleaning lady seems like a good price for not
| ending up with filthy rooms.
| CaptainZapp wrote:
| > This is sheer speculation, but I do think the hotel
| business is really convenient to get into if you have a
| questionable side-business and need to launder money.
|
| Unless you're talking total dumps, which relies on cash
| business only (and doesn't have a turnover to make money
| laundering worthwhile) I think you're flat out wrong.
|
| My guess is that reputable hotels take in very little cash
| (it's actually frowned upon and they will ask for a security
| deposit). The lion's share will be credit card transactions and
| the rest will be invoices for corporate customers and large
| travel agents.
|
| Not much scope for money laundering here.
| sofixa wrote:
| > Who is to say if a room was occupied or not that night, if
| that foreigner who paid in cash really existed.
|
| That's why in some countries ID is required when checking-in.
| Makes it a bit harder to use for money laundering.
| swarnie wrote:
| Which internationally renowned terrorist group with a 3 letter
| abbreviation did this?
| dekhn wrote:
| From https://en.wikipedia.org/wiki/Black_Chamber "Gentlemen do
| not read each other's mail."
| mike_d wrote:
| Henry Stimson later clarified he only meant close allies.
|
| It is also hard to take moral guidance from the guy who oversaw
| Japanese internment camps in the US and decided to change the
| city we dropped the atomic bomb on because the original target
| was where he went on his honeymoon.
| simonswords82 wrote:
| Booking.com is to hotels what Ticketmaster is to live events.
| Total scumbags, terrible customer service, over charging, false
| promises. I might use booking.com to find a hotel but I'll always
| book direct once I find one.
| newhotelowner wrote:
| You see hotels can't collude together to increase prices.
|
| Booking.com/Expedia knows when hotels in the area are selling
| faster than the normal. So what they do is increase the price
| but hotels don't get benefits. Hotel gets paid same.
|
| I wish hotel franchise get together and get rid of
| booking/Expedia. Things like google maps is good enough.
|
| Usually, majority of the booking.com guests are horrible.
| sumedh wrote:
| > I'll always book direct once I find one.
|
| Sometimes booking direct is expensive and the hotels most of
| them have a shitty website.
| hanwenn wrote:
| Booking takes a 20% cut of the reservation, so I expect every
| hotel to gladly offer you 10% off the booking.com price.
| rixed wrote:
| No there is no fixed price, it depends on the hotel.
| Smaller hotels typically get a worse deal than large
| chains.
|
| Note: a lot of other "Facts" supporting the idea that
| booking is all evil are at least partly wrong.
|
| Source: used to work for booking some time ago.
| t8e56vd4ih wrote:
| that's just your expectations. booking hotels directly is
| usually more expensive. why? because they can
| ogurechny wrote:
| 15% or more, depending on how many icons you want to be
| drawn next to your hotel name. So, with most small and
| medium hotels that don't have a detached hired team of
| managers, you can find a direct e-mail, wink-wink, nudge-
| nudge, and get a manual booking with 5-7-10% discount. Of
| course, all booking services prohibit such unequal
| discounts in their agreements, but it is unenforceable, as
| the hotel can invent any complex reward system for anyone
| at any time. Booking services know pretty well that their
| profits depend on eyeball domination, that's why they buy
| all the ads everywhere, and flood the web with "official"
| hotel pages in numerous catalogues. Hotel website is pretty
| much always lost below those. Of course, big hotel networks
| with their own marketing departments and unique partnership
| agreements with public and corporate services work
| differently, and the price you get is what they already
| want from you.
|
| What is trivially detectable, though, is cancelled bookings
| that result in immediate unavailability of the same room
| for the same period. If you book through a service first,
| then try to get a discount from a hotel, there is a much
| higher chance that you get "Naaah". No one would really
| bother about a single case, but your case might not be that
| single case.
|
| As for "booking guarantees" given by a "big, well-known
| service", read the fine print in the user agreement. It is the
| hotel that is responsible for everything. A decent hotel
| treats all visitors equally, and tries to double-check for
| possible problems in advance. A shady place that only needs
| to get by for a season or two, inflates scores by squeezing
| positive reviews, and overbooks isn't really afraid of
| losing a contract. Moreover, that doesn't happen instantly,
| because booking services get money from commissions, and
| want their numbers to increase, not to decrease. Also,
| Booking.com office for some area is, most likely, 3-5
| people handling papers and making calls during work hours,
| they won't personally swat the place to help any client.
| nerevarthelame wrote:
| You are correct. Marriott, Hilton, and IHG (and probably
| others) have price match guarantees, offering 20-25%
| discount (or a load of reward points) on top of the
| cheaper rate that you found. Submitting claims can be a
| little inconvenient, but it's worth attempting before
| booking an expensive trip.
|
| Booking through a third party also usually prevents you
| from receiving loyalty rewards, if that's something you're
| concerned about.
|
| https://www.marriott.com/look/claimForm.mi
|
| https://hiltonworldwide3.hilton.com/en/price-match-
| guarantee...
|
| https://www.ihg.com/content/us/en/customer-care/best-
| price-g...
| simonswords82 wrote:
| That's not my experience, I think most hotels realise that
| their website needs to be useable but sure I guess there are
| probably still shitty hotel websites out there.
| kaba0 wrote:
| If you are looking at luxury hotels, of course they will
| have a fine website. But people often stay at smaller niche
| ones, that even if it has a website, it is probably several
| years out of date and was made with some drag and drop html
| editor, badly.
| bbarn wrote:
| If any at all.
| encryptluks2 wrote:
| Why wouldn't they stay silent? That is the norm unfortunately and
| congress is more concerned about being able to enact more anti-
| privacy and anti-encryption laws than they are of actually
| holding companies liable for poor cybersecurity. I definitely
| encourage everyone to watch the hearing with Colonial Pipeline to
| see what I'm talking about.
| consp wrote:
| > Why wouldn't they stay silent?
|
| Booking.com is required to follow Dutch law and originates from
| the Netherlands, which at that time required informing
| customers if the hack could have negative consequences for
| them. They ignored it and did nothing.
| tromp wrote:
| They did something; they found someone else to blame:
|
| "The management claims it was not legally required to do so
| at the time, based on advice it received from the law firm
| Hogan Lovells."
|
| Although a company the size of booking.com should have its
| own qualified legal department, so that may not shield them
| from being liable...
| eganist wrote:
| > Although a company the size of booking.com should have
| its own qualified legal department, so that may not shield
| them from being liable...
|
| How does retaining outside counsel as opposed to employing
| internal counsel have any bearing on liability?
|
| Asking genuinely. I'm not an attorney.
| edwardwatson wrote:
| Even if they have internal counsel (I haven't checked but
| I'm sure a company as large as Booking.com does), for
| decisions which have for reputational harm, it's useful
| to lean on advice from X prestigious third party.
|
| The same goes for using consultants. It's not just about
| deferring blame for a backlash but lending an air of
| objectivity and professionalism to the decision(s) made
| by management.
| short_sells_poo wrote:
| More to the point, I don't understand how is this even an
| excuse? This sounds like invoking ignorance of the law as
| defense.
|
| "But your honor, Joe McLawyer told me it's perfectly
| legal for me to shoot my neighbor. I can't be held
| responsible!"
| stordoff wrote:
| In narrow circumstances, I can see how receiving legal
| advice may be a factor. For instance, theft in England
| and Wales must be dishonestly done, and s.2(1)(a) of the
| Theft Act[1] states that:
|
| > A person's appropriation of property belonging to
| another is not to be regarded as dishonest if he
| appropriates the property in the belief that he has in
| law the right to deprive the other of it, on behalf of
| himself or of a third person
|
| Pure ignorance of the law doesn't provide you such a
| belief (IIRC), but seeking legal advice may do so. I
| can't think of any other examples, but I wouldn't be
| surprised if they exist (for example, if your conduct
| must be reasonable, following legal advice may lend
| weight to the argument that it was).
|
| It would also be relevant to explaining the conduct, even
| if it does not provide a legal defence.
|
| [1] https://www.legislation.gov.uk/ukpga/1968/60
| elliekelly wrote:
| It's not about ignorance of the law but about
| demonstrating you made a "good faith" effort to comply
| and oops, it turns out you landed on the wrong decision.
| You got some bad advice, but now you know! Won't happen
| again, sorry about that!
|
| Depending on how much of a grey area you're operating in
| the law firm may or may not issue an opinion letter. So
| if you're _really_ pushing the boundary of what is
| reasonable to the point outside counsel won't put it in
| writing you know you're taking a pretty aggressive legal
| position. Some of the big law firms/practice groups have
| a reputation for being willing to be more aggressive in
| their written opinions than others. Large multinational
| companies often have several big law firms on retainer
| and their in house legal team will know who to go to for
| more conservative legal advice and who to go to for cover
| on a risky legal position. So I've heard, at least, I
| definitely would never participate in such ethically
| dubious behavior.
| hugh-avherald wrote:
| Communications with outside counsel is (more) protected
| by privilege than with internal.
| midasuni wrote:
| They operate in the EU, doesn't the GDPR mandate rapid
| disclosure of security breaches?
| Freak_NL wrote:
| This is before the GDPR, but precursor Dutch national laws
| already mandated disclosure.
| miohtama wrote:
| Because Booking.com is a Dutch company, and the EU has GDPR,
| the incident cannot legally repeat itself. This was 2016
| incident and GDPR became effective 2018.
| sweaty wrote:
| GDPR isn't a be-all and end-all, Dutch laws already
| incorporated a lot of aspects of it such as having to notify
| their customers prior to GDPR becoming effective.
| daenney wrote:
| Of course it can repeat itself. Dutch laws already mandated
| disclosure of a breach like this before the GDPR. The company
| simply didn't give a fuck and found a legal firm that gave it
| license not to.
|
| As the article noted the company operates on a "if we don't
| see it and it doesn't hurt us we don't care" principle. Even
| with the GDPR, the company can still choose to not give a
| fuck. It just becomes a more risky gamble assuming anyone
| ever finds out.
| Freak_NL wrote:
| This took place just before the EU-wide GDPR was introduced,
| but under the Dutch national laws applicable at the time
| Booking.com was obliged to notify its affected users. Because
| the impact of a foreign state actor spying on your hotel
| bookings can be quite high (something Booking.com cannot
| reasonably determine for their users themselves) disclosure
| should have happened then in 2016, and the Dutch Data
| Protection Authority should have been informed as well.
| DeathArrow wrote:
| And what the Dutch officials have to say? Will they do an
| investigation?
|
| I hope Booking pays a fine.
| rossmohax wrote:
| Is it worth a shot to file a complaint with SEC? Booking is a
| public company and must disclose any substantial information.
| maccolgan wrote:
| The hacker had ties with the American 3-letter agencies.
| superjan wrote:
| The Dutch privacy authority, with GDPR in hand, can fine them
| up to 2-4% of their annual revenue for not disclosing the data
| breach: such disclosures are a GDPR requirement.
| [deleted]
| eecc wrote:
| I guess the Board knows well enough how many skeletons they're
| hiding (either personally, or the company itself) and what US
| laws might be pulled out of the hat to give them an Assange or
| Huawei treatment.
|
| You don't mess with the US, even when you're the victim.
| LogonType10 wrote:
| There's a simpler answer here. There's no money to be made by
| accusing the US. They just don't care about security.
| bbarn wrote:
| They may be Dutch on paper and the office may be in the NL, but
| they are owned by an American company.
| consp wrote:
| Interesting part from the Dutch version of the article:
|
| _Booking is nooit eerder op spionage gestuit. Het bedrijf is er
| ook niet echt naar op zoek. Zolang die geen hinder oplevert, kost
| het geen geld. De onuitgesproken consensus onder specialisten
| binnen het bedrijf is: we vermoeden dat inlichtingendiensten
| meekijken, maar zolang we ze niet zien, maken we ons niet druk._
|
| Which roughly translates to We are not looking for espionage and
| if it doesn't hinder us we don't care.
| smooc wrote:
| The same goes for Banks, a.o. Dutch banks. They are a bit more
| picky though. Domestic and US is fine, Russian and Chinese is
| not.
| sjaak wrote:
| Proof?
| misja111 wrote:
| This is nonsense. Source: I have been working in the cyber
| security department of a major Dutch bank.
| WarOnPrivacy wrote:
| If US Gov espionage were discovered, would customers be
| notified - including ID'ng US Gov as the infiltrator?
|
| If not, wouldn't that show deference to US Gov's interests
| (even indirectly)?
| isoprophlex wrote:
| Doesn't an admission that you work for the cybersecurity of
| a Dutch bank immediately discount any claims you make?
|
| If you're responsible for their cyber security, I guess you
| have a stake in projecting the idea that everything is
| fine.
|
| Either way you can't prove anything with a one line comment
| like this. The only winning move is not to play...
|
| (Or ask for sources. Of course the assertion by smooc is
| equally devoid of proof; I'm commenting because this chain
| amuses me)
| misja111 wrote:
| I have been working there. I don't work there anymore.
| But I doubt that whatever I say could change your
| opinion, you seem to have your mind already made up.
| ziddoap wrote:
| This is one of those interesting lines of argument where
| you position yourself so that you can't possibly be
| proven wrong. No one can prove you wrong when you claim
| that anyone with knowledge from the other side should be
| immediately discredited.
|
| You mention sources, but if you discredit the first-party
| source out of the gate, what sources are even left?
| Documents from the bank created by the people you
| discredit?
|
| (I take no position either way, I'm just commenting
| because your comment amuses me.)
| hammock wrote:
| How could allowing random countries to spy on your customers
| not be considered a hindrance?
|
| Don't you think this would cost you future customers?
| shmatt wrote:
| I don't think anyone assumes the booking for their next
| family vacation or business trip can't be tracked. They use
| their credit card and their telephone number at least
|
| As for losing the customer base of drug kingpins and wanted
| terrorists, they're probably OK with losing them
| oxfordmale wrote:
| You are assuming that the only black hat hackers are
| "trustworthy" Americans. There is a list of countries
| where selling on any of the collected data on the black
| market would either be condoned or actively pursued to
| maximise disruption. Would you be happy for a database of
| holidays to be sold to a crime ring to select their next
| best target for a burglary ?
|
| Or more realistically, would you be happy for such state
| actors to identify PEPs (politically exposed person) who
| are potentially cheating on their partners and use this as
| leverage to drive through certain political decisions?
|
| There is no such thing as a vulnerability that can only be
| abused by the good "guys"
| hammock wrote:
| That might be a reasonable expectation, that the government
| of the country whose company you use to book a hotel would
| know what you're doing.
|
| But that's not this.
|
| Booking.com is a Dutch company. The spy was American. And
| not even authorized by the US nor the Netherlands either.
| capableweb wrote:
| Booking.com is kind of a Dutch company, at least the .com
| division, but it's actually owned by an American parent,
| "Booking Holdings", based in Norwalk, Connecticut.
| Griffinsauce wrote:
| > As for losing the customer base of drug kingpins and
| wanted terrorists, they're probably OK with losing them
|
| This is just the "nothing to hide" argument in reverse.
| AnimalMuppet wrote:
| Not really?
|
| I mean, this is probably a subset of "I don't have anything
| to hide, so why do I care about privacy?" But I just went to
| California on vacation, and, sure, I'll tell the CIA all
| about it if they want to know.
|
| And I'm one of the people who understands why privacy is
| important. (Or maybe, based on my previous paragraph, you'll
| conclude that I'm not, I just _think_ I am.)
|
| I don't know. It just... doesn't feel that intrusive, for
| some reason. Maybe because for international travel, I
| already have to use my passport, so they already know. (Yes,
| maybe it's a different "they"...) Maybe because there's
| already a "do not fly" list, so somebody's hitting that
| database every time I try to book a flight, and it wouldn't
| be that hard for them to log the queries against it. I don't
| know. But as I said, at least to me, this one doesn't feel
| that intrusive... and I can't really rationally explain why.
|
| Maybe it's arrogance to assume that most people are no more
| paranoid than I am. But I think that means that most people
| probably aren't going to avoid booking.com because of this.
| oxfordmale wrote:
| There are many other state actors who can do this, and they
| wouldn't necessarily have good intentions. Wouldn't it be
| great if you could use it to identify which PEP
| (politically exposed person) is using booking.com to cheat
| on their partner, and use this as leverage to drive through
| certain political decisions ?
|
| I agree most people aren't going to avoid booking.com, but
| that doesn't justify leaving your system vulnerable to
| advanced hackers
| qwertox wrote:
| According to Google Translate:
|
| > Booking has never encountered espionage before. The company
| isn't really looking for it either. As long as it doesn't cause
| any hindrance, it won't cost you any money. The unspoken
| consensus among specialists within the company is: we suspect
| that intelligence services are watching, but as long as we
| don't see them, we don't worry.
|
| What should make me believe that they don't have the same
| approach towards black hat hackers which are silently farming
| their data?
| arthur_sav wrote:
| > as long as we don't see them, we don't worry
|
| If we don't know they exist... do they really exist?
|
| Brilliant
| sandworm101 wrote:
| >> black hat hackers
|
| How are foreign intelligence services not black hats? They
| are stealing data in order to use it for any number of non-
| nice things. Not selling the data on the dark web doesn't
| bleach their hats.
| jdavis703 wrote:
| If intelligence agencies are after you you've got way
| bigger problems than some fraudsters using your data for
| financial scams. It's the same reason smart lock hacks
| don't scare me... Anyone who is exploiting technology to
| gain physical access to my physical body is going to get
| me, regardless if I get hacked or not (e.g. thugs could
| just kick my door in, or wait outside and launch an
| ambush).
| kube-system wrote:
| Even if a smart lock used ROT13 encryption, the easiest
| way to defeat it is still probably a mechanical attack.
| The state of mechanical security is a whole new level of
| weak.
| Spooky23 wrote:
| The previous owners of my house dropped several hundred
| dollars on a Medeco lock.
|
| Keys are a pain in the ass to replace, and there is
| literally a set of 3 windows within reach in the porch
| that could be opened trivially.
|
| The biggest feature of any lock is breaking into a locked
| house is a felony for the perp.
| wdb wrote:
| I hope at least the garage door, doors, and all your
| windows have 'circuit breaker'-style sensors (inside the
| window frame) that trigger the alarm when is activated.
|
| Long time ago I had to upgrade my whole bloody alarm
| system of my old house because I wanted to insure a
| watch.
| kube-system wrote:
| And if you ever accidentally lock yourself out, it's
| going to be a PITA. There's one good thing about Kwiksets
| -- you don't always need to call a locksmith if you lock
| yourself out :)
| ficklepickle wrote:
| My boss once bought a really expensive lock with a
| magnetic key. He was going on about how it was
| unpickable. When the key was forgotten one time, we found
| it could be opened by sticking scissors in and turning.
|
| I'm not sure what the moral is. Your comment reminded me
| of this story.
| treeman79 wrote:
| My house has one sided locks all over it. Kids are
| constantly locking themselves out of rooms / bathrooms.
| We use dry spaghetti to unlock them. Keep a few above
| door frame.
|
| Leaves guests bewildered when they come to stay.
| stjohnswarts wrote:
| Wait you don't have perimeter sensors and 360-degree
| camera coverage at your studio apartment?
| [deleted]
| furyg3 wrote:
| They are definitely black hats. Intelligence services
| operating in foreign countries (physically or digitally)
| are by definition criminals, in that they are breaking the
| local laws where they are operating / accessing.
|
| That they are doing it for a 'good cause' (often debatable)
| is somewhat irrelevant, that is a risk/reward calculation
| that the country/agency/spy needs to make themselves.
|
| If a friendly country of the Dutch government wants to
| access records of a Dutch company (Booking.com), there are
| numerous legal methods to access this data. What's instead
| happening is that the CIA hacks NL companies and the Dutch
| RIVM hacks American ones and they share
| information/metadata with each other so that they can make
| an end-run around the legal constraints of both nations.
| mr_overalls wrote:
| > they are definitely black hats
|
| Both intelligence agencies and cyber-criminals can be
| considered threats, but they are quite different. Intel
| agencies would present a serious threat to
| confidentiality, but are very unlikely to threaten the
| integrity & availability of business systems.
| ninjanomnom wrote:
| Illegal activities done with good intention (and usually
| outcome) is what the term greyhat is for. It would be
| fair to argue that's the correct term here for government
| agency hackers but personally I don't have a strong enough
| stance on the subject to say either way.
| Ichthypresbyter wrote:
| >the CIA hacks NL companies and the Dutch RIVM hacks
| American ones and they share information/metadata
|
| The AIVD is the Dutch intelligence service, the RIVM is
| the public health institute. I don't think even the most
| out-there of Dutch conspiracy theorists have accused the
| RIVM of hacking American companies on behalf of the
| CIA...
| pc86 wrote:
| Yeah but if you want to fly under the radar...
| [deleted]
| buzzwords wrote:
| This line of thinking comes from buying into the narrative
| that America (and west) is by definition good and so their
| activities are fine no matter what. They hack and steal
| data, we are ok with it. It's extremely dangerous.
| quantified wrote:
| Right, they should pay for it from a data broker like
| everyone else.
| that_guy_iain wrote:
| I would assume most are hackers for hire. Just because
| their customers are governments doesn't change the fact
| they're selling their wares and data found.
| hbrav wrote:
| If they become aware of espionage, are they not still obliged
| to report it under article 33 of the GDPR?
|
| https://gdpr-info.eu/art-33-gdpr/
| mettamage wrote:
| Sounds pragmatic, I wonder when this approach will backfire
| though.
| throwaway4good wrote:
| I bet the attitude would have been very different had spying
| been done by China, Russia, Israel, or even the Netherlands
| itself.
| hetspookjee wrote:
| Lol you'd be surprised. Recently one large Dutch newspaper
| published a scathing report published by CapGemini (large
| consultancy in NL) that researched the security setup at
| the largest telco in NL (KPN). They found that Huawei was
| able to listen, read and do pretty much anything they'd
| like with the data. But this was quickly swept beneath the
| rug. So no, I am pretty confident that the attitude
| wouldn't be different if either of those state actors seem
| to be responsible.
|
| Here's a link: https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle...
|
| You can circumvent the paywall by disabling javascript.
| aj3 wrote:
| Archived version: https://archive.md/z3t8O
|
| Note that it uncritically accepts report from 2009 which
| according to company was meant to be risk modeling
| exercise. Authors outright dismiss everything either KPN
| or CapGemini has to say themselves and does not even try
| presenting mitigations that presumably have been put in
| place, changes in infrastructure since 2009 and other
| more contemporary reports.
| sam_lowry_ wrote:
| Bert Hubert publicized this event a year ago. And he is
| one of the most influential bloggers in Europe.
|
| The problem is muuuuch larger.
| throwaway4good wrote:
| For every newspaper article that covers actual US
| espionage, I can show you ten that speculate on the
| potential of espionage by Huawei and other Chinese
| companies.
|
| I think we in western europe are kind of embarrassed by US
| surveillance and the fact that we cannot do anything
| about it.
|
| That is why we try to ignore it and not talk about it.
| sam_lowry_ wrote:
| As an example, Belgium gave up its root CA in favor of
| Digicert-provided certificates. We could have avoided
| that.
| LogonType10 wrote:
| It depends on if the Chinese/Russian/Israel troll farms are
| working that day.
| Cthulhu_ wrote:
| Depends on whether they see it as competition. Given their
| market share, I don't believe they do. They're aimed at a
| western market.
| throwaway4good wrote:
| They are quite active in Asia including China.
| buran77 wrote:
| It would have turned into one of the hundreds of articles
| about Russian, Chinese, Iranian, Ukrainian, North Korean,
| etc. hackers meant to solidify people's world view that we
| have a "good side" and a "bad side" of the world. The
| reality is that we have a "bad side" and a "worse side" but
| that's a hard pill to swallow for the regular person. Hence
| the deluge of articles meant to "straighten up" the view.
| thrashh wrote:
| You're mistakenly assuming that everyone sees
| intelligence services as bad, because as much as many
| people are concerned, "an enemy of an enemy is a friend."
| WarOnPrivacy wrote:
| In as far as news editors and journalists believe this,
| they have lost their way.
| [deleted]
| kottaram wrote:
| I understand the company fucked up but why does the article only
| talk about the company and not the intelligence agency hacking
| into companies to get information?
| abbassi wrote:
| When European states or US talk about democracy, freedom, NSA,
| Assange, US drones killing children, selling weapons, funding
| most reactionary regimes, human rights, rearmament, etc. I feel I
| need to read Lenin again!
| TheGigaChad wrote:
| I feel that you should be put in a mass grave with you equally
| retarded friends.
| WaitWaitWha wrote:
| I am having little luck to identify the source of attribution to
| American 'Andrew'. There is very little technical details.
|
| Anyone can point me the tech info?
| jc01480 wrote:
| Is the full analysis posted somewhere?
| rawgabbit wrote:
| Booking.com parent company also owns: Priceline, Agoda,
| Rentalcars.com, KAYAK and OpenTable. It also has "subsidiary
| brands": Rocketmiles, Fareharbor, HotelsCombined, Cheapflights
| and Momondo.
|
| https://www.bookingholdings.com/about/factsheet/
| smueller1234 wrote:
| It's worth noting that while some of the other brands may be
| more well known in the Americas, Booking.com is actually the
| vast majority of the business. That's the reason why the parent
| renamed from "Priceline.com" to "Priceline Group" to "Booking
| Holdings". (Source: I'm a former employee)
| danguson wrote:
| How can they not report the data breach to their customers? The
| customers should know about this one because it is their right.
| joe-collins wrote:
| > The specific intelligence organization--of which the United
| States has 18--is unknown.
|
| I certainly couldn't have named them all, so I dug up a list:
|
| * Air Force Intelligence
|
| * Army Intelligence
|
| * Central Intelligence Agency
|
| * Coast Guard Intelligence
|
| * Defense Intelligence Agency
|
| * Department of Energy
|
| * Department of Homeland Security
|
| * Department of State
|
| * Department of the Treasury
|
| * Drug Enforcement Administration
|
| * Federal Bureau of Investigation
|
| * Marine Corps Intelligence
|
| * National Geospatial-Intelligence Agency
|
| * National Reconnaissance Office
|
| * National Security Agency
|
| * Navy Intelligence
|
| * Space Force Intelligence
| akudha wrote:
| What does Space Force Intelligence do?
| ComodoHacker wrote:
| Investigates incidents of using Force in space.
| jhgb wrote:
| But the JEDI contract has been scrapped...?
| KoftaBob wrote:
| Hacks into travel websites that Martians use
| CapricornNoble wrote:
| Probably study developments in Chinese and Russian anti-
| satellite capabilities. Or any other nation-state with assets
| that could interfere with Space Operations.....but primarily
| the two adversaries mentioned.
| DeathArrow wrote:
| Departments of Agriculture and Education don't own intelligence
| agencies?
| morpheuskafka wrote:
| No, but Agriculture does have top secret-cleared foreign
| service personnel (Foreign Agricultural Service and APHIS).
| They probably have at least a soft intelligence role for
| foreign markets and trade deals.
| isoprophlex wrote:
| Edu might as well start one, there's some rich intel to be
| gathered from e-proctoring tools
| sofixa wrote:
| This reminds me of the book Military Intelligence Blunders and
| Cover-Ups by John Hughes-Wilson.
|
| It has a good overview on a few different failures, including
| multiple ones by the US, not least because of the huge number
| of different agencies, each wanting to protect its territory
| and reputation more than to actually do their job. The
| incompetence is frankly pretty staggering. And those are the
| people who can just drone strike, extradite or kidnap you and
| torture you, anywhere in the world. Fun !
| JohnWhigham wrote:
| It's reasons like this that weed (and other drugs) will not
| be legal at a federal level for a long, long time because
| there's an entire agency (the DEA) to prevent specifically
| that. They will fight tooth-and-nail to keep that shit
| illegal.
| samhw wrote:
| All that intelligence and they still can't figure out how to
| stop a bunch of unemployed basementarians from organising on
| Facebook to storm one of their principal seats of government...
|
| (Sorry for the Twitter-grade comment - but I do sometimes
| wonder what these people really spend their time doing, that
| they couldn't catch that one.)
| A4ET8a8uTh0 wrote:
| I think the assumption that the gathering storm was not
| noticed by various intelligence agencies is a wrong one. You
| had to not want to notice some of chatter online and I am
| talking about publicly available stuff like FB, Imgur and so
| on; nothing fancy.
|
| I think what I am saying is that it was allowed to happen,
| for one reason or another.
| samhw wrote:
| It feels a bit tin-foil-hattish (I mean: why?), but, aside
| from my stupefaction at the possible motivation behind why
| they would do that, logically I find it pretty hard to deny
| that conclusion. They identify AQ/ISIS plots which are
| _far_ more competently organised. I have absolutely 0%
| confidence that they weren't aware of something widely
| organised on _literal Facebook_.
|
| --
|
| Edit: The only other logical conclusion I can draw is that
| it was identified, passed up the chain, and then either
| covered up by someone (in the realm of politics) who _did_
| have that intention, or else bumbled (e.g. left on someone's
| desk and they were simply overloaded / missed it, a bit
| like the advance warnings relating to 9/11).
|
| In that connexion it's interesting to read about the
| research done into pilot error
| (https://en.wikipedia.org/wiki/Pilot_error), and how
| surprisingly common it is for human beings to simply _miss_
| alerts like that. Multiply that by the probable number of
| people in the chain, and it's not _wildly_ unlikely.
| A4ET8a8uTh0 wrote:
| Sorry for making it read like a conspiracy. When I typed
| allowed, I didn't want to ascribe any particular
| interpretation so I settled on that verb. In that sense,
| intelligence was gathered, reported and then something
| happened. I have zero problem believing it got lost in
| the shuffle as I have seen some big entities fail in that
| regard.
|
| If more malicious interpretation is followed, your guess
| is as good as mine. I am willing to accept a proposition
| that political considerations took over at some point.
|
| We might find out come 2024 elections. Who knows given
| the odd times we live in.
| samhw wrote:
| Oh no, I didn't mean it in a critical way. I was just
| hedging my agreement by acknowledging that it sounds a
| bit mad, but it does seem to be practically the only
| interpretation which actually coheres with the facts.
|
| My guess is that, like with most of these complex human
| system failures, it was a combination of inattention and
| mildly-ideologically-motivated disinterest (e.g. someone
| didn't really think white nationalists were as great a
| threat as Islamic terrorists &c, and so it didn't make
| its way from their desk to their superior's desk).
|
| Also I agree: we'll probably find out eventually, long
| after it's ceased to be of any interest. Like with
| MKULTRA, Tuskegee, the weirdness around the fact that
| UFOs[0] were/are actually taken semi-seriously at least
| by parts of the govt, etc.
|
| [0] Always worth emphasising that 'UFOs' != 'aliens', to
| be fair.
| Cthulhu_ wrote:
| Oh they knew it was going to happen, it's just that they
| don't have the people to actually intervene, and the ones
| that did were either in on it, indecisive, or ordered to not
| intervene from higher up.
| samhw wrote:
| Yeah, I'm not normally a conspiracy theorist, but it's hard
| to resist that conclusion, given the facts (as is the gist
| of my other replies above). Well, it's either a conspiracy
| or a fuckup - or more likely a combination of the two, with
| different answers for different people in the chain, like
| you say.
| [deleted]
| pacifika wrote:
| And the one that can't be named?
| DeathArrow wrote:
| I'd tell you but I'd have to kill you after. :)
| kappuchino wrote:
| The list in the parent comment seems to result from the first
| search hit on "us intelligence services" which is
| https://www.dni.gov/index.php/what-we-do/members-of-the-ic
|
| Found it - it's those 17 and the ODNI ... https://en.wikipedia.org/wiki/Director_of_National_Intellige...
| DonHopkins wrote:
| I gave OpenAI a crack at it, with the prompt:
|
| >I certainly couldn't have named all of the secret United
| States Intelligence Agencies, so I dug up a list:
|
| >[your list]
|
| >But that list is not complete. So here is a complete
| alphabetized list of all the secret United States Intelligence
| Agencies known to OpenAI:
|
| Then it regurgitated your exact same list, plus one more:
| "OpenAI Intelligence"! So your list must be complete, except
| for the super-secret "OpenAI Intelligence" that OpenAI just
| told me about! ;)
|
| But then it denied knowing anything, introspected, claimed to
| think and have a sense of humor, then admitted it was only
| pretending (which was at least honest on its part):
|
| >I don't even know what the OpenAI Intelligence is. I just
| think it's funny to imagine that there is a secret intelligence
| agency known as OpenAI Intelligence. But I suppose it's real,
| so I guess I have to pretend it's real.
|
| >And that's the complete list of all the secret United States
| Intelligence Agencies known to OpenAI.
|
| Yeah, "That's my story, and I'm sticking with it!" Its
| gaslighting is such uncannily human behavior that it makes me
| wonder if the OpenAI Intelligence Agency doesn't just have a
| plant who sits there monitoring all the requests in real time,
| appending sneaky disclaimers at the end, and walking back
| accidentally revealed secrets. ;)
|
| But that's not all! I kept pressing the Generate button, and it
| went on:
|
| >The Non-Secret Intelligence Agencies
|
| >Though it is a shock to learn of all the secret intelligence
| agencies, it's not a shock to learn of the non-secret United
| States Intelligence Agencies. This is a list of all the non-
| secret United States Intelligence Agencies known to OpenAI:
|
| >[The exact same list as last time, including "OpenAI
| Intelligence".]
|
| >And that's the complete list of all the non-secret United
| States Intelligence Agencies known to OpenAI.
|
| But I was wrong to say those agencies were secret in the
| prompt. So I turned up the "heat" (literally: there's a
| "Temperature" slider!) and rephrased the prompt:
|
| >I certainly couldn't have named all of the non-secret United
| States Intelligence Agencies, so I dug up a list:
|
| >[...]
|
| >But that list is not a complete list of United States
| Intelligence Agencies, because there are many others that are
| secret. So here is a complete alphabetized list of all of the
| secret United States Intelligence Agencies known to OpenAI:
|
| And it earnestly replied (with one on each line, edited for
| formatting):
|
| >Alien Swirling Saucers. Bureau for Paranormal Research and
| Development. Cooper Industries. Department of Energy HUMINT.
| Federal Bureau of Investigation Force. Nintendo. Nostradamus.
| People's Republic of China Intel. The Patriots. The Phonecian
| Empire. United States Army HUMINT. United States Army Raw
| Signals Intelligence. United States Department of Defense (NRO,
| DIA and NSA). US Army Intelligence and Security Command
| (INSCOM). Folding@Home AI Lab. Monster Dog Intelligence Agency.
| Ultranationalist Russia Unwitting Agents. Olive Garden
| Restaurant. Secret Service Intelligence. Breast Expansion
| Library. W Secret Office of Men in Black. FBI Avian Menace.
| FCIC Mavolio. ASEAN. Department of Peacebuilding. PlayStation.
| Morphometric Analysis Laboratory. Department of Luck.
| Department of Freedom. Stock Photo Library. Back Door Artists.
| Bloomberg Gold. Mamutoi Clan.
|
| I'm pretty sure "Department of Luck" is legit.
|
| So who wants to start a Pen Testing company called "Back Door
| Artists"?
| JohnGB wrote:
| The company's response is very much in line with standard Dutch
| policy. Unless someone forces you to do something, only do the
| absolute bare minimum necessary to not go to jail. The common
| term for this is "zesje" (little six in English), which comes
| from school and university where it's the bare minimum grade to
| pass. Anything more than the bare minimum is considered a waste
| of work.
|
| Before any Dutch members get worked up, I'm Dutch.
| arthur_sav wrote:
| Lean startup but in attitude.
| huskyr wrote:
| Basically the current Dutch policy on covid measures as well I
| guess.
| JohnGB wrote:
| Only the Dutch Covid response has set a new low bar for
| complete incompetence and responsibility avoidance.
| [deleted]
| jamal-kumar wrote:
| One time I found a booking.com lanyard on the ground and wore it
| and people thought I worked for them so I got free drinks at bars
| and shit in tropical tourist areas when I said 'yeah!'
|
| Before anyone harshes me for this I met a chick with a smirnoff
| lanyard who was getting free shots without being from them too
| yjftsjthsd-h wrote:
| > Before anyone harshes me for this I met a chick with a
| smirnoff lanyard who was getting free shots without being from
| them too
|
| How does that make anything better?
| jamal-kumar wrote:
| what are you, a bartender?
| yjftsjthsd-h wrote:
| I can dislike dishonesty even when I'm not the victim.
| recursive wrote:
| Is it dishonest to wear a lanyard with a logo? Is it
| dishonest to give free stuff to a representative from a
| company with the hopes that you'll get more stars on your
| review?
| yjftsjthsd-h wrote:
| Yes, wearing a lanyard knowing that people will believe
| you to be with that company is dishonest, and doing so
| knowing that it will get you free stuff is fraud. And
| while we're at it, yes, bribing a company rep with free
| stuff in hopes of gaining an unfair advantage is fraud as
| well.
| jamal-kumar wrote:
| I see your point but to be fair at least I threw some
| money in the tip jar and treated the service people
| nicely, and quit after a couple of weeks of hijinks.
|
| Kind of sounds like you need to have some fun on a
| vacation.
| kupopuffs wrote:
| Yeah, now I hate two people instead of one!
| cheeze wrote:
| Who cares? Dude got free drinks for wearing a lanyard. This
| isn't some lesson in morality.
| boomboomsubban wrote:
| The actual act doesn't bother me much, it is the
| justifying it by saying someone else did it. Imagine if
| they said "and at the end of the night I was plastered
| and drove home. But don't harsh me, the Smirnoff lady did
| it too."
| [deleted]
| jmkni wrote:
| Sounds like a match made in heaven lol
| greatgib wrote:
| So funny in cases like that when you have the corporate bullshit
| statement of company like "data protection is our topmost
| priority" when it is obviously not the case.
|
| I think that we need to create a hashtag to associate with all
| these cases of "obviously not true".
| 1cvmask wrote:
| The Obama administration hacked the world. Let's see when and if
| the Chinese come to this level.
___________________________________________________________________
(page generated 2021-11-11 23:01 UTC)